Re: [Clamav-users] Stale clamav CVS repository at sourceforge.net?
On 4/17/06, Tomasz Kojm [EMAIL PROTECTED] wrote:
> On Mon, 17 Apr 2006 09:54:34 +0100 Brian Morrison [EMAIL PROTECTED] wrote:
> > On Mon, 17 Apr 2006 01:13:34 +0300 Panagiotis Christias [EMAIL PROTECTED] wrote:
> > > Hello,
> > >
> > > the CVS repository at sourceforge.net seems to be stale since the end of March. At least the web interface at:
> > >
> > > http://cvs.sourceforge.net/viewcvs.py/clamav/clamav-devel/
> > >
> > > Any ideas?
> >
> > Yes. SF suffered a serious problem with developer CVS a while back, it isn't fully fixed yet due to some loss of data and the need to restore it. Anonymous CVS access is currently only up to the last updates from dev CVS in late March. Last SF status update is now 10 days old so I don't know any more.
>
> You can use the CVS snapshots until the issue is resolved by SF.net:
>
> http://www.clamav.net/snapshot/

Yes, that's how I verified that the project is still up and running :)

Regards,
Panagiotis
___
http://lurker.clamav.net/list/clamav-users.html
[Clamav-users] Stale clamav CVS repository at sourceforge.net?
Hello,

the CVS repository at sourceforge.net seems to be stale since the end of March. At least the web interface at:

http://cvs.sourceforge.net/viewcvs.py/clamav/clamav-devel/

Any ideas?

Regards,
Panagiotis
[Clamav-users] Re: clamav-milter: stale files in quarantine directory and open file descriptors
On 3/18/06, Panagiotis Christias [EMAIL PROTECTED] wrote:
> Hello,
>
> we are observing the following behaviour with our clamd/clamav-milter setup: there are some messages that exceed the StreamMaxLength remaining in the quarantine directory with filenames like msg.AuxBaE. Clamav-milter keeps around 17 open file descriptors for each such file. These file descriptors are not released and over time reach high numbers, around several thousands (~5000 or more). Eventually clamav-milter stops responding and gets restarted by the watchdog script (clmilter_watch).
>
> We have three mail gateways running the same setup and they have the same problem. All of them are running ClamAV version 0.88, clamav-milter version 0.87 on FreeBSD 5.3/5.4.
>
> Clamav-milter is run as:
>
> clamav-milter -enNqd -m 150 -U /var/tmp/clamav
>
> Our clamd.conf contains:
>
> LogFile /var/log/clamav/clamd.log
> LogFileMaxSize 0
> LogTime
> LogSyslog
> LogFacility LOG_MAIL
> PidFile /var/run/clamav/clamd.pid
> TemporaryDirectory /var/tmp/clamav-tmp
> DatabaseDirectory /var/db/clamav
> LocalSocket /var/run/clamav/clamd
> FixStaleSocket
> TCPAddr 127.0.0.1
> MaxConnectionQueueLength 50
> StreamMaxLength 1M
> MaxThreads 100
> User clamav
> AllowSupplementaryGroups
> ScanPE
> DetectBrokenExecutables
> ScanOLE2
> ScanMail
> ScanHTML
> ScanArchive
> ArchiveMaxFileSize 1M
> ArchiveMaxCompressionRatio 1500
>
> Here is a sample of the quarantine directory followed by the output of lsof (I'm sorry about the formatting):
>
> % ls -lt /var/tmp/clamav | head
> total 5246994
> -rw--- 1 clamav wheel 1049604 Mar 18 19:46 msg.AuxBaE
> drwx-- 2 clamav wheel 5120 Mar 18 19:45 060318
> -rw--- 1 clamav wheel 105 Mar 18 19:43 msg.JxxvNF
> -rw--- 1 clamav wheel 1050797 Mar 18 19:31 msg.VHSVPJ
> -rw--- 1 clamav wheel 1050743 Mar 18 19:26 msg.Wbbvdw
> -rw--- 1 clamav wheel 1049604 Mar 18 19:25 msg.EwAggU
> -rw--- 1 clamav wheel 105 Mar 18 19:22 msg.jieLN6
> -rw--- 1 clamav wheel 1049500 Mar 18 18:54 msg.vHmpcn
> -rw--- 1 clamav wheel 1049496 Mar 18 18:41 msg.v02yjx
>
> % /usr/local/sbin/lsof -n -w -c clamav-milter | egrep msg.AuxBaE
> clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
>
> I can provide you with some of /var/tmp/clamav/msg.* files for debugging.
>
> Regards,
> Panagiotis

Hello,

we tried to run clamav-milter without the quarantine option:

clamav-milter -enNqd -m 150 -U /var/tmp/clamav

Now some of the messages that exceed the StreamMaxLength linger around in the TemporaryDirectory (/var/tmp/clamav-tmp as defined in clamav.conf). Actually they are not whole messages, just the first part of them (until they reach StreamMaxLength, set to 1MB).

Here is the ls -lt output:

% ls -lt /var/tmp/clamav-tmp/clamav-c11d50658f95ce57
total 42240
-rw--- 1 clamav wheel 1049685 Mar 20 22:56 msg.PU9k1M
-rw--- 1 clamav wheel 1049407 Mar 20 20:32 msg.N3bV6C
-rw--- 1 clamav wheel 1049399 Mar 20 20:11 msg.UwRgAj
-rw--- 1 clamav wheel 1049404 Mar 20 19:43 msg.lQ8HVp
-rw--- 1 clamav wheel 1049386 Mar 20 19:16 msg.1bleQF
-rw--- 1 clamav wheel 1049421 Mar 20 19:03 msg.RrElJ2
-rw--- 1 clamav wheel 1049389 Mar 20 18:46 msg.PHLTDC
-rw--- 1 clamav wheel 1049360 Mar 20 18:11 msg.e39fVc
-rw--- 1 clamav wheel 1049361 Mar 20 17:55 msg.NviCyQ
-rw--- 1 clamav wheel 1049357 Mar 20 17:14 msg.4HCWK5
-rw--- 1 clamav wheel 1049500 Mar 20 16:58 msg.J6V4d6
-rw--- 1 clamav wheel
[Clamav-users] clamav-milter: stale files in quarantine directory and open file descriptors
Hello,

we are observing the following behaviour with our clamd/clamav-milter setup: there are some messages that exceed the StreamMaxLength remaining in the quarantine directory with filenames like msg.AuxBaE. Clamav-milter keeps around 17 open file descriptors for each such file. These file descriptors are not released and over time reach high numbers, around several thousands (~5000 or more). Eventually clamav-milter stops responding and gets restarted by the watchdog script (clmilter_watch).

We have three mail gateways running the same setup and they have the same problem. All of them are running ClamAV version 0.88, clamav-milter version 0.87 on FreeBSD 5.3/5.4.

Clamav-milter is run as:

clamav-milter -enNqd -m 150 -U /var/tmp/clamav

Our clamd.conf contains:

LogFile /var/log/clamav/clamd.log
LogFileMaxSize 0
LogTime
LogSyslog
LogFacility LOG_MAIL
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /var/tmp/clamav-tmp
DatabaseDirectory /var/db/clamav
LocalSocket /var/run/clamav/clamd
FixStaleSocket
TCPAddr 127.0.0.1
MaxConnectionQueueLength 50
StreamMaxLength 1M
MaxThreads 100
User clamav
AllowSupplementaryGroups
ScanPE
DetectBrokenExecutables
ScanOLE2
ScanMail
ScanHTML
ScanArchive
ArchiveMaxFileSize 1M
ArchiveMaxCompressionRatio 1500

Here is a sample of the quarantine directory followed by the output of lsof (I'm sorry about the formatting):

% ls -lt /var/tmp/clamav | head
total 5246994
-rw--- 1 clamav wheel 1049604 Mar 18 19:46 msg.AuxBaE
drwx-- 2 clamav wheel 5120 Mar 18 19:45 060318
-rw--- 1 clamav wheel 105 Mar 18 19:43 msg.JxxvNF
-rw--- 1 clamav wheel 1050797 Mar 18 19:31 msg.VHSVPJ
-rw--- 1 clamav wheel 1050743 Mar 18 19:26 msg.Wbbvdw
-rw--- 1 clamav wheel 1049604 Mar 18 19:25 msg.EwAggU
-rw--- 1 clamav wheel 105 Mar 18 19:22 msg.jieLN6
-rw--- 1 clamav wheel 1049500 Mar 18 18:54 msg.vHmpcn
-rw--- 1 clamav wheel 1049496 Mar 18 18:41 msg.v02yjx

% /usr/local/sbin/lsof -n -w -c clamav-milter | egrep msg.AuxBaE
clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE

I can provide you with some of /var/tmp/clamav/msg.* files for debugging.

Regards,
Panagiotis
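An added example, not part of the original post: a shell function that summarises lsof output per clamav-milter temporary file, reporting both the number of rows and the number of distinct (PID, FD) pairs, since every row in the listing above carries the same descriptor, 134u. `fd_report` is a hypothetical helper name, and the `msg.EXAMPLE1` and `clamd.log` rows are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): summarise lsof rows per
# clamav-milter temporary file. fd_report is a hypothetical helper name.

# Constructed sample in the column layout of the post's listing:
# COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sample_lsof() {
    cat <<'EOF'
clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav 134u VREG 4,18 1049604 10058197 /var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav 135u VREG 4,18 1049500 10058201 /var/tmp/clamav/msg.EXAMPLE1
clamav-mi 65257 clamav 136u VREG 4,18 1049500 10058201 /var/tmp/clamav/msg.EXAMPLE1
clamav-mi 65257 clamav 3w VREG 4,18 52110 10058002 /var/log/clamav/clamd.log
EOF
}

# Read lsof output on stdin; print "path rows distinct_fds" for every
# msg.* file with at least $1 rows (default 1). A file whose row count is
# far above its distinct (PID, FD) count is one descriptor listed many
# times; matching counts mean that many separate descriptors are held.
fd_report() {
    awk -v min="${1:-1}" '
        $NF ~ /\/msg\.[A-Za-z0-9]+$/ {
            rows[$NF]++
            key = $NF SUBSEP $2 SUBSEP $4      # path, PID, FD column
            if (!(key in seen)) { seen[key] = 1; fds[$NF]++ }
        }
        END {
            for (p in rows)
                if (rows[p] >= min) print p, rows[p], fds[p]
        }' | LC_ALL=C sort
}

# On a live gateway the input would come from the command in the post:
#   /usr/local/sbin/lsof -n -w -c clamav-milter | fd_report 10
sample_lsof | fd_report 2
```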
[Clamav-users] Mytob virus detected as Broken.Executable?
Hello,

we got reports that several emails carrying the Mytob virus (W32/[EMAIL PROTECTED] as reported by F-Prot) slipped through our ClamAV installation (0.87.1, latest virus database 34/1197). We managed to get a copy of an infected message and submitted it to the ClamAV Virus Database where it was recognised as Broken.Executable.

We are using the default values, more or less, for the scanning options in our clamav-milter/clamd installation and thus DetectBrokenExecutables was disabled by default.

Any opinions regarding the DetectBrokenExecutables option? Could we or should we enable it? And if so, why is it disabled by default?

The infected message can be found at:

http://noc.ntua.gr/~christia/tmp/message

Regards,
Panagiotis
http://noc.ntua.gr/
Re: [Clamav-users] clamav-milter logging habits
On 6/30/05, Nigel Horne [EMAIL PROTECTED] wrote:
> > From /var/log/mail:
> >
> > Jun 30 03:38:28 diomedes clamav-milter[60071]: j5U0cN65081507: /var/tmp/clamav/msg.G8CVC4: HTML.Phishing.Bank-1 Intercepted virus from [EMAIL PROTECTED] to [EMAIL PROTECTED]
> > Jun 30 03:38:28 diomedes clamav-milter[60071]: File quarantined as /var/tmp/clamav/050630/j5U0cN65081507.HTML.Phishing.Bank-1
> > Jun 30 03:38:28 diomedes clamav-milter[60071]: Quarantined infected mail as /var/tmp/clamav/050630/j5U0cN65081507.HTML.Phishing.Bank-1
>
> Yes, it's a mistake. I'll fix it ASAP.
>
> -Nigel

This is a feature request. The first line in the log carries a lot of useful information, almost everything. Would it be possible to also include the sender's IP address? It would save us a few lines of scripting when analyzing the logs.

Regards,
Panagiotis
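An added example, not part of the original post, of the kind of log scripting the request refers to: joining each clamav-milter "Intercepted virus" line with the MTA's envelope line on the queue ID to recover the sending relay's IP. It assumes sendmail's `from=..., relay=host [ip]` log line; `relay_for_intercepts` is a hypothetical helper name, and the addresses, the sendmail line and the second message are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): join clamav-milter intercept
# lines with sendmail "from=" lines on the queue ID to recover the relay IP.
# relay_for_intercepts is a hypothetical helper name.

# Constructed sample: the milter lines follow the format quoted in the
# thread; addresses, the sendmail line and the second message are made up.
sample_maillog() {
    cat <<'EOF'
Jun 30 03:38:27 diomedes sendmail[81507]: j5U0cN65081507: from=<a@example.org>, size=2048, class=0, nrcpts=1, msgid=<1@example.org>, proto=ESMTP, daemon=MTA, relay=mx.example.org [192.0.2.25]
Jun 30 03:38:28 diomedes clamav-milter[60071]: j5U0cN65081507: /var/tmp/clamav/msg.G8CVC4: HTML.Phishing.Bank-1 Intercepted virus from <a@example.org> to <b@example.net>
Jun 30 03:38:28 diomedes clamav-milter[60071]: File quarantined as /var/tmp/clamav/050630/j5U0cN65081507.HTML.Phishing.Bank-1
Jun 30 03:40:02 diomedes clamav-milter[60071]: j5U0e1AA000002: /var/tmp/clamav/msg.EXAMPLE2: HTML.Phishing.Bank-1 Intercepted virus from <c@example.org> to <b@example.net>
EOF
}

# Read a mail log on stdin; print "queue_id signature relay_ip" for each
# intercepted message. The join happens in END, so the order in which the
# two daemons logged does not matter; a missing envelope line gives "unknown".
relay_for_intercepts() {
    awk '
        # sendmail envelope line: remember the bracketed relay address.
        $5 ~ /^sendmail\[/ && $7 ~ /^from=/ && /relay=/ {
            qid = $6; sub(/:$/, "", qid)
            r = $0; sub(/^.*relay=/, "", r); sub(/,.*$/, "", r)
            i = index(r, "["); j = index(r, "]")
            if (i && j > i) relay[qid] = substr(r, i + 1, j - i - 1)
        }
        # milter detection line: field 6 is the queue ID, field 8 the signature.
        $5 ~ /^clamav-milter\[/ && /Intercepted virus/ {
            n++; q[n] = $6; sub(/:$/, "", q[n]); sig[n] = $8
        }
        END {
            for (k = 1; k <= n; k++)
                print q[k], sig[k], ((q[k] in relay) ? relay[q[k]] : "unknown")
        }'
}

sample_maillog | relay_for_intercepts
```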
[Clamav-users] clamav-milter logging habits
From /var/log/mail:

Jun 30 03:38:28 diomedes clamav-milter[60071]: j5U0cN65081507: /var/tmp/clamav/msg.G8CVC4: HTML.Phishing.Bank-1 Intercepted virus from [EMAIL PROTECTED] to [EMAIL PROTECTED]
Jun 30 03:38:28 diomedes clamav-milter[60071]: File quarantined as /var/tmp/clamav/050630/j5U0cN65081507.HTML.Phishing.Bank-1
Jun 30 03:38:28 diomedes clamav-milter[60071]: Quarantined infected mail as /var/tmp/clamav/050630/j5U0cN65081507.HTML.Phishing.Bank-1

The last two log lines provide more or less the same information, right? Or am I missing something?

Tech details follow: we are running ClamAV version 0.86.1, clamav-milter version 0.86 and

clamav_milter_flags=-enNqd -m 75 -U /var/tmp/clamav

using clamd.conf:

LogFile /var/log/clamav/clamd.log
LogFileMaxSize 0
LogTime
LogSyslog
LogFacility LOG_MAIL
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /var/tmp/clamav-tmp
DatabaseDirectory /var/db/clamav
LocalSocket /var/run/clamav/clamd
FixStaleSocket
TCPAddr 127.0.0.1
MaxConnectionQueueLength 50
MaxThreads 30
User clamav
AllowSupplementaryGroups
ScanPE
ScanOLE2
ScanMail
ScanHTML
ScanArchive
ArchiveMaxCompressionRatio 1500

Regards,
Panagiotis
[Clamav-users] Request for --whitelist-ip-addr=FILE
Hello,

as reported to the list a couple of months ago, in some cases (my case too) emails are relayed from one mail server to another within the same network/organisation. When all the mail servers run clamav the emails get scanned more than one time.

It would be handy if clamav-milter had an option like --whitelist-ip-addr=FILE, which would allow more networks to be added in the localNets array using an external file.

Regards,
Panagiotis