[Clamav-users] Sasser Worm Virus not shown with sigtool

2004-05-05 Thread Lynn Duerksen
Freshclam reports:

RELAY:root[sbin]  freshclam
ClamAV update process started at Wed May  5 10:07:25 2004
Reading CVD header (main.cvd): OK
main.cvd is up to date (version: 22, sigs: 20229, f-level: 1, builder: tkojm)
Reading CVD header (daily.cvd): OK
daily.cvd is up to date (version: 303, sigs: 1196, f-level: 2, builder: trog)

However when I run:

sigtool -l | grep -i sasser

I get nothing.  Shouldn't Worm.Sasser.A, Worm.Sasser.D and Worm.Sasser.B all
show up using this?


Lynn Duerksen
Technical Manager
Futureware Distributing, Inc
 



---
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g. 
Take an Oracle 10g class now, and we'll give you the exam FREE. 
http://ads.osdn.com/?ad_id=3149alloc_id=8166op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


RE: [Clamav-users] Sasser Worm Virus not shown with sigtool

2004-05-05 Thread Lynn Duerksen
 

|Subject: [Clamav-users] Sasser Worm Virus not shown with sigtool
|
|Freshclam reports:
|
|RELAY:root[sbin]  freshclam
|ClamAV update process started at Wed May  5 10:07:25 2004 
|Reading CVD header (main.cvd): OK
|main.cvd is up to date (version: 22, sigs: 20229, f-level: 1, builder: tkojm)
|Reading CVD header (daily.cvd): OK
|daily.cvd is up to date (version: 303, sigs: 1196, f-level: 2, builder: trog)
|
|However when I run:
|
|sigtool -l | grep -i sasser
|
|I get nothing.  Shouldn't Worm.Sasser.A, Worm.Sasser.D and 
|Worm.Sasser.B all show up using this?
|

Never Mind!

I figured it out.

clamav datadir is /var/amavisd/usr/local/share/clamav   # because of
running in chroot for amavisd
sigtool is looking in /usr/local/share/clamav   # those files were
not up to date.  This directory must be hard coded into sigtool



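An added check for the mismatch found above (example code, not from the post or from ClamAV): it reads the version field straight out of the 512-byte CVD header of main.cvd and daily.cvd in two datadirs, so the chroot datadir freshclam updates and the default one sigtool reads can be compared without either tool. The header layout (colon-separated fields, version third) is ClamAV's CVD format; the directory paths in the comment come from the post, and make_sample_cvd writes constructed headers for testing.

```shell
#!/bin/sh
# Added example (not from the post or from ClamAV): compare the database
# versions held in two ClamAV datadirs, e.g. the chroot datadir freshclam
# updates for amavisd versus the default datadir sigtool reads.
#
# A .cvd file begins with a 512-byte, NUL-padded header of colon-separated
# fields:
#   ClamAV-VDB:<build time>:<version>:<sigs>:<f-level>:<md5>:<dsig>:<builder>:<stime>
# so "version" is field 3, "sigs" field 4, "f-level" field 5, "builder" field 8,
# the same values freshclam prints in "main.cvd is up to date (version: ...)".

# Print field $2 of the CVD header of file $1.
cvd_field() {
    [ -r "$1" ] || { echo "cvd_field: cannot read $1" >&2; return 1; }
    # dd reads only the first 512-byte block; tr strips the NUL padding.
    dd if="$1" bs=512 count=1 2>/dev/null | tr -d '\000' | cut -d: -f"$2"
}

# Print "<db> <version in $1> <version in $2>" for main.cvd and daily.cvd.
# Returns 0 when both directories carry the same versions, 1 otherwise.
compare_datadirs() {
    dir1=$1
    dir2=$2
    status=0
    for db in main.cvd daily.cvd; do
        v1=$(cvd_field "$dir1/$db" 3)
        v2=$(cvd_field "$dir2/$db" 3)
        echo "$db $v1 $v2"
        [ "$v1" = "$v2" ] || status=1
    done
    return "$status"
}

# Constructed test fixture: writes a header-only .cvd (no signature payload).
# $1 path, $2 version, $3 sigs, $4 f-level, $5 builder; md5/dsig are placeholders.
make_sample_cvd() {
    printf 'ClamAV-VDB:05 May 2004 10-07 +0000:%s:%s:%s:PLACEHOLDER-MD5:PLACEHOLDER-DSIG:%s:1083751645' \
        "$2" "$3" "$4" "$5" > "$1"
}

# On a real box, e.g.:
#   compare_datadirs /var/amavisd/usr/local/share/clamav /usr/local/share/clamav
if [ $# -eq 2 ]; then
    compare_datadirs "$1" "$2"
fi
```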


RE: [Clamav-users] OpenBSD clamav Port (0.67-1) RAR Files

2004-03-17 Thread Lynn Duerksen


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf 
 Of Helmut Schneider
 Sent: Wednesday, March 17, 2004 2:40 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Clamav-users] OpenBSD clamav Port (0.67-1) RAR Files
 INFECTED (Worm.Bagle.Gen-rarpwd)
 
 Lynn Duerksen wrote:
 
  Thats the point, if clamav would have detected the virus in the 
  original mail I wouldn't have posted here... :)
  
  I am experiencing similar problems on my OpenBSD 3.4 box and was 
  wondering if there has been any resolution on this issue.
 
 I'm using 3.4, too.
 
 
I installed the latest cvd and everything seems to work ok.  I fed a
saved infected message and amavisd-new reported in the log:

Mar 17 13:38:17 TECHGATE1 amavis[8104]: (08104-04) INFECTED
(Worm.Bagle.Gen-rarpwd),
[EMAIL PROTECTED] -
[EMAIL PROTECTED], quarantine virus-20040317-133817-08104-04,
Message-ID: [EMAIL PROTECTED], Hits: -

So it looks like we're good to go!

Thanks to the Clamav team for the hard work.

L A Duerksen





RE: [Clamav-users] OpenBSD clamav Port (0.67-1) RAR Files

2004-03-16 Thread Lynn Duerksen
 
 Fajar A. Nugraha wrote:
 
  Helmut Schneider wrote:
  
  seems that the clamav Port (0.67-1) has problems with RAR Files 
  (e.g.
  Bagle.N):
  
  To avoid misunderstandings, I know the file is pwd, but 
 clamav does 
  not recognize the virus within the archive (maybe a DB problem)...
  
  Sometimes the signatures were created using the complete mail, so 
  clamscan won't recognize the attachment alone but it will recognize 
  the complete mail.
  
  If you use clamscan, you can work around RAR errors using
  --unrar[=FULLPATH]   Enable support for 
 .rar files
  
  But since the RARs are password-protected, it's useless.
  My suggestion is try feeding the complete virus mail to clamscan 
  (instead of just the attachment), and see if it works.
 
 That's the point, if clamav would have detected the virus in 
 the original mail I wouldn't have posted here... :)
 


I am experiencing similar problems on my OpenBSD 3.4 box and was
wondering if there has been any resolution on this issue.

I have an OpenBSD 3.3 stable box running in parallel with the OpenBSD
3.4 box that has caught the Worm.Bagle.Gen-rarpwd.

3.3 box running amavisd-new-20030616-p2 
patched to allow scanning of full message
clamav-0.67-1
unrar-2.50

3.4 box running amavisd-new-20030616-p8
/etc/amavisd.conf settings
$keep_decoded_original_re = new_RE(
qr'^MAIL$',   # retain full original message for virus checking
clamav-0.67-1
unrar-3.20beta3

Don't know if any of this information helps, but the only solution I have
right now is to ban all .rar files on the 3.4 box.

Thanks

L. A. Duerksen






[Clamav-users] RE: [AMaViS-user] Zip File Password

2004-03-03 Thread Lynn Duerksen


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Ted Cabeen
 Yep.  Some scanners are now able to detect the virus like 
 this, but they have to scan the entire message in order to do 
 so.  I've written a two line patch that copies the email.txt 
 file into the parts directory so that the mail itself gets 
 scanned and the virus is detected.  Here it is, if you want it:
 
 *** amavisd Sun Jan  4 17:00:19 2004
 --- /usr/local/sbin/amavisd Tue Mar  2 10:54:52 2004
 ***
 *** 4785,4790 
 --- 4785,4791 
   use Digest::MD5;
   use Net::Server 0.83;
   use Net::Server::PreForkSimple;
 + use File::Copy;
   
   BEGIN {
   import Amavis::Conf qw(:platform :confvars :notifyconf :sa);
 ***
 *** 5305,5310 
 --- 5306,5312 
 $msginfo-mime_entity(mime_decode($fh,$tempdir));
 prolong_timer($which_section);
 }
 +   copy($tempdir/email.txt, 
 $tempdir/parts/email.txt);
 $which_section = virus_scan;
 # some virus scanners behave badly if interrupted,
 # so for now just turn off the timer
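Review bot: the new copy() call in this hunk never checks its return value. File::Copy::copy returns false and sets $! when the copy fails (disk full inside the chroot, a permissions problem on parts/), and in that case parts/email.txt is silently absent, the scanner only ever sees the decoded parts, and the password-protected archive passes exactly as before with nothing in the log to say why. Suggest `copy("$tempdir/email.txt", "$tempdir/parts/email.txt") or die "copy email.txt: $!";` or the equivalent through amavisd's own logging, so the failure is visible rather than a silent scan gap.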
 
 -- 

Although I had to make the 2nd part of this patch by hand, it seems to
be working well.  This morning clamd caught 4 messages that amavisd
quarantined and identified as (Worm.Bagle.F-zippwd-3).

Virus scanner output:
   /var/amavisd/tmp/amavis-20040303T081020-01279/parts/email.txt:
Worm.Bagle.F-zippwd-3 FOUND

The message has been quarantined as:
   /var/amavisd/quarantine/virus-20040303-082055-01279-08

Good work and Thanks!

Thanks to the clamav folks as well.  They have been working hard to stay
ahead of this.

L. A. Duerksen
Technical Manager
Futureware Distributing, Inc
OpenBSD 3.3
amavisd-new-20030616-p2
spamassassin 2.55
postfix-2.0.10
ClamAV version 0.67-1





[Clamav-users] Undefined symbol _deny_severity

2004-02-18 Thread Lynn Duerksen
Just updated a system running .65 to .67-1

/usr/libexec/ld.so: Undefined symbol _deny_severity in
clamd:/usr/lib/libwrap.so.3.0

I tried the OpenBSD port as well as the stable code.  Same results

Any suggestions?


Lynn Duerksen
Technical Manager
Futureware Distributing, Inc
OpenBSD 3.3
Amavisd-new
 






[Clamav-users] ERROR: You must specify at least one database mirror.

2004-02-18 Thread Lynn Duerksen

I went back to .66 since .67-1 is having trouble on OpenBSD 3.3 right
now but now I get the following when running freshclam

ERROR: You must specify at least one database mirror.

The command I used is:

/usr/local/bin/freshclam -l /var/amavisd/var/log/clam-update.log
--datadir=/var/amavisd/usr/local/share/clamav --log-verbose

The datadir has the mirrors.txt file in it.  Its contents are:

RELAY:root[share]  more mirrors.txt
database.clamav.net
database.clamav.net
database.clamav.net

I tried it with the user switch just in case it was not reading user
info from it

RELAY:root[sbin]  /usr/local/bin/freshclam -l
/var/amavisd/var/log/clam-update.log
--datadir=/var/amavisd/usr/local/share/clamav --log-verbose --user
amavisd
ERROR: You must specify at least one database mirror.

Any ideas on how to make this work?


L. A. Duerksen
Technical Manager
Futureware Distributing, Inc
OpenBSD 3.3
amavisd-new-20030616-p2
spamassassin 2.55
postfix-2.0.10
ClamAV version 0.65





RE: [Clamav-users] Undefined symbol _deny_severity

2004-02-18 Thread Lynn Duerksen
I'm not using milter.  Why does this affect an install with postfix?

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:clamav-users-
 [EMAIL PROTECTED] On Behalf Of Igor Brezac
 Sent: Wednesday, February 18, 2004 3:15 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Clamav-users] Undefined symbol _deny_severity
 
 
 Clamav assumes that everyone uses a static version of libwrap.
 
 Here is a patch for clamav-milter.c.  A similar patch needs to be
applied
 to configure script for the tcpwrappers detection and libwrap needs to
be
 linked against the clamav-milter binary only.
 
 --- clamav-milter.c.origWed Feb 18 15:56:29 2004
 +++ clamav-milter.c Mon Feb 16 07:32:02 2004
 @@ -401,6 +401,10 @@
 
  #ifdef WITH_TCPWRAP
  #include tcpd.h
 +
 +int allow_severity = LOG_DEBUG;
 +int deny_severity = LOG_ERR;
 +
  #endif
 
  #if defined(CL_DEBUG)  defined(C_LINUX)
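Review bot: the two definitions added under #ifdef WITH_TCPWRAP use LOG_DEBUG and LOG_ERR, but the only include visible in the hunk is tcpd.h; unless syslog.h is already pulled in above line 401, these lines will not compile, so check that or add the include next to tcpd.h. Also note the hunk only touches clamav-milter.c, whereas the ld.so error quoted below names clamd against libwrap.so.3.0, so on its own it does not fix the reported failure; the configure/link change described in the message text (link libwrap into clamav-milter only) is the part that addresses clamd.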
 
 -Igor
 
 On Wed, 18 Feb 2004, Lynn Duerksen wrote:
 
  Just update a system running .65 to .67-1
 
  /usr/libexec/ld.so: Undefined symbol _deny_severity in
  clamd:/usr/lib/libwrap.so.3.0
 
  I tried the OpenBSD port as well as the stable code.  Same results
 
  Any suggestions?
 
 
  Lynn Duerksen
  Technical Manager
  Futureware Distributing, Inc
  OpenBSD 3.3
  Amavisd-new
 
 
 
 
 
 
 
 --
 Igor
 
 





RE: [Clamav-users] Undefined symbol _deny_severity

2004-02-18 Thread Lynn Duerksen


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:clamav-users-
 [EMAIL PROTECTED] On Behalf Of Igor Brezac
 Sent: Wednesday, February 18, 2004 3:57 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Clamav-users] Undefined symbol _deny_severity
 
 
 My guess is that your clamd/clam*scan is linked with libwrap.  What
does
 'ldd clamd' say?
 

/usr/local/sbin/clamd:
        -lclamav.1 => /usr/local/lib/libclamav.so.1.3 (0x40025000)
        -lz.2 => /usr/lib/libz.so.2.0 (0x4003d000)
        -lbz2.10 => /usr/local/lib/libbz2.so.10.2 (0x4004a000)
        -lgmp.6 => /usr/local/lib/libgmp.so.6.2 (0x40059000)
        -lpthread.1 => /usr/lib/libpthread.so.1.0 (0x40083000)
        -lc.29 => /usr/lib/libc.so.29.0 (0x4009a000)


 -Igor
 
 On Wed, 18 Feb 2004, Lynn Duerksen wrote:
 
  I'm not using milter.  Why does this affect an install with postfix?





RE: [Clamav-users] Autochecking script for clamd

2003-12-01 Thread Lynn Duerksen

   
   Well, but why run freshclam all the time?
   
  
  I suppose that I could have run a cron job.  But in dealing 

 
 Am I wrong in thinking this way? That:
 
 You are wasting your bandwidth running freshclam (well, at 
 some point the virus db files are up to date so no data is 
 tx-ed to your box) all the time. You are making the database 
 servers use cpu time that could be used for other purposes. 
 Nothing personal here though, just a question. ;)

I don't understand what you are getting at.  My bandwidth is not an
issue at this time.  If you are suggesting that I am wasting the
bandwidth and cpu time on the servers I download from, how would
checking for updates 4 times a day be any different if done with a cron
job versus a daemon?






RE: [Clamav-users] Autochecking script for clamd

2003-11-28 Thread Lynn Duerksen

 Subject: Re: [Clamav-users] Autochecking script for clamd
 
 
 At 08:50 PM 11/27/2003, Brian Bruns wrote:
 Well, I should have put this in the last message.
 
 I guess the one I threw together doesn't require anything special 
 (doesn't need daemontools), and only needs bash.  I have a habit of 
 writing things very simply to be as small and lightweight as 
 possible 
 :)
 
 daemontools isn't special, whatever that means, and bash shells are 
 neither small nor lightweight. so, you lose on all counts.
 

Special is as Special Does!

I use a simple shell script to check for clamd and freshclam since there
have been versions where both/either died.  Plus I timestamp and log.

As far as daemontools, I could never get it to function properly on my
OpenBSD - Postfix - Amavisd system.  This simple script works great.

#!/bin/sh
# append all output (stdout and stderr) to the /var/log/checkclam log file
exec 1>>/var/log/checkclam
exec 2>&1
TIMESTAMP=`date "+%b %e %H:%M:%S"`
# Check for clamd daemon
if ! (ps -aU amavisd | grep clamd | grep -v grep > /dev/null)
then
echo $TIMESTAMP restarting clamd
# Remove Stale Socket
rm /var/amavisd/clamd.sock
# Start clamd
/usr/local/sbin/clamd
# Timestamp, log and send me a note
echo $TIMESTAMP restarting clamd > /tmp/clamrestart.txt
cat /tmp/clamrestart.txt | mail -s "clamd restart report" [EMAIL PROTECTED] > /dev/null
rm /tmp/clamrestart.txt > /dev/null
fi
if ! (ps -aU amavisd | grep freshclam | grep -v grep > /dev/null)
then
echo $TIMESTAMP  restarting freshclam daemon
/usr/local/bin/freshclam -d -c 4 --datadir=/var/amavisd/usr/local/share/clamav --log-verbose
fi


FYI - Since installing 0.65 this has recorded no restarts


L. A. Duerksen
Technical Manager
Futureware Distributing, Inc
OpenBSD 3.3
amavisd-new-20030616-p2
spamassassin 2.55
postfix-2.0.10
ClamAV version 0.65



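A pidfile-driven liveness check, added here as an alternative to the `ps | grep clamd` test (example code, not the script from the post): `grep clamd` matches the grep itself, which is why the script needs `grep -v grep`, and it also matches any running clamdscan, so a scan in progress can mask a dead daemon. This version reads PidFile and LocalSocket from clamav.conf (the options shown in the clamav.conf excerpts elsewhere on this page) and asks the kernel with `kill -0`; the config file used in the test is constructed, and the check must run as root or as the clamd User for kill -0 to be permitted.

```shell
#!/bin/sh
# Added example (not the script from the post): clamd liveness check driven by
# the PidFile / LocalSocket settings in clamav.conf instead of "ps | grep clamd".

# Print the value of option $2 from the clamav.conf-style file $1
# ("Option value" lines, '#' comments); prints nothing when the option is unset.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\)$/\1/p" "$1" | head -n 1
}

# Return 0 if the pid recorded in pidfile $1 is alive, 1 otherwise.
# kill -0 delivers no signal; it only asks whether the process exists and
# whether we may signal it, so run this as root or as the clamd User.
pid_alive() {
    [ -r "$1" ] || return 1
    pid=$(tr -cd '0-9' < "$1")
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# Report on clamd from its config file $1: prints "running <pid>" and returns 0,
# or prints "dead" (plus "stale-socket <path>" when a leftover LocalSocket is
# still present, which clamd without FixStaleSocket refuses to bind) and returns 1.
clamd_status() {
    conf=$1
    pidfile=$(conf_value "$conf" PidFile)
    sock=$(conf_value "$conf" LocalSocket)
    if pid_alive "$pidfile"; then
        echo "running $(tr -cd '0-9' < "$pidfile")"
        return 0
    fi
    if [ -n "$sock" ] && [ -S "$sock" ]; then
        echo "dead stale-socket $sock"
    else
        echo "dead"
    fi
    return 1
}

# Typical use from cron, with the conf path from the posts on this page:
#   clamd_status /etc/clamav.conf || /usr/local/sbin/clamd
if [ $# -eq 1 ]; then
    clamd_status "$1"
fi
```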


[Clamav-users] 3 Days on 0.65 and all is well

2003-11-17 Thread Lynn Duerksen
Installed latest stable version at 9:00 CST 11/14 and it has run without
problems.


L. A. Duerksen
Technical Manager
Futureware Distributing, Inc
OpenBSD 3.3
amavisd-new-20030616-p2
spamassassin 2.55
postfix-2.0.10
ClamAV version 20030829





[Clamav-users] FYI - OpenBSD 3.3 - Postfix - Amavisd-new - SA - clamav-devel-20031023 Up for 4 days without a problem.

2003-10-28 Thread Lynn Duerksen
4 days without a problem...Knock on wood!!  No restarts no stale
sockets.

Things are looking good.

Amavisd-new running chroot as user amavisd in directory /var/amavisd

Installed clamav as follows

First: run configure with shown options

./configure --disable-clamav --enable-dependency-tracking
--disable-clamuko --enable-bigstack --with-user=amavisd
--with-group=amavisd --disable-cr

Next: edit */Makefile and change all pthread to lpthread

clamav-milter/Makefile
clamd/Makefile
clamdscan/Makefile
clamscan/Makefile
database/Makefile
docs/Makefile
etc/Makefile
freshclam/Makefile
libclamav/Makefile
sigtool/Makefile

Then: /etc/clamav.conf has following settings

LogFile /var/amavisd/var/log/clamd.log
LogTime
LogVerbose
PidFile /var/amavisd/var/run/clamd.pid
DataDirectory /var/amavisd/usr/local/share/clamav
LocalSocket /var/amavisd/clamd.sock
FixStaleSocket
MaxDirectoryRecursion 15
User amavisd
ArchiveMaxFileSize 10M
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000


L. A. Duerksen
Technical Manager
Futureware Distributing, Inc
OpenBSD 3.3
amavisd-new-20030616-p2
spamassassin 2.55
postfix-2.0.10
clamav-devel-20031023





RE: [Clamav-users] Fwd: Ruh-Roh SOBIG.G?

2003-10-07 Thread Lynn Duerksen
I had two separate systems getting hit pretty hard with SOBIG.G. One a
wholesale distributor and one a trucking company.  Both running
Amavisd-new - Postfix - Clamd - OpenBSD 3.3.  I noticed that most of the
traffic was from less than a couple dozen IP addresses.  I set my packet
filters to reject all traffic from these IPs.  I also tracked down the
ISP responsible on about half the offending IPs and most had abuse email
addresses to report them, which I did.  It took my virus traffic down
over 1000%.

I can get away with more than an IP can since both places can usually
identify if they would expect valid mail from those addresses.

I still have them being rejected but no longer see those rules being
acted on according to my pflog.  They must have gotten cleaned up.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf 
 Of Ray Slakinski
 Sent: Thursday, September 25, 2003 1:24 PM
 To: [EMAIL PROTECTED]
 Subject: [Clamav-users] Fwd: Ruh-Roh SOBIG.G?
 
 
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 FYI:
 
 Begin forwarded message:
 
  From: Dragos Ruiu [EMAIL PROTECTED]
  Date: Thu Sep 25, 2003  3:01:16 AM Canada/Eastern
  To: [EMAIL PROTECTED]
  Subject: Ruh-Roh SOBIG.G?
 
  SOBIG was nasty for me. One of my clients was getting more than 7MB/s
  sustained of SOBIG.F, and I had to deal with bandwidth charges for
  more than 450GB of SOBIG over a ten day period! My client had a
  particularly nasty problem with this nuisance because the malware
  email address scanner picked up the support email out of their
  software which is estimated to be installed at over 10 million
  computers. And when you try to stuff seven megaBYTES per second into
  a 1.5 megaBIT per second office T1 some not nice stuff happens. Never
  mind their poor Exchange server blowing up trying to deal with
  400-700 messages/min (which I still think any reasonable _real_ mail
  server _should_ be able to cope with). Postfix and PCRE on a fat pipe
  was the solution (albeit at some cost) in this instance.
 
  (Gave some interesting stats actually, for instance worm activity
  peaked every day between 6-8 am PST and again nightly at 7pm PST
  which roughly corresponds to morning in Asia.  ~10 Million users
  yielded around 30k unique IP hosts that generated that 450Gb of
  traffic, with the average host sending 500-1000 individual copies,
  but there were about a dozen or so notables that sent us 10-30k
  copies well above the rest. Heavy-tailed distribution.
  Interestingly, there seemed to be no peak for Europe morning,
  indicating maybe this thing wasn't such a big problem there.)
 
  So anyway let me get to the punchline. After SOBIG.F so nicely shut
  itself down on Sept 10 according to its built-in lysine deficiency,
  we all went phew, and went to pay the silly bandwidth bill (while
  vowing to pour a full beer on the head of the author if he ever turns
  up).
 
  Now I noted with concern this morning that I started getting more
  wicked screensavers. :-) Analysis indicates that this new nuisance,
  the newly resurrected malware, does not correspond with any of the
  earlier variants. (the files show the same variations in length as
  the older SOBIG.F) I did a little poking at it and it seems to be
  pretty similar to the old one. I can provide this to anyone who needs
  it but you should have a copy of it already. :-(
 
  The old one was static across copies usually differing only in bytes
  at the end after the null region and the length.
 
  The new one is mildly different. Below are some diffs of hexdumps.
  (byte per line between the new one and the old one) I haven't pulled
  it apart in disassembly yet, but I wanted to send out a heads-up, and
  to flip the bird to whatever cretin spawned this new nuisance.  I now
  owe you two beers on your head I think.
 
  SOBIG Filter instructions for Postfix
  ---
  (compile with pcre - this is in the OpenBSD Ports tree already)
 
  1) Add this to main.cf:
  mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp
 
  2) Then put this in /etc/postfix/mime_header_checks.regexp:
  /filename=\"?(.*)\.(bat|chm|cmd|com|do|exe|hta|jse|rm|scr|pif|vbe|vbs|vxd|xl)\"?$/ REJECT For security reasons we reject attachments of this type
 
  Diff of new and old binaries attached below.
 
  BTW in case you were wondering how to use diff
  on binary files this little program is a nice trick
  to let you use standard diff on arbitrary binaries... :-)
 
  #include <stdio.h>
  int main(void)
  {
      int c;
      /* one byte per line, so a plain text diff lines up byte for byte */
      while ((c = getchar()) != EOF)
          printf("%02x\n", c);
      return 0;
  }
 
  sigh...
  --dr
 
  --
  Top security experts.  Cutting edge tools, techniques and 
 information.
  Tokyo, Japan   November, 2003   http://www.pacsec.jp
  pgpkey http://dragos.com/ kyxpgp
 
 
  --- old.pif.hex Wed Sep 24 23:17:15 2003
  

RE: [Clamav-users] clamd dies

2003-09-16 Thread Lynn Duerksen

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf 
 Of Tomasz Kojm
 Sent: Tuesday, September 16, 2003 10:23 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Clamav-users] clamd dies
 
 
  I have not seen anyone with a solution so far for my 
  Postfix-Spamassassin-Openbsd3.3-Amavisd-new setup.  On the latest 
  version freshclam even bombs now.  Run the following script from 
  crontab
  
 Freshclam bombs ? Can't believe ;)

Although it does not happen as often as clamd on occasion it does need
to be restarted.  It had gone 11 days without needing restarting but
this morning it needed restarting twice in 1 hour.

I still wonder if it has to do with running amavisd in chroot jail under
user amavisd.  Is there a guide somewhere for running it in chroot jail?
I have gotten all kinds of advice from different sources and I usually
have to do some tweaking of each to make it work.

I know that the OpenBSD port has the user _clamd coded into the port.
I modify the Makefile and set it to user amavisd but still have to come
back and chown on some files and directories that were set to user
_clamd.

My log of restarts:
-- -- checkclam log grep restarting -- --
Sep 4 22:30:01  restarting clamd daemon
Sep 5 09:30:01  restarting clamd daemon
Sep 5 14:30:01  restarting freshclam daemon
Sep 5 15:00:01  restarting freshclam daemon
Sep 5 20:30:01  restarting clamd daemon
Sep 9 22:00:01  restarting clamd daemon
Sep 10 21:30:01  restarting clamd daemon
Sep 11 11:00:01  restarting clamd daemon
Sep 14 21:30:01  restarting clamd daemon
Sep 16 10:00:02  restarting freshclam daemon
Sep 16 10:30:01  restarting freshclam daemon 
-- -- end checkclam log -- --

My clamav.conf settings
-- -- clamav.conf -- --
LogFile /var/amavisd/var/log/clamd.log
LogTime
LogVerbose
PidFile /var/run/clamd.pid
DataDirectory /var/amavisd/usr/local/share/clamav
LocalSocket /var/amavisd/clamd.sock
MaxConnectionQueueLength 30
MaxThreads 10
MaxDirectoryRecursion 15
User amavisd
ArchiveMaxFileSize 10M
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000
-- -- end clamav.conf -- --





RE: [Clamav-users] OpenBSD port: clamav-20030829

2003-09-09 Thread Lynn Duerksen
This port looks like it has solved my problem with clamd bombing on me.
I would like to summarize how I did the setup and install for others
running Postfix, Amavisd-new, and Spamassassin on OpenBSD 3.3 in chroot
jail that have reported similar problems.  Is there an ftp or http site
where the previously attached file can be downloaded so I can reference
that in my notes?

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf 
 Of Wouter de Vries
 Sent: Saturday, August 30, 2003 10:42 AM
 To: [EMAIL PROTECTED]; Flinn Mueller
 Subject: [Clamav-users] OpenBSD port: clamav-20030829
 
 
 Hi,
 
 Hereby I attach the port for OpenBSD 3.3 clamav-20030829. It 
 looks like 
 Flinn is to busy with other things, so I updated it.
 
 Wouter.
 





RE: [Clamav-users] are there any statistic tools out there?

2003-08-26 Thread Lynn Duerksen


  
  I'd like to do some statistics about scanned emails.
  I use postfix + amavisd + clamav + cyrus.
 
 
 Search the list archives. There are so many solutions like 
 this posted there long ago.
 

Long-ago solutions are not searchable since the move to sourceforge.
There are only 213 archived articles with all but 7 from this month.

I too would like to see what others are using.  I have the scripts for
spam and mail statistics but none for virus statistics.





RE: [Clamav-users] Still Fighting Problem with clamd bombing out on Openbsd 3.3 w amavisd-new and postfix

2003-08-18 Thread Lynn Duerksen
I finally got a ktrace trap as well.

 13403 clamd    GIO   fd 6 read 16 bytes
       17433d48097703e9
 13403 clamd    RET   read 8192/0x2000
 13403 clamd    PSIG  SIGSEGV SIG_DFL code 2 addr=0x38383263 trapno=2
 13403 clamd    PSIG  SIGSEGV SIG_DFL code 0 addr=0x0 trapno=0
 13403 clamd    NAMI  clamd.core

Is there anyone who can decipher these traces and tell me what it means?


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf 
 Of Ben Hooper
 Sent: Saturday, August 16, 2003 2:43 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Clamav-users] Still Fighting Problem with clamd 
 bombing out on Openbsd 3.3 w amavisd-new and postfix
 
 
   If anyone has any suggestions I would love the help.   I have two
   installs doing the exact same thing.  So if I made a mistake
   in my setup
   I made it more than once.
  
  FWIW, I am seeing the same thing happen under 3.3-stable on 
 two of my 
  machines.
 
 Ktrace shows clamd bombing out with...
 
  26027 clamd    RET   read 557/0x22d
  26027 clamd    PSIG  SIGSEGV SIG_DFL code 1 addr=0x3033343d trapno=1
  26027 clamd    PSIG  SIGSEGV SIG_DFL code 0 addr=0x0 trapno=0
 
 Complete trace available.
 
 Ben.
 
 
 



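One triage step for the PSIG lines quoted above, added here as example code (not from the thread): it pulls the fault address out of a kdump PSIG line and shows its four bytes in memory order as ASCII. Both traces in this thread fault on addresses made entirely of printable characters (0x38383263 is the bytes "c288" on i386, 0x3033343d is "=430"), the pattern left when a pointer has been overwritten with text from the data being scanned rather than a random wild read, which is exactly the kind of detail worth sending along with the core file. The sample lines in the test are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): decode the fault address in an OpenBSD
# kdump PSIG line and say whether it is made of printable ASCII bytes.

# Print the hex fault address (addr=0x...) from one kdump PSIG line, or nothing.
psig_addr() {
    printf '%s\n' "$1" | sed -n 's/.*addr=\(0x[0-9a-fA-F]*\).*/\1/p'
}

# Left-pad a hex string (with or without 0x) to 8 digits, i.e. one 32-bit word.
pad8() {
    h=${1#0x}
    while [ ${#h} -lt 8 ]; do h=0$h; done
    printf '%s\n' "$h"
}

# Show a 32-bit address as the four bytes that sit in memory on a little-endian
# i386 box (low byte first); bytes outside printable ASCII are shown as '.'.
addr_as_ascii() {
    h=$(pad8 "$1")
    out=""
    i=8
    while [ "$i" -gt 0 ]; do
        byte=$(printf '%s' "$h" | cut -c"$((i - 1))-$i")
        v=$((0x$byte))
        if [ "$v" -ge 32 ] && [ "$v" -le 126 ]; then
            # printf turns the octal escape back into the character itself
            out="$out$(printf "\\$(printf '%03o' "$v")")"
        else
            out="$out."
        fi
        i=$((i - 2))
    done
    printf '%s\n' "$out"
}

# Return 0 when every byte of the address is printable ASCII, 1 otherwise.
all_printable() {
    h=$(pad8 "$1")
    while [ -n "$h" ]; do
        v=$((0x$(printf '%s' "$h" | cut -c1-2)))
        h=${h#??}
        [ "$v" -ge 32 ] && [ "$v" -le 126 ] || return 1
    done
    return 0
}

# One-line verdict for a PSIG line: "<addr> <ascii> printable=yes|no".
triage_psig() {
    a=$(psig_addr "$1")
    [ -n "$a" ] || { echo "triage_psig: no addr= field in line" >&2; return 1; }
    if all_printable "$a"; then p=yes; else p=no; fi
    printf '%s %s printable=%s\n' "$a" "$(addr_as_ascii "$a")" "$p"
}

# Typical use: kdump -f ktrace.out | grep PSIG | while read -r l; do triage_psig "$l"; done
```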


RE: [Clamav-users] Still Fighting Problem with clamd bombing out on Openbsd 3.3 w amavisd-new and postfix

2003-08-18 Thread Lynn Duerksen
 
 Tomasz Kojm asked for core file :-) .

I assume the list does not want a 12MB core dump file so I will forward
it directly to Tomasz.

It took me some time to figure out where the file was stored.  It ended
up in the root of chroot jail not the clamd working directory.
 
 PS. Please, respond _under_ the original (previous) 
 message(s), not above them. This is basics of Netiquette.

Not sure I follow this.  How does one reference comments by others if I
reply to the original message?

 
 Also, remove unneeded fragments of previous message(s), 
 especially these awful commercials by SF. It's really ugly, 
 space-wasting and hard-answerable to have all that junk 
 nested a couple of times. Thank you.
 

Sorry about the junk, just lazy in my haste.


L. A. Duerksen
Technical Manager
Futureware Distributing, Inc
OpenBSD 3.3
amavisd-new-20030616-p2
spamassassin 2.55
postfix-2.0.10
ClamAV version 0.60





RE: [Clamav-users] Still Fighting Problem with clamd bombing out on Openbsd 3.3 w amavisd-new and postfix

2003-08-18 Thread Lynn Duerksen


 From: [EMAIL PROTECTED] 
 
 Oh, seems that you already tried to mail it to me and of 
 course my server rejected it. Lynn, if you haven't an easy 
 way of placing it on the WWW, drop me a note and I'll 
 increase the message size limit temporarily.

Your wish is my command.

I have placed the clamd.core file at
http://www.futurewareinc.com/download/clamd.core 

Any help would be appreciated.

Thanks


L. A. Duerksen
Technical Manager
Futureware Distributing, Inc
OpenBSD 3.3
amavisd-new-20030616-p2
spamassassin 2.55
postfix-2.0.10
ClamAV version 0.60





RE: [clamav-users] OpenBSD Port

2003-07-21 Thread Lynn Duerksen
How well does freshclam work in this release, if clamd is run with
amavisd-new in chroot and the following clamav.conf settings
- - - - - - - - - - - - - - - - - - -
# Path to the local socket. The daemon doesn't change the mode of the
# created file (portability reasons). You may want to create it in a
# directory which is only accessible for a user running daemon.
# LocalSocket /var/run/clamd/clamd.sock
LocalSocket /var/amavisd/clamd.sock

# Run as selected user (clamd must be started by root).
# By default it doesn't drop privileges.
User amavisd
- - - - - - - - - - - - - - - - - - -

By default it looks like freshclam runs as _clamd.  Can I change it to
amavisd?



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2003 12:46 PM
To: [EMAIL PROTECTED]
Subject: [clamav-users] OpenBSD Port


Update (07/21/2003)
I've updated 0.60 and 20030720 with a small minor bug fix.  Many thanks
for everyone who sent feedback.

clamav tested on 3.3 i386

I've also attached the latest snapshot 20030720
clamav-devel tested on 3.3 i386

Porthome:
http://activeintra.net/openbsd/article.php?id=5

Regards,
Flinn Mueller


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




Re: [clamav-users] clamd dropping out with no apparent reason

2003-06-27 Thread Lynn Duerksen
Tomasz Kojm [EMAIL PROTECTED] wrote ..
  I'm experiencing the same trouble running a similar setup: OpenBSD3.3,
  Postfix, amavisd-new-20030314-p2 (running chrooted), spamassassin, clamd
  
  What I noticed is that the problem occurs after a db update via
  freshclam. 

I notice that it always seemed to be close to an update, but I update 12 times a day.  
It bombs out at most once a day.

  Basically after a successful update clamd checks itself and the db for
  updates (by default every 3600 sec). Then it detects the change and writes
  in the log:
  
  SelfCheck: Database modification detected. Forcing reload.
  Reading databases from /usr/local/share/clamav
  
 The two things may not be connected. Please set the SelfCheck option to
 some small value and touch the database while clamd is running. Does clamd die

clamd remained running during this process.

I have manually run freshclam and could not make it bomb.

 ?
 
 Best regards,
 Tomasz Kojm
 -- 
   oo. [EMAIL PROTECTED]
  (\/)\.   http://www.konarski.edu.pl/~zolw
 \..._ I nie zapomnij kliknac w brzuszek... 
   //\   /\\   - C. Amboinensiswww.pajacyk.pl
 

