Re: [clamav-users] clamav-users Digest, Vol 201, Issue 22

2021-08-26 Thread Eigeldinger Simon



Kind regards

Simon Eigeldinger
IT
Annex Building 1, 1st upper floor

Stadt Hohenems
Kaiser-Franz-Josef-Straße 4
6845 Hohenems
T: +43 5576 7101-1143 | E: simon.eigeldin...@hohenems.at | www.hohenems.at

This message and any attached documents are confidential and intended only
for the addressee(s).

-Original Message-
From: clamav-users  On behalf of
clamav-users-requ...@lists.clamav.net
Sent: Thursday, 26 August 2021 14:00
To: clamav-users@lists.clamav.net
Subject: clamav-users Digest, Vol 201, Issue 22

Today's Topics:

   1. Re:  ClamAV® blog: ClamAV 0.104.0 Second Release Candidate is
  here! (Paul Kosinski)
   2. Re: Authenticity token element not found (Philipp Ewald)


--

Message: 1
Date: Wed, 25 Aug 2021 10:25:37 -0400
From: Paul Kosinski 
To: "clamav-users@lists.clamav.net" 
Subject: Re: [clamav-users]  ClamAV® blog: ClamAV 0.104.0 Second
Release Candidate is here!
Message-ID: <20210825102537.76e2f05b@ime1.iment.local>
Content-Type: text/plain; charset=US-ASCII

On Tue, 24 Aug 2021 23:08:52 +
"Micah Snyder (micasnyd)"  wrote:

> This conversation is a fun read!  But don't worry really no point removing 
> the docs from the source package or the pre-compiled packages.  Including it 
> is painless at this point.  If you're curious why, here's the process...
> 
> The documentation website source is hosted in our 
> Cisco-Talos/clamav-documentation<https://github.com/Cisco-Talos/clamav-documentation>
>  repo.
> 
> Any time there is a change to the docs, GitHub Actions automatically 
> re-builds the static site using mdBook and force-pushes it to the 
> gh-pages<https://github.com/Cisco-Talos/clamav-documentation/tree/gh-pages> 
> branch to publish it.
> 
> To include the docs in the source tarball, all we do (Jenkins does) is copy 
> the contents of that branch into the 
> clamav/docs/html<https://github.com/Cisco-Talos/clamav/tree/main/docs/html> 
> directory before building the source package.
> 
> From there, the build system takes care of it.  The docs/html directory is 
> bundled into the tarball, and when building the pre-compiled packages, the 
> html directory is marked for installation and so is included in each 
> package.  
> 
> That also means that if you're not building from the release tarball (i.e. if 
> you're building from a git clone), you won't get an offline copy of the 
> documentation.
> 
> -Micah
> 
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.


Sounds good!


--

Message: 2
Date: Wed, 25 Aug 2021 16:31:56 +0200
From: Philipp Ewald 
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] Authenticity token element not found
Message-ID: <672df378-8b5e-232b-0c46-57b9c3ecb...@digionline.de>
Content-Type: text/plain; charset=utf-8; format=flowed

interesting:


Re: [clamav-users] Warning: No matches found for: clamav on CentOS Linux release 7.9.2009 (Core)

2021-07-19 Thread Simon Wilson via clamav-users
- Message from Kaushal Shriyan via clamav-users  
 -

Date: Mon, 19 Jul 2021 14:34:30 +0530
From: Kaushal Shriyan via clamav-users 
Reply-To: ClamAV users ML 
 Subject: [clamav-users] Warning: No matches found for: clamav on  
CentOS Linux release 7.9.2009 (Core)

  To: ClamAV users ML 
  Cc: Kaushal Shriyan 



Hi,

I am running CentOS Linux release 7.9.2009 (Core) and installed epel
repository.

# rpm -qa | grep epel
epel-release-7-13.noarch
# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
# yum search clamav
Loaded plugins: fastestmirror
Determining fastest mirrors
 * base: mirrors.piconets.webwerks.in
 * extras: mirrors.piconets.webwerks.in
 * updates: mirrors.piconets.webwerks.in
base                                          | 3.6 kB  00:00:00
docker-ce-stable                              | 3.5 kB  00:00:00
elastic-7.x                                   | 1.3 kB  00:00:00
extras                                        | 2.9 kB  00:00:00
ius                                           | 1.3 kB  00:00:00
mariadb                                       | 2.9 kB  00:00:00
nginx                                         | 2.9 kB  00:00:00
updates                                       | 2.9 kB  00:00:00
(1/10): base/7/x86_64/group_gz                | 153 kB  00:00:00
(2/10): extras/7/x86_64/primary_db            | 242 kB  00:00:00
(3/10): elastic-7.x/primary                   | 288 kB  00:00:00
(4/10): docker-ce-stable/7/x86_64/primary_db  |  62 kB  00:00:00
(5/10): docker-ce-stable/7/x86_64/updateinfo  |   55 B  00:00:00
(6/10): ius/x86_64/primary                    | 100 kB  00:00:01
(7/10): updates/7/x86_64/primary_db           | 8.8 MB  00:00:04
(8/10): base/7/x86_64/primary_db              | 6.1 MB  00:00:05
(9/10): nginx/7/x86_64/primary_db             |  67 kB  00:00:04
(10/10): mariadb/primary_db                   |  36 kB  00:00:05
elastic-7.x                                   880/880
ius                                           467/467
Warning: No matches found for: clamav
No matches found

Am I missing anything? Please suggest further. Thanks in Advance.

Best Regards,

Kaushal



- End message from Kaushal Shriyan via clamav-users  
 -


Doesn't look like EPEL is being checked - look at the list of repos.  
Is it enabled?


See below on a CentOS 7 server:

[root@emp75 ~]# yum search clamav
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.mirror.ausnetservers.net.au
 * epel: epel.mirror.digitalpacific.com.au
 * extras: centos.mirror.ausnetservers.net.au
 * updates: centos.mirror.ausnetservers.net.au
============ N/S matched: clamav ============
clamav-filesystem.noarch : Filesystem structure for clamav
clamav-unofficial-sigs.noarch : Scripts to download unofficial clamav signatures
clamav.x86_64 : End-user tools for the Clam Antivirus scanner
clamav-data.noarch : Virus signature data for the Clam Antivirus scanner
clamav-devel.x86_64 : Header files and libraries for the Clam Antivirus scanner
clamav-lib.x86_64 : Dynamic libraries for the Clam Antivirus scanner
clamav-milter.x86_64 : Milter module for the Clam Antivirus scanner
clamav-update.x86_64 : Auto-updater for the Clam Antivirus scanner data-files

  Name and summary matches only, use "search all" for everything.


--
Simon Wilson
M: 0400 12 11 16


___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] configure: error: Your libcurl is misconfigured. libcurl (e.g. libcurl-devel) is required in order to build freshclam and clamsubmit

2021-07-15 Thread Simon Wilson via clamav-users
- Message from "G.W. Haywood via clamav-users"  
 -

Date: Thu, 15 Jul 2021 11:32:37 +0100 (BST)
From: "G.W. Haywood via clamav-users" 
Reply-To: ClamAV users ML 
 Subject: Re: [clamav-users] configure: error: Your libcurl is  
misconfigured. libcurl (e.g. libcurl-devel) is required in order to  
build freshclam and clamsubmit

  To: Kin Sou via clamav-users 
  Cc: "G.W. Haywood" 



Hi there,

On Thu, 15 Jul 2021, Kin Sou via clamav-users wrote:


> I am installing clamav 0.102.3 on CentOS8.4 ...


Please can you confirm that you're trying to install version 0.102.3?

If so, I suggest that you don't do that.  Better to install the latest
version (which is 0.103.3) and, in view of very recent events (see the
mailing list for the last day or so), perhaps even wait for 0.103.4 to
be released which I guess will be soon.


> checking for curl-config... /usr/bin/curl-config
> ./configure: line 30064: auto=yes: command not found
> checking for curl_easy_init in -lcurl... no
> configure: error: Your libcurl is misconfigured. libcurl (e.g.
> libcurl-devel) is required in order to build freshclam and clamsubmit.
>
> How to solve this hurdle?


The line number 30064 doesn't seem to match with the version of the script
which I have in the original tarball.  Is this a RedHat source package?
It seems to be saying that you don't have /usr/bin/curl-config which might
mean that you haven't installed it, or that you've installed it somewhere
strange, or this might be a red herring.  Anyway I'd suggest starting with
a clean sheet and at least downloading the latest official source tarball
from the ClamAV site before you try again.



- End message from "G.W. Haywood via clamav-users"  
 -


It would be FAR easier to install Clamav 103.3 from EPEL repository  
for CentOS / RH than build from source, especially when releases get  
published through EPEL very quickly.


Simon

--
Simon Wilson
M: 0400 12 11 16




Re: [clamav-users] Restriction of downloads

2021-03-12 Thread Simon Wilson via clamav-users
- Message from "Joel Esler (jesler) via clamav-users"  
 -

Date: Sat, 13 Mar 2021 01:49:34 +
From: "Joel Esler (jesler) via clamav-users"  


Reply-To: ClamAV users ML 
 Subject: Re: [clamav-users] Restriction of downloads
  To: ClamAV users ML 
  Cc: "Joel Esler (jesler)" 



Would the community be willing to pay for updates?


The thing I can't get over is the sense of entitlement coming out of  
some of the emails to this list for a service provided at no cost that  
is now being reasonably restricted because of impact on the people  
providing it *at no charge*, which if not resolved could potentially  
remove the ability for *any* of us to use it.


Go figure... Even more bizarre is people trying to create and share  
workarounds. Ah well...


From my POV Clamav has provided me with a great (free) tool for many  
years at only the cost of my time to learn it, and with a great and  
supportive community. If it were to move to a model wherein there was  
reasonable contribution I'd sign up for it.


Purely selfishly :) perhaps a model appropriately structured for home  
users like me (with < 10 users) to get updates with more for corporate  
/ govt users. :-D




--
Simon Wilson
M: 0400 12 11 16




Re: [clamav-users] Freshclam failing to get update

2021-02-11 Thread Simon Banton via clamav-users
Ah, OK, thanks.

S.

On Thu, 11 Feb 2021 at 13:49, G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Thu, 11 Feb 2021, Simon Banton via clamav-users wrote:
>
> > Is there anything about ClamAV v0.97.3 that would mean it's suddenly
> > unable to fetch the daily updates via freshclam? I know it's an old
> > version, but this is on a very old box running Centos 4 so upgrading
> > isn't practical at the moment (for, you know, *reasons*).
>
> You need to upgrade.
>
> All versions of ClamAV before 0.100 are now past End Of Life and obsolete.
>
> You should also at least subscribe to the 'clamav-announce' mailing list,
> where this was announced (yesterday).
>
> --
>
> 73,
> Ged.
>


[clamav-users] Freshclam failing to get update

2021-02-11 Thread Simon Banton via clamav-users
Hi,

Is there anything about ClamAV v0.97.3 that would mean it's suddenly unable
to fetch the daily updates via freshclam? I know it's an old version, but
this is on a very old box running Centos 4 so upgrading isn't practical at
the moment (for, you know, *reasons*).

Suddenly started seeing this whenever freshclam tries to run:

Feb 11 13:07:01 ptah freshclam[24470]: ClamAV update process started at Thu Feb 11 13:07:01 2021
Feb 11 13:07:01 ptah freshclam[24470]: main.cvd is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Feb 11 13:07:07 ptah freshclam[24470]: nonblock_connect: connect(): fd=4 errno=101: Network is unreachable
Feb 11 13:07:07 ptah freshclam[24470]: Can't connect to port 80 of host db.gb.clamav.net (IP: 2606:4700::6810:da54)
Feb 11 13:07:07 ptah freshclam[24470]: Trying host db.gb.clamav.net (2606:4700::6810:db54)...
Feb 11 13:07:07 ptah freshclam[24470]: nonblock_connect: connect(): fd=4 errno=101: Network is unreachable
Feb 11 13:07:07 ptah freshclam[24470]: Can't connect to port 80 of host db.gb.clamav.net (IP: 2606:4700::6810:db54)
Feb 11 13:07:07 ptah freshclam[24470]: getpatch: Can't download daily-26077.cdiff from db.gb.clamav.net
Feb 11 13:07:07 ptah freshclam[24470]: nonblock_connect: connect(): fd=4 errno=101: Network is unreachable
Feb 11 13:07:07 ptah freshclam[24470]: Can't connect to port 80 of host db.gb.clamav.net (IP: 2606:4700::6810:da54)
Feb 11 13:07:07 ptah freshclam[24470]: Trying host db.gb.clamav.net (2606:4700::6810:db54)...
Feb 11 13:07:07 ptah freshclam[24470]: nonblock_connect: connect(): fd=4 errno=101: Network is unreachable
Feb 11 13:07:07 ptah freshclam[24470]: Can't connect to port 80 of host db.gb.clamav.net (IP: 2606:4700::6810:db54)
Feb 11 13:07:07 ptah freshclam[24470]: getpatch: Can't download daily-26077.cdiff from db.gb.clamav.net
Feb 11 13:07:14 ptah freshclam[24470]: nonblock_connect: connect(): fd=4 errno=101: Network is unreachable
Feb 11 13:07:15 ptah freshclam[24470]: Can't connect to port 80 of host db.gb.clamav.net (IP: 2606:4700::6810:db54)
Feb 11 13:07:15 ptah freshclam[24470]: Trying host db.gb.clamav.net (2606:4700::6810:da54)...
Feb 11 13:07:15 ptah freshclam[24470]: nonblock_connect: connect(): fd=4 errno=101: Network is unreachable
Feb 11 13:07:15 ptah freshclam[24470]: Can't connect to port 80 of host db.gb.clamav.net (IP: 2606:4700::6810:da54)
Feb 11 13:07:15 ptah freshclam[24470]: getpatch: Can't download daily-26077.cdiff from db.gb.clamav.net
Feb 11 13:07:16 ptah freshclam[24470]: Incremental update failed, trying to download daily.cvd
Feb 11 13:07:16 ptah freshclam[24470]: nonblock_connect: connect(): fd=4 errno=101: Network is unreachable
Feb 11 13:07:16 ptah freshclam[24470]: Can't connect to port 80 of host db.gb.clamav.net (IP: 2606:4700::6810:da54)
Feb 11 13:07:16 ptah freshclam[24470]: Trying host db.gb.clamav.net (2606:4700::6810:db54)...
Feb 11 13:07:16 ptah freshclam[24470]: nonblock_connect: connect(): fd=4 errno=101: Network is unreachable
Feb 11 13:07:16 ptah freshclam[24470]: Can't connect to port 80 of host db.gb.clamav.net (IP: 2606:4700::6810:db54)
Feb 11 13:07:16 ptah freshclam[24470]: Can't download daily.cvd from db.gb.clamav.net
Feb 11 13:07:16 ptah freshclam[24470]: Trying again in 5 secs...

This started to happen yesterday after years of trouble free operation.
Nothing on my box's configuration has changed between freshclam working and
it not working.

Any pointers as to a possible cause would be most welcome.

Cheers
Simon



Re: [clamav-users] Services Difference & Memory Utilization

2020-09-13 Thread Simon Wilson via clamav-users
CentOS 8 needs 2GB just to install. In my experience you will struggle to get 
*anything* useful to run with 2GB.

Simon Wilson

From: bobby via clamav-users 
Sent: Monday, 14 September 2020 10:34 am
To: clamav-users@lists.clamav.net
Cc: bobby
Subject: [clamav-users] Services Difference & Memory Utilization

I noticed on my CentOS 8 machine, there are two different services listed:
clamd@multi-user.service and system-clamd.slice.  I don't have enough memory
to run the first one, but only the second one (192M).  Is clamd really running?
What is the difference between these two services?
I only have 2 GB of memory.  Is there any way to run clamd? I get this error
when I try to run it:
[201060.293876] Out of memory: Killed process 254784 (clamd) total-vm:830500kB, anon-rss:682068kB, file-rss:0kB, shmem-rss:0kB, UID:983
[201095.669009]  out_of_memory+0x1ba/0x490



Re: [clamav-users] Scanning files with ClamAV on Windows

2020-04-23 Thread Simon Eigeldinger

Hi,

Thanks for writing back.
Will have a look at the documentation and at the archive.

Greetings,
Simon



On 22.04.2020 at 01:48, G.W. Haywood via clamav-users wrote:

> Hi there,
>
> On Wed, 22 Apr 2020, Simon Eigeldinger wrote:
>
>> I plan to set up some ClamAV instances on Windows Servers to scan some
>> office documents and other files.
>
> If I were going to scan files for Windows malware, I wouldn't use a
> Windows box to scan them - but that's up to you.
>
>> So helping the other scanner which is already installed and to see
>> if it is missing a virus.
>
> I'd expect you'd have more luck if you used the other scanner to see
> what was missed by ClamAV.
>
>> I have just some stupid questions :-) :
>
> They're not stupid, but they do really only scratch the surface.
>
>> Which signatures to use?
>> The default ones that come with the example config?
>
> Any that you can get hold of.  There are a lot of them about.  The
> Sansecurity signatures get a good press but I use them to fight spam
> rather than protect against malware.  I personally think that if you
> can find malware on a machine, it's already too late to be looking.
>
>> Any config I should take a look at?
>
> There's a lot of documentation, you should read it.
>
>> As far as I have seen ClamAV isn't scanning the whole file just a
>> part of it.  Do viruses sit at a special point of a file or do
>> traces of them exist at special spots?
>
> It's not really like that.  Drink deep, or taste not...
>
> ClamAV needs to know something about the different types of files, so
> it can do a better job of scanning, and there's an upper limit to the
> amount of data that ClamAV will scan in any event.  There have been
> discussions about it on this list, please spend some quality time with
> the archives.





[clamav-users] Scanning files with ClamAV on Windows

2020-04-21 Thread Simon Eigeldinger

Hi all,

I plan to set up some ClamAV instances on Windows Servers to scan some 
office documents and other files.
So helping the other scanner which is already installed and to see if it 
is missing a virus.


I have just some stupid questions :-) :
Which signatures to use?
The default ones that come with the example config?
Any config I should take a look at?
As far as I have seen ClamAV isn't scanning the whole file just a part 
of it.
Do viruses sit at a special point of a file or do traces of them exist 
at special spots?


Greetings and thanks for helping. It is very appreciated.

Simon



Re: [clamav-users] ClamAV reputation rating

2019-06-24 Thread Simon Hobson via clamav-users
Epicon Elysium via clamav-users  wrote:

> Does ClamAV support in enabling the reputation rating? Seems I couldn't find 
> any info when searching for it. There's nothing mentioned in the config file 
> as well.

AIUI no, it doesn't have anything for that.
However, a very common setup is use AMaViS to scan mail, with ClamAV as just 
one of the tools it uses - the other tools can include things like reputation 
rating (eg sender real-time blacklists and so on).
You might also want to have a look at PolicyD (aka Cluebringer) which brings 
other tools to the party - such as greylisting and quotas.




Re: [clamav-users] Possible problem with daily.cld 25460 / CVE-2019-0903

2019-05-26 Thread Simon Mousey Smith via clamav-users
Hi

Same here UK clamav with our mailcleaner 

Every one of our backup pdfs are being marked with this even though they have
been fine for years

Prob a false positive

Regards

Simon

Sent from my iPhone

> On 25 May 2019, at 21:54, Hans Morten Kind via clamav-users 
>  wrote:
> 
> Seems like every pdf-file is marked as infected by
>  Win.Exploit.CVE_2019_0903-6966169-0
> 
> I have put it into local.ign2 and restarted my clamd 
> hmk
> 
> 


[clamav-users] clamscan, fmap errors and --max-filesize

2019-05-21 Thread Simon Oxwell
Hi,

Longtime user, first-time poster ;)

I'm having some issues with trying to get clamscan to skip over some
very large files, without running into memory allocation issues.

A problem directory looks like this:

# ls -alh
total 2.6G
drwxr-xr-x   2 root root   72 May 22 12:17 .
drwxrwxrwt. 12 root root 4.0K May 22 12:16 ..
-rw-r--r--   1 root root 1.7G May 22 12:13 bigfile1
-rw-r--r--   1 root root 851M May 22 12:14 bigfile2
-rw-r--r--   1 root root  10K May 22 12:10 file1
-rw-------   1 root root  94M May 22 12:13 file2
-rw-r--r--   1 root root 264K May 22 12:14 file3

and scanning it does this:

# clamscan -r .
./file1: OK
LibClamAV Warning: fmap: map allocation failed
LibClamAV Error: CRITICAL: fmap() failed
./bigfile1: Can't allocate memory ERROR
./bigfile2: OK
./file3: OK
./file2: OK

--- SCAN SUMMARY ---
Known viruses: 6133971
Engine version: 0.101.2
Scanned directories: 1
Scanned files: 4
Infected files: 0
Total errors: 1
Data scanned: 0.00 MB
Data read: 2624.80 MB (ratio 0.00:1)
Time: 47.989 sec (0 m 47 s)

So, ah-ha, I think, obviously I need to limit the file size being
scanned, so add a --max-filesize flag, but:

# clamscan -r --max-filesize=1024 .
./file1: OK
LibClamAV Warning: fmap: map allocation failed
LibClamAV Error: CRITICAL: fmap() failed
./bigfile1: Can't allocate memory ERROR
./bigfile2: OK
./file3: OK
./file2: OK

--- SCAN SUMMARY ---
Known viruses: 6133971
Engine version: 0.101.2
Scanned directories: 1
Scanned files: 4
Infected files: 0
Total errors: 1
Data scanned: 0.00 MB
Data read: 2624.80 MB (ratio 0.00:1)
Time: 49.758 sec (0 m 49 s)

Same outcome. Tried with the debug flag and this was the relevant bit:

LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV Warning: fmap: map allocation failed
LibClamAV Error: CRITICAL: fmap() failed
LibClamAV debug: cli_magic_scandesc: returning 20  at line 3891 (no post, no cache)
./bigfile: Can't allocate memory ERROR

So it looks like clamscan is trying to determine the file type before it
then decides if it's too large (in case it's a container?), so fmap()'s
it and then can't allocate memory?

I've got a fair number of servers and VMs being scanned, and I make
sure that scan errors (i.e. exit code 2, unknown error) like this are sent
to the monitoring system for investigation, and this is generating noise.
How do I work around this?

(I've considered running a find / -type f -size -50M or similar, dumping
that to a file and feeding that to clamscan via the -f flag, but any
transitory file that's gone away by the time that clamscan gets to it
produces a missing file error, and also exits with code 2, so that's not
great either)

Thanks,


Simon

-- 
Simon Oxwell | Hosting Team

Funnelback
P: +61 2 6176 3170 | F: +61 2 6230 7313
soxw...@funnelback.com  | www.funnelback.com
A: Ground Floor, 51 Allara Street, Civic, Canberra 2601
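
Added example (not part of the original post and not ClamAV project code): in both runs above the summary reports "Infected files: 0" while ./bigfile1 was never scanned, so a monitoring hook should read the per-file result lines rather than the summary alone. The Python below parses the second run as posted; the function names and the verdict labels are assumptions of this example.

```python
import re

# clamscan output copied from the --max-filesize=1024 run in the message above.
SAMPLE_OUTPUT = """\
./file1: OK
LibClamAV Warning: fmap: map allocation failed
LibClamAV Error: CRITICAL: fmap() failed
./bigfile1: Can't allocate memory ERROR
./bigfile2: OK
./file3: OK
./file2: OK

--- SCAN SUMMARY ---
Known viruses: 6133971
Engine version: 0.101.2
Scanned directories: 1
Scanned files: 4
Infected files: 0
Total errors: 1
Data scanned: 0.00 MB
Data read: 2624.80 MB (ratio 0.00:1)
Time: 49.758 sec (0 m 49 s)
"""

# Per-file result lines end in "OK", "<signature> FOUND" or "<reason> ERROR".
RESULT_RE = re.compile(
    r"^(?P<path>.+?): (?:(?P<ok>OK)|(?P<sig>.+) FOUND|(?P<err>.+) ERROR)$")
LIB_RE = re.compile(r"^LibClamAV (?P<level>Warning|Error): (?P<msg>.*)$")


def parse_clamscan(output):
    """Split clamscan output into clean, infected and unscanned files."""
    report = {"clean": [], "infected": {}, "unscanned": {},
              "library": [], "summary": {}}
    in_summary = False
    for raw in output.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if "SCAN SUMMARY" in line:
            in_summary = True
            continue
        if in_summary:
            key, sep, value = line.partition(": ")
            if sep:
                report["summary"][key] = value
            continue
        lib = LIB_RE.match(line)
        if lib:
            report["library"].append((lib["level"], lib["msg"]))
            continue
        res = RESULT_RE.match(line)
        if res is None:
            continue  # debug or other chatter
        if res["ok"]:
            report["clean"].append(res["path"])
        elif res["sig"]:
            report["infected"][res["path"]] = res["sig"]
        else:
            # An ERROR line means the file was not scanned, not that it is clean.
            report["unscanned"][res["path"]] = res["err"]
    return report


def verdict(report):
    """Map a parsed run to a monitoring state (labels are this example's own)."""
    if report["infected"]:
        return "infected"
    if report["unscanned"]:
        reasons = set(report["unscanned"].values())
        # The fmap allocation failure from the post gets its own label so it
        # can be routed separately, but it is still a gap in scan coverage.
        if reasons == {"Can't allocate memory"}:
            return "unscanned-memory"
        return "unscanned-other"
    if int(report["summary"].get("Total errors", "0")):
        return "unscanned-other"
    return "clean"


if __name__ == "__main__":
    parsed = parse_clamscan(SAMPLE_OUTPUT)
    print(verdict(parsed), parsed["unscanned"])
```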





Re: [clamav-users] ClamAV Central Management tools

2018-10-18 Thread Simon Hobson
Robert Schetterer  wrote:

> Div monitors should be fine to code for such things
> like monit, munin, xymon, icinga, nagios , zabbix etc

Nagios has a plugin for it (someone's already done the coding), I used to use 
it at my last job.



Re: [clamav-users] FreshClam - DNS issues since October 31st

2017-11-09 Thread Simon Mousey Smith
Hi,

We started seeing the same problem here

It was fine during the night but then this morning started again with the 
WARNING messages?

[root@mailgw ~]# host -t txt current.cvd.clamav.net
current.cvd.clamav.net descriptive text 
"0.99.2:58:24027:1510207861:1:63:46632:318"
[root@mailgw ~]# date
Thu Nov  9 10:27:43 GMT 2017
[root@mailgw ~]# 

Regards

Simon

> On 9 Nov 2017, at 10:05, Adolf Belka <adolf.be...@gmail.com> wrote:
> 
> I am still seeing the message. Periodically it stops and when I check that is 
> when the time from the DNS record has become closer to my computer's time but 
> then the delta progressively increases and exceeds the 3 hours and the 
> message starts again. Today it started again at 10:12 (Netherlands time 
> zone). At 9:56 it was fine.
> 
> Here is the DNS TXT value I get:-
> 
> current.cvd.clamav.net descriptive text 
> "0.99.2:58:24027:1510207861:1:63:46632:318"
> 
> My current computer time was 1510221600.
> 
> The following came from the dig command:-
> 
> ; <<>> DiG 9.9.5-3ubuntu0.16-Ubuntu <<>> current.cvd.clamav.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20331
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;current.cvd.clamav.net.  IN  A
> 
> ;; AUTHORITY SECTION:
> cvd.clamav.net.  3600  IN  SOA  ns3.clamav.net. hostmaster.oltrelinux.com. 2006375260 1800 900 604800 7200
> 
> ;; Query time: 281 msec
> ;; SERVER: 192.168.26.254#53(192.168.26.254)
> ;; WHEN: Thu Nov 09 11:03:50 CET 2017
> ;; MSG SIZE  rcvd: 116
> 
> Regards,
> 
> Adolf Belka
> 
> Sent from my Desktop Computer
> 
> On 08/11/17 20:47, David Raynor wrote:
>> The DNS records are being updated at the source properly now. If you are
>> still seeing an error, then the proper record is not reaching the server
>> you are contacting for DNS or not propagating correctly to your area or
>> something like that.
>> 
>> If you are still seeing those errors, let us know what the value of the DNS
>> TXT record you are seeing for current.cvd.clamav.net. You can use "host" or
>> "dig" or another command to check it.
>> 
>> Example (with current value):
>> 
>> $ host -t txt current.cvd.clamav.net
>> current.cvd.clamav.net descriptive text
>> "0.99.2:58:24025:1510165084:1:63:46630:318"
>> 
>> Dave R.
>> 
>> On Wed, Nov 8, 2017 at 11:34 AM, Noel Jones <njo...@megan.vbhcs.org> wrote:
>> 
>>> I'm still getting these errors too.   :\
>>> 
>>> 
>>> 
>>> 
>>>   -- Noel Jones
>>> 
>>> 
>>> On 11/8/2017 9:50 AM, Joel Esler (jesler) wrote:
>>>> The team working on these issues is seeing these emails, so it’s good
>>> that you are writing in, if you are still experiencing issues.
>> 
>> 
> 
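
Added example (not freshclam code and not written by any poster in this thread): it splits the current.cvd.clamav.net TXT value quoted above into fields and repeats the "older than 3 hours" comparison for the clock readings given in the thread. The field names, the strict greater-than comparison, and the :00 seconds used for the two readings given only to the minute are assumptions of this example; the thread itself confirms only that the fourth field is a Unix timestamp.

```python
from collections import namedtuple
from datetime import datetime, timezone

# Limit named in the warning "DNS record is older than 3 hours"; comparing
# with a strict ">" is an assumption of this example.
MAX_AGE_SECONDS = 3 * 60 * 60

# Field names are assumptions; the posters only identify the fourth field
# (a Unix timestamp) by comparing it with their local clock.
FIELDS = ("engine_version", "main_version", "daily_version", "record_time",
          "version_warning", "f_level", "safebrowsing_version",
          "bytecode_version")
DnsRecord = namedtuple("DnsRecord", FIELDS)

# TXT value quoted by two posters on 9 Nov 2017.
TXT_VALUE = '"0.99.2:58:24027:1510207861:1:63:46632:318"'


def parse_txt(value):
    """Split a current.cvd.clamav.net TXT value into typed fields."""
    parts = value.strip().strip('"').split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    try:
        numbers = [int(p) for p in parts[1:]]
    except ValueError as exc:
        raise ValueError("non-numeric field in %r" % value) from exc
    return DnsRecord(parts[0], *numbers)


def utc_epoch(year, month, day, hour, minute, second=0):
    """Unix time for a UTC wall-clock reading."""
    moment = datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    return int(moment.timestamp())


def record_age(record, now):
    """Seconds between the record's timestamp and the local clock."""
    return now - record.record_time


def is_stale(record, now, max_age=MAX_AGE_SECONDS):
    return record_age(record, now) > max_age


# Clock readings from the thread, converted to UTC (CET is UTC+1). The first
# two are checked against the same record as the others, which is an
# assumption: the post does not say which record was served at those times.
READINGS = [
    ("09:56 CET, reported fine", utc_epoch(2017, 11, 9, 8, 56)),
    ("10:12 CET, warning resumed", utc_epoch(2017, 11, 9, 9, 12)),
    ("local clock 1510221600", 1510221600),
    ("10:27:43 GMT, host -t txt", utc_epoch(2017, 11, 9, 10, 27, 43)),
]


def timeline(txt_value=TXT_VALUE, readings=READINGS):
    """Return (label, age in seconds, stale?) for each clock reading."""
    record = parse_txt(txt_value)
    return [(label, record_age(record, now), is_stale(record, now))
            for label, now in readings]


if __name__ == "__main__":
    for label, age, stale in timeline():
        hours, rest = divmod(age, 3600)
        print("%-28s age %dh%02dm%02ds  %s" % (
            label, hours, rest // 60, rest % 60, "STALE" if stale else "ok"))
```

A record that is already hours old when fetched points at the published record or a resolver cache, while an age that is negative or implausibly large points at the local clock.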

Re: [clamav-users] FreshClam - DNS issues since October 31st

2017-11-08 Thread Simon Mousey Smith
Maybe not every day but every week maybe?

Has the issue been resolved yet?

Simon

> On 8 Nov 2017, at 14:02, Reindl Harald <h.rei...@thelounge.net> wrote:
> 
> 
> 
> On 08.11.2017 at 14:43, Jeff wrote:
>> Since October 31st, I get the following DNS warnings every time freshclam
>> runs:
>> ...
>> ClamAV update process started at Tue Nov 07 09:26:33 2017
>> +++WARNING: DNS record is older than 3 hours.+++
>> +++WARNING: Invalid DNS reply. Falling back to HTTP mode.+++
> 
> do we really need each day a new thread about it?


Re: [clamav-users] fail updates

2017-11-07 Thread Simon Mousey Smith
Hi,

Still having a few issues here, even after ' rm -rfv mirrors.dat '

Reading CVD header (main.cvd): WARNING: main.cvd not found on remote server
WARNING: Can't read main.cvd header from db.gb.clamav.net (IP: 193.1.193.64)

WARNING: DNS record is older than 3 hours.
WARNING: Invalid DNS reply. Falling back to HTTP mode.

Regards

Simon

> On 7 Nov 2017, at 00:41, Paul Kosinski <clamav-us...@iment.com> wrote:
> 
> I killed our "mirrors.dat" at 2017-11-06 19:35:35 (EST). It was last
> modified at 2017-11-06 18:06:29 (EST). We'll see what happens.
> 
> Paul Kosinski
> 
> 
> 
> On Mon, 6 Nov 2017 21:21:58 +
> "Joel Esler (jesler)" <jes...@cisco.com> wrote:
> 
>> It would be helpful, if, starting now, deleting mirrors.dat and
>> *then* telling us about failing mirrors…. Cause…. We’ve done many
>> changes in the past month, it would be good to start from a clean
>> slate.
>> 
>> 
>> --
>> Joel Esler | Talos: Manager | jes...@cisco.com
> 

Re: [clamav-users] update mirror trouble?

2017-11-06 Thread Simon Mousey Smith
Hi,

Same here still having problems but slightly different

ClamAV update process started at Mon Nov  6 09:46:22 2017
WARNING: DNS record is older than 3 hours.
WARNING: Invalid DNS reply. Falling back to HTTP mode.
junk.ndb is up to date (version: custom database)
jurlbl.ndb is up to date (version: custom database)
phish.ndb is up to date (version: custom database)
rogue.hdb is up to date (version: custom database)
sanesecurity.ftm is up to date (version: custom database)
scam.ndb is up to date (version: custom database)
spamimg.hdb is up to date (version: custom database)
winnow_malware.hdb is up to date (version: custom database)
winnow_malware_links.ndb is up to date (version: custom database)
sigwhitelist.ign2 is up to date (version: custom database)
spamattach.hdb is up to date (version: custom database)
spear.ndb is up to date (version: custom database)
spearl.ndb is up to date (version: custom database)
blurl.ndb is up to date (version: custom database)
winnow.attachments.hdb is up to date (version: custom database)
winnow_bad_cw.hdb is up to date (version: custom database)
winnow_extended_malware.hdb is up to date (version: custom database)
bofhland_cracked_URL.ndb is up to date (version: custom database)
bofhland_malware_URL.ndb is up to date (version: custom database)
bofhland_phishing_URL.ndb is up to date (version: custom database)
bofhland_malware_attach.hdb is up to date (version: custom database)
crdfam.clamav.hdb is up to date (version: custom database)
malwarehash.hsb is up to date (version: custom database)
porcupine.ndb is up to date (version: custom database)
phishtank.ndb is up to date (version: custom database)
porcupine.hsb is up to date (version: custom database)
hackingteam.hsb is up to date (version: custom database)
badmacro.ndb is up to date (version: custom database)
Sanesecurity_sigtest.yara is up to date (version: custom database)
Sanesecurity_spam.yara is up to date (version: custom database)
Reading CVD header (main.cvd): WARNING: Can't read main.cvd header from 
database.clamav.net (IP: )
Trying again in 5 secs…

Regards

Simon

> On 6 Nov 2017, at 06:16, Tsutomu Oyamada <oyam...@promark-inc.com> wrote:
> 
> Hi,
> 
> It looks like updating of the CVD in database.clamav.net is not working
> (stopping).
> Has any trouble happened?
> 
> We are in Japan, and the CNAME for database.clamav.net is set to
> db.jp.clamav.net.
> db.jp.clamav.net has 4 IP addresses and those are working in round robin.
> Every site is working, but the CVD version stops at 24010 as follows.
> 
> db.jp.clamav.net.   39  IN  A   218.44.253.75
> db.jp.clamav.net.   39  IN  A   203.178.137.175
> db.jp.clamav.net.   39  IN  A   27.96.54.66
> db.jp.clamav.net.   39  IN  A   124.35.85.83
> 
> 

Re: [clamav-users] Mirror Sync Outage for ClamAV updates

2017-11-01 Thread Simon Mousey Smith
Would this explain why all morning I've been getting this error?

WARNING: DNS record is older than 3 hours.
WARNING: Invalid DNS reply. Falling back to HTTP mode.

Regards

Simon

> On 1 Nov 2017, at 14:43, Joel Esler (jesler) <jes...@cisco.com> wrote:
> 
> http://blog.clamav.net/2017/11/mirror-sync-outage-for-clamav-av-updates.html
> 
> ClamAV Community --
> 
> ClamAV is currently experiencing an issue with one of our sync servers that 
> provides updates from our infrastructure out to the ClamAV mirrors.
> 
> Since end-users receive their updates from the ClamAV mirrors, this means 
> that currently, ClamAV AV updates are currently not available.
> 
> Our operations team is currently working on the issue, and we will provide 
> updates as needed.
> 
> --
> Joel Esler | Talos: Manager | jes...@cisco.com
> 


Re: [clamav-users] Ppt.Exploit.CVE_2017_0199-6336815-1 FP?

2017-10-05 Thread Simon Mousey Smith
Hi,

We have a few this morning from a few of our servers too which contain docx 
files

thisisasecretfile.docx: Ppt.Exploit.CVE_2017_0199-6336815-1 FOUND

Regards

Simon

> On 5 Oct 2017, at 09:49, Al Varnell <alvarn...@mac.com> wrote:
> 
> Please don't include signatures that apply to "Any File" in an e-mail as it 
> was detected as infected upon arrival and could easily be blocked by 
> intermediate mail servers.
> 
> -Al-
> 
> On Thu, Oct 05, 2017 at 01:42 AM, Hajo Locke wrote:
>> since yesterday we found a lot of malware called 
>> Ppt.Exploit.CVE_2017_0199-6336815-1
>> Hitrate is extremely increasing. Currently I believe this is a FP.
>> Signature looks short:
>> Ppt.Exploit.CVE_2017_0199-6336815-1 
>> This decodes to:
>> 
>> 
>> Unfortunately I can't send samples of the found docx files, because they are 
>> private.
>> Anybody else noticed this behaviour?
>> 
>> Thanks,
>> Hajo


Re: [clamav-users] Freshclam failure - Still ongoing???

2017-08-25 Thread Simon Mousey Smith
Hi

I think there is a fault with that particular provider of the mirror

whois 193.1.193.64 is showing as HEANET-MIRROR

My 'dig database.clamav.net' in the UK Liverpool 
here WAS showing as that IP address,

however the round-robin doesn’t seem to use that server anymore strangely 
enough? and NOW using others instead

Maybe contact heanet and ask them if there is an issue with their mirror server

Or change ya freshclam.conf to use another dns like db.uk.clamav.net

Regards

Simon

> On 25 Aug 2017, at 09:37, briancullen <briancul...@netspace.net.au> wrote:
> 
> The problem has me (also in Australia) still stuck on 23695:
> 
> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: 
> sigmgr)
> WARNING: getpatch: Can't download daily-23695.cdiff from database.clamav.net
> WARNING: getpatch: Can't download daily-23695.cdiff from database.clamav.net
> ERROR: getpatch: Can't download daily-23695.cdiff from database.clamav.net
> WARNING: Incremental update failed, trying to download daily.cvd
> WARNING: getfile: daily.cvd not found on remote server (IP: 193.1.193.64)
> ERROR: Can't download daily.cvd from database.clamav.net
> Giving up on database.clamav.net...
> 
>> On 25 Aug 2017, at 6:24 pm, Paul Dean <c...@thecave.ws> wrote:
>> 
>> Hi,
>> 
>> I've checked the lists and nuked the mirror.dat file as suggested, but still 
>> getting failure on dling daily-23699.cdiff via freshclam.
>> Also tried via wget, and got a 404 error. So currently I'm stuck on 23698.
>> 
>> Also nuked all .cld files and still failed.
>> 
>> I've got a few servers/machines that use ClamAV, so hoping an overall fix 
>> instead of each machine would be preferable.
>> 
>> All machines are based in AU and failures happen with db.local.clamav.net 
>> and database.clamav.net.
>> 
>> -- 
>> 
>> Thanks
>> 
>> Paul Dean.
>> 
>> "Life is not WHAT you make it, it's WHO you have in it..."

Re: [clamav-users] Unable to download database

2017-08-24 Thread Simon Mousey Smith
Managed to get it working again from a user who helped 

Toss your /usr/lib/clamav/mirrors.dat file to eliminate the Ignoring mirror 
messages.

And then seemed to start working again

Simon

Sent from my iPhone

> On 24 Aug 2017, at 11:49, Gene Heskett <ghesk...@shentel.net> wrote:
> 
>> On Thursday 24 August 2017 04:11:55 Simon Mousey Smith wrote:
>> 
>> Hi All
>> 
>> Still having issue here in UK Liverpool
>> 
>> WARNING: getfile: daily.cvd not found on database.clamav.net (IP:
>> 193.1.193.64)
>> 
>> Regards
>> 
>> Simon
>> 
>> Sent from my iPhone
> 
> I'm having trouble with a couple sites in the last few hours too:
> 
> Wed Aug 23 03:10:11 2017 -> main.cld is up to date (version: 58, sigs: 
> 4566249, f-level: 60, builder: sigmgr)
> Wed Aug 23 03:10:31 2017 -> WARNING: getfile: daily-23700.cdiff not found 
> on db.us.clamav.net (IP: 204.130.133.50)
> Wed Aug 23 03:10:31 2017 -> WARNING: getpatch: Can't download 
> daily-23700.cdiff from db.us.clamav.net
> Wed Aug 23 03:10:33 2017 -> WARNING: getfile: daily-23700.cdiff not found 
> on db.us.clamav.net (IP: 194.8.197.22)
> Wed Aug 23 03:10:34 2017 -> WARNING: getpatch: Can't download 
> daily-23700.cdiff from db.us.clamav.net
> Wed Aug 23 03:10:34 2017 -> Trying host db.us.clamav.net 
> (69.163.100.14)...
> Wed Aug 23 03:11:04 2017 -> nonblock_connect: connect timing out (30 
> secs)
> Wed Aug 23 03:11:04 2017 -> Can't connect to port 80 of host 
> db.us.clamav.net (IP: 69.163.100.14)
> Wed Aug 23 03:11:04 2017 -> Trying host db.us.clamav.net 
> (200.236.31.1)...
> Wed Aug 23 03:11:10 2017 -> WARNING: getfile: daily-23700.cdiff not found 
> on db.us.clamav.net (IP: 200.236.31.1)
> Wed Aug 23 03:11:10 2017 -> WARNING: getpatch: Can't download 
> daily-23700.cdiff from db.us.clamav.net
> Wed Aug 23 03:11:40 2017 -> nonblock_connect: connect timing out (30 
> secs)
> Wed Aug 23 03:11:40 2017 -> Can't connect to port 80 of host 
> db.us.clamav.net (IP: 69.12.162.28)
> Wed Aug 23 03:11:40 2017 -> Trying host db.us.clamav.net 
> (64.6.100.177)...
> Wed Aug 23 03:12:10 2017 -> nonblock_connect: connect timing out (30 
> secs)
> Wed Aug 23 03:12:10 2017 -> Can't connect to port 80 of host 
> db.us.clamav.net (IP: 64.6.100.177)
> Wed Aug 23 03:12:10 2017 -> Trying host db.us.clamav.net 
> (150.214.142.197)...
> Wed Aug 23 03:12:40 2017 -> nonblock_recv: recv timing out (30 secs)
> Wed Aug 23 03:12:40 2017 -> WARNING: getfile: Error while reading 
> database from db.us.clamav.net (IP: 150.214.142.197): Operation now in 
> progress
> Wed Aug 23 03:12:40 2017 -> WARNING: getpatch: Can't download 
> daily-23700.cdiff from db.us.clamav.net
> Wed Aug 23 03:12:40 2017 -> Trying host db.us.clamav.net 
> (194.186.47.19)...
> Wed Aug 23 03:13:38 2017 -> nonblock_recv: recv timing out (30 secs)
> Wed Aug 23 03:13:38 2017 -> WARNING: getfile: Error while reading 
> database from db.us.clamav.net (IP: 194.186.47.19): Operation now in 
> progress
> Wed Aug 23 03:13:38 2017 -> WARNING: getpatch: Can't download 
> daily-23700.cdiff from db.us.clamav.net
> Wed Aug 23 03:13:38 2017 -> WARNING: Incremental update failed, trying to 
> download daily.cvd
> Wed Aug 23 03:14:08 2017 -> nonblock_connect: connect timing out (30 
> secs)
> Wed Aug 23 03:14:08 2017 -> Can't connect to port 80 of host 
> db.us.clamav.net (IP: 204.130.133.50)
> Wed Aug 23 03:14:38 2017 -> nonblock_connect: connect timing out (30 
> secs)
> Wed Aug 23 03:14:38 2017 -> Can't connect to port 80 of host 
> db.us.clamav.net (IP: 207.57.106.31)
> Wed Aug 23 03:14:38 2017 -> Trying host db.us.clamav.net 
> (69.12.162.28)...
> Wed Aug 23 03:15:08 2017 -> nonblock_connect: connect timing out (30 
> secs)
> Wed Aug 23 03:15:08 2017 -> Can't connect to port 80 of host 
> db.us.clamav.net (IP: 69.12.162.28)
> Wed Aug 23 03:15:08 2017 -> Trying host db.us.clamav.net 
> (64.6.100.177)...
> Wed Aug 23 03:15:38 2017 -> nonblock_connect: connect timing out (30 
> secs)
> Wed Aug 23 03:15:38 2017 -> Can't connect to port 80 of host 
> db.us.clamav.net (IP: 64.6.100.177)
> Wed Aug 23 03:15:38 2017 -> Trying host db.us.clamav.net (64.22.33.90)...
> Wed Aug 23 03:16:08 2017 -> nonblock_connect: connect timing out (30 
> secs)
> Wed Aug 23 03:16:08 2017 -> Can't connect to port 80 of host 
> db.us.clamav.net (IP: 64.22.33.90)
> Wed Aug 23 03:16:08 2017 -> Trying host db.us.clamav.net 
> (200.236.31.1)...
> Wed Aug 23 03:29:28 2017 -> Downloading daily.cvd [100%]
> Wed Aug 23 03:29:29 2017 -> ERROR: Verification: Can't verify database 
> integrity
> Wed A
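The freshclam output quoted in these threads mixes several distinct failures: a mirror that answers but lacks the file, a mirror that cannot be reached or read, and a mirror skipped because of earlier errors. The sketch below is an added example, not code from any poster or from the ClamAV project; it tallies those failures per mirror IP, and its function names and the sample log (constructed from lines of the kind quoted above) are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the freshclam output quoted in this thread.
# It deliberately includes "> " mail quoting and one line wrapped by a mail client.
SAMPLE_LOG = """\
WARNING: DNS record is older than 3 hours.
WARNING: Invalid DNS reply. Falling back to HTTP mode.
Ignoring mirror 81.91.100.173 (due to previous errors)
Ignoring mirror 129.67.1.218 (due to previous errors)
> WARNING: getfile: daily-23700.cdiff not found
> on db.us.clamav.net (IP: 204.130.133.50)
> Can't connect to port 80 of host db.us.clamav.net (IP: 69.163.100.14)
> WARNING: getfile: Error while reading database from db.us.clamav.net (IP: 150.214.142.197): Operation now in progress
WARNING: getfile: daily.cvd not found on database.clamav.net (IP: 193.1.193.64)
WARNING: getfile: daily.cvd not found on remote server (IP: 193.1.193.64)
ERROR: Can't download daily.cvd from database.clamav.net
ERROR: Verification: Can't verify database integrity
"""

# Failures that freshclam attributes to one mirror IP.
MIRROR_PATTERNS = {
    "not_found": re.compile(
        r"getfile: \S+ not found on (?:remote server|\S+) \(IP: ([\d.]+)\)"),
    "connect_failed": re.compile(
        r"Can't connect to port \d+ of host \S+ \(IP: ([\d.]+)\)"),
    "read_error": re.compile(
        r"getfile: Error while reading database from \S+ \(IP: ([\d.]+)\)"),
    "ignored": re.compile(
        r"Ignoring mirror ([\d.]+) \(due to previous errors\)"),
}

# Conditions that describe the whole update run rather than one mirror.
RUN_PATTERNS = {
    "dns_stale": re.compile(r"DNS record is older than 3 hours"),
    "http_fallback": re.compile(r"Falling back to HTTP mode"),
    "integrity_failed": re.compile(r"Verification: Can't verify database integrity"),
}

# Files freshclam finally gave up on (ERROR level, with or without "getpatch:").
FAILED_FILE = re.compile(r"ERROR: (?:getpatch: )?Can't download (\S+) from \S+")


def normalise(raw):
    """Strip mail quote markers and rejoin wrapped lines into one string."""
    lines = [re.sub(r"^[>\s]+", "", line) for line in raw.splitlines()]
    return " ".join(" ".join(lines).split())


def summarise(raw):
    """Return per-mirror failure counts, run-level flags and failed files."""
    text = normalise(raw)
    mirrors = defaultdict(Counter)
    for kind, pattern in MIRROR_PATTERNS.items():
        for match in pattern.finditer(text):
            mirrors[match.group(1)][kind] += 1
    return {
        "mirrors": {ip: dict(counts) for ip, counts in mirrors.items()},
        "flags": sorted(n for n, p in RUN_PATTERNS.items() if p.search(text)),
        "failed_files": sorted(set(FAILED_FILE.findall(text))),
    }


def suspect_mirrors(summary):
    """Mirrors that answered but did not have the file (the 404 case above).

    These are the ones worth reporting to the mirror operator; unreachable
    mirrors may simply be a local network or firewall problem.
    """
    return sorted(ip for ip, counts in summary["mirrors"].items()
                  if counts.get("not_found"))


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    for ip, counts in sorted(report["mirrors"].items()):
        print(ip, counts)
    print("run flags:", report["flags"])
    print("failed files:", report["failed_files"])
    print("answering but out of sync:", suspect_mirrors(report))
```
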

Re: [clamav-users] Freshclam failure

2017-08-24 Thread Simon Mousey Smith
BINGO!!!   GENIUS!!!   FIXED!!!

Been banging my head against the wall all morning trying to resolve it

Simon

> On 24 Aug 2017, at 11:05, Al Varnell <alvarn...@mac.com> wrote:
> 
> Toss your mirrors.dat file to eliminate the Ignoring mirror messages.
> 
> -Al-
> 
> On Aug 24, 2017, at 3:02 AM, Simon Mousey Smith <simonsmith5...@gmail.com> 
> wrote:
> 
>> Still having probs here in the uk liverpool and sadly can’t change the DNS 
>> records as it's using a local dns internally
>> 
>> Retrieving http://database.clamav.net/daily-23702.cdiff
>> Ignoring mirror 81.91.100.173 (due to previous errors)
>> Ignoring mirror 129.67.1.218 (due to previous errors)
>> Ignoring mirror 193.1.193.64 (due to previous errors)
>> Ignoring mirror 178.79.177.182 (due to previous errors)
>> WARNING: getpatch: Can't download daily-23702.cdiff from database.clamav.net
>> Retrieving http://database.clamav.net/daily-23702.cdiff
>> Ignoring mirror 193.1.193.64 (due to previous errors)
>> Ignoring mirror 81.91.100.173 (due to previous errors)
>> Ignoring mirror 178.79.177.182 (due to previous errors)
>> Ignoring mirror 129.67.1.218 (due to previous errors)
>> WARNING: getpatch: Can't download daily-23702.cdiff from database.clamav.net
>> Retrieving http://database.clamav.net/daily-23702.cdiff
>> Ignoring mirror 193.1.193.64 (due to previous errors)
>> Ignoring mirror 129.67.1.218 (due to previous errors)
>> Ignoring mirror 178.79.177.182 (due to previous errors)
>> Ignoring mirror 81.91.100.173 (due to previous errors)
>> ERROR: getpatch: Can't download daily-23702.cdiff from database.clamav.net
>> WARNING: Incremental update failed, trying to download daily.cvd
>> Whitelisting short-term blacklisted mirrors
>> Retrieving http://database.clamav.net/daily.cvd
>> Ignoring mirror 81.91.100.173 (due to previous errors)
>> Ignoring mirror 129.67.1.218 (due to previous errors)
>> Trying host database.clamav.net (193.1.193.64)...
>> Trying to download http://database.clamav.net/daily.cvd (IP: 193.1.193.64)
>> WARNING: getfile: daily.cvd not found on database.clamav.net (IP: 
>> 193.1.193.64)
>> ERROR: Can't download daily.cvd from database.clamav.net
>> Querying daily.0.82.0.0.C101C140.ping.clamav.net
>> Giving up on database.clamav.net...
>> Update failed. Your network may be down or none of the mirrors listed in 
>> /etc/freshclam.conf is working. Check 
>> http://www.clamav.net/doc/mirrors-faq.html for possible reasons.
>> 
>> [root@mailgw etc]# dig database.clamav.net
>> 
>> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> database.clamav.net
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14816
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
>> 
>> ;; QUESTION SECTION:
>> ;database.clamav.net.   IN  A
>> 
>> ;; ANSWER SECTION:
>> database.clamav.net.    24      IN      CNAME   db.local.clamav.net.
>> db.local.clamav.net.    7200    IN      CNAME   db.uk.clamav.net.
>> db.uk.clamav.net.       24      IN      A       81.91.100.173
>> db.uk.clamav.net.       24      IN      A       193.1.193.64
>> db.uk.clamav.net.       24      IN      A       178.79.177.182
>> db.uk.clamav.net.       24      IN      A       129.67.1.218
>> 
>> ;; Query time: 79 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Thu Aug 24 11:00:42 2017
>> ;; MSG SIZE  rcvd: 144
>> 
>> Any ideas?
>> 
>> Simon
>> 
>>> On 24 Aug 2017, at 10:49, Bill Maidment <b...@maidment.me> wrote:
>>> 
>>> Yeah that worked. Thanks
>>> I guess that server will get a good working over now.
>>> 
>>> 
>>> -Original message-
>>>> From:Simon Wilson <si...@simonandkate.net>
>>>> Sent: Thursday 24th August 2017 19:26
>>>> To: clamav-users@lists.clamav.net
>>>> Subject: Re: [clamav-users] Freshclam failure
>>>> 
>>>> I got mine working by pointing it to 'de' in /etc/freshclam.conf
>>>> 
>>>> - Message from Bill Maidment <b...@maidment.me> -
>>>>   Date: Thu, 24 Aug 2017 19:24:04 +1000
>>>>   From: Bill Maidment <b...@maidment.me>
>>>> Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
>>>> Subject: Re: [clamav-users] Freshclam failure
>>>> To: ClamAV users ML <clamav-users@lists.clamav.net>
>>>> 
>>>> 
>>>>> It's stil fa

Re: [clamav-users] Freshclam failure

2017-08-24 Thread Simon Mousey Smith
Still having probs here in the uk liverpool and sadly can’t change the DNS 
records as it's using a local dns internally

Retrieving http://database.clamav.net/daily-23702.cdiff
Ignoring mirror 81.91.100.173 (due to previous errors)
Ignoring mirror 129.67.1.218 (due to previous errors)
Ignoring mirror 193.1.193.64 (due to previous errors)
Ignoring mirror 178.79.177.182 (due to previous errors)
WARNING: getpatch: Can't download daily-23702.cdiff from database.clamav.net
Retrieving http://database.clamav.net/daily-23702.cdiff
Ignoring mirror 193.1.193.64 (due to previous errors)
Ignoring mirror 81.91.100.173 (due to previous errors)
Ignoring mirror 178.79.177.182 (due to previous errors)
Ignoring mirror 129.67.1.218 (due to previous errors)
WARNING: getpatch: Can't download daily-23702.cdiff from database.clamav.net
Retrieving http://database.clamav.net/daily-23702.cdiff
Ignoring mirror 193.1.193.64 (due to previous errors)
Ignoring mirror 129.67.1.218 (due to previous errors)
Ignoring mirror 178.79.177.182 (due to previous errors)
Ignoring mirror 81.91.100.173 (due to previous errors)
ERROR: getpatch: Can't download daily-23702.cdiff from database.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Whitelisting short-term blacklisted mirrors
Retrieving http://database.clamav.net/daily.cvd
Ignoring mirror 81.91.100.173 (due to previous errors)
Ignoring mirror 129.67.1.218 (due to previous errors)
Trying host database.clamav.net (193.1.193.64)...
Trying to download http://database.clamav.net/daily.cvd (IP: 193.1.193.64)
WARNING: getfile: daily.cvd not found on database.clamav.net (IP: 193.1.193.64)
ERROR: Can't download daily.cvd from database.clamav.net
Querying daily.0.82.0.0.C101C140.ping.clamav.net
Giving up on database.clamav.net...
Update failed. Your network may be down or none of the mirrors listed in 
/etc/freshclam.conf is working. Check 
http://www.clamav.net/doc/mirrors-faq.html for possible reasons.

[root@mailgw etc]# dig database.clamav.net

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> database.clamav.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14816
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;database.clamav.net.   IN  A

;; ANSWER SECTION:
database.clamav.net.    24      IN      CNAME   db.local.clamav.net.
db.local.clamav.net.    7200    IN      CNAME   db.uk.clamav.net.
db.uk.clamav.net.       24      IN      A       81.91.100.173
db.uk.clamav.net.       24      IN      A       193.1.193.64
db.uk.clamav.net.       24      IN      A       178.79.177.182
db.uk.clamav.net.       24      IN      A       129.67.1.218

;; Query time: 79 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 24 11:00:42 2017
;; MSG SIZE  rcvd: 144

Any ideas?

Simon

> On 24 Aug 2017, at 10:49, Bill Maidment <b...@maidment.me> wrote:
> 
> Yeah that worked. Thanks
> I guess that server will get a good working over now.
> 
> 
> -Original message-
>> From:Simon Wilson <si...@simonandkate.net>
>> Sent: Thursday 24th August 2017 19:26
>> To: clamav-users@lists.clamav.net
>> Subject: Re: [clamav-users] Freshclam failure
>> 
>> I got mine working by pointing it to 'de' in /etc/freshclam.conf
>> 
>> - Message from Bill Maidment <b...@maidment.me> -
>> Date: Thu, 24 Aug 2017 19:24:04 +1000
>> From: Bill Maidment <b...@maidment.me>
>> Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
>>  Subject: Re: [clamav-users] Freshclam failure
>>   To: ClamAV users ML <clamav-users@lists.clamav.net>
>> 
>> 
>>> It's still failing here:
>>> 
>>> wget http://database.clamav.net/main.cvd
>>> --2017-08-24 19:21:28--  http://database.clamav.net/main.cvd
>>> Resolving database.clamav.net (database.clamav.net)... 193.1.193.64
>>> Connecting to database.clamav.net  
>>> (database.clamav.net)|193.1.193.64|:80... connected.
>>> HTTP request sent, awaiting response... 404 Not Found
>>> 2017-08-24 19:21:29 ERROR 404: Not Found.
>>> 
>>> 
>>> 
>>> -Original message-
>>>> From:Al Varnell <alvarn...@mac.com>
>>>> Sent: Thursday 24th August 2017 18:42
>>>> To: ClamAV users ML <clamav-users@lists.clamav.net>
>>>> Subject: Re: [clamav-users] Freshclam failure
>>>> 
>>>> See previous discussion  
>>>> <http://lists.clamav.net/pipermail/clamav-users/2017-August/004990.html>
>>>> 
>>>> And Blog announcement earlier today  
>>>> <http://blog.clamav.net/2017/08/cvd-download-issues-for-august-23-2017.html>.

Re: [clamav-users] Freshclam failure

2017-08-24 Thread Simon Wilson

I got mine working by pointing it to 'de' in /etc/freshclam.conf

- Message from Bill Maidment <b...@maidment.me> -
Date: Thu, 24 Aug 2017 19:24:04 +1000
From: Bill Maidment <b...@maidment.me>
Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
 Subject: Re: [clamav-users] Freshclam failure
  To: ClamAV users ML <clamav-users@lists.clamav.net>



It's still failing here:

 wget http://database.clamav.net/main.cvd
--2017-08-24 19:21:28--  http://database.clamav.net/main.cvd
Resolving database.clamav.net (database.clamav.net)... 193.1.193.64
Connecting to database.clamav.net  
(database.clamav.net)|193.1.193.64|:80... connected.

HTTP request sent, awaiting response... 404 Not Found
2017-08-24 19:21:29 ERROR 404: Not Found.



-Original message-

From:Al Varnell <alvarn...@mac.com>
Sent: Thursday 24th August 2017 18:42
To: ClamAV users ML <clamav-users@lists.clamav.net>
Subject: Re: [clamav-users] Freshclam failure

See previous discussion  
<http://lists.clamav.net/pipermail/clamav-users/2017-August/004990.html>


And Blog announcement earlier today  
<http://blog.clamav.net/2017/08/cvd-download-issues-for-august-23-2017.html>.


Except that users are having some continuing issues tonight.

-Al-

On Aug 24, 2017, at 1:34 AM, Bill Maidment <b...@maidment.me> wrote:

> Hi
> I've been using clamav for many years and suddenly yesterday freshclam
> failed, first on the JP mirror, then on the AU mirror and now everywhere.
> I've tried all the suggested solutions, but nothing obvious in the logs
> apart from the following:

>
> ERROR: getpatch: Can't download daily-23699.cdiff from db.AU.clamav.net
> ERROR: Can't download daily.cvd from db.AU.clamav.net
> ERROR: getpatch: Can't download daily-23699.cdiff from db.local.clamav.net
> ERROR: Can't download daily.cvd from db.local.clamav.net
> ERROR: getpatch: Can't download daily-23699.cdiff from database.clamav.net
> ERROR: Can't download daily.cvd from database.clamav.net
>
> Cheers
> Bill Maidment



- End message from Bill Maidment <b...@maidment.me> -



--
Simon Wilson
M: 0400 12 11 16


Re: [clamav-users] Unable to download database

2017-08-24 Thread Simon Mousey Smith
Hi All

Still having issue here in UK Liverpool

WARNING: getfile: daily.cvd not found on database.clamav.net (IP: 193.1.193.64)

Regards 

Simon

Sent from my iPhone

> On 24 Aug 2017, at 08:48, maxal <m...@sbg.at> wrote:
> 
> hi,
> 
> also some issues here on 193.1.193.64
> 
> Thu Aug 24 09:40:07 2017 -> ERROR: getpatch: Can't download daily-
> 23699.cdiff from database.clamav.net
> Thu Aug 24 09:40:07 2017 -> WARNING: Incremental update failed, trying
> to download daily.cvd
> Thu Aug 24 09:40:07 2017 -> WARNING: getfile: daily.cvd not found on
> database.clamav.net (IP: 193.1.193.64)
> 
> http://193.1.193.64/daily-23699.cdiff --header
> "Host:database.clamav.net"
> --2017-08-24 09:42:00--  http://193.1.193.64/daily-23699.cdiff
> Connecting to 193.1.193.64:80... connected.
> HTTP request sent, awaiting response... 404 Not Found
> 2017-08-24 09:42:00 ERROR 404: Not Found.
> 
> inetnum:        193.1.193.0 - 193.1.193.127
> org:            ORG-HA8-RIPE
> netname:        HEANET-MIRROR
> country:        IE
> 
> regards
> max
> 
>> On Thu, 2017-08-24 at 09:21 +0200, lukn555 wrote:
>> Thank you for your effort, Joel.
>> 
>> I still have issues with the following server from
>> db.centraleu.clamav.net group:
>> 
>> $ wget http://193.230.240.8/daily-23697.cdiff --header
>> "Host:database.clamav.net"
>> --2017-08-24 09:02:01--  http://193.230.240.8/daily-23697.cdiff
>> Connecting to 193.230.240.8:80... connected.
>> HTTP request sent, awaiting response... 403 Forbidden
>> 2017-08-24 09:02:01 ERROR 403: Forbidden.
>> 
>> 
>>> On 23.08.2017 23:21, Joel Esler (jesler) wrote:
>>> All — I sent a note earlier, but this should be fixed/recovering
>>> now.  We are working on an idea that may prevent this kind of thing
>>> from happening in the future.
>>> 
>>> Dennis — If you do a health check, and you find things that are…
>>> not matching up with our results… please let me know your failure
>>> list?
>>> 
>>> 
>>> --
>>> Joel Esler | Talos: Manager | jes...@cisco.com
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> On Aug 23, 2017, at 3:16 PM, Dennis Peterson <denni...@inetnw.com> wrote:
>>> 
>>> After testing several of the DNS round robin aliases I found the
>>> db.ca.clamav.net had the most reliable
>>> server set for North America. After editing the freshclam.conf file
>>> the files updated on the next cron.hourly cycle.
>>> 
>>> I also found that the number of viable mirror sites is a small
>>> portion of the total number of mirrors. I also found that a lot of
>>> "local" mirrors are not all that local.
>>> 
>>> I think I'll run a health check of every mirror in the western
>>> hemisphere and use the results in a local DNS round robin running
>>> my own servers. It is a form of dynamic load balancing using real-
>>> time network response time. If nothing else it will stop most if
>>> not all attempts to missing mirrors which seem to be the majority.
>>> Obviously it will also ignore mirrors that disallow icmp traffic.
>>> 
>>> dp
>>> 
>>> On 8/23/17 9:48 AM, Dennis Peterson wrote:
>>> nslookup db.local.clamav.net |awk '/Address:/ {print $2}' |xargs -L1 ping -c 1
>>> 
>>> nslookup db.us.clamav.net |awk '/Address:/ {print $2}' |xargs -L1 ping -c 1
>>> 
>>> nslookup db.ca.clamav.net |awk '/Address:/ {print $2}' |xargs -L1 ping -c 1
>>> 
>>> nslookup db.ru.clamav.net |awk '/Address:/ {print $2}' |xargs -L1 ping -c 1
>>> 
>>> nslookup db.uk.clamav.net |awk '/Address:/ {print $2}' |xargs -L1 ping -c 1
>>> 
>>> 
>>> Nobody home.
>>> 
>>> dp
>>> 
>>> On 8/23/17 12:26 AM, lukn555 wrote:
>>> Good Day ClamAV List
>>> 
>>> Since yesterday at around noon CET I've been having issues
>>> downloading
>>> the ClamAV database:
>>> 
>>> freshclam --version
>>> ClamAV 0.99.2/23696/Tue Aug 22 14:36:14 2017
>>> 
>>> 
>>> # /usr/local/bin/freshclam --verbose
>>> Current working dir is /usr/local/share/clamav

Re: [clamav-users] Unable to download database

2017-08-23 Thread Simon Mousey Smith
Same here from UK Liverpool datacenter

Was able to download a few hours ago but then stopped again

Simon 

Sent from my iPhone

> On 23 Aug 2017, at 18:33, Maarten Broekman <maarten.broek...@gmail.com> wrote:
> 
> Similar issues with addresses for db.us.clamav.net. 7 of 16 mirrors aren't
> reachable.
> 
> $ host db.us.clamav.net
> db.us.clamav.net is an alias for db.us.big.clamav.net.
> *db.us.big.clamav.net has address 208.72.56.53*
> *db.us.big.clamav.net has address 64.6.100.177*
> *db.us.big.clamav.net has address 64.22.33.90*
> db.us.big.clamav.net has address 69.12.162.28
> db.us.big.clamav.net has address 69.163.100.14
> db.us.big.clamav.net has address 104.131.196.175
> db.us.big.clamav.net has address 128.199.133.36
> db.us.big.clamav.net has address 150.214.142.197
> *db.us.big.clamav.net has address 155.98.64.87*
> *db.us.big.clamav.net has address 168.143.19.95*
> db.us.big.clamav.net has address 194.8.197.22
> *db.us.big.clamav.net has address 194.186.47.19*
> db.us.big.clamav.net has address 198.148.78.4
> db.us.big.clamav.net has address 200.236.31.1
> db.us.big.clamav.net has address 204.130.133.50
> *db.us.big.clamav.net has address 207.57.106.31*
> 
> $ host db.us.clamav.net | awk '/address/ { print $NF }' | xargs -L1 ping -c
> 1
> 
> *--- 208.72.56.53 ping statistics ---*
> *1 packets transmitted, 0 received, 100% packet loss, time 0ms*
> 
> *--- 64.6.100.177 ping statistics ---*
> *1 packets transmitted, 0 received, 100% packet loss, time 0ms*
> 
> *--- 64.22.33.90 ping statistics ---*
> *1 packets transmitted, 0 received, 100% packet loss, time 0ms*
> 
> --- 69.12.162.28 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> 
> --- 69.163.100.14 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> 
> --- 104.131.196.175 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> 
> --- 128.199.133.36 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> 
> --- 150.214.142.197 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> 
> *--- 155.98.64.87 ping statistics ---*
> *1 packets transmitted, 0 received, 100% packet loss, time 0ms*
> 
> *--- 168.143.19.95 ping statistics ---*
> *1 packets transmitted, 0 received, 100% packet loss, time 0ms*
> 
> --- 194.8.197.22 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> 
> *--- 194.186.47.19 ping statistics ---*
> *1 packets transmitted, 0 received, 100% packet loss, time 0ms*
> 
> --- 198.148.78.4 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> 
> --- 200.236.31.1 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> 
> --- 204.130.133.50 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> 
> *--- 207.57.106.31 ping statistics ---*
> *1 packets transmitted, 0 received, 100% packet loss, time 0ms*
> 
> 
> On Wed, Aug 23, 2017 at 1:26 PM, Maarten Broekman <
> maarten.broek...@gmail.com> wrote:
> 
>> For me, 3 of the 5 db.local.clamav.net addresses have 100% packet loss:
>> 
>> $ host db.local.clamav.net
>> db.local.clamav.net is an alias for db.us.rr.clamav.net.
>> db.us.rr.clamav.net has address 200.236.31.1
>> db.us.rr.clamav.net has address 208.72.56.53
>> db.us.rr.clamav.net has address 69.12.162.28
>> db.us.rr.clamav.net has address 150.214.142.197
>> db.us.rr.clamav.net has address 194.186.47.19
>> 
>> $ host db.local.clamav.net | awk '/address/ { print $NF }' | xargs -L1 ping -c 1
>> --- 200.236.31.1 ping statistics ---
>> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
>> 
>> *--- 208.72.56.53 ping statistics ---*
>> *1 packets transmitted, 0 received, 100% packet loss, time 0ms*
>> 
>> --- 69.12.162.28 ping statistics ---
>> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
>> 
>> *--- 150.214.142.197 ping statistics ---*
>> *1 packets transmitted, 0 received, 100% packet loss, time 0ms*
>> 
>> *--- 194.186.47.19 ping statistics ---*
>> *1 packets transmitted, 0 received, 100% packet loss, time 0ms*
>> 
>> 
>> 
>> 
>> On Wed, Aug 23, 2017 at 12:48 PM, Dennis Peterson <denni...@inetnw.com>
>> wrote:
>> 
>>>

Re: [clamav-users] Scanning IMAP traffic without user credential storage

2017-07-28 Thread Simon Hobson
Beeblebrox  wrote:

>> ... If clamd finds something (it does happen), what's the plan?
>> The message is *already* in the user's mail box, and I'd say it should
>> *not* be there in your scenario, because the user can pick up the bad
>> mail simply by connecting other than through your gateway.
> 
> I was thinking "somehow" to move the email to a quarantine folder and
> then sending an advisory to the user "message from joe has been
> quarantined, please take following steps". Perhaps even some process to
> strip all attachments, convert message to text-only (risky?) and send
> the text-only content along with the advisory.
> 
> Moving the message to quarantine folder on the host server (Gmail)
> would require user credential by MTA, so there's another hole in my
> concept. I wonder if there's an MTA that stores hashed credentials but
> is also able to auto-update such credentials as received from client
> device / MUA so that no direct user interaction with the Gateway is
> necessary.

Well if you could act as a MiM then you'd act as an IMAP server to the client 
and get the credentials from them as they log in. You'd then log into the real 
upstream server using those credentials. You'd have to proxy everything so that 
the client sees the contents of the mailboxes - but you'd have the access you'd 
need to move the infected mail and add a new warning message.

BUT, two problems.
I have no idea at all if there is such a proxy mechanism in existence.

Most of all, it can't be done with SSL connections without either the client 
users getting security warnings which they'd have to accept, or the clients 
having your own root certificate installed. Neither of these are a good idea - 
one teaches users to ignore certificate errors, the other opens the door to all 
manner of "mischief".

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Scanning IMAP traffic without user credential storage

2017-07-27 Thread Simon Hobson
Dave McMurtrie  wrote:

> The original poster doesn't mention which IMAP server he's using.

As I read it, he's looking at "random users accessing random servers" - eg a 
user connecting his phone to the guest network and it then accessing Gmail.
I really don't think it's possible to do what he wants. In principle it would 
work for non-SSL connections, but the whole point of SSL is to prevent the sort 
of MiM connection he is trying to do. For it to work, the proxy would need to 
talk SSL to the server (no problem), process the non-protected stream 
internally, and talk SSL to the client. The latter is the problem as the proxy 
will not be able to sign the connection using a (eg) Google certificate - which 
is, of course, the whole point of SSL, the client should flash up a big "this 
site is bogus" warning to the user !

In a corporate environment, with control of the clients, it's possible to 
install your own root certificate on the clients and then use that to sign the 
client-side connection. Obviously that won't work with any other clients, and 
it's a really really bad idea anyway from the security PoV (breaks all 
client-side verification - eg the "green bar" for banking websites).



Re: [clamav-users] Apparently legitimate Paypal email disguises domain name in links - thus identified as likely phishing

2017-06-02 Thread Simon Hobson
Andy Schmidt  wrote:

> If Paypal expects their emails to be delivered, then the CONTENT of their
> emails must not use phishing techniques.

In my experience, most PayPal emails are a catalogue of the things people are 
told not to do ! Things like "click here to check your account" come 
immediately to mind !

The fact that they feel the need to put "we've put your full name in to show 
it's really us" is indicative to me that they must realise what they are doing.



Re: [clamav-users] Central management server?

2016-12-14 Thread Simon Hobson
robert k Wild  wrote:

> Can I install a clamav server and point all my clamav end users ie Mac
> Linux windows to the server to get update definitions

Yes. Setup your own mirror and point everything at it.

> and can I manage my
> clients from the server ie see if there online run scans and lock clients
> so they can't change settings?

As already said, that's the province of enterprise systems.
You should be able to "roll your own" with a combination of local permissions 
management (stop users fiddling with settings), configuration management 
systems (such as Puppet already mentioned, set configuration), centralised 
logging and log analysis (see what is running when), and monitoring systems 
(e.g. I use Nagios to monitor if ClamAV is up to date on my servers).



Re: [clamav-users] TTL of DNS recode

2016-11-28 Thread Simon Hobson
Tsutomu Oyamada  wrote:

> Our environment is a local mirror.
> However, it does not matter.
> 
> I wanted to know if there is the case that the DNS TXT of ClamAV have
> not been updated for few days.
> Could it be possible?
> Is this issue caused by the problem on our environment of querying DNS?
> The daily.cvd is updated in real time now.
> Could this issue be happened when the freshclam try to query DNS?

Given that no-one else has seen the same issue, it was most likely a problem 
local to you. It is unlikely that any of us could guess what that problem was 
given that we can't see your systems.



Re: [clamav-users] TTL of DNS recode

2016-11-25 Thread Simon Hobson
Tsutomu Oyamada  wrote:

> ClamAV update process started at Sat Nov  5 05:01:15 2016
> Using IPv6 aware code
> Querying current.cvd.clamav.net
> TTL: 1797
> Software version from DNS: 0.99.2
> main.cvd version from DNS: 57
> main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: 
> amishhamner)
> daily.cvd version from DNS: 22473
> 
> This log shows that freshclam was started at 5:01 of 5th Nov. and the result 
> of querying DNS was "daily.cvd version: 22473".
> According to the mail [clamav-virusdb] which is sent daily, the daily.cvd 
> version should be 22479 at 5:01 of 5th Nov.
> 
> We want to know why freshclam cannot get the latest daily.cvd version.
> Is this difference of daily.cvd version caused by cache of DNS?

OK, try restarting freshclam and see what comes up in the logs. 5th Nov is 
quite a while ago !
If it still doesn't get the correct information, give us the output of "dig 
current.cvd.clamav.net txt" - you may need to install the dig (Domain Internet 
Groper) package.



Re: [clamav-users] TTL of DNS recode

2016-11-24 Thread Simon Hobson
I realise English is not your main language and this is probably very difficult 
for you to explain in what is to you a foreign language, but I don't think we 
are able to figure out just what is not working ...

Tsutomu Oyamada  wrote:

> In the present situation fail.

What is failing ?

Does your local mirror update ?
If not, post logs from freshclam showing the failures to update.
Also post your freshclam config.

If your local mirror does update, then we assume your local clients are failing 
to update from your mirror.
If that is the case, post the freshclam logs from a failing client, and its 
config.



Re: [clamav-users] TTL of DNS recode

2016-11-24 Thread Simon Hobson
Al Varnell  wrote:

> So I think I have the answer for this one. From my research it would seem 
> that TTL values are set by the DNS server you are accessing, not by the 
> ClamAV and is the same for all records on that server.  You would have to 
> check with the DNS ISP to find out if it has changed or not.

OK, there seems to be some confusion about how DNS works and what the TTL value 
does, and what lookups report. Dennis has sort of covered some of this, but it 
might help to see the whole process.

When you do a lookup for a name, your client asks the locally configured 
resolver the question - eg what is the TXT record for current.cvd.clamav.net.

Assuming the resolver has nothing in the cache, then it will go to the root 
servers and ask the same question. The root servers won't know, so they will 
reply to the effect of "I don't know, but the name servers  
have a better answer" - ie the name servers for .net
So your resolver goes and asks the same question of one or more of those 
servers. They'll get the same "I don't know, but ..." answer, this time with a 
list of name servers handling clamav.net.
The resolver will continue in this manner until it reaches far enough down the 
tree to find a server that knows the answer. In this case, the nameservers 
for clamav.net (ns[2-7].clamav.net here*) know the answer and will return it.

Using DIG, this is the chain of results, note that when using +trace, DIG 
deliberately ignores cached records and so the TTL values are those of the 
records as served by the relevant name server (except for the root servers 
which I assume it still uses the local resolver cache for - it has to start 
somewhere !)  :

$ dig +trace current.cvd.clamav.net txt

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +trace current.cvd.clamav.net txt
;; global options: +cmd
.   45003   IN  NS  h.root-servers.net.
.   45003   IN  NS  b.root-servers.net.
.   45003   IN  NS  l.root-servers.net.
.   45003   IN  NS  e.root-servers.net.
.   45003   IN  NS  g.root-servers.net.
.   45003   IN  NS  m.root-servers.net.
.   45003   IN  NS  j.root-servers.net.
.   45003   IN  NS  c.root-servers.net.
.   45003   IN  NS  i.root-servers.net.
.   45003   IN  NS  a.root-servers.net.
.   45003   IN  NS  d.root-servers.net.
.   45003   IN  NS  f.root-servers.net.
.   45003   IN  NS  k.root-servers.net.
;; Received 508 bytes from 192.168.0.33#53(192.168.0.33) in 21 ms

net.   172800  IN  NS  e.gtld-servers.net.
net.   172800  IN  NS  m.gtld-servers.net.
net.   172800  IN  NS  f.gtld-servers.net.
net.   172800  IN  NS  a.gtld-servers.net.
net.   172800  IN  NS  l.gtld-servers.net.
net.   172800  IN  NS  b.gtld-servers.net.
net.   172800  IN  NS  j.gtld-servers.net.
net.   172800  IN  NS  c.gtld-servers.net.
net.   172800  IN  NS  d.gtld-servers.net.
net.   172800  IN  NS  h.gtld-servers.net.
net.   172800  IN  NS  k.gtld-servers.net.
net.   172800  IN  NS  g.gtld-servers.net.
net.   172800  IN  NS  i.gtld-servers.net.
;; Received 509 bytes from 2001:7fe::53#53(2001:7fe::53) in 43 ms

clamav.net. 172800  IN  NS  ns3.clamav.net.
clamav.net. 172800  IN  NS  ns4.clamav.net.
clamav.net. 172800  IN  NS  ns7.clamav.net.
clamav.net. 172800  IN  NS  ns6.clamav.net.
clamav.net. 172800  IN  NS  ns4a.clamav.net.
clamav.net. 172800  IN  NS  ns1a.clamav.net.
;; Received 302 bytes from 192.42.93.30#53(192.42.93.30) in 44 ms

current.cvd.clamav.net. 1800    IN  TXT "0.99.2:57:22593:1479972755:1:63:45272:285"
cvd.clamav.net. 7200    IN  NS  ns3.clamav.net.
cvd.clamav.net. 7200    IN  NS  ns4.clamav.net.
cvd.clamav.net. 7200    IN  NS  ns5.clamav.net.
cvd.clamav.net. 7200    IN  NS  ns6.clamav.net.
cvd.clamav.net. 7200    IN  NS  ns7.clamav.net.
;; Received 184 bytes from 2a01:4f8:160:8421::2#53(2a01:4f8:160:8421::2) in 38 ms


Naturally it would be wasteful if the resolver did all these lookups every 
time, so it stores all the results it gets back in a local cache. So next time 
you lookup the same answer, it already has it. If you lookup a different .net 
address, it already knows which servers handle .net. And so on.
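
The TXT answer and TTL from the trace above can be checked mechanically against what a client reported. This is an added example, not part of the original post and not ClamAV code: it parses one `dig` answer line and decides whether a TTL-honouring resolver cache can explain a client seeing an older daily.cvd version. The meaning of the fourth and sixth TXT fields, the three-hour record-age threshold, and the observation times in the demo are assumptions.

```python
"""Check a freshclam DNS TXT answer against what a client actually saw."""
import re
from dataclasses import dataclass

# One answer line as printed by dig, copied from the trace in this thread.
SAMPLE_ANSWER = ('current.cvd.clamav.net. 1800 IN TXT '
                 '"0.99.2:57:22593:1479972755:1:63:45272:285"')

ANSWER_RE = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+TXT\s+"([^"]*)"\s*$')
FIELD_COUNT = 8


@dataclass(frozen=True)
class CvdRecord:
    name: str
    ttl: int          # seconds a resolver may cache this answer
    software: str     # field 1: ClamAV release, e.g. "0.99.2"
    main: int         # field 2: main.cvd version
    daily: int        # field 3: daily.cvd version
    record_time: int  # field 4: ASSUMED to be the Unix time the record was built
    f_level: int      # field 6: ASSUMED to be the functionality level


def parse_answer(line):
    """Turn one dig TXT answer line into a CvdRecord, rejecting malformed input."""
    match = ANSWER_RE.match(line.strip())
    if not match:
        raise ValueError("not a TXT answer line: %r" % line)
    name, ttl, txt = match.groups()
    parts = txt.split(":")
    if len(parts) != FIELD_COUNT:
        raise ValueError("expected %d fields, got %d" % (FIELD_COUNT, len(parts)))
    try:
        main, daily, rtime, f_level = (int(parts[i]) for i in (1, 2, 3, 5))
    except ValueError:
        raise ValueError("non-numeric field in %r" % txt) from None
    return CvdRecord(name, int(ttl), parts[0], main, daily, rtime, f_level)


def assess(auth, observed_daily, observed_at, max_record_age=3 * 3600):
    """Compare the authoritative record with a client observation.

    auth           -- CvdRecord obtained from the authoritative servers
    observed_daily -- daily.cvd version the client's resolver returned
    observed_at    -- Unix time of the client's lookup
    Returns a list of (code, detail) tuples.
    """
    findings = []
    lag = auth.daily - observed_daily
    if lag > 0:
        findings.append(("BEHIND", "client is %d daily version(s) behind" % lag))
        # An old answer fetched just before the new record appeared may be
        # served from cache for at most `ttl` seconds after that moment.
        if observed_at > auth.record_time + auth.ttl:
            findings.append(("CACHE_EXPIRED",
                             "old answer outlived the %d s TTL; a resolver that "
                             "honours TTL does not explain this" % auth.ttl))
        else:
            findings.append(("CACHE_PLAUSIBLE",
                             "still inside the %d s TTL window" % auth.ttl))
    if observed_at - auth.record_time > max_record_age:
        findings.append(("RECORD_OLD",
                         "authoritative record is older than %d s" % max_record_age))
    return findings


if __name__ == "__main__":
    record = parse_answer(SAMPLE_ANSWER)
    # Constructed observations: same stale version, seen 10 and 60 minutes later.
    for delay in (600, 3600):
        print(delay, assess(record, record.daily - 1, record.record_time + delay))
```
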

Re: [clamav-users] GPL license question

2016-09-18 Thread Simon Hobson
Borough Rumford  wrote:

> I know clamav is released under GPL license, and third-party commercial app 
> shouldn’t link libclamav.

Is the library under the GPL or LGPL - the answer is different for the two 
licences ?
https://www.gnu.org/licenses/gpl-faq.en.html#GPLStaticVsDynamic
https://www.gnu.org/licenses/gpl-faq.en.html#LGPLStaticVsDynamic

AIUI, if you link against a GPL library then your code needs to be compatible 
with the GPL, if you link dynamically against an LGPL library then it doesn't.
That's the reason for having the LGPL.



Re: [clamav-users] Threading (Was: How can Clam/Cisco be so irresponsibly reckless and nonchalant to Windows users?)

2016-02-18 Thread Simon Hobson
Mark Allan  wrote:

> 
>> For me, I use Mail.app the majority of the time.  Apparently if I delete 
>> lines and inline reply like I do in Thunderbird, Mail.app just tells me to 
>> eat dust and unthreads the whole thing.  Guess I should file a bug with 
>> Apple.
> 
> That's strange. I use Mail.app as well, and as far as I'm aware, there's 
> never been a problem replying to emails and keeping the threading and quoted 
> text.

Me too, never come across that. But then I'm still on 10.8 (Mountain Lion) so 
can't speak for later versions, I know Apple does have a history of taking 
something that works and "fixing" it - in the same way people talk of taking 
their dog to the vet to be "fixed" (by removing bits that worked).


Groach  wrote:

> Consider my explanation of 'notification' above.  So now, how do I post a 
> 'reply' to someone else's comment if I no longer have an "email notification" 
> (to click 'REPLY' on)?

What I usually do in that situation is to carefully copy the email subject as 
it appears in the archives and create a new email. The new email won't have any 
references headers to link it to the thread, but any half decent client and 
list archive should be capable of recognising the subject as being the same as 
the existing thread and link it in that way.
Your message won't appear in the right place in the threaded view in the 
archives, but it should appear in the same thread.

The same issue occurs for people getting a list digest.


In theory, if it's presented, you could copy the message header from the 
archive and add that as a custom header (In-Reply-To:) to your email. Looking 
at the Mailman archive for the list it doesn't seem to be presented, but I 
suspect some archives may keep and display it.
The key headers are :

Message-Id:
This should be a globally unique ID generated by your mail client.

In-Reply-To:
If you reply to an email, the In-Reply-To: header should be set to the 
Message-Id: of the message you reply to.

References:
This builds up as a message gets replied to over time. Each reply should be 
adding the Message-Id: to this so there ends up a chain of which messages led 
to this one.

In-Reply-To: should be sufficient to put your message in the right place in the 
thread.



What you must never ever do is select some random list message in an unrelated 
thread and hit reply - either to respond to an existing thread or to start a 
new one. Because this reply will include In-Reply-To: and probably References: 
headers, this will cause your unrelated message to get threaded into the wrong 
thread. If you are browsing an archive and find a seemingly unrelated thread 
intermingled with another one - this is probably the cause.
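
The header behaviour described in the message above, as an added example that is not part of the original post: it builds replies with `In-Reply-To:` and `References:` set the way the message describes, then groups messages into threads with the header link taking priority and the subject as fallback. The addresses, subjects, the `example.org` domain and the grouping logic are constructed for illustration and are not Mailman's or any mail client's actual algorithm.

```python
"""Build replies with threading headers and group messages into threads."""
import re
from email.message import EmailMessage
from email.utils import make_msgid


def new_message(sender, subject, body, domain="example.org"):
    """A fresh message: new unique Message-ID, no threading headers."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg["Message-ID"] = make_msgid(domain=domain)
    msg.set_content(body)
    return msg


def reply_to(parent, sender, body, subject=None):
    """A reply: In-Reply-To is the parent's Message-ID, References grows by it."""
    if subject is None:
        subject = str(parent["Subject"])
        if not subject.lower().startswith("re:"):
            subject = "Re: " + subject
    msg = new_message(sender, subject, body)
    parent_id = str(parent["Message-ID"])
    msg["In-Reply-To"] = parent_id
    chain = str(parent.get("References", "")).split() + [parent_id]
    msg["References"] = " ".join(chain)
    return msg


def normalise(subject):
    """Strip leading 'Re:' prefixes so subjects can be compared."""
    return re.sub(r"^(\s*re:\s*)+", "", str(subject), flags=re.I).strip().lower()


def build_threads(messages):
    """Map every Message-ID to the Message-ID of its thread root.

    `messages` is in arrival order. A known In-Reply-To wins; otherwise the
    message joins the first thread seen with the same normalised subject.
    """
    by_id = {str(m["Message-ID"]): m for m in messages}
    first_with_subject = {}
    parent = {}
    for msg in messages:
        mid = str(msg["Message-ID"])
        in_reply_to = str(msg.get("In-Reply-To", "")).strip()
        subject = normalise(msg["Subject"])
        if in_reply_to in by_id:
            parent[mid] = in_reply_to
        elif subject in first_with_subject:
            parent[mid] = first_with_subject[subject]
        else:
            parent[mid] = None
        first_with_subject.setdefault(subject, mid)

    def root(mid):
        seen = set()
        while parent[mid] is not None and mid not in seen:
            seen.add(mid)
            mid = parent[mid]
        return mid

    return {mid: root(mid) for mid in parent}


def demo():
    """Three ways of answering, and where each one lands."""
    first = new_message("alice@example.org", "Unable to download database", "...")
    other = new_message("bob@example.org", "GPL license question", "...")
    proper = reply_to(first, "carol@example.org", "Same here.")
    # Written from the archive: subject copied by hand, no threading headers.
    from_archive = new_message("dave@example.org",
                               "Re: Unable to download database", "Me too.")
    # Reply hit on an unrelated message, subject changed to start a new topic.
    hijack = reply_to(other, "erin@example.org", "New topic", subject="Clamd and Systemd")
    roots = build_threads([first, other, proper, from_archive, hijack])
    label = {str(first["Message-ID"]): "download", str(other["Message-ID"]): "gpl"}
    return {name: label[roots[str(m["Message-ID"])]]
            for name, m in (("proper", proper), ("from_archive", from_archive),
                            ("hijack", hijack))}


if __name__ == "__main__":
    print(demo())
```
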



Re: [clamav-users] mail server and clamav in different machine

2015-06-21 Thread Simon Hobson
M.hafez wdeln...@yahoo.com wrote:

> can i install the mail server (win or Linux based ) and the clamav in 
> different machine, that may allow me to filter more than one mailer server 
> using the same Clamav machine.

In principle yes, though it very much depends on how you are going to pass the 
email to it.

If you do file based scanning - ie the server saves a file (or files) and then 
calls ClamAV - you will need to arrange shared files and ensure the file paths 
remain consistent for both ends.
If you run it as a filter and pass the message in via that, then it should only 
be a case of pointing each mail server at the right socket.

But why not duplicate the ClamAV installation and distribute the workload ?
I built a small cluster (Postfix+PostfixAdmin+MySQL+Courier+Amavis+ClamAV) 
and configured each server to do before-queue scanning of inbound emails. I 
made it so there is one master machine which holds the mail store, and a number of 
other mail servers that will accept connections, scan the mail, and if accepted 
put it in the mail store via NFS. This was because of the potential delays 
introduced by before-acceptance scanning and to spread the load of that 
scanning across multiple hosts.
My experience is that by far the highest load on my mail servers is the 
scanning.



Re: [clamav-users] Clamd and Systemd

2015-06-19 Thread Simon Hobson
Scott Kitterman deb...@kitterman.com wrote:

>> Is harmless supposed to include not installable ?
> 
> No.  What's not installable? 
> 
> Install clamav-daemon (with the lib) and don't worry about it.

Given that I wouldn't be bothered at all if SystemD was just an init system, 
it's all the other crap I want to keep out. Do you really think I'm going to 
allow a SystemD library (whose package description gives no clues about its 
functions or intentions) onboard ?

If ClamD is only using this library if SystemD is installed, then presumably 
it'll work without that library when SystemD isn't installed ? So all I need is 
a dummy (empty) package that provides whatever apt is looking for to satisfy 
the installation dependency ?



Re: [clamav-users] Clamd and Systemd

2015-06-18 Thread Simon Hobson
G.W. Haywood cla...@jubileegroup.co.uk wrote:

> I would
> 
> http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installation

Been there, done that, but what a right PITA it creates - specifically trying 
to figure what package is triggering a chain of dependencies that's trying to 
pull in part of SystemD

> and then install ClamAV from source.  I wouldn't use packages for
> things like ClamAV anyway.

I have to consider maintainability - and given the skills (or lack of) left in 
the business when I find a better job or get hit by the proverbial bus, I've 
been making a point of sticking to packages.

> Not at all, it's just Debian doing what Debian does (i.e. drive me nuts).

It's been driving me nuts today. Perhaps it's just what I'm used to but I 
prefer Debian to most other distros - I learned my first Unix with SCO Xenix 
and then Openserver5.


Scott Kitterman deb...@kitterman.com wrote:

>> Also, does anyone know how important this dependency is ? Is it just
>> some small optional features, or something fundamental that can't be
>> removed ? My gut feeling is that given the range of platforms ClamAV
>> runs on (inc many without SystemD), it can't be that important.
> 
> It's there because of the way we build the package to support the default 
> init system.  I don't recall exactly why. It doesn't, however, do anything if 
> systemd isn't the active init system. Other than taking a small amount of 
> disk space it's harmless. 

Is harmless supposed to include not installable ?



Re: [clamav-users] unsubscribe

2015-05-27 Thread Simon Hobson
Cmos35 x.lep...@laposte.net wrote:

> I never asked to be unsubscribed, I asked a question and I unsubscribed by 
> David Barr

No, he didn't unsubscribe you - only you can do that (or someone forging your 
email address in the sender field)

I assume he wanted to unsubscribe from the list, but ignored the email he would 
have had when first signing up (which contained information) and made no effort 
to find out how to do it properly.
If he'd made any effort at all, he'd have found these helpful headers in any 
list email :
 List-Id: ClamAV users ML clamav-users.lists.clamav.net
 List-Unsubscribe: 
 http://lists.clamav.net/cgi-bin/mailman/options/clamav-users,  
 mailto:clamav-users-requ...@lists.clamav.net?subject=unsubscribe
 List-Archive: http://lists.clamav.net/pipermail/clamav-users/
 List-Post: mailto:clamav-users@lists.clamav.net
 List-Help: mailto:clamav-users-requ...@lists.clamav.net?subject=help
 List-Subscribe: 
 http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users,  
 mailto:clamav-users-requ...@lists.clamav.net?subject=subscribe

Like most mailing lists, all he had to do was to send a blank message to 
whatever the list is-request with unsubscribe in the subject - or click on 
the link and go to the mail manager website and do it. I see this periodically 
on every mailing list I'm on - even the ones where there is a help message 
clearly visible in the footer of every list message :-/



Re: [clamav-users] ClamAV installation is OUTDATE!

2015-02-25 Thread Simon Hobson
Marcio Fiorette marcio.fiore...@gmail.com wrote:

> I am not managing to update ClamAV from version 0.98.5 to 0.98.6
> on Debian 7. I have already followed the procedures on the
> www.clamav.net site and even so I had no success.

Google tells me you're trying to update but it's not working.

Did you install ClamAV as a Debian package ? If so then do NOT use any other 
tools to update it, just use the Debian supplied package tools. This applies to 
any distribution - if you installed the distribution package then you should 
update using the distro specific tools/packages.

If you include wheezy-updates as a repository (see /etc/apt/sources) then 
0.98.6 is already there - apt-get update && apt-get upgrade should update it 
(and anything else that needs updating).

If you don't include wheezy-updates (which you should do - it's your security 
updates) then you'll still only get 0.98.5

https://packages.debian.org/search?keywords=clamav&searchon=names&suite=all&section=all



Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)

2015-02-23 Thread Simon Hobson
Daniel Spies ds20150222c...@pskx.net wrote:

> I don't get how you find it more appropriate to silently reject someone's 
> e-mail

I don't. I don't know where you got that from - perhaps it's from seeing so 
many examples of bad practice that's become the norm so you assume everyone is 
that bad ?



Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)

2015-02-22 Thread Simon Hobson
Daniel Spies ds20150222c...@pskx.net wrote:

> In my opinion, it doesn't make any sense to scan e-mail leaving the server. 
> The recipient will never trust these tags anyway. So why scan at all? It's 
> important to scan incoming mail, be it from a local or an external client.

I disagree.
Recipients may not trust the tags, but it *should* stop outbound spam/infected 
mail should your machine (or one of the clients) get compromised. IMO spam and 
malware is not just something to stop coming in, it's something to prevent 
going out - if more networks prevented it going out then there'd be less of a 
problem.

On my systems I scan *everything*, and I firewall off everything I can - 
including preventing outbound connections to port 25.

At work I run mail servers that are used by customers - including as smart 
relays. It's not all that uncommon to find one of the customers compromised and 
sending out thousands (or millions) of spam emails - so my latest server also 
does rate limiting to limit the damage done before it gets spotted and blocked.



Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)

2015-02-22 Thread Simon Hobson
OK, this is getting well off-topic for this list, this will be my final say on 
the matter - and from some of the other comments I see I'm not alone in 
considering you part of the problem.


Daniel Spies ds20150222c...@pskx.net wrote:

>> Recipients may not trust the tags, but it *should* stop outbound 
>> spam/infected mail should your machine (or one of the clients) get 
>> compromised. IMO spam and malware is not just something to stop coming in, 
>> it's something to prevent going out - if more networks prevented it going 
>> out then there'd be less of a problem.
> 
> It's not always black and white. I assume you're responsible for the clients 
> you're talking about, i.e. they are your customers or colleagues.

It varies, but in the general case they may be managed customers (where we 
look after the network, servers, and clients) through to customers only in 
that they use our mail servers. Regardless, all mail they send through my 
servers is scanned - and I do block anything that reaches a sufficient 
spamminess score or fails the AV checks.

> While spoon-feeding colleagues or customers may be okay for the sake of 
> security, my clients would certainly raise hell if they would receive errors 
> due to false positives. Most people expect their system to just work -- no 
> matter what.

Which is one reason it's very important to make sure you are not part of the 
problem. Allowing a customer to send nasties through your mail server is a 
good way of getting it blacklisted - and then it certainly doesn't just work. 
I can assure you that when your server gets on a blacklist, your customers do 
complain - and they complain a lot louder than if you block one or two spammy 
messages.
The best way to stay off blacklists is to block spam and nasties at source - 
not just rely on the recipient to catch it later ...

> By the way: I don't even reject virus/spam mail, I just tag them. If a client 
> is dumb enough to open the attachment of a tagged e-mail, so be it.

So you are part of the problem. It's already been said that tagging is 
meaningless - yet you assume it's reasonable to expect others to act on your 
tags.

>> On my systems I scan *everything*, and I firewall off everything I can - 
>> including preventing outbound connections to port 25.
> 
> I am not in the situation where all my clients sit in a firewalled private 
> network; it's more the free-mail kind of situation. What and when my clients 
> send e-mail is none of my concern, as long as they do it in common dimensions, 
> i.e. in a way that matches a real person.

Most of the customers are also not on managed networks. But on my own systems I 
block outbound connections to port 25 other than what's needed (actually, I 
mostly have a block everything and allow what's needed policy). It's all part 
of a layered approach - you protect your systems, but you also add a layer that 
limits the damage if they do get compromised.

 However, rejecting outgoing e-mail right away is not an option, which 
 ultimately makes the scanning of these messages redundant.

Which makes you part of the problem.

___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] clamav-users-bounces DKIM signature verify error

2014-05-29 Thread Simon Hobson
Scott Kitterman ubu...@kitterman.com wrote:

 ... but isn't this a bit off topic?

Yes it is - but the OP asked here as he was having problems with this list.

 In this particular case, he's got a local configuration issue nothing really 
 to 
 do with clamav, SPF, or DKIM (as a protocol).

Yes it's a local config problem (he needs to turn off DKIM, or at least turn it 
down to the point where it's virtually useless), but it's a hard stretch to say 
it's nothing to do with DKIM since DKIM *IS* his problem !



Re: [clamav-users] clamav-users-bounces DKIM signature verify error

2014-05-29 Thread Simon Hobson
Scott Kitterman ubu...@kitterman.com wrote:

 No, sending bounces to the list is his problem.

Sorry, but that's a relatively common techie attitude - ignore the fact that 
the end user probably has no idea what's going on (else why ask for help about 
it ?) From the USER perspective, he has a problem with using this list, and 
has asked for help identifying WHY. His problem is **NOT** sending bounces, his 
problem is the list server is unsubbing him and/or he isn't getting all the mails 
- bouncing mails is a *cause* of that, and DKIM is a *cause* of that.

As you say, the discussion of the merits or otherwise of DKIM and/or SPF are OT 
for this list, but the OP didn't know that that was the problem until he asked 
the question. Now he knows what the underlying issue is - he can address it, 
asking for help in an appropriate forum if required.



Re: [clamav-users] clamav-users-bounces DKIM signature verify error

2014-05-28 Thread Simon Hobson
Marcello Lupo ml...@itspecialist.it wrote:

 Have you any idea of the reason for this problem and how to let it go away?

Other than DKIM breaks stuff

 As now I’m losing some messages from the list for sure.

Stop using mailing lists OR stop using DKIM
Or you might be able to tune DKIM to exclude the message content - which rather 
defeats the object.

http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail#Annotations_by_mailing_lists


SPF has the same problem.

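Why a list footer like the one on this page invalidates the signature, as an added example that is not part of the original thread: Python that computes the DKIM body hash (bh=) per RFC 6376 before and after the list appends its footer, and shows the effect of the l= body-length tag. The sample body and helper names are constructed for illustration; reading the reply's "tune DKIM" as the l= tag is an assumption.

```python
import base64
import hashlib
import re


def canon_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Body canonicalization per RFC 6376 section 3.4 ("simple" or "relaxed")."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # Collapse runs of spaces/tabs and drop whitespace at line ends.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at the end
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str = "relaxed", length=None) -> str:
    """Value of the bh= tag: base64(SHA-256(canonical body[:l]))."""
    data = canon_body(body, mode)
    if length is not None:
        data = data[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def check_body(received: bytes, bh: str, mode: str = "relaxed", length=None):
    """Return (hash_matches, bytes_not_covered_by_the_signature)."""
    data = canon_body(received, mode)
    if length is not None and length > len(data):
        return False, 0  # body is shorter than the signed length
    covered = data if length is None else data[:length]
    ok = base64.b64encode(hashlib.sha256(covered).digest()).decode() == bh
    return ok, len(data) - len(covered)


# Constructed sample body, as the subscriber's own server would sign it.
ORIGINAL = b"Any ideas why freshclam stops fetching updates?\r\n\r\nThanks\r\n"
# Footer the list software appends (text as it appears on this page).
LIST_FOOTER = (
    b"___\r\n"
    b"Help us build a comprehensive ClamAV guide:\r\n"
    b"https://github.com/vrtadmin/clamav-faq\r\n"
    b"http://www.clamav.net/support/ml\r\n"
)


def demo_dkim_body():
    """Compare verification of the body sent directly and via the list."""
    via_list = ORIGINAL + LIST_FOOTER
    trailing_ws = ORIGINAL.replace(b"?\r\n", b"? \r\n")  # harmless re-wrap
    bh = body_hash(ORIGINAL)                 # signer covers the whole body
    signed_len = len(canon_body(ORIGINAL))   # value a signer would put in l=
    return {
        "direct": check_body(ORIGINAL, bh),
        "via_list": check_body(via_list, bh),
        "via_list_with_l": check_body(via_list, bh, length=signed_len),
        "trailing_ws_relaxed": check_body(trailing_ws, bh),
        "trailing_ws_simple": check_body(
            trailing_ws, body_hash(ORIGINAL, "simple"), mode="simple"),
    }


if __name__ == "__main__":
    for case, result in demo_dkim_body().items():
        print(f"{case:22} hash_ok={result[0]} unsigned_bytes={result[1]}")
```

With l= the hash matches again, but everything after the signed length, here the whole footer, is content the signature does not cover.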


Re: [clamav-users] clamav stops boot

2014-05-02 Thread Simon Hobson
Alain Zidouemba azidoue...@sourcefire.com wrote:

 The ClamAV engine won't update itself automatically. You will have to
 manually perform that operation. The latest version of ClamAV (version
 0.98.1) can be downloaded here:
 http://www.clamav.net/lang/en/download/sources/

However, as the OP is using Debian, is new to Debian, and assuming it's been 
installed as a package, then he'd be better just using the system update tools.

apt-get update && apt-get upgrade to upgrade everything, or apt-get upgrade 
followed by apt-get install clamav-daemon clamav-freshclam should pull in 
updates for the ClamAv stuff. That is, assuming it's a moderately up to date 
Debian version.

But he has to get it booted first ! The system should continue past that 
message, so I'm not sure what's going on. As a quick hack, booting into 
recovery mode (should be a boot option at the Grub menu) and rm 
/etc/rc2.d/S*clamav-daemon should get the machine to a bootable state.
Once the system boots, dpkg -l '*clamav*' should show what's installed.



Re: [clamav-users] Problem with Freshclam and local mirror

2014-04-02 Thread Simon Hobson
Shawn Webb sw...@sourcefire.com wrote:

 I suspect the fault lies in a rather small piece of code that was supposed
 to make the call to recv() a little more robust. If you have the ability
 (or desire) to compile from source, can you please try the attached patch?
 If the patch works, I'll integrate it into our next release.

Thanks, but I'm not really in a position to test it - I don't have build tools 
on any of my machines, and don't really have the skills to use them anyway.

In response to my bug report 
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743305), Andreas Cadhalpun 
has pointed out that there is now a PrivateMirror option in freshclam.conf. 
I've configured this and things now seem to work, though I need to leave it for 
a while to be sure.
The only reference to the new option I could find on my system was on line 962 
of the changelog.


And thanks for the other suggestions.



[clamav-users] Problem with Freshclam and local mirror

2014-04-01 Thread Simon Hobson
Because I've several machines using it, I've set up one to act as a local 
server, with the others pulling their updates from it. It's been generally 
reliable for years, but since updating to 0.98.1 I'm having repeated problems 
where the slaves just stop fetching updates.

As an example, one of them as of this morning was 7 revisions out of date. 
Freshclam log says :
 main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
 ERROR: Can't download daily.cvd from virusdb.back.mydomain
 Giving up on virusdb.back.mydomain...
 Update failed. Your network may be down or none of the mirrors listed in 
 /etc/clamav/freshclam.conf is working. Check  
 http://www.clamav.net/support/mirror-problem for possible reasons.

Invariably, if I delete mirrors.dat and restart Freshclam it will then download 
daily.cvd :
 main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
 Downloading daily.cvd [100%]
 daily.cvd updated (version: 18725, sigs: 863475, f-level: 63, builder: neo)
 bytecode.cvd is up to date (version: 236, sigs: 43, f-level: 63, builder: 
 dgoddard)
 Database updated (3287743 signatures) from virusdb.back.mydomain (IP: 
 172.nn.nn.nn)

Systems are running Debian Wheezy and fully up to date.

Checking the logs, I can see one system at 6:50 said :

 ClamAV update process started at Tue Apr  1 06:50:35 2014
 main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
 Downloading daily.cvd [100%]
 WARNING: Mirror 172.nn.nn.nn is not synchronized.
 Trying again in 5 secs...
 ClamAV update process started at Tue Apr  1 06:50:42 2014
 main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
 WARNING: Can't download daily.cvd from virusdb.back.mydomain
 Trying again in 5 secs...

And on the Apache logs of the main server, I can see daily.cvd being fetched at 
06:50 then nothing at all after that. It looks like Freshclam just flags the 
mirror as bad and never checks it again.


Any ideas ?



Re: [clamav-users] Problem with Freshclam and local mirror

2014-04-01 Thread Simon Hobson
Greg Folkert g...@donor.com wrote:

 I had this problem and have used a brute force solution to remove the
 mirrors.dat file every day so it'll ignore previous problems (like the
 machine being unavailable or other such issues)

I had already considered the same. Since I've got two machines that have 
dropped 3 revisions behind already today (ie in the last 8 hours) I'll do that 
unless anyone has any more elegant suggestions or knows how to fix the 
underlying problem.

In the meantime, I've logged a bug against the Debian package.



Re: [clamav-users] Debian packaging

2014-02-12 Thread Simon Hobson
Greg Folkert g...@donor.com wrote:

 Debian Stable is that. If you must have 0.98.1, you should also be using
 backports... at least I used to until I just used Sid for everything.
 Backports help extend Stable's longevity and freshness a bit... but it
 is no guarantee 0.98.1 will be there.

Actually it should filter down once it's gone through some testing. Stable 
means different things to different packages - and AFAIK policy hasn't changed 
much in terms of updating volatile security related packages like ClamAV.



Matthew Newton m...@leicester.ac.uk wrote:

 Debian's policy is to ensure that stable means stable - so they
 only generally apply security patches. There was a volatile
 repository once as they realised that software like ClamAV needs
 updating more but conflicted with normal policy; it looks like
 it's been replaced, but I don't know if they still maintain the
 ClamAV package there.

It is still there, just under a different name - should be covered by the 
version/updates (eg wheezy/updates) source.
http://www.debian.org/security/


As for installing the update, as pointed out there are several options. If you 
have wheezy/updates in your apt-sources list then it should appear (eventually) 
after passing through Debian's quality processes.

If you want it sooner, then pull it from testing - something I've done with a 
few packages from time to time. I've found that mostly things are fairly 
reliable by the time they reach testing - but it's worth a scan of the bugs 
list first.

Or if you want bleeding edge - either install from upstream source, or install 
from unstable. Unstable can be, well, unstable - so you roll your dice and take 
your chances.


Personally, I try to avoid installing from source. Not because I can't do it (I 
have done it when I've had no option), but I have to consider maintainability - 
especially if I've moved on and the system gets inherited by someone with 
limited Linux/FOSS skills. YMMV - what you do on a home system (only you to 
consider) or in an environment where there are plenty of experienced Linux/FOSS 
admins is one thing; what you do when there's no such people around is another.



Re: [clamav-users] Is there any chance of the 97.8 version as shipped by ubuntu 10.04.4 LTS, working?

2014-01-27 Thread Simon Hobson
Gene Heskett ghesk...@wdtv.com wrote:

 So, is there any hope of making it work again using what the repo's for 
 ubuntu 10.04.4 LTS will put back in (version 97.8) using synaptic?  Or has 
 the data format changed so much its hopeless?

97.8 is the current stable version in Debian (98 has just hit unstable) and 
Freshclam is working fine for me. I don't see there being any problems.



Re: [clamav-users] Debian packaging

2013-12-17 Thread Simon Hobson
Greg Folkert wrote:
Simon, 
Why not open a Bug, or look to see if there is one. Oh wait:
In Pending Upload bugs for 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=727027

Just gotta look. Pending since Oct 2013

Yes indeed.

And lookit that, some Simon Hobson li...@thehobsons.co.uk

Commented on it Fri, 15 Nov 2013 9:54:48 +.

And look what a positive response it's had so far !

Make noise on the list or continue to bomb the bug(s)... This place
ain't gonna be helpful in this regard.

Well since no-one's come back with something like the package maintainer's 
gone AWOL or similar, I'll keep bumping that bug ticket. Does seem strange, I 
don't recall such a long delay in the past.
Updating from source isn't really an option since I need to leave these systems 
maintainable by people who need the simplicity of apt-get upgrade.


[clamav-users] Debian packaging

2013-12-16 Thread Simon Hobson
Does anyone know what the situation is with Debian packages ?
It's been something like 2 months now and 0.98 still doesn't appear to have 
made it to unstable, let alone testing.

I'm assuming this also affects Debian derived distros like Mint and Ubuntu.


Re: [clamav-users] Virus names - a rose by any name?

2013-01-13 Thread Simon Hobson
Pancho wrote:
Hi - thanks to everyone for the replies. I have seen 2 replies now and it
may well be that I have not been clear enough because both are at cross
purposes.

Then it might help if you elaborated on what you meant.

Unfortunately I don't have further time to invest in this topic but I do
hope that someone at ClamAV sees value in the suggestions.

They might if they could understand what the suggestions were. It's clear from 
your response that what people took away from your post is not what you meant. 
Hence it's unlikely that anyone will see value in something they haven't seen.
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [clamav-users] Virus names - a rose by any name?

2013-01-12 Thread Simon Hobson
Pancho wrote:

While I understand the comment, it makes it risky I believe from a security
perspective to tell users anything more than "file contains virus".

I say this because if we find a virus and provide the message "file contains
virus with name ClamAV proprietary virus name XYZ" then malicious users
can effectively deduce our virus engine simply by using the custom name.
See the site http://virusscan.jotti.org/en for a very easy illustration of
how to do this.

Once the malicious user knows this again, it is a fairly straightforward
thing for them to test exploits against a site like jotti until they find
one not detected by ClamAV - then submit that exploit to our site knowing
that it will successfully bypass our anti virus.

AFAIK ClamAV doesn't tell outside users anything - that is up to the software 
that calls it and the administrator that set it up.

For example, suppose we are using ClamAV to scan inbound mail - using Amavis as 
integration software as that's a fairly common setup. So when the email is 
submitted by the outside MTA, our MTA hands off the message to Amavis, and 
Amavis (amongst other things) hands it off to ClamAV.

The response sent to the outside MTA can be anything from "message blocked" at 
one extreme to "ClamAV found XXX" at the other - and where in that spectrum is 
down to not just ClamAV (which should correctly identify what it found IMO), 
but also the config of Amavis and the config of our MTA.

Of course, what is reported to the outside MTA can be different to what is 
logged in our mail log. We may just report "blocked" to outside while logging 
full details (as is usually the case) in the mail log so that the administrator 
has more information if the reason is queried.

Much the same applies if you scan inbound files on a web site that allows 
uploads - what ClamAV reports to your software, and what your software reports 
to the end user may be different things.


Re: [clamav-users] linux scan of WordPress directories

2012-08-14 Thread Simon Hobson

Vid Luther wrote:


 I'm wondering if it's possible to run ClamAV on a file system that has a
ton of WordPress installs.


Yes, use (IIRC) clamscan to scan the directories.
I've done that on my servers when there's been any question about a 
customer site.


--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.


Re: [clamav-users] Licensing DLLs

2012-05-14 Thread Simon Hobson

Chuck Swiger wrote:


  What if WE made an AV plugin DLL to link our software with libclamav?

If your software license isn't GPL-miscible, then you should not 
redistribute the combination of your software, the plugin, and 
ClamAV.


Isn't this a case where the component they've linked with (in this 
case) ClamAV would need to be GPL, but the other component it talks 
to doesn't need to be ?
I'm assuming these are separate units - ie there's the closed main 
system, and the GPL plugin code linked with ClamAV.


The fact that the closed main system is distributed alongside the GPL 
code doesn't mean it has to be GPL - provided they are clear in the 
documentation etc which parts are closed, and which are GPL. Very 
much a flip round of the case where software uses non-free libraries 
(http://www.gnu.org/licenses/gpl-faq.html#FSWithNFLibs)



Also,
http://www.gnu.org/licenses/gpl-faq.html#GPLInProprietarySystem
says :

However, in many cases you can distribute the GPL-covered software 
alongside your proprietary system. To do this validly, you must make 
sure that the free and non-free programs communicate at arms length, 
that they are not combined in a way that would make them effectively 
a single program.


It then goes on to say :

The difference between this and incorporating the GPL-covered 
software is partly a matter of substance and partly form. The 
substantive part is this: if the two programs are combined so that 
they become effectively two parts of one program, then you can't 
treat them as two separate programs. So the GPL has to cover the 
whole thing.


My interpretation of this would be that in the case the OP asked 
about, provided he makes the plugin a distinctly separate program 
(and GPLs any code he adds to the GPLd code to make it work with his 
API) then it would qualify. It would require the plugin to be 
separate and optional - but I see no reason it can't be shipped on 
the same disk.




The GPL is actually not as all-encompassing and restricted as many 
believe - it *IS* possible to combine GPL and non-free software in a 
system if you do it right, and using GPL software does *NOT* 
automatically mean the entire system has to be GPL. Perpetuating 
these myths doesn't do anyone any good.


If in doubt, the OP could always ask FSF who I'm sure would be quite 
happy to have someone ask them rather than make assumptions and/or 
get it wrong. I dare say they'd be happier if the whole lot was GPLd, 
but Rome wasn't built in a day.


--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.


Re: [clamav-users] Some questions about setting up ClamAV

2012-01-28 Thread Simon Hobson

Andy Newby wrote:


How can we have clamAV automatically scan the images after they are
uploaded (to catch any viruses as quickly as possible)?


You'd need to get your software to do that. Between accepting the 
upload and doing anything with it, call Clamscan to scan it.


Alternatively, and I don't know if this is possible, I believe some 
OSs have facilities to monitor a filesystem for changes. If you can 
get the system to tell you when a new file has been created in your 
upload directory, then you could scan it then - but of course you may 
need to wait for the upload to complete.


If it is not possible to set up clamAV like this, how can we set up 
a cron job to scan the image folders and domain / server ?


You create a cron job, to run at whatever schedule you want, that 
calls Clamscan with the options you want.


--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.


Re: [clamav-users] Some questions about setting up ClamAV

2012-01-25 Thread Simon Hobson

Andy Newby wrote:


We're using ClamAV on a Unix Centos Server, with WHM and Cpanel, we would
like to do this:

1)  Set up a cron job to scan a single domain (via Cpanel), and a cron job
for the entire server (via WHM), how?


Create cron jobs to call clamscan with the options you want ?


2)  We would like to set up a cron job to update ClamAV with the latest
virus DB on a single domain (via Cpanel), and a cron job for the entire
server (via WHM), how?


Ditto. Set up cron jobs to call freshclam. Or just let freshclam do 
its job automatically. If you have a lot of instances to update, you 
might consider setting up a central server to fetch updates and then 
let individual servers/instances fetch from that.



3)   our web site allows users to upload images via a standard form.   We
would like to set up ClamAV to be able to scan their file before it gets
uploaded to the server, how can we do this?


You can't - it's not there to scan before it's been uploaded. You'd 
need to look at the software being used and get it to scan all new 
files before it goes on to use them.


--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
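One way to wire up the advice in this thread and in the earlier "Virus names" reply, as an added example that is not part of the original posts: a Python gate that scans a quarantined upload with clamscan before anything else uses it, rejects when the scan cannot complete, logs the signature name locally and gives the uploader one generic message. The function names, directory layout and sample scanner output are assumptions constructed for illustration.

```python
import logging
import os
import re
import subprocess
import tempfile
from dataclasses import dataclass
from pathlib import Path

log = logging.getLogger("upload-scan")

# clamscan exit codes per its man page: 0 = no virus found, 1 = virus
# found; any other value means the scan did not complete.
CLEAN, INFECTED = 0, 1
FOUND_RE = re.compile(r"^.*: (?P<sig>\S+) FOUND$", re.MULTILINE)
# One public wording for every rejection, so the uploader cannot tell a
# detection from a scanner failure or learn which signature matched.
PUBLIC_REJECT = "Upload rejected."


@dataclass(frozen=True)
class Verdict:
    accept: bool
    public_message: str  # returned to the uploader
    detail: str          # written to the local log only


def run_clamscan(path):
    """Run clamscan on one file; return (exit_code, combined output)."""
    proc = subprocess.run(
        # An absolute path cannot be mistaken for a command-line option.
        ["clamscan", "--no-summary", str(Path(path).resolve())],
        capture_output=True, text=True, timeout=300,
    )
    return proc.returncode, proc.stdout + proc.stderr


def scan_upload(path, runner=run_clamscan):
    """Scan a quarantined upload and decide; reject on any scan failure."""
    try:
        code, output = runner(path)
    except (OSError, subprocess.SubprocessError) as exc:
        # clamscan missing, not executable, or timed out.
        code, output = 2, f"scanner could not be run: {exc}"
    if code == CLEAN:
        verdict = Verdict(True, "Upload accepted.", "clean")
    elif code == INFECTED:
        match = FOUND_RE.search(output)
        sig = match.group("sig") if match else "unparsed"
        verdict = Verdict(False, PUBLIC_REJECT, f"infected signature={sig}")
    else:
        verdict = Verdict(False, PUBLIC_REJECT,
                          f"scan-error exit={code} output={output.strip()!r}")
    log.log(logging.INFO if verdict.accept else logging.WARNING,
            "upload %s: %s", path, verdict.detail)
    return verdict


def handle_upload(quarantined, public_dir, runner=run_clamscan):
    """Publish a file only after a clean scan; otherwise delete it."""
    quarantined = Path(quarantined)
    verdict = scan_upload(quarantined, runner)
    if verdict.accept:
        # Quarantine and public directories are assumed to share a filesystem.
        os.replace(quarantined, Path(public_dir) / quarantined.name)
    else:
        quarantined.unlink()
    return verdict


def demo_upload_gate():
    """Exercise the gate with constructed scanner results (no clamscan needed)."""
    def missing(path):
        raise FileNotFoundError("clamscan")

    cases = {
        "clean": lambda p: (0, f"{p}: OK\n"),
        "infected": lambda p: (1, f"{p}: Example.Test.Signature FOUND\n"),
        "error": lambda p: (2, "ERROR: constructed scanner failure\n"),
        "missing": missing,
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        inbox, public = Path(tmp, "quarantine"), Path(tmp, "public")
        inbox.mkdir()
        public.mkdir()
        for name, runner in cases.items():
            upload = inbox / f"{name}.png"
            upload.write_bytes(b"constructed upload body")
            verdict = handle_upload(upload, public, runner)
            published = (public / upload.name).exists()
            results[name] = (verdict, published, upload.exists())
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for name, (verdict, published, left) in demo_upload_gate().items():
        print(name, "->", verdict.public_message, "| published:", published)
```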


Re: [clamav-users] How can I have clamd reject items that can't be scanned?

2011-11-09 Thread Simon Hobson

Per Jessen wrote:


  It's not about not being able to scan, it's about not wanting to

 scan. Regardless, clamav doesn't reject or approve mails, that's for
 your MTA to do.


 If you use ClamAV as milter, it's up to ClamAV to tell the MTA what to
 do so I guess there's a task for ClamAV too..


Well,  I guess it depends on your point of view. Personally I see the
MTA doing the rejection, possibly based on information from elsewhere
(DNS, blacklists, clamav, wherever).


This is a rather pointless argument about semantics which doesn't 
answer the original question. I'll rephrase it for the pedants :


I see that there are ways to limit the level of archive that will be 
scanned as well as the size of the entities to be scanned.  Is there 
a way for CLAMAV to then flag them as not allowed?


Oh, I see it works without modification. "Is it possible for ClamAV to 
flag that the message should be rejected if it can't be scanned" - 
seems a reasonable question to me. The OP didn't say "is it possible 
for ClamAV to reject the message", they rather correctly asked about 
flagging it for rejection.


--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.


Re: [clamav-users] How can I have clamd reject items that can't be scanned?

2011-11-09 Thread Simon Hobson

Per Jessen wrote:


The OP started by saying there are ways to limit the level of archive
that will be scanned as well as the size of the entities to be
scanned, which are performance optimizing options one can use if
desired. To which I commented that it's not about a message that can't
be scanned, but whether your limits allow it to be scanned.  Remove the
limits, and everything is scanned (presumably only limited by hardware
resources).


Well of course there have to be limits somewhere, and I recall one 
issue is malevolent attachments designed specifically to crash 
extractors.
A second issue I recall from the past is the sending of password 
protected archives - the scanner is unable to check it, but of course 
a user taken in by the message may well open it. So that's a separate 
consideration - whether to allow password protected archives or to 
reject them.



Nonetheless, it is actually an interesting question - should/does clamav
return not-scanned-due-to-user-restriction in such cases?


I guess that's the key question, and is it possible to set the 
reported result to reject in that case ?

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.


Re: [clamav-users] Value too large for defined data type

2011-10-17 Thread Simon Friedberger

On 14.10.2011 20:02, Christoph Moench-Tegeder wrote:

Simon, can you recompile the test program with
gcc -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE x.c -o xtest
and test again?


Yes, that works. :)



[clamav-users] Value too large for defined data type

2011-10-14 Thread Simon Friedberger

Hello everybody,

I'm getting the following error trying to scan a file:

WARNING: myfilename: Can't access file
myfilename: Value too large for defined data type

It seems that this error can be caused by different problems like a 
wrong inode number when mounting CIFS or very large files. (Suggested by 
some websites and old mailing list entries.)


I have three questions:

1. How do I find out which value really causes the issue?
2. How do I scan very large files?
3. How do I find out what the current maximum file size for scanning is? 
The man page says the default is 25 MB but it is not set in /etc/clamav/ 
anywhere and I have scanned files larger than that.


It would be great if you could clear up some of these points for me.

Best,
Simon



Re: [clamav-users] Value too large for defined data type

2011-10-14 Thread Simon Friedberger

Hi, Al!

On 14.10.2011 11:01, Al Varnell wrote:

On 10/14/11 1:49 AM, Simon Friedberger simon+gm...@a-oben.org wrote:


3. How do I find out what the current maximum file size for scanning is?
The man page says the default is 25 MB but it is not set in /etc/clamav/
anywhere and I have scanned files larger than that.


It's in clamd.conf, but if you run clamconf it will tell you all the
settings.


There is nothing related to filesize in /etc/clamav/clamd.conf and 
clamconf doesn't seem to exist either.

This is my version:
ClamAV 0.97.2/13798/Fri Oct 14 08:54:16 2011
from the package:
0.97.2+dfsg-1~lenny1



Re: [clamav-users] Value too large for defined data type

2011-10-14 Thread Simon Friedberger

Hi, Edwin!

On 14.10.2011 11:02, Török Edwin wrote:

On 10/14/2011 11:49 AM, Simon Friedberger wrote:


It seems that this error can be caused by different problems like a wrong inode 
number when mounting CIFS or very large files. (Suggested by some websites and 
old mailing list entries.)


What is your filesystem? What is your kernel ('uname -mrsp')?

The filesystem is ext3 and the kernel is Linux 2.6.26-2-686 i686 unknown 
(uname -mrsp output).



Are you running a 32-bit or 64-bit ClamAV? ('file /usr/bin/clamscan' will tell 
you)

Well, since the entire system is 32-bit...

/usr/bin/clamscan: ELF 32-bit LSB executable, Intel 80386, version 1 
(SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.8, stripped



I have three questions:

1. How do I find out which value really causes the issue?


Does 'stat myfilename' work?

Yes.


2. How do I scan very large files?


I don't think it's the file's size the problem, but rather its inode.
Use a 64-bit clamscan/clamd if your filesystem uses 64-bit inodes.

Well, I don't think that's the problem here, because stat works, right? 
The filesize is 2.8 GB, btw.



3. How do I find out what the current maximum file size for scanning is? The 
man page says the default is 25 MB but it is not set in /etc/clamav/ anywhere 
and I have scanned files larger than that.


If you scan something outside the limits you don't get an error, you get an OK.

Oh, okay. So how do I find out what the limit is?

Best,
Simon



Re: [clamav-users] Value too large for defined data type

2011-10-14 Thread Simon Friedberger

On 14.10.2011 11:42, Török Edwin wrote:

On 10/14/2011 12:30 PM, Simon Friedberger wrote:

Hi, Edwin!

On 14.10.2011 11:02, Török Edwin wrote:

On 10/14/2011 11:49 AM, Simon Friedberger wrote:


It seems that this error can be caused by different problems like a wrong inode 
number when mounting CIFS or very large files. (Suggested by some websites and 
old mailing list entries.)


What is your filesystem? What is your kernel ('uname -mrsp')?

The filesystem is ext3 and the kernel is Linux 2.6.26-2-686 i686 unknown (uname 
-mrsp output).


Are you running a 32-bit or 64-bit ClamAV? ('file /usr/bin/clamscan' will tell 
you)

Well, since the entire system is 32-bit...

/usr/bin/clamscan: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), 
dynamically linked (uses shared libs), for GNU/Linux 2.6.8, stripped


I have three questions:

1. How do I find out which value really causes the issue?


Does 'stat myfilename' work?

Yes.


How big is the inode number printed? Is it bigger than 2^31?
Maybe the stat command is compiled with Large File Support, and ClamAV is not.

Well, the inode number is 131309605 which should be well below 2^31.


Also can you compile and run this testprogram on that file?
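$ cat >x.c <<EOF
#include <stdio.h>
#include <sys/stat.h>
int main(int argc, char *argv[])
{
    struct stat sb;
    if (argc != 2) {
        fprintf(stderr, "Usage: %s <filename>\n", argv[0]);
        return 1;
    }
    /* Plain stat(): on a 32-bit build without large file support this
       fails when a value does not fit in struct stat. */
    if (stat(argv[1], &sb) == -1) {
        perror("stat failed");
        return 2;
    }
    printf("stat successful\n");
    return 0;
}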
EOF
$ gcc x.c -o xtest
$ ./xtest myfilename

Does it print an error?

Yes, it does.
stat failed: Value too large for defined data type
Now what does that mean? :)



Re: [clamav-users] Value too large for defined data type

2011-10-14 Thread Simon Friedberger

Hey, Edwin!

On 14.10.2011 15:19, Török Edwin wrote:

On 10/14/2011 04:13 PM, Simon Friedberger wrote:

Does it print an error?

Yes, it does.
stat failed: Value too large for defined data type
Now what does that mean? :)



I think I got it:
 off_t st_size;/* total size, in bytes */

The st_size member of the stat buffer is a signed value, so any file over 2GB 
in size would be negative. stat() won't allow that so instead it returns an 
error telling us we should use the stat64() call probably.

Please open a bugreport, the fix is likely to detect the errno and simply skip 
scanning such files (on 32-bit anyway).

Would you mind filing it, I would have to create a login first.

In any case, thanks for your help so far!

Best,
Simon



Re: [clamav-users] Clamav 0.97.0 to 0.97.1 on squeeze(Debian 6.0)

2011-06-22 Thread Simon Hobson
OLCESE, Marcelo Oscar. wrote:

Query, why is not available in the repositories squeeze 0.97.1 version?
Nor are the volatile repositories.

Simple - because it hasn't made it yet. It has made it into Unstable (Sid), and 
in time it will work its way through.
http://packages.debian.org/search?keywords=clamav&searchon=names&suite=all&section=all

The way things work is :
The main program gets updated - known as the upstream package from the 
perspective of a distribution.
The maintainer of the packaged version for the distribution spots that it's 
been updated.
He'll pull down the new version, apply any changes to distributionise it, and 
build a package for the distribution.
This distribution specific package then goes through a testing process before 
being released through the distribution specific mechanisms.


In the case of Debian, this means that one of several package maintainers 
(there are three individuals, plus ClamAV Team listed) has observed the new 
upstream version.
It's been debianised, and put into Sid.
At some point, when it's been decided that it's stable etc, it will migrate to 
testing, volatile and backports as appropriate.
Eventually, when the next Debian release happens, it will migrate to stable.


Many of these steps will be automated, but still need checking. For example, 
part of Debianising a package involves moving components from wherever the 
upstream package normally puts them to the locations used by Debian, and 
creating distribution specific files (such as the startup/shutdown script for 
/etc/init.d).
While this would be done with automated scripts and patch files, each time the 
upstream version changes, these need to be checked to see that they still work 
correctly - and of course, the scripts/patches updated if something has changed.

There may of course be distribution specific bugs/issues to be dealt with, and 
some of those may well involve creating a fix to be passed up to the upstream 
package maintainers.


The price you pay for using a distribution rather than doing it yourself is 
that you get a delay between the upstream package getting updated and your 
distribution reflecting that. The upside is that others have done a **LOT** of 
work so that you don't have to.
You have a choice - either wait, try installing the package from Sid, or 
download the upstream package and install it manually. All of these have their 
pros and cons - you would have to work out which is best for you.

I hope this gives you some idea of the process involved, and why there is 
inevitably a delay before an update appears when you apt-get update && apt-get 
upgrade.
-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.


Re: [clamav-users] daily database broken again

2011-03-01 Thread Simon Hobson

Nathan Gibbs wrote:


  I am not aware of the team issuing a new major version number that they
  then break in a few months with a new major version update.

0.95.x was the latest version less than a year ago.  To me, it seems a little
soon to EOL it.





  At some point the end user has to accept his/her responsibility for keeping

 their machines properly updated. I am not talking about every day, but at
 least every few months,


Agreed.


 six at most,


That is a good way to do it.
That is also your policy/opinion.
It may not work for someone else.


 a user should inventory their system and take appropriate maintenance. To
 expect others to waste valuable time in developing a product and keeping it
  fully compatible with older versions is ludicrous.



Agreed.
Supporting 0.94.x or earlier now would be a waste of resources.

I did feel bad for the 0.94x and 0.93x users who got caught in last year's flag
day, but it was a flag day what are you gonna do.
Those running 0.92x or older, IMNSHO were just plain stupid and got what they
deserved.
But I do realize that it is just my not so humble opinion, and they just might
have had good reasons for running software that old.


 If you blame others for your failures, do you credit them with your
 success?



That's an unsafe question to answer.
No matter how it's answered, you shoot yourself in the foot.

It's like  Have you quit beating your wife?
Yes - You were beating her.
No - You are beating her.

The failures are usually all mine.
The successes usually involve other people.

And attribution is always the right way.
Open Source wouldn't work otherwise.
:-)


Thanks Nathan for articulating what I suspect quite a lot of us think.

I too am grateful to the ClamAV team - but I also sometimes think 
their attitude to users lacks sensitivity at times.


--
Simon Hobson



Re: [Clamav-users] block attachment with certain file endings (also in archives)

2010-09-28 Thread Simon Hobson

Erwan David wrote:


  gmail blocks attachments with certain file endings (also if the files

 are in certain archives):

 http://mail.google.com/support/bin/answer.py?answer=6590

 I am using clamav-milter with postfix. Is it possible to implement this
 policy through custom clamav signatures? From the signatures pdf I was

  not able to figure it out so far.




amavis may do this (and call clamd for handling viruses)


Yes, Amavis will do it. IIRC it defaults to blocking a small number 
of extensions (such as .exe and .scr). It also unpacks archives (zip, 
tar, etc) to check the contents.


My knowledge isn't enough to say (without searching) where it's 
configured - but I do recall there is a Perl array with a list of 
extensions to block.


--
Simon Hobson



Re: [Clamav-users] Tiered freshclam updates on port443

2010-05-20 Thread Simon Hobson

Shawn Bakhtiar wrote:

I still say having firewalls from higher security zones to lower 
ones, does not make sense. Security is only valid when it is 
INBOUND. Outbound security is no security at all, just a pain for 
your users.


I used to think like that, but now I'd respectfully disagree.

It's not an answer in its own right, but used intelligently it 
provides another layer of protection. OK, if your server gets 
compromised then it doesn't protect the server, but it does restrict 
the damage it can do.


For example, if you don't require to access external FTP servers, 
then don't allow outbound FTP connections. Should your server get 
compromised and the  use it to try and brute-force attack other 
FTP servers, instead of using up your bandwidth and causing a 
headache for the targets, the connections fail. On the other hand, if 
the basic software installed by the hack is unable to contact its 
command centre for instructions (or to install additional software), 
then it's going to be useless to the attacker.


In a similar vein, I ALWAYS configure my routers etc to only allow 
outbound SMTP connections that are actually required. In the general 
case, end user machines should not be sending mail other than through 
specific servers - and if they are trying to send mail elsewhere then 
most likely it's spam from an infected machine. If a user has a 
genuine reason for sending mail, then the Submission port (which I do 
allow) is the way to do it. Again, it's not protecting your systems 
which are already compromised, but it's limiting the damage that then 
follows - damage in bandwidth costs, and reputational damage from 
getting blacklisted.


Just two examples that came to mind for no particular reason - and if 
you believe that you'll believe anything !


Yes it needs more work to set up, and figure out what connections you 
require - but IMO it's worth it in many cases. As you say, there are 
cases where it's not appropriate, and you need to judge each case on 
its merits in an intelligent way. Strike a reasonable balance 
between protection, being a good netizen, and allowing users to do 
their jobs.



Having said all that, in this case, I'm inclined to agree that the 
requested functionality isn't really a generally useful thing to be 
doing.


--
Simon Hobson



Re: [Clamav-users] Some doubts about Clamav upgrade

2010-05-05 Thread Simon Hobson

Freddie Cash wrote:

  Does it first uninstall the existing version?




If it was installed as a .deb package (via dpkg, apt, aptitude, whatever),
then yes.


dpkg -l | grep clam will show if it was installed as a deb package 
- it should show clamav and freshclam as installed. If it lists 
nothing then they may have been installed manually and the OP will 
have to figure out how and where they are installed - ideally 
removing them before installing the new deb packages.


It may be useful to know which Debian version the OP is using - since 
if it's Lenny he wouldn't have 0.93 installed, and if it's older then 
there isn't an up to date version in the repositories.


If it's Sarge, then Gianluigi Tiesi posted this back on 16th April, 
it worked for me on one of my systems :


  Temporary fix for debian sarge, I suggest anyway to upgrade your 
distribution:

 
  download packages from:
  http://falco.netfarm.it/clamav/clamav-sarge/
 
  then
 
  /etc/init.d/clamav-daemon stop
  /etc/init.d/clamav-freshclam stop
 
  apt-get remove libclamav3
 
  rm -fr /var/lib/clamav/*
  rm -f /var/log/clamav/*
 
  dpkg -i *.deb
  (you can skip docs and testfiles)
 
  apt-get -f install
  if some deps is broken
 

ah forgot, then
dpkg --purge libclamav3



--
Simon Hobson



Re: [Clamav-users] Some doubts about Clamav upgrade

2010-05-05 Thread Simon Hobson

Wagner Pereira wrote:


1. My Debian is a Etch 4.0
2. My sources.list file has
deb http://volatile.debian.org/debian-volatile etch/volatile main contrib non-free

3. That's my dpkg -l | grep clam output
ii  clamav            0.93~dfsg-volatile1              anti-virus utility for Unix - command-line i
ii  clamav-base       0.95.3+dfsg-1~volatile1~etch2    anti-virus utility for Unix - base package
ii  clamav-daemon     0.93~dfsg-volatile1              anti-virus utility for Unix - scanner daemon
ii  clamav-freshclam  0.93~dfsg-volatile1              anti-virus utility for Unix - virus database
ii  libclamav4        0.93~dfsg-volatile1              anti-virus utility for Unix - library


What should I do to upgrade my Clamav? Do I need to backup something 
from Clamav before?


OK, according to 
http://packages.debian.org/search?keywords=clamav&searchon=names&suite=all&section=all, 
etch-volatile has 0.95.3 for i386. So you should be able to upgrade 
with :


apt-get update && apt-get upgrade

this will upgrade everything on your box to the latest versions.

Alternatively, you can apt-get update to update your local package 
indexes, and then apt-get install clamav freshclam to upgrade just 
those two packages and any thing that needs updating to meet 
dependencies. apt-get --no-install-recommends install clamav 
freshclam will limit upgrades to only those that are required.


As with any upgrades, it's always worth having a full backup and a 
means of reverting back if something goes wrong.


--
Simon Hobson



Re: [Clamav-users] No debian woody support anymore?

2010-05-03 Thread Simon Hobson

Dennis Peterson wrote:


What they did was a bad call. They wilfully let freshclam download an
update which they knew would crash the clamd service.


This was going to happen anyway when the signatures grew to take 
advantage of the new format. Older versions of clamd were going to 
die sooner or later. It was inevitable this would happen.


The rest only makes sense IF that statement is true. It's already 
been pointed out that it was not inevitable, and had the team cared 
then there were ways of not making old versions die.
More than one technique has been mentioned, and at least one of them 
would have been viable.


The rest of your response rather reinforces Mark's point.

--
Simon Hobson



Re: [Clamav-users] No debian woody support anymore?

2010-05-03 Thread Simon Hobson

Jim Preston wrote:

The rest only makes sense IF that statement is true. It's already 
been pointed out that it was not inevitable, and had the team cared 
then there were ways of not making old versions die.
More than one technique has been mentioned, and at least one of 
them would have been viable.


The rest of your response rather reinforces Mark's point.


Simon, Mark,
Are you ever going to get over it and move on? If you are unhappy 
with ClamAV's decision take your bat and ball and go to some other 
ball park.


I am over it, and I have moved on. However, as long as people keep 
making untrue statements ...


It was the only way
and
it was inevitable
and
ClamAV **was** going to break sooner or later

are all untrue statements.

On the other hand
It was the only way **that the ClamAv team were prepared to act**
and
it was inevitable **given the choices made**
and
ClamAV **was** going to break sooner or later **given the decision 
to make it do so**


are all true statements.


--
Simon Hobson



Re: [Clamav-users] Resources for integrating with spamassassin+amavisd

2010-05-03 Thread Simon Hobson

Chris Meadors wrote:


Rsync treats all files as binary.  When finding changes it splits a file
into blocks, computes a checksum for each block and performs a
comparison between the sending and receiving side.  Then it only sends
the blocks which have changed.

When dealing with a text file which has been appended to, like a log,
all the initial blocks are the same.  But if the file is sorted, it's
possible only a few additional lines will disrupt most every block by
changing the start offsets through out the entire file.


It's actually more efficient than that !
It uses something similar to a rolling checksum to find throughout 
the file. So in principle, you can add a short bit to the front of a 
large file, or even chop a file up into chunks and rearrange them, 
and it will still only transfer the changes.


Andrew Tridgell's research paper is available at 
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.123.1530&rep=rep1&type=pdf

rsync is covered from section 3 onwards.


--
Simon Hobson
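
The rolling weak checksum described in this message, as an added example that is not part of the original post and is not rsync's code: it compares fixed-offset block matching with a window rolled one byte at a time, using the a/b sums modulo 2^16 from Tridgell's paper. The sample buffers are constructed, the 8-byte block size and function names are assumptions, and memcmp stands in for the strong hash rsync uses to confirm a weak match.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 8        /* tiny block size for the demo */
#define MAX_BLOCKS 64

/* Constructed sample data: the old file, the same data with 3 bytes
 * prepended, and the same blocks in a different order. */
static const unsigned char OLD_FILE[]  = "block-AAblock-BBblock-CCblock-DD";
static const unsigned char SHIFTED[]   = "xyzblock-AAblock-BBblock-CCblock-DD";
static const unsigned char REORDERED[] = "block-DDblock-AAblock-CCblock-BB";

typedef struct { uint32_t a, b; } weak_t;

/* a = sum of bytes, b = sum of (len - i) * byte[i], both mod 2^16. */
static weak_t weak_init(const unsigned char *p, size_t len)
{
    weak_t w = {0, 0};
    for (size_t i = 0; i < len; i++) {
        w.a += p[i];
        w.b += (uint32_t)(len - i) * p[i];
    }
    w.a &= 0xffff;
    w.b &= 0xffff;
    return w;
}

/* Slide the window one byte: drop `out`, take in `in`, in O(1). */
static weak_t weak_roll(weak_t w, unsigned char out, unsigned char in, size_t len)
{
    w.a = (w.a - out + in) & 0xffff;
    w.b = (w.b - (uint32_t)len * out + w.a) & 0xffff;
    return w;
}

/* 1 if the rolled checksum equals a fresh computation at every offset. */
int roll_equals_recompute(const unsigned char *buf, size_t len)
{
    if (len < BLOCK) return 1;
    weak_t w = weak_init(buf, BLOCK);
    for (size_t off = 0; off + BLOCK < len; off++) {
        w = weak_roll(w, buf[off], buf[off + BLOCK], BLOCK);
        weak_t fresh = weak_init(buf + off + 1, BLOCK);
        if (w.a != fresh.a || w.b != fresh.b) return 0;
    }
    return 1;
}

/* Fixed-offset comparison: block j of old against block j of new. */
size_t count_aligned_blocks(const unsigned char *old, size_t old_len,
                            const unsigned char *new_, size_t new_len)
{
    size_t n = (old_len < new_len ? old_len : new_len) / BLOCK, same = 0;
    for (size_t j = 0; j < n; j++)
        same += memcmp(old + j * BLOCK, new_ + j * BLOCK, BLOCK) == 0;
    return same;
}

/* Rolling search: how many old blocks appear at ANY byte offset of new.
 * rsync indexes the checksums in a hash table; a linear scan is used here. */
size_t count_reusable_blocks(const unsigned char *old, size_t old_len,
                             const unsigned char *new_, size_t new_len)
{
    size_t nblocks = old_len / BLOCK, found = 0;
    weak_t sums[MAX_BLOCKS];
    unsigned char seen[MAX_BLOCKS] = {0};

    if (nblocks > MAX_BLOCKS) nblocks = MAX_BLOCKS;
    if (nblocks == 0 || new_len < BLOCK) return 0;
    for (size_t j = 0; j < nblocks; j++)
        sums[j] = weak_init(old + j * BLOCK, BLOCK);

    weak_t w = weak_init(new_, BLOCK);
    for (size_t off = 0;; off++) {
        for (size_t j = 0; j < nblocks; j++) {
            if (!seen[j] && sums[j].a == w.a && sums[j].b == w.b &&
                memcmp(old + j * BLOCK, new_ + off, BLOCK) == 0) {
                seen[j] = 1;
                found++;
            }
        }
        if (off + BLOCK >= new_len) break;   /* last full window checked */
        w = weak_roll(w, new_[off], new_[off + BLOCK], BLOCK);
    }
    return found;
}

int main(void)
{
    size_t o = sizeof OLD_FILE - 1;
    printf("shifted:   aligned=%zu rolling=%zu\n",
           count_aligned_blocks(OLD_FILE, o, SHIFTED, sizeof SHIFTED - 1),
           count_reusable_blocks(OLD_FILE, o, SHIFTED, sizeof SHIFTED - 1));
    printf("reordered: aligned=%zu rolling=%zu\n",
           count_aligned_blocks(OLD_FILE, o, REORDERED, sizeof REORDERED - 1),
           count_reusable_blocks(OLD_FILE, o, REORDERED, sizeof REORDERED - 1));
    return 0;
}
```
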



Re: [Clamav-users] Resources for integrating with spamassassin+amavisd

2010-04-28 Thread Simon Hobson

Bill Landry wrote:

Why, are you blocking outbound rsync traffic?  If so, after 3 years 
of maintaining this script and many thousands of users, this is the 
first time I've heard this request.


Some of us do this by default - set an outbound policy of block and 
allow specific traffic that's allowed. It means that should a machine 
get compromised despite all other precautions, it can't* then be used 
to launch an attack on others (or other servers in your own network) 
and/or is unable to communicate with its control centre. Just 
another layer of security.


* Yes the attacker (assuming they got root equivalent access) can 
clear iptables - but that means they have to be proactive and risk 
making themselves more visible, not to mention they risk their remote 
install breaking networking (and also making their presence visible).


But then what would I know about administering servers :-/

--
Simon Hobson



Re: [Clamav-users] Yet more clubbing of deceased equine.

2010-04-25 Thread Simon Hobson

Sarocet wrote:


The new hostname updates would still have needed the kill signature.
Otherwise, you have the same problem as before, but with a different
hostname.


Someone wasn't reading. The scheme was to remove the original 
hostname BEFORE using any updates that would kill the software. At 
that point, older versions would just stop updating and wouldn't 
break.


Now it's been pointed out that there are a sizeable number of third 
parties providing mirrors, I now agree that this would not have been 
reasonably practical. It may have still worked with different 
filenames, with the added bonus of being able to examine logs and 
work out the scale of the problem - ie how many installations were 
still accessing the old names vs the new names.


--
Simon Hobson



Re: [Clamav-users] No debian woody support anymore?

2010-04-24 Thread Simon Hobson

Daniel McDonald wrote:


  I'm a little confused by this (still), is it not true that simply

 turning off freshclam will allow clamav to continue working indefinitely
 on the existing signature set?


No, you need to turn off freshclam *and* delete one signature, or grab an
older copy of the signature file.


You missed a few steps :
- Find out what has happened to your software that was working fine yesterday.
- Work out what to do RIGHT NOW because your phone is ringing with 
people asking where their mail is*
- Put in place a quick workaround (disable scanning) to allow the 
mail queues to get flowing

- Work out what options are available for dealing with it medium term
- Work out where the sig files are stored
- and then disable freshclam and put yesterday's sig files back
- work out what to do to get onto newer version


* Yes, we've already heard the arguments that mail shouldn't stop 
when ClamAV does - even though that is logically inconsistent with 
the argument that old versions couldn't be allowed to continue 
without updates.


--
Simon Hobson



Re: [Clamav-users] Yet more clubbing of deceased equine.

2010-04-24 Thread Simon Hobson

Chris Knight wrote:


  1) Release a new version that pulls updates from a new hostname.

 2) Wait a couple of weeks, or even six months
 3) Shut down old servers,


 4. Orphan *all* previous versions, including the still heavily used, and
 valid, 0.95s which were released before the hostname change, not just the
 buggy 0.94 and older.


What?  Somebody was running .95 and not the absolute latest?  Why
would anyone do that?  I am in absolute shock. Shock and horror and
sarcasm.  Yes, lots of sarcasm.


Forget it, it's been covered, and you'll never persuade this group of 
people that a) there was any alternative, or b) that there was 
anything ethically or legally wrong with the course of action they 
did take. Also, when I suggested this, it was in some way interpreted 
that I meant running two different upgrade servers/processes in 
parallel.


There is one thing though, under step 3, it should have read remove 
old DNS entries


As for orphaning 0.95 versions, let's take a look. According to an 
earlier post, the bug report was filed in Feb last year. 0.95 was 
released in March last year, and 0.95.2 in June last year.


Had they added another hostname to the DNS prior to the 0.95 release, 
then not a single 0.95 release would have been affected. Had they 
done it in June then only two versions, both more than 6 months old 
would have been affected. It could have gone into 0.95.3 which was 
released after the EOL announcement - and it would still have only 
affected versions older than 6 months.

All this has been pointed out, and rubbished already.

Of course, they could have taken the precaution of adding new DNS 
entries, and then not used them if they decided to take a different 
course of action (such as issuing a poison pill ...


If anyone was running an old enough 0.95 version, then their software 
wouldn't have died, they would have seen update errors in their logs, 
and the fix would have been to change just one or two hostnames in 
their freshclam.conf. As you point out, according to the ClamAV 
supporters, they would have been idiots for using such old software, 
and it would have been their fault - so why would the ClamAV team be 
worried about that when they are happy to make other versions 
actually stop running.*


The other 'reason' not to do that is an argument of why should the 
ClamAV team go to the effort and expense of changing the DNS ?, and 
my suggestion that it would have cost next to nothing in both cash 
and effort terms has been completely dismissed. The only argument put 
forward being you don't know what it costs to change a DNS entry - 
well actually I have a pretty good idea of the cost base for a number 
of common scenarios.


* Oh yes, and some people are still clinging to an argument that the 
ClamAV team did not stop any software from working. It's the sort of 
argument that someone would use to claim he didn't poison his 
neighbour's dog : he didn't give any poison to the dog, the dog took 
it when he put it in a piece of meat and left it where the owner 
takes the dog for a walk - so the dog took it, he didn't give it to 
the dog. It's linguistic/logics gymnastics to try and get around the 
fact that they misused the victims' actions to cause harm rather than 
going and directly causing that harm first hand - the motive and end 
results were identical, only the means differs.
Actions designed to cause harm to a computer system, and a criminal 
offence in the UK.



--
Simon Hobson



Re: [Clamav-users] No debian woody support anymore?

2010-04-24 Thread Simon Hobson

Robert Wyatt wrote:


You missed a few steps :
- Find out what has happened to your software that was working fine
yesterday.
- Work out what to do RIGHT NOW because your phone is ringing with
people asking where their mail is*
- Put in place a quick workaround (disable scanning) to allow the mail
queues to get flowing
- Work out what options are available for dealing with it medium term
- Work out where the sig files are stored
- and then disable freshclam and put yesterday's sig files back
- work out what to do to get onto newer version


* Yes, we've already heard the arguments that mail shouldn't stop when
ClamAV does - even though that is logically inconsistent with the
argument that old versions couldn't be allowed to continue without updates.


I was talking about turning off freshclam anytime in the last two 
years, not the day after your system broke. Again, you're behaving 
as though you had no way of knowing when that is not true.


That assumes one knows in advance that one has to do that - which 
we've already determined was not the case for quite a few people. 
Most people could have upgraded if they knew in advance it was going 
to be forced - but other than that, why would someone turn off 
updates that are working ?


--
Simon Hobson



Re: [Clamav-users] Yet more clubbing of deceased equine.

2010-04-24 Thread Simon Hobson

Stephen Gran wrote:


  1) Release a new version that pulls updates from a new hostname.

You mean, deploy a parallel infrastructure of vhosting, monitoring,
pushing updates, etc?  When most of the mirrors are on third party
servers not under the control of the clamav team?  Do you really think
that's trivial, or were you just making up a solution without knowing
anything about the problem?


There is no parallel infrastructure - though I accept the point about 
mirrors not being under the ClamAV team's control. Presumably they 
aren't going to claim they have no knowledge of who runs mirrors ?


How about this for yet another  option that could have been done at 
the 0.95 release :

Just check for slightly different file names on the same servers.

Before you shout me down about maintaining two sets of sigs etc, I do 
not mean that - you just hard link another file name to the original. 
IFF (and yes, I don't know how the mirrors are updating) the mirrors 
use something like rsync which will deal with hardlinked files, then 
there's no extra bandwidth for updating the mirrors.


When you're ready to cut 0.94 and earlier loose, just stop providing 
the files it looks for.



--
Simon Hobson



Re: [Clamav-users] Yet more clubbing of deceased equine.

2010-04-24 Thread Simon Hobson

Stephen Gran wrote:


Sigh.  I guess you didn't bother to read the part about third party
servers not under the control of the clamav team.  This means updating
the actual edge servers is not trivial.  The 'parallel infrastructure'
wasn't referring to deploying new hardware, it was referring to getting
all the same monitoring, syncing, deploying, serving, etc working with the
new name.  This is fine, although slightly non-trivial given the number
of machines, even when you are the sole admins.  When you're relying on
third parties donating bandwidth and space on 100s of shared servers,
it's less approachable.

But anyway, I think this is end of thread for me.  If you really think
that the clamav team's time is best spent chasing up hundreds of local
admins to make changes to their rsync/webserver/etc vhost configs,
then deploying and testing all the changes necessary to make this work,
instead of working on clamav just to save a few admins a small amount
of work that they should have been doing anyway, you're welcome to your
opinion, and I won't bother you with mine any more.  I just disagree.


Actually, I will thank you for actually putting forward a reasoned 
argument rather than just can't be done. Now the external factors 
have been pointed out, that is somewhat harder than it first 
appears. See, contrary to what some people may be thinking, I can be 
persuaded by **reasoned** debate.


--
Simon Hobson



Re: [Clamav-users] No debian woody support anymore?

2010-04-23 Thread Simon Hobson

Thomas Hochstein wrote:


  OK, how's this then. 9.5.3 (IIRC) came out about the time the notice

 was published. It costs virtually nothing to add an extra DNS entry,
 and the release could have had the default server URL changed for
 Freshclam to fetch updates. it wouldn't even have been a great issue
 to have a 9.5.4 just for that - and of course the change would be
 quite prominent in the release notes then as well.


Why didn't you suggest that beforehand?


Because, as has been made quite clear beforehand, I did not know this 
was happening - and I'm far from alone in that. If I had been aware 
at the right time* then I would have suggested it.


* Note that right time does NOT mean spotting the EOL announcement 
when it was made. That was too late as the decisions had already been 
made then.



Why didn't you just DO that if you consider it necessary as it costs
virtually nothing, neither time nor money?


Eh ? Are you suggesting that I have the ability to go back in time 
and make changes to someone else's DNS and code ?


As for costs virtually nothing, yes I believe that is a good 
description of what it would have cost - and don't forget that 
deciding to EOL and forcibly block older versions was not without 
cost. Unless the project has some strange ways to make things tedious 
and difficult to change, then it would probably have cost less in 
time than the discussions (if there were any) on the ethics of 
issuing a kill signal to older software.


But it's a moot point - the team didn't do that, we are where we are, 
and a lot of people are unhappy for various reasons.


--
Simon Hobson



Re: [Clamav-users] No debian woody support anymore?

2010-04-23 Thread Simon Hobson

Rob Sterenborg wrote:


  Message of freshclam did not specify that older versions would stop.

 It was the same message as for minor upgrades. This did not give the
 information that something different than usual was planned.


It still means you should upgrade and the message was ignored long 
enough that ClamAV stopped working. The fact that there is no 
*immediate* need to upgrade when the message is first seen, does not 
mean you can wait that long.


The OP use(s|d) an EOL Debian and an EOL ClamAV. If the OP upgrades 
ClamAV to a more recent version then he's back in business, even 
with an EOL Debian.


And ... it proves your argument that there was a warning message so 
it's entirely the user's fault is completely bogus. Guess what, with 
a fully up to date installation, with ALL updates installed, 
freshclam still reports THE SAME WARNING.


So does that mean we should expect our fully up to date installation 
to just stop working ? And when, tomorrow, next week, next month, 
... ? Do we have to start checking the ClamAV website to see if 9.5 
is going to be EOL'd and remotely killed before 9.6 gets into Debian 
? Note that just updating a fresh install isn't sufficient to give a 
working system - a fresh Debian install, with all updates installed, 
does not have a working ClamAV on it. Users need to add Volatile for 
that to work.


Yes, it would be an idea to keep a bit more current, but that 
**SHOULD** be the decision of whoever is responsible for the box 
having balanced all the factors that affect his (or her) operations. 
It may not be the case for this particular package, but there are 
often other things that prevent upgrades - I've got several systems 
running various old versions of various OS's for the simple reason 
that I've got various items of hardware that have no support in 
current versions.


I have a system still running DOS 3.something - it's part of a system 
that no longer has any vendor support but which still does the job I 
require it to do. I have a VM running Windows 98 because I have some 
software I need to run on it. I have a pile of CD's here that are 
unreadable in Vista or Win7 - so to access the manuals on them I must 
run an outdated system. I have an old laptop with Mac OS 10.4 because 
my scanner software won't run on 10.5 or 10.6 and the vendor has 
dropped support. And I've got boxes here (still doing useful jobs) 
for which 10.5 is not a supported OS.


And those are only the 'hard' limits - ie stuff that *cannot* be 
upgraded. There are 'soft' reasons too - such as balancing the risk 
of upgrading vs the risk of not upgrading. I have one system where I 
know 100% that applying all updates *will* break it - so I have to 
hold back certain packages until one or other of the incompatible 
bits gets fixed.


Applying the logic used with some venom here, every one of those 
systems should have been upgraded and/or scrapped - never mind 
whether they would still be capable of doing the job they are there 
for.



Again, not aiming this at you specifically, but at all those who have 
been advocating with religious zeal that there should be, and cannot 
be, any other policy than all updates applied all the time as soon 
as they come out - or something very close to that. And then I note 
that one of those busy telling people they are complete idiots and 
unfit to be running a toaster (OK, slight exaggeration for dramatic 
effect) for running anything but the very latest versions ...


... earlier today admitted that he has a system to take through six - 
yes SIX - OS upgrades to bring it up to date. I can only assume he 
had his reasons, and that he balanced the risks (upgrade vs leave 
alone), and most importantly that if left for as long as it has ... 
he had some expectation that it wouldn't be artificially crippled by 
some outside influence before he got around to upgrading it.



--
Simon Hobson



Re: [Clamav-users] No debian woody support anymore?

2010-04-23 Thread Simon Hobson

Jerry wrote:


By the way, I still also have an old 8086 with DOS 3? (I don't remember
the version) that still works. I still use it on occasion to copy old
5.25 floppies to other media. Yes, some local government agencies have
valuable documents archived in that format. However, I would never
expect it to run Win7, nor do I bitch to Microsoft about it either.


So, it still runs the software it used to run ? Yes
It's running software that is EOL ? Most definitely
And Microsoft have sent it a poison pill ? No they haven't

There's a difference between not providing any more updates and 
killing something off.


--
Simon Hobson



Re: [Clamav-users] Clubbing a deceased equine

2010-04-22 Thread Simon Hobson

Dennis Peterson wrote:


I believe that best practice with this sort of thing is to only issue
warnings and not to actually force a potentially harmful change without
*express* consent of the user.


Suggest at least one way to inform all the users successfully that 
obsolete software is going to die soon - and don't let it slip past 
you in your solution that the ClamAV people have no way of knowing 
who they need to inform. And recall too, this: Filling their logs 
with warnings didn't work. Posting the notice on the front page of 
their website didn't work. Running commentary in this list didn't 
work. Announcing it in their Announcements list didn't work.


You don't know a way, they don't know a way, and I know for a fact 
it cannot be done


If you start with the pre-requisite that you must stop old versions 
working then you are correct. Remove that pre-requisite and you are 
not.


More than one suggestion has been made of how the team could have 
just moved on and left the old versions behind - without having to 
kill them. These suggestions have been rubbished for various (mostly 
false) reasons.


People keep saying it's the user/admin's fault, that the user/admin 
should take all the blame, and that the user/admin should suffer the 
consequences. Fair enough - how's this for a really odd idea - why not 
just stop providing AV updates to the older versions, and let the 
users/admins take the responsibility and consequences if they 
continue to ignore the warnings that updates have stopped working. If 
they ignore things aren't working errors then I'd agree with you - 
let them deal with it. I don't agree with the argument that things 
are not optimal is a warning to upgrade before things go bang.


--
Simon Hobson



Re: [Clamav-users] (no subject)

2010-04-21 Thread Simon Hobson
 available to them - so there isn't 
even any defence of it being absolutely necessary for the public 
good.


--
Simon Hobson



Re: [Clamav-users] (no subject)

2010-04-21 Thread Simon Hobson

Christer Boräng wrote:

In message 1271831753.5073.28.ca...@localhost, lists writes:

For instance, if I go to a shop and they give me a radio free. I take
that radio home and use it. If that shop then calls me up and says 'If
you don't change that radio, I'm going to break it' it is a case of
blackmail.


A better analogy would be that the shop calls you up to say We're
switching to digital, your analog radio will stop working in six
months, and, in six months time, the radio no longer has anything to
listen to...


Not a good analogy either.
If you want to use that one, it's more like a 
major broadcaster deciding to go digital - and 
then coming round to blow up your radio to stop 
you listening to the local station you actually 
want to listen to that is still on analogue.

--
Simon Hobson



Re: [Clamav-users] No debian woody support anymore?

2010-04-21 Thread Simon Hobson

h...@dip-systems.de wrote:

After the last signature update, clam av stopped working on our woody
installation.



Is there no more support for this Debian Release?


No, according to certain people on this list, you are a cretin, and 
incompetent to even handle the off switch of a computer. If you check 
the list archives - particularly for threads (no subject) and Those 
EOL tweets you'll see that you are far from alone.


There seem to be three groups - those who think it was handled really 
badly and were affected, a small group who think it was handled badly 
but weren't affected, and a group that thinks there is nothing wrong 
and it's all the end user's fault - and especially that the ClamAV 
team did nothing wrong, deliberately interfering with other people's 
servers is both morally and legally acceptable as long as they 
pretended to tell you first, and there was no other possible way they 
could have acted.


Even now when their stance has been shown to be full of logical 
holes, they still persist that anyone disagreeing with their we did 
nothing wrong stance are a bunch of whining losers.


That's how it comes across to me anyway.

--
Simon Hobson



Re: [Clamav-users] Clubbing a deceased equine

2010-04-21 Thread Simon Hobson

Christopher X. Candreva wrote:


Oh come on. If I tell you you'll get wet if you go out in the rain
without an umbrella, is that blackmail ?


OK, so if I tell you that if you keep on going out without an 
umbrella, then I'll throw a bucket of acid over you ... then by your 
argument that's not blackmail, and by other arguments, it's perfectly 
OK because I warned you in advance. That wouldn't be assault, it 
wouldn't be a criminal act - it would be all your fault for ignoring 
the warning I gave.


And by the way, I won't tell you directly, I'll put a notice up in my 
front window that you may or may not walk past and may or may not see.



Old versions of Clam crashed on certain input. You were told when that input
was coming.

It's sounding like the Clam team would have been better off releasing a
too-large signature and going Whoops, I guess old versions can't handle
this. You better upgrade, sorry ! By warning people and releasing a
known-bad signature with a message, somehow it's their fault now.


No, it's not all their fault. But they sure did handle it badly.


--
Simon Hobson



Re: [Clamav-users] (no subject)

2010-04-21 Thread Simon Hobson

Jerry wrote:


I had thought by now that this thread would have died a natural death.
Obviously, I was mistaken. It has continued to pollute this forum for
nearly a week.

What has become conspicuously apparent is that if those who are doing
the most complaining had spent even one percent of that time keeping
their systems up-to-date and keeping themselves abreast of current
development and deployment strategies with the software they employ,
this whole discussion would be academic.

In the interest of eliminating any further waste of my time or computer
resources, I am now instigating a kill filter on this thread.


That's right - if I can't bully everyone round to my way of thinking, 
then I'm taking my ball home. A very grown up attitude !


You (and I mean a small subset of people who are unconditionally 
supporting the action taken by the ClamAV team) have consistently 
used false logic, outright lies, personal insults, and arguments 
worthy of criminal defences to try and weasel out of any blame 
whatsoever for having misjudged things rather badly.


Put bluntly, if people had admitted early on that perhaps it could 
have been handled better, that perhaps they didn't consider all 
classes/types of user, and that it is perhaps not unreasonable that 
users could be a trifle annoyed ... then this **WOULD** have blown 
over ages ago.


It's not that you had to do something that people are complaining 
about, it's not that you ended support for updates to older versions 
that people are complaining about, it's the way you did it and the 
way you refuse to accept that there can be any other valid viewpoint 
that really p***es people off. You may, if you'd read the messages, 
have noted that even people who were not affected by this thought you 
got it wrong.


--
Simon Hobson



Re: [Clamav-users] Clubbing a deceased equine

2010-04-21 Thread Simon Hobson

At 12:12 -0400 21/4/10, Christopher X. Candreva wrote:


  Knowingly disabling running software on computers that is not your own

 is not acceptable.  It is immoral, unethical and perhaps illegal.


But that's not what happened.


Weird idea of did not happen - in what way does we will push an 
update that has the sole purpose of making your software stop 
working NOT constitute Knowingly disabling running software ?


- It is a simple fact - the team made the decision to push this update.
- It is a simple fact that the purpose of this update was to make 
running software break.

- It is a simple fact that this was a desired outcome of the update.
These are simple facts supported by their statement that they were 
going to do this, and what the expected outcome was going to be.


Given these simple facts, I really, really cannot understand the 
mindset that still claims that the ClamAV team did NOT knowingly 
disable software running on other people's machines.


Could someone please explain how on earth you can still claim that 
this didn't happen - and by what logic process you arrive at such a 
statement ?


The **ONLY** defence I can think of is that they assumed an implicit 
permission by virtue of the user running the update process to fetch 
signature updates. That's a very tenuous thing to infer when pushing 
an update that is so different in purpose to what would normally be 
fetched.


--
Simon Hobson



Re: [Clamav-users] (no subject)

2010-04-21 Thread Simon Hobson

Eric Rostetter wrote:

Put bluntly, if people had admitted early on that perhaps it could 
have been handled better, that perhaps they didn't consider all 
classes/types of user, and that it is perhaps not unreasonable that 
users could be a trifle annoyed ... then this **WOULD** have blown 
over ages ago.


I've admitted this often, from the beginning, and my posts are largely
ignored, or refuted, or I'm insulted/slandered/etc.  So, this isn't
a true statement.


If I've overlooked the one person who did admit that, then I 
apologise to you. There are plenty of people who have not, and it 
appears will never, make such an admission.



--
Simon Hobson



Re: [Clamav-users] illegal or not, make a valid argument (was no subject)

2010-04-21 Thread Simon Hobson
 the roses unless they 
were directly causing a threat to the property - and you cannot say 
that me running out of date (ie not updated) AV sigs was directly 
threatening the ClamAV project.


You also cannot claim that my downloading of updates constitutes an 
invite - it constitutes an invite to put AV sig updates on there 
for the purpose of detecting new threats. A poison pill update 
doesn't fit that description.


It is a free service they provide, not to you, but to anyone.  So they
owe you nothing.  You didn't sign any contract with them that they would
provide only valid signatures, or any at all.  You assume the risk in
using the feed.


As a point of law, a contract does not need a signature, nor does it 
even need anything in writing - all it needs is an offer and 
acceptance. In the absence of a definitive statement, the legal 
situation would be whatever the court could determine were the facts 
of the case. In that respect, man freshclam says : freshclam is a 
virus database update tool for ClamAV. In any dispute therefore, 
unless there was something of equal prominence to contradict it, then 
it would be inferred that the purpose of the tool was to deliver AV 
signature updates - not a poison pill designed to stop the software 
working.


This goes beyond any clause designed to avoid liability for errors in 
the program. Yes, the clauses above would absolve you of liability 
for any reasonable errors, but it still would not absolve you of 
liability for deliberate malice.


I assume you will have similar laws over there, but over here, there 
are some rights you CANNOT sign away. The extent varies according to 
the situation (eg consumers have more rights than business). As a 
consumer, even if I sign a contract that a supplier is not liable for 
anything (such as the clauses quoted above), that agreement is 
totally worthless as the law says I cannot sign away those rights - 
and in court the clauses would be declared unlawful and 
unenforceable. Similarly, even if I said I didn't mind if you shot 
me, if you took me at my word, you would still find yourself in court 
- my permission might well be accepted as mitigating when it comes to 
the charge laid or the sentence, but it would not absolve you of a 
crime committed.



I'm just saying that the arguments are lame (calling it blackmail when
it isn't, saying they need permission from each and every user when they
don't, etc).  Come on folks, make your arguments at least reasonable!


I didn't make those suggestions BTW.



Christopher X. Candreva wrote:


Let me drive this home. In the state of New York, until recently if the
government wanted to use eminent domain to take your property, all they had
to do was take out an ad in the paper. They do not need to track down the
owner of the building or land, just take out an ad. If you don't read the
paper that day, the first you hear that your building was being knocked down
may be when the wrecking ball shows up.

This was only amended in 2004 after some particularly nasty battles.

http://ownerscounsel.blogspot.com/2009/06/port-chester-offers-apology-for-taking.html


Now that's a very interesting argument to throw in ! Are you now 
claiming that the ClamAV team are now part of government and are 
entitled to my server by Eminent Domain ? If you are, then poppycock, 
if not, then why bring it up. You even point out that the law has 
been changed on that. Over here we have Compulsory Purchase to cover 
situations where a government body needs to acquire property for a 
project - but they cannot just take it like that.


Yes, over here there are notifications for which public notice is 
sufficient action. If someone wants to build in the fields behind my 
house, then they only have to post notices about the planning 
application on the site - but they must post the notice AT THE SITE, 
not at the developers home. They still cannot come and build on my 
land without my permission - even if they've got planning permission 
and misled the planning board into believing that they have the 
landowners permission or own the land.


Note that building in the field will not stop me living in my house. 
It may affect my amenity value, but it won't stop me living there - 
in the same way that not providing AV updates will affect the amenity 
value of my server, but it won't stop me running it. On the other 
hand, knocking down my house would most certainly affect my ability 
to live there - and you cannot do that in this country without 
serving notice to the property and the registered owner (unless the 
latter cannot be found after reasonable efforts I believe).


As a complete aside, there have been cases (one was local-ish) where 
there's been a mix up (for want of a better polite expression) and 
a contractor has knocked the wrong house down. It usually results in 
serious compensation - and some rather negative PR for those 
responsible.


--
Simon Hobson


Re: [Clamav-users] No debian woody support anymore?

2010-04-21 Thread Simon Hobson

Eric Rostetter wrote:


Faced with an old release of software that will die if the team uses
new functionality due to a known bug, and people who will not upgrade
to the version that fixes this bug, and a reasonably urgent need to use
the new functionality, what exactly would you have done differently?


They have already answered this.  They would force sourcefire/clamav
to spend lots of time, money, and effort to setup a parallel signature
system; one for older versions, one for newer systems.  They seem to
have no qualm with the idea of making sourcefire/clamav pay this price
so they can use the results free of charge...


OK, how's this then. 9.5.3 (IIRC) came out about the time the notice 
was published. It costs virtually nothing to add an extra DNS entry, 
and the release could have had the default server URL changed for 
Freshclam to fetch updates. It wouldn't even have been a great issue 
to have a 9.5.4 just for that - and of course the change would be 
quite prominent in the release notes then as well.


According to the arguments made in support, all responsible/competent 
admins would have been running this or a later version by the time 
support for 9.5 was dropped. On that basis, no responsible/competent 
admin would have been affected by removing the DNS entry used by the 
older versions. Even if someone was still running a 9.5 version 
earlier than the one with the update, it would be one tiny change in 
freshclam.conf to fix it.


Of course, all this would have a prominent entry, not just on the 
ClamAV homepage, but also on the FAQ page whose URL appears in the 
freshclam logs.


Come cutoff date, support is dropped for older versions, but they 
will continue to run. It will not be silent, as freshclam will 
complain several times a day that it can't get updates. This is a lot 
different to mentioning in passing that your version isn't current 
and you might consider upgrading.


So probably even less work than fashioning the poison pill update. 
Less collateral damage. And these threads would have died several 
days ago with a oh, so that's it !


No parallel signature system at all, in fact no changes at all other 
than a slight change to a DNS entry.



But I can see how this would be rejected by those who appear to have a 
religious attitude to there being only one true way to run a server.




The biggest problem with this suggestion is that it came after the fact,
so it isn't a useful suggestion.  No one bothered to offer this advice
before the change was made.


Well, if I'd known, I could have suggested the above ! And I probably 
would have, even if I'd not been running affected software. If any 
project I *am* involved with suggested such a thing then I would 
speak up on that.


--
Simon Hobson



Re: [Clamav-users] No debian woody support anymore?

2010-04-21 Thread Simon Hobson

h...@dip-systems.de wrote:

After the last signature update, clam av stopped working on our woody
installation.



Is there no more support for this Debian Release?


But Gianluigi Tiesi did post this a few days ago - dunno if it will 
work for Woody though.


  Temporary fix for debian sarge, I suggest anyway to upgrade your 
distribution:

 
  download packages from:
  http://falco.netfarm.it/clamav/clamav-sarge/
 
  then
 
  /etc/init.d/clamav-daemon stop
  /etc/init.d/clamav-freshclam stop
 
  apt-get remove libclamav3
 
  rm -fr /var/lib/clamav/*
  rm -f /var/log/clamav/*
 
  dpkg -i *.deb
  (you can skip docs and testfiles)
 
  apt-get -f install
  if some deps is broken
 

ah forgot, then
dpkg --purge libclamav3



--
Simon Hobson



Re: [Clamav-users] Clubbing a deceased equine

2010-04-21 Thread Simon Hobson

Eric Rostetter wrote:


  Knowingly disabling running software on computers that is not your own

is not acceptable.  It is immoral, unethical and perhaps illegal.


But that's not what happened.


Yes, it is what happened...  People are just confused because of all
the bogus complaints like they shutdown my server or they shutdown
my email.  But they did indeed shutdown clamd for some set of older
versions.


I'm confused - are you saying they did, or didn't shut down software 
that people were running on their servers ? I think you are admitting 
(thank you) that the update did what it was supposed to do and 
remotely stopped some versions of ClamAV from running.


The **ONLY** defence I can think of is that they assumed an 
implicit permission by virtue of the user running the update 
process to fetch signature updates. That's a very tenuous thing to 
infer when pushing an update that is so different in purpose to 
what would normally be fetched.


Well, since you pull the updates (they are not pushed to you), and since
while this one signature was indeed different in purpose than the normal,
you have a point.  But, this different in purpose signature was just
a way of warning that soon the same in purpose signatures _would_ stop
the software.  Would you rather they just started pushing the normal in
purpose signatures that crashed it, or that they pushed a different
in purpose one first, where the purpose was to notify users of both
the issue, and how to fix it?


They didn't HAVE to push either to the older software - I'm not the 
first to point out that there was a completely viable alternative 
that would just stop supplying updates to the older software.


So my preference would be simply that they did nothing to my 
software. If they want to stop supporting it with updates, that's 
fine and it still leaves me in control of what I run and when I 
update it.


--
Simon Hobson


