Re: [Clamav-users] Progressive scan ?

2006-05-02 Thread Matt Fretwell
On Mon, 24 Apr 2006 13:16:57 +0200
Roman ZARAGOCI wrote:

  For example, I would want to scan only new files added to home
  directories or by checking the modification date of files.
  Maybe someone has already made this sort of script?
 
  If you run something like:
 
 find /home -mtime -2 -type f -print0 | xargs -0 clamdscan
 I've got a specific problem with my script, let me explain what it
 does:
 
 1) # First, the script builds a text file named file1 containing all
 files modified in the last day
 find /home -mtime -1 -type f > /tmp/file1
 
 2) # Then, the grep command excludes all lines containing mail (to
 not scan mail files - too long and already scanned by other software)
 grep -v mail /tmp/file1 > /tmp/file2
 
 3) # Because clamdscan needs a single line as parameter to specify
 files/directories to scan, I apply this:
 while read line; do echo -e "\"$line\" \c"; done < file2
 
 So, the file named file2 contains a single line with this format:
 "/home/first file" "/home/second file" ...
 I add double quotes to scan files with spaces.
 
 But when I do:
 while read line; do echo -e "\"$line\" \c"; done < file2 | xargs -0
 clamdscan
 clamdscan replies:
 
 [...] /home/tbigo/some file.exe /home/updvir/update.ini
 /home/updvir/dat-4746.zip : File name too long


 Your scripting skills are somewhat flaky :) This is not an exemplary
method/script, but should give you a general idea, keeping the general
context of your script.

#!/bin/sh

# Files under /home modified within the last day.
find /home -mtime -1 -type f > /tmp/file1

# Drop anything with "mail" in its path, then scan one file per call.
# Reading line by line (rather than word-splitting a variable) keeps
# filenames containing spaces intact.
grep -v mail /tmp/file1 | while IFS= read -r x
do
    clamdscan "$x"
done

# End of file

 The above has no particular semantics or such, but gives a basis to
work from.


Matt

p.s: Before anyone starts pointing out problems with the above quick
 script, it was not meant to be a scripting reference, just a vague
 guideline/concept :)
___
http://lurker.clamav.net/list/clamav-users.html
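The same procedure done NUL-safely, as an added example that is not Roman's or Matt's script: find -print0 builds the list, the exclusion happens inside find instead of grep, and xargs -0 hands the names to clamdscan so paths with spaces survive. The scanner command (SCANNER), the exclude substring and the day count are parameters assumed here for illustration and testing; the empty-list guard matters because GNU xargs would otherwise invoke clamdscan with no arguments, i.e. scan the current directory.

```shell
#!/bin/sh
# Scan files under a directory that were modified in the last N days,
# skipping any path containing an exclusion substring ("mail" in the
# thread), with the file list passed NUL-delimited end to end.
set -eu

# SCANNER is an assumption of this example (not a clamav option): it lets
# the scan be pointed at a stand-in command for testing.
SCANNER=${SCANNER:-clamdscan}

# Print the NUL-delimited list of candidate files.
#   $1 = root directory, $2 = days (find -mtime -N), $3 = substring to exclude
build_scan_list() {
    find "$1" -type f -mtime "-$2" ! -path "*$3*" -print0
}

# Number of entries in the list (NUL terminators counted).
count_scan_list() {
    build_scan_list "$1" "$2" "$3" | tr -cd '\000' | wc -c | tr -d ' '
}

# Run SCANNER over the list. Returns 0 when nothing needed scanning or the
# scan was clean; xargs returns 123 if any invocation exited non-zero
# (clamdscan uses 1 for "infected", 2 for errors).
scan_recent() {
    list=$(mktemp) || return 2
    # find may complain about unreadable directories; scan what it found.
    build_scan_list "$1" "$2" "$3" > "$list" || true
    status=0
    if [ -s "$list" ]; then
        # -n 200 caps each invocation's argv well below ARG_MAX, which is
        # the "File name too long" / argument-length trap from the thread.
        xargs -0 -n 200 "$SCANNER" < "$list" || status=$?
    fi
    rm -f "$list"
    return "$status"
}

# Usage (from a cron job, for instance):
#   . ./scan_recent.sh; scan_recent /home 1 mail
```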


Re: [Clamav-users] Scanning of ole objects in excel sheet

2006-03-14 Thread Matt Fretwell
On Tue, 14 Mar 2006 09:53:42 +
B Boomerang wrote:

 I have first created an .exe file containing the eicar virus
 string Then I have created an excel sheet and embedded the
 .exe file in it as an  OLE object (the object is linked and
 embedded) If I send this excel file as an attachment in an
 email, clamd does not find  the eicar virus. (if I send the
 .exe file as an attachment in an email,  clamd does find the
 eicar virus)
 
 Is this a bug in clamd or is it by design that the eicar virus
 is not found  as an OLE object?


 If I remember correctly, the eicar test string has to be in a
very specific format to be recognised as such.

http://www.eicar.com/anti_virus_test_file.htm


Matt


Re: [Clamav-users] Sending Sample Phishing Exploits Stopped

2006-03-12 Thread Matt Fretwell
On Sun, 12 Mar 2006 07:18:37 -0500
Gerard wrote:

 I seem to be having a slight problem with Clamav. It catches
 incoming an incoming virus just fine. It also works on
 phishing schemes.
 
 From time to time, I need to send samples of various phishing
 schemes I receive to others for analysis. Unfortunately,
 Clamav is detecting that I am sending them as an attachment
 and stops the send. How can I bypass this without totally
 disabling Clamav? Would it be possible to 'whitelist' a few
 selected addresses.


 This is nothing to do with Clam. This is implemented within
your MTA/MUA, or however you are calling Clam.


Matt


Re: [Clamav-users] Some Help on initial configuring clamd.conf

2006-03-12 Thread Matt Fretwell
On Sun, 12 Mar 2006 11:49:41 +0100
MP wrote:

 Can someone tell me the differences between clamav-server and
 clamav? What's clamav-server and do I need it?
 Trying to #/sbin/chkconfig --level 2345 clamav-SERVICE on,
 the same for clamd.conf: what is SERVICE?
 What are the differences between clamscan and clamdscan?

 Clamscan is a commandline scanner which loads the DBs every
time it is called. Clamdscan communicates with the clamd server,
which is the more efficient method as the clamd daemon loads the
DBs once at startup, (and then only when the DBs are updated).


Matt


Re: [Clamav-users] Some Help on initial configuring clamd.conf

2006-03-12 Thread Matt Fretwell
On Sun, 12 Mar 2006 14:53:21 +0100
MP wrote:

 [EMAIL PROTECTED] init.d]$ more clamd.init
 #!/bin/bash
 #
 # chkconfig: - 75 25
 # description: The clamd server running for SERVICE
 
 CLAMD_SERVICE=clamav-server
 . /usr/share/clamav/clamd-wrapper
 [EMAIL PROTECTED] init.d]$
 
 Last question:
 What SERVICE do I need to put in?
 If I clear the field, clamd-init complains about clamd.conf
 not being configured. If I insert something like, let's say, clamd,
 which is the daemon I'd hope to start, here is the output:


 No idea. The above is specific to your distro. Type, from the
commandline:

/path/to/clamd

 If it starts from that command, (shown by ps as running), the
error is in the startup script on your system. If not, you may
need to check paths/configs.


Matt


Re: [Clamav-users] Disallowed characters found in MIME headers

2006-03-03 Thread Matt Fretwell
On Fri, 03 Mar 2006 16:43:24 -0800
Alex Gottschalk wrote:

 This check is causing our mail server to quarantine mail sent
 from PHP via postfix.  It looks like it's because PHP wants
 to put CRLF on the MIME headers instead of bare LFs.  Is
 there any way to modify or remove this behaviour?  At least
 according to the PHP docs
 URI:http://us3.php.net/function.mail, it should be legal to
 put \r\n characters as linefeeds in MIME headers.


 Check the RFCs as to whether it is legal or not. 'Should be'
and 'must be' could be two very different things.


Matt


[Clamav-users] [OT] Rbl listing

2006-03-01 Thread Matt Fretwell

 Just as a point of possible interest, whilst testing the MSRBL
list that someone mentioned the other day, noticed this:

http://www.msrbl.com/site/check?ip=64.18.103.6

 Might be worthwhile one of the list admins contacting the
rbl admins to point out that listing a virus scanner mailing
list for viral/phishing content is a bit untoward :)

 Good job I was just testing this rbl with a warn status on the
mailserver :)


Matt


Re: [Clamav-users] ping

2006-02-27 Thread Matt Fretwell
On Mon, 27 Feb 2006 08:03:37 -0500
Mark Grieveson wrote:

 I just installed clamav on Debian Sarge, using packages from
 the  debian-volatile repository.  When I test the daemon with
 ping, I do not  get the answer pong, which I've read
 somewhere that I should.  Any  idea how I can be sure the
 daemon is working?  Can it be set to check  mail coming in to
 the mail user agent Mozilla Mail, from an smtp?
 
 Note the result below:
 
 debian:/home/mark# clamd ping
 debian:/home/mark#

 The documentation is slightly misleading in this regard. That
command has to be issued over a socket to the clamd daemon, not
from the command line.


Matt


Re: [Clamav-users] Phishing Signatures

2006-02-26 Thread Matt Fretwell
On Sun, 26 Feb 2006 11:00:23 -0500 (EST)
Krzys wrote:

 
 I was looking for this but I did not find a lot of info about
 it this morning and I was wondering if anyone could give me
 some help... I would like to set up my ClamAV with Phishing
 Signatures but as I said I was unable to find much info on
 how to do it. I did find lots of sources with different
 signature files but not much about how to set it up to actually
 use them...
 
 In config file I found someplace that I would be able to use 
 DetectPhishing but it does not work when I add it into my
 config. Do I  need to somehow configure it before I can use
 it? Then if I get signature  files from the net how can I put
 them in so that clamav could use them?
 
 Any help or pointers are greatly appreciated. Thank you so
 much in  advance.

 See Steve's post of earlier today. He has created some extra
sigs for this purpose. Some sigs are already in Clam. Due to the
nature of phishing, however, there is no such thing as a
comprehensive list. Other methods should also be utilised for
detecting phishing. Copy the .ndb files to your database
directory, to use them.

 Steve's site:

http://www.sanesecurity.com/clamav/


Matt


Re: [Clamav-users] Phishing Signatures

2006-02-26 Thread Matt Fretwell
On Sun, 26 Feb 2006 13:37:30 -0500 (EST)
Krzys wrote:

  Yes, I don't see why not, you need to add the ndb files to
  your normal virus database directory and restart clamd.
 
 I am so very sorry for asking such a stupid and, for some,
 probably obvious question, but how would I do that?

 Yet again, for the THIRD time, COPY THE .NDB FILE TO YOUR
CLAMAV DATABASE DIRECTORY.


Matt


Re: [Clamav-users] clamscan delete the entire mailbox

2006-02-23 Thread Matt Fretwell
On Fri, 24 Feb 2006 07:56:13 +1300
Jason Haar wrote:

 
  It might be best to find a scanning system that checks at
  the smtp level, rather than scanning the mailbox of the user
  manually. This would delete the virus as it's being
  transferred while preserving the message, and you wouldn't
  have the same issue of having the entire mailbox being
  deleted.

 That's not standard practice.


 There is no such thing as standard practice, in this regard.
General consensus, possibly. At the end of the day, the
draco-admin or company policy decides the standard practice.


Matt


Re: [Clamav-users] The new e-mail exploit

2006-02-21 Thread Matt Fretwell
On Tue, 21 Feb 2006 22:09:56 -0700
Philip Ershler wrote:

 Hi,
  Will ClamAV be able to catch executable scripts hiding
 as e-mail attachments any time soon?


 Any chance of being more specific? What type of executables? If
they are virii, ( couldn't resist the temptation :), it already
does.


Matt


Re: [Clamav-users] Re: virus detected using clamscan but not with Mail::ClamAV perl module

2005-12-23 Thread Matt Fretwell
Dale Walsh wrote:

  Now, can we move on? Boy, some people on this list are
  cranky lately.

 I can understand that the holiday season gets on people's
 nerves and it doesn't take much to set someone off.


 What do you mean, 'cranky lately'. They're always
cranky. :) (Couldn't resist).


Matt


Re: [Clamav-users] the birth year of ClamAV

2005-12-03 Thread Matt Fretwell
Joe Yamasaki wrote:

 I want to introduce ClamAV in a Japanese magazine as one of the
 successful open-source projects. One thing I can't find is when the
 first ClamAV was released or when this project started. It would be
 nice to hear the birth year of ClamAV. Thanks to all the people who
 made this happen.


 The first entry in the Changelog is dated:

Sat Apr  6 22:19:36 CEST 2002

 Don't personally know how close that is to the initial
conception/release date.


Matt


Re: [Clamav-users] Problem to check virus within RAR archives ?

2005-11-04 Thread Matt Fretwell
Stephan von Krawczynski wrote:

 04/11/2005 14:17:07:26333: run /usr/local/bin/clamdscan -r
 --tempdir=/var/spool/qmailscan/mail-a02113111022758026333
 --disable-summary --unzip --unrar --unace --unarj --zoo --lha --jar
 --tar --tgz /var/spool/qmailscan/mail-a02113111022758026333 2>&1
 04/11/2005 14:17:07:26333: --output of clamscan was: WARNING:
 Ignoring option -r: please edit clamd.conf instead.


 Clamscan and clamdscan are two different things.


Matt


Re: [Clamav-users] newbie question

2005-07-29 Thread Matt Fretwell
Christopher Scott wrote:

 clamscan works just fine and, obviously, trying to run clamdscan  
 results in connect(): No such file or directory
 ERROR: Can't connect to clamd.
 
 Any ideas?


/path/to/clamd

 Clamd has to be running to use clamdscan.


Matt


Re: [Clamav-users] clamav only virus? - Trojan.Briss-1

2005-07-27 Thread Matt Fretwell
Pablo Chamorro C. wrote:

 What I know is clamav doesn't have a 'Virus Information Library' or 
 similar, that is the reason why I'm asking.


 If you search the archives, there have been links to comparison lists
posted in the past.


Matt


Re: [Clamav-users] uncompressed zip size of Zero

2005-07-27 Thread Matt Fretwell
q# wrote:

 Of course, but as you can see, I've created my own signature for empty
 file in zip-file and it doesn't work.

 One might surmise, then, that you have not created it correctly?


Matt


Re: [Clamav-users] Clamav + Exim on FreeBSD

2005-07-07 Thread Matt Fretwell
jef moskot wrote:

 I'm not sure that it's a new version of zlib, exactly, especially since
 the problem and the fix seem to be OS-specific.
 
 If you have FreeBSD 5.3 or 5.4, there are explicit instructions for what
 to do here:
 ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:16.zlib.asc


 According to Secunia, the only updates so far are system vendor supplied.
I do not believe the zlib team has issued an update, as of yet.


Matt


Re: [Clamav-users] Pthread error when compiling clamav

2005-06-27 Thread Matt Fretwell
bsd wrote:

 I have built on my test machine the latest version of clamav and I am  
 facing a pthread build problem.


 ./configure --disable-pthreads


Matt


Re: [Clamav-users] Pthread error when compiling clamav

2005-06-27 Thread Matt Fretwell
Matt Fretwell wrote:

 bsd wrote:
 
  I have built on my test machine the latest version of clamav and I am
  facing a pthread build problem.
 
 
  ./configure --disable-pthreads


 Just read the rest of your message and noticed you were using ports.
That option would go in the Makefile in the clamav port directory:

/usr/ports/security/clamav/work/clamav-0.86.1/Makefile

 under CONFIGURE_ARGS=


Matt


Re: [Clamav-users] Using clamav to scan adware

2005-06-20 Thread Matt Fretwell
Joanna Roman wrote:

 Is anyone using clamav to scan adware? If so, have you been successful?
 Does your clamav scanner listen on port 80 only? Or does it also listen
 on port 21?


 Wouldn't it just be easier to list the complete list of specific goals
you wish to achieve, and then someone can give you a specific yes/no/maybe
answer as to whether it is plausible? It would be easier than asking awry
questions every several days/weeks.


Matt


Re: [Clamav-users] odd problem w/clamd

2005-06-10 Thread Matt Fretwell
[EMAIL PROTECTED] wrote:

 usually a restart of clamd does the trick, although yesterday even that
 didn't seem to do the trick - after restart of clamd the message would
 still trickle, so I rebooted the server, and everything returned to
 normal...


 By the sounds of the above, I personally would say that wouldn't appear
to be a problem with Clam, rather some other part of your setup or system,
possibly even hardware related.


Matt


Re: [Clamav-users] odd problem w/clamd

2005-06-10 Thread Matt Fretwell
Odhiambo Washington wrote:

   I run 0.85.1 on FreeBSD 4.11, 5.2.1, 5.3 and 5.4 and in all cases I
   don't have a problem at all. None of my machines is as high specs
   as his.

  Easy, cowboy.  When he says that problems are confined to FreeBSD,
  that does not imply that all FreeBSD installations will have problems.
 
 In that case, he should have said FreeBSD-5.2.1 ;)


 I will just add that I, like you, have never had the slightest problem
with Clam on FreeBSD. It has been rock solid from day one. I stick with
the latest 4 branch release, BTW.


Matt


Re: [Clamav-users] Recent CVS - broken logging to /dev/stderr ?

2005-06-09 Thread Matt Fretwell
Steve Brown wrote:

 It would appear that maybe privileges are being dropped too quickly 
 because with today's cvs I'm getting permission denied on /dev/stderr 
 with perms = rw--- root.root. It was fine (and still is) on cvs from
 a few days ago.


 Unless I am very much mistaken, the perms on stderr should be 666.


Matt


Re: [Clamav-users] ERROR: Clamuko: Can't register with Dazuko

2005-06-08 Thread Matt Fretwell
Scott Woodford wrote:

 Either way, when I run a scan using clamscan or clamdscan, or
 Clamuko simply finds a virus, I get no message that a virus was found,
 except in the log.  All I get was something like error accessing file.
  I want both myself (root) and users to get a message saying virus found
 if either Clamuko picks it up, or a manual scan.  I'm not concerned
 with emailing right now.  These are standalone systems.  Any ideas on
 that?


 What are the contents of the Virusevent line? Clamscan will not use that
parameter, BTW.


Matt


Re: [Clamav-users] ERROR: Clamuko: Can't register with Dazuko

2005-06-08 Thread Matt Fretwell
Timothy Omer wrote:


VirusEvent echo Virus found: %v


 Then:

vi /usr/src/sys/boot/forth/loader.conf

 or

man rc.conf

 Those show you options for loading modules at boot time. rc.conf for
modules, not rc.local.


Matt


Re: [Clamav-users] ERROR: Clamuko: Can't register with Dazuko

2005-06-08 Thread Matt Fretwell
Scott Woodford wrote:

 My system doesn't have the loader.conf or the rc.conf files.  I searched
 for them and did not find anything.  I don't even have a
 /usr/src/sys/boot/forth directory.  There was no manual entry for
 rc.conf either.  My system is RedHat 9.0.  Any ideas where else to look?


 Apologies. Could have sworn you said you were on *BSD. One of the other
list members may be able to help you with regards to Linux startups. I
personally have no idea.

 With regards to the virusevent, you will also need to restart clamd after
changing clamd.conf.


Matt 


Re: [Clamav-users] Re: undetected malwares

2005-06-07 Thread Matt Fretwell
Bart Silverstrim wrote:

   The devel's time is not infinite. I am sure most of them do have
   other jobs and things to do also. Do stop trolling and just ask them
   how to submit the virii :) ( No use being of a subtle disposition on
   this list :)

 I also would disagree that he was trolling...sounds like he's peeved at 
 the acidic response he got when he was just trying to be helpful.


 No doubt you are correct with regards to the second aspect. However,
coming back with the 'outdated scanner' bit was unnecessary. Personally, I
have no time for people with tender dispositions. Life's a bitch. Tough.
Deal with it. (Yes, I am trying to fit as many non posting-etiquette type
responses into one message as possible). For goodness' sake, what is wrong
with people just using common sense and asking first if they are unsure of
how to proceed, or, dare I mention this blasphemy, actually reading any
guidelines or documentation.

 I was never aiming specifically at the OP. He made a mistake. Simple as
that.

 This pissy tit lip, I get upset over everything, type attitude that
people seem to suffer from these days, however, is becoming one of my
major bugbears.


Matt


Re: [Clamav-users] Arrogance toward well-meaning participants (was: undetected malwares)

2005-06-07 Thread Matt Fretwell
Bart Silverstrim wrote:

 If he already did and hadn't gotten feedback, maybe there could be some
 people who would coordinate some form of feedback system on whether a
 sample is in the works or in the queue or something like that or an
 automated sig-maker system could be worked on as a project. If the
 things he is asking be included in the malware detection code isn't
 going to do it because the developers have vetoed it, then tell him. 

 Give people blood, and they will still find some reason to complain.


 Don't just insult the guy.  Geez.  :-(

 Courtesy first, I do have to agree with you on that. Pandering, however,
is a very different thing.


Matt


Re: [Clamav-users] Re: undetected malwares

2005-06-07 Thread Matt Fretwell
Bart Silverstrim wrote:

 My wife and I just had a newborn baby boy.  The first and foremost 
 thing to learn...tolerance.  He cries because it's the only way he can 
 communicate, it's frustrating because we have to interpret what he 
 means.  But he's a baby and that's what they do!  It's their nature.  
 We knew it when we...um...compiled him :-)


 Congratulations. First child, or do you have other children?


Matt


Re: [Clamav-users] Re: undetected malwares

2005-06-07 Thread Matt Fretwell
Bart Silverstrim wrote:

 Don't take out frustrations towards persistent idiots on this guy that
 made, as you put it, an honest mistake.  It makes the entire list and
 the developers look rather poor.

 Just had to say, before I abide to Luca's request and shut up, my first
response was actually nice :)


Matt


Re: [Clamav-users] Re: undetected malwares

2005-06-06 Thread Matt Fretwell
Michel Arboi wrote:

  You're distributing malware, so you're bad.
 
 Clamav does not even catch half of the worms that are currently in the
 wild. Most of them are dangerous IRC bots.
 I was about to ask how I can help the project. I will not. I think
 that you don't need bad people.


 Calm down chaps :) It is a bad idea to put the files where they are
publicly available. That is a simple fact. You are possibly helping to
spread the problem. However, if the files are not currently detected,
submitting them would be helpful. If you ask on the list, one of the
devel's will advise you regarding how, if you have a large amount to
submit.


 PS: you're distributing an outdated scanner, I'm not sure you are
 better than me.

 The devel's time is not infinite. I am sure most of them do have other
jobs and things to do also. Do stop trolling and just ask them how to
submit the virii :) ( No use being of a subtle disposition on this list :)


Matt


Re: [Clamav-users] Arrogance toward well-meaning participants

2005-06-06 Thread Matt Fretwell
Timo Schoeler wrote:

  What can certainly be observed on this mailing list is a tendency to 
  attack and reproach the developers.
 
 IMHO this is misunderstood then. most of the cases some people ask why
 this or that is managed in this or that way and some people have (and
 tell) an idea of how to 'improve' (mind the colons) things.
 
 this has nothing in common with criticism of any developer.


 Actually, these are not suggestions regarding how one might 'improve'
things. These are initial posts which are carried out with a complete lack
of forethought, and then, when an OP becomes piqued once they are berated
for their aforementioned lack of forethought, become ignorant, for lack of
a better word. Whilst one does admit that some devel's may lack certain
'people skills', or as the troll one said, are just misanthropic :), (I
really love that one. Practically had it emblazoned on a badge), stupidity
is no excuse on the part of the OP.

 One does not need to be offhand, unless circumstances really do dictate
such. Propagating a link to a public page where viral or trojan software
may be freely downloaded does possibly constitute one of those occasions.
Whilst the OP is already receiving these, the people who are not yet
inundated may well be pretty damn soon.


Matt 


Re: [Clamav-users] should Broken.Executable files be submitted?

2005-06-02 Thread Matt Fretwell
jef moskot wrote:

 If I use the --detect-broken option, they're picked up as
 Broken.Executable.
 
 Since --detect-broken is not the default behavior for clamscan, should
 these still be submitted at clamav.net or is --detect-broken reasonable
 enough that I should just turn it on?


 Broken is broken :) It is pretty irrelevant, if they are broken, whether
you block them or not, one might suggest.


Matt


Re: [Clamav-users] /dev/console and LogSyslog

2005-05-30 Thread Matt Fretwell
imacat wrote:

 Thank you for your answer.  I have made some test of redirecting the
 Syslog channel you specified, but the problem still exists.  The
 LibClamAV Warning:... messages are still there at the console.

 You did restart syslogd after the changes?


Matt


Re: [Clamav-users] Reporting Phishing Mails?

2005-05-29 Thread Matt Fretwell
Jan Pieter Cornet wrote:

  Looking forward to 0.90, when these debates can finally end.
 
 They can end NOW, for two reasons: first because subject has been
 beaten to death and then some more already, and second because there's
 a documented solution NOW, too.

 Well, you have just made sure that it will get beaten to death some more.
Talk about a red rag to a bull :)


Matt


Re: [Clamav-users] Re: Memory limit per process hit

2005-05-28 Thread Matt Fretwell
G.W. Haywood wrote:

  We added a sort of tarpitting solution to our sendmail...
  clamav-milter seems to be suffering. What happens is that the
  maximum number of childs are reached in a 2-4 hour period
 
 People with far more experience than I tell me that this isn't the
 way.


 And the above is the exact reason why they say it isn't the correct way
to do it. Adding this 'delay' to smtp negotiations can literally lead to
you DoS'ing, (or whichever phraseology you prefer), yourself :)


Matt


Re: [Clamav-users] Configuring clamd.conf

2005-05-28 Thread Matt Fretwell
Lee Zelyck wrote:

 # Default: enabled
 #ScanOLE2  ^^^

 As you can see, the comments mention what the default is :)


 Do I need to Uncomment '#DisableDefaultScanOptions'
 and '#ScanOLE2' to get it to scan for OLE2's, or by
 doing nothing, Clam will Scan for OLE2's by default.

 If you wanted to turn that off, you would have to uncomment
DisableDefaultScanOptions and leave ScanOLE2 commented. When you start
clamd, the list of options with which it is running are printed to the
logfile.


Matt


Re: [Clamav-users] Output Errors From Clam-0.85.1 Startup

2005-05-28 Thread Matt Fretwell
Lee Zelyck wrote:

 Well, I think I have the install working, but I have a
 small lingering concern:
 
 # /etc/init.d/clamav start
 Starting Antivirus database update daemon.
 Starting Antivirus daemon.
 Starting E-mail scanner.
 /usr/local/sbin/clamav-milter: (-q && !LogSyslog):
 warning - all interception message methods are off
 /usr/local/sbin/clamav-milter: --max-children must be
 given if --external is not given
 /etc/init.d/clamav stop


 man clamav-milter.


Matt


Re: [Clamav-users] clamd lockup ?

2005-05-27 Thread Matt Fretwell
Jason Frisvold wrote:

 Hi all,
 
 The clamd process on one of my mail servers appears to have locked up
 earlier today.  I was unable to restart or kill the process.  In fact,
 I had to do a hard reset to fix the problem.
 
 So, I'm wondering what steps I can take next time to a) determine why
 clamd has locked up, b) gather sufficient debugging information for
 the clamav team, and c) kill and restart the process without the hard
 reboot.
 
 Can anyone give me some pointers?  I understand that there's not a lot
 of information here.  I'm looking for what to do next time, assuming
 there is a next time..  :)


 If a 'kill -9' will not kill the process, I would say your problem lies
elsewhere than with Clam. That would be more indicative of a hardware or
OS problem.


Matt


Re: [Clamav-users] clamd lockup ?

2005-05-27 Thread Matt Fretwell
Samuel Benzaquen wrote:

   If a 'kill -9' will not kill the process, I would say your problem
   lies elsewhere than with Clam. That would be more indicative of a
   hardware or OS problem.

 If the process is trying some I/O to some not-available, hard-mounted
 NFS filesystem, then the process will not die with 'kill -9'.
 
 Just a thought.


 I would say that definitely classifies as a non Clam error :)


Matt


Re: [Clamav-users] Configuring clamd.conf

2005-05-27 Thread Matt Fretwell
Lee Zelyck wrote:

 Does this mean that if I don't 'uncomment' anything
 below this point, I will have the default scan options
 enabled?
 Or do I have to enable each of the options below this
 point to augment the Default Scan Options?
 
 In short:  Does the apparent double-negative...:


 Before one of the trolls jumps at this, if you wish to alter any of the
scan options below that option, uncomment DisableDefaultScanOptions, and
then the settings you enable/disable will come into play. Otherwise, if
you leave it commented out, the default scan options will be used,
whatever you enable/disable in the scan options below it.


Matt


Re: [Clamav-users] Re: Clamav upgrade

2005-05-26 Thread Matt Fretwell
Souza Simbota wrote:

 checking for mi_stop in -lmilter... no
 checking for library containing strlcpy... no
 checking for mi_stop in -lmilter... no
 configure: error: Cannot find libmilter
 
 Install sendmail-devel
 
 Am running postfix as a mail server. So should I still install
 sendmail-devel?


 From memory, (so may be wrong), supply the following option to configure:

 --without-milter

 Do a './configure --help' to be certain. No use including the milter if
you are using Postfix.


Matt


Re: [Clamav-users] ACME Labs mail filtering tutorial

2005-05-25 Thread Matt Fretwell
Jef Poskanzer wrote:

 I've been working on this for a few months, and just published it today:
 
 http://www.acme.com/mail_filtering/
 
 ClamAV gets a prominent mention.


 Love the conclusions page :)


Matt


Re: [Clamav-users] ACME Labs mail filtering tutorial

2005-05-25 Thread Matt Fretwell
Dennis Peterson wrote:

  ClamAV gets a prominent mention.

   Love the conclusions page :)

 You frequently remind me of me.

 Is that a compliment, or should I be worried :)


 You don't happen to ride a harley, do you?

 Afraid not. Wife wouldn't let me have a motorbike. Thinks I am a walking
disaster, apparently :)


Matt 


Re: [Clamav-users] 'ERROR: Parse error at line 1: Unknown option _ELF.'

2005-05-24 Thread Matt Fretwell
David Suen wrote:

 I double-checked my clamd settings and realized that it is triggered by
 the clamd SelfCheck 600 setting.
 
 It does not always happen, but sometimes.
 
 Any idea? :(


 Your question has already been answered. Set your configs correctly.


Matt


Re: [Clamav-users] clamav-milter logfile permission error

2005-05-24 Thread Matt Fretwell
Todd Lyons wrote:

   clamav-milter: (-q && !LogSyslog): warning - all interception message
   methods are off
   /var/log/clamav/clamav.log: Permission denied
 
 Well, duh.  The clamd daemon has that file open, so clamav-milter can't
 open it.  Can someone tell me how to tell the milter not to try to open
 that file?  
 
 On my Gentoo boxen, it spits out the warning and then successfully
 starts up:


 man clamav-milter: 

  -c FILE, --config-file=FILE
  By default clamav-milter uses a default configuration file,
  this option allows you to specify another one.


 Worthwhile reading the manpage, might one suggest.


Matt



Re: [Clamav-users] clamav-milter logfile permission error

2005-05-24 Thread Matt Fretwell
Todd Lyons wrote:

 Thank you for the sarcas^W kind words.  Can you hazard a guess as to why
 that works on the Gentoo box using the same config settings?

 That was just dry, not sarcastic :) Version difference, possibly?


Matt


Re: [Clamav-users] problem after upgarding from 0.84 to 0.85

2005-05-23 Thread Matt Fretwell
ankush grover wrote:

 Starting clamav-milter: ERROR: Please edit the example config file

 ERROR: Please edit the example config file /etc/freshclam.conf.


 Edit those two (   ** example **   ) files, as the error messages
say. Once you do that, you will see why they are called example files.


Matt


Re: [Clamav-users] Force email scanning

2005-05-19 Thread Matt Fretwell
Doug Hardie wrote:

 I am using sendmail with clamav-milter to scan email.  Normally  
 clamav-milter does not scan messages from the LAN or the machine  
 unless you direct it to do so via the flags.  I would like to be able  
 to put something into a message such that it would be scanned even  
 though it would otherwise not be scanned - in essence an override  
 of the non-scanning options for that specific message.  I can make  
 this happen by using -o but then all the locally generated mail is  
 scanned which is not really necessary.


 It is good practice to scan outgoing mail for virii as well. My advice
would be to enable it globally. ( You have probably already been added to
some acl's by some members on the list :)


Matt


Re: [Clamav-users] Force email scanning

2005-05-19 Thread Matt Fretwell
Wilhelm du Plessis wrote:

 this happen by using -o but then all the locally generated mail is  
 scanned which is not really necessary.

 pardon my jumping on here...
 but just how does one enable it globally to scan local mail as well?


 The answer is above :)


Matt


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Matt Fretwell
Sergey wrote:

 KP Clamav should create log file with same owner as defined in
 KP clamd.conf to work it properly.
 
 I've just noticed the same thing. clamd.log is made by root. But 0.84
 doesn't care about that; it works properly.


 The response someone posted a few days ago regarding 'software
covering up sloppy administration' springs to mind regarding this.


Matt


Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Matt Fretwell
Bart Silverstrim wrote:

 Maybe even do a reverse check to see if there's a mail server on the
 sending system...how many systems would break doing a check like that?

 The sending server isn't guaranteed to be a MX, so any DNS MX or reverse
connection tests would fail.


Matt 


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Matt Fretwell
Sergey wrote:

 DP We have a winner! Now if you put that in your startup script and log
 DP rotation tool you'll have the job finished.
 
 Why is that? If I restart clamd, it won't change the
 permissions of clamd.log. And by the way, I don't need any log rotation
 because my clamd.log doesn't even become big or something like that.


 And the reply above is a perfect example of sloppy administration.


Matt 


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Matt Fretwell
Jim Maul wrote:

  Call me old fashioned, but this is something I like to deal with
  myself. There's still a roll for the thinking admin.
 
 No, don't get me wrong here, I'm not saying clamav should predict 
 anything.  Nor should it have to deal with misconfigured software.  This
 is of course left up to the admin.  However, it seems that it *creates* 
 the logfile owned by root.  And that... well... just isn't right.


 Just to test, as an ordinary user, run:

touch /var/log/test.log

 Now why does it create the logfile as root?



Matt


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Matt Fretwell
Jim Maul wrote:

  touch /var/log/test.log
  
   Now why does it create the logfile as root?

 While I get your point, it is irrelevant because it should not log in 
 /var/log/ directly.  It should log in /var/log/clamav/


 The main point of my point, (I know that sounds weird), is that an admin
who relies upon any piece of software to correctly create and set
permissions on the logfile is asking for trouble. Clam is not alone in
this. This is not a bug in Clam, it is poor admin technique on the part of
the admin. Your logs are vital for a smoothly running system. The admin
should take full control of their logs.


Matt
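The "admin takes full control of the logfile" approach argued above, as an added example that is not part of the thread: a POSIX sh function that pre-creates the daemon's log directory and file with the owner, group and mode the admin chose, refuses to touch anything that is not a regular file, and a second function that checks the result. The directory, file name and account are parameters (the real values depend on your install); GNU `stat -c` is assumed, and for real use it runs as root.

```shell
#!/bin/sh
# Added example, not from the thread: give the daemon a log file it can
# write to, created by the admin, so the daemon never creates it itself and
# never ends up with a root-owned file it cannot reopen after a restart.
#
# Usage: prepare_logfile DIR FILE OWNER GROUP
# Assumes GNU coreutils (stat -c). As root, OWNER/GROUP would be the daemon
# account; an unprivileged dry run works with your own user and group.
prepare_logfile() {
    dir=$1 file=$2 owner=$3 group=$4
    path="$dir/$file"

    # Log directory: owned by the daemon account, not world readable.
    mkdir -p "$dir" || return 1
    chown "$owner:$group" "$dir" || return 1
    chmod 0750 "$dir" || return 1

    # Never chown/chmod through a symlink or onto a device/fifo that
    # someone else dropped into the log directory.
    if [ -L "$path" ] || { [ -e "$path" ] && [ ! -f "$path" ]; }; then
        echo "refusing: $path exists and is not a regular file" >&2
        return 1
    fi

    # Create the file only when it is missing, so existing log content
    # (and a rotated-in-place file) is kept.
    [ -f "$path" ] || : > "$path" || return 1
    chown "$owner:$group" "$path" || return 1
    chmod 0640 "$path" || return 1

    # Show owner:group, mode and name so the admin can eyeball the result.
    stat -c '%U:%G %a %n' "$path"
}

# check_logfile DIR FILE OWNER: succeed only if the file is owned by OWNER
# and has mode 640, i.e. exactly what prepare_logfile set up.
check_logfile() {
    path="$1/$2"
    [ -f "$path" ] &&
        [ "$(stat -c '%U' "$path")" = "$3" ] &&
        [ "$(stat -c '%a' "$path")" = 640 ]
}
```

Run it once from the package's init script (or by hand) before the daemon starts, and point the daemon's log directive at the file it created.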


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Matt Fretwell
Jim Maul wrote:

   The main point of my point, (I know that sounds weird), is that an
   admin who relies upon any piece of software to correctly create and
   set permissions on the logfile is asking for trouble. Clam is not
   alone in this. This is not a bug in Clam, it is poor admin technique
   on the part of the admin. Your logs are vital for a smoothly running
   system. The admin should take full control of their logs.

 And the main point of my point (again with the weirdness) is that yes 
 this should be handled by the admin, however it is indeed a (small) bug.
 
   While the situation SHOULD never come up, clamav should not attempt to
 create a log file which it can never write to.


 I think we have reached stalemate on this one :)


Matt


Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Matt Fretwell
[EMAIL PROTECTED] wrote:

 If we can standardize the set of rules and protocols required for an MTA
 to accept an email, then spam will reduce.  Either that or we need to
 build a better mousetrap. This is just my $0.02.
 
 Your thoughts?

 What time is the next rocketship to this planet you have found? :)


Matt


Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Matt Fretwell
Bill Taroli wrote:

  This seems more like a discussion for another mailing list or a Usenet
  group on MTAs/SMTP IMHO

 I don't disagree... are there any good ones for SPF or similar debates?


 Postfix list: SPF practically banned except for implementation questions.

 Exim list: Will probably be pointed to a link regarding why *not* to use
SPF.


Matt


Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Matt Fretwell
[EMAIL PROTECTED] wrote:

 IMO, a sending MTA should never have its smtp port closed unless 
 it is an end-user.

 Once again, a sending server does not have to be a MX. Something within
that domain should be listening on port 25, but not always the machine
which is connecting to yours. Look at the hostname of my machine in the
headers. You will see it has rDNS and fDNS, but is not a MX for the
domain.


Matt


Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Matt Fretwell
Dennis Peterson wrote:

 What do you think the PTR for a host with 500 virtual domains might look
 like?

 Big :)


Matt


Re: [Clamav-users] Re: clamav-users Digest, Vol 8, Issue 75

2005-05-17 Thread Matt Fretwell
Dwayne Hottinger wrote:

 I'm having a problem with this new virus Trojan.Ascetic.C.  I have clamav
 scanning mail through clamassassin (procmail).  It isn't catching any of 
 them.  I have upgraded to the latest version of clamav and am using 
 clamassassin 1.2.2.  Any ideas how I can get it to start?


 A bit more information would be useful. Is clamd running? Are the mails
being processed correctly through procmail? Are the virii detected when
you manually run clamscan/clamdscan on them?

 With such a vague question, not much can be proffered in the way of
advice.


Matt


Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Matt Fretwell
[EMAIL PROTECTED] wrote:

   Once again, a sending server does not have to be a MX. Something
   within that domain should be listening on port 25, but not always the
   machine which is connecting to yours. Look at the hostname of my
   machine in the headers. You will see it has rDNS and fDNS, but is not
   a MX for the domain.
 
 True, but it could helo with its hostname and then it would match
 connecting back to check its 220 string.  Even if its a sending server,
 it should listen on 25 to verify that it is a mail server, even if it
 doesn't accept mail.  If it doesn't listen on 25 (or isn't accessible)
 then it is a client and should be using some type of smtp-auth with the
 server to relay through it, or to one of its recipients.  IMO, if you
 send a lot of mail, you should listen on port 25, even if you don't
 accept mail.


 By that theory, we should ban most large providers and mailing lists.
There are a countless number of companies that allow outgoing connections
only from their servers. That theory is vastly flawed and will not work.
Period. Also, any sending server is a client, irrelevant of whether it
works in client and server mode. The connecting machine is *always* a
client.


Matt


Re: [Clamav-users] (no subject)

2005-05-17 Thread Matt Fretwell
Dwayne Hottinger wrote:

 Viruses are being detected.  clamd is running.  The mails are being
 processed correctly through procmail.  It's just this particular virus
 that isn't getting detected (Trojan.Ascetic.C).  Sorry to be so vague. 
 It's my first post to the list.  If any more info is needed just let me
 know.  I'm just wondering why the emails aren't getting flagged.


 Have you tried it with the online-scanner, to see if that detects it?

http://test-clamav.power-netz.de/


Matt


Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Matt Fretwell
[EMAIL PROTECTED] wrote:

 What I am saying is that if you can't do some type of verification,
 whether it is connect-back (remember the old dialup
 callback-verification-system?) to the sending server or SPF or some
 other type of authentication mechanism, then you can't trust the sender.
  Really even SPF isn't great because DNS can be spoofed.  

 SAV probes are little less than content free spam. I have firewall rules
for offenders who don't cache their SAV results for a reasonable amount of
time.

 Anyhow, I digress upon this subject. You obviously have a far more
idealistic, (and pipe dream), outlook than I.


Matt 


Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Matt Fretwell
[EMAIL PROTECTED] wrote:

 If they do have a rouge spammer on their network, they might wish to
 know about it anyway.

 I assume that should have been rogue. ( Unless spammers have a
predilection for make up :)


Matt


Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Matt Fretwell
[EMAIL PROTECTED] wrote:

 When our MTA's are rebuilt for the new network some of the strategies
 discussed in this thread will be implemented.  Others will be
 implemented in a test-and-alert-me-only setup to see how effective it
 is.  If it breaks only 1% of the mta's out there then that is an
 acceptable casualty rate and those sysadmins can be contacted.

 Just as a last note on this subject, if you implement some of the ideas
you have been running by the list, your FP rate, at a very rough guess,
would be closer to ten to fifteen percent than one.


Matt


Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Matt Fretwell
Jef Poskanzer wrote:

 I really miss the days of destructive viruses.  We just don't
 really see 'em like we used to.  Remember Michaelangelo?  What was his
 birthday again?
 
 Actually, I think a little stealth would be better.  Something like
 silently intercepting and dropping any attempts at opening an outbound
 email connection.


 Internal clients on a network, (and I am referring to a LAN, not an
ISP's clients, before anyone says anything), shouldn't be allowed to
connect outbound on port 25 anyway. Everything internal should go through
the MTA.


Matt


Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Matt Fretwell
Damian Menscher wrote:

  And did you not find the clamd log permissions debugging segment in
  another thread educational? I did.
 
 I found Stephen Gran's comment interesting, in that he beat me to 
 finding the bug (I'd wasted time looking in clamav-milter.c first). 
 The rest of the posts, including your arrogant ramblings, were 
 worthless.

 Firstly Damian, it is not a bug. If you think the logfile issue is a bug,
you and I obviously have vastly different opinions regarding bugs.

 Secondly, debates on a subject are not 'arrogant ramblings' just because
you do not think they fit within the general discussion area of a list.
And how you have the indecency to accuse someone of posting offtopic
responses, when that is exactly what you have just done, is pure
hypocrisy. Full example below:
 
  You people really need to spend more time reading what others have
  done, rather than spending all day screaming your heads off about your
  own little viewpoints.

 Do not dare to criticise, and then have the gross indecency to commit the
same. A polite request one may have abided by, innate ignorance however, is
a different thing.


Matt


Re: [Clamav-users] Re: virus passing through clamav-milter, but not through clamdscan!

2005-05-17 Thread Matt Fretwell
Jef Poskanzer wrote:

 Also, Debug in the conf file helps quite a bit, and was actually what I
 was referring to.
 
 Ok, I uncommented that option and stopped/started clamav-milter.
 I don't see any new syslog messages, or anything on stdout.  Where
 should I be looking?  Do I also have to re-enable the regular
 logfile, in addition to LogSyslog?  I just tried that, and all I'm
 seeing in the log file is worm-found messages.


 Not sure about the milter specifics, but I assume you would need to
reload|restart clamd also?


Matt


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Matt Fretwell
Bart Silverstrim wrote:

 Are there any analysis papers out on sober.p yet?  And can anyone else  
 corroborate the theory I have, or am I totally off-base here?  I'm  
 still trying to figure it out from what I can piece together between  
 phone calls for other tasks here :-)


 If I remember correctly, a sideline of sober.p is to install sober.q on
the infected machine, which then spews these messages.


Matt 


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Matt Fretwell
Brian Read wrote:

 Block all mails from dynamic IP. They are 99,99% spam.

 No they aren't; that rule causes quite a few of my customers a 
 headache, as the (linux) mailserver I often install sends the email 
 direct, irrespective of whether their IP is dynamic or static.  Some
 ISPs charge an arm and a leg for static IPs.

 There are reasonable ISP's, (pricewise), with regards to static ranges.

 There is however the fact that whether the IP's are static or dynamic,
business or domestic class, some ISP's, (mentioning no names), impose
relay restrictions by the domain part in the *sender* address, if you try
doing it the 'relay through ISP's mailhost' way. Which does leave the
choice of having the MTA connect directly to retain the correct domain
part of the sender's mail address. This bumph about people shouldn't be
allowed to run a direct MTA to MTA setup unless they have static IP's is
nonsense. One might even say that it is MTA (elitism|snobbery). There are
plenty of legitimate MTA setups running on dynamic IP's. A lot of the time
they are configured in a better fashion than the service providers own
MTA's that most would have them relay through. There really is no
legitimate reason for blocking dynamic IP ranges at the outset. What
really does amaze me though, is that these are generally the admins who
will turn around and say, 'Don't block (variable), you will lose too
much legitimate mail'. Where is the logic in that? They will allow a
crappily configured multinational corporation or ISP to connect, yet not
give dynamics the slightest chance to prove their reliability.


Matt


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Matt Fretwell
Todd Lyons wrote:

 You should make their ISP's mail servers be the smarthost or
 relayhost for that customer's mail server.

 Oh yes, really.


 Some ISP's don't allow you to relay mail through them if it's not for
 @ispdomain.com.

 They don't allow you to do that so that they can charge you more than
your service charge per month for the 'ability to use your own domain name
in outgoing mail'. Dream on about using them as a relayhost.

 This restriction bit me in the arse with several customers before finding
out what the problem was. The fact that the information on this point is
buried away, and in no way any reference, or hint, supplied in any 5**
responses, doesn't make life any easier.


Matt


Re: [Clamav-users] database number

2005-05-16 Thread Matt Fretwell
Rainer Zocholl wrote:

 There are two flaws IMHO:
  - Gray should only be used for *un*important infos, but
 it is used for important infos and worse main titles(!) too. 

 And I thought I rambled on about irrelevant things.


  - Important infos should be visible without scrolling.
If you click one item at top, nothing seems to change,
because all changes are shown below...


 My, would you like someone to volunteer to press the down button for you?
For goodness sake, someone has gone to the pain and trouble of designing
the site, writing the documentation and making it all available, and your
complaining about colours and having to scroll?


Matt


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Matt Fretwell
Dennis Peterson wrote:

 Nobody should send mail directly unless it is filtered outbound. In
 fact, that would be a good blacklist: real-time-morons.org. I'd even
 toss in systems that NDR after the connection is closed as they have no
 idea at that point who the sender is.


 That, I cannot argue with :) Although if I remember correctly, there are
some on this list who are guilty of not filtering outbound.

 I think, (was it Julian who accused us of it?), misanthropic.admins.org
might be a good name :)


Matt


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Matt Fretwell
Dennis Peterson wrote:

  That was my point.  My mail IS filtered outbound.  So I should have to
  pay double for the privilege of controlling my own email?

 How am I to know that you are filtering your mail? If your IP is in the
 middle of a block of dynamic IP's you are fair game for me to block. The
 world experience is that Windows drones on dialups or cable/dsl are a
 major source of spam/viruses. Nothing distinguishes you from them. You
 get out of that mess by purchasing a fixed IP from an ISP that keeps
 track of non-dynamic IP's for all of our benefits. Nobody said this was
 easy or cheap.

 That is coming back to the dynamic elitist viewpoint. Just as a sideline
question on this, how many corporate machines, on static IP ranges, are
running outdated, security wise, IIS machines which are guaranteed to spew
crap as soon as anything hits? [ price != competence ]

 Also, this does not take into account the fact that quite a large amount
of dynamic ISP accounts are practically static, except in name. I have no
problem with blocking a /24 range if attempts are seen from that block of
addresses, (static or otherwise), but I still cannot see the point of
penalising dynamic IP's just because they are dynamic, without good cause.
If one was going down the OS fingerprinting route tallied to a dynamic IP
check, then that might be feasible, but a straight block with no absolute
reason?


Matt



Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Matt Fretwell
Dennis Peterson wrote:

 Here's how it works, Matt - if you have a dynamic IP, even one that has
 a long life time, other people will still block mail from your IP block.
 That seldom happens if you have a true fixed IP, all other things being
 equal. And you know what? You have no say in it. It is out of your
 control. And if the number of Windows drones continues to grow at the
 current rate you can expect to be blocked pretty damn soon as there's
 just about nothing else left to do. And I'm ok with that.


 Just for later 'discussion' purposes, as your headers for this mail will
prove, I am on a static IP range.

 I am not in the same boat as John, but I still would not dream of
penalising without a proven, (with regards to what my own logs say),
reason. The really annoying thing is, it is easy to set up an automated
system to add offending IP's or IP blocks to your own local rbl's, so any
IP, whether it be dynamic or static has a one shot chance. There is no
need to block outright from the outset.


Matt
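The "automated system to add offending IP's to your own local rbl" Matt describes above, as an added example that is not part of the thread: a POSIX sh script that counts reject lines per connecting IP in a constructed Postfix-style log excerpt and emits DNSBL zone records only for IPs that have used up their chances. The log format, the threshold, the 127.0.0.2 listing code and the BIND-style reversed-octet zone layout are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: build local DNSBL zone entries from
# MTA reject lines, so any IP (dynamic or static) is listed only after it
# has actually misbehaved THRESHOLD times, never just for being dynamic.
# Assumes Postfix-style "reject: RCPT from host[ip]:" lines and a zone
# where a listing is the reversed IP with an A record of 127.0.0.2.

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG='May 16 10:01:02 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <x@example.org>: Relay access denied
May 16 10:01:05 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <y@example.org>: Relay access denied
May 16 10:02:30 mx postfix/smtpd[4712]: NOQUEUE: reject: RCPT from dsl-pool.example.net[198.51.100.77]: 450 4.7.1 Client host rejected: cannot find your hostname
May 16 10:03:11 mx postfix/smtpd[4713]: 0A1B2C3D4E: client=mail.example.com[203.0.113.5]
May 16 10:04:00 mx postfix/smtpd[4714]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <z@example.org>: Relay access denied'

# count_rejects < log : print "count ip" per client IP, worst offender first.
# Only reject lines are counted; accepted sessions (client=...) are ignored.
count_rejects() {
    sed -n 's/.*reject: RCPT from [^[]*\[\([0-9.]*\)].*/\1/p' |
        sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# reverse_ip 192.0.2.10 -> 10.2.0.192 (the label order DNSBL zones use).
reverse_ip() {
    echo "$1" | awk -F'[.]' '{print $4 "." $3 "." $2 "." $1}'
}

# build_zone THRESHOLD < log : emit zone records for IPs at/over THRESHOLD.
# The TXT record records why the IP was listed, for later review.
build_zone() {
    threshold=$1
    count_rejects | while read -r n ip; do
        [ "$n" -ge "$threshold" ] || continue
        rev=$(reverse_ip "$ip")
        printf '%s\tIN\tA\t127.0.0.2\n' "$rev"
        printf '%s\tIN\tTXT\t"%s rejects seen on this host"\n' "$rev" "$n"
    done
}

# listed_ips THRESHOLD < log : just the IPs that would be listed, one per line.
listed_ips() {
    build_zone "$1" | awk '$3 == "A" {print $1}' | while read -r rev; do
        reverse_ip "$rev"
    done
}

# Stand-alone run over the constructed sample with a threshold of two:
# 192.0.2.10 (three rejects) is listed, 198.51.100.77 (one) still has a chance.
printf '%s\n' "$SAMPLE_LOG" | build_zone 2
```

Feed it yesterday's mail log from cron and append the output to the local zone; the threshold is the "one shot" policy, and the TXT record is what you read when someone asks why they were listed.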


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Matt Fretwell
Dennis Peterson wrote:

 There is no need to block outright from the outset.

 As I mentioned earlier, I'm getting slammed from comcast.net from relays
 all over the US. It is far easier to block by obvious dsl/cable host
 identifiers than to spend hours trying to figure out what /24 IP ranges
 to tweak. I see the problem as Comcast's, not mine. Your mileage may vary
 - I know mine did.


 The point with the above is different. Comcast had the initial, with you,
opportunity and made a mess of it. With that level of abuse, if it's
related to their network in any way or form, it would be blocked. Even I
wouldn't bother with a /24 block for that level of abuse. By that point, I
would merrily block their entire network, rhsbl and rbl, without giving it
a second thought.

 There is no need to blanket ban every other provider's DSL yet, though :)


All the best,

Matt


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Matt Fretwell
Matt Fretwell wrote:


  There is no need to blanket ban every other providers dsl yet, though
  :)


 Just as a side note, here are a couple of links for Postfix header checks
for this german spam outbreak. 


http://archives.neohapsis.com/archives/postfix/2005-05/1377.html

http://www.heise.de/newsticker/foren/go.shtml?read=1msg_id=7992046forum_id=78695


Matt


Re: [Clamav-users] Re: Any suggestions about CPU load in .80 and .84

2005-05-14 Thread Matt Fretwell
email builder wrote:

 Where do you do that?  Clam itself only has ArchiveMaxFileSize and
 ClamukoMaxFileSize (but we don't use claumuko).  I don't see anything
 obvious in my amavis config (might be missing a default config somewhere
 else though), and I don't know how to make Postfix skip a content filter
 based on that kind of rule?

 No idea how it is done in Amavis, specifically, but quite a few people do
admit to only scanning messages of N size. Virii tend to only appear
within messages up to a certain size, especially self propagating ones.
This is, however, something that has to be done within the content filter
config. I don't believe, I may be wrong, that clamd|clamdscan has an
option for 'scan if less than...'


Matt


Re: [Clamav-users] Upgrade to 0.85 or wait for 0.86

2005-05-13 Thread Matt Fretwell
Bill Taroli wrote:

 I completely agree with your point. But taken from a different 
 perspective, this may be one reason to justify that such a product not 
 be used in production IT environments. The point should *not* be missed 
 that something so crucial to one's infrastructure -- that you would of 
 course want to keep up to date -- should *require* updating on a weekly 
 basis to solve *software* issues.

 Oh well, someone had to give me an opening for diversifying :)

 Two points this brings forward. Firstly, and foremost, it does have to be
accepted that Clam is still in pre version one state. Stability in any
software can only be achieved after an extended period of updating and
testing to make sure most avenues are covered. Things stabilise and level
off eventually, but that cannot happen straight away from scratch.

 Secondly, if something is that crucial to your infrastructure, (and if
I've said it once, I've said it a thousand times), you should never have a
single point of failure within a system. If you are not running a backup,
then whatever comes is only to be expected. This applies to anything, not
just AV scanning.


 Obviously, keeping signatures up to date is extremely important. But if
 software is so buggy that regular code upgrades are required, one
 really needs to start wondering why  that's the case... is it for
 functionality enhancements, or due to quality?

 Simple answer to that one. Inhouse testing and real world conditions are
two completely different beasts. You can throw whatever you have at a
system whilst you are testing it internally, but the testing is limited to
the environments you can create. Once it hits the real world, theory goes
out of the window. There are so many variations to everything, there is no
way you can conceive of them all within a test environment.


Matt


Re: [Clamav-users] Problem in ClamAV 0.85

2005-05-12 Thread Matt Fretwell
Stephen Gran wrote:

  It's harmless if it's a firewalled machine in your home. I'd never do
  it to a more exposed system or in a multi-user environment - but it
  can be done. What is the directive, BTW?
 
 LogFile /path/to/file


 I think he meant what were the contents of the OP's log directive :)


Matt


Re: [Clamav-users] Upgrade to 0.85 or wait for 0.86

2005-05-12 Thread Matt Fretwell
Jason Frisvold wrote:

 On 5/12/05, Phil Schilling [EMAIL PROTECTED] wrote:
  That's fine and dandy when you only have one box to upgrade.  I think
  the original question is valid.  .84 lasted what? Week and a half,
  maybe two.  And yes I am a contributor.
 
 I package it in an RPM and use up2date (or preferred rpm handler) to
 update it on all of my machines..  Granted, I only have a handful, but
 having to compile it only once is nice..  :)


 Even compiling it on every machine, (unless you are talking mammoth
scale), is not a hardship. A simple build script, and add any new|updated
options to your original clamd.conf. Not the most taxing of procedures.


Matt


Re: [Clamav-users] Upgrade to 0.85 or wait for 0.86

2005-05-12 Thread Matt Fretwell
Phil Schilling wrote:

  Not the most taxing of procedures.


 Point still missed. I never said it was hard.  But 2 hours of time to  
 upgrade and test all boxes is not easy to come by.


 Finding time to do anything is not easy. We still cope :)


Matt


Re: [Clamav-users] Upgrade to 0.85 or wait for 0.86

2005-05-12 Thread Matt Fretwell
Phil Schilling wrote:

   Finding time to do anything is not easy. We still cope :)
 
 Ok, you're better than me.  Still didn't get my point though and I  
 don't have a we to do it.


 I understood your point perfectly. Why upgrade, using precious time, when
another upgrade may be required very shortly, requiring said time to again
be used. I am just pointing out a pitfall. There is always a good excuse
not do do something. It is, however, exactly that. An excuse.

 Also, referring to oneself in the second instance does not mean there is
more than one. If it is more comfortable for you, *I* cope, as I am alone,
physically, in my efforts :)


Matt


Re: [Clamav-users] Upgrade to 0.85 or wait for 0.86

2005-05-12 Thread Matt Fretwell
Matt Fretwell wrote:

 not do do something

 That should have been, 'not to do something'.


Matt


Re: [Clamav-users] Upgrade to 0.85 or wait for 0.86

2005-05-12 Thread Matt Fretwell
Mark wrote:

  I understood your point perfectly. Why upgrade, using
  precious time, when another upgrade may be required very shortly,
  requiring said time to again be used. I am just pointing out a
  pitfall. There is always a good excuse not to do something. It is,
  however, exactly that. An excuse.
 
 Your pitfall could easily be turned around to say: I understand
 developers rather have clients test out the product in the field,
 waiting for feedback on bugs and errors, rather than using precious time
 to do more thorough pre-release testing themselves, but this is just an
 excuse for not doing their own homework. It sure would be nice if we could
 assume the absence of laziness on either side of the fence.


 Actually, it cannot be turned around in that fashion. Whilst, I will
agree, there are occasions when something may crop up due to improper or
lackadaisical testing, to expect a Dev team to own every configuration of
(hardware|software) upon which their programme will inevitably end up
running is beyond any reasonable bounds of expectancy. Whilst I do agree
with you on the testing thoroughly before putting into production, at the
cost of losing efficacy for a few days, there is no reason to hold off
updating for the simple fact that there 'may' be another version around
the corner.
 
 Would you accept a hospital nurse telling you that they weren't going to
set your broken arm in plaster 'because it will be healed in a week or
two anyway, so you might as well just wait'? I think not.

 And yes, I will echo what Tomasz said in this regard. These
gentleman|lady admins are paid to keep these systems in prime working
condition, inclusive of updates for new threats or security exploits.
Period. That is why they are called (I.T|Network) Administrators.


Matt


Re: [Clamav-users] Upgrade to 0.85 or wait for 0.86

2005-05-12 Thread Matt Fretwell
Samuel Benzaquen wrote:

 That is why they are called (I.T|Network) Administrators.
 
 
 You are right. We are paid.
 Our time is company money and if the product needs too much Admin time,
 then it is not that _gratis_ as we presented it to our bosses in the
 first place.

 Nothing is truly free :)


 There is always something that has to be upgraded/updated. What will be
 the next thing taken care of will be decided by the priorities from the
 people who hold the money.

 That I cannot argue with. Once management decides, it is no longer the
admin's decision.
 But, an admin saying they can't find time to do something is a different
thing altogether :)


Matt


Re: [Clamav-users] problems after .84 upgrade

2005-05-12 Thread Matt Fretwell
Jef Poskanzer wrote:

  % clamscan -V
  ClamAV 0.84/875/Tue May 10 04:27:59 2005
  % clamscan 473844
  473844: Worm.Bagz.C FOUND
 
 Does clamdscan detect it?
 
 Let's see... Yes.


 clam*d*scan, not clamscan.


Matt


Re: [Clamav-users] problems after .84 upgrade

2005-05-12 Thread Matt Fretwell
Jef Poskanzer wrote:

  Does clamdscan detect it?
  
  Let's see... Yes.
 
  clam*d*scan, not clamscan.
 
 YES.

 My apologies. Misinterpreted your previous post.


Matt


Re: [Clamav-users] New Sober Variant?

2005-05-10 Thread Matt Fretwell
Jeff Ramsey wrote:

 [Follow up]
 Google thinks this is a virus from 2004 called W32.Mota.B
 
 So why would ClamAV latest version with updates on clamav-milter and
 clamav for OS X with latest updates or clamav with amavis not pick it
 up? I have run it through three different clamav installs and none of
 them are outdated and none of them pick it up.


 Have you ever considered that it may be damaged? Does any other AV detect
it?


Matt


Re: [Clamav-users] ClamAV VirusEvent not working...

2005-05-08 Thread Matt Fretwell
Timothy Omer wrote:

 But, when I do a manual scan with clamscan it finds the virus but I do
 not get emailed. 
 
 The VirusEvent should be executed whenever a virus is found, but
 obviously it is not. Has anyone got any ideas when this is?


 Clamscan does not use clamd.conf. Clamd and clamdscan use clamd.conf.


Matt


Re: [Clamav-users] ClamAV VirusEvent not working...

2005-05-08 Thread Matt Fretwell
Timothy Omer wrote:

 I apologise for my ignorance; I am still new to Linux.
 
 How would I get cron to email me only when a virus is found? I will need
 it to send the email to my external email account.


 The -i flag only shows infected files. Cron only sends a mail if the
command generates output. If there are no infected files, no output, hence
no notification.

clamscan --no-summary -i -r /path/to/dir

 For sending to your external account, either alias the crontab owner to
your external mail address, or put something along the lines of the
command below in cron, or in a shell script which cron runs.

clamscan --no-summary -i -r /path/to/dir ||
   mail -s 'virus found' [EMAIL PROTECTED]

 man 5 crontab. It will explain the specifics of crontabs.



Matt


Re: [Clamav-users] [OT] AIX

2005-05-06 Thread Matt Fretwell
Matt Fretwell wrote:


  If anyone can possibly help out on this one, if you could please mail
  me off list.


 Slight addendum. The unit is a Motorola RiscPC. Forgot that piece of
somewhat required info :)


Cheers,

Matt


Re: [Clamav-users] [OT] AIX

2005-05-06 Thread Matt Fretwell
Timo Schoeler wrote:

   Slight addendum. The unit is a Motorola RiscPC. Forgot that piece of
  somewhat required info :)


 you probably mean PowerStack, which is a PReP model [1].

 I believe so. You can probably tell that I am no AIX guru :)


 i do have such a machine here, but i have no AIX that fits -- i only
 have AIX for G5, unfortunately.

 Sod's law :)


Cheers Timo,

Matt


Re: [Clamav-users] Re: Exit code with password protected zip file

2005-05-05 Thread Matt Fretwell
Rick Macdougall wrote:

  You could adopt a policy that yes, password-protected zip files can
  be assumed to be viruses with the following clamd.conf option:

 Yes, I understand that but I don't think a 2 should be returned for a 
 password protected zip file, 2 can be returned for any error, and a 
 password protected zip file should not be an error.  It should be 0 for 
 regular use, or 1 if I enable ArchiveBlockEncrypted, it should never be
 2.


 The problem here would be that if Clam gave a PPZ an exit status of zero,
it would technically be saying that the file was clean. However, it cannot
attest to that, as it never checked it. Putting in a separate exit code
for that condition would be a better way to do it.


Matt
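Added example, not code from any of the list posts and not ClamAV's own tooling: a cron-friendly wrapper that combines the `clamscan --no-summary -i -r` idea from the VirusEvent thread above with the exit codes discussed in this thread (0 clean, 1 infected, 2 error), so cron mails only when something was found and a scanner error is never mistaken for a clean run. CLAMSCAN, MAILCMD and MAILTO are assumed override variables introduced here for testing, not clamscan options.

```shell
#!/bin/sh
# Added example, not code from the list posts: a cron-friendly clamscan
# wrapper. It relies on what the threads state: -i prints only infected
# files, cron mails only when a job produces output, and clamscan exits
# 0 (clean), 1 (infected) or 2 (error). The scanner and mail commands are
# overridable (assumed variables) so the logic runs without ClamAV present.

# classify_exit STATUS: name a clamscan exit status.
classify_exit() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo unknown ;;
    esac
}

# send_report DIR: mail the report read on stdin. MAILCMD (hypothetical
# override, e.g. "cat" when testing) replaces the real mail command.
send_report() {
    if [ -n "${MAILCMD:-}" ]; then
        $MAILCMD
    else
        mail -s "clamscan: infected files under $1" "${MAILTO:-root}"
    fi
}

# scan_and_notify DIR: scan DIR, stay silent when clean, mail the list of
# infected files on exit 1, and print a loud message on exit 2 so a scanner
# failure is never taken for a clean run. Returns clamscan's own status.
scan_and_notify() {
    dir=$1
    scanner=${CLAMSCAN:-clamscan}   # hypothetical override for testing
    if report=$("$scanner" --no-summary -i -r "$dir" 2>&1); then
        status=0
    else
        status=$?
    fi
    case "$(classify_exit "$status")" in
        clean)    ;;                                   # no output, no mail
        infected) printf '%s\n' "$report" | send_report "$dir" ;;
        *)        printf 'clamscan failed (exit %s):\n%s\n' "$status" "$report" ;;
    esac
    return "$status"
}
```

Run it from cron as `scan_and_notify /home`; a clean scan produces no output, so cron stays quiet, while an exit 2 still reaches the crontab owner through cron's normal output mail.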


Re: [Clamav-users] Maybe a virus Sober.P

2005-05-05 Thread Matt Fretwell
Daniel J McDonald wrote:

 as it is harder to scan those messages for viruses

 Nonsense. Mail is mail. If you are running a mailserver, it should be
able to cope with all types of mail, irrelevant of (creation|submission)
method.


Matt


[OT] was: Re: [Clamav-users] Maybe a virus Sober.P

2005-05-05 Thread Matt Fretwell

 Slightly off topic, but has anyone noticed some numpty, (mentioning no
names), replying to their posts with a test message?


Matt


Re: [Clamav-users] Maybe a virus Sober.P

2005-05-05 Thread Matt Fretwell
Dennis Peterson wrote:

  as it is harder to scan those messages for viruses
 
   Nonsense. Mail is mail. If you are running a mailserver, it should
 be able to cope with all types of mail, irrelevant of
  (creation|submission)
  method.
 
  But...if they're using webmail, it bypasses your mail server.  It
  would entirely depend on how up to date the webmail company's
  scanner is and the virus scanner on your user's desktop is...unless
  you're using a web proxy with malware scanner.
 
 My webmail is configured to use our standard smtp servers for all
 inbound/outbound mail. It really isn't all that difficult.


 Exactly. Whatever numpty would have a web based application sending mail
directly, bypassing your smtp, (note the smtp, and not http), servers,
deserves everything they get. That is an irresponsible laziness of design
and implementation. MTAs were designed for a specific reason, to transfer
mail. You would not ask an MTA to serve a webpage. Why should a webserver
be exempt from this type of designed for implementation?


Matt

