Re: [clamav-users] Tracking false positives

2011-03-06 Thread Karsten Bräckelmann
On Sun, 2011-03-06 at 20:32 -0500, Alex wrote:
> > Every email has a unique-ish Message-Id. Proper MUAs, when replying,
> > will set the In-Reply-To header to the just replied-to message's
> > Message-Id, and likewise add it to the list in the References header.
> 
> Yes, I understand this. I just thought the "thread view" period for a
> message would be about a month or so, not six, and therefore would not
> be lost in an old archive, but instead just treated as a new message.

There is no time period. The In-Reply-To header reflects the parent
message's Message-Id, and References keeps all of the parents.


> > That's pretty much everything to understand, here. Probably not worth
> > quitting over. :)
> 
> I meant quit on this off-topic thread before I make myself look any
> more inept :-)

That's the beauty of anonymous addresses, isn't it? OK, we've had this
topic before. ;)

Well, it probably was more worthwhile than most of the "something broke"
threads. And the lesson anyway is, if you are using a third-party sig
downloader script, subscribing to the sanesecurity list probably is a
good idea.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [clamav-users] [Clamav-users] Tracking false positives

2011-03-06 Thread Karsten Bräckelmann
On Sun, 2011-03-06 at 17:52 -0500, Alex wrote:
> > In-Reply-To and References headers. Set when replying.
> >
> >  guenther  -- who has given up hoping long ago, that folks running mail
> >   servers should understand mail headers
> 
> I'm not sure if I should quit while I'm still behind, or if I should
> add that I do understand that mail header; I knew those headers would
> be set, but I guess I didn't understand any previous references
> containing that header would still associate this email with that
> reference.

Every email has a unique-ish Message-Id. Proper MUAs, when replying,
will set the In-Reply-To header to the just replied-to message's
Message-Id, and likewise add it to the list in the References header.

Proper MUAs will use these headers to create a tree representation of
the whole thread, when enabling the "Thread View" feature.

Setting these threading headers happens when replying. Removing the
quoted text does not affect this, neither does using a new Subject. (You
didn't try this, but some folks seem to believe it would magically make
it a new mail.)


That's pretty much everything to understand, here. Probably not worth
quitting over. :)

  guenther


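The threading behaviour explained in this reply (and in the later "There is no time period" follow-up) can be checked directly against the headers. The following Python is an added example, not code from the list or from ClamAV: it threads a small set of constructed messages purely by Message-Id, In-Reply-To and References, and shows that a reply sent six months later, with a new Subject and no quoted text, still lands under the original root, while a message without those headers starts a fresh thread. The message ids and dates are made up.

```python
import email
from email.utils import parsedate_to_datetime

# Constructed sample messages (not the archived thread). The third message is
# sent six months after the root, carries a new Subject and quotes nothing, yet
# its In-Reply-To/References headers still tie it to the old thread. The fourth
# has no threading headers at all and therefore becomes its own root.
RAW_MESSAGES = [
    "Message-Id: <root@example.invalid>\n"
    "Date: Wed, 01 Sep 2010 10:00:00 +0000\n"
    "Subject: Tracking false positives\n\nfirst post\n",
    "Message-Id: <reply1@example.invalid>\n"
    "In-Reply-To: <root@example.invalid>\n"
    "References: <root@example.invalid>\n"
    "Date: Wed, 01 Sep 2010 11:00:00 +0000\n"
    "Subject: Re: Tracking false positives\n\n> first post\n\nan answer\n",
    "Message-Id: <new-fp@example.invalid>\n"
    "In-Reply-To: <reply1@example.invalid>\n"
    "References: <root@example.invalid> <reply1@example.invalid>\n"
    "Date: Sun, 06 Mar 2011 15:39:00 +0000\n"
    "Subject: Another false positive\n\nI have another one.\n",
    "Message-Id: <fresh@example.invalid>\n"
    "Date: Sun, 06 Mar 2011 16:00:00 +0000\n"
    "Subject: Another false positive\n\nreally a new thread\n",
]


def parse_threading_headers(raw: str) -> dict:
    """Pull out the three headers a threading MUA looks at, plus Subject/Date for display."""
    msg = email.message_from_string(raw)
    return {
        "id": msg["Message-Id"].strip(),
        "in_reply_to": (msg.get("In-Reply-To") or "").strip() or None,
        # References lists every ancestor, oldest first.
        "references": (msg.get("References") or "").split(),
        "subject": msg["Subject"],
        "date": parsedate_to_datetime(msg["Date"]),
    }


def parent_id(m: dict):
    """In-Reply-To names the direct parent; fall back to the last References entry."""
    return m["in_reply_to"] or (m["references"][-1] if m["references"] else None)


def build_threads(raws):
    """Return (messages_by_id, root_of). Only headers are consulted, never the date."""
    msgs = {m["id"]: m for m in map(parse_threading_headers, raws)}
    root_of = {}
    for mid in msgs:
        cur, seen = mid, set()
        while True:
            seen.add(cur)
            p = parent_id(msgs[cur])
            # Stop at a message whose parent is unknown (not in the archive) or missing.
            if p is None or p not in msgs or p in seen:
                break
            cur = p
        root_of[mid] = cur
    return msgs, root_of


def thread_gap_days(raws, message_id: str) -> int:
    """Days between a message and the root of the thread it is filed under."""
    msgs, root_of = build_threads(raws)
    return (msgs[message_id]["date"] - msgs[root_of[message_id]]["date"]).days


if __name__ == "__main__":
    msgs, root_of = build_threads(RAW_MESSAGES)
    for mid, root in root_of.items():
        print(f"{mid} -> thread root {root} ({msgs[root]['subject']})")
    print("gap in days:", thread_gap_days(RAW_MESSAGES, "<new-fp@example.invalid>"))
```

The only thing that breaks the link is the absence of the headers, which is exactly what starting a new message (rather than replying) does.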


Re: [clamav-users] [Clamav-users] Tracking false positives

2011-03-06 Thread Karsten Bräckelmann
On Sun, 2011-03-06 at 17:22 -0500, Alex wrote:
> > There was some discussion about this particular signature on the
> > Sanesecurity list.  Archives here:
> > http://news.gmane.org/gmane.comp.security.virus.clamav.sanesecurity

> Thanks everyone for the information. I thought for sure it was that I
> was doing something wrong, which is why I didn't google it first.
> 
> I'll also start a new thread next time; I didn't think it would be
> associated with that old thread any longer for the very reason that it
> was so old.

In-Reply-To and References headers. Set when replying.

  guenther  -- who has given up hoping long ago, that folks running mail
   servers should understand mail headers



Re: [clamav-users] [Clamav-users] Tracking false positives

2011-03-06 Thread Karsten Bräckelmann
On Sun, 2011-03-06 at 15:39 -0500, Alex wrote:
> Some time ago I posted a message requesting help tracking down a false
> positive, and trying to learn why it triggered. I have another one.

Yes, back in Sep 2010. A lot of people using threading and keeping an
archive are unlikely to ever read this new-spawned sub-thread.

IMHO, a new FP months later warrants a new thread...


> $ sigtool --find-sigs MBL_144360 | sigtool --decode-sigs
> VIRUS NAME: MBL_144360
> TARGET TYPE: ANY FILE
> OFFSET: *
> DECODED SIGNATURE:
> update.multivaccine.co.kr/setupa
> 
> Is that the correct way? I looked at the email itself, and not only is
> it from a trusted sender, but it doesn't contain that URL in the
> message. Am I missing something?

This has extensively been discussed on the sanesecurity mailing list
(even though it is unrelated to sanesecurity).

This MBL sig used to be a broken, plain 'updat'. It has been fixed
since, and re-issued using the same sig name.

For the full story, see this.
  http://article.gmane.org/gmane.comp.security.virus.clamav.sanesecurity/3092




Re: [Clamav-users] Reload process

2010-05-25 Thread Karsten Bräckelmann
On Sun, 2010-05-23 at 17:43 +0300, Török Edwin wrote:
> > > If a file is determined to be clean, its MD5 is added to an in-memory 
> > > cache.
> > > When scanning a new file, its MD5 is computed and looked up in the
> > > cache. If found, it is considered clean.
> > > On DB reload the entire cache is cleared.
> > 
> > But, isn't that typically done multiple times a day?
> > 
> > So what exactly is the use-case for this, other than doing full system
> > scans more frequently than signature updates?
> 
> Even when doing full systems scan you still have a cache of last N
> minutes (where N depends how often you reload the DB).
> This helps with:
>  - duplicate files, or files both in archived an unarchived state
>  - since we cache at the extracted files level, even if only part of an
> archive/container is redundant, we have that cached
>  - mails containing same attachment, which was already determined to be
> clean

Ah, now I see. :)  Thanks for explaining, Török.

>  - archive bombs: instead of trying to scan 2^N files until the
> recursion depth/maxfilesize limit is reached, it only needs to scan N
> files (N is recursion depth) for a typical archive bomb that expands to
> 2 more archives at each depth.
>  - ensure that the bytecode won't accidentally need 2^N time to run: if
> it happens to extract a file that matches the logical signature of the
> same bytecode again, which would trigger further extraction and so on
> 
> The latter is the reason why the feature was added, however some initial
> tests have showed improved performance for nearly any kind of scan
> (system, mails, home, etc.)

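Török's description of the clean-file cache (MD5 of each clean file kept in memory, looked up before scanning, whole cache dropped on DB reload) and his archive-bomb argument can be modelled in a few lines. The Python below is an added example written for this page, not ClamAV's implementation: the container format, the signature matching and the file contents are all constructed. It counts how many times file content is actually matched against signatures for a nested archive whose every level holds the same member twice, with and without the cache, and shows why the cache has to be cleared on reload: a new signature must not be masked by a stale "clean" verdict.

```python
import hashlib


class CleanCache:
    """In-memory set of MD5 digests of data already found clean (constructed model)."""

    def __init__(self):
        self._digests = set()

    def is_clean(self, data: bytes) -> bool:
        return hashlib.md5(data).hexdigest() in self._digests

    def add(self, data: bytes) -> None:
        self._digests.add(hashlib.md5(data).hexdigest())

    def clear(self) -> None:
        self._digests.clear()


def extract_members(data: bytes) -> list:
    """Toy container format (constructed): b'ARC|' + member, holding that member twice."""
    if data.startswith(b"ARC|"):
        member = data[4:]
        return [member, member]
    return []


class Scanner:
    def __init__(self, signatures, cache=None, max_depth=32):
        self.signatures = [bytes(s) for s in signatures]
        self.cache = cache
        self.max_depth = max_depth
        self.content_scans = 0  # how many times a file's bytes were actually matched

    def reload_db(self, signatures):
        """New signatures invalidate every cached 'clean' verdict."""
        self.signatures = [bytes(s) for s in signatures]
        if self.cache is not None:
            self.cache.clear()

    def scan(self, data: bytes, depth: int = 0) -> str:
        if self.cache is not None and self.cache.is_clean(data):
            return "OK"  # cache hit: neither matched nor re-extracted
        self.content_scans += 1
        if any(sig in data for sig in self.signatures):
            return "FOUND"
        if depth < self.max_depth:
            for member in extract_members(data):
                if self.scan(member, depth + 1) == "FOUND":
                    return "FOUND"
        if self.cache is not None:
            self.cache.add(data)  # cached only at the extracted-file level, after it is clean
        return "OK"


def make_bomb(levels: int, payload: bytes = b"harmless payload") -> bytes:
    """`levels` nested archives, each holding the next level twice: 2**levels leaves."""
    data = payload
    for _ in range(levels):
        data = b"ARC|" + data
    return data


def bomb_scan_counts(levels: int) -> tuple:
    """(content scans without cache, content scans with cache) for one bomb."""
    plain = Scanner([b"EICAR"])
    cached = Scanner([b"EICAR"], cache=CleanCache())
    bomb = make_bomb(levels)
    plain.scan(bomb)
    cached.scan(bomb)
    return plain.content_scans, cached.content_scans


def stale_verdict_demo() -> tuple:
    """Verdicts before and after a DB reload that adds a signature for the cached payload."""
    s = Scanner([b"EICAR"], cache=CleanCache())
    before = s.scan(b"harmless payload")      # scanned, found clean, cached
    hit = s.scan(b"harmless payload")         # cache hit, no content scan
    scans_after_hit = s.content_scans
    s.reload_db([b"EICAR", b"harmless"])      # cache cleared together with the reload
    after = s.scan(b"harmless payload")       # rescanned against the new signature
    return before, hit, scans_after_hit, after


if __name__ == "__main__":
    print("10-level bomb, content scans without/with cache:", bomb_scan_counts(10))
    print("before, hit, scans so far, after reload:", stale_verdict_demo())
```

Without the cache the 10-level bomb costs 2^11 - 1 = 2047 content scans; with it, 11 (one per depth), which is Török's "N files instead of 2^N".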

Re: [Clamav-users] Reload process

2010-05-23 Thread Karsten Bräckelmann
On Sun, 2010-05-23 at 10:21 +0300, Török Edwin wrote:
> > else
> > Scan it like it does now
> > ( with everything in the DB, I assume. )
> > }
> 
> A simpler form of this is already implemented in 0.96 :)
> 
> If a file is determined to be clean, its MD5 is added to an in-memory cache.
> When scanning a new file, its MD5 is computed and looked up in the
> cache. If found, it is considered clean.
> On DB reload the entire cache is cleared.

But, isn't that typically done multiple times a day?

So what exactly is the use-case for this, other than doing full system
scans more frequently than signature updates?



Re: [Clamav-users] unofficial rules preferred

2009-09-14 Thread Karsten Bräckelmann
On Mon, 2009-09-14 at 17:27 +0200, Wolfgang Breyha wrote:
> I'm running clamd with both official and sanesecurity sigs.
> 
> Now I made a test with my virus archive and recognized that clamd prefers the
> sanesecurity sigs. Using only ClamAV original sigs I have ~3500 virus matches.
> Using both original and sanesecurity sigs ~3900 are found, but the originals
> only match ~2000 anymore and all the others are caught by sanesecurity rules.
> 
> Since I want to block mail found by the original rules and mark mails for
> spamassassin found by sanesecurity this is really bad.
> 
> Is there any way to set kind of priority which of the rules are preferred?

I once asked a related question. The answer was along the lines, that it
is unpredictable which sig(-set) will fire, and there is no way to
define preferences or order of matches. With a single clam instance,
that is.

  guenther



Re: [Clamav-users] ClamAV Webinar on 4th March

2009-02-21 Thread Karsten Bräckelmann
On Sat, 2009-02-21 at 02:57 +0100, chen wrote:
> Why don't this lists webmaster install a simple forum ?

Please don't hijack unrelated threads.

> Yes a link to unsubscribe this list would be welcome.

You just confirmed you don't read any of these posts. Not even the ones
clearly talking about this very topic.

Would you mind following the link you quoted? There you'll find
instructions how to unsubscribe easily.

> > http://www.clamav.net/support/ml

THAT link. Pretty please with sugar on top.


Why can't I stop laughing, though I feel like crying?




Re: [Clamav-users] OT: Re: please remove

2009-02-21 Thread Karsten Bräckelmann
On Fri, 2009-02-20 at 22:25 -0500, Gary L Burnore wrote:
> Laurens  wrote:

> > I have been wanting to unsubscribe from this fucking thing for over a
> > year can not remember log in details etc and as a result I keep
> > getting this shit.
> 
> Ok, someone's gotta say it, YOU are a fucking moron.  The info can be found
> at the bottom of every one of these posts,

Thanks, Gary. :)

> > I have written, mailed and asked politely all to no avail it is
> > now called spam.
> 
> No, it's not. But feel free to believe anything your little brain desires.
> 
> 
> > STOP THIS SHIT PLEASE

Laurens, it's amazing -- you just replied to an old post, ignoring the
entire thread talking about HOW to unsubscribe. Sometimes it's better to
read, than to shout, eh?

Even in my wildest dreams, I don't see how *you* managed to subscribe to
this list in the first place.


> http://lists.clamav.net/mailman/listinfo/clamav-users
> 
> Look down at the bottom, (that's the opposite of where you like to post) and
> see this: 
> 
> To unsubscribe from clamav-users, get a password reminder, or change your
> subscription options enter your subscription email address:



[Clamav-users] OT: Re: please remove

2009-02-19 Thread Karsten Bräckelmann
On Thu, 2009-02-19 at 10:50 +, Ian Eiloart wrote:
> > http://www.clamav.net/support/ml
> 
> Can we not have the list unsubscribe link in the footer, too? It's a legal 

Maybe start by following the link you quoted... ;)

> requirement in the UK to have an easy to use mechanism to unsubscribe to 
> marketing  emails. The definition of marketing would definitely extend to 
> promotion of free open source software. Whether it also extends to a 

This is NOT marketing, neither promotion.

> support list like this might be debatable, but surely the developers of 
> software developed mainly in response to the spamming industry ought to be 
> following best practice.

Those guys managed to subscribe themselves, somehow. Too bad some (quite
rare on technical lists) individuals seem to forget how they did that.
*shrug*

> As long as most MTAs don't expose the List-Unsubscribe: header (none do by 
> default, as far as I'm aware), it can't be described as "easy to use". Some 
> MTAs even make it really hard to find the full message headers.

Evolution does. Nope, doesn't display the header verbatim, but offers
Unsubscribe, Get Info and other actions on all mailing list posts.

  guenther  -- crawls back into his hole for more coffee




Re: [Clamav-users] Submitting malware attachments or full email?

2008-12-03 Thread Karsten Bräckelmann
On Tue, 2008-12-02 at 10:10 +0100, Tomasz Kojm wrote:
> On Tue, 02 Dec 2008 00:59:01 +0100
> Karsten Bräckelmann <[EMAIL PROTECTED]> wrote:

FWIW, detected as Trojan.Invo-13 and Trojan.Downloader-60790.

Which (again) raises the question why that variation, for what appears
to be a single malware.

> > Should I submit the entire, original email, or the attachment only?
> 
> The entire email is usually most useful to us.

Thanks, Tomasz.  I kind of went paranoid, given the scary report
recently referred to in my OP.



[Clamav-users] Submitting malware attachments or full email?

2008-12-01 Thread Karsten Bräckelmann
Today started again what seems to establish itself as the Monday run [1]
of user-frightening malware attachments, properly phrased German. The
last one is exactly one week ago, and they appear to start after office
hours. *sigh*

Given the recent report on this list of malware submissions, where parts
of the innocent wrapper mail ended up in the signatures, rather than the
attachment only...

Should I submit the entire, original email, or the attachment only?


Also, since no one answered my previous question: Samples checked by
virustotal are *not* automatically forwarded to you guys? Or are they?

  guenther  -- come on, this is just a nick


[1] Sorry, Robert, if you again don't get that wave. ;)



Re: [Clamav-users] Bugzilla

2008-11-05 Thread Karsten Bräckelmann
On Tue, 2008-11-04 at 12:55 -0500, Jason Bertoch wrote:
> > Use the advanced search tab. Or select 'All' instead of 'Open Bugs'.
> 
> I suppose I should have mentioned I tried that.  Even with all components,
> versions, statuses, resolutions, severities, priorities, hardware, and OS's
> checked, a search for PDF in summary or comment returns Zarro Boogs.

Select all -- don't do that. :)

Advanced Search, un-check [1] any Status -- this will not limit to any
sub-set -- which defaults to all kind of valid bugs. Enter some search
words for Summary and/or Comment [1]. Returns 67 bugs for comment
contains "pdf".

Since you are searching for a bug *you* filed, you can use Email /
reporter contains instead of doing a plain text summary or comment
search. HTH

  guenther


[1] Ctrl-click does the trick. In the Status case you can select all to
get the same result, though.
[2] Defaults to contains the string. Change this, if you are looking for
comments simply containing multiple words.


Re: [Clamav-users] Malware submission / Virustotal

2008-10-29 Thread Karsten Bräckelmann
On Sat, 2008-10-25 at 16:27 +0200, Karsten Bräckelmann wrote:
> Recent flood of (German only?) Trojan.Agent malware, partly slipping by
> ClamAV. So I now am submitting samples where I spot 'em...

FWIW, also reported by Heise (sorry, German only).
  http://www.heise.de/security/news/meldung/117971

Robert, just consider yourself lucky you didn't see any of them. ;)


> By doing so, two questions came up:
> 
> (a) After testing the sample message with Virustotal, should I even
> bother submitting it from clamav.net, too? If memory serves me
> correctly, these samples are being forwarded to the ClamAV sig team
> anyway. Just couldn't find any note on the websites...

Any takers? Are virus samples checked by Virustotal automatically
forwarded to the ClamAV sig team?


> (b) When submitting on clamav.net I opted in for "notify me" and "stay
> anonymous". However, I didn't get any notification about yesterday's
> sample, which already has been added to the sigs. How come, is this
> broken?

Probably just an oops or something, I *did* receive a notification mail
about further samples submitted. Sending these from mailer-daemon isn't
the best choice IMHO, though.


> Thanks in advance for any insight, that might help speed up the process
> and not waste our sig team's time unnecessarily.

Let's try this again. :)



Re: [Clamav-users] Malware submission / Virustotal

2008-10-26 Thread Karsten Bräckelmann
On Sun, 2008-10-26 at 10:22 +0100, Robert Schetterer wrote:
> Karsten Bräckelmann schrieb:
> > Recent flood of (German only?) Trojan.Agent malware, partly slipping by
> > ClamAV. So I now am submitting samples where I spot 'em...
> > 
> > By doing so, two questions came up:

[ Yet unanswered sample submission best-practice questions snipped. ]

> Hi Karsten,
> just for my interest, I don't see
> a significant growth of German malware in mail,
> I use clamav-milter with
> http://www.sanesecurity.com/clamav/
> and I don't know of anything slipping through
> ( investigated the quarantine dir )
> on 5 really big mail servers with over a hundred domains ( mostly German )
> and over 3000 mailboxes,

OK, here's a rough sketch, no hard numbers. Also, please note that I am
NOT a mail admin with a lot of users. The numbers below represent pretty
much me, and me only. :)

This started Fri and seems to have ceased by today already. I received
like 40 of these a day, with half of them slipping by ClamAV on Fri.
Usually I don't even get anything near 40 malware mails a *week*. That's
why I believe the term "flood" is justified.

(Talking about malware, attached archives containing Windows
executables, mind you. This does not include the bulk of pestering
phishes. And yes, I do use the SaneSecurity phish sigs.)


> after all it would only be evil if real viri bypass
> but as it's some kind of spam ( phishing etc ) it's
> checked by spamassassin and marked too in my setups
> perhaps you should tune up the antispam features in your mailserver

SpamAssassin is tuned rather well, thanks. :)  In fact, you probably
should know me from the SA mailing list, Robert. ;)

And indeed, all of them scored around 15+, none slipped by SA. This
however is a consequence of using the same botnet. ClamAV still didn't
recognize the malware.


I didn't complain. And my post was not about ClamAV not catching them,
either. I asked about sample submission best-practices and avoiding
unnecessary workload -- which remains unanswered.


> in general to block incoming bots before getting to the clamav-antivir stage
> that should bring down the malware rate in any case

I don't block at SMTP stage for various reasons. One being, that I need
the spam corpus.

Anyway, while this gets slightly off-topic, most of these did hit
Spamhaus XBL (sic) or at least PBL. That might explain why you didn't
see them.


> so where do your info come from ?

Straight from my mail in-stream. :)  Plus some general knowledge about
botnets and their specific, identifying patterns, regarding some of the
statements above.



[Clamav-users] Malware submission / Virustotal

2008-10-25 Thread Karsten Bräckelmann
Recent flood of (German only?) Trojan.Agent malware, partly slipping by
ClamAV. So I now am submitting samples where I spot 'em...

By doing so, two questions came up:

(a) After testing the sample message with Virustotal, should I even
bother submitting it from clamav.net, too? If memory serves me
correctly, these samples are being forwarded to the ClamAV sig team
anyway. Just couldn't find any note on the websites...

(b) When submitting on clamav.net I opted in for "notify me" and "stay
anonymous". However, I didn't get any notification about yesterday's
sample, which already has been added to the sigs. How come, is this
broken?

Thanks in advance for any insight, that might help speed up the process
and not waste our sig team's time unnecessarily.

  guenther




Re: [Clamav-users] Scan stops at first virus sig

2008-04-10 Thread Karsten Bräckelmann
On Thu, 2008-04-10 at 13:58 +0100, Greg Smith wrote:
> I am trying to scan files so that clam scans the entire file for all viruses
  ^
Smells like mbox.

> and doesnt stop at the first one it finds?  Is this possible?

In that case, formail is your friend. If you're not about mbox files,
please be more specific.

$ formail -s clamdscan -  < $mbox

  guenther




Re: [Clamav-users] Creating your own Signatures: Bound Offset

2008-01-27 Thread Karsten Bräckelmann
On Sat, 2008-01-26 at 10:29 +0100, Tomasz Kojm wrote:
> On Sat, 26 Jan 2008 01:20:26 +0100
> Karsten Bräckelmann <[EMAIL PROTECTED]> wrote:
> 
> > $ cat test.ndb
> > local.test:4:0:{-4096}74657374
> 
> It won't work because there's no 'sub-signature' preceding the range wildcard.
> You can use a floating offset to workaround the limitation:
> 
> local.test:4:0,4096:74657374

Thanks Tomasz, that works nicely. :)

Just a pity, that the sig manual doesn't mention range wildcards at
all. Or the limitation of a preceding sub-signature to be at least 2
chars.

Anyway, now that this works -- any word on the speed impact (as per my
OP and the other sub-thread)?

  guenther




Re: [Clamav-users] help-about regular expressions in signatures-From: Török Edwin

2008-01-27 Thread Karsten Bräckelmann
On Sun, 2008-01-27 at 16:44 -0500, xue wen wrote:
> The signature I have made up is like this:
> 
> Worm.Yawen (Clam)=61*7c62
> 
> where "617c62" means "a|b". Once I add the wildcard into this signature,
> there will be an error, no matter I put it into a .db or .ndb file. Is there
> something wrong of the way I build my signature?

As I've pointed out in a related post 2 days ago, there seems to be a
limitation on the signatures and minimum lengths of sub-signatures, when
wildcards are involved.

A single char before the wildcard does not work. You'll need at least 2
chars before and after the wildcard.
  6161*6262

The above will match any stream, that contains two consecutive 'a', and
two consecutive 'b' at any point later. Oh, and this time, I checked by
building a sig. ;)

  guenther




Re: [Clamav-users] 10. Re: help-about regular expressions in signatures (Kris Deugau)

2008-01-27 Thread Karsten Bräckelmann
On Sun, 2008-01-27 at 17:03 -0500, xue wen wrote:
> I just want to learn the format of ClamAV's signature. So I tried to build a
> signature containing a wildcard by myself. The example I used is as follows:
> 
> I have made up a signature of: Worm.Yawen (Clam)=61*7c62
> where "617c62" means "a|b".

I believe this will match the string 'a|b' literally. If you want an
alternation, to match either 'a' or 'b', only hex encode the strings.
The wildcard stuff must not be hex encoded.
  (61|62)

Caveat: Going from my understanding of the not-so-fine sig manual, I
have not tested this. ;)


> Then I put this signature into a .db file. When
> I didn't add the * in the signature, it can be used to match the string of
> a|b. But once I added the * into the signature, there was an error like
> this:
> 
> LibClamAV Error: cli_parse_add(): Problem adding signatures (2).
> Problem parsing signature at line 1
> Problem parsing database at line 1
> Can't load daily.db: Malformed database
> ERROR: Malformed database
> 
> What is wrong in my method of building the signature with wildcard?

As Török already told you Fri, wildcard signatures go into a .ndb file.

  guenther




Re: [Clamav-users] Creating your own Signatures: Bound Offset

2008-01-25 Thread Karsten Bräckelmann
On Fri, 2008-01-25 at 18:41 -0800, Dennis Peterson wrote:
> Karsten Bräckelmann wrote:
> > On Fri, 2008-01-25 at 17:54 -0800, Dennis Peterson wrote:

> >> The sigs are full of unbound RE's. That's why scanning mbox mail files is 
> >> pointless.
> > 
> > Yes, I know. I contributed that fact to the thread a while ago...
> > 
> > I do realize the ambiguity here -- there is no plural for 'mail'. :)
> > However, I am talking about a *single* mail. If I would have been
> > talking about mbox files, I'd have used that term.

> I've been out of town and haven't got caught up on all the world's history.

Dennis, now you're confusing me. :)

Nothing to catch up with, I've been referring to the thread "Getting
line numbers" back in Oct. Both of us have been discussing that topic.


> ClamAV's archives on on the list. Bounded (and anchored) RE's always
> run faster and they're more accurate. What's to lose?

I know about the archives, I've been a long time subscriber. Anyway...

What's to lose? Well, as per my OP, it just doesn't work. ClamAV freaks
out, when you start a hex signature with a (bounded) wildcard.

Besides, I'm not convinced bounded wildcards [1] actually do run faster
in clam. Haven't looked at the engines code, but given the rather
limited set of wildcards, I doubt it uses backtracking. And the bound
does impose another constraint while scanning the stream, no?

Good point about running faster when anchored, though. :)

  guenther


[1] The doc talks about wildcards -- rightly so. They are no REs. The
only thing that at least comes close is the alternation.



Re: [Clamav-users] Creating your own Signatures: Bound Offset

2008-01-25 Thread Karsten Bräckelmann
On Fri, 2008-01-25 at 17:54 -0800, Dennis Peterson wrote:
> Karsten Bräckelmann wrote:
> 
> > The main purpose was, to keep ClamAV from scanning the entire, possibly
> > large file (err, mail). And maybe even speed it up. It's good practice
> > to bound your REs or wildcards anyway.
> > 
> > I wonder, if this indeed would speed up scanning, however small, of
> > large-ish files. Or would the additional constraint actually impose more
> > CPU cycles spent?
> 
> The sigs are full of unbound RE's. That's why scanning mbox mail files is 
> pointless.

Yes, I know. I contributed that fact to the thread a while ago...

I do realize the ambiguity here -- there is no plural for 'mail'. :)
However, I am talking about a *single* mail. If I would have been
talking about mbox files, I'd have used that term.

Dennis, thanks for your reply. Just doesn't answer the question,
unfortunately... ;)

  guenther




[Clamav-users] Creating your own Signatures: Bound Offset

2008-01-25 Thread Karsten Bräckelmann
So I finally got around to writing some (well, one for now ;) custom
signatures. There's currently a highly annoying, lame phishing attempt I
want to swat early.

Anyway, while playing with the sigs and trying some optimization, the
sig broke horribly for some weird reason. Please see below for a
stripped down test case. What's so bad about it?

Instead of using the "any" offset, I tried to bound it, by setting the
offset to 0, and starting the hex signature with a limited wildcard.
Also, I noticed the parser isn't happy, if there is such a wildcard with
less than 2 bytes either at the beginning or end of the string.

Well, I could just start the sig with "From " and then anchor it at
offset 0. :)  But the question remains -- why?


Another question: Does this actually make sense?

The main purpose was, to keep ClamAV from scanning the entire, possibly
large file (err, mail). And maybe even speed it up. It's good practice
to bound your REs or wildcards anyway.

I wonder, if this indeed would speed up scanning, however small, of
large-ish files. Or would the additional constraint actually impose more
CPU cycles spent?

Thanks for any insight. :)

  guenther


$ cat test.ndb
local.test:4:0:{-4096}74657374

$ clamscan --quiet -d test.ndb msg
LibClamAV Error: cli_parse_add(): Problem adding signature (1).
LibClamAV Error: Problem parsing signature at line 1
LibClamAV Error: Problem parsing database at line 1
LibClamAV Error: Can't load test.ndb: Malformed database
ERROR: Malformed database

$ clamscan --version
ClamAV 0.92/5553/Fri Jan 25 22:14:29 2008




Re: [Clamav-users] clamav gcc dependendencies ...

2007-12-17 Thread Karsten Bräckelmann
Please resist the urge to top-post.

On Mon, 2007-12-17 at 15:52 -0800, fchan wrote:
> Hello,
> I'm on a MacBookPro running 10.4.11 with xcode 2.5 and I tried your suggestion
> "export CC=gcc-3.4" and I got this error:

The advice was rather specific to Debian. And actually started by
installing GCC 3.4...

> checking for gcc... gcc-3.4
> checking for C compiler default output file name...
> configure: error: C compiler cannot create executables
> See `config.log' for more details.
> 
> Here is what saw in config.log:
> 
> ./configure: line 1: gcc-3.4: command not found

See?

  guenther




Re: [Clamav-users] Signature precedence

2007-10-22 Thread Karsten Bräckelmann
On Mon, 2007-10-22 at 14:43 -0500, Noel Jones wrote:
> At 12:37 PM 10/22/2007, Karsten Bräckelmann wrote:
> >When using additional, third party signatures, is there any particular
> >order in the signatures?
> 
> No particular order.
> 
> >If both, the official as well as the third
> >party sigs match, which one is being reported?
> 
> One or the other will be reported, but not both.  The one actually 
> reported is unpredictable.

Thanks, Noel. That's exactly what I needed, though I did hope for
another answer. ;)  Guess my logs are just that -- logs. No way to turn
them into half-decent stats, unless I rerun per signature set.

  guenther




[Clamav-users] Signature precedence

2007-10-22 Thread Karsten Bräckelmann
I seem to recall I have come across this before, but I just can't find
it. Maybe someone knows off-hand. :)

When using additional, third party signatures, is there any particular
order in the signatures? If both, the official as well as the third
party sigs match, which one is being reported?

  karsten




Re: [Clamav-users] RFC: Recognize mbox format

2007-10-09 Thread Karsten Bräckelmann
On Mon, 2007-10-08 at 16:25 -0300, Joao S Veiga wrote:

> > Of course. However, I got the impression that neither of the recent
> > reporters does this additional step. Also, this gets even more annoying
> > (and maybe impossible) when dealing with PST files (which one of the OPs
> > does).
> 
> Hi, if one of those reporters is me,  I don't "advocate" doing what I do. I was
> justifying why I do it :-).  [...]

Indeed, you are. :-)

Sorry, if that came out wrong. I'm not a native English speaker, and
didn't mean to accuse you or anyone for that matter.

The mentioned procedure of re-scanning after delivery does bear some
pitfalls. Which in both these cases led to false alarms. Since it seems
to be practice anyway, one needs to be aware of potential issues. That
is all I was aiming for: Pointing out the issues, raising awareness.


> In the FreeGame case, I just removed the signature from daily.ndb. 

Which, at the point of your OP and as mentioned in the previous thread,
has been done upstream already. :)


> I just replied to a guy who had the same false alarm as me, since I already had
> found the workaround (and had submitted the sample false positive file). Then the
> wrath of heavens broke down on me.

Err, no, you did not reply, but started a new thread.

Anyway, pointing out issues (as you did) and submitting FP samples
always is appreciated. :)

  guenther




Re: [Clamav-users] RFC: Recognize mbox format

2007-10-08 Thread Karsten Bräckelmann
On Mon, 2007-10-08 at 09:15 -0700, Dennis Peterson wrote:
> Karsten Bräckelmann wrote:

> >>> Another downside of this approach, together with ClamAV treating mbox
> >>> format files as text/plain is, that only the first hit will be reported.
> >> That was made to improve performance, the Changelog say so.
> > 
> > Thanks for clarifying this, René.
> > 
> > Anyway, that whole last paragraph was a heads up to those who advocated
> > re-scanning after delivery (see the recent threads). They do not get
> > what they believe they do.
> 
> Unless you separate the mbox file(s) into maildir files and then you get exactly what
> you expect. It is, however, an annoying additional step one must take to ensure
> systems are as secure as possible.

Of course. However, I got the impression that neither of the recent
reporters does this additional step. Also, this gets even more annoying
(and maybe impossible) when dealing with PST files (which one of the OPs
does).

  guenther




Re: [Clamav-users] RFC: Recognize mbox format

2007-10-08 Thread Karsten Bräckelmann
On Wed, 2007-10-03 at 18:31 -0500, René Berber wrote:
> Karsten Bräckelmann wrote:

> > Another downside of this approach, together with ClamAV treating mbox
> > format files as text/plain is, that only the first hit will be reported.
> 
> That was made to improve performance, the Changelog say so.

Thanks for clarifying this, René.

Anyway, that whole last paragraph was a heads up to those who advocated
re-scanning after delivery (see the recent threads). They do not get
what they believe they do.


Also, thanks to you and Tomasz for replying to this request with some
insight. IMHO wildcards in the signatures should be properly limited
anyway. Unfortunately, the supported patterns are somewhat limited in
functionality -- something that probably suits binary viruses much
better than text-based email scam...

  guenther




[Clamav-users] RFC: Recognize mbox format (was: Re: Getting line numbers)

2007-10-03 Thread Karsten Bräckelmann
On Wed, 2007-10-03 at 10:45 -0700, Dennis Peterson wrote:
> Karsten Bräckelmann wrote:

Developers, read on. :)

> > Somewhat simplified, the signature reads "Subject with the string game"
> > and "an IP style http link".
> > 
> > Scanning maildirs as well as scanning individual messages before
> > delivering, this enforces that both be in the same email. Scanning a
> > whole mbox however, does *not*.
> > 
> > The Subject can be in one message, and the link in another one further
> > down the file. Boom, we got a hit! :)  (Actually, according to your
> > prose description, it neither needs to be a (Subject) header, nor an IP
> > style link.)
> > 
> > 
> > Which raises the question if the OP is correct when stating that ClamAV
> > knows how to handle mbox files. It sure does not look like that. The
> > summary claimed to have scanned one (mbox) file. It did not claim to
> > have scanned a bunch of messages, treated individually and applying the
> > signatures against each of them -- just a single text/plain file, that
> > happens to resemble more than one message.
> > 
> 
> This is my conclusion too, and the question was really thrown out there for comment
> from the SourceFire folks to provide clarification. Given that clamscan knows where
> in the file it is as well as being aware of the construction of it they appear to be
> very close to doing the right thing so it would be surprising to learn they do not.

Right. :)  Adjusted the Subject accordingly. Maybe this will get some
attention by the developers. Would be nice if someone could shed some
light on this. Or implement it.


Another downside of this approach, together with ClamAV treating mbox
format files as text/plain is, that only the first hit will be reported.
Something to keep in mind for the use case mentioned in that other
thread. All you will gain is knowledge, that the users might have been
exposed to some threat, before the good guys caught up. You will *not*
know which threat, since there may be others lurking, too...

  guenther




Re: [Clamav-users] Getting line numbers

2007-10-02 Thread Karsten Bräckelmann
On Tue, 2007-10-02 at 10:24 -0700, Dennis Peterson wrote:
> Can anyone offer a reason why the OP found a virus in the mbox file but not in the
> split out maildir messages? That kind of inconsistency is unsettling.

Rather easy I guess, given your analysis of the RE earlier. :)

Caveat: I have not checked the signature myself, going from your own
description only. Also, I assume that "any number of characters"
actually includes \n. The signature wouldn't match my FreeGame crap
otherwise anyway.


Somewhat simplified, the signature reads "Subject with the string game"
and "an IP style http link".

Scanning maildirs as well as scanning individual messages before
delivering, this enforces that both be in the same email. Scanning a
whole mbox however, does *not*.

The Subject can be in one message, and the link in another one further
down the file. Boom, we got a hit! :)  (Actually, according to your
prose description, it neither needs to be a (Subject) header, nor an IP
style link.)


Which raises the question if the OP is correct when stating that ClamAV
knows how to handle mbox files. It sure does not look like that. The
summary claimed to have scanned one (mbox) file. It did not claim to
have scanned a bunch of messages, treated individually and applying the
signatures against each of them -- just a single text/plain file, that
happens to resemble more than one message.


A note to the OP: Line numbers won't get you anything. Well, at least
for mbox files that is. Let's assume ClamAV would have spit out a line
number. Now what? Your mail client doesn't support "displaying the mail
of line N". And what if this is an mbox file being served by an IMAP
server? Even less client control over the file...

Your only option would be to start an editor, to look at the raw mail.
OK, would work in this case, maybe. But what about if this wouldn't be
such a dumb text/plain crap, but a binary attached base64 encoded to a
mail?

Scanning incoming messages before delivering definitely is the way to
go. On one hand, you can act appropriately, and be sure to avoid issues
like these match inconsistencies [1]. On the other hand, scanning
periodically after delivery is much too late anyway. How do you ensure
the user didn't fall for the phish already?

  guenther


[1] yes, that mbox file seems to be clean, not containing any virus

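The cross-message match described above (a Subject in one mail, the link in another), as an added example that is not code from this thread or from ClamAV: it models the paraphrased FreeGame signature as a regex, scans a constructed mbox both as one text/plain blob and per message, and adds the bounded-gap variant that the "RFC: Recognize mbox format" posts argue for. The regex, the 128-byte bound and the mbox contents are my assumptions.

```python
# Added example, not code from the thread or from ClamAV.  The signature is
# a regex built from the thread's paraphrase; the mbox content is constructed.
from __future__ import annotations
import re

IPV4_LINK = rb"http://\d{1,3}(?:\.\d{1,3}){3}"
# Unbounded gap between the Subject line and the link: anything, across newlines.
UNBOUNDED_SIG = re.compile(rb"Subject:[^\n]*game.*?" + IPV4_LINK, re.S | re.I)
# Same signature with the gap bounded, the regex analogue of a {-N} wildcard.
# 128 bytes is shorter than the distance to the next message in the sample.
BOUNDED_SIG = re.compile(rb"Subject:[^\n]*game.{0,128}?" + IPV4_LINK, re.S | re.I)

# Constructed mbox: message 1 carries the Subject, message 2 the IP link, and
# message 3 has both.  A real mbox quotes body lines starting with "From " as
# ">From "; none occur here, so the plain separator split below is enough.
SAMPLE_MBOX = b"""From alice@example.invalid Mon Oct  1 10:00:00 2007
From: alice@example.invalid
Subject: Board game night on Friday
Message-ID: <1@example.invalid>

Bring snacks.

From bob@example.invalid Mon Oct  1 11:00:00 2007
From: bob@example.invalid
Subject: Server move
Message-ID: <2@example.invalid>

The new box is reachable at http://192.0.2.10/ for now.

From mallory@example.invalid Mon Oct  1 12:00:00 2007
From: mallory@example.invalid
Subject: Free game download!!!
Message-ID: <3@example.invalid>

Get it at http://198.51.100.23/free.exe

"""


def split_mbox(data: bytes) -> list[bytes]:
    """Split an mbox into its messages on the "From " separator at column 0."""
    parts = re.split(rb"(?m)^From ", data)
    return [b"From " + p for p in parts if p.strip()]


def scan_whole_file(data: bytes, sig: re.Pattern) -> bytes | None:
    """Treat the file as one text/plain blob, as the thread describes ClamAV
    doing: at most one hit, reported here as the Subject line it starts at."""
    m = sig.search(data)
    return m.group(0).split(b"\n", 1)[0] if m else None


def scan_per_message(data: bytes, sig: re.Pattern) -> list[int]:
    """Apply the signature to every message on its own (maildir or
    pre-delivery scanning); returns the 1-based indices of the hits."""
    return [i for i, msg in enumerate(split_mbox(data), 1) if sig.search(msg)]


if __name__ == "__main__":
    for name, sig in (("unbounded", UNBOUNDED_SIG), ("bounded", BOUNDED_SIG)):
        print(name, "whole file:", scan_whole_file(SAMPLE_MBOX, sig))
        print(name, "per message:", scan_per_message(SAMPLE_MBOX, sig))
```

Run as is, the unbounded whole-file scan reports the harmless message 1 (its Subject plus message 2's link), while per-message scanning, bounded or not, reports only message 3.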


Re: [Clamav-users] signature names

2007-09-12 Thread Karsten Bräckelmann
On Wed, 2007-09-12 at 07:28 -0700, John Rudd wrote:
> (to the developers, not in answer to Burnie)
> 
> See, the current name scheme needs to be fixed.  And no one responded at 
> all to my proposed scheme from a month or two ago.

Coincidentally, my very first question on this list years ago was about
naming conventions (or the lack thereof), too. :)

  karsten




Re: [Clamav-users] As soon as Sourcefire starts charging for viru s updates,

2007-08-28 Thread Karsten Bräckelmann
On Tue, 2007-08-28 at 13:26 -0500, Bryan Johns wrote:
> On 8/28/07, Bowie Bailey <[EMAIL PROTECTED]> wrote:

> > I'm not worried about ClamAV being acquired.  At the moment, everyone is
> > saying that there are no plans to change anything.  As long as that
> > remains the case, the only difference is that there is now some money
> > behind the project.  If Sourcefire decides to start charging for updates
> > some time in the future, I will re-evaluate my usage of ClamAV.  Until
> > then, I see no reason to worry about it.
> 
> Even then, there's already been mention in this thread about forking
> off an open version and/or the existence of third-party virus db
> repositories.  ClamAV appears to enjoy a great deal of community
> support in the form of patches, bug fixes, and virus submissions.
> 
> SourceFire would be foolish, in my opinion, to throw that away.  If I
> were part of their decision making process I'd recommend keeping it
> like it is and rolling out an "enterprise" version with an actual help
> desk for paying customers. It would also be stupid, IMHO, for the
> community to turn away from ClamAV while a free version with free
> virus updates were still available just out of anger because an
> eeevil corporation bought it and tried to make some $$$.

Amen.

  guenther




Re: [Clamav-users] I need help

2007-08-06 Thread Karsten Bräckelmann
On Mon, 2007-08-06 at 13:47 -0400, Pedro Luis Domínguez Viqueira wrote:
> My freshclam says
> 
> ERROR: Can't get information about db.us1.clamav.net: Host not found

Check your configuration. Where does that host name come from? There is
no surprise here, because -- as freshclam correctly told you -- that
host doesn't exist...

[EMAIL PROTECTED] ~]# grep -B3 ^.DatabaseMirror /etc/freshclam.conf

# Uncomment the following line and replace XY with your country
# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
#DatabaseMirror db.XY.clamav.net



> -Mensaje original-
> De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] En nombre de [EMAIL PROTECTED]
> Enviado el: Domingo, 05 de Agosto de 2007 06:00 a.m.
> Para: clamav-users@lists.clamav.net
> Asunto: clamav-users Digest, Vol 35, Issue 5

[ snipping an entire digest ]

Please do *NOT* reply to any previous list post, if you actually want to
start a new thread.  Please *DO* remove any quotes of previous posts
that are not relevant to the issue at hand.

Also, please try giving your posts a *descriptive* Subject.  "help" does
not help, and tends to result in fewer responses...

  guenther




Re: [Clamav-users] scan taking too long

2007-08-03 Thread Karsten Bräckelmann
On Fri, 2007-08-03 at 16:18 -0500, Daniel J McDonald wrote:
> I've had really good success with clamav for a few  years now, but I've
> had a message stuck in my queue for a week:
> Aug  3 14:54:08 sa postfix/lmtp[25237]: 9A1381196:
> to=<[EMAIL PROTECTED]>, relay=127.0.0.1[127.0.0.1]:10025,
> delay=363983, delays=363554/0.02/0/428, dsn=4.5.0, status=deferred (host
> 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=25448-06,
> virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd
> av-scanner FAILED: CODE(0x804bbac) Exceeded allowed time at (eval 50)
> line 309. at (eval 50) line 511.; ClamAV-clamscan av-scanner
> FAILED: /usr/bin/clamscan collect_results - reading aborted: timed out
> at /usr/sbin/amavisd line 2812. at (eval 50) line 511. (in reply to end
> of DATA command))
[...]

> The message contains a pdf:
> []$ sudo postcat -q 9A1381196 | grep Content-Type:
> Content-Type: multipart/mixed;
> Content-Type: multipart/alternative;
> Content-Type: text/plain;
> Content-Type: text/html;
> Content-Type: application/pdf;
> 
> 
> It appears to be rather large:
> []$ sudo postcat -q 9A1381196 | wc
>  118520  118856 9113939
> 
> And it takes a long time when run interactively:
> []$ sudo postcat -q 9A1381196 | clamscan -
> stdin: OK
> 
> --- SCAN SUMMARY ---
> Known viruses: 142140
> Engine version: 0.91.1
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 25.20 MB
> Time: 488.716 sec (8 m 8 s)

Yes, the message indeed appears to be rather large... ;)

> from the content, it appears to be marketing anyway, so it's not
> critical, but advice on what to do with it would be appreciated.

Limit the size of mails for scanning in whatever calls ClamAV?

Scanning huge messages takes a long time (it scales worse than linearly,
AFAIK), and that's why you get a timeout.

  guenther

