Re: [Clamav-users] Update using freshclam
On 7/25/2006 10:20 PM +0200, [EMAIL PROTECTED] wrote:
> Hello! I have a simple question: have there not been any updates to clamav in the last 2 days or so? The reason I ask is, when I run freshclam for the past 2 days, my sigs and such have been the same:
>
> main.cvd is up to date (version: 39, sigs: 58116, f-level: 8, builder: tkojm)
> daily.cvd is up to date (version: 1618, sigs: 4549, f-level: 8, builder: cco
>
> Can someone verify that their sigs and such are the same or are they different than mine? Thanks

This right here on the homepage: http://www.clamav.net

Niek
___
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Secure Download of Virus Pattern Files
On 2/9/2006 2:38 PM +0100, [EMAIL PROTECTED] wrote:
> Is there any way that I can configure ClamAV to use an SSL connection when downloading pattern files? Instead of using http my company requires me to use an https connection.

not afaik

You can however configure a remote server you own to download the new patterns, and retrieve them via ssl to your company box! Anyways, patterns are digitally signed anyway. Explain to the policymakers in your company that retrieving over ssl is useless.

Regards,
Niek Baakman
[Clamav-users] freshclam not round-robin DatabaseMirror
Hi,

I have this box with bind running on it. The system is configured to use 127.0.0.1 as nameserver (bind). Freshclam is configured with DatabaseMirror db.nl.clamav.net. However the freshclam log is full with updates only from:

db.nl.clamav.net (IP: 62.133.206.90)

db.nl.clamav.net is a round-robin RR with 7 ips, but freshclam only uses the first ip. Running host db.nl.clamav.net on the shell constantly randomizes the list of 7 ips. How do I get freshclam to randomly pick an ip from the round-robin record?

Regards,
Niek
Re: [Clamav-users] DNS record older than 3 hours - happening since yesterday?
On 2/8/2006 11:56 PM +0100, Todd Lyons wrote:
> Let's not rule out the possibility of dns cache poisoning. If you're not running a recent version of whatever dns server you are using, it could be susceptible to this, and it could be someone experimenting with attempting to fool your freshclam process into thinking that it's current (by feeding bogus information to your nameservers). I know of nobody claiming to have seen such a thing, but it is _possible_ and so therefore it should at least be looked at.

dig +short @ns1.clamav.net txt current.cvd.clamav.net
0.88:35:1278:1139243341:1

dig +short @ns2.clamav.net txt current.cvd.clamav.net
0.88:35:1281:1139437741:1

ns3 till ns7 show what ns2 shows. So there's definitely something wrong with ns1.

Regards,
Niek Baakman
Re: [Clamav-users] subject rewrite
On 1/19/2006 5:16 PM +0100, Krzys wrote:
> Is there a way to rewrite subject line and include name of a virus in it?
> Chris

No, perhaps your mail filtering software (which calls clamav) can.

regards,
Niek
Re: [Clamav-users] virus not detected
On 1/19/2006 1:13 PM +0100, Payal Rathod wrote:
> But she was using her own dns server without any forwarder at all.
> With warm regards,
> -Payal

ok

regards,
Niek
Re: [Clamav-users] OT: American date format (was:[EMAIL PROTECTED])
On 1/19/2006 5:46 PM +0100, M.S. Lucas wrote:
> It's written as it's spoken, I think. Today's date is 'January 19th, 2006,' not '19 January, 2006' or '2006, January, 19.'
> In Dutch it is '19 January, 2006' just like 15:30 is `half four' and not 'half past three'

Yeh and we say meters not 3 feet. Can we drop this OT discussion ?

regards,
Niek
Re: [Clamav-users] virus not detected
On 1/18/2006 6:18 PM +0200, Payal Rathod wrote:
> On Wed, Jan 18, 2006 at 12:11:19PM -0500, Chris Conn wrote:
> > update your defs, version 1245 gets it.
>
> I updated and it was found. But that is weird, I always update every 1 hour and just a few mins back I manually tried to update, but the virus was not detected and now it is. I am interested in making a temporary sig myself. Any help on this?
> With warm regards,

The update was released a few minutes after you started this thread :)

The pdf explains how to create your own signatures. Afaik you place them in the DatabaseDirectory (which is defined in clamd.conf).

Regards,
Niek Baakman
Re: [Clamav-users] virus not detected
On 1/18/2006 6:34 PM +0100, Payal Rathod wrote:
> On Wed, Jan 18, 2006 at 06:22:38PM +0100, Niek wrote:
> > The update was released a few minutes after you started this thread :)
>
> But on my friend's machine she still gets,
>
> # freshclam
> ClamAV update process started at Wed Jan 18 22:59:58 2006
> SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES
> See the FAQ at http://www.clamav.net/faq.html for an explanation.
> You should really look into this warning!
> main.cvd is up to date (version: 35, sigs: 41649, f-level: 6, builder: tkojm)
> daily.cvd is up to date (version: 1244, sigs: 840, f-level: 6, builder: sven)
>
> And she has just flushed her dns cache too. What is wrong for her case?

Perhaps she configured her dns server to use a forwarder, and the forwarder hasn't updated yet ?

Regards,
Niek Baakman
Re: [Clamav-users] Undetected Virus
On 1/18/2006 1:23 AM +0100, Gerard Seibert wrote:
> Is this something that I should be reporting to someone? Thanks!

http://clamav.net
submit sample

Regards,
Niek
Re: [Clamav-users] Clamav.net Gone ?
On 1/3/2006 2:58 AM +0200, Joanna Roman wrote:
> Has clamav.net been shutdown ???

No.
Re: [Clamav-users] what is the default port that clamav (clamd) runs on
On 11/28/2005 12:24 AM +0200, Robert Cates wrote:
> Hi all, I've just installed clamav 0.87.1 on my Debian Woody machine and I need to know what's the default port number that clamd runs on. I can't find it any where in the docs or the web site. Please reply directly back to me, as I am not yet subscribed to this ML. Thanks in advance!
> Robert

Hi Robert,

man clamd.conf
man netstat

Niek Baakman
Re: [Clamav-users] Update: Worm/Virus related to SID 3813: WEB-CGI awstats.pl configdir command execution attempt and other SIDs ?
On 11/5/2005 4:43 PM +0200, [EMAIL PROTECTED] wrote:
> Hi, I couldn't help it and I ran the program, of course with a sniffer on.
> Syntax: lupii IP_address_of_the_reporting_host
> Here's what I found:
> 1. runs on RedHat Enterprise Workstation 4
> 2. opens up udp:7222
> 3. Exchanges some info with IP_address_of_the_reporting_host over udp 7222
> 4. remains active in the background
> 5. starts a SYN scan to port 80 on random destinations, this particular example it used a class A address, keeping the first 2 octets unchanged and changing just the last 2 octets of the address, in order from X.Y.0.0 to X.Y.z.w.
> 6. it doesn't seem to be downloading anything from the Internet
> 7. It tries several ways to infect the scanned system, all are based on CGI command execution/code injection: awstats.pl, webhints, xml-rp for php etc. You can see all these if you look at the program code.
> I stopped the program but I have the capture. Any news from anybody else ?
> Tudor

Hi,

awstats had some security issues. Always keep it up to date and put it behind username and password authentication.

Niek Baakman
Re: [Clamav-users] HTML.Phishing.Pay-39 False positives
On 6/28/2005 9:42 PM +0200, Edward Rudd wrote:
> I am receiving false positives for the HTML.Phishing.Pay-39 virus/phishing signature. Currently I have 2 messages in my quarantine,

Hmmz, I'm wondering here, about virus scanning, and phishing. Would it be possible to exclude certain signatures, so they wouldn't hit? Like for instance, can you make clamav not detect all HTML.* stuff ?

Niek Baakman
Re: [Clamav-users] HTML.Phishing.Pay-39 False positives
On 6/28/2005 9:51 PM +0200, Odhiambo Washington wrote:
> What happens when you disable ScanHTML in dspam.conf?

I meant, let's say I don't want clamav to detect somefool variants.

Niek
Re: [Clamav-users] HTML.Phishing.Pay-39 False positives
On 6/28/2005 10:00 PM +0200, Odhiambo Washington wrote:
> Why do you want to do this anyway? FPs??

I don't want clamav to detect phish mail.

Niek
Re: [Clamav-users] Using clamav to scan adware
On 6/20/2005 10:24 PM +0200, Joanna Roman wrote:
> Just because people have submitted those adware samples, it does not mean the people must have caught them with ClamAV right ?

Get a product dedicated to spyware/adware scanning.

Niek
Re: Fwd: [Clamav-users] Re: which scans mail
On 6/17/2005 3:05 PM +0200, Bart Silverstrim wrote:
> CAN SOMEONE PLEASE UNSUBSCRIBE HIM? Maybe permanently?... After the 15th time, I really start to hate those @#$%! OoO replies...

procmail/maildrop/sa/etc are your friends.

Niek Baakman
Re: [Clamav-users] For those who submitted adware/spyware samples
On 6/17/2005 8:32 PM +0200, Joanna Roman wrote:
> Can you send me the files that you submitted because my clamav filter has failed to catch any spyware/adware so far. I found that clamav is very good at stopping mail born viruses but not sure about its capability of stopping spywares.

This is not a virus exchange list. If you want protection from ad- spyware, get anti-spyware software.

Niek Baakman
Re: [Clamav-users] What does this message mean?
On 6/16/2005 8:04 PM +0200, Ken Goods wrote:
> Scanning: Starting
> Jun 16 10:18:19 gw-mail MailScanner[16151]: Commercial scanner clamav timed out!
> Jun 16 10:18:19 gw-mail
>
> So you're saying these are MailScanner generated messages?

That should tell you enough, or did you pay for clamav ?

Niek Baakman
Re: [Clamav-users] Arrogance toward well-meaning participants (was: undetected malwares)
On 6/6/2005 5:54 PM +0200, Kevin W. Gagel wrote:
> Tomasz, The best defence against such childish behaviour is to consider the source and not bother to respond. You're above such childish behaviour, the child is not. Don't bother responding to it...

I'll bite, who's childish ? We can't tell, because you decided to top-post.

Niek Baakman
Re: [Clamav-users] WORM_Netsky.DAM WORM_BAGZ.C not being caught
On 6/2/2005 11:55 AM +0200, ramya wrote:
> These two viruses are being caught on servers by other scanners.. but not by ClamAV.. Can anyone explain this to me??

With the information you've supplied here, there is 1 explanation: no definition for these viruses.

> I have 0.85.1 version running.
> Regards
> Ramya

Please let us know what else you've tried. If you got failure messages or not. Also check if you're really running 0.85.1 (and not some older version). See the list archives and/or the faq on how to make sure you are really using the latest defs. If all this is in order, submit the virus via the webform on http://clamav.net

Regards,
Niek Baakman
Re: [Clamav-users] Submitting a virus file
On 4/19/2005 2:13 PM +0200, Albert Pauw wrote:
> I have submitted two executables more than a week ago. They were found by the AVG virusscanner (amongst others) as Downloader.Small.21.AY and Downloader.Small.22.K, but it seems they are not incorporated into updates. How long does it usually take for a submission to enter the updates?
> Thanks, Albert

I've submitted a rbot variant, and a trojan.banker 3 days ago. They didn't make it either. The trojan.banker I submitted in February as well, still no detection. Both are detected by 50% of the scanners @virustotal and @jotti.

Clamav team ?

Niek
Re: [Clamav-users] Submitting a virus file
On 4/19/2005 8:25 PM +0200, Tomasz Kojm wrote:
> Does it send itself via e-mail?

No they didn't send themselves per e-mail. So what you're saying is, only selfspreading e-mail viruses qualify to make it through the submit process ?

Niek
Re: [Clamav-users] New Virus?
On 3/31/2005 8:58 PM +0100, Jeffrey Kroll wrote:
> You shouldn't be allowing .exe's anyway ... It's common knowledge that .exe .com .bat .pif .scr are all not normal file transmissions. I would never ever allow a file extension from the listed above to ever be accepted as an attachment to an e-mail ... It should automatically be denied at the mailserver scan engine -- this is most commonly a default feature turned on by default.

Headers from your mail:

X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Clamav-users] New Virus?
Thread-Index: AcU2HfVJlXoUlYzJRuC2osx2VBm8CwABWsIg

Looks like you have reason to deploy security by obscurity.

Niek
Re: [Clamav-users] freshclam -f daemontools
On 3/22/2005 11:30 AM +0100, Lukas Feiler wrote:
> Hi list! I want to run freshclam with daemontools but freshclam just doesn't seem to know the -f option. /usr/local/bin/freshclam -h tells me there is an -f option but ``/usr/local/bin/freshclam -d -f -c 12'' will just result in
>
> /usr/local/bin/freshclam: invalid option -- f
> ERROR: Unknown option passed.

check freshclam.conf from the 0.83 tarball. It has a directive for foreground.

Niek
--
Use plain text: http://www.geoapps.com/nomime.shtml
Learn to quote: http://www.netmeister.org/news/learn2quote2.html
Avoid disclaimers: http://www.goldmark.org/jeff/stupid-disclaimers
Re: [Clamav-users] I still could not solve it!!
On 3/21/2005 1:24 PM +0100, [EMAIL PROTECTED] wrote:
> thanx for the previous response but sorry to say that it did not work out. The following was the output
>
> [EMAIL PROTECTED] clamav]# rpm -Uvh clamav-0.83-1.i386.rpm clamav-devel-0.83-1.i386.rpm
> warning: clamav-0.83-1.i386.rpm: V3 DSA signature: NOKEY, key ID 6cdf2cc1
> error: Failed dependencies: zlib = 1.2.1.2 is needed by clamav-0.83-1

Get zlib updated rpm for your distro from your distro's ftp, or get it from rpmfind.net. Or get the clamav source code, and configure it with the nozlibcheck option.

Niek
Re: [Clamav-users] qmail with clamav and spamassassin
Carefully read the 1st url in my sig. Then try reading the qmail mailing list archive, as this topic comes up every week or so. (hint, simscan, qscanq or qmail-scanner or others).

P.S. You really need to read the nomime url, as your email was totally unreadable for people who do not use outlook (et al).

Niek
--
Use plain text: http://www.geoapps.com/nomime.shtml
Learn to quote: http://www.netmeister.org/news/learn2quote2.html
Avoid disclaimers: http://www.goldmark.org/jeff/stupid-disclaimers
Re: [Clamav-users] Thank You!
Can someone remove this from the list ?

Regards,
Niek
Re: [Clamav-users] false positives
david thompson wrote:
> That's why I am now thinking clamscan may not be working properly. I am using clam 0.83 on slackware 10. Any ideas

Submit false positives via www.clamav.net

And don't over do the punctuation :)

Niek
Re: [Clamav-users] virus incident response?
On 2/17/2005 12:08 AM +0100, John Madden wrote:
> Several times now, we've been burned by virii that are picked up by other virus scanners when ClamAV doesn't yet have the signature. Within a couple of hours, when the bulk of the threat has already passed, Clam then catches up. Mydoom.M-2 was the virus of the day today. What is being done to get signatures out more quickly, if anything? Or can anything be done?
> Thanks, John

Hi,

What's a good enough time frame for you ? 1 minute ? Seriously, everything has been said about clam/submission/samples/etc. If you base your whole anti virus defense on 1 product, I wouldn't want to be your end user. Just stop mail with certain attachments (.bat/.com/.scr/.cpl/.ectect) at the door. This + some people with regex knowledge, if shit hits the fan, and 1-2 virusscanners is a more effective strategy than your current one.

Niek
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
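The extension blocking suggested in this message and in the earlier "New Virus?" thread, as an added example that is not code from either poster: a Python check over a constructed MIME message, using the union of the extensions the two messages name. The SMTP reply strings and the sample message are assumptions made for the example.

```python
# Added example (not from the thread): refuse mail whose attachments carry
# one of the extensions named in the two messages.
from email import message_from_bytes, policy

# Union of the extensions listed in the threads; extend to suit local policy.
BLOCKED = {".exe", ".com", ".bat", ".pif", ".scr", ".cpl"}


def normalise(filename):
    """Lower-case the name and drop trailing dots/spaces, which Windows ignores."""
    return filename.strip().rstrip(". ").lower()


def effective_extension(filename):
    """Return the last suffix, so "invoice.pdf.scr" is judged as ".scr"."""
    name = normalise(filename)
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def blocked_attachments(raw_message):
    """List the normalised attachment names that violate the policy."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() also descends into nested messages
        # get_filename() reads the Content-Disposition "filename" parameter
        # and falls back to the Content-Type "name" parameter.
        name = part.get_filename()
        if name and effective_extension(name) in BLOCKED:
            hits.append(normalise(name))
    return hits


def smtp_verdict(raw_message):
    """Map the result to an SMTP-style reply (the wording is an assumption)."""
    hits = blocked_attachments(raw_message)
    if hits:
        return "554 attachment type not accepted: " + ", ".join(hits)
    return "250 ok"


# Constructed sample message; addresses and file names are made up.
SAMPLE = b"""\
From: sender@example.org
To: user@example.org
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="report.pdf"

x
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Invoice.pdf.SCR"

x
--b1
Content-Type: application/octet-stream; name="panel.cpl"

x
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="photo.jpg.pif."

x
--b1--
"""

if __name__ == "__main__":
    print(smtp_verdict(SAMPLE))
```

The check looks at names only, so it complements content scanning by ClamAV rather than replacing it.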
Re: [Clamav-users] virus incident response?
On 2/17/2005 1:20 AM +0100, John Madden wrote:
> Hmm. Are there factors that can affect freshclam's performance? I got the Mydoom.M-2 sig at 17:10EST today. When was it available? (The mailing list archive doesn't appear to yet reflect today's update(s).)

Timezone = CET (GMT+1)

ClamAV update process started at Wed Feb 16 23:16:21 2005
main.cvd is up to date
ClamAV update process started at Wed Feb 16 23:30:53 2005
daily.cvd updated (version: 707, sigs: 1806, f-level: 4, builder: ccordes)

Niek
Re: [Clamav-users] virus incident response?
On 2/17/2005 9:34 AM +0100, Niek wrote:
> Timezone = CET (GMT+1)
> ClamAV update process started at Wed Feb 16 23:16:21 2005
> main.cvd is up to date
> ClamAV update process started at Wed Feb 16 23:30:53 2005
> daily.cvd updated (version: 707, sigs: 1806, f-level: 4, builder: ccordes)

Actually, 23:10 (this box didn't catch it until 23:30 coz of unlucky cached dns).

Niek
Re: [Clamav-users] qq temporary Problem
On 2/10/2005 10:38 AM +0100, Simon Fishley wrote:
> Hi List
> Maybe someone can suggest a solution for me because I am at my wits end. I have a qmail server running Clam 0.81 (upgrade to .82 pending) which intermittently gives errors to servers trying to pass mail on to it. The first Excerpt is from one of my office servers trying to send a mail to the problematic server. The second is what the other server logs in /var/log/maillog
>
> Excerpt from relay server:
> Feb 10 11:14:52 ike sendmail[28829]: j1A9M9128824: to=[EMAIL PROTECTED], delay=00:01:00, xdelay=00:00:50, mailer=esmtp, pri=159086, relay=myservername. [xxx.xxx.xxx.xxx], dsn=4.0.0, stat=Deferred: 451 qq temporary problem (#4.3.0)
>
> Excerpt from Destination Server
> Feb 10 11:14:53 luke X-Qmail-Scanner-1.24st: [myservername110802689268310391] clamdscan: corrupt or unknown clamd scanner error or memory/resource/perms problem - exit status 512/2

Check the softlimit in the qmail-smtpd run script.

Niek
Re: [Clamav-users] qq temporary Problem
On 2/10/2005 1:49 PM +0100, Simon Fishley wrote:
> On Thu, 10 Feb 2005 13:40:06 +0100, Niek [EMAIL PROTECTED] wrote:
> > Check the softlimit in the qmail-smtpd run script. Niek
>
> Hi Niek
> I thought about that - I doubled it to 1 a few days ago. No difference.

The error message suggests it could be permissions. Check if clamd has rights in QS' workdir

Niek
Re: [Clamav-users] ArchiveMaxFileSize doesn't work
On 2/7/2005 6:51 PM +0100, Rémi gauthier wrote:
> clamscan -V
> ClamAV 0.81/700/Thu Feb 3 23:33:15 2005
> clam it works fine, but it seems to scan files that are bigger than ArchiveMaxFileSize defined in /etc/clamav/clamd.conf.

clamd

scan it with clamdscan

Niek
Re: [Clamav-users] RAR module failure
On 2/1/2005 6:32 PM +0100, Ben Stuyts wrote:
> On 1 Feb 2005, at 18:20, Stephen Gran wrote:
> > Yes, the internal unpacker for rar archives doesn't handle v3 rar archives. Try clamscan --unrar /path/to/unrar for this.
>
> Thanks, that is indeed the problem. Now it says Trojan.LdPinch.JM1-3 FOUND. I'm using clamav as a milter with sendmail. I can't seem to find a way to do this same trick with clamd or clamav-milter. No option in clamd.conf either. I seem to be getting more and more of these rar files. Is there any way of scanning these using clamav-milter?

unfortunately, the --unrar parameter is for clamscan only.

Niek
Re: [Clamav-users] clamdscan does not scan protected directories
On 1/28/2005 11:25 AM +0100, Hal Goldfarb wrote:
> clamdscan uses the clamd daemon to perform scans, and since it runs as user clamav (or the like), it does not have enough permissions to scan calling user's directories if they are protected. For instance, my .tvtime subdirectory in my home will be scanned by clamscan, but will generate errors using clamdscan. I understand why, but isn't this some sort of shortcoming of this design? I will use clamscan, not clamdscan, until this can be addressed.

Run clamd as a user with enough privileges.

Niek
Re: [Clamav-users] Cron Job for CLAMD
On 11/6/2004 9:57 PM +0200, Cory Megitt [ClamAV] wrote:
> Hi All;
> The following command gets run at 2am each night.
>
> /usr/bin/freshclam --quiet -l /var/log/clamav/clam-update.log
>
> I always find an email stating the following:
>
> ERROR: Clamd was NOT notified: Can't connect to clamd on 127.0.0.1:3310
> connect(): Connection refused
>
> How can I fix this?

Hi,

Don't hijack threads, i.e.: do not start a new topic by replying to an old mail. Use the new mail feature in your mailer.

That said... freshclam.conf is configured to notify clamd via tcp. Read the manual/docs/faqs/etc to change it.

Regards,
Niek
Re: [Clamav-users] Is clamav scan for outgoing email?
On 10/29/2004 9:05 AM +0200, Danny Koh wrote:
> Is there anything I need to set or configure under clamav to get it scans for my outgoing mail? I hope you guys with similar setup can provide me some advise. It would pretty much appreciated. Thank you.
> Regards, Danny Koh
> System Administrator

Configure the tcp.smtp file to set $QMAILQUEUE variable for relay ip(ranges) as well.

Regards
Niek
Re: [Clamav-users] New virus undetected by clamav?
On 10/29/2004 2:43 PM +0200, Michele Baldessari wrote:
> * Fajar A. Nugraha ([EMAIL PROTECTED]) wrote:
> > Again, thanks for the quick response and db updates. (wonder whether McAfee already detect this particular variant?)
>
> Symantec surely doesn't (at least this morning...haven't checked for any updates yet).

every AV detects it.

Niek
Re: [Clamav-users] Performance Help - 100% cpu usage
On 10/26/2004 3:33 PM +0200, Trog wrote:
> So, I was correct, QMR completely screws up the ClamAV installation for no reason other than ignorance and gross stupidity. It also tells its misguided users to run freshclam on-the-hour. Another bad decision. So, don't follow anything they say about installing ClamAV, and you'll be ok.
> -trog

QMR delivers the community with the open source equivalent of 'next, next, next, next, next, next, finish' installations.

Regards,
Niek
Re: [Clamav-users] Old ClamAV workaround
On 10/24/2004 6:13 PM +0200, Mark Adams wrote:
> Okay, it appears the Mandrake Linux update system hasn't caught up with developers yet. Urpmi offers only ver. 061. I upgraded from 0.61, when notified a few days ago that it was outdated, to the packages in clamav-0.80-1mdk.1bcr.i586.rpm from ftp.neocat.org. I had to force the installation through dependency hell and it produced a relocation error whenever I tried to run clamscan, freshclam or anything else clamav related. Much futsing around with it later, I uninstalled ver. 08 and reinstalled 0.61. The problem with this is that whenever Freshclam runs I get failures to find md5sum on the virus definition files. My most recent attempt yielded this:
> [snip]

Use the source Luke.

Regards,
Niek
Re: [Clamav-users] Independent Testing
On 10/21/2004 1:21 AM +0200, Dave P wrote:
> I am trying to convince my company to switch to open source where possible. It is much easier if the software has been evaluated by an independent group. Unfortunately, reviews that I could find, including GMX Systematic and Heise magazines, were negative. The opinion seemed to be summed up by Andreas Marx's (of AV-Test.Org) comments to the 2004 Virus Bulletin Conference where he said that results of a particular test were not available for ClamAV, because a large number of files in our test set are still not detected. Are there any independent tests out there that do not paint such a bleak picture? Are there any plans to submit ClamAV or ClamWin to Virus Bulletin?
> Dave

Hi,

I'm pretty independent. Clamav is meant as a MTA virus scanner. And at that it does a top job on my production servers. I don't need a commercial product scanning mail any more. So, the only window of opportunity for viruses is between the time of outbreak, till there are defs available. And even at that, clamav usually beats the commercial products.

If you want to convince your boss, ask him if he'll agree to this. Setup clam on your MTA, and after clam has scanned it, let your preferred commercial virus scanner scan the mail. Anything that arrives at the commercial scanner, clamav thought was clean.

Regards,
Niek
--
Read about mime: http://www.geoapps.com/nomime.shtml
Read about quoting: http://www.netmeister.org/news/learn2quote.html
Read about disclaimers: http://www.goldmark.org/jeff/stupid-disclaimers
Re: [Clamav-users] qmail-scanner-1.23 and clamav 0.80
On 10/19/2004 10:32 AM +0200, Kareem Mahgoub wrote:
> Hello list, I have upgraded from clamav 075.1 to clamav-80 using the rpm for FC2. After the upgrade, qmail-scanner ( 1.23 ) is not detecting clamav. I have recompiled qmail-scanner, ran qmail-scanner.pl -z and qmail-scanner.pl -g , with the same result. Any clue??
> Best Regards, Kareem Mahgoub

Hi,

Like Alex stated, wrong list. Oh, and don't start a new conversation by replying to an old message you received from this list. It messes things up for the threaded readers.

Regards,
Niek
Re: [Clamav-users] New version Clamd with Daemontools
On 10/19/2004 10:54 AM +0200, Awie wrote:
> All, I stuck to use clamd of version 0.80 with daemontools (I used this scheme very nicely for older version). Does anyone know how to do it?
> Thx Rgds, Awie

I use daemontools to run clamd. I didn't change a thing when upgrading from 0.75.1 to 0.80rc-series, and 0.80 final. My run script and clamd.conf attached.

Regards,
Niek

#!/bin/sh
# Send stderr to stdout so the daemontools logger captures both.
exec 2>&1

CLAMD_FILE=/tmp/clamd
SCAN_FILE=$0

# Check for a leftover socket.
if [ -e "$CLAMD_FILE" ]
then
    echo "run: WARNING: file $CLAMD_FILE exists"
    # If clamdscan can scan this script, a clamd is answering on the socket.
    if clamdscan "$SCAN_FILE"
    then
        echo "run: FATAL: Clamd is already running. Trying to start anyway..."
    else
        echo "run: INFO: Clamd is not running. Deleting $CLAMD_FILE"
        rm -f "$CLAMD_FILE"
    fi
fi

# Run the scanner daemon.
exec /usr/sbin/clamd

##
## Example config file for the Clam AV daemon
## Please read the clamd.conf(5) manual before editing this file.
##
LogFile /dev/stderr
DatabaseDirectory /usr/share/clamav
LocalSocket /tmp/clamd
FixStaleSocket
Foreground
MaxThreads 30
MaxDirectoryRecursion 20

# Scan options, turn off everything, then enable a couple
DisableDefaultScanOptions
ScanPE
ScanOLE2
ScanHTML
ScanArchive
ArchiveMaxFileSize 15M
ArchiveMaxRecursion 8
ArchiveMaxFiles 1500
ArchiveMaxCompressionRatio 300

#LogFileUnlock
#LogFileMaxSize 2M
#LogTime
#LogClean
#LogSyslog
#LogFacility LOG_MAIL
#LogVerbose
#PidFile /var/run/clamd.pid
#TemporaryDirectory /var/tmp
#TCPSocket 3310
#TCPAddr 127.0.0.1
#MaxConnectionQueueLength 30
#StreamMaxLength 20M
#MaxThreads 20
#ReadTimeout 300
#IdleTimeout 60
#MaxDirectoryRecursion 20
#FollowDirectorySymlinks
#FollowFileSymlinks
#SelfCheck 600
#VirusEvent /usr/local/bin/send_sms 123456789 VIRUS ALERT: %v
#User clamav
#AllowSupplementaryGroups
#Debug
#ScanMail
#MailFollowURLs
#ScanRAR
#ArchiveLimitMemoryUsage
#ArchiveBlockEncrypted
#ArchiveBlockMax
Re: [Clamav-users] Error in latest update to Database
On 10/18/2004 6:44 PM +0200, Graham Dodd wrote:
> On the latest update to the signatures I saw this in the log file
>
> ClamAV update process started at Mon Oct 18 18:17:01 2004
> main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
> daily.cvd updated (version: 535, sigs: 1272, f-level: 3, builder: trog)
> WARNING: Your ClamAV installation is OUTDATED - please update immediately !
> WARNING: Current functionality level = 2, required = 3
> Database updated (25254 signatures) from database.clamav.net (195.70.36.141).
> Clamd successfully notified about the update.
>
> I'm running 0.75.1, so I'm wondering why I have this entry in the log as 0.80 only got released in the last few days. Anyone got any ideas ?
> Graham

I _think_ because you won't detect a bunch of viruses by not upgrading. If symantec/sophos/etc would release an engine update, you'd want that to be installed in order to catch the latest viruses?

Regards,
Niek
[OT] Re: [Clamav-users] List problem?
On 10/18/2004 7:49 PM +0200, Robin Lynn Frank wrote:
> Not quite, our server is rejecting mail from his server because of the lack of reverse dns.

You probably know this, but you'll lose many emails and it won't stop spam.

Regards,
Niek
Re: [OT] Re: [Clamav-users] List problem?
On 10/18/2004 8:03 PM +0200, Christopher X. Candreva wrote:

> No but it cuts it off considerably. It's cut the number of spams my account receives here from about 100 a day to about 10.

Those figures could be right if spammers send chinese/korean zombies after you. However, in the 'western' world the ratio PTR yes/no is much higher. Almost all the USA broadband zombies have rdns. And still loads of legit mail servers have no rdns.

It's a choice you make. I don't do it, because I can stop spam with other means. But I can't bring back legit emails from people/companies that won't/can't/etc. have rdns on their mailserver ip.

Regards,
Niek

Re: [Clamav-users] GDI+ bug exploit Mutations
On 10/17/2004 10:14 PM +0200, Steve Basford wrote:

> Thanks Jotti ! Really awesome site ! Good work!
>
> It's a very useful site, along with VirusTotal's site. Before I go anymore off-topic, just two points to note:
>
> a) Jotti isn't running the very latest CVS version, he will only run the latest STABLE version, so it won't cope too well with the .CAB/UPX stuff :(

Good thing clamav 0.80 stable got released today!

Regards,
Niek

[Clamav-users] TXT record update lag ?
Hi,

update 525 appeared around 13:46 GMT+2

On a 0.75.1 server, I (luckily) caught it at:

ClamAV update process started at Mon Oct 11 13:48:49 2004
daily.cvd updated (version: 525, sigs: 1031, f-level: 2, builder: trog)

The time now is: 14:23 GMT+2 and the txt record still shows:

0.80rc3:27:524:1097490616

(cleared my dns cache, and made a fresh query, also tried from hosts that do not have clamav installed. The zone has a ttl of 15 minutes.)

It's been almost 40 minutes, I hope this is not normal ?

Regards,
Niek

Re: [Clamav-users] TXT record update lag ?
On 10/11/2004 3:32 PM +0200, Cedric Foll wrote:

> Same problem here. I've done a freshclam --no-dns because with dns query the signature 525 wasn't found. Regards.

as of 15:10 GMT+2 the txt record is updated into:

0.80rc4:27:525:1097500281

~ 1h30m after the update was released.

Regards,
Niek

Re: [Clamav-users] TXT record update lag ?
On 10/11/2004 3:42 PM +0200, Brian Morrison wrote:

>> 0.80rc4:27:525:1097500281
>> ~ 1h30m after the update was released.
>
> Maybe because this coincided with the 0.80rc4 update?

Heh, didn't even notice the rc4.

Regards,
Niek

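The comparison made by hand in this thread (the version TXT record against the daily.cvd version a mirror has already served), as an added example that is not part of the original posts and not ClamAV's own code. The field order is read off the records quoted in the thread; the GMT+2 offset applied to freshclam's local-time log stamps and the three-hour staleness threshold are assumptions of the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class VersionRecord:
    engine: str          # e.g. "0.80rc3"
    main: int            # main.cvd version announced via DNS
    daily: int           # daily.cvd version announced via DNS
    published: datetime  # fourth field read as Unix time, UTC


def parse_txt_record(txt):
    """Parse 'engine:main:daily:unixtime', ignoring any further fields."""
    parts = txt.strip().strip('"').split(":")
    if len(parts) < 4 or not all(p.isdigit() for p in parts[1:4]):
        raise ValueError(f"unexpected version record: {txt!r}")
    stamp = datetime.fromtimestamp(int(parts[3]), tz=timezone.utc)
    return VersionRecord(parts[0], int(parts[1]), int(parts[2]), stamp)


RUN_LINE = re.compile(r"^ClamAV update process started at (.+)$")
DB_LINE = re.compile(
    r"^(main|daily)\.cvd (?:updated|is up to date) \(version: (\d+),")


def parse_freshclam_log(lines, local_tz):
    """Return (start of the last run in UTC, {database: version}) from a log."""
    started, versions = None, {}
    for line in lines:
        line = line.strip()
        run = RUN_LINE.match(line)
        if run:
            naive = datetime.strptime(run.group(1), "%a %b %d %H:%M:%S %Y")
            started = naive.replace(tzinfo=local_tz).astimezone(timezone.utc)
            versions = {}  # keep only what the most recent run reported
            continue
        db = DB_LINE.match(line)
        if db:
            versions[db.group(1)] = int(db.group(2))
    return started, versions


def check_record(record, started, versions, now, max_age=timedelta(hours=3)):
    """Compare the DNS announcement with what freshclam actually holds.

    Returns a list of (code, database, duration) tuples:
      dns-behind-mirror  the mirror served a newer database than DNS announces;
                         duration is how long that has been true at `now`
      local-behind-dns   DNS announces a newer database than the local one
      record-stale       the record is older than max_age (assumed threshold)
    """
    findings = []
    for db in ("main", "daily"):
        have = versions.get(db)
        if have is None:
            continue
        announced = getattr(record, db)
        if have > announced:
            lag = now - started if started else None
            findings.append(("dns-behind-mirror", db, lag))
        elif have < announced:
            findings.append(("local-behind-dns", db, None))
    age = now - record.published
    if age > max_age:
        findings.append(("record-stale", None, age))
    return findings


# Sample input: log lines and records as quoted in the thread; the timezone
# object and the "now" values are constructed from the times the poster gives.
GMT_PLUS_2 = timezone(timedelta(hours=2))
SAMPLE_LOG = [
    "ClamAV update process started at Mon Oct 11 13:48:49 2004",
    "daily.cvd updated (version: 525, sigs: 1031, f-level: 2, builder: trog)",
]
RECORD_AT_1423 = "0.80rc3:27:524:1097490616"
RECORD_AT_1510 = "0.80rc4:27:525:1097500281"

if __name__ == "__main__":
    started, versions = parse_freshclam_log(SAMPLE_LOG, GMT_PLUS_2)
    for txt, now in (
        (RECORD_AT_1423, datetime(2004, 10, 11, 14, 23, tzinfo=GMT_PLUS_2)),
        (RECORD_AT_1510, datetime(2004, 10, 11, 15, 15, tzinfo=GMT_PLUS_2)),
    ):
        record = parse_txt_record(txt)
        print(txt, "->", check_record(record, started, versions, now))
```

A record that stays behind the mirrors only delays DNS-based update checks; one that is stale or disagrees between nameservers is worth investigating on the resolver side as well.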
Re: [Clamav-users] ML server change
On 9/30/2004 10:53 AM +0200, JORT Emmanuel wrote:

> i unsubscribed from the clamav-users list in June (before this change) and now, since it has changed on the new ML i receive mail from the list. so, i unsubscribed again there's a few minutes (near one hour) from https://lists.sourceforge.net/lists/options/clamav-users but i still receive mail... It doesn't seem to be normal. Thanks to answer ?

Perhaps sourceforge crontabbed unsubscribements ?

Niek

Re: [Clamav-users] Clamav no longer being updated, not catching viruses
On 9/30/2004 3:33 PM +0200, Brian wrote:

> Hi all,
>
> Hoping someone can shed some light on an issue we are having. A few days ago ClamAV stopped being updated for some reason and doesn't appear to be catching viruses. I've checked the logs, but there doesn't seem to be any indication of something wrong (other places to check?), and a view of the clam-update.log shows that updates just stopped happening a few days ago. I can run the freshclam and manually update, but it was doing this automatically. I tried restarting clamav, but doesn't seem to have fixed the problem.
>
> I am using clamav ver. 0.70, running on RedHat Enterprise 3. I can provide more info if needed.
>
> Many thanks in advance for any help, ideas, etc.
>
> Cheers,
> Brian

Brian,

If it was updating automatically, you either had freshclam daemonized, or you ran freshclam from crontab. It's more likely you were using freshclam -d than freshclam via the crontab. Check your startup scripts for freshclam.

I'd advise you to update clamav to 0.75.1 (latest stable release), or 0.80rc3 (latest release candidate which will detect the new jpeg virus).

Niek

[Clamav-users] If you want to post/reply to the list, read this please.
Hi,

Now that we have 2 mailing lists, please take note of the following. If you hit Reply all in your mail client, make sure you remove the old mailing list addy: [EMAIL PROTECTED]

The new address is: [EMAIL PROTECTED]

So please make sure thats the old address in the To field when you reply. I've seen some posts where the To: header had both mailing lists in it.

Kind regards,
Niek

Re: [Clamav-users] If you want to post/reply to the list, read this please.
On 9/30/2004 8:28 PM +0200, Niek wrote:

> So please make sure thats the old address in the To field when you reply.

My god I suck, what I meant was:

So please make sure that the old address is _not_ in the To: field when you hit send.

Niek

Re: [Clamav-users] Notification E-mail
On 9/20/2004 11:45 PM +0200, Jonathan Pitcher wrote:

> We have Clam Av installed and running. It is blocking virus e-mails but is not generating any notification. Is it possible to send a message onto the user that they had an e-mail blocked? Or to an admin stating that [EMAIL PROTECTED] had a virus sent to them? Thanks in advance.

Don't send notification emails at all! Perhaps maybe to the mail administrator, but you don't want that on a busy mail server. If you want to know how many viruses hit your box, you take a look at the clam logs.

Don't confuse your users with a message that you've stopped a virus. Who wants to know these days? I, as a mail admin and a user, certainly don't want to.

A week ago I switched from qmail-scanner, to simscan [1]. It drops viruses at smtp level with a permanent failure message. No one is notified or emailed. Just another entry in the clam logs. I love it.

[1] http://www.inter7.com/?page=simscan

Regards,
Niek Baakman

___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

Re: [Clamav-users] Getting clamav to log with multilog
On 9/20/2004 4:32 PM +0200, Matt Gourley wrote:

> Hi all,
>
> I've been trying to get ClamAV to log via multilog so that I can generate reports via mrtg. I followed the instructions here: http://www.clamav.net/doc/0.75.1/clamd_supervised/clamd-daemontools-guide.txt
>
> Here are my relevant clamav.conf settings:
>
>     LogFile /dev/stderr
>     LocalSocket /tmp/clamd
>     #LogTime
>     #LogClean
>     #LogSyslog
>     #LogVerbose
>     #LogFileUnlock
>     #LogFileMaxSize 2M
>     FixStaleSocket
>     StreamSaveToDisk
>     MaxThreads 30
>     MaxDirectoryRecursion 15
>     Foreground

Regards,
Niek Baakman

Re: [Clamav-users] Re: [Clamav-users] Windows port ?
On 9/19/2004 10:14 PM +0200, [EMAIL PROTECTED] wrote:

> Looks like You don't want to compete with Windows Antivirus programs ;-) This would be bad because I found mingw native windows port not very complicated.
>
> By the way - I checked some Backdoor (about 173 I have till now) and results are :
>
> Panda Antivirus : 164/173 identified
> ClamAV CVS version: 58/173 identified
>
> Sadly to say there is a long way ahead :-( (or maybe ClamAV is not against Backdoors ?)
>
> Boguslaw Brandys

Clamav is for backdoors as well. But it is especially designed for opensource smtp gateways.

Instead of talking on how clamav doesn't detect your backdoors collection, submit them to the clamav team: http://www.clamav.net/sendvirus.html

Regards,
Niek Baakman

Re: [Clamav-users] Clamav and pictures
On 9/16/2004 5:51 PM +0200, Vladimir Potapov wrote:

> Every day I have received about 30 email's with pictures which have strange names( for example sevwqwso.gif, iwhfetsn.gif, qfwecqtf.jpg) and nonexistent's senders ([EMAIL PROTECTED], [EMAIL PROTECTED]). Clamav don't find any viruses in this email's .

Did you start receiving them 1-2 days ago? If so, they could be trying to exploit this new microsoft vuln. http://secunia.com/advisories/12528/

> Can Clamav find viruses in pictures?

Clamav scans what you tell it to scan. If something in a file matches a known pattern, clamav will detect. Perhaps the jpegs are renamed pifs/exes/etc. ?

Regards,
Niek Baakman

Re: [Clamav-users] Clamav under an SMP environment
On 9/13/2004 9:09 AM +0200, Scott Ryan wrote:

> 4 x Dell 6650s - 4 HT Xeons. It used to be a CPU hog until we started using clamdscan instead of clamscan :S

Jup, huge difference: clamscan loads the definitions, and all it needs to scan every time it is started. Clamd runs as a daemon, so the definitions are read once, and clamdscan feeds clamd. On busy servers clamscan isn't advisable.

Regards,
Niek Baakman

Re: [Clamav-users] freshclam: crontab vs. daemon
On 9/7/2004 9:28 AM +0200, Ralph Angenendt wrote:

> Which would give the following behaviour how?
>
> | ClamAV update process started at Tue Sep 7 00:01:35 2004
> | ClamAV update process started at Tue Sep 7 00:54:56 2004
> | ClamAV update process started at Tue Sep 7 01:48:16 2004
> | ClamAV update process started at Tue Sep 7 02:41:37 2004
> | ClamAV update process started at Tue Sep 7 03:34:58 2004
> | ClamAV update process started at Tue Sep 7 04:28:19 2004
> | ClamAV update process started at Tue Sep 7 05:21:40 2004
> | ClamAV update process started at Tue Sep 7 06:15:01 2004
> | ClamAV update process started at Tue Sep 7 07:08:22 2004
> | ClamAV update process started at Tue Sep 7 08:01:43 2004
> | ClamAV update process started at Tue Sep 7 08:55:03 2004
>
> Ralph

something like the following in freshclam.conf:

Checks 25

or 26

Kind regards,
Niek Baakman

Re: [Clamav-users] (no subject)
You start a new message by replying to a very old one. Don't do this. You send html formatted to a mailing list. Don't do this, see the nomime url in my sig.

On 9/7/2004 5:19 PM +0200, Erick Dantas Rotole wrote:

> Postfix, clamav, amavisd-new and spamassassin is not detecting the virus W32/[EMAIL PROTECTED] mailto:W32/[EMAIL PROTECTED] detected by mcafee. I discovered that clamav already detect this virus. What is happening? Thanks

Are you using the latest clamav version (0.75.1) ? If so, are your definitions up to date ? Maybe clamav doesn't detect it, because mcafee already detected it and removed the virus from the email ?

If the above do not apply, read the FAQ on http://www.clamav.net to check out what you can do next (have it scanned online, submit the sample).

Regards,
Niek Baakman

--
Read about mime: http://www.geoapps.com/nomime.shtml
Read about quoting: http://www.netmeister.org/news/learn2quote.html
Read about disclaimers: http://www.goldmark.org/jeff/stupid-disclaimers

Re: [Clamav-users] (no subject)
On 9/7/2004 6:07 PM +0200, Niek wrote:

> You start a new message by replying to a very old one. Don't do this.

Sorry, this was not the case. My mua seems to be threading messages with the same subject.

Regards,
Niek Baakman

[Clamav-users] [OT] Symantec update frequency
On 8/31/2004 11:02 PM +0200, John Jolet wrote:

> I don't believe Symantec updates their definitions more than once a week. Certainly not for us poor home users. you can update all you want, but the file won't change.

The following are my experiences with new defs from Symantec:

Liveupdate: 1-2 times per week, they save up the 'non important' viruses.
Intelligent updater: 1-2 per day.
Beta intelligent updater: multiple times per day.

The catch is, that Joe Homeuser only uses liveupdate. If he wants to stay up-to-date, he has to grab the (beta) intelligent updates manually. Run them manually (this can be scripted, Symantec has some batch files on their website if you search long enough.)

Symantec's corporate products can be configured to update more often than standard liveupdate.

Kind regards,
Niek Baakman

Re: [Clamav-users] Can I submit a file if I'm not sure it's a virus?
On 9/1/2004 1:49 AM +0200, D.J. Fan wrote:

> I just received 3 emails with a subject of 'foto' or 'fotos' and a zip attachment named 'foto.zip' with 'calc.exe' and 'foto.htm' contained therein that passed through 3 different scanners undetected. I don't want to infect my own machine by opening it. Can I forward it to someone to check it out?

http://www.clamav.net
Click on 'submit sample'

Regards,
Niek Baakman

Re: [Clamav-users] Messages that got through clam
On 9/1/2004 1:52 AM +0200, Philip Ershler wrote:

> I am running clam in series with RAV on CommuniGate Pro via cgpav. The messages go through clam first and if clam says OK then they go through RAV. Today RAV caught 4 messages that clam thought were OK. The following lines are from the RAV log. Should I provide the original messages to the clam team, via appropriate methods? And by the way, how does one send the clam team apparently virus laden e-mail?
>
> Thanks, Phil
>
> Aug 31 12:47:22 [06801] infected with Win32/[EMAIL PROTECTED]
> Aug 31 12:53:22 [06858] infected with Win32/[EMAIL PROTECTED]
> Aug 31 14:01:30 [07878] infected with JS/Dword.dr*
> Aug 31 09:22:20 [04888] infected with VBS/Baggle.Z.dr*
> Aug 31 10:46:56 [05625] infected with HTML/IFrame_Exploit*

What version of clamav are you using ? If 0.75.1, update to 0.75.1 or CVS.

If the viruses are not detected after upgrading, submit them via: http://www.clamav.net 'submit sample'

Regards,
Niek Baakman

Re: [Clamav-users] segfaults
On 8/27/2004 7:54 PM +0200, Jim Maul wrote:

> Quoting hondaman [EMAIL PROTECTED]:
>
>> Thank you for the reply. I installed libgmp, and this is the output now:
>>
>> Aug 27 10:52:52 HardGaming freshclam[7574]: Daemon started.
>> Aug 27 10:52:52 HardGaming freshclam[7575]: freshclam daemon 0.75 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
>> Aug 27 10:52:52 HardGaming freshclam[7575]: ClamAV update process started at Fri Aug 27 10:52:52 2004
>> Aug 27 10:52:52 HardGaming freshclam[7575]: 64.18.103.6 is up to date (version: 1529911840, sigs: -1073744424, f-level: 0, builder: (null))
>> Aug 27 10:52:52 HardGaming freshclam[7575]: (null) updated (version: 1529911840, sigs: -1073744424, f-level: 0, builder: (null))
>> Aug 27 10:52:52 HardGaming kernel: freshclam[7575]: segfault at 0004 rip 003b5b16e380 rsp 007fbfffe878 error 4
>
> I'm not too sure here, but those (null)'s don't look good. Neither does the version: 1529911840, sigs: -1073744424. something is definitely corrupt.
>
> Jim

Yes it does. So OP: update to clamav 0.75.1 or latest devel.

Regards,
Niek Baakman

Re: [Clamav-users] Clam or Clamassassin problem
On 8/17/2004 10:23 PM GMT+2, lnx wrote:

> I've just installed Clamassassin and an error message is appearing in the header, details below.
>
> X-Virus-Status: Failed
> X-Virus-Report: Internal error mktemp MSGTMP failed
> X-Virus-Checker-Version: clamassassin 1.2.1 with clamdscan / ClamAV version 0.75.1 signatures 24.457
> Status:
>
> The problem is that the script could not create tempfiles. I'm not sure if this is a clamav or clamassassin problem. How do I correct this?
>
> Leeroy

Hi,

Don't use mime in email messages to mailing lists. If you do not know what this means, read: http://www.geoapps.com/nomime.shtml

This sounds like a clamassassin permission problem. You'd be better off asking this question on the clamassassin-discuss mailing list.

Kind regards,
Niek Baakman

Re: [Clamav-users] Freshclam cron interval {Revisado por Antivirus}
On 8/16/2004 7:53 PM GMT+2, Mike Robinson wrote:

> Why not just do what I've been working on. Just set up a procmail rule that runs freshclam whenever you get a message from the clamav-virusdb list. It should work just as good as the clamav team sending you a virusdb push every time the database is updated.

I don't know what your return times of the sourceforge mailing lists are. But over here, it can take up to 1.5, 2 hours during USA daytime.

Regards,
Niek Baakman

Re: [Clamav-users] freshclam wont work
On 8/15/2004 12:26 PM GMT+2, david thompson wrote:

>> If you type echo $PATH you will see that the search path is not the same for you as an ordinary user and you as super user.
>
> I typed echo $path and got a blank.

Peter said: echo $PATH, not echo $path.

> I did not install a rpm-so the above will not find freshclam. However, I have found that the executable is /usr/local/bin/freshclam. I opened a console as su, and typed freshclam and it updated ok. But why can't I use freshclam as su without bash reporting that it can't find the command? Has it something to do with ldconfig?
>
> all the best
> david

Because /usr/local/bin isn't in your $PATH. Do as Damian Menscher suggested!

Regards,
Niek

[Clamav-users] Re: [Clamav-virusdb] Update (daily: 454) - Doesn't work
On 8/15/2004 12:32 PM GMT+2, [EMAIL PROTECTED] wrote on Clamav-virusdb:

> ClamAV database updated (Sun Aug 15 10:30:32 UTC 2004): daily.cvd, viruses.db2
> Version: 454
>
> Submission: 5158-web
> Sender: Daniel De Martin
> Submitted virus name: Backdoor.IrcContact.20
> Added: Backdoor.IrcContact.20

freshclam does *not* find version 454.

Regards,
Niek

Re: [Clamav-users] Re: [Clamav-virusdb] Update (daily: 454) - Doesn't work
On 8/15/2004 5:09 PM GMT+2, Brian Morrison wrote:

> On Sun, 15 Aug 2004 13:27:37 +0200 in [EMAIL PROTECTED] Niek [EMAIL PROTECTED] wrote:
>
>> freshclam does *not* find version 454.
>
> It may have taken a while to get to the mirrors, freshclam picked it up here a few minutes ago.

Same here. But that raises the following question.

The database was updated: Sun Aug 15 10:30:32 UTC 2004.
I got the update Sun Aug 15 14:36:32 2004 UTC 2004 (wasn't available 30 minutes earlier)

Isn't that a little late, I mean: what good is 4 hours?

Regards,
Niek

Re: [Clamav-users] Worm.Mydoom.M
said the following on 8/12/2004 5:44 AM GMT+2:

> I scan mail with clamav 0.75 on my gentoo. My bases is up to date. Clamdscan /virus_file Not catch a virus.

You are probably scanning a broken sample. In any case, update to clamav 0.75.1.

Regards,
Niek Baakman

Re: [Clamav-users] QS 1.23 upgrade - procs not dying
Doug Monroe said the following on 8/10/2004 5:19 AM GMT+2:

> linux RH9 2.4.20-31.9
> Qmail-Scanner 1.23
> clamav 0.75.1
>
> odd problem since upgrading to 1.23, with coincidental update to clamav 0.75
>
> Over the past 3-4 days I've seen clamscan processes hanging around, sucking up resources, never dying, causing high load. I can kill the processes, but after some time I end up in the same boat:
>
> ps output
>
> I notice clamscan options within QS have changed from:
>
>     my $clamscan_options="-r --disable-summary --max-recursion=10 --max-space=10";
>
> to:
>
>     my $clamscan_options="-r -m --unzip --unrar --unzoo --lha --disable-summary --max-recursion=10 --max-space=10";
>
> but I can run any of the above options from cmd line on the orig. email msg w/o problem. Anyone seeing similar problems with their QS setup?
>
> QS log

Doug,

I would recommend clamdscan (together with clamd) instead of clamscan. When you run clamscan, it has to initialize the virusdb every time it runs. Set up clamd, and configure QS to use clamdscan instead of clamscan. You will see huge load/io improvements.

Kind regards,
Niek Baakman

Re: [Clamav-users] Ignoring option -r
Tomasz Papszun said the following on 8/10/2004 1:45 PM GMT+2:

> On Tue, 10 Aug 2004 at 13:39:57 +0300, Arthur Kerpician wrote:
>
>> Tomasz Papszun wrote:
>>
>>> Because these warnings from clamdscan have been introduced just recently (they are needed to help avoid repeated complaints like I use 'clamdscan --mbox' but viruses in emails aren't detected!). Previously clamdscan just silently ignored unsupported options.
>>
>> Clamdscan is called by qmail-scanner-1.23 and don't remember setting any -r option anywhere.
>
> I don't know qmail-scanner so I can't say details but something _must_ issue -r anyway.

From QS 1.23 qmail-scanner-queue.pl:

    my $clamdscan_binary='/usr/bin/clamdscan';
    my $clamdscan_options="-r --disable-summary --max-recursion=10 --max-space=10";

(wrapped)

Kind regards,
Niek Baakman

Re: [Clamav-users] New virus/worm ???
Michael Brennen said the following on 8/9/2004 7:58 PM GMT+2:

> Just in the last few minutes I've started getting hit with several copies of a zip packaged exe file from widely varying sources. The names are of the form 'price.*\.zip'. I've submitted a copy online and it was accepted. Anyone else seeing this?
>
> -- Michael

Run freshclam. daily 444 detects the price zip as Trojan.RunMe. The price.exe has some urls inside it, if you wget that 2.jpg you get a Worm.Bagle.AI, which made it into daily 445.

Regards,
Niek Baakman

Re: [Clamav-users] Upgrade?
Matt Burleigh said the following on 8/3/2004 2:12 PM GMT+2:

> I am running .70 clamav and it works (thanks!) fine. Is there a compelling reason to upgrade?

Matt,

Yes, you will not catch as many viruses with 0.70 as with 0.75.1. Latest mydoom with borked mime for e.g. Also newer versions tend to fix many other things, such as better memory management. It is very advisable to upgrade.

Regards,
Niek Baakman

Re: [Clamav-users] New variant Bagle not being detected?
Mike Brodbelt wrote: Hi, I got a suspicious mail this morning which looked very like a virus, and I'm now receiving reports from a neighbouring institution that they are getting hit with the same thing. It is rumored to be a new variant of Bagle, though nothing I have picks it up yet. The mail goes something like this:- Dear user of acu.ac.uk, We have received reports that your e-mail account was used to send a huge amount of junk e-mail messages during this week. Most likely, your computer was infected and now runs a trojaned proxy server. Please follow the instruction in order to keep your computer safe. Sincerely yours, The acu.ac.uk support team. It also contains an attached zip file, which contains a file named amcluv.htm(lots of embedded nulls).com The neighbouring institution had their domain in the mail, instead of mine, so the virus appears to be attempting a bit of social engineering. Also, the from address was forged to be from MAILER-DAEMON at my domain. Has anyone else seen this? I've submitted it to the ClamAV database, and received a thank you note, telling me the submission has not been added, and giving no information as to why not, which is less helpful than I'd have hoped... The online scanner does not currently pick it up. Is there a way I can manually extract a signature to add to my local database, if ClamAV won't do it? Mike. It is mydoom.o (mydoom.m some call it) which is detected by latest clamav defs. Niek
Re: [Clamav-users] ClamAV version 0.74 doesn't detect some viruses
Matias Lopez Bergero wrote: Hello, I have installed clamav 0.74 on my email server, and I am using it with clamav-milter. Some of my users called me today to tell me that he was receiving viruses on his email account. I said: no way. But it's true. This is the virus: Worm.Bagle.AF.2 I tested it against the online scanner. Should I install a prior version? I was using 0.70 and it was working great. Best Regards! Matías. If you're sure you have the latest defs, and clamav doesn't catch it, submit it! http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi Regards, Niek
Re: [Clamav-users] Not catching W32.Netsky.P ???
Ken Morley wrote: I have ClamAV 0.71 installed on RHES3 and updated to the latest definitions as of 06/24/2004. I don't know the AV signature file version number, but it's protecting against 22076 viruses. This is integrated as a mail filter using SendMail, SpamAssassin MIMEDefang and seems to be working correctly as the combination is correctly detecting and handling many infected e-mails. The problem is that it's not detecting [EMAIL PROTECTED] (name as detected by Symantec Anti Virus). Why? I would submit a sample, but Symantec AV is deleting the infected attachments as soon as it encounters them. Thanks for the assistance! Ken Morley Clamav named netsky somefool. Be sure to upgrade to newest clamav, 0.71 is a tad old. Regards, Niek
Re: [Clamav-users] unknown OLE2 entry
[EMAIL PROTECTED] wrote: Ever since 0.71 our nightly clamscan of our file server has been giving the following error. LibClamAV Error: ERROR: unknown OLE2 entry type: 66 LibClamAV Error: ERROR: unknown OLE2 entry type: 66 LibClamAV Error: ERROR: unknown OLE2 entry type: 20 LibClamAV Error: ERROR: unknown OLE2 entry type: 37 LibClamAV Error: ERROR: unknown OLE2 entry type: 20 LibClamAV Error: ERROR: unknown OLE2 entry type: 37 Can anyone tell me why and what does it mean ? The command line used is : su -s /bin/bash -c '/usr/local/bin/clamscan -r -i --exclude Clamav --exclude amavisd /public' - root in /etc/cron.daily/clamrun.sh Apart from this there are no other problems. It still works okay because we caught an I.frame exploit last week and since 0.72 several files come up Oversized zip. Cheers in advance. Dr James Allen Director of Clinical Engineering Heartsine Technologies Please update to version 0.72 Regards, Niek
Re: [Clamav-users] Re: Freshclam not responding
Gervase wrote: Following my own question of Tue, 2004-06-01 at 15:05, in which I wrote: I have been using Clamav 0.70 without problem for some time but without warning freshclam recently stopped responding. No error message except the usual notification that I had no digital signature, which is another problem which I have not solved but am not too concerned about at this stage. The link just stopped responding. I then updated to 0.71 hoping in vain that the problem would go away. It didn't of course. Can anyone suggest the answer, or help a relative newbie to identify the problem? I have read all the help files and read all recent suggestions for upgrading with interest but none seem to help. I first did a make uninstall, then removed (I think) all traces of 0.70, and freshclam -V only throws up 0.71. File permissions don't seem to be a problem either. I am now stumped. Thanks in advance. If I leave it alone long enough, I get the following message: ClamAV update process started at Tue Jun 1 16:31:59 2004 SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES ERROR: Can't get information about database.clamav.net host. ERROR: Connection with database.clamav.net (IP: ???) failed. Trying again... Does this help anyone identify the problem? Check for dns lookup problems. Also, update to clamav 0.71 Niek
Re: [Clamav-users] Clamav - Qmail - Ezmlm
Scott Ryan wrote: I may be posting to the wrong link, but I am just trying to cover all angles: I am using qmail - qmailscanner - clamav-0.70 and ezmlm. All regular mail is passed to qmailscanner and thus virus scanned. But all mail sent to a mailing list is not. Is there anywhere in Ezmlm that I must configure for it to be parsed through qmail scanner before hitting the queue? Thanks in advance Scott Ryan Scott, turn on debugging in qmailscanner, send a few mails with attachments to the list, (or a testlist, if you don't want to bother the listusers) and check the QS logs. Hope this points you in the right direction. Regards, Niek
Re: [Clamav-users] sigtool not working correctly
Mark Novak wrote: Hello all, I recently upgraded my Clamav from 0.70-rc to clamav-0.70. After the upgrade my sigtool stopped working as it used to. For example: [EMAIL PROTECTED] log]# sigtool -i /var/lib/clamav/daily.cvd Build time: 29 Apr 2004 07-50 +0200 Version: 294 # of signatures: 1075 Functionality level: 2 Builder: diego MD5: 4a5bcb4e2e696c4e918ef8dd8d0b2ae2 Digital signature: FUJWP7lblQugBK02KPsQMF2Seg/ IHEAanlB56P7AxZ84pLAfGnH1zxtW+B2YZyJelLSEyZOprZhHSccdoAzXMD9Q4hUipjpMJ8+ v9RlqHJpXrogrpP8vDJsjeb+N93ikPEa4TwEVmZ8aHgcfNUbhXIOQD4wOEWBWdcya9GRS+Ke Verification OK. [EMAIL PROTECTED] log]# But if I try to grep for a specific virus, I get nothing: [EMAIL PROTECTED] log]# sigtool -l |grep -i somefool [EMAIL PROTECTED] log]# Clam is catching a ton of somefool variants every hour, as well as the newest Bagle variants that I see listed in the update emails, but sigtool won't show them. Any and all ideas are appreciated! Thanks, Mark Novak Mark, Maybe the path for the cvd files changed after your upgrade, and sigtool and clam are looking in the old location for cvd files? Regards, Niek
Re: [Clamav-users] Clam assigns wrong virus name??
Ralf Guenthner wrote: I guess that you use very old database - Win32.Mix isn't present in the database since the end of February 2004. sigtool -l |grep -i mix .. .. W32.Mix.1852 Tomasz, thanks a lot for replying. I'm afraid that's not the problem, though. Here's the result of a freshclam: ClamAV update process started at Wed Apr 28 16:00:00 2004 SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES main.cvd is up to date (version: 22, sigs: 20229, f-level: 1, builder: tkojm) daily.cvd is up to date (version: 291, sigs: 1072, f-level: 2, builder: ccordes) What now? Read the faq: http://www.clamav.net/faq.html Regards, Niek
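An added example (not from the thread or from the ClamAV project): a small Python check that reads freshclam log text like the runs quoted in the "Freshclam not responding" and "Clam assigns wrong virus name??" messages above and reports missing signature verification, update errors, and databases that are behind a reference version. The line breaks restored in the sample logs, the function names and the reference versions are assumptions made for the example.

```python
import re

# Line format as quoted in the thread:
# "daily.cvd is up to date (version: 291, sigs: 1072, f-level: 2, builder: ccordes)"
DB_LINE = re.compile(
    r"(?P<db>\w+)\.cvd is up to date \(version: (?P<version>\d+), "
    r"sigs: (?P<sigs>\d+), f-level: (?P<flevel>\d+), builder: (?P<builder>\w+)\)"
)


def parse_freshclam_run(text):
    """Return (databases, findings) for the log text of one freshclam run."""
    databases, findings = {}, []
    for line in text.splitlines():
        line = line.strip()
        match = DB_LINE.search(line)
        if match:
            databases[match["db"]] = {
                "version": int(match["version"]),
                "sigs": int(match["sigs"]),
                "flevel": int(match["flevel"]),
                "builder": match["builder"],
            }
        elif "NO SUPPORT FOR DIGITAL SIGNATURES" in line:
            # This freshclam cannot check the signature carried by the .cvd files.
            findings.append("no-signature-verification")
        elif line.startswith("ERROR:"):
            findings.append("update-error: " + line[len("ERROR:"):].strip())
    return databases, findings


def stale_databases(databases, reference):
    """Names of databases that are missing or older than the reference versions."""
    return sorted(
        name for name, wanted in reference.items()
        if databases.get(name, {}).get("version", -1) < wanted
    )


# Log text quoted in the two messages; line breaks restored (assumed layout).
LOG_APR_28 = """ClamAV update process started at Wed Apr 28 16:00:00 2004
SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES
main.cvd is up to date (version: 22, sigs: 20229, f-level: 1, builder: tkojm)
daily.cvd is up to date (version: 291, sigs: 1072, f-level: 2, builder: ccordes)
"""
LOG_JUN_1 = """ClamAV update process started at Tue Jun 1 16:31:59 2004
SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES
ERROR: Can't get information about database.clamav.net host.
ERROR: Connection with database.clamav.net (IP: ???) failed.
Trying again...
"""
# Reference versions chosen for illustration: main 22 from the Apr 28 log,
# daily 294 from the sigtool -i output quoted in the sigtool message.
REFERENCE = {"main": 22, "daily": 294}

if __name__ == "__main__":
    for label, log in (("Apr 28", LOG_APR_28), ("Jun 1", LOG_JUN_1)):
        dbs, findings = parse_freshclam_run(log)
        print(label, "stale:", stale_databases(dbs, REFERENCE), "findings:", findings)
```

A run that logs only errors yields no database entries, so every database in the reference is reported as stale rather than silently passing.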
Re: [Clamav-users] freshclam notify'n clamd
Andrzej Zawadzki wrote: Do You have in /etc/freshclam # Send the RELOAD command to clamd. #NotifyClamd [/optional/config/file/path] NotifyClamd /etc/clamav.conf ? read the logs i posted: Clamd successfully notified about the update.
Re: [Clamav-users] Problems detecting Worm.SomeFool.Y
Andreas Haase wrote: Hello, I have several installations of clamav. Versions are 0.67 or 0.70. A customer sent an infected file with the virus named in the subject. Version 0.67 detects the virus correctly, 0.70 doesn't. Comparing the amount of known virus, there is a difference of about 75 viruses. Needless to say that I updated the signatures several times using freshclam, which was successful (no error messages) but the diff between the installations keeps as it is. I also deleted the signature files and got it completely new. Is there anything I'm doing wrong? Or how do I get the newest signatures that detect this virus? Regards, Andreas Haase Postmaster EastLink GmbH If you use clamd, it can take up to one hour before clamd selfchecks itself, and rereads the definition files. Selfcheck can be set in clamav.conf. Hope this helps, Niek
Re: [Clamav-users] Netsky -V
Andrew Mouawad wrote: Hi, Just heard a report of a new virus called netsky -v that is doing the rounds. Apparently works only on an un-patched OE, but does not need an attachment to be opened, just for the user to click on the subject line. Haven't heard of this one, or found anything on the net yet. Anyone else seen or heard of this one? http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]
Re: [Clamav-users] clamav and milter - dedicated mailing list.
Odhiambo Washington wrote: May I propose a separate mailing list for milter users? There seems to be a lot of discussions about milter (now I even know it's some form of sendmail plugin) that warrants this. Some of us use Exiscan and we find milter quite a 'strange' idea ;-)) The list could be named clamav-milter-users. I believe the usage of ClamAv has grown to an extent that this is now warranted. Any seconders Not a good idea if you ask me. What if this list attracts more qmail-scanner users, or exiscan ? Although I agree I see lots of questions regarding milter, over 50% can be solved by anyone, as they are really questions about clamav. Splitting this list up will only result in crosspostings, posting on the wrong list, motions to start more separate lists. My 0.02 cents Niek
Re: [Clamav-users] new virus (?): automatically scanned for viruses using xxx
Fajar A. Nugraha wrote: I see some occurrences of emails containing compressed attachment, not detected by ClamAV, all claiming to be automatically scanned for viruses using xxx where xxx is either McAfee, Norton, or possibly other AV vendors, complete with their logo attached. The attachments are not password-protected, but I can't open it with ark (perhaps this is winzip-only archive). A sample was submitted to http://www.nervous.it/~nervous/cgi-bin/sendvirus.cgi As I don't use M$ Win, I don't know what it does exactly. Anybody else got these? Or perhaps some other vendor already detect this? Regards, Fajar Fajar, Sounds like a bagle variant. The attachment could be a RAR archive. Niek
Re: [Clamav-users] Complete system scan...
Mike van Vugt wrote: Why are my messages taking an hour to get to the list Mike, Because sourceforge.net hosts _many_ lists, so their mailservers are kinda busy. Niek
Re: [Clamav-users] ClamAV Hangs with an error message
Jorge Rodríguez wrote: Hi people, I have installed on Debian: Qmail 1.03 from debian w/Auth SMTPD patch + Qmail-Scanner 1.21 + SpamAssassin 2.63-0 + ClamAV 0.67-6. ClamAV works fine for various hours a day, but suddenly I begin to see messages in my mail.log file: Apr 13 00:03:29 imaggina X-Qmail-Scanner-1.21: [imaggina108180739547029817] clamscan: corrupt or unknown ClamAV scanner error or memory/resource/perms problem - exit status 50 and nobody can send any email through the server. I must delete the line that enables the use of qmail-scanner in tcp.smtp file and restart qmail. 'Til now my server is unprotected without the clamav because anytime anybody wants to send an email the error above appears and in Outlook the answer for the user is a qq temporary error. Can anyone help me?? Thanks a lot Jorge Jorge, from man clamscan: RETURN CODES 50: Database initialization error. Regards, Niek
[Clamav-users] RAR module failure
Hi list, Using devel of 20040412, and got this RAR module failure on a rar. Unfortunately qmail-scanner deleted it, so can't reproduce it. Isn't it possible to make clamav call the freeware unrar executable ? Regards, Niek
Re: [Clamav-users] submitting samples (name instead?)
Jim Maul wrote: -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Henry Harvey Sent: Friday, April 09, 2004 10:16 AM To: [EMAIL PROTECTED] Subject: [Clamav-users] submitting samples (name instead?) Would it be possible to report what viruses (names) are not being detected by ClamAV, instead of submitting a sample? We have Symantec Corporate Ed AV running on all workstations and it blocks those files from even saving to any pc. I have the logs which says that [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] are still being delivered to workstations. Meaning they were not stopped by ClamAV. A search on the database of ClamAV results with nothing with those same variants. ClamAV works perfectly fine with other viruses though, like those SomeFool viruses. Being the NetSky _IS_ SomeFool, I wonder what you're saying here. If they are being blocked, how are they being detected by symantec? he said: those viruses are caught by norton on workstations, clamav didn't catch them on the mailserver. Given that the workstations received them by mail. Niek Baakman