Re: [Clamav-users] Re: How do I generate a clamd coredump
Hi

Thanks. I am using Fedora (red hat) Linux. What should I do then ?

--- Anton Yuzhaninov [EMAIL PROTECTED] wrote:

> Hello, Joanna!
> You wrote on Fri, 26 May 2006 12:39:39 -0700 (PDT):
>
> JR> However, if I first su to clamav and then start clamd and then do
> JR> kill -11 pid, a coredump file is generated.
>
> It depends on the OS. In FreeBSD you need to set kern.sugid_coredump=1 and maybe set kern.corefile to a dir writable by the clamav user.
>
> --
> Anton Yuzhaninov, OSPF-RIPE, mail: citrin (at) citrin.ru

http://lurker.clamav.net/list/clamav-users.html
[Clamav-users] How do I generate a clamd coredump
If I started clamd as root and then did kill -11 clamd's pid, I did not see any coredump file is generated. However, if I first su to clamav and then start clamd and then do kill -11 pid, a coredump file is generated. Can anyone explain to me the reason ???
[Clamav-users] Spyware signature
Do ClamAV VDBs have spyware signatures ??
Re: [Clamav-users] .ppt files take a long time to scan
--- Christopher X. Candreva [EMAIL PROTECTED] wrote:

> On Sat, 18 Mar 2006, des wrote:
>
> Your disk is slow or don't scan large files is a common response. Well, I'm using ramdisk for temp so I don't think that's it. If you can provide a sample file to Trog to help find out what the real issue is that would be great. Sent, hopefully it helps.
>
> Chris Candreva, WestNet Internet Services of Westchester

So has the root cause been determined ? I have tried scanning ppt files on my system and did not see any slowness. Maybe this is file specific ???
[Clamav-users] Clamav.net Gone ?
Has clamav.net been shutdown ???
[Clamav-users] How good are clamav's spyware signatures ?
No one has answered this Q so far. Just I am posting it again.

I am using an improved version of SCAVR (Squid ClamAV Redirector) that will scan each and every url. However, I don't see any spywares getting caught. I did check that the SCAVR is working properly by attempting to download a virus webmail and the webmail was blocked. So my question is how good is ClamAV's spyware/adware signatures ?

John
RE: [Clamav-users] cvd timestamps question
--- [EMAIL PROTECTED] wrote:

> Joanna Roman wrote:
> > What is the time zone of the timestamps in main.cvd and daily.cvd ?
>
> I believe timestamps are stored internally in seconds-since-the-epoch. So whatever your ls -l command says in your time zone, that's the correct time.
>
> --
> Matthew.van.Eerde (at) hbinc.com, Hispanic Business Inc./HireDiversity.com, Software Engineer

No, I believe you are incorrect. I am talking about the timestamp stored in each main.cvd and daily.cvd's header. That has nothing to do with the ls -l command.
[Clamav-users] How good are clamav's spyware signatures ?
I am using an improved version of SCAVR (Squid ClamAV Redirector) that will scan each and every url. However, I don't see any spywares getting caught. I did check that the SCAVR is working properly by attempting to download a virus webmail and the webmail was blocked. So my question is how good is ClamAV's spyware/adware signatures ?

John
[Clamav-users] cvd timestamps question
What is the time zone of the timestamps in main.cvd and daily.cvd ?
[Clamav-users] race condition ??
Hi,

How does clamd know whether someone is using the signature tree when it reloads (after it frees) the signature tree ? How is this race-condition handled in the code. I don't see that this condition is ever checked in the code. Let's say the clamd is configured with self-checking.

Thanks,
John
Re: [Clamav-users] Spyware detection...
--- Christopher X. Candreva [EMAIL PROTECTED] wrote:

> On Mon, 12 Sep 2005, Stephen J. Smoogen wrote:
> > I am currently looking at doing the same thing. I have a set of boxes that I am planning to 'infect' with spyware and then start making signatures for them. It is a rather slow process at the moment..
>
> There doesn't seem to be any reason a separate project couldn't provide a signature package that worked with Clam to look for Spyware (or Spam, or anti-Brady Bunch messages, or whatever for that matter).
>
> -Chris
>
> Chris Candreva, WestNet Internet Services of Westchester

Whoever is about to submit the spywares, may I ask whether those spywares come in via port 80 or port 21 ?
Re: [Clamav-users] Spyware detection...
--- Thomas Hruska [EMAIL PROTECTED] wrote:

> Dennis Peterson wrote:
> > Meanwhile, why don't you create signatures for known spyware and place them in your configuration? ClamAV allows this, you know. If you get good at it you can share them.
> >
> > dp
>
> Actually I didn't know that. I was under the impression that it was completely central database driven - which I recognize as meaning signatures have to be added to the central database and distributed before the AV program recognizes it. I will look at adding signatures into the configuration file as an option for a possible course of action. Thanks.
>
> --
> Thomas Hruska

Aren't there already spyware signatures in ClamAV database ?

http://clamav-du.securesites.net/cgi-bin/clamgrok?virus=waresearch-type=containscase-sensitivity=Nodatabase=dailydatabase=maindisplay=databasedisplay=virus.submit=.cgifields=database.cgifields=case-sensitivity.cgifields=search-type.cgifields=display
[Clamav-users] To Wilbur Sims (collection malware using honeyports)
--- Tomasz Papszun [EMAIL PROTECTED] wrote:

> On Mon, 12 Sep 2005 at 11:04:11 -0400, Wilbur Sims wrote:
> > Recently been collecting a lot of various malware through the use of a couple of new honeypots.
>
> Good idea.

Hi Wilbur Sims,

Can you share with us how you collect those malwares ? What are the port numbers ? I have been using SCAVR with clamav on port 80 but not having much luck catching any adwares even though clamav dbs do have a lot of adware signatures.

John
[Clamav-users] Clamav.net down again ?
Clamav.net down again ?
[Clamav-users] clam av database has not updated since Tuesday
The latest clamav database is of ver 1011. I thought this one almost got updated daily.
[Clamav-users] Is ClamAV in the black or red ?
ClamAV team,

I wonder how your finance is going ? Are you guys in the black or red right now ? I think you are great guys. I just hate to see this great project gets interrupted because of financial issue.

John
[Clamav-users] Using clamav to scan adware
Is anyone using clamav to scan adware ? If so, have you been successful ? Does your clamav scanner listen on port 80 only ? Or it also listens on port 21 ?
Re: [Clamav-users] Using clamav to scan adware
--- Matt Fretwell [EMAIL PROTECTED] wrote:

> Joanna Roman wrote:
> > Is anyone using clamav to scan adware ? If so, have you been successful ? Does your clamav scanner listen on port 80 only ? Or it also listens on port 21 ?
>
> Wouldn't it just be easier to list the complete list of specific goals you wish to achieve, and then someone can give you a specific yes/no/maybe answer as to whether it is plausible. It would be easier than asking awry questions every several days/weeks.
>
> Matt

People have submitted viruses like below:

main.cvd Adware.Adtag-1
main.cvd Adware.BBuddy-13
main.cvd Adware.Aspy-1
main.cvd Adware.Atlas
main.cvd Adware.Adstart-2
main.cvd Adware.Winad-14
main.cvd AdWare.Xawm
main.cvd Adware.Beti-1
main.cvd Adware.Beti-2
main.cvd Adware.Gator-5
main.cvd Adware.Toolbar-14
main.cvd Adware.Gator-6
main.cvd Adware.Toolbar-15
main.cvd Adware.Ezula-1

I was using the SquidClamAV Redirector trying to filter adwares/spywares and have not been very successful. So I am just wondering whether those adwares come in via web port or ftp port or other p2p application port. Just because people have submitted those adware samples, it does not mean the people must have caught them with ClamAV right ?
[Clamav-users] Using clamav against adware -- ceres.cab
I have several questions:

1. Has anybody successfully filtered spywares/adwares using clamav ?

Adware.BBuddy-1 (Clam) main.cvd Adware.BBuddy-3 (Clam) main.cvd Adware.BBuddy-4 (Clam) main.cvd Adware.BBuddy-2 (Clam) main.cvd Adware.BBuddy-5 (Clam) main.cvd Adware.BBuddy-7 (Clam) main.cvd Adware.BBuddy-8 (Clam) main.cvd Adware.BBuddy-9 (Clam) main.cvd Adware.BBuddy-10 (Clam) main.cvd Adware.BBuddy-11 (Clam) main.cvd Adware.BBuddy-12 (Clam)

2. Can clamav handle *.cab file ? ceres.cab is one of the most popular spyware/adware transponder. I don't see clamav website mention that clamav is able to handle ceres.cab

http://www.webhelper4u.com/transponder/transfileslocations.html
[Clamav-users] Does clamav consider adware and spyware the same thing ?
Does clamav consider adware and spyware the same thing ?
[Clamav-users] scanning dll type files
Can clamav scan dll type files ? I don't see the clamav website mention that clamav can scan dll type files.

http://www.clamav.net/abstract.html#pagestart
[Clamav-users] For those who submitted adware/spyware samples
Can you send me the files that you submitted because my clamav filter has failed to catch any spyware/adware so far. I found that clamav is very good at stopping mail-borne viruses but not sure about its capability of stopping spywares.
Re: [Clamav-users] Using clamav against adware -- ceres.cab
Can you tell me under what circumstances those files were detected ? Is it via mail scanner scanning or web scanning ? And what .cab file is it ?

--- Securiteinfo.com [EMAIL PROTECTED] wrote:

> On Friday 17 June 2005 18:40, Joanna Roman wrote:
> > I have several questions:
> >
> > 1. Has anybody successfully filtered spywares/adwares using clamav ?
>
> Yes.
>
> > 2. Can clamav handle *.cab file ?
>
> Yes.
>
> --
> Regards,
> Arnaud Jacques, Security Consultant, Securiteinfo.com
Re: [Clamav-users] undetected malwares
--- Michel Arboi [EMAIL PROTECTED] wrote:

> http://passoire.hd.free.fr/malware/
> All those malwares are not detected by ClamAV. They were automatically fetched by TFTP from infected machines when they tried to attack my IP.

Hi Michel,

How did those machines get infected in the first place and what do you mean by IP ? ip address ? What do you mean by attack here ? Do you mean that the infected machines try to tftp malwares to your machine ? I just try to understand how malwares spread ?

> Some files might be broken, as TFTP is not a very reliable protocol. I removed duplicated files and truncated files.
> Hope this helps.
[Clamav-users] Can ClamAV detect this ?
Can the current ClamAV scan .eml and .nws file types ?

http://www.malware.com/index2.html
Re: [Clamav-users] Can ClamAV detect this ?
--- Odhiambo Washington [EMAIL PROTECTED] wrote:

> * Joanna Roman [EMAIL PROTECTED] [20050609 09:34]: wrote:
> > Can the current ClamAV scan .eml and .nws file types ?
> > http://www.malware.com/index2.html
>
> 5 years down the line, you still think Microsoft has not fixed those issues, correct? Tell us if you tested the outlined procedures and they work on your PC, which is running the latest service pack for its version??? Also, please remember that ClamAv is not a desktop mailware scanner by design. Also, I may be naive, but I don't categorise whatever is on that page as malware ;)
>
> -Wash
>
> http://www.netmeister.org/news/learn2quote.html
>
> --
> Odhiambo Washington, Wananchi Online Ltd.

I am just asking in general. So do you know what malwares can ClamAV detect right now ?
[Clamav-users] How does ClamAV classify Worm and Trojan ?
When someone submits a virus sample (in the format of email, exe file, *.hml file), what criteria does ClamAV team use to classify the virus sample as Worm or Trojan ?
Re: [Clamav-users] ClamAV HW acceleration
--- Niek [EMAIL PROTECTED] wrote:

> On 6/5/2005 5:22 AM +0200, Joanna Roman wrote:
> > I am just wondering how feasible it is to do AV hw acceleration in general. Besides using faster CPU and faster memory, ASIC can't really help. Can anybody shed some light ?
>
> You answered your own question. Now I'm awaiting a similar question on the spamassassin list.
>
> Niek Baakman

I am just throwing out this question hoping someone might have some novel idea of accelerating AV in HW. Does anybody have any idea how company like Sensory Networks does HW acceleration then. I have real doubt about the result. I wonder how much gain they can achieve.
Re: [Clamav-users] ClamAV HW acceleration
--- Damian Menscher [EMAIL PROTECTED] wrote:

> On Sun, 5 Jun 2005, Joanna Roman wrote:
> > --- Niek [EMAIL PROTECTED] wrote:
> > > On 6/5/2005 5:22 AM +0200, Joanna Roman wrote:
> > > > I am just wondering how feasible it is to do AV hw acceleration in general. Besides using faster CPU and faster memory, ASIC can't really help. Can anybody shed some light ?
> > >
> > > You answered your own question.
> >
> > I am just throwing out this question hoping someone might have some novel idea of accelerating AV in HW. Does anybody have any idea how company like Sensory Networks does HW acceleration then. I have real doubt about the result. I wonder how much gain they can achieve.
>
> Disclaimer: I'm making all of this up.
>
> The purpose of the accelerator isn't necessarily to make it go faster, but rather to offload some work from the main CPU. (Otherwise, you could just buy more CPUs and load-balance the work.) That way you save the expensive part (the CPU) for stuff it's good at, and use the cheaper part (the accelerator) for specialty work.
>
> For the case of virus scanning, there is NO floating-point arithmetic involved. So about half the transistors in your typical CPU are going to waste. Now imagine if you could simply produce a P4 minus the floating point units for half the cost, and get the same virus-scanning speed. Now imagine cutting out the cost of the motherboard with all its useless goodies like video and sound, and just having a raw interface to the accelerator (and its local ram). Sounds like a good deal to me, though obviously it'd require some serious effort to get the first prototype to work.
>
> Someone tell me if I got any of this anywhere close to being right. ;)
>
> Damian Menscher

With multi core CPU coming out, I just don't feel the work of building a special AV accelerating chip justify the need. At least from the price/performance ratio perspective, it is not worth it. Not to mention the time to market. If you use off the shelf PC, you automatically gets 2X performance every 18 to 24 months. So why bother ?
Re: [Clamav-users] ClamAV HW acceleration
--- Securiteinfo.com [EMAIL PROTECTED] wrote:

> On Sunday 5 June 2005 22:15, Joanna Roman wrote:
> > --- Niek [EMAIL PROTECTED] wrote:
> > > On 6/5/2005 5:22 AM +0200, Joanna Roman wrote:
> > > > I am just wondering how feasible it is to do AV hw acceleration in general. Besides using faster CPU and faster memory, ASIC can't really help. Can anybody shed some light ?
> > >
> > > You answered your own question. Now I'm awaiting a similar question on the spamassassin list.
> > >
> > > Niek Baakman
> >
> > I am just throwing out this question hoping someone might have some novel idea of accelerating AV in HW. Does anybody have any idea how company like Sensory Networks does HW acceleration then. I have real doubt about the result. I wonder how much gain they can achieve.
>
> Dedicated hardware acceleration is always faster than the fastest CPU. Have you got a 3D acceleration video card in your PC ? If yes, why ? :)
>
> --
> Regards,
> Arnaud Jacques, Security Consultant, Securiteinfo.com

I don't know how graphics CPU works. But when it comes to virus scanning, one has to read every byte of the file. I can't think of any ASCII can do better job than CPU when it comes to this.
[Clamav-users] How fast are main.cvd and daily.cvd growing monthly ?
In terms of percentage and absolute size, how fast are both databases growing monthly ? Anybody have any idea ?
[Clamav-users] ClamAV HW acceleration
I am just wondering how feasible it is to do AV hw acceleration in general. Besides using faster CPU and faster memory, ASIC can't really help. Can anybody shed some light ? I just want to have some intellectual discussion.
[Clamav-users] backward compatibility questions
I am using 0.83. If I do not upgrade, will clamd eventually refuse to reload main.cvd and daily.cvd ? I already noticed that the new sigtool refuses to list sigs if I used it on older versions of virus databases.
Re: [Clamav-users] backward compatibility questions
--- Brian Morrison [EMAIL PROTECTED] wrote:

> On Wed, 1 Jun 2005 09:16:06 -0700 (PDT) in [EMAIL PROTECTED] Joanna Roman [EMAIL PROTECTED] wrote:
> > I am using 0.83. If I do not upgrade, will clamd eventually refuse to reload main.cvd and daily.cvd ? I already noticed that the new sigtool refuses to list sigs if I used it on older versions of virus databases.
>
> The last time this happened I think that the database format changed about the time that 0.8x appeared and that meant that 0.65 and earlier would not be able to read the new versions.
>
> Yes, 0.8x will eventually be useless but by then new versions will be out and you will be seriously lacking in protection if you have not upgraded already.
>
> --
> Brian Morrison

I don't think odd that the virus db format got changed again is very low. BTW, what do you mean by 0.8x is 'useless' ? What do you mean by 'useless' ?
[Clamav-users] regarding clamav load balancing on a multip processor system
If I ran clamav on multi processor box, will the scanning thread be distributed among multiple processors ? Or this is pthread specific ? Has anyone tried this yet ?
[Clamav-users] virus questions
How are viruses like IRC.LXD.A, IRC.Gadez.A encountered ? When a user submits a virus, how do clamav team know that they are of IRC types ??? Just curious .
Re: [Clamav-users] How are downloader viruses encountered ??
--- Christoph Cordes [EMAIL PROTECTED] wrote:

> Joanna Roman wrote:
> > Can anybody tell me how downloader viruses are encountered ? Is it via http browsing and adware ??
>
> Not only - sometimes they are spammed through mail or distributed through P2P networks - you can find them almost everywhere in many different flavours.
>
> --
> Best regards,
> Christoph

Can anyone give me some virus examples (name only) that are spread via web/http ?
[Clamav-users] curl/wget related question
Hi

I am adding some kind of web scanning code into a http proxy. Somewhere in the code where the proxy is ready to send the HTTP GET request to the server, I added some code to first download the URL and scan it before letting the proxy send the GET request out. I was using something like system(/usr/local/bin/curl url name ...). This works well only if the server does not require any session information. In other words, the mechanism won't work if I try to intercept some download via, for example, mail.yahoo.com because the curl will open a fresh tcp connection, about which the server has no session information.

So I am wondering whether it is possible to make curl talk to the server via an already opened socket descriptor. That way I can just pass the socket descriptor to the curl instead of calling system(curl ...) !!!
[Clamav-users] db search error
Link: http://clamav-du.securesites.net/cgi-bin/clamgrok?virus=Trojan.Lowzone-37search-type=containscase-sensitivity=Nodatabase=dailydatabase=maindisplay=databasedisplay=virus.submit=.cgifields=database.cgifields=case-sensitivity.cgifields=search-type.cgifields=display

Try searching Trojan.Lowzone-37

Got following response

File 'daily.zmd' missing in archive; has the db format changed?

What is this ?
[Clamav-users] looking for utility that can control clamav remotely ...
Hi,

I am thinking of building/looking for some kind of utility that can let me remotely control clamav tools. (The utility is not restricted to control only clamav but can be used to control other tools remotely in a similar manner.) Basically the utility will be running on the same machine as the clamd/clamscand. A client can connect to the utility via web interface. From the web interface, the user can start or stop, for example, the clamd/clamdscan. Does anyone know any existing source code that can do such a thing ?

Thanks.
[Clamav-users] How are downloader viruses encountered ??
Can anybody tell me how downloader viruses are encountered ? Is it via http browsing and adware ??

Trojan.Downloader.Agent-117
Trojan.Downloader.Agent-118
Trojan.Downloader.Agent-119
Trojan.Downloader.Agent-120
Re: [Clamav-users] How are downloader viruses encountered ??
--- Tomasz Kojm [EMAIL PROTECTED] wrote:

> On Wed, 27 Apr 2005 18:11:17 -0700 (PDT) Joanna Roman [EMAIL PROTECTED] wrote:
> > Can anybody tell me how downloader viruses are encountered ? Is it via http browsing and adware ??
>
> via lottery
>
> > Trojan.Downloader.Agent-117
> > Trojan.Downloader.Agent-118
> > Trojan.Downloader.Agent-119
> > Trojan.Downloader.Agent-120
> >
> > Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around
>
> Tired.
>
> --
> Tomasz Kojm [EMAIL PROTECTED]
> Thu Apr 28 03:18:44 CEST 2005

Serious answers only. You must be tired. Take a break man ! :) Serious, how are they encountered ?
[Clamav-users] total memory consumption of main.cvd and daily.cvd
What is the total memory consumption of main.cvd and daily.cvd after they are loaded into the memory ?
[Clamav-users] urllib for C [http scanner]
Hi,

There is a http scanner for clamav called SCAVR, which uses python's urllib. Does anyone know whether there is a urllib equivalent for C ?
[Clamav-users] Can phishing be considered one kind of spam ?
Can phishing be considered one kind of spam ?
[Clamav-users] Looking for a nible http redirector
Hi

Does anybody know of any nice http redirector/proxy other than SCAVR (SquidClamAV Redirector). SCAVR has to work with squid, which is too clumsy to me. I only need the redirector functionality that can work with clamav scanner.

Thanks.
Re: [Clamav-users] ClamAV is not 100% open still ?!
--- Thomas Lamy [EMAIL PROTECTED] wrote:

> Guillaume Arcas wrote:
> > Damian Menscher wrote:
> > > http://www.clamav.net/doc/0.75/signatures.pdf
> > >
> > > They removed the functionality in 0.80 and above, but that's because it's simplest for users to create md5 signatures of unknown binaries (and the automatic signature generation depended on having another virus scanner detect it already anyway). Of course, you can also create signatures by hand, which isn't that difficult once you've read the .pdf file for the format.
> > >
> > > About the only thing we *can't* do is create a .cvd file that is signed by the original authors. But if the project were forked, that would be trivial to fix also (requires a one-line change to the source code).
> >
> > What do you mean by they removed the functionality ? sigtool - the command line utility used to create & manipulate signatures - is still there in 0.83. As already said, you cannot build CVD files by yourself but you can create a signature and then create your own database with sigtool and use these files.
>
> They removed the functionality from the tool, not the tool itself, for two reasons:
> (1) The resulting signatures weren't accurate
> (2) The use violates the license of most (if not all) commercial scanners

Why would it violate any license of any commercial scanners ?
Re: [Clamav-users] ClamAV is not 100% open still ?!
--- Tomasz Kojm [EMAIL PROTECTED] wrote:
On Wed, 6 Apr 2005 05:14:36 -0700 (PDT) Joanna Roman [EMAIL PROTECTED] wrote:

My question is can you just run sigtool over the whole file and use the md5 result as the virus signature ?

Yes you can but it won't work accurately if the target file even simply changes (e.g. by adding some foo bytes after the last section).

--
oo. Tomasz Kojm [EMAIL PROTECTED]
(\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
\..._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Wed Apr 6 14:18:07 CEST 2005

So again, back to my original Q. Given a file suspected with viruses, how do you know which portion of the file to extract a virus signature from. I think it would be great if the clamav team can put up some kind of tutorial that teaches that. And assuming you know what and where to extract the signatures, do the current sig tools allow you to extract the md5 sig/virus signature of certain portion of any file ?
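The trade-off Tomasz Kojm describes in the message above, as an added example (not code from ClamAV or from the list): a whole-file MD5 entry stops matching as soon as bytes are appended, while a pattern taken from the file body still matches. The sample bytes, the signature names and the helper functions are constructed for illustration; the two entry layouts (`md5:size:name` and `name=hexstring`) follow ClamAV's hash and basic hex database formats, without offsets or wildcards.

```python
import hashlib

# Constructed stand-in for a suspicious file: header, distinctive body, padding.
MARKER = b"CONSTRUCTED-SAMPLE-MARKER-0001"
SAMPLE = b"MZ" + b"\x00" * 62 + MARKER + b"\x90" * 32


def make_hash_sig(data: bytes, name: str) -> str:
    """Whole-file signature, laid out as md5:size:name."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def make_body_sig(pattern: bytes, name: str) -> str:
    """Content signature, laid out as name=hexstring."""
    return f"{name}={pattern.hex()}"


def match_hash_sig(sig: str, data: bytes) -> bool:
    """True only if both the size and the MD5 of the whole file agree."""
    digest, size, _name = sig.split(":", 2)
    return int(size) == len(data) and hashlib.md5(data).hexdigest() == digest


def match_body_sig(sig: str, data: bytes) -> bool:
    """True if the hex pattern occurs anywhere in the file."""
    _name, hexpat = sig.split("=", 1)
    return bytes.fromhex(hexpat) in data


HASH_SIG = make_hash_sig(SAMPLE, "Constructed.Sample")
BODY_SIG = make_body_sig(MARKER, "Constructed.Sample")


def evaluate() -> dict:
    """Run both signatures over the original and three modified copies."""
    variants = {
        "unchanged": SAMPLE,
        # Kojm's case: a few bytes added after the last section.
        "appended": SAMPLE + b"foo",
        # Same length, one padding byte altered.
        "patched_padding": SAMPLE[:-1] + b"\x91",
        # The distinctive body itself is gone: neither signature applies.
        "marker_removed": SAMPLE.replace(MARKER, b"\x00" * len(MARKER)),
    }
    return {
        label: (match_hash_sig(HASH_SIG, data), match_body_sig(BODY_SIG, data))
        for label, data in variants.items()
    }


if __name__ == "__main__":
    print(HASH_SIG)
    print(BODY_SIG)
    for label, (hash_hit, body_hit) in evaluate().items():
        print(f"{label:16} hash={hash_hit!s:5} body={body_hit}")
```

A body pattern survives trivial changes to the file, but it has to be chosen from bytes that do not occur in clean files, which is the part the thread asks a tutorial for.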
[Clamav-users] heuristic based scanning
ClamAV Team: Have you already thought about adding heuristic based scanning ability to the existing code ? John
[Clamav-users] Will ClamAV always be an open source project ?
What if it got bought up by some company one day ?
Re: [Clamav-users] ClamAV is not 100% open still ?!
At least we still don't know how virus signatures and patterns are created ? Will that ever be disclosed ?
Re: [Clamav-users] ClamAV is not 100% open still ?!
--- Robert G. Werner [EMAIL PROTECTED] wrote:
Joanna Roman wrote:

At least we still don't know how virus signatures and patterns are created ? Will that ever be disclosed ?

The source code is there. What are you missing?

--
In Reach Technology: http://www.inreachtech.net/
Robert G. Werner [EMAIL PROTECTED]
Tel: 559.304.5122
Marge: I would love you if you weighed 1,000 pounds but ...
Homer: Beautiful. G'night.
King-Size Homer

If I gave you a .exe file that has virus, how do you extract the virus signature from the .exe file ? I don't think I know how to do it ?
[Clamav-users] clamd potential race condition
Hi What would happen if the clamd is notified by freshdb to reload the db when the clamd is in the middle of scanning something. I have not read that part of the code yet. But if you know the answer on top of your head, pls inform me.
Re: [Clamav-users] Is this a bug with virus database or updatescripts ???
--- Tomasz Papszun [EMAIL PROTECTED] wrote:
On Fri, 01 Apr 2005 at 9:32:36 -0800, Joanna Roman wrote:
On Friday 1 April 2005 00:50, Joanna Roman wrote:

I noticed that a lot of virus sigs are not available in the virus database. For example, I tried to search in the virus database (http://clamav-du.securesites.net/cgi-bin/clamgrok) for HTML.Phishing.Bank-156, which is in the latest updates but it is not there!

Two questions:
1. Who is responsible for the script ? When I went to http://clamav-du.securesites.net/ I got redirected to clamav ? Can someone from ClamAV fix the script ?

The script has been fixed. Thank you for letting us know that there was a problem with it.

2. How can I have sigtool list actual virus signatures (not just virus names) ?

mkdir somedirectory ; cd somedirectory ; sigtool --unpack-current=main.cvd ; sigtool --unpack-current=daily.cvd ; rm COPYING ; cat *

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
tomek at lodz.tpsa.pl http://www.lodz.tpsa.pl/iso/ | ones and zeros.
tomek at clamav.net http://www.ClamAV.net/ A GPL virus scanner

Glad to know that...
[Clamav-users] What's wrong with the database ???Re: [Clamav-virusdb] Update (daily: 799)
I cannot seem to be able to lookup a lot of signatures from this link http://clamav-du.securesites.net/cgi-bin/clamgrok HTML.Phishing.Bank-157 HTML.Phishing.Bank-159 l are two to start with ... !

--- Trog [EMAIL PROTECTED] wrote:

ClamAV databases updated (2005.04.01 10:49 +): daily.cvd version: 799

Submission: 22808
Sender: Glenn Steen
Added: HTML.Phishing.Bank-157

Submission: 22969
Sender: wadim gusew
Submission notes: False positive from Commercial AV.
Added: No

Submission: 22972
Sender: Anonymous
Added: HTML.Phishing.Bank-159

Submission: 22973
Sender: Anonymous
Added: HTML.Phishing.Bank-158

Submission: 22982
Sender: Glenn Steen
Submission notes: same as #22808
Added: No

Submission: 23005
Sender: Anonymous
Added: W97M.Skaarj.A
Virus name alias: W97M.Skaarj.A (Bitdefender)

Submission: 23019
Sender: Clayton Keller
Submission notes: W32.Magistr.A found using CVS
Added: No

Submission: 23020
Sender: Rob Stampfli
Added: HTML.Phishing.Bank-160

Submission: 23029
Sender: Jotti
Submission notes: Joke.Jepruss detected when extracted
Added: No

Submission: 23127
Sender: Virus Total
Added: Joke.Fool.A

Submission: 23135
Sender: Nigel Horne
Added: JS.Psyme.AN
Virus name alias: JS/Berbew.F (F-Prot)

___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-virusdb
Re: [Clamav-users] Is this a bug with virus database or updatescripts ???
--- Maurice Lucas [EMAIL PROTECTED] wrote:
On Thu, 2005-03-31 at 19:22 -0800, Joanna Roman wrote:
--- Securiteinfo.com [EMAIL PROTECTED] wrote:

Hello,

On Friday 1 April 2005 00:50, Joanna Roman wrote:

I noticed that a lot of virus sigs are not available in the virus database. For example, I tried to search in the virus database (http://clamav-du.securesites.net/cgi-bin/clamgrok) for HTML.Phishing.Bank-156, which is in the latest updates (http://lurker.clamav.net/message/20050331.095845.0b407689.en.html) but it is not there!

To check if the virus database includes a particular virus signature please use :
sigtool -l|grep name_of_virus
eg :
sigtool -l|grep HTML.Phishing.Bank-156
The result is yes, HTML.Phishing.Bank-156 is in the virus database.

Regards, Arnaud

But when it did not show up in the search result ?? Try search it at the following link and you would get nothing ... ! http://clamav-du.securesites.net/cgi-bin/clamgrok

A search on this page for Phishing.Bank gives back 5 results but
sigtool -l |grep Phishing.Bank|wc -l
gives 163 Phishing.Bank results.

Conclusion the cgi script is corrupt and not clamav

This is also the answer to the other question from you What's wrong with the database

Maurice Lucas

Two questions:
1. Who is responsible for the script ? When I went to http://clamav-du.securesites.net/ I got redirected to clamav ? Can someone from ClamAV fix the script ?
2. How can I have sigtool list actual virus signatures (not just virus names) ?
[Clamav-users] Is this a bug with virus database or update scripts ???
I noticed that a lot of virus sigs are not available in the virus database. For example, I tried to search in the virus database (http://clamav-du.securesites.net/cgi-bin/clamgrok) for HTML.Phishing.Bank-156, which is in the latest updates (http://lurker.clamav.net/message/20050331.095845.0b407689.en.html) but it is not there! You can find a lot of such examples !
Re: [Clamav-users] Is this a bug with virus database or update scripts ???
--- Securiteinfo.com [EMAIL PROTECTED] wrote:

Hello,

On Friday 1 April 2005 00:50, Joanna Roman wrote:

I noticed that a lot of virus sigs are not available in the virus database. For example, I tried to search in the virus database (http://clamav-du.securesites.net/cgi-bin/clamgrok) for HTML.Phishing.Bank-156, which is in the latest updates (http://lurker.clamav.net/message/20050331.095845.0b407689.en.html) but it is not there!

To check if the virus database includes a particular virus signature please use :
sigtool -l|grep name_of_virus
eg :
sigtool -l|grep HTML.Phishing.Bank-156
The result is yes, HTML.Phishing.Bank-156 is in the virus database.

Regards, Arnaud

But when it did not show up in the search result ?? Try search it at the following link and you would get nothing ... ! http://clamav-du.securesites.net/cgi-bin/clamgrok
[Clamav-users] Questions on clamd.conf parameters: MaxConnectionQueueLength and MaxThreads
What are MaxConnectionQueueLength and MaxThreads for ? I think that you can only run one clamd instance on one machine. Any more instances will automatically exit due to not being able to bind to the same socket (either /tmp/clamd or TCP socket 3310). On my machine, I set both to be 2. Then I noticed that I can do more than two telnet 3310 to the localhost. So I am just curious what are MaxConnectionQueueLength and MaxThreads really for ?
[Clamav-users] This is a bug in 0.82 and 0.83
Hi, Let me know what you think.

I downloaded clamav (0.92) and installed it. When I clamscan clamav-0.82.tar.gz, clamscan says the archive is OK. However, when I clamscan clamav-0.82/test, clamscan says ClamAV-Test-File found. So why can't clamscan detect ClamAV-Test-File virus in clamav-0.82.tar.gz in the first place ?? At the beginning, I thought it could be due to max space was reached. So I scan with option --max-block, apparently none of max-files, max-space and max-recursion was reached. Is this a bug ? See below:

linux7:/home/netscan 192 clamscan clamav-0.82/test/ -- detected ClamAV-Test-File
clamav-0.82/test/clam.cab: ClamAV-Test-File FOUND
clamav-0.82/test/clam-error.rar: RAR module failure
clamav-0.82/test/clam-error.rar: OK
clamav-0.82/test/clam.rar: ClamAV-Test-File FOUND
clamav-0.82/test/clam.exe: ClamAV-Test-File FOUND
clamav-0.82/test/clam.exe.bz2: ClamAV-Test-File FOUND
clamav-0.82/test/README: OK
clamav-0.82/test/clam.zip: ClamAV-Test-File FOUND
--- SCAN SUMMARY ---
Known viruses: 30342
Scanned directories: 1
Scanned files: 7
Infected files: 5
Data scanned: 0.00 MB
I/O buffer size: 131072 bytes
Time: 0.376 sec (0 m 0 s)
exit code = 1
linux7:/home/netscreen1 193 clamscan clamav-0.82.tar.gz --- Did not detect ClamAV-Test-File
clamav-0.82.tar.gz: OK
--- SCAN SUMMARY ---
Known viruses: 30342
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 23.78 MB
I/O buffer size: 131072 bytes
Time: 6.080 sec (0 m 6 s)
exit code = 0
linux7:/home/netscan 194 clamscan --block-max clamav-0.82.tar.gz -- Did not detect ClamAV-Test-File
clamav-0.82.tar.gz: OK
--- SCAN SUMMARY ---
Known viruses: 30342
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 23.78 MB
I/O buffer size: 131072 bytes
Time: 6.156 sec (0 m 6 s)
exit code = 0
linux7:/home/netscan 195
Re: [Clamav-users] Not detecting virus in uuencoded document in mail?
--- Jerome Limozin [EMAIL PROTECTED] wrote:

Sorry, excuse the total newbie I am if this is a well-known issue, but I browsed the mailing-list archives and FAQ and couldn't find an answer.

Just installed clamav 0.82. ran freshclam OK, ran tests against test files - it worked fine, detected for example the clam.exe file. then, I uuencoded clamav.exe test file and sent it to me by email (uuencode clam.exe clam.exe | mail jerome) then ran clamscan against the mail file (maildir format) - clamscan doesn't detect the test virus.

here is the content of this mail (I changed a bit headers not to disclose my server name) :

$cat testmail
Return-Path: [EMAIL PROTECTED]
X-Original-To: jerome
Delivered-To: [EMAIL PROTECTED]
Received: by server_fqdn (Postfix) id 22181233; Sun, 13 Feb 2005 08:53:46 +0900 (JST)
Delivered-To: [EMAIL PROTECTED]
Received: by server_fqdn (Postfix, from userid 0) id 0FE9024B; Sun, 13 Feb 2005 08:53:46 +0900 (JST)
To: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Date: Sun, 13 Feb 2005 08:53:46 +0900 (JST)
From: [EMAIL PROTECTED] (jerome)

begin 644 clam.exe M35I0``([EMAIL PROTECTED]: M``$``+MQ$$``,\!04(OS4U-0LE`,`1FK'GYNC$` M`VM4/]F`X?OC$`Z7_M`G-(;1,S2%B#`H!`G!V%P([EMAIL PROTECTED],$``` MP!```(`0``#:$```]!`` M2T523D5,,S(N1$Q,``!%ET4')O8V5SP!54T52,S(N M1$Q,`$-,04UEW-A9V5;WA!`.80/S\_/U!%``!,[EMAIL PROTECTED] MX`[EMAIL PROTECTED] M``!``,`@```[EMAIL PROTECTED](``` M```0```0$```A!```(`` M M M6T-,04U!5ET`$!! $P``` ` end

I thought clamav would understand uuencoded parts and scan them? Am I wrong?

thanks
Jerome

So is this problem fixed now ??? If so, in what release ?
[Clamav-users] Do I have to restart clamd every time I run freshclam ??
Do I have to restart clamd every time I run freshclam to have the clamd load up the updated db ?
[Clamav-users] Re:ClamAV Developers, please take a look at this problem too. Could be serious if this is really a bug!
--- Joanna Roman [EMAIL PROTECTED] wrote:

I first clamscanned the downloaded clamav-0.82.tar.gz but it does not detect any virus. Then I gunzipped it, untarred it, tarred and gzipped it, and then clamscanned it again. This time, it detects ClamAV-Test-File. If you take a look at the Data scanned:, you will see the first time is 23.77MB and the second time is only 3.16MB. Can any developers give me an explanation

cweng-fedora:/home/cweng 235 clamscan clamav-0.82.tar.gz
clamav-0.82.tar.gz: OK
--- SCAN SUMMARY ---
Known viruses: 30742
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 23.77 MB
I/O buffer size: 131072 bytes
Time: 5.060 sec (0 m 5 s)
cweng-fedora:/home/cweng 236 gunzip clamav-0.82.tar.gz
cweng-fedora:/home/cweng 237 tar xf clamav-0.82.tar
cweng-fedora:/home/cweng 238
cweng-fedora:/home/cweng 238 tar cf clamav-0.82.tar clamav-0.82
cweng-fedora:/home/cweng 239 gzip clamav-0.82.tar
cweng-fedora:/home/cweng 240 clamscan clamav-0.82.tar.gz
clamav-0.82.tar.gz: ClamAV-Test-File FOUND
--- SCAN SUMMARY ---
Known viruses: 30742
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 3.16 MB
I/O buffer size: 131072 bytes
Time: 2.032 sec (0 m 2 s)
cweng-fedora:/home/cweng 241
cweng-fedora:/home/cweng/clamav-0.82 111 gzip --version
gzip 1.3.3 (2002-03-08)
Copyright 2002 Free Software Foundation
Copyright 1992-1993 Jean-loup Gailly
This program comes with ABSOLUTELY NO WARRANTY.
You may redistribute copies of this program under the terms of the GNU General Public License.
For more information about these matters, see the file named COPYING.
Compilation options: DIRENT UTIME STDC_HEADERS HAVE_UNISTD_H HAVE_MEMORY_H HAVE_STRING_H HAVE_LSTAT
Written by Jean-loup Gailly.
cweng-fedora:/home/cweng/clamav-0.82 112 tar --version
tar (GNU tar) 1.13.25
Copyright © 2001 Free Software Foundation, Inc.
This program comes with NO WARRANTY, to the extent permitted by law.
You may redistribute it under the terms of the GNU General Public License; see the file named COPYING for details.
Written by John Gilmore and Jay Fenlason.
cweng-fedora:/home/cweng/clamav-0.82 113
[Clamav-users] Another strange bug in clamscan (Developers take a look please!)
I first clamscanned the downloaded clamav-0.82.tar.gz but it does not detect any virus. Then I gunzipped it, untarred it, tarred and gzipped it, and then clamscanned it again. This time, it detects ClamAV-Test-File. If you take a look at the Data scanned:, you will see the first time is 23.77MB and the second time is only 3.16MB. Can any developers give me an explanation

cweng-fedora:/home/cweng 235 clamscan clamav-0.82.tar.gz
clamav-0.82.tar.gz: OK
--- SCAN SUMMARY ---
Known viruses: 30742
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 23.77 MB
I/O buffer size: 131072 bytes
Time: 5.060 sec (0 m 5 s)
cweng-fedora:/home/cweng 236 gunzip clamav-0.82.tar.gz
cweng-fedora:/home/cweng 237 tar xf clamav-0.82.tar
cweng-fedora:/home/cweng 238
cweng-fedora:/home/cweng 238 tar cf clamav-0.82.tar clamav-0.82
cweng-fedora:/home/cweng 239 gzip clamav-0.82.tar
cweng-fedora:/home/cweng 240 clamscan clamav-0.82.tar.gz
clamav-0.82.tar.gz: ClamAV-Test-File FOUND
--- SCAN SUMMARY ---
Known viruses: 30742
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 3.16 MB
I/O buffer size: 131072 bytes
Time: 2.032 sec (0 m 2 s)
cweng-fedora:/home/cweng 241
cweng-fedora:/home/cweng/clamav-0.82 111 gzip --version
gzip 1.3.3 (2002-03-08)
Copyright 2002 Free Software Foundation
Copyright 1992-1993 Jean-loup Gailly
This program comes with ABSOLUTELY NO WARRANTY.
You may redistribute copies of this program under the terms of the GNU General Public License.
For more information about these matters, see the file named COPYING.
Compilation options: DIRENT UTIME STDC_HEADERS HAVE_UNISTD_H HAVE_MEMORY_H HAVE_STRING_H HAVE_LSTAT
Written by Jean-loup Gailly.
cweng-fedora:/home/cweng/clamav-0.82 112 tar --version
tar (GNU tar) 1.13.25
Copyright © 2001 Free Software Foundation, Inc.
This program comes with NO WARRANTY, to the extent permitted by law.
You may redistribute it under the terms of the GNU General Public License; see the file named COPYING for details.
Written by John Gilmore and Jay Fenlason.
cweng-fedora:/home/cweng/clamav-0.82 113
Re: [Clamav-users] Not detecting virus in uuencoded document in mail?
Jerome, I ran into a similar problem before. If you attached the encoded file with the right extension, clamscan would understand it. Otherwise, clamscan just thinks it is a text file!

--- Jerome Limozin [EMAIL PROTECTED] wrote:

Sorry, excuse the total newbie I am if this is a well-known issue, but I browsed the mailing-list archives and FAQ and couldn't find an answer.

Just installed clamav 0.82. ran freshclam OK, ran tests against test files - it worked fine, detected for example the clam.exe file. then, I uuencoded clamav.exe test file and sent it to me by email (uuencode clam.exe clam.exe | mail jerome) then ran clamscan against the mail file (maildir format) - clamscan doesn't detect the test virus.

here is the content of this mail (I changed a bit headers not to disclose my server name) :

$cat testmail
Return-Path: [EMAIL PROTECTED]
X-Original-To: jerome
Delivered-To: [EMAIL PROTECTED]
Received: by server_fqdn (Postfix) id 22181233; Sun, 13 Feb 2005 08:53:46 +0900 (JST)
Delivered-To: [EMAIL PROTECTED]
Received: by server_fqdn (Postfix, from userid 0) id 0FE9024B; Sun, 13 Feb 2005 08:53:46 +0900 (JST)
To: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Date: Sun, 13 Feb 2005 08:53:46 +0900 (JST)
From: [EMAIL PROTECTED] (jerome)

begin 644 clam.exe M35I0``([EMAIL PROTECTED]: M``$``+MQ$$``,\!04(OS4U-0LE`,`1FK'GYNC$` M`VM4/]F`X?OC$`Z7_M`G-(;1,S2%B#`H!`G!V%P([EMAIL PROTECTED],$``` MP!```(`0``#:$```]!`` M2T523D5,,S(N1$Q,``!%ET4')O8V5SP!54T52,S(N M1$Q,`$-,04UEW-A9V5;WA!`.80/S\_/U!%``!,[EMAIL PROTECTED] MX`[EMAIL PROTECTED] M``!``,`@```[EMAIL PROTECTED](``` M```0```0$```A!```(`` M M M6T-,04U!5ET`$!! $P``` ` end

I thought clamav would understand uuencoded parts and scan them? Am I wrong?

thanks
Jerome
[Clamav-users] Is anyone using Michael Lang's SquidClamAV Redirector ?
If so, have you encountered the following errors ?

Feb 11 14:50:37 localhost SquidClamAV: Unable to get Size from Url http://home.netscape.com/bookmark/7_2/home.html: [Errno socket error] timed out
Feb 11 14:50:37 localhost SquidClamAV: Ignored Request http://home.netscape.com/bookmark/7_2/home.html 127.0.0.1/localhost.localdomain - GET
Feb 11 14:50:37 localhost SquidClamAV: Unable to get Size from Url http://home.netscape.com/bookmark/7_2/home.html: [Errno socket error] (111, 'Connection refused')
Feb 11 14:50:37 localhost SquidClamAV: Ignored Request http://home.netscape.com/bookmark/7_2/home.html 127.0.0.1/localhost.localdomain - GET
Feb 11 14:50:37 localhost SquidClamAV: Unable to get Size from Url http://www.yahoo.com/: [Errno socket error] (111, 'Connection refused')
Feb 11 14:50:37 localhost SquidClamAV: Ignored Request http://www.yahoo.com/ 12.1.1.100/- - GET
Feb 11 14:50:37 localhost SquidClamAV: Unable to get Size from Url http://home.netscape.com/bookmark/7_2/home.html: ('http error', 503, 'Service Unavailable', httplib.HTTPMessage instance at 0xb7d39a2c)
Feb 11 14:50:37 localhost SquidClamAV: Ignored Request http://home.netscape.com/bookmark/7_2/home.html 12.1.1.100/- - GET
Feb 11 14:50:37 localhost SquidClamAV: Unable to get Size from Url http://home.netscape.com/bookmark/7_2/home.html: ('http error', 503, 'Service Unavailable', httplib.HTTPMessage instance at 0xb7d39a2c)
Re: [Clamav-users] Re: clamav-0.82 bug (Cannot detect virus in certain archive ???)
I don't get it. If it can scan test.tar.gz, then why it can't scan clamav-0.82.tar.gz, which contains test directory, which contains clam.exe.bz2 ? Since both are gz archives!? So what is the problem ?

--- Tomasz Kojm [EMAIL PROTECTED] wrote:
On Wed, 9 Feb 2005 18:03:30 -0800 (PST) Joanna Roman [EMAIL PROTECTED] wrote:

If you tgz test dir to be test.tar.gz, the clamscan can detect it. But clamscan cannot detect it in clamav-0.82.tar.gz I just want to know the reason (e.g. max number of files reached ? max archive level reached ?). Anybody knows the answer ???

Not all kinds of GNU tar archives are currently supported by the internal unpacker.

--
oo. Tomasz Kojm [EMAIL PROTECTED]
(\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
\..._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Thu Feb 10 03:17:07 CET 2005
[Clamav-users] virus signature length
What is the average virus signature length these days ?
[Clamav-users] clamav-0.82 bug (Cannot detect virus in certain archive ???)
I downloaded clamav (0.92) and installed it. When I clamscan clamav-0.82.tar.gz, clamscan says the archive is OK. However, when I clamscan clamav-0.82/test, clamscan says ClamAV-Test-File found. So why can't clamscan detect ClamAV-Test-File virus in clamav-0.82.tar.gz in the first place ?? At the beginning, I thought it could be due to max space was reached. So I scan with option --max-block, apparently none of max-files, max-space and max-recursion was reached. Is this a bug ? See below:

linux7:/home/netscan 192 clamscan clamav-0.82/test/ -- detected ClamAV-Test-File
clamav-0.82/test/clam.cab: ClamAV-Test-File FOUND
clamav-0.82/test/clam-error.rar: RAR module failure
clamav-0.82/test/clam-error.rar: OK
clamav-0.82/test/clam.rar: ClamAV-Test-File FOUND
clamav-0.82/test/clam.exe: ClamAV-Test-File FOUND
clamav-0.82/test/clam.exe.bz2: ClamAV-Test-File FOUND
clamav-0.82/test/README: OK
clamav-0.82/test/clam.zip: ClamAV-Test-File FOUND
--- SCAN SUMMARY ---
Known viruses: 30342
Scanned directories: 1
Scanned files: 7
Infected files: 5
Data scanned: 0.00 MB
I/O buffer size: 131072 bytes
Time: 0.376 sec (0 m 0 s)
exit code = 1
linux7:/home/netscreen1 193 clamscan clamav-0.82.tar.gz --- Did not detect ClamAV-Test-File
clamav-0.82.tar.gz: OK
--- SCAN SUMMARY ---
Known viruses: 30342
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 23.78 MB
I/O buffer size: 131072 bytes
Time: 6.080 sec (0 m 6 s)
exit code = 0
linux7:/home/netscan 194 clamscan --block-max clamav-0.82.tar.gz -- Did not detect ClamAV-Test-File
clamav-0.82.tar.gz: OK
--- SCAN SUMMARY ---
Known viruses: 30342
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 23.78 MB
I/O buffer size: 131072 bytes
Time: 6.156 sec (0 m 6 s)
exit code = 0
linux7:/home/netscan 195
Re: [Clamav-users] Re: clamav-0.82 bug (Cannot detect virus in certain archive ???)
If you tgz test dir to be test.tar.gz, the clamscan can detect it. But clamscan cannot detect it in clamav-0.82.tar.gz I just want to know the reason (e.g. max number of files reached ? max archive level reached ?). Anybody knows the answer ???

René Berber [EMAIL PROTECTED] wrote:
Joanna Roman wrote:

I downloaded clamav (0.92) and installed it. When I clamscan clamav-0.82.tar.gz, clamscan says the archive is OK. However, when I clamscan clamav-0.82/test, clamscan says "ClamAV-Test-File" found. So why can't clamscan detect "ClamAV-Test-File" "virus" in clamav-0.82.tar.gz in the first place ??

It seems to be specific to clamav-0.82.tar.gz.

I did "tar czvf test.tar.gz clamav-0.82/test; clamscan test.tar.gz" and it does find the ClamAV-Test-File. With the old clamav-0.80.tar.gz it only finds the Eicar-Test-Signature which is inside clamdwatch.tar.gz .

So, I think this might be intentional, somewhere clamscan has hardcoded to ignore the test directory inside clamav-*.tar.gz .

Whatever.
--
René Berber