Re: [clamav-users] clamav-users Digest, Vol 201, Issue 22
Kind regards

Simon Eigeldinger
Informatik
Nebengebäude 1, OG1
Stadt Hohenems
Kaiser-Franz-Josef-Straße 4
6845 Hohenems
T: +43 5576 7101-1143 | E: simon.eigeldin...@hohenems.at | www.hohenems.at

This message and any attached documents are confidential and intended only for the addressee(s).

-Original Message-
From: clamav-users On behalf of clamav-users-requ...@lists.clamav.net
Sent: Thursday, 26 August 2021 14:00
To: clamav-users@lists.clamav.net
Subject: clamav-users Digest, Vol 201, Issue 22

Today's Topics:

1. Re: ClamAV? blog: ClamAV 0.104.0 Second Release Candidate is here! (Paul Kosinski)
2. Re: Authenticity token element not found (Philipp Ewald)

--

Message: 1
Date: Wed, 25 Aug 2021 10:25:37 -0400
From: Paul Kosinski
To: "clamav-users@lists.clamav.net"
Subject: Re: [clamav-users] ClamAV? blog: ClamAV 0.104.0 Second Release Candidate is here!
Message-ID: <20210825102537.76e2f05b@ime1.iment.local>
Content-Type: text/plain; charset=US-ASCII

On Tue, 24 Aug 2021 23:08:52 + "Micah Snyder (micasnyd)" wrote:

> This conversation is a fun read! But don't worry really no point removing the docs from the source package or the pre-compiled packages. Including it is painless at this point. If you're curious why, here's the process...
>
> The documentation website source is hosted in our Cisco-Talos/clamav-documentation<https://github.com/Cisco-Talos/clamav-documentation> repo.
>
> Any time there is a change to the docs, GitHub Actions automatically re-builds the static site using mdBook and force-pushes it to the gh-pages<https://github.com/Cisco-Talos/clamav-documentation/tree/gh-pages> branch to publish it.
>
> To include the docs in the source tarball, all we do (Jenkins does) is copy the contents of that branch into the clamav/docs/html<https://github.com/Cisco-Talos/clamav/tree/main/docs/html> directory before building the source package.
>
> From there, the build system takes care of it. The docs/html directory is bundled into the tarball, and when building the pre-compiled packages, the html directory is marked for installation and so is included in each package.
>
> That also means that if you're not building from the release tarball (i.e. if you're building from a git clone), you won't get an offline copy of the documentation.
>
> -Micah
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.

Sounds good!
--

Message: 2
Date: Wed, 25 Aug 2021 16:31:56 +0200
From: Philipp Ewald
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] Authenticity token element not found
Message-ID: <672df378-8b5e-232b-0c46-57b9c3ecb...@digionline.de>
Content-Type: text/plain; charset=utf-8; format=flowed

interesting:
Re: [clamav-users] Warning: No matches found for: clamav on CentOS Linux release 7.9.2009 (Core)
- Message from Kaushal Shriyan via clamav-users - Date: Mon, 19 Jul 2021 14:34:30 +0530 From: Kaushal Shriyan via clamav-users Reply-To: ClamAV users ML Subject: [clamav-users] Warning: No matches found for: clamav on CentOS Linux release 7.9.2009 (Core) To: ClamAV users ML Cc: Kaushal Shriyan Hi, I am running CentOS Linux release 7.9.2009 (Core) and installed epel repository. # rpm -qa | grep epel epel-release-7-13.noarch # cat /etc/redhat-release CentOS Linux release 7.9.2009 (Core) #yum search clamav Loaded plugins: fastestmirror Determining fastest mirrors * base: mirrors.piconets.webwerks.in * extras: mirrors.piconets.webwerks.in * updates: mirrors.piconets.webwerks.in base | 3.6 kB 00:00:00 docker-ce-stable | 3.5 kB 00:00:00 elastic-7.x | 1.3 kB 00:00:00 extras | 2.9 kB 00:00:00 ius | 1.3 kB 00:00:00 mariadb | 2.9 kB 00:00:00 nginx | 2.9 kB 00:00:00 updates | 2.9 kB 00:00:00 (1/10): base/7/x86_64/group_gz | 153 kB 00:00:00 (2/10): extras/7/x86_64/primary_db | 242 kB 00:00:00 (3/10): elastic-7.x/primary | 288 kB 00:00:00 (4/10): docker-ce-stable/7/x86_64/primary_db | 62 kB 00:00:00 (5/10): docker-ce-stable/7/x86_64/updateinfo | 55 B 00:00:00 (6/10): ius/x86_64/primary | 100 kB 00:00:01 (7/10): updates/7/x86_64/primary_db | 8.8 MB 00:00:04 (8/10): base/7/x86_64/primary_db | 6.1 MB 00:00:05 (9/10): nginx/7/x86_64/primary_db | 67 kB 00:00:04 (10/10): mariadb/primary_db | 36 kB 00:00:05 elastic-7.x 880/880 ius 467/467 Warning: No matches found for: clamav No matches found Am I missing anything? Please suggest further. Thanks in Advance. Best Regards, Kaushal - End message from Kaushal Shriyan via clamav-users - Doesn't look like EPEL is being checked - look at the list of repos. Is it enabled? 
See below on a CentOS 7 server: [root@emp75 ~]# yum search clamav Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: centos.mirror.ausnetservers.net.au * epel: epel.mirror.digitalpacific.com.au * extras: centos.mirror.ausnetservers.net.au * updates: centos.mirror.ausnetservers.net.au = N/S matched: clamav == clamav-filesystem.noarch : Filesystem structure for clamav clamav-unofficial-sigs.noarch : Scripts to download unofficial clamav signatures clamav.x86_64 : End-user tools for the Clam Antivirus scanner clamav-data.noarch : Virus signature data for the Clam Antivirus scanner clamav-devel.x86_64 : Header files and libraries for the Clam Antivirus scanner clamav-lib.x86_64 : Dynamic libraries for the Clam Antivirus scanner clamav-milter.x86_64 : Milter module for the Clam Antivirus scanner clamav-update.x86_64 : Auto-updater for the Clam Antivirus scanner data-files Name and summary matches only, use "search all" for everything. -- Simon Wilson M: 0400 12 11 16 ___ clamav-users mailing list clamav-users@lists.clamav.net https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] configure: error: Your libcurl is misconfigured. libcurl (e.g. libcurl-devel) is required in order to build freshclam and clamsubmit
- Message from "G.W. Haywood via clamav-users" - Date: Thu, 15 Jul 2021 11:32:37 +0100 (BST) From: "G.W. Haywood via clamav-users" Reply-To: ClamAV users ML Subject: Re: [clamav-users] configure: error: Your libcurl is misconfigured. libcurl (e.g. libcurl-devel) is required in order to build freshclam and clamsubmit To: Kin Sou via clamav-users Cc: "G.W. Haywood" Hi there, On Thu, 15 Jul 2021, Kin Sou via clamav-users wrote: I am installing clamav 0.102.3 on CentOS8.4 ... Please can you confirm that you're trying to install version 0.102.3? If so, I suggest that you don't do that. Better to install the latest version (which is 0.103.3) and, in view of very recent events (see the mailing list for the last day or so), perhaps even wait for 0.103.4 to be released which I guess will be soon. checking for curl-config... /usr/bin/curl-config ./configure: line 30064: auto=yes: command not found checking for curl_easy_init in -lcurl... no configure: error: Your libcurl is misconfigured. libcurl (e.g. libcurl-devel) is required in order to build freshclam and clamsubmit. How to solve this hurdle? The line number 30064 doesn't seem to match with the version of the script which I have in the original tarball. Is this a RedHat source package? It seems to be saying that you don't have /usr/bin/curl-config which might mean that you haven't installed it, or that you've installed it somewhere strange, or this might be a red herring. Anyway I'd suggest starting with a clean sheet and at least downloading the latest official source tarball from the ClamAV site before you try again. - End message from "G.W. Haywood via clamav-users" - It would be FAR easier to install Clamav 103.3 from EPEL repository for CentOS / RH than build from source, especially when releases get published through EPEL very quickly. 
Simon -- Simon Wilson M: 0400 12 11 16
Re: [clamav-users] Restriction of downloads
- Message from "Joel Esler (jesler) via clamav-users" - Date: Sat, 13 Mar 2021 01:49:34 + From: "Joel Esler (jesler) via clamav-users" Reply-To: ClamAV users ML Subject: Re: [clamav-users] Restriction of downloads To: ClamAV users ML Cc: "Joel Esler (jesler)" Would the community be willing to pay for updates? The thing I can't get over is the sense of entitlement coming out of some of the emails to this list for a service provided at no cost that is now being reasonably restricted because of impact on the people providing it *at no charge*, which if not resolved could potentially remove the ability for *any* of us to use it. Go figure... Even more bizarre is people trying to create and share workarounds. Ah well... From my POV Clamav has provided me with a great (free) tool for many years at only the cost of my time to learn it, and with a great and supportive community. If it were to move to a model wherein there was reasonable contribution I'd sign up for it. Purely selfishly :) perhaps a model appropriately structured for home users like me (with < 10 users) to get updates with more for corporate / govt users. :-D -- Simon Wilson M: 0400 12 11 16
Re: [clamav-users] Freshclam failing to get update
Ah, OK, thanks.

S.

On Thu, 11 Feb 2021 at 13:49, G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Thu, 11 Feb 2021, Simon Banton via clamav-users wrote:
>
> > Is there anything about ClamAV v0.97.3 that would mean it's suddenly unable
> > to fetch the daily updates via freshclam? I know it's an old version, but
> > this is on a very old box running Centos 4 so upgrading isn't practical at
> > the moment (for, you know, *reasons*).
>
> You need to upgrade.
>
> All versions of ClamAV before 0.100 are now past End Of Life and obsolete.
>
> You should also at least subscribe to the 'clamav-announce' mailing list,
> where this was announced (yesterday).
>
> --
>
> 73,
> Ged.
[clamav-users] Freshclam failing to get update
Hi, Is there anything about ClamAV v0.97.3 that would mean it's suddenly unable to fetch the daily updates via freshclam? I know it's an old version, but this is on a very old box running Centos 4 so upgrading isn't practical at the moment (for, you know, *reasons*). Suddenly started seeing this whenever freshclam tries to run: Feb 11 13:07:01 ptah freshclam[24470]: ClamAV update process started at Thu Feb 11 13:07:01 2021 Feb 11 13:07:01 ptah freshclam[24470]: main.cvd is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr) Feb 11 13:07:07 ptah freshclam[24470]: nonblock_connect: connect(): fd=4 errno=101: Network is unreachable Feb 11 13:07:07 ptah freshclam[24470]: Can't connect to port 80 of host db.gb.clamav.net (IP: 2606:4700::6810:da54) Feb 11 13:07:07 ptah freshclam[24470]: Trying host db.gb.clamav.net (2606:4700::6810:db54)... Feb 11 13:07:07 ptah freshclam[24470]: nonblock_connect: connect(): fd=4 errno=101: Network is unreachable Feb 11 13:07:07 ptah freshclam[24470]: Can't connect to port 80 of host db.gb.clamav.net (IP: 2606:4700::6810:db54) Feb 11 13:07:07 ptah freshclam[24470]: getpatch: Can't download daily-26077.cdiff from db.gb.clamav.net Feb 11 13:07:07 ptah freshclam[24470]: nonblock_connect: connect(): fd=4 errno=101: Network is unreachable Feb 11 13:07:07 ptah freshclam[24470]: Can't connect to port 80 of host db.gb.clamav.net (IP: 2606:4700::6810:da54) Feb 11 13:07:07 ptah freshclam[24470]: Trying host db.gb.clamav.net (2606:4700::6810:db54)... 
Feb 11 13:07:07 ptah freshclam[24470]: nonblock_connect: connect(): fd=4 errno=101: Network is unreachable Feb 11 13:07:07 ptah freshclam[24470]: Can't connect to port 80 of host db.gb.clamav.net (IP: 2606:4700::6810:db54) Feb 11 13:07:07 ptah freshclam[24470]: getpatch: Can't download daily-26077.cdiff from db.gb.clamav.net Feb 11 13:07:14 ptah freshclam[24470]: nonblock_connect: connect(): fd=4 errno=101: Network is unreachable Feb 11 13:07:15 ptah freshclam[24470]: Can't connect to port 80 of host db.gb.clamav.net (IP: 2606:4700::6810:db54) Feb 11 13:07:15 ptah freshclam[24470]: Trying host db.gb.clamav.net (2606:4700::6810:da54)... Feb 11 13:07:15 ptah freshclam[24470]: nonblock_connect: connect(): fd=4 errno=101: Network is unreachable Feb 11 13:07:15 ptah freshclam[24470]: Can't connect to port 80 of host db.gb.clamav.net (IP: 2606:4700::6810:da54) Feb 11 13:07:15 ptah freshclam[24470]: getpatch: Can't download daily-26077.cdiff from db.gb.clamav.net Feb 11 13:07:16 ptah freshclam[24470]: Incremental update failed, trying to download daily.cvd Feb 11 13:07:16 ptah freshclam[24470]: nonblock_connect: connect(): fd=4 errno=101: Network is unreachable Feb 11 13:07:16 ptah freshclam[24470]: Can't connect to port 80 of host db.gb.clamav.net (IP: 2606:4700::6810:da54) Feb 11 13:07:16 ptah freshclam[24470]: Trying host db.gb.clamav.net (2606:4700::6810:db54)... Feb 11 13:07:16 ptah freshclam[24470]: nonblock_connect: connect(): fd=4 errno=101: Network is unreachable Feb 11 13:07:16 ptah freshclam[24470]: Can't connect to port 80 of host db.gb.clamav.net (IP: 2606:4700::6810:db54) Feb 11 13:07:16 ptah freshclam[24470]: Can't download daily.cvd from db.gb.clamav.net Feb 11 13:07:16 ptah freshclam[24470]: Trying again in 5 secs... This started to happen yesterday after years of trouble free operation. Nothing on my box's configuration has changed between freshclam working and it not working. Any pointers as to a possible cause would be most welcome. 
Cheers Simon
Re: [clamav-users] Services Difference & Memory Utilization
CentOS 8 needs 2GB just to install. In my experience you will struggle to get *anything* useful to run with 2GB. Simon Wilson From: bobby via clamav-users Sent: Monday, 14 September 2020 10:34 am To: clamav-users@lists.clamav.net Cc: bobby Subject: [clamav-users] Services Difference & Memory Utilization I noticed on my CentOS 8 machine, there are two different services listed: clamd@multi-user.service and system-clamd.slice. I don't have enough memory to run the first one, but only the second one (192M). Is clamd really running? What is the difference between these two services? I only have 2 GB of memory. Is there any way to run clamd? I get this error when I try to run it: [201060.293876] Out of memory: Killed process 254784 (clamd) total-vm:830500kB, anon-rss:682068kB, file-rss:0kB, shmem-rss:0kB, UID:983 [201095.669009] out_of_memory+0x1ba/0x490
Re: [clamav-users] Scanning files with ClamAV on Windows
Hi, Thanks for writing back. Will have a look at the documentation and at the archive. Greetings, Simon On 22.04.2020 at 01:48, G.W. Haywood via clamav-users wrote: Hi there, On Wed, 22 Apr 2020, Simon Eigeldinger wrote: I plan to set up some ClamAV instances on Windows Servers to scan some office documents and other files. If I were going to scan files for Windows malware, I wouldn't use a Windows box to scan them - but that's up to you. So helping the other scanner which is already installed and to see if it is missing a virus. I'd expect you'd have more luck if you used the other scanner to see what was missed by ClamAV. I have just some stupid questions :-) : They're not stupid, but they do really only scratch the surface. Which signatures to use? The default ones that come with the example config? Any that you can get hold of. There are a lot of them about. The Sansecurity signatures get a good press but I use them to fight spam rather than protect against malware. I personally think that if you can find malware on a machine, it's already too late to be looking. Any config I should take a look at? There's a lot of documentation, you should read it. As far as I have seen ClamAV isn't scanning the whole file just a part of it. Do viruses sit at a special point of a file or do traces of them exist at special spots? It's not really like that. Drink deep, or taste not... ClamAV needs to know something about the different types of files, so it can do a better job of scanning, and there's an upper limit to the amount of data that ClamAV will scan in any event. There have been discussions about it on this list, please spend some quality time with the archives.
[clamav-users] Scanning files with ClamAV on Windows
Hi all, I plan to set up some ClamAV instances on Windows Servers to scan some office documents and other files. So helping the other scanner which is already installed and to see if it is missing a virus. I have just some stupid questions :-) : Which signatures to use? The default ones that come with the example config? Any config I should take a look at? As far as I have seen ClamAV isn't scanning the whole file just a part of it. Do viruses sit at a special point of a file or do traces of them exist at special spots? Greetings and thanks for helping. It is very appreciated. Simon
Re: [clamav-users] ClamAV reputation rating
Epicon Elysium via clamav-users wrote: > Does ClamAV support in enabling the reputation rating? Seems I couldn't find > any info when searching for it. There's nothing mentioned in the config file > as well. AIUI no, it doesn't have anything for that. However, a very common setup is use AMaViS to scan mail, with ClamAV as just one of the tools it uses - the other tools can include things like reputation rating (eg sender real-time blacklists and so on). You might also want to have a look at PolicyD (aka Cluebringer) which brings other tools to the party - such as greylisting and quotas.
Re: [clamav-users] Possible problem with daily.cld 25460 / CVE-2019-0903
Hi

Same here UK clamav with our mailcleaner

Every one of our backup pdfs are being marked with this even tho they have been fine for years

Prob a false positive

Regards

Simon

Sent from my iPhone

> On 25 May 2019, at 21:54, Hans Morten Kind via clamav-users wrote:
>
> Seems like every pdf-file is marked as infected by
> Win.Exploit.CVE_2019_0903-6966169-0
>
> I have put it into local.ign2 and restarted my clamd
> hmk
[clamav-users] clamscan, fmap errors and --max-filesize
Hi, Longtime user, first-time poster ;) I'm having some issues with trying to get clamscan to skip over some very large files, without running into memory allocation issues. A problem directory looks like this: # ls -alh total 2.6G drwxr-xr-x 2 root root 72 May 22 12:17 . drwxrwxrwt. 12 root root 4.0K May 22 12:16 .. -rw-r--r-- 1 root root 1.7G May 22 12:13 bigfile1 -rw-r--r-- 1 root root 851M May 22 12:14 bigfile2 -rw-r--r-- 1 root root 10K May 22 12:10 file1 -rw--- 1 root root 94M May 22 12:13 file2 -rw-r--r-- 1 root root 264K May 22 12:14 file3 and scanning it does this: # clamscan -r . ./file1: OK LibClamAV Warning: fmap: map allocation failed LibClamAV Error: CRITICAL: fmap() failed ./bigfile1: Can't allocate memory ERROR ./bigfile2: OK ./file3: OK ./file2: OK --- SCAN SUMMARY --- Known viruses: 6133971 Engine version: 0.101.2 Scanned directories: 1 Scanned files: 4 Infected files: 0 Total errors: 1 Data scanned: 0.00 MB Data read: 2624.80 MB (ratio 0.00:1) Time: 47.989 sec (0 m 47 s) So, ah-ha, I think, obviously I need to limit the file size being scanned, so add a --max-filesize flag, but: # clamscan -r --max-filesize=1024 . ./file1: OK LibClamAV Warning: fmap: map allocation failed LibClamAV Error: CRITICAL: fmap() failed ./bigfile1: Can't allocate memory ERROR ./bigfile2: OK ./file3: OK ./file2: OK --- SCAN SUMMARY --- Known viruses: 6133971 Engine version: 0.101.2 Scanned directories: 1 Scanned files: 4 Infected files: 0 Total errors: 1 Data scanned: 0.00 MB Data read: 2624.80 MB (ratio 0.00:1) Time: 49.758 sec (0 m 49 s) Same outcome. 
Tried with the debug flag and this was the relevant bit: LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16) LibClamAV Warning: fmap: map allocation failed LibClamAV Error: CRITICAL: fmap() failed LibClamAV debug: cli_magic_scandesc: returning 20 at line 3891 (no post, no cache) ./bigfile: Can't allocate memory ERROR So it looks like clamscan is trying to determine the file type before it then decides if it's too large (in case it's a container?), so fmap()'s it and then can't allocate memory? I've got a fair number of servers and VMs being scanned, and I'm making sure that scan errors (ie exit code 2, unknown error) like this are sent to the monitoring system for investigation, and this is generating noise. How do I work around this? (I've considered running a find / -type f -size -50M or similar, dumping that to a file and feeding that to clamscan via the -f flag, but any transitory file that's gone away by the time that clamscan gets to it produces a missing file error, and also exits with code 2, so that's not great either) Thanks, Simon -- Simon Oxwell | Hosting Team Funnelback P: +61 2 6176 3170 | F: +61 2 6230 7313 soxw...@funnelback.com | www.funnelback.com A: Ground Floor, 51 Allara Street, Civic, Canberra 2601
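One way to keep the monitoring signal useful in the situation described in the post above, as an added example that is not part of the original message or of ClamAV: parse the per-file result lines clamscan prints and separate allocation failures on very large files, and files that vanished before they were scanned, from errors that need investigation. The function names, the 1 GiB threshold, the byte sizes (approximated from the `ls -alh` listing) and the last two sample lines are assumptions constructed for illustration.

```python
"""Triage clamscan per-file results so only actionable errors raise an alert."""
import os
import re

# Per-file result line as shown in the post: "<path>: <detail> <STATUS>".
RESULT_LINE = re.compile(
    r"^(?P<path>.+): (?P<detail>.*?)\s*(?P<status>OK|FOUND|ERROR)$")
ALLOC_FAILURE = "Can't allocate memory"  # error text quoted in the post


def stat_size(path):
    """Size in bytes, or None when the file no longer exists."""
    try:
        return os.path.getsize(path)
    except OSError:
        return None


def triage(output, size_of=stat_size, oversize_bytes=1 << 30):
    """Classify every per-file line; nothing is silently dropped."""
    report = {key: [] for key in (
        "clean", "infected", "unscanned_oversize", "vanished", "errors")}
    for raw in output.splitlines():
        match = RESULT_LINE.match(raw.strip())
        if match is None:
            continue  # LibClamAV diagnostics and the scan summary
        path, detail, status = match.group("path", "detail", "status")
        if status == "OK":
            report["clean"].append(path)
        elif status == "FOUND":
            report["infected"].append((path, detail))
        else:
            size = size_of(path)
            if size is None:
                # Transitory file: listed, then gone before the scan reached it.
                report["vanished"].append(path)
            elif detail == ALLOC_FAILURE and size >= oversize_bytes:
                # Not scanned at all: keep it visible, but do not page anyone.
                report["unscanned_oversize"].append((path, size))
            else:
                report["errors"].append((path, detail))
    return report


def monitoring_code(report):
    """1 = detection, 2 = error needing investigation, 0 = nothing actionable."""
    if report["infected"]:
        return 1
    if report["errors"]:
        return 2
    return 0


# Output from the post, plus two constructed lines (the last two).
SAMPLE_OUTPUT = """\
./file1: OK
LibClamAV Warning: fmap: map allocation failed
LibClamAV Error: CRITICAL: fmap() failed
./bigfile1: Can't allocate memory ERROR
./bigfile2: OK
./file3: OK
./file2: OK
./session.tmp: constructed-error-text ERROR
./file4: Can't allocate memory ERROR
"""

# Constructed sizes; ./session.tmp is absent on purpose (it has vanished).
SAMPLE_SIZES = {
    "./bigfile1": int(1.7 * 2**30),
    "./bigfile2": 851 * 2**20,
    "./file1": 10 * 2**10,
    "./file2": 94 * 2**20,
    "./file3": 264 * 2**10,
    "./file4": 4 * 2**20,
}

if __name__ == "__main__":
    result = triage(SAMPLE_OUTPUT, SAMPLE_SIZES.get)
    for key, items in result.items():
        print(key, items)
    print("monitoring code:", monitoring_code(result))
```

The `unscanned_oversize` list is a record of files that were never inspected, so it belongs in a report even when it does not raise an alert.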
Re: [clamav-users] ClamAV Central Management tools
Robert Schetterer wrote: > Div monitors should be fine to code for such things > like monit, munin, xymon, icinga, nagios , zabbix etc Nagios has a plugin for it (someone's already done the coding), I used to use it at my last job.
Re: [clamav-users] FreshClam - DNS issues since October 31st
Hi,

We started seeing the same problem here

It was fine during the night but then this morning started again with the WARNING messages?

[root@mailgw ~]# host -t txt current.cvd.clamav.net
current.cvd.clamav.net descriptive text "0.99.2:58:24027:1510207861:1:63:46632:318"
[root@mailgw ~]# date
Thu Nov 9 10:27:43 GMT 2017
[root@mailgw ~]#

Regards

Simon

> On 9 Nov 2017, at 10:05, Adolf Belka <adolf.be...@gmail.com> wrote:
>
> I am still seeing the message. Periodically it stops and when I check that is when the time from the DNS record has become closer to my computers time but then the delta progressively increases and exceeds the 3 hours and the message starts again. Today it started again at 10:12 (Netherlands time zone). At 9:56 it was fine.
>
> Here is the DNS TXT value I get:-
>
> current.cvd.clamav.net descriptive text "0.99.2:58:24027:1510207861:1:63:46632:318"
>
> My current computer time was 1510221600.
>
> The following came from the dig command:-
>
> ; <<>> DiG 9.9.5-3ubuntu0.16-Ubuntu <<>> current.cvd.clamav.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20331
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;current.cvd.clamav.net. IN A
>
> ;; AUTHORITY SECTION:
> cvd.clamav.net. 3600 IN SOA ns3.clamav.net. hostmaster.oltrelinux.com. 2006375260 1800 900 604800 7200
>
> ;; Query time: 281 msec
> ;; SERVER: 192.168.26.254#53(192.168.26.254)
> ;; WHEN: Thu Nov 09 11:03:50 CET 2017
> ;; MSG SIZE rcvd: 116
>
> Regards,
>
> Adolf Belka
>
> Sent from my Desktop Computer
>
> On 08/11/17 20:47, David Raynor wrote:
>> The DNS records are being updated at the source properly now. If you are still seeing an error, then the proper record is not reaching the server you are contacting for DNS or not propagating correctly to your area or something like that.
>>
>> If you are still seeing those errors, let us know what the value of the DNS TXT record you are seeing for current.cvd.clamav.net. You can use "host" or "dig" or another command to check it.
>>
>> Example (with current value):
>>
>> $ host -t txt current.cvd.clamav.net
>> current.cvd.clamav.net descriptive text "0.99.2:58:24025:1510165084:1:63:46630:318"
>>
>> Dave R.
>>
>> On Wed, Nov 8, 2017 at 11:34 AM, Noel Jones <njo...@megan.vbhcs.org> wrote:
>>
>>> I'm still getting these errors too. :\
>>>
>>> -- Noel Jones
>>>
>>> On 11/8/2017 9:50 AM, Joel Esler (jesler) wrote:
>>>> The team working on these issues is seeing these emails, so it’s good that you are writing in, if you are still experiencing issues.
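The age check discussed in this thread, as an added example that is not part of the original messages or of freshclam's code: it pulls the TXT payload out of a `host`/`dig` output line, parses it, and compares the record timestamp with a clock against the three-hour limit named in the warning. Only the position of the timestamp (fourth field) is confirmed by the thread; the other field names are an assumption about the record layout, and the function names are hypothetical.

```python
"""Check how old the current.cvd.clamav.net TXT record is relative to a clock."""
import re
from dataclasses import dataclass

# The warning quoted in the thread fires when the record is older than 3 hours.
MAX_AGE_SECONDS = 3 * 3600


@dataclass(frozen=True)
class CvdRecord:
    # Field names other than `timestamp` are assumptions about the layout.
    engine: str
    main: int
    daily: int
    timestamp: int
    version_warning: int
    f_level: int
    safebrowsing: int
    bytecode: int


def extract_txt(line: str) -> str:
    """Return the quoted TXT payload from a line of host or dig output."""
    match = re.search(r'"([^"]+)"', line)
    if match is None:
        raise ValueError("no quoted TXT payload in line")
    return match.group(1)


def parse_record(payload: str) -> CvdRecord:
    """Split the colon-separated payload and validate every numeric field."""
    parts = payload.strip().split(":")
    if len(parts) != 8:
        raise ValueError(f"expected 8 fields, got {len(parts)}")
    engine, *numbers = parts
    try:
        values = [int(number) for number in numbers]
    except ValueError as exc:
        raise ValueError(f"non-numeric field in {payload!r}") from exc
    return CvdRecord(engine, *values)


def record_status(line: str, now: int) -> dict:
    """Age of the record at `now` (epoch seconds) and whether it is stale."""
    record = parse_record(extract_txt(line))
    age = now - record.timestamp
    return {
        "daily": record.daily,
        "age_seconds": age,
        "age_hours": round(age / 3600, 2),
        "stale": age > MAX_AGE_SECONDS,
        # A record stamped in the future means the local clock is behind,
        # which is a local problem rather than a DNS propagation one.
        "clock_behind": age < 0,
    }


# Values reported in the thread: the TXT record and the poster's clock.
HOST_LINE = ('current.cvd.clamav.net descriptive text '
             '"0.99.2:58:24027:1510207861:1:63:46632:318"')
REPORTED_LOCAL_TIME = 1510221600

if __name__ == "__main__":
    print(record_status(HOST_LINE, REPORTED_LOCAL_TIME))
```

Comparing the `daily` value and age seen through two different resolvers shows whether a stale record comes from the source or from a cache in between.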
Re: [clamav-users] FreshClam - DNS issues since October 31st
Maybe not every day but every week maybe? Has the issue been resolved yet?

Simon

> On 8 Nov 2017, at 14:02, Reindl Harald <h.rei...@thelounge.net> wrote:
>
> On 08.11.2017 at 14:43, Jeff wrote:
>> Since October 31st, I get the following DNS warnings every time freshclam runs:
>> ...
>> ClamAV update process started at Tue Nov 07 09:26:33 2017
>> +++WARNING: DNS record is older than 3 hours.+++
>> +++WARNING: Invalid DNS reply. Falling back to HTTP mode.+++
>
> do we really need each day a new thread about it?
Re: [clamav-users] fail updates
Hi,

Still having a few issues here, even after ' rm -rfv mirrors.dat '

Reading CVD header (main.cvd): WARNING: main.cvd not found on remote server
WARNING: Can't read main.cvd header from db.gb.clamav.net (IP: 193.1.193.64)
WARNING: DNS record is older than 3 hours.
WARNING: Invalid DNS reply. Falling back to HTTP mode.

Regards

Simon

> On 7 Nov 2017, at 00:41, Paul Kosinski <clamav-us...@iment.com> wrote:
>
> I killed our "mirrors.dat" at 2017-11-06 19:35:35 (EST). It was last modified at 2017-11-06 18:06:29 (EST). We'll see what happens.
>
> Paul Kosinski
>
> On Mon, 6 Nov 2017 21:21:58 + "Joel Esler (jesler)" <jes...@cisco.com> wrote:
>
>> It would be helpful, if, starting now, deleting mirrors.dat and *then* telling us about failing mirrors…. Cause…. We’ve done many changes in the past month, it would be good to start from a clean slate.
>>
>> --
>> Joel Esler | Talos: Manager | jes...@cisco.com<mailto:jes...@cisco.com>
Re: [clamav-users] update mirror trouble?
Hi,

Same here still having problems but slightly different

ClamAV update process started at Mon Nov 6 09:46:22 2017
WARNING: DNS record is older than 3 hours.
WARNING: Invalid DNS reply. Falling back to HTTP mode.
junk.ndb is up to date (version: custom database)
jurlbl.ndb is up to date (version: custom database)
phish.ndb is up to date (version: custom database)
rogue.hdb is up to date (version: custom database)
sanesecurity.ftm is up to date (version: custom database)
scam.ndb is up to date (version: custom database)
spamimg.hdb is up to date (version: custom database)
winnow_malware.hdb is up to date (version: custom database)
winnow_malware_links.ndb is up to date (version: custom database)
sigwhitelist.ign2 is up to date (version: custom database)
spamattach.hdb is up to date (version: custom database)
spear.ndb is up to date (version: custom database)
spearl.ndb is up to date (version: custom database)
blurl.ndb is up to date (version: custom database)
winnow.attachments.hdb is up to date (version: custom database)
winnow_bad_cw.hdb is up to date (version: custom database)
winnow_extended_malware.hdb is up to date (version: custom database)
bofhland_cracked_URL.ndb is up to date (version: custom database)
bofhland_malware_URL.ndb is up to date (version: custom database)
bofhland_phishing_URL.ndb is up to date (version: custom database)
bofhland_malware_attach.hdb is up to date (version: custom database)
crdfam.clamav.hdb is up to date (version: custom database)
malwarehash.hsb is up to date (version: custom database)
porcupine.ndb is up to date (version: custom database)
phishtank.ndb is up to date (version: custom database)
porcupine.hsb is up to date (version: custom database)
hackingteam.hsb is up to date (version: custom database)
badmacro.ndb is up to date (version: custom database)
Sanesecurity_sigtest.yara is up to date (version: custom database)
Sanesecurity_spam.yara is up to date (version: custom database)
Reading CVD header (main.cvd): WARNING: Can't read main.cvd header from database.clamav.net (IP: )
Trying again in 5 secs…

Regards

Simon

> On 6 Nov 2017, at 06:16, Tsutomu Oyamada <oyam...@promark-inc.com> wrote:
>
> Hi,
>
> It looks like that Updating of CVD in database.clamav.net is not working
> (stopping).
> Do you have any trouble problem happened?
>
> We are in Japan, and it set CNAME for database.clamav.net as
> db.jp.clamav.net.
> db.jp.clamav.net has 4 IP addresses and those are working in roundrobin.
> Every sites are working, but CVD version stops at 24010 as follows.
>
> db.jp.clamav.net. 39 IN A 218.44.253.75
> db.jp.clamav.net. 39 IN A 203.178.137.175
> db.jp.clamav.net. 39 IN A 27.96.54.66
> db.jp.clamav.net. 39 IN A 124.35.85.83

Re: [clamav-users] Mirror Sync Outage for ClamAV updates
Would this explain why all morning I've been getting this error?

WARNING: DNS record is older than 3 hours.
WARNING: Invalid DNS reply. Falling back to HTTP mode.

Regards

Simon

> On 1 Nov 2017, at 14:43, Joel Esler (jesler) <jes...@cisco.com> wrote:
>
> http://blog.clamav.net/2017/11/mirror-sync-outage-for-clamav-av-updates.html
>
> ClamAV Community --
>
> ClamAV is currently experiencing an issue with one of our sync servers that
> provides updates from our infrastructure out to the ClamAV mirrors.
>
> Since end-users receive their updates from the ClamAV mirrors, this means
> that currently, ClamAV AV updates are currently not available.
>
> Our operations team is currently working on the issue, and we will provide
> updates as needed.
>
> --
> Joel Esler | Talos: Manager | jes...@cisco.com

Re: [clamav-users] Ppt.Exploit.CVE_2017_0199-6336815-1 FP?
Hi,

We have a few this morning from a few of our servers too which contain docx files

thisisasecretfile.docx: Ppt.Exploit.CVE_2017_0199-6336815-1 FOUND

Regards

Simon

> On 5 Oct 2017, at 09:49, Al Varnell <alvarn...@mac.com> wrote:
>
> Please don't include signatures that apply to "Any File" in an e-mail as it
> was detected as infected upon arrival and could easily be blocked by
> intermediate mail servers.
>
> -Al-
>
> On Thu, Oct 05, 2017 at 01:42 AM, Hajo Locke wrote:
>> since yesterday we found a lot of malware called
>> Ppt.Exploit.CVE_2017_0199-6336815-1
>> Hitrate is extremely increasing. Currently i believe this is a FP.
>> Signature looks short:
>> Ppt.Exploit.CVE_2017_0199-6336815-1
>> This decodes to:
>>
>>
>> Unfortunately i can't send samples of found docx-files, because they are
>> private.
>> Anybody else noticed this behaviour?
>>
>> Thanks,
>> Hajo

Re: [clamav-users] Freshclam failure - Still ongoing???
Hi

I think there is a fault with that particular provider of the mirror

whois 193.1.193.64 is showing as HEANET-MIRROR

My 'dig database.clamav.net' in the UK Liverpool here WAS showing as that IP address, however the round-robin doesn’t seem to use that server anymore strangely enough? and NOW using others instead

Maybe contact heanet and ask them if there is an issue with their mirror server

Or change ya freshclam.conf to use another dns like db.uk.clamav.net

Regards

Simon

> On 25 Aug 2017, at 09:37, briancullen <briancul...@netspace.net.au> wrote:
>
> The problem has me (also in Australia) still stuck on 23695:
>
> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
> WARNING: getpatch: Can't download daily-23695.cdiff from database.clamav.net
> WARNING: getpatch: Can't download daily-23695.cdiff from database.clamav.net
> ERROR: getpatch: Can't download daily-23695.cdiff from database.clamav.net
> WARNING: Incremental update failed, trying to download daily.cvd
> WARNING: getfile: daily.cvd not found on remote server (IP: 193.1.193.64)
> ERROR: Can't download daily.cvd from database.clamav.net
> Giving up on database.clamav.net...
>
>> On 25 Aug 2017, at 6:24 pm, Paul Dean <c...@thecave.ws> wrote:
>>
>> Hi,
>>
>> I've checked the lists and nuked the mirror.dat file as suggested, but still
>> getting failure on dling daily-23699.cdiff via freshclam.
>> Also tried via wget, and got a 404 error. So currently I'm stuck on 23698.
>>
>> Also nuked all .cld files and still failed.
>>
>> I've got a few servers/machines that use ClamAV, so hoping a overall fix
>> instead of each machine would be preferable.
>>
>> All machines are based in AU and failures happen with db.local.clamav.net
>> and database.clamav.net.
>>
>> --
>>
>> Thanks
>>
>> Paul Dean.
>>
>> "Life is not WHAT you make it, it's WHO you have in it..."

Re: [clamav-users] Unable to download database
Managed to get it working again from a user who helped

Toss your /usr/lib/clamav/mirrors.dat file to eliminate the Ignoring mirror messages.

And then seemed to start working again

Simon

Sent from my iPhone

> On 24 Aug 2017, at 11:49, Gene Heskett <ghesk...@shentel.net> wrote:
>
>> On Thursday 24 August 2017 04:11:55 Simon Mousey Smith wrote:
>>
>> Hi All
>>
>> Still having issue here in UK Liverpool
>>
>> WARNING: getfile: daily.cvd not found on database.clamav.net (IP: 193.1.193.64)
>>
>> Regards
>>
>> Simon
>>
>> Sent from my iPhone
>
> I'm having trouble with a couple sites in the last few hours too:
>
> Wed Aug 23 03:10:11 2017 -> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
> Wed Aug 23 03:10:31 2017 -> WARNING: getfile: daily-23700.cdiff not found on db.us.clamav.net (IP: 204.130.133.50)
> Wed Aug 23 03:10:31 2017 -> WARNING: getpatch: Can't download daily-23700.cdiff from db.us.clamav.net
> Wed Aug 23 03:10:33 2017 -> WARNING: getfile: daily-23700.cdiff not found on db.us.clamav.net (IP: 194.8.197.22)
> Wed Aug 23 03:10:34 2017 -> WARNING: getpatch: Can't download daily-23700.cdiff from db.us.clamav.net
> Wed Aug 23 03:10:34 2017 -> Trying host db.us.clamav.net (69.163.100.14)...
> Wed Aug 23 03:11:04 2017 -> nonblock_connect: connect timing out (30 secs)
> Wed Aug 23 03:11:04 2017 -> Can't connect to port 80 of host db.us.clamav.net (IP: 69.163.100.14)
> Wed Aug 23 03:11:04 2017 -> Trying host db.us.clamav.net (200.236.31.1)...
> Wed Aug 23 03:11:10 2017 -> WARNING: getfile: daily-23700.cdiff not found on db.us.clamav.net (IP: 200.236.31.1)
> Wed Aug 23 03:11:10 2017 -> WARNING: getpatch: Can't download daily-23700.cdiff from db.us.clamav.net
> Wed Aug 23 03:11:40 2017 -> nonblock_connect: connect timing out (30 secs)
> Wed Aug 23 03:11:40 2017 -> Can't connect to port 80 of host db.us.clamav.net (IP: 69.12.162.28)
> Wed Aug 23 03:11:40 2017 -> Trying host db.us.clamav.net (64.6.100.177)...
> Wed Aug 23 03:12:10 2017 -> nonblock_connect: connect timing out (30 secs)
> Wed Aug 23 03:12:10 2017 -> Can't connect to port 80 of host db.us.clamav.net (IP: 64.6.100.177)
> Wed Aug 23 03:12:10 2017 -> Trying host db.us.clamav.net (150.214.142.197)...
> Wed Aug 23 03:12:40 2017 -> nonblock_recv: recv timing out (30 secs)
> Wed Aug 23 03:12:40 2017 -> WARNING: getfile: Error while reading database from db.us.clamav.net (IP: 150.214.142.197): Operation now in progress
> Wed Aug 23 03:12:40 2017 -> WARNING: getpatch: Can't download daily-23700.cdiff from db.us.clamav.net
> Wed Aug 23 03:12:40 2017 -> Trying host db.us.clamav.net (194.186.47.19)...
> Wed Aug 23 03:13:38 2017 -> nonblock_recv: recv timing out (30 secs)
> Wed Aug 23 03:13:38 2017 -> WARNING: getfile: Error while reading database from db.us.clamav.net (IP: 194.186.47.19): Operation now in progress
> Wed Aug 23 03:13:38 2017 -> WARNING: getpatch: Can't download daily-23700.cdiff from db.us.clamav.net
> Wed Aug 23 03:13:38 2017 -> WARNING: Incremental update failed, trying to download daily.cvd
> Wed Aug 23 03:14:08 2017 -> nonblock_connect: connect timing out (30 secs)
> Wed Aug 23 03:14:08 2017 -> Can't connect to port 80 of host db.us.clamav.net (IP: 204.130.133.50)
> Wed Aug 23 03:14:38 2017 -> nonblock_connect: connect timing out (30 secs)
> Wed Aug 23 03:14:38 2017 -> Can't connect to port 80 of host db.us.clamav.net (IP: 207.57.106.31)
> Wed Aug 23 03:14:38 2017 -> Trying host db.us.clamav.net (69.12.162.28)...
> Wed Aug 23 03:15:08 2017 -> nonblock_connect: connect timing out (30 secs)
> Wed Aug 23 03:15:08 2017 -> Can't connect to port 80 of host db.us.clamav.net (IP: 69.12.162.28)
> Wed Aug 23 03:15:08 2017 -> Trying host db.us.clamav.net (64.6.100.177)...
> Wed Aug 23 03:15:38 2017 -> nonblock_connect: connect timing out (30 secs)
> Wed Aug 23 03:15:38 2017 -> Can't connect to port 80 of host db.us.clamav.net (IP: 64.6.100.177)
> Wed Aug 23 03:15:38 2017 -> Trying host db.us.clamav.net (64.22.33.90)...
> Wed Aug 23 03:16:08 2017 -> nonblock_connect: connect timing out (30 secs)
> Wed Aug 23 03:16:08 2017 -> Can't connect to port 80 of host db.us.clamav.net (IP: 64.22.33.90)
> Wed Aug 23 03:16:08 2017 -> Trying host db.us.clamav.net (200.236.31.1)...
> Wed Aug 23 03:29:28 2017 -> Downloading daily.cvd [100%]
> Wed Aug 23 03:29:29 2017 -> ERROR: Verification: Can't verify database integrity
> Wed A

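Added example, not part of any message in this archive: a small triage script for freshclam logs that tallies failures per mirror address and flags the run-level conditions reported in these posts (DNS fallback, abandoned update, failed database verification). The sample log is constructed, its host name and 192.0.2.x addresses are documentation placeholders, and the labels, severities and `dead_after` threshold are choices made for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the log line shapes quoted in these messages.
# db.example.net and the 192.0.2.x addresses are placeholders, not real mirrors.
SAMPLE_LOG = """\
Wed Aug 23 03:10:31 2017 -> WARNING: getfile: daily-23700.cdiff not found on db.example.net (IP: 192.0.2.10)
Wed Aug 23 03:10:31 2017 -> WARNING: getpatch: Can't download daily-23700.cdiff from db.example.net
Wed Aug 23 03:11:04 2017 -> nonblock_connect: connect timing out (30 secs)
Wed Aug 23 03:11:04 2017 -> Can't connect to port 80 of host db.example.net (IP: 192.0.2.20)
Wed Aug 23 03:12:40 2017 -> WARNING: getfile: Error while reading database from db.example.net (IP: 192.0.2.30): Operation now in progress
Wed Aug 23 03:13:38 2017 -> WARNING: Incremental update failed, trying to download daily.cvd
Wed Aug 23 03:14:08 2017 -> Can't connect to port 80 of host db.example.net (IP: 192.0.2.20)
Wed Aug 23 03:14:20 2017 -> WARNING: getfile: daily.cvd not found on remote server (IP: 192.0.2.10)
Ignoring mirror 192.0.2.40 (due to previous errors)
WARNING: DNS record is older than 3 hours.
WARNING: Invalid DNS reply. Falling back to HTTP mode.
Wed Aug 23 03:29:29 2017 -> ERROR: Verification: Can't verify database integrity
Giving up on db.example.net...
"""

IP = r"\(IP: (?P<ip>[\d.]+)\)"

# Failures that can be attributed to one mirror address.
MIRROR_PATTERNS = {
    "not_found": re.compile(r"WARNING: getfile: \S+ not found on .+? " + IP),
    "connect_timeout": re.compile(r"Can't connect to port \d+ of host \S+ " + IP),
    "read_error": re.compile(r"getfile: Error while reading database from \S+ " + IP),
    "ignored": re.compile(r"Ignoring mirror (?P<ip>[\d.]+) \(due to previous errors\)"),
}

# Conditions that describe the update run as a whole.
RUN_PATTERNS = {
    "dns_stale": re.compile(r"DNS record is older than 3 hours"),
    "dns_fallback": re.compile(r"Invalid DNS reply\. Falling back to HTTP mode"),
    "integrity_failure": re.compile(r"ERROR: Verification: Can't verify database integrity"),
    "gave_up": re.compile(r"Giving up on \S+?\.\.\."),
    "update_failed": re.compile(r"Update failed\."),
}


def analyze(log_text):
    """Count per-mirror failures and run-level flags in freshclam output."""
    mirrors = defaultdict(Counter)
    flags = Counter()
    for line in log_text.splitlines():
        for kind, pattern in MIRROR_PATTERNS.items():
            match = pattern.search(line)
            if match:
                mirrors[match.group("ip")][kind] += 1
                break
        else:  # no mirror-specific pattern matched this line
            for flag, pattern in RUN_PATTERNS.items():
                if pattern.search(line):
                    flags[flag] += 1
                    break
    return {
        "mirrors": {ip: dict(kinds) for ip, kinds in mirrors.items()},
        "flags": dict(flags),
    }


def triage(report, dead_after=2):
    """Turn the counts into (severity, code, detail) findings, worst first."""
    flags, findings = report["flags"], []
    if flags.get("integrity_failure"):
        findings.append(("critical", "integrity_failure",
                         "a downloaded database failed verification"))
    if flags.get("gave_up") or flags.get("update_failed"):
        findings.append(("high", "update_abandoned",
                         "freshclam gave up; signatures are not being refreshed"))
    if flags.get("dns_fallback"):
        findings.append(("medium", "dns_fallback",
                         "DNS reply rejected, HTTP mode used instead"))
    for ip, kinds in sorted(report["mirrors"].items()):
        hard = sum(n for kind, n in kinds.items() if kind != "ignored")
        if hard >= dead_after:
            findings.append(("info", "mirror_failing", f"{ip}: {hard} failed requests"))
        elif hard == 0:
            # Only "Ignoring mirror" lines: skipped from the cached error state
            # that posters here cleared by deleting mirrors.dat.
            findings.append(("info", "mirror_skipped", f"{ip}: skipped, not retried"))
    return findings


if __name__ == "__main__":
    for severity, code, detail in triage(analyze(SAMPLE_LOG)):
        print(f"{severity:8} {code:18} {detail}")
```
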
Re: [clamav-users] Freshclam failure
BINGO!!! GENIUS!!! FIXED!!!

Been banging my head against the wall all morning trying to resolve it

Simon

> On 24 Aug 2017, at 11:05, Al Varnell <alvarn...@mac.com> wrote:
>
> Toss your mirrors.dat file to eliminate the Ignoring mirror messages.
>
> -Al-
>
> On Aug 24, 2017, at 3:02 AM, Simon Mousey Smith <simonsmith5...@gmail.com>
> wrote:
>
>> Still having probs here in the uk liverpool and sadly can’t change the DNS
>> records as it's using a local dns internally

Re: [clamav-users] Freshclam failure
Still having probs here in the uk liverpool and sadly can’t change the DNS records as it's using a local dns internally

Retrieving http://database.clamav.net/daily-23702.cdiff
Ignoring mirror 81.91.100.173 (due to previous errors)
Ignoring mirror 129.67.1.218 (due to previous errors)
Ignoring mirror 193.1.193.64 (due to previous errors)
Ignoring mirror 178.79.177.182 (due to previous errors)
WARNING: getpatch: Can't download daily-23702.cdiff from database.clamav.net
Retrieving http://database.clamav.net/daily-23702.cdiff
Ignoring mirror 193.1.193.64 (due to previous errors)
Ignoring mirror 81.91.100.173 (due to previous errors)
Ignoring mirror 178.79.177.182 (due to previous errors)
Ignoring mirror 129.67.1.218 (due to previous errors)
WARNING: getpatch: Can't download daily-23702.cdiff from database.clamav.net
Retrieving http://database.clamav.net/daily-23702.cdiff
Ignoring mirror 193.1.193.64 (due to previous errors)
Ignoring mirror 129.67.1.218 (due to previous errors)
Ignoring mirror 178.79.177.182 (due to previous errors)
Ignoring mirror 81.91.100.173 (due to previous errors)
ERROR: getpatch: Can't download daily-23702.cdiff from database.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Whitelisting short-term blacklisted mirrors
Retrieving http://database.clamav.net/daily.cvd
Ignoring mirror 81.91.100.173 (due to previous errors)
Ignoring mirror 129.67.1.218 (due to previous errors)
Trying host database.clamav.net (193.1.193.64)...
Trying to download http://database.clamav.net/daily.cvd (IP: 193.1.193.64)
WARNING: getfile: daily.cvd not found on database.clamav.net (IP: 193.1.193.64)
ERROR: Can't download daily.cvd from database.clamav.net
Querying daily.0.82.0.0.C101C140.ping.clamav.net
Giving up on database.clamav.net...
Update failed. Your network may be down or none of the mirrors listed in /etc/freshclam.conf is working. Check http://www.clamav.net/doc/mirrors-faq.html for possible reasons.

[root@mailgw etc]# dig database.clamav.net

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> database.clamav.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14816
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;database.clamav.net. IN A

;; ANSWER SECTION:
database.clamav.net. 24 IN CNAME db.local.clamav.net.
db.local.clamav.net. 7200 IN CNAME db.uk.clamav.net.
db.uk.clamav.net. 24 IN A 81.91.100.173
db.uk.clamav.net. 24 IN A 193.1.193.64
db.uk.clamav.net. 24 IN A 178.79.177.182
db.uk.clamav.net. 24 IN A 129.67.1.218

;; Query time: 79 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 24 11:00:42 2017
;; MSG SIZE rcvd: 144

Any ideas?

Simon

> On 24 Aug 2017, at 10:49, Bill Maidment <b...@maidment.me> wrote:
>
> Yeah that worked. Thanks
> I guess that server will get a good working over now.
>
> -Original message-
>> From:Simon Wilson <si...@simonandkate.net>
>> Sent: Thursday 24th August 2017 19:26
>> To: clamav-users@lists.clamav.net
>> Subject: Re: [clamav-users] Freshclam failure
>>
>> I got mine working by pointing it to 'de' in /etc/freshclam.conf
>>
>> - Message from Bill Maidment <b...@maidment.me> -
>> Date: Thu, 24 Aug 2017 19:24:04 +1000
>> From: Bill Maidment <b...@maidment.me>
>> Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
>> Subject: Re: [clamav-users] Freshclam failure
>> To: ClamAV users ML <clamav-users@lists.clamav.net>
>>
>>> It's still failing here:
>>>
>>> wget http://database.clamav.net/main.cvd
>>> --2017-08-24 19:21:28-- http://database.clamav.net/main.cvd
>>> Resolving database.clamav.net (database.clamav.net)... 193.1.193.64
>>> Connecting to database.clamav.net (database.clamav.net)|193.1.193.64|:80... connected.
>>> HTTP request sent, awaiting response... 404 Not Found
>>> 2017-08-24 19:21:29 ERROR 404: Not Found.
>>>
>>> -Original message-
>>>> From:Al Varnell <alvarn...@mac.com>
>>>> Sent: Thursday 24th August 2017 18:42
>>>> To: ClamAV users ML <clamav-users@lists.clamav.net>
>>>> Subject: Re: [clamav-users] Freshclam failure
>>>>
>>>> See previous discussion
>>>> <http://lists.clamav.net/pipermail/clamav-users/2017-August/004990.html>
>>>>
>>>> And Blog announcement earlier today
>>>> <http://blog.clamav.net/2017/08/cvd-download-issues-for-august-23-2017.html>.

Re: [clamav-users] Freshclam failure
I got mine working by pointing it to 'de' in /etc/freshclam.conf

- Message from Bill Maidment <b...@maidment.me> -
Date: Thu, 24 Aug 2017 19:24:04 +1000
From: Bill Maidment <b...@maidment.me>
Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
Subject: Re: [clamav-users] Freshclam failure
To: ClamAV users ML <clamav-users@lists.clamav.net>

It's still failing here:

wget http://database.clamav.net/main.cvd
--2017-08-24 19:21:28-- http://database.clamav.net/main.cvd
Resolving database.clamav.net (database.clamav.net)... 193.1.193.64
Connecting to database.clamav.net (database.clamav.net)|193.1.193.64|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2017-08-24 19:21:29 ERROR 404: Not Found.

-Original message-
From:Al Varnell <alvarn...@mac.com>
Sent: Thursday 24th August 2017 18:42
To: ClamAV users ML <clamav-users@lists.clamav.net>
Subject: Re: [clamav-users] Freshclam failure

See previous discussion
<http://lists.clamav.net/pipermail/clamav-users/2017-August/004990.html>

And Blog announcement earlier today
<http://blog.clamav.net/2017/08/cvd-download-issues-for-august-23-2017.html>.

Except that users are having some continuing issues tonight.

-Al-

On Aug 24, 2017, at 1:34 AM, Bill Maidment <b...@maidment.me> wrote:

> Hi
> I've been using clamav for many years and suddenly yesterday freshclam failed, first on the JP mirror, then on the AU mirror and now everywhere.
> I've tried all the suggested solutions, but nothing obvious in the logs apart from the following:
>
> ERROR: getpatch: Can't download daily-23699.cdiff from db.AU.clamav.net
> ERROR: Can't download daily.cvd from db.AU.clamav.net
> ERROR: getpatch: Can't download daily-23699.cdiff from db.local.clamav.net
> ERROR: Can't download daily.cvd from db.local.clamav.net
> ERROR: getpatch: Can't download daily-23699.cdiff from database.clamav.net
> ERROR: Can't download daily.cvd from database.clamav.net
>
> Cheers
> Bill Maidment

- End message from Bill Maidment <b...@maidment.me> -

--
Simon Wilson
M: 0400 12 11 16

Re: [clamav-users] Unable to download database
Hi All

Still having issue here in UK Liverpool

WARNING: getfile: daily.cvd not found on database.clamav.net (IP: 193.1.193.64)

Regards

Simon

Sent from my iPhone

> On 24 Aug 2017, at 08:48, maxal <m...@sbg.at> wrote:
>
> hi,
>
> also some issues here on 193.1.193.64
>
> Thu Aug 24 09:40:07 2017 -> ERROR: getpatch: Can't download daily-23699.cdiff from database.clamav.net
> Thu Aug 24 09:40:07 2017 -> WARNING: Incremental update failed, trying to download daily.cvd
> Thu Aug 24 09:40:07 2017 -> WARNING: getfile: daily.cvd not found on database.clamav.net (IP: 193.1.193.64)
>
> http://193.1.193.64/daily-23699.cdiff --header "Host:database.clamav.net"
> --2017-08-24 09:42:00-- http://193.1.193.64/daily-23699.cdiff
> Connecting to 193.1.193.64:80... connected.
> HTTP request sent, awaiting response... 404 Not Found
> 2017-08-24 09:42:00 ERROR 404: Not Found.
>
> inetnum: 193.1.193.0 - 193.1.193.127
> org: ORG-HA8-RIPE
> netname: HEANET-MIRROR
> country: IE
>
> regards
> max
>
>> On Thu, 2017-08-24 at 09:21 +0200, lukn555 wrote:
>> Thank you for your effort, Joel.
>>
>> I still have issues with the following server from
>> db.centraleu.clamav.net group:
>>
>> $ wget http://193.230.240.8/daily-23697.cdiff --header "Host:database.clamav.net"
>> --2017-08-24 09:02:01-- http://193.230.240.8/daily-23697.cdiff
>> Connecting to 193.230.240.8:80... connected.
>> HTTP request sent, awaiting response... 403 Forbidden
>> 2017-08-24 09:02:01 ERROR 403: Forbidden.
>>
>>> On 23.08.2017 23:21, Joel Esler (jesler) wrote:
>>> All — I sent a note earlier, but this should be fixed/recovering
>>> now. We are working on an idea that may prevent this kind of thing
>>> from happening in the future.
>>>
>>> Dennis — If you do a health check, and you find things that are…
>>> not matching up with our results… please let me know your failure
>>> list?
>>>
>>> --
>>> Joel Esler | Talos: Manager | jes...@cisco.com
>>>
>>> On Aug 23, 2017, at 3:16 PM, Dennis Peterson <denni...@inetnw.com> wrote:
>>>
>>> After testing several of the DNS round robin aliases I found the
>>> db.ca.clamav.net had the most reliable
>>> server set for North America. After editing the freshclam.conf file
>>> the files updated on the next cron.hourly cycle.
>>>
>>> I also found that the number of viable mirror sites is a small
>>> portion of the total number of mirrors. I also found that a lot of
>>> "local" mirrors are not all that local.
>>>
>>> I think I'll run a health check of every mirror in the western
>>> hemisphere and use the results in a local DNS round robin running
>>> my own servers. It is a form of dynamic load balancing using real-
>>> time network response time. If nothing else it will stop most if
>>> not all attempts to missing mirrors which seem to be the majority.
>>> Obviously it will also ignore mirrors that disallow icmp traffic.
>>>
>>> dp
>>>
>>> On 8/23/17 9:48 AM, Dennis Peterson wrote:
>>> nslookup db.local.clamav.net |awk '/Address:/ {print $2}' |xargs -L1 ping -c 1
>>>
>>> nslookup db.us.clamav.net |awk '/Address:/ {print $2}' |xargs -L1 ping -c 1
>>>
>>> nslookup db.ca.clamav.net |awk '/Address:/ {print $2}' |xargs -L1 ping -c 1
>>>
>>> nslookup db.ru.clamav.net |awk '/Address:/ {print $2}' |xargs -L1 ping -c 1
>>>
>>> nslookup db.uk.clamav.net |awk '/Address:/ {print $2}' |xargs -L1 ping -c 1
>>>
>>> Nobody home.
>>>
>>> dp
>>>
>>> On 8/23/17 12:26 AM, lukn555 wrote:
>>> Good Day ClamAV List
>>>
>>> Since yesterday at around noon CET I've been having issues
>>> downloading
>>> the ClamAV database:
>>>
>>> freshclam --version
>>> ClamAV 0.99.2/23696/Tue Aug 22 14:36:14 2017
>>>
>>> # /usr/local/bin/freshclam --verbose
>>> Current working dir is /usr/local/share/clamav

Re: [clamav-users] Unable to download database
Same here from UK Liverpool datacenter

Was able to download a few hours ago but then stopped again

Simon

Sent from my iPhone

> On 23 Aug 2017, at 18:33, Maarten Broekman <maarten.broek...@gmail.com> wrote:
>
> Similar issues with addresses for db.us.clamav.net. 7 of 16 mirrors aren't
> reachable.
>
> $ host db.us.clamav.net
> db.us.clamav.net is an alias for db.us.big.clamav.net.
>
> $ host db.us.clamav.net | awk '/address/ { print $NF }' | xargs -L1 ping -c 1
>
> On Wed, Aug 23, 2017 at 1:26 PM, Maarten Broekman <maarten.broek...@gmail.com> wrote:
>
>> For me, 3 of the 5 db.local.clamav.net addresses have 100% packet loss:
>>
>> $ host db.local.clamav.net
>> db.local.clamav.net is an alias for db.us.rr.clamav.net.
>>
>> $ host db.local.clamav.net | awk '/address/ { print $NF }' | xargs -L1 ping -c 1
>>
>> On Wed, Aug 23, 2017 at 12:48 PM, Dennis Peterson <denni...@inetnw.com>
>> wrote:

Re: [clamav-users] Scanning IMAP traffic without user credential storage
Beeblebrox wrote:

>> ... If clamd finds something (it does happen), what's the plan?
>> The message is *already* in the user's mail box, and I'd say it should *not* be there in your scenario, because the user can pick up the bad mail simply by connecting other than through your gateway.
>
> I was thinking "somehow" to move the email to a quarantine folder and then sending an advisory to the user "message from joe has been quarantined, please take following steps". Perhaps even some process to strip all attachments, convert message to text-only (risky?) and send the text-only content along with the advisory.
>
> Moving the message to quarantine folder on the host server (Gmail) would require user credential by MTA, so there's another hole in my concept. I wonder if there's an MTA that stores hashed credentials but is also able to auto-update such credentials as received from client device / MUA so that no direct user interaction with the Gateway is necessary.

Well if you could act as a MiM then you'd act as an IMAP server to the client and get the credentials from them as they log in. You'd then log into the real upstream server using those credentials. You'd have to proxy everything so that the client sees the contents of the mailboxes - but you'd have the access you'd need to move the infected mail and add a new warning message.

BUT, two problems. I have no idea at all if there is such a proxy mechanism in existence.

Most of all, it can't be done with SSL connections without either the client users getting security warnings which they'd have to accept, or the clients having your own root certificate installed. Neither of these are a good idea - one teaches users to ignore certificate errors, the other opens the door to all manner of "mischief".
___ clamav-users mailing list clamav-users@lists.clamav.net http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] Scanning IMAP traffic without user credential storage
Dave McMurtrie wrote:

> The original poster doesn't mention which IMAP server he's using.

As I read it, he's looking at "random users accessing random servers" - eg a user connecting his phone to the guest network and it then accessing Gmail.

I really don't think it's possible to do what he wants. In principle it would work for non-SSL connections, but the whole point of SSL is to prevent the sort of MiM connection he is trying to do. For it to work, the proxy would need to talk SSL to the server (no problem), process the non-protected stream internally, and talk SSL to the client. The latter is the problem as the proxy will not be able to sign the connection using a (eg) Google certificate - which is, of course, the whole point of SSL, the client should flash up a big "this site is bogus" warning to the user !

In a corporate environment, with control of the clients, it's possible to install your own root certificate on the clients and then use that to sign the client-side connection. Obviously that won't work with any other clients, and it's a really really bad idea anyway from the security PoV (breaks all client-side verification - eg the "green bar" for banking websites).
Re: [clamav-users] Apparently legitimate Paypal email disguises domain name in links - thus identified as likely phishing
Andy Schmidt wrote:

> If Paypal expects their emails to be delivered, then the CONTENT of their emails must not use phishing techniques.

In my experience, most PayPal emails are a catalogue of the things people are told not to do ! Things like "click here to check your account" come immediately to mind ! The fact that they feel the need to put "we've put your full name in to show it's really us" is indicative to me that they must realise what they are doing.
Re: [clamav-users] Central management server?
robert k Wild wrote:

> Can I install a clamav server and point all my clamav end users ie Mac Linux windows to the server to get update definitions

Yes. Set up your own mirror and point everything at it.

> and can I manage my clients from the server ie see if they're online run scans and lock clients so they can't change settings?

As already said, that's the province of enterprise systems. You should be able to "roll your own" with a combination of local permissions management (stop users fiddling with settings), configuration management systems (such as Puppet already mentioned, set configuration), centralised logging and log analysis (see what is running when), and monitoring systems (e.g. I use Nagios to monitor if ClamAV is up to date on my servers).
Re: [clamav-users] TTL of DNS recode
Tsutomu Oyamada wrote:

> Our environment is a local mirror.
> However, it does not matter.
>
> I wanted to know if there is the case that the DNS TXT of ClamAV have not been updated for few days.
> Could it be possible?
> Is this issue caused by the problem on our environment of querying DNS?
> The daily.cvd is updated in real time now.
> Could this issue be happened when the freshclam try to query DNS?

Given that no-one else has seen the same issue, it was most likely a problem local to you. It is unlikely that any of us could guess what that problem was given that we can't see your systems.
Re: [clamav-users] TTL of DNS recode
Tsutomu Oyamada wrote:

> ClamAV update process started at Sat Nov 5 05:01:15 2016
> Using IPv6 aware code
> Querying current.cvd.clamav.net
> TTL: 1797
> Software version from DNS: 0.99.2
> main.cvd version from DNS: 57
> main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhamner)
> daily.cvd version from DNS: 22473
>
> This log shows that freshclam was started at 5:01 of 5th Nov. and the result of querying DNS was "daily.cvd version: 22473".
> According to the mail [clamav-virusdb] which is sent daily, the daily.cvd version should be 22479 at 5:01 of 5th Nov.
>
> We want to know why freshclam cannot get the latest daily.cvd version.
> Is this difference of daily.cvd version caused by cache of DNS?

OK, try restarting freshclam and see what comes up in the logs. 5th Nov is quite a while ago !

If it still doesn't get the correct information, give us the output of "dig current.cvd.clamav.net txt" - you may need to install the dig (Domain Internet Groper) package.
Re: [clamav-users] TTL of DNS recode
I realise English is not your main language and this is probably very difficult for you to explain in what is to you a foreign language, but I don't think we are able to figure out just what is not working ...

Tsutomu Oyamada wrote:

> In the present situation fail.

What is failing ?

Does your local mirror update ? If not, post logs from freshclam showing the failures to update. Also post your freshclam config.

If your local mirror does update, then we assume your local clients are failing to update from your mirror. If that is the case, post the freshclam logs from a failing client, and its config.
Re: [clamav-users] TTL of DNS recode
Al Varnell wrote:

> So I think I have the answer for this one. From my research it would seem that TTL values are set by the DNS server you are accessing, not by the ClamAV and is the same for all records on that server. You would have to check with the DNS ISP to find out if it has changed or not.

OK, there seems to be some confusion about how DNS works and what the TTL value does, and what lookups report. Dennis has sort of covered some of this, but it might help to see the whole process.

When you do a lookup for a name, your client asks the locally configured resolver the question - eg what is the TXT record for current.cvd.clamav.net.

Assuming the resolver has nothing in the cache, then it will go to the root servers and ask the same question. The root servers won't know, so they will reply to the effect of "I don't know, but the name servers have a better answer" - ie the name servers for .net

So your resolver goes and asks the same question of one or more of those servers. They'll get the same "I don't know, but ..." answer, this time with a list of name servers handling clamav.net.

The resolver will continue in this manner until it reaches far enough down the tree to get find a server that knows the answer. In this case, the nameservers for clamav.net (ns[2-7].clamav.net here*) know the answer and will return it.

Using DIG, this is the chain of results, note that when using +trace, DIG deliberately ignores cached records and so the TTL values are those of the records as served by the relevant name server (except for the root servers which I assume it still uses the local resolver cache for - it has to start somewhere !) :

$ dig +trace current.cvd.clamav.net txt

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +trace current.cvd.clamav.net txt
;; global options: +cmd
. 45003 IN NS h.root-servers.net.
. 45003 IN NS b.root-servers.net.
. 45003 IN NS l.root-servers.net.
. 45003 IN NS e.root-servers.net.
. 45003 IN NS g.root-servers.net.
. 45003 IN NS m.root-servers.net.
. 45003 IN NS j.root-servers.net.
. 45003 IN NS c.root-servers.net.
. 45003 IN NS i.root-servers.net.
. 45003 IN NS a.root-servers.net.
. 45003 IN NS d.root-servers.net.
. 45003 IN NS f.root-servers.net.
. 45003 IN NS k.root-servers.net.
;; Received 508 bytes from 192.168.0.33#53(192.168.0.33) in 21 ms

net. 172800 IN NS e.gtld-servers.net.
net. 172800 IN NS m.gtld-servers.net.
net. 172800 IN NS f.gtld-servers.net.
net. 172800 IN NS a.gtld-servers.net.
net. 172800 IN NS l.gtld-servers.net.
net. 172800 IN NS b.gtld-servers.net.
net. 172800 IN NS j.gtld-servers.net.
net. 172800 IN NS c.gtld-servers.net.
net. 172800 IN NS d.gtld-servers.net.
net. 172800 IN NS h.gtld-servers.net.
net. 172800 IN NS k.gtld-servers.net.
net. 172800 IN NS g.gtld-servers.net.
net. 172800 IN NS i.gtld-servers.net.
;; Received 509 bytes from 2001:7fe::53#53(2001:7fe::53) in 43 ms

clamav.net. 172800 IN NS ns3.clamav.net.
clamav.net. 172800 IN NS ns4.clamav.net.
clamav.net. 172800 IN NS ns7.clamav.net.
clamav.net. 172800 IN NS ns6.clamav.net.
clamav.net. 172800 IN NS ns4a.clamav.net.
clamav.net. 172800 IN NS ns1a.clamav.net.
;; Received 302 bytes from 192.42.93.30#53(192.42.93.30) in 44 ms

current.cvd.clamav.net. 1800 IN TXT "0.99.2:57:22593:1479972755:1:63:45272:285"
cvd.clamav.net. 7200 IN NS ns3.clamav.net.
cvd.clamav.net. 7200 IN NS ns4.clamav.net.
cvd.clamav.net. 7200 IN NS ns5.clamav.net.
cvd.clamav.net. 7200 IN NS ns6.clamav.net.
cvd.clamav.net. 7200 IN NS ns7.clamav.net.
;; Received 184 bytes from 2a01:4f8:160:8421::2#53(2a01:4f8:160:8421::2) in 38 ms

Naturally it would be wasteful if the resolver did all these lookups every time, so it stores all the results it gets back in a local cache. So next time you lookup the same answer, it already has it. If you lookup a different .net address, it already knows which servers handle .net. And so on.
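An added example, not part of the original messages: it decodes the TXT record shown in the dig output and uses the remaining TTL from the freshclam log quoted in this thread to decide whether resolver caching can explain a stale daily.cvd version. The field names for positions 3 to 7 are my reading of the record layout, the log timestamp is assumed to be UTC, and SAMPLE_AUTHORITATIVE is a constructed record.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

AUTHORITATIVE_TTL = 1800  # TTL of the TXT record in the dig +trace output

# freshclam log excerpt as quoted in this thread
SAMPLE_LOG = """\
ClamAV update process started at Sat Nov 5 05:01:15 2016
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 1797
Software version from DNS: 0.99.2
main.cvd version from DNS: 57
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhamner)
daily.cvd version from DNS: 22473
"""
# Constructed: what an in-sync name server might have served that morning.
SAMPLE_AUTHORITATIVE = "0.99.2:57:22479:1478300000:1:63:45272:285"


@dataclass(frozen=True)
class VersionRecord:
    engine: str        # field 0: current ClamAV release
    main: int          # field 1: main.cvd version
    daily: int         # field 2: daily.cvd version
    published: int     # field 3: Unix time the record was generated (assumed)
    warn: bool         # field 4: version-warning flag (assumed)
    f_level: int       # field 5: functionality level (assumed)
    safebrowsing: int  # field 6: safebrowsing database version (assumed)
    bytecode: int      # field 7: bytecode.cvd version (assumed)


def parse_version_txt(txt: str) -> VersionRecord:
    """Parse a payload such as "0.99.2:57:22593:1479972755:1:63:45272:285"."""
    fields = txt.strip().strip('"').split(":")
    if len(fields) < 8:
        raise ValueError(f"expected 8 colon-separated fields, got {len(fields)}")
    engine, *rest = fields[:8]
    if not re.fullmatch(r"\d+(\.\d+)+", engine):
        raise ValueError(f"bad engine version: {engine!r}")
    try:
        main, daily, published, warn, f_level, sb, bc = (int(x) for x in rest)
    except ValueError as exc:
        raise ValueError(f"non-numeric field in {txt!r}") from exc
    return VersionRecord(engine, main, daily, published, bool(warn), f_level, sb, bc)


LOG_FIELDS = {
    "ttl": re.compile(r"^TTL: (\d+)$", re.M),
    "main": re.compile(r"^main\.cvd version from DNS: (\d+)$", re.M),
    "daily": re.compile(r"^daily\.cvd version from DNS: (\d+)$", re.M),
}
STARTED = re.compile(r"^ClamAV update process started at (.+)$", re.M)


def parse_freshclam_log(text: str) -> dict:
    """Extract what the resolver told freshclam, and when it was asked."""
    seen = {}
    for name, pattern in LOG_FIELDS.items():
        match = pattern.search(text)
        if match is None:
            raise ValueError(f"log has no {name} line")
        seen[name] = int(match.group(1))
    match = STARTED.search(text)
    if match is None:
        raise ValueError("log has no start line")
    started = datetime.strptime(match.group(1).strip(), "%a %b %d %H:%M:%S %Y")
    seen["queried"] = int(started.replace(tzinfo=timezone.utc).timestamp())
    return seen


def assess(log_text: str, authoritative: VersionRecord,
           authoritative_ttl: int = AUTHORITATIVE_TTL) -> dict:
    """Classify a version mismatch as 'current', 'cache' or 'upstream'."""
    seen = parse_freshclam_log(log_text)
    behind = authoritative.daily - seen["daily"]
    # The TTL counts down while a record sits in a cache, so the difference
    # from the authoritative TTL is how long the answer has been cached.
    cache_age = max(0, authoritative_ttl - seen["ttl"])
    fetched_at = seen["queried"] - cache_age
    if behind <= 0:
        verdict = "current"
    elif fetched_at < authoritative.published:
        verdict = "cache"     # copy predates the new record, expires with its TTL
    else:
        verdict = "upstream"  # stale data was fetched after the new record existed
    return {"behind": behind, "cache_age": cache_age, "verdict": verdict}


if __name__ == "__main__":
    print(assess(SAMPLE_LOG, parse_version_txt(SAMPLE_AUTHORITATIVE)))
```

With a remaining TTL of 1797 against an authoritative 1800, the answer had been cached for about three seconds, so a record several versions old points at whatever server the resolver asked rather than at the local cache.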
Re: [clamav-users] GPL license question
Borough Rumford wrote:

> I know clamav is released under GPL license, and third-party commercial app shouldn’t link libclamav.

Is the library under the GPL or LGPL - the answer is different for the two licences ?

https://www.gnu.org/licenses/gpl-faq.en.html#GPLStaticVsDynamic
https://www.gnu.org/licenses/gpl-faq.en.html#LGPLStaticVsDynamic

AIUI, if you link against a GPL library then your code needs to be compatible with the GPL, if you link dynamically against an LGPL library then it doesn't. That's the reason for having the LGPL.
Re: [clamav-users] Threading (Was: How can Clam/Cisco be so irresponsibly reckless and nonchalant to Windows users?)
Mark Allan wrote:

>> For me, I use Mail.app the majority of the time. Apparently if I delete lines and inline reply like I do in Thunderbird, Mail.app just tells me to eat dust and unthreads the whole thing. Guess I should file a bug with Apple.
>
> That's strange. I use Mail.app as well, and as far as I'm aware, there's never been a problem replying to emails and keeping the threading and quoted text.

Me too, never come across that. But then I'm still on 10.8 (Mountain Lion) so can't speak for later versions, I know Apple does have a history of taking something that works and "fixing" it - in the same way people talk of taking their dog to the vet to be "fixed" (by removing bits that worked).

Groach wrote:

> Consider my explanation of 'notification' above. So now, how do I post a 'reply' to someone else's comment if I no longer have an "email notification" (to click 'REPLY' on)?

What I usually do in that situation is to carefully copy the email subject as it appears in the archives and create a new email. The new email won't have any references headers to link it to the thread, but any half decent client and list archive should be capable of recognising the subject as being the same as the existing thread and link it in that way. Your message won't appear in the right place in the threaded view in the archives, but it should appear in the same thread. The same issue occurs for people getting a list digest.

In theory, if it's presented, you could copy the message header from the archive and add that as a custom header (In-Reply-To:) to your email. Looking at the Mailman archive for the list it doesn't seem to be presented, but I suspect some archives may keep and display it.

The key headers are :

Message-Id: This should be a globally unique ID generated by your mail client.

In-Reply-To: If you reply to an email, the In-Reply-To: header should be set to the Message-Id: of the message you reply to.

References: This builds up as a message gets replied to over time. Each reply should be adding the Message-Id: to this so there ends up a chain of which messages led to this one.

In-Reply-To: should be sufficient to put your message in the right place in the thread.

What you must never ever do is select some random list message in an unrelated thread and hit reply - either to respond to an existing thread or to start a new one. Because this reply will include In-Reply-To: and probably References: headers, this will cause your unrelated message to get threaded into the wrong thread. If you are browsing an archive and find a seemingly unrelated thread intermingled with another one - this is probably the cause.
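The threading rules described in the message above, as an added example that is not part of the original post: a minimal archive-style threader that links by In-Reply-To:, then References:, then falls back to the subject line. The messages, the example.org Message-Ids and the function names are constructed for illustration.

```python
import re
from email import message_from_string

MSGID = re.compile(r"<[^<>\s]+>")
# Leading "Re:" markers and list tags such as "[clamav-users]", in any order.
PREFIX = re.compile(r"^(?:\s*(?:re:|\[[^\]]*\]))+\s*", re.I)


def parent_id(msg):
    """In-Reply-To: names the parent; failing that, the last References: entry."""
    for header in ("In-Reply-To", "References"):
        ids = MSGID.findall(msg.get(header, ""))
        if ids:
            return ids[-1]
    return None


def base_subject(msg):
    """Subject with reply markers and list tags removed, case-folded."""
    return " ".join(PREFIX.sub("", msg.get("Subject", "")).split()).lower()


def thread_roots(raw_messages):
    """Map each Message-Id to the root of its thread, in arrival order."""
    root_by_id = {}
    root_by_subject = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        found = MSGID.search(msg.get("Message-Id", ""))
        if found is None:
            raise ValueError("message without a Message-Id")
        mid = found.group(0)
        parent = parent_id(msg)
        subject = base_subject(msg)
        if parent in root_by_id:
            # A header link is trusted even when the subject is unrelated,
            # which is how a reply to a random message lands in the wrong thread.
            root = root_by_id[parent]
        elif subject in root_by_subject:
            # No usable header (digest reader, copied subject): match by subject.
            root = root_by_subject[subject]
        else:
            root = mid
        root_by_id[mid] = root
        root_by_subject.setdefault(subject, root)
    return root_by_id


def make(mid, subject, in_reply_to=None):
    """Build a constructed message with only the headers that matter here."""
    head = [f"Message-Id: <{mid}>", f"Subject: {subject}"]
    if in_reply_to:
        head += [f"In-Reply-To: <{in_reply_to}>", f"References: <{in_reply_to}>"]
    return "\n".join(head) + "\n\n(body omitted)\n"


SAMPLE = [
    make("a1@example.org", "[clamav-users] Threading"),
    make("a2@example.org", "Re: [clamav-users] Threading", "a1@example.org"),
    # Digest reader: new mail with the subject copied from the archive.
    make("a3@example.org", "Re: [clamav-users] Threading"),
    make("b1@example.org", "[clamav-users] Freshclam mirror problem"),
    # New topic started by hitting reply on an unrelated message.
    make("c1@example.org", "[clamav-users] GPL license question", "b1@example.org"),
]

if __name__ == "__main__":
    for mid, root in thread_roots(SAMPLE).items():
        print(mid, "->", root)
```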
Re: [clamav-users] mail server and clamav in different machine
M.hafez wdeln...@yahoo.com wrote:

> can i install the mail server (win or Linux based ) and the clamav in different machine, that may allow me to filter more than one mailer server using the same Clamav machine.

In principle yes, though it very much depends on how you are going to pass the email to it.

If you do file based scanning - ie the server saves a file (or files) and then calls ClamAV - you will need to arrange shared files and ensure the file paths remain consistent for both ends. If you run it as a filter and pass the message in via that, then it should only be a case of pointing each mail server at the right socket.

But why not duplicate the ClamAV installation and distribute the workload ?

I built a small cluster (Postfix+PostfixAdmin+MySQL+Courier+Amavis+ClamAV) and configured each server to do before-queue scanning of inbound emails. I made it so there is one master machine which holds the mail store, and a number of other mail servers that will accept connections, scan the mail, and if accepted put it in the mail store via NFS. This was because of the potential delays introduced by before-acceptance scanning and to spread the load of that scanning across multiple hosts. My experience is that by far the highest load on my mail servers is the scanning.
Re: [clamav-users] Clamd and Systemd
Scott Kitterman deb...@kitterman.com wrote:

>> Is harmless supposed to include not installable ?
>
> No. What's not installable? Install clamav-daemon (with the lib) and don't worry about it.

Given that I wouldn't be bothered at all if SystemD was just an init system, it's all the other crap I want to keep out. Do you really think I'm going to allow a SystemD library (whose package description gives no clues about its functions or intentions) onboard ?

If ClamD is only using this library if SystemD is installed, then presumably it'll work without that library when SystemD isn't installed ? So all I need is a dummy (empty) package that provides whatever apt is looking for to satisfy the installation dependency ?
Re: [clamav-users] Clamd and Systemd
G.W. Haywood cla...@jubileegroup.co.uk wrote: I would http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installation Been there, done that, but what a right PITA it creates - specifically trying to figure what package is triggering a chain of dependencies that's trying to pull in part of SystemD and then install ClamAV from source. I wouldn't use packages for things like ClamAV anyway. I have to consider maintainability - and given the skills (or lack of) left in the business when I find a better job or get hit by the proverbial bus, I've been making a point of sticking to packages. Not at all, it's just Debian doing what Debian does (i.e. drive me nuts). It's been driving me nuts today. Perhaps it's just what I'm used to but I prefer Debian to most other distros - I learned my first Unix with SCO Xenix and then Openserver5.

Scott Kitterman deb...@kitterman.com wrote: Also, does anyone know how important this dependency is ? Is it just some small optional features, or something fundamental that can't be removed ? My gut feeling is that given the range of platforms ClamAV runs on (inc many without SystemD), it can't be that important. It's there because of the way we build the package to support the default init system. I don't recall exactly why. It doesn't, however, do anything if systemd isn't the active init system. Other than taking a small amount of disk space it's harmless. Is harmless supposed to include not installable ?
Re: [clamav-users] unsubscribe
Cmos35 x.lep...@laposte.net wrote:

> I never asked to be unsubscribed, I asked a question and I unsubscribed by David Barr

No, he didn't unsubscribe you - only you can do that (or someone forging your email address in the sender field)

I assume he wanted to unsubscribe from the list, but ignored the email he would have had when first signing up (which contained information) and made no effort to find out how to do it properly. If he'd made any effort at all, he'd have found these helpful headers in any list email :

List-Id: ClamAV users ML clamav-users.lists.clamav.net
List-Unsubscribe: http://lists.clamav.net/cgi-bin/mailman/options/clamav-users, mailto:clamav-users-requ...@lists.clamav.net?subject=unsubscribe
List-Archive: http://lists.clamav.net/pipermail/clamav-users/
List-Post: mailto:clamav-users@lists.clamav.net
List-Help: mailto:clamav-users-requ...@lists.clamav.net?subject=help
List-Subscribe: http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users, mailto:clamav-users-requ...@lists.clamav.net?subject=subscribe

Like most mailing lists, all he had to do was to send a blank message to whatever the list is-request with unsubscribe in the subject - or click on the link and go to the mail manager website and do it.

I see this periodically on every mailing list I'm on - even the ones where there is a help message clearly visible in the footer of every list message :-/
Re: [clamav-users] ClamAV installation is OUTDATE!
Marcio Fiorette marcio.fiore...@gmail.com wrote:

> I am unable to update ClamAV from version 0.98.5 to 0.98.6 on Debian 7. I have already followed the procedures on the www.clamav.net site and still had no success.

Google tells me you're trying to update but it's not working.

Did you install ClamAV as a Debian package ? If so then do NOT use any other tools to update it, just use the Debian supplied package tools. This applies to any distribution - if you installed the distribution package then you should update using the distro specific tools/packages.

If you include wheezy-updates as a repository (see /etc/apt/sources) then 0.98.6 is already there -

apt-get update
apt-get upgrade

should update it (and anything else that needs updating). If you don't include wheezy-updates (which you should do - it's your security updates) then you'll still only get 0.98.5

https://packages.debian.org/search?keywords=clamav&searchon=names&suite=all&section=all
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
Daniel Spies ds20150222c...@pskx.net wrote:

> I don't get how you find it more appropriate to silently reject someone's e-mail

I don't. I don't know where you got that from - perhaps it's from seeing so many examples of bad practice that's become the norm so you assume everyone is that bad ?
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
Daniel Spies ds20150222c...@pskx.net wrote:

> In my opinion, it doesn't make any sense to scan e-mail leaving the server. The recipient will never trust these tags anyway. So why scan at all? It's important to scan incoming mail, be it from a local or an external client.

I disagree. Recipients may not trust the tags, but it *should* stop outbound spam/infected mail should your machine (or one of the clients) get compromised. IMO spam and malware is not just something to stop coming in, it's something to prevent going out - if more networks prevented it going out then there'd be less of a problem.

On my systems I scan *everything*, and I firewall off everything I can - including preventing outbound connections to port 25.

At work I run mail servers that are used by customers - including as smart relays. It's not all that uncommon to find one of the customer compromised and sending out thousands (or millions) of spam emails - so my latest server also does rate limiting to limit the damage done before it gets spotted and blocked.
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
OK, this is getting well off-topic for this list, this will be my final say on the matter - and from some of the other comments I see I'm not alone in considering you part of the problem.

Daniel Spies ds20150222c...@pskx.net wrote:

>> Recipients may not trust the tags, but it *should* stop outbound spam/infected mail should your machine (or one of the clients) get compromised. IMO spam and malware is not just something to stop coming in, it's something to prevent going out - if more networks prevented it going out then there'd be less of a problem.
>
> It's not always black and white. I assume you're responsible for the clients you're talking about, i.e. they are your customers or colleagues.

It varies, but in the general case they may be managed customers (where we look after the network, servers, and clients) through to customers only in that they use our mail servers. Regardless, all mail they send through my servers is scanned - and I do block anything that reaches a sufficient spamminess score or fails the AV checks.

> While spoon-feeding colleagues or customers may be okay for the sake of security, my clients would certainly raise hell if they would receive errors due to false positives. Most people expect their system to just work -- no matter what.

Which is one reason it's very important to make sure you are not part of the problem. Allowing a customer to send nasties through your mail server is a good way of getting it blacklisted - and then it certainly doesn't just work. I can assure you that when your server gets on a blacklist, your customers do complain - and they complain a lot louder than if you block one or two spammy messages. The best way to stay off blacklists is to block spam and nasties at source - not just rely on the recipient to catch it later ...

> By the way: I don't even reject virus/spam mail, I just tag them. If a client is dumb enough to open the attachment of a tagged e-mail, so be it.

So you are part of the problem. It's already been said that tagging is meaningless - yet you assume it's reasonable to expect others to act on your tags.

>> On my systems I scan *everything*, and I firewall off everything I can - including preventing outbound connections to port 25.
>
> I am not in the situation where all my clients sit in a firewalled private network; it's more the free-mail kind of situation. What and when my clients send e-mail is none of my concern, as long as they do it in common dimensions, i.e. in a way that matches a real person.

Most of the customers are also not on managed networks. But on my own systems I block outbound connections to port 25 other than what's needed (actually, I mostly have a block everything and allow what's needed policy). It's all part of a layered approach - you protect your systems, but you also add a layer that limits the damage if they do get compromised.

> However, rejecting outgoing e-mail right away is not an option, which ultimately makes the scanning of these messages redundant.

Which makes you part of the problem.
Re: [clamav-users] clamav-users-bounces DKIM signature verify error
Scott Kitterman ubu...@kitterman.com wrote:

> ... but isn't this a bit off topic?

Yes it is - but the OP asked here as he was having problems with this list.

> In this particular case, he's got a local configuration issue nothing really to do with clamav, SPF, or DKIM (as a protocol).

Yes it's a local config problem (he needs to turn off DKIM, or at least turn it down to the point where it's virtually useless), but it's a hard stretch to say it's nothing to do with DKIM since DKIM *IS* his problem !
Re: [clamav-users] clamav-users-bounces DKIM signature verify error
Scott Kitterman ubu...@kitterman.com wrote:

> No, sending bounces to the list is his problem.

Sorry, but that's a relatively common techie attitude - ignore the fact that the end user probably has no idea what's going on (else why ask for help about it ?)

From the USER perspective, he has a problem with using this list, and has asked for help identifying WHY. His problem is **NOT** sending bounces, his problem is list server is unsubbing him and/or he isn't getting all the mails - bouncing mails is a *cause* of that, and DKIM is a *cause* of that.

As you say, the discussion of the merits or otherwise of DKIM and/or SPF are OT for this list, but the OP didn't know that that was the problem until he asked the question. Now he knows what the underlying issue is - he can address it, asking for help in an appropriate forum if required.
Re: [clamav-users] clamav-users-bounces DKIM signature verify error
Marcello Lupo ml...@itspecialist.it wrote:

> Have you any idea of the reason for this problem and how to let it go away?

Other than DKIM breaks stuff

> As now I’m losing some messages from the list for sure.

Stop using mailing lists OR stop using DKIM

Or you might be able to tune DKIM to exclude the message content - which rather defeats the object.

http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail#Annotations_by_mailing_lists

SPF has the same problem.
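Why a list footer invalidates a DKIM signature, and what signing only part of the body gives up, as an added example that is not part of the original message. It implements the relaxed body canonicalization and body hash of RFC 6376; the message body, the d= and s= values and the helper names are constructed, and the footer is this list's footer with its line breaks assumed.

```python
import base64
import hashlib
import re

# Constructed message body, as the sender's server signed it.
ORIGINAL = b"Have you any idea of the reason for this problem?\r\n\r\nRegards\r\n"
# Footer the list software appends to every post (line breaks assumed).
LIST_FOOTER = (b"___\r\n"
               b"clamav-users mailing list\r\n"
               b"clamav-users@lists.clamav.net\r\n"
               b"http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users\r\n")


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4: collapse runs of whitespace, drop whitespace at
    the end of each line and drop empty lines at the end of the body."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)


def body_hash(body: bytes, length=None) -> str:
    """Value of the bh= tag: base64(SHA-256(canonical body, cut at l= if set))."""
    canon = relaxed_body(body)
    if length is not None:
        if length > len(canon):
            raise ValueError("l= is larger than the received body")
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def sign_body(body: bytes, with_length: bool = False) -> str:
    """Body-related tags of a DKIM-Signature header. The b= value (the RSA
    signature over the headers) is outside the scope of this example."""
    tags = ["v=1", "a=rsa-sha256", "c=relaxed/relaxed", "d=example.org", "s=sel1"]
    length = len(relaxed_body(body)) if with_length else None
    if with_length:
        tags.append(f"l={length}")
    tags.append(f"bh={body_hash(body, length)}")
    return "; ".join(tags)


def parse_tags(header_value: str) -> dict:
    """Split 'k=v; k=v' into a dict, ignoring folding whitespace in values."""
    pairs = (tag.split("=", 1) for tag in header_value.split(";") if tag.strip())
    return {key.strip(): "".join(value.split()) for key, value in pairs}


def body_hash_ok(header_value: str, received_body: bytes) -> bool:
    """The verifier's body check: recompute bh= over what actually arrived."""
    tags = parse_tags(header_value)
    length = int(tags["l"]) if "l" in tags else None
    try:
        return body_hash(received_body, length) == tags["bh"]
    except ValueError:
        return False


def unsigned_tail(header_value: str, received_body: bytes) -> bytes:
    """Canonical body bytes beyond l=, accepted with no signature over them."""
    tags = parse_tags(header_value)
    return relaxed_body(received_body)[int(tags["l"]):] if "l" in tags else b""


def via_list(body: bytes) -> bytes:
    """What subscribers receive once the list has appended its footer."""
    return body + LIST_FOOTER


if __name__ == "__main__":
    full, partial = sign_body(ORIGINAL), sign_body(ORIGINAL, with_length=True)
    print("direct delivery :", body_hash_ok(full, ORIGINAL))
    print("via the list    :", body_hash_ok(full, via_list(ORIGINAL)))
    print("via list, l= set:", body_hash_ok(partial, via_list(ORIGINAL)))
    print("unsigned bytes  :", len(unsigned_tail(partial, via_list(ORIGINAL))))
```

The l= signature survives the footer only because the verifier stops hashing at the signed length, so everything after that point, footer or otherwise, arrives unauthenticated.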
Re: [clamav-users] clamav stops boot
Alain Zidouemba azidoue...@sourcefire.com wrote:

> The ClamAV engine won't update itself automatically. You will have to manually perform that operation. The latest version of ClamAV (version 0.98.1) can be downloaded here: http://www.clamav.net/lang/en/download/sources/

However, as the OP is using Debian, is new to Debian, and assuming it's been installed as a package, then he'd be better just using the system update tools.

apt-get update
apt-get upgrade

to upgrade everything, or

apt-get upgrade

followed by

apt-get install clamav-daemon clamav-freshclam

should pull in updates for the ClamAv stuff. That is, assuming it's a moderately up to date Debian version.

But he has to get it booted first ! The system should continue past that message, so I'm not sure what's going on. As a quick hack, booting into recovery mode (should be a boot option at the Grub menu) and

rm /etc/rc2.d/S*clamav-daemon

should get the machine to a bootable state.

Once the system boots,

dpkg -l '*clamav*'

should show what's installed.
Re: [clamav-users] Problem with Freshclam and local mirror
Shawn Webb sw...@sourcefire.com wrote: I suspect the fault lies in a rather small piece of code that was supposed to make the call to recv() a little more robust. If you have the ability (or desire) to compile from source, can you please try the attached patch? If the patch works, I'll integrate it into our next release. Thanks, but I'm not really in a position to test it - I don't have build tools on any of my machines, and don't really have the skills to use them anyway. In response to my bug report (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743305), Andreas Cadhalpun has pointed out that there is now a PrivateMirror option in freshclam.conf. I've configured this and things now seem to work, though I need to leave it for a while to be sure. The only reference to the new option I could find on my system was on line 962 of the changelog. And thanks for the other suggestions. ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/support/ml
[clamav-users] Problem with Freshclam and local mirror
Because I've several machines using it, I've setup one to act as a local server, with the others pulling their updates from it. It's been generally reliable for years, but since updating to 0.98.1 I'm having repeated problems where the slaves just stop fetching updates. As an example, one of them as of this morning was 7 revisions out of date. Freshclam log says : main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo) ERROR: Can't download daily.cvd from virusdb.back.mydomain Giving up on virusdb.back.mydomain... Update failed. Your network may be down or none of the mirrors listed in /etc/clamav/freshclam.conf is working. Check http://www.clamav.net/support/mirror-problem for possible reasons. Invariably, if I delete mirrors.dat and restart Freshclam it will then download daily.cvd : main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo) Downloading daily.cvd [100%] daily.cvd updated (version: 18725, sigs: 863475, f-level: 63, builder: neo) bytecode.cvd is up to date (version: 236, sigs: 43, f-level: 63, builder: dgoddard) Database updated (3287743 signatures) from virusdb.back.mydomain (IP: 172.nn.nn.nn) Systems are running Debian Wheezy and fully up to date. Checking the logs, I can see one system at 6:50 said : ClamAV update process started at Tue Apr 1 06:50:35 2014 main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo) Downloading daily.cvd [100%] WARNING: Mirror 172.nn.nn.nn is not synchronized. Trying again in 5 secs... ClamAV update process started at Tue Apr 1 06:50:42 2014 main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo) WARNING: Can't download daily.cvd from virusdb.back.mydomain Trying again in 5 secs... And on the Apache logs of the main server, I can see daily.cvd being fetched at 06:50 then nothing at all after that. It looks like Freshclam just flags the mirror as bad and never checks it again. Any ideas ? 
Re: [clamav-users] Problem with Freshclam and local mirror
Greg Folkert g...@donor.com wrote: I had this problem and have used a brute force solution to remove the mirrors.dat file every day so it'll ignore previous problems (like the machine being unavailable or other such issues) I had already considered the same. Since I've got two machines that have dropped 3 revisions behind already today (ie in the last 8 hours) I'll do that unless anyone has any more elegant suggestions or knows how to fix the underlying problem. In the meantime, I've logged a bug against the Debian package. ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/support/ml
Re: [clamav-users] Debian packaging
Greg Folkert g...@donor.com wrote: Debian Stable is that. If you must have 0.98.1, you should also be using backports... at least I used to until I just used Sid for everything. Backports help extend Stable's longevity and freshness a bit... but it is no guarantee 0.98.1 will be there. Actually it should filter down once it's gone through some testing. Stable means different things to different packages - and AFAIK policy hasn't changed much in terms of updating volatile security related packages like ClamAV. Matthew Newton m...@leicester.ac.uk wrote: Debian's policy is to ensure that stable means stable - so they only generally apply security patches. There was a volatile repository once as they realised that software like ClamAV needs updating more but conflicted with normal policy; it looks like it's been replaced, but I don't know if they still maintain the ClamAV package there. It is still there, just under a different name - should be covered by the version/updates (eg wheezy/updates) source. http://www.debian.org/security/ As for installing the update, as pointed out there are several options. If you have wheezy/updates in your apt-sources list then it should appear (eventually) after passing through Debian's quality processes. If you want it sooner, then pull it from testing - something I've done with a few packages from time to time. I've found that mostly things are fairly reliable by the time they reach testing - but it's worth a scan of the bugs list first. Or if you want bleeding edge - either install from upstream source, or install from unstable. Unstable can be, well, unstable - so you roll your dice and take your chances. Personally, I try to avoid installing from source. Not because I can't do it (I have done it when I've had no option), but I have to consider maintainability - especially if I've moved on and the system gets inherited by someone with limited Linux/FOSS skills. 
YMMV - what you do on a home system (only you to consider) or in an environment where there are plenty of experienced Linux/FOSS admins is one thing; what you do when there's no such people around is another. ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/support/ml
Re: [clamav-users] Is there any chance of the 97.8 version as shipped by ubuntu 10.04.4 LTS, working?
Gene Heskett ghesk...@wdtv.com wrote: So, is there any hope of making it work again using what the repo's for ubuntu 10.04.4 LTS will put back in (version 97.8) using synaptic? Or has the data format changed so much its hopeless? 97.8 is the current stable version in Debian (98 has just hit unstable) and Freshclam is working fine for me. I don't see there being any problems. ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/support/ml
Re: [clamav-users] Debian packaging
Greg Folkert wrote: Simon, Why not open a Bug, or look to see if there is one. Oh wait: In Pending Upload bugs for http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=727027 Just gotta look. Rending since Oct 2013 Yes indeed. And lookit that, some Simon Hobson li...@thehobsons.co.uk Commented on it Fri, 15 Nov 2013 9:54:48 +. And look what a positive response it's had so far ! Make noise on the list or continue to bomb the bug(s)... This place ain't gonna be helpful in this regard. Well since no-one's come back with something like the package maintainer's gone AWOL or similar, I'll keep bumping that bug ticket. Does seem strange, I don't recall such a long delay in the past. Updating from source isn't really an option since I need to leave these systems maintainable by people who need the simplicity of apt-get upgrade. ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/support/ml
[clamav-users] Debian packaging
Does anyone know what the situation is with Debian packages ? It's been something like 2 months now and 0.98 still doesn't appear to have made it to unstable, let alone testing. I'm assuming this also affects Debian derived distros like Mint and Ubuntu. ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/support/ml
Re: [clamav-users] Virus names - a rose by any name?
Pancho wrote:

> Hi - thanks to everyone for the replies. I have seen 2 replies now and it may well be that I have not been clear enough because both are at cross purposes.

Then it might help if you elaborated on what you meant.

> Unfortunately I don't have further time to invest in this topic but I do hope that someone at ClamAV sees value in the suggestions.

They might if they could understand what the suggestions were. It's clear from your response that what people took away from your post is not what you meant. Hence it's unlikely that anyone will see value in something they haven't seen.
Re: [clamav-users] Virus names - a rose by any name?
Pancho wrote:

> While I understand the comment, it makes it risky I believe from a security perspective to tell users anything more than file contains virus. I say this because if we find a virus and provide the message file contains virus with name ClamAV proprietary virus name XYZ then malicious users can effectively deduce our virus engine simply by using the custom name. See the site http://virusscan.jotti.org/en for a very easy illustration of how to do this. Once the malicious user knows this again, it is a fairly straightforward thing for them to test exploits against a site like jotti until they find one not detected by ClamAV - then submit that exploit to our site knowing that it will successfully bypass our anti virus.

AFAIK ClamAV doesn't tell outside users anything - that is up to the software that calls it and the administrator that set it up.

For example, suppose we are using ClamAV to scan inbound mail - using Amavis as integration software as that's a fairly common setup. So when the email is submitted by the outside MTA, our MTA hands off the message to Amavis, and Amavis (amongst other things) hands it off to ClamAV. The response sent to the outside MTA can be anything from message blocked at one extreme to ClamAV found XXX at the other - and where in that spectrum is down to not just ClamAV (which should correctly identify what it found IMO), but also the config of Amavis and the config of our MTA.

Of course, what is reported to the outside MTA can be different to what is logged in our mail log. We may just report blocked to outside while logging full details (as is usually the case) in the mail log so that the administrator has more information if the reason is queried.

Much the same applies if you scan inbound files on a web site that allows uploads - what ClamAV reports to your software, and what your software reports to the end user may be different things.
Re: [clamav-users] linux scan of WordPress directories
Vid Luther wrote: I'm wondering if it's possible to run ClamAV on a file system that has a ton of WordPress installs. Yes, use (IIRC) clamscan to scan the directories. I've done that on my servers when there's been any question about a customer site. -- Simon Hobson Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books. ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [clamav-users] Licensing DLLs
Chuck Swiger wrote: What if WE made an AV plugin DLL to link our software with libclamav? If your software license isn't GPL-miscible, then you should not redistribute the combination of your software, the plugin, and ClamAV. Isn't this a case where the component they've linked with (in this case) ClamAV would need to be GPL, but the other component it talks to doesn't need to be ? I'm assuming these are separate units - ie there's the closed main system, and the GPL plugin code linked with ClamAV. The fact that the closed main system is distributed alongside the GPL code doesn't mean it has to be GPL - provided they are clear in the documentation etc which parts are closed, and which are GPL. Very much a flip round of the case where software uses non-free libraries (http://www.gnu.org/licenses/gpl-faq.html#FSWithNFLibs) Also, http://www.gnu.org/licenses/gpl-faq.html#GPLInProprietarySystem says : However, in many cases you can distribute the GPL-covered software alongside your proprietary system. To do this validly, you must make sure that the free and non-free programs communicate at arms length, that they are not combined in a way that would make them effectively a single program. It then goes on to say : The difference between this and incorporating the GPL-covered software is partly a matter of substance and partly form. The substantive part is this: if the two programs are combined so that they become effectively two parts of one program, then you can't treat them as two separate programs. So the GPL has to cover the whole thing. My interpretation of this would be that in the case the OP asked about, provided he makes the plugin a distinctly separate program (and GPLs any code he adds to the GPLd code to make it work with his API) then it would qualify. It would require the plugin to be separate and optional - but i see no reason it can't be shipped on the same disk. 
The GPL is actually not as all encompassing and restricted as many believe - it *IS* possible to combine GPL and non-free software in a system if you do it right, and using GPL software does *NOT* automatically mean the entire system has to be GPL. Perpetuating these myths doesn't do anyone any good.

If in doubt, the OP could always ask FSF who I'm sure would be quite happy to have someone ask them rather than make assumptions and/or get it wrong. I dare say they'd be happier if the whole lot was GPLd, but Rome wasn't built in a day.

-- Simon Hobson Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
Re: [clamav-users] Some questions about setting up ClamAV
Andy Newby wrote: How can we have clamAV automatically scan the images after they are uploaded (to catch any viruses as quickly as possible)? You'd need to get your software to do that. Between accepting the upload and doing anything with it, call Clamscan to scan it. Alternatively, and I don't know if this is possible, I believe some OSs have facilities to monitor a filesystem for changes. If you can get the system to tell you when a new file has been created in your upload directory, then you could scan it then - but of course you may need to wait for the upload to complete. If it is not possible to set up clamAV like this, how can we set up a cron job to scan the image folders and domain / server ? You create a cron job, to run at whatever schedule you want, that calls Clamscan with the options you want. -- Simon Hobson Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books. ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [clamav-users] Some questions about setting up ClamAV
Andy Newby wrote:

> We're using ClamAV on a Unix Centos Server, with WHM and Cpanel, we would like to do this:
> 1) Set up a cron job to scan a single domain (via Cpanel), and a cron job for the entire server (via WHM), how?

Create cron jobs to call clamscan with the options you want ?

> 2) We would like to set up a cron job to update ClamAV with the latest virus DB on a single domain (via Cpanel), and a cron job for the entire server (via WHM), how?

Ditto. Setup cron jobs to call freshclam. Or just let freshclam do its job automatically. If you have a lot of instances to update, you might consider setting up a central server to fetch updates and then let individual servers/instances fetch from that.

> 3) our web site allows users to upload images via a standard form. We would like to set up ClamAV to be able to scan their file before it gets uploaded to the server, how can we do this?

You can't - it's not there to scan before it's been uploaded. You'd need to look at the software being used and get it to scan all new files before it goes on to use them.

-- Simon Hobson Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
Re: [clamav-users] How can I have clamd reject items that can't be scanned?
Per Jessen wrote: It's not about not being able to scan, it's about not wanting to scan. Regardless, clamav doesn't reject or approve mails, that's for your MTA to do. If you use ClamAV as milter, it's up to ClamAV to tell the MTA what to do so I guess there's a task for ClamAV too.. Well, I guess it depends on your point of view. Personally I see the MTA doing the rejection, possibly based on information from elsewhere (DNS, blacklists, clamav, wherever). This is a rather pointless argument about semantics which doesn't answer the original question. I'll rephrase it for the pedants : I see that there are ways to limit the level of archive that will be scanned as well as the size of the entities to be scanned. Is there a way for CLAMAV to then flag them as not allowed? Oh, I see it works without modification. Is it possible for ClamAV to flag that the message should be rejected if it can't be scanned - seems a reasonable question to me. The OP didn't say is it possible for ClamAV to reject the message, they rather correctly asked about flagging it for rejection. -- Simon Hobson Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books. ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [clamav-users] How can I have clamd reject items that can't be scanned?
Per Jessen wrote:

> The OP started by saying there are ways to limit the level of archive that will be scanned as well as the size of the entities to be scanned, which are performance optimizing options one can use if desired. To which I commented that it's not about a message that can't be scanned, but whether your limits allow it to be scanned. Remove the limits, and everything is scanned (presumably only limited by hardware resources).

Well of course there have to be limits somewhere, and I recall one issue is malevolent attachments designed specifically to crash extractors.

A second issue I recall from the past is the sending of password protected archives - the scanner is unable to check it, but of course a user taken in by the message may well open it. So that's a separate consideration - whether to allow password protected archives or to reject them.

> Nonetheless, it is actually an interesting question - should/does clamav return not-scanned-due-to-user-restriction in such cases?

I guess that's the key question, and is it possible to set the reported result to reject in that case ?

-- Simon Hobson Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
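The split described in the "Virus names" thread above (a generic response to the outside, full detail in the local log) and the question in this thread (flagging what could not be scanned for rejection), as an added example that is not code from ClamAV, Amavis or any MTA. It assumes scanner replies in clamd's "<name>: <signature> FOUND" / "<name>: OK" / "... ERROR" form; the sample replies are constructed, and `decide`, `reject_unscanned` and the SMTP texts are hypothetical.

```c
/* Added example: turn one scanner reply into (a) what the connecting MTA is
 * told and (b) what the local mail log records. Not ClamAV/Amavis/MTA code. */
#include <stdio.h>
#include <string.h>

enum verdict { V_CLEAN, V_INFECTED, V_UNSCANNED };

struct decision {
    enum verdict verdict;
    int smtp_code;          /* sent to the connecting MTA */
    const char *smtp_text;  /* sent to the connecting MTA: names no engine or signature */
    char log_line[256];     /* local mail log only: full detail for the administrator */
};

static const char *const verdict_names[] = { "clean", "infected", "unscanned" };

/* Returns 1 if the first len bytes of s end with suffix. */
static int ends_with(const char *s, size_t len, const char *suffix)
{
    size_t n = strlen(suffix);
    return len >= n && memcmp(s + len - n, suffix, n) == 0;
}

/* reject_unscanned is the site's policy choice (hypothetical knob): non-zero
 * means anything the scanner could not vouch for is refused like a detection. */
struct decision decide(const char *reply, int reject_unscanned)
{
    struct decision d;
    const char *sig = "-";
    size_t sig_len = 1;
    size_t len = strlen(reply);

    /* Drop the line terminator and trailing blanks. */
    while (len > 0 && (reply[len - 1] == '\n' || reply[len - 1] == '\r' ||
                       reply[len - 1] == ' '))
        len--;

    /* Fail closed: ERROR replies and anything unparseable stay "unscanned". */
    d.verdict = V_UNSCANNED;
    if (ends_with(reply, len, ": OK")) {
        d.verdict = V_CLEAN;
    } else if (ends_with(reply, len, " FOUND")) {
        size_t end = len - 6;   /* strip the " FOUND" keyword */
        size_t start = end;
        /* The signature is the text after the last ": " separator. */
        while (start >= 2 && !(reply[start - 2] == ':' && reply[start - 1] == ' '))
            start--;
        if (start >= 2 && end > start) {
            sig = reply + start;
            sig_len = end - start;
            d.verdict = V_INFECTED;
        }
    }

    if (d.verdict == V_CLEAN || (d.verdict == V_UNSCANNED && !reject_unscanned)) {
        d.smtp_code = 250;
        d.smtp_text = "2.0.0 Ok";
    } else {
        /* Same text for a detection and for an unscannable item, so the
         * response does not reveal which of the two happened. */
        d.smtp_code = 550;
        d.smtp_text = "5.7.1 Message rejected by content policy";
    }

    snprintf(d.log_line, sizeof d.log_line,
             "verdict=%s signature=%.*s smtp=%d reply=\"%.*s\"",
             verdict_names[d.verdict], (int)sig_len, sig, d.smtp_code,
             (int)len, reply);
    return d;
}

int main(void)
{
    /* Constructed sample replies. */
    const char *samples[] = {
        "stream: OK\n",
        "stream: Eicar-Test-Signature FOUND\n",
        "INSTREAM size limit exceeded. ERROR\n",
        "unexpected text\n",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct decision d = decide(samples[i], 1);
        printf("to MTA : %d %s\n", d.smtp_code, d.smtp_text);
        printf("to log : %s\n\n", d.log_line);
    }
    return 0;
}
```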
Re: [clamav-users] Value too large for defined data type
On 14.10.2011 20:02, Christoph Moench-Tegeder wrote:

> Simon, can you recompile the test program with
> gcc -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE x.c -o xtest
> and test again?

Yes, that works. :)
[clamav-users] Value too large for defined data type
Hello everybody, I'm getting the following error trying to scan a file: WARNING: myfilename: Can't access file myfilename: Value too large for defined data type It seems that this error can be caused by different problems like a wrong inode number when mounting CIFS or very large files. (Suggested by some websites and old mailing list entries.) I have three questions: 1. How do I find out which value really causes the issue? 2. How do I scan very large files? 3. How do I find out what the current maximum file size for scanning is? The man page says the default is 25 MB but it is not set in /etc/clamav/ anywhere and I have scanned files larger than that. It would be great if you could clear up some of these points for me. Best, Simon ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [clamav-users] Value too large for defined data type
Hi, Al!

On 14.10.2011 11:01, Al Varnell wrote:
> On 10/14/11 1:49 AM, Simon Friedberger simon+gm...@a-oben.org wrote:
>> 3. How do I find out what the current maximum file size for scanning is? The man page says the default is 25 MB but it is not set in /etc/clamav/ anywhere and I have scanned files larger than that.
> It's in clamd.conf, but if you run clamconf it will tell you all the settings.

There is nothing related to filesize in /etc/clamav/clamd.conf and clamconf doesn't seem to exist either. This is my version:
ClamAV 0.97.2/13798/Fri Oct 14 08:54:16 2011
from the package: 0.97.2+dfsg-1~lenny1
Re: [clamav-users] Value too large for defined data type
Hi, Edwin!

On 14.10.2011 11:02, Török Edwin wrote:
> On 10/14/2011 11:49 AM, Simon Friedberger wrote:
>> It seems that this error can be caused by different problems like a wrong inode number when mounting CIFS or very large files. (Suggested by some websites and old mailing list entries.)
> What is your filesystem? What is your kernel ('uname -mrsp')?

The filesystem is ext3 and the kernel is Linux 2.6.26-2-686 i686 unknown (uname -mrsp output).

> Are you running a 32-bit or 64-bit ClamAV? ('file /usr/bin/clamscan' will tell you)

Well, since the entire system is 32-bit...
/usr/bin/clamscan: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.8, stripped

>> I have three questions: 1. How do I find out which value really causes the issue?
> Does 'stat myfilename' work?

Yes.

>> 2. How do I scan very large files?
> I don't think it's the file's size the problem, but rather its inode. Use a 64-bit clamscan/clamd if your filesystem uses 64-bit inodes.

Well, I don't think that's the problem here, because stat works, right? The filesize is 2.8 GB, btw.

>> 3. How do I find out what the current maximum file size for scanning is? The man page says the default is 25 MB but it is not set in /etc/clamav/ anywhere and I have scanned files larger than that.
> If you scan something outside the limits you don't get an error, you get an OK.

Oh, okay. So how do I find out what the limit is?

Best,
Simon
Re: [clamav-users] Value too large for defined data type
On 14.10.2011 11:42, Török Edwin wrote:
> On 10/14/2011 12:30 PM, Simon Friedberger wrote:
>> Hi, Edwin!
>>
>> On 14.10.2011 11:02, Török Edwin wrote:
>>> On 10/14/2011 11:49 AM, Simon Friedberger wrote:
>>>> It seems that this error can be caused by different problems like a wrong inode number when mounting CIFS or very large files. (Suggested by some websites and old mailing list entries.)
>>> What is your filesystem? What is your kernel ('uname -mrsp')?
>> The filesystem is ext3 and the kernel is Linux 2.6.26-2-686 i686 unknown (uname -mrsp output).
>>> Are you running a 32-bit or 64-bit ClamAV? ('file /usr/bin/clamscan' will tell you)
>> Well, since the entire system is 32-bit...
>> /usr/bin/clamscan: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.8, stripped
>>>> I have three questions: 1. How do I find out which value really causes the issue?
>>> Does 'stat myfilename' work?
>> Yes.
> How big is the inode number printed? Is it bigger than 2^31?
> Maybe the stat command is compiled with Large File Support, and ClamAV is not.

Well, the inode number is 131309605 which should be well below 2^31.

> Also can you compile and run this testprogram on that file?
>
> $ cat >x.c <<EOF
> #include <stdio.h>
> #include <sys/stat.h>
>
> int main(int argc, char *argv[])
> {
>     struct stat sb;
>     if (argc != 2) {
>         fprintf(stderr, "Usage: %s <filename>\n", argv[0]);
>         return 1;
>     }
>     /* stat() fills sb; on failure errno says why */
>     if (stat(argv[1], &sb) == -1) {
>         perror("stat failed");
>         return 2;
>     }
>     printf("stat successful\n");
>     return 0;
> }
> EOF
> $ gcc x.c -o xtest
> $ ./xtest myfilename
>
> Does it print an error?

Yes, it does.
stat failed: Value too large for defined data type

Now what does that mean? :)
Re: [clamav-users] Value too large for defined data type
Hey, Edwin!

On 14.10.2011 15:19, Török Edwin wrote:
> On 10/14/2011 04:13 PM, Simon Friedberger wrote:
>>> Does it print an error?
>> Yes, it does.
>> stat failed: Value too large for defined data type
>>
>> Now what does that mean? :)
>
> I think I got it:
> off_t st_size; /* total size, in bytes */
>
> The st_size member of the stat buffer is a signed value, so any file over 2GB in size would be negative. stat() won't allow that so instead it returns an error telling us we should use the stat64() call probably.
>
> Please open a bugreport, the fix is likely to detect the errno and simply skip scanning such files (on 32-bit anyway).

Would you mind filing it, I would have to create a login first. In any case, thanks for your help so far!

Best,
Simon
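The failure diagnosed in this thread, as an added example that is not code from the thread or from ClamAV: built with `_FILE_OFFSET_BITS=64`, stat() succeeds on files over 2 GB, and when it does fail the errno EOVERFLOW ("Value too large for defined data type") is reported as "not scanned" instead of being lumped in with other access errors. The names `probe_file`, `classify_stat_errno`, `fits_off32` and the verdict values are hypothetical.

```c
/* Added example: large-file-aware stat() probe for a scanner front end.
 * Not ClamAV code. */
#ifndef _FILE_OFFSET_BITS
#define _FILE_OFFSET_BITS 64   /* same effect as gcc -D_FILE_OFFSET_BITS=64 */
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Hypothetical per-file verdicts; only PROBE_OK lets a scan go ahead. */
enum probe_result { PROBE_OK, PROBE_TOO_LARGE, PROBE_MISSING, PROBE_ERROR };

/* Would this size fit the signed 32-bit off_t that a 32-bit build without
 * large-file support uses for st_size? */
int fits_off32(uint64_t size)
{
    return size <= (uint64_t)INT32_MAX;
}

/* Map the errno left by a failed stat() to a verdict. EOVERFLOW means the
 * file exists but one of its attributes does not fit struct stat. */
enum probe_result classify_stat_errno(int err)
{
    switch (err) {
    case EOVERFLOW:
        return PROBE_TOO_LARGE;
    case ENOENT:
    case ENOTDIR:
        return PROBE_MISSING;
    default:
        return PROBE_ERROR;
    }
}

/* stat() the path; on success optionally hand back the size in bytes. */
enum probe_result probe_file(const char *path, uint64_t *size_out)
{
    struct stat sb;

    if (stat(path, &sb) == -1)
        return classify_stat_errno(errno);
    if (size_out != NULL)
        *size_out = (uint64_t)sb.st_size;
    return PROBE_OK;
}

/* Every failure is worded as "NOT SCANNED" so it cannot be read as clean. */
const char *probe_message(enum probe_result r)
{
    switch (r) {
    case PROBE_OK:
        return "ready to scan";
    case PROBE_TOO_LARGE:
        return "NOT SCANNED: value too large for this build's stat()";
    case PROBE_MISSING:
        return "NOT SCANNED: no such file";
    default:
        return "NOT SCANNED: cannot access file";
    }
}

int main(int argc, char *argv[])
{
    uint64_t size = 0;
    enum probe_result r;

    if (argc != 2) {
        fprintf(stderr, "Usage: %s <filename>\n", argv[0]);
        return 1;
    }
    r = probe_file(argv[1], &size);
    printf("%s: %s\n", argv[1], probe_message(r));
    if (r == PROBE_OK && !fits_off32(size))
        printf("size %llu exceeds 2^31-1: a build without large-file "
               "support gets EOVERFLOW from stat() here\n",
               (unsigned long long)size);
    return r == PROBE_OK ? 0 : 2;
}
```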
Re: [clamav-users] Clamav 0.97.0 to 0.97.1 on squeeze(Debian 6.0)
OLCESE, Marcelo Oscar. wrote:

> Query, why is not available in the repositories squeeze 0.97.1 version? Nor are the volatile repositories.

Simple - because it hasn't made it yet. It has made it into Unstable (Sid), and in time it will work its way through.
http://packages.debian.org/search?keywords=clamav&searchon=names&suite=all&section=all

The way things work is : The main program gets updated - known as the upstream package from the perspective of a distribution. The maintainer of the packaged version for the distribution spots that it's been updated. He'll pull down the new version, apply any changes to distributionise it, and build a package for the distribution. This distribution specific package then goes through a testing process before being released through the distribution specific mechanisms.

In the case of Debian, this means that one of several package maintainers (there are three individuals, plus ClamAV Team listed) has observed the new upstream version. It's been debianised, and put into Sid. At some point, when it's been decided that it's stable etc, it will migrate to testing, volatile and backports as appropriate. Eventually, when the next Debian release happens, it will migrate to stable.

Many of these steps will be automated, but still need checking. For example, part of Debianising a package involves moving components from wherever the upstream package normally puts them to the locations used by Debian, and creating distribution specific files (such as the startup/shutdown script for /etc/init.d). While this would be done with automated scripts and patch files, each time the upstream version changes, these need to be checked to see that they still work correctly - and of course, the scripts/patches updated if something has changed. There may of course be distribution specific bugs/issues to be dealt with, and some of those may well involve creating a fix to be passed up to the upstream package maintainers.
The price you pay for using a distribution rather than doing it yourself is that you get a delay between the upstream package getting updated and your distribution reflecting that. The upside is that others have done a **LOT** of work so that you don't have to.

You have a choice - either wait, try installing the package from Sid, or download the upstream package and install it manually. All of these have their pros and cons - you would have to work out which is best for you.

I hope this gives you some idea of the process involved, and why there is inevitably a delay before an update appears when you apt-get update apt-get upgrade.

-- Simon Hobson Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
Re: [clamav-users] daily database broken again
Nathan Gibbs wrote: I am not aware of the team issuing a new major version number that they then break in a few months with a new major version update. 0.95.x was the latest version less than a year ago. To me, it seems a little soon to EOL it. At some point the end user has to accept his/her responsibility for keeping their machines properly updated. I am not talking about every day, but at least every few months, Agreed. six at most, That is a good way to do it. That is also your policy/opinion. It may not work for someone else. a user should inventory their system and take appropriate maintenance. To expect others to waste valuable time in developing a product and keeping it fully compatible with older versions is ludicrous. Agreed. Supporting 0.94.x or earlier now would be a waste of resources. I did feel bad for the 0.94x and 0.93x users who got caught in last years flag day, but it was a flag day what are you gonna do. Those running 0.92x or older, IMNSHO were just plain stupid and got what they deserved. But I do realize that it is just my not so humble opinion, and they just might have had good reasons for running software that old. If you blame others for your failures, do you credit them with your success? That's an unsafe question to answer. No matter how it's answered, you shoot yourself in the foot. It's like Have you quit beating your wife? Yes - You were beating her. No - You are beating her. The failures are usually all mine. The successes usually involve other people. And attribution is always the right way. Open Source wouldn't work otherwise. :-)

Thanks Nathan for articulating what I suspect quite a lot of us think. I too am grateful to the ClamAV team - but I also sometimes think their attitude to users lacks sensitivity at times.

-- Simon Hobson Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
Re: [Clamav-users] block attachment with certain file endings (also in archives)
Erwan David wrote: gmail blocks attachments with certain file endings (also if the files are in certain archives): http://mail.google.com/support/bin/answer.py?answer=6590 I am using clamav-milter with postfix. Is it possible to implement this policy through custom clamav signatures? From the signatures pdf I was not able to figure it out so far. amavis may do this (and call clamd for handling viruses) Yes, Amavis will do it. IIRC it defaults to blocking a small number of extensions (such as .exe and .scr). It also unpacks archives (zip, tar, etc) to check the contents. My knowledge isn't enough to say (without searching) where it's configured - but I do recall there is a Perl array with a list of extensions to block. -- Simon Hobson Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books. ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] Tiered freshclam updates on port443
Shawn Bakhtiar wrote:

> I still say having firewalls from higher security zones to lower ones, does not make sense. Security is only valid when it is INBOUND. Outbound security is no security at all, just a pain for your users.

I used to think like that, but now I'd respectfully disagree. It's not an answer in its own right, but used intelligently it provides another layer of protection. OK, if your server gets compromised then it doesn't protect the server, but it does restrict the damage it can do.

For example, if you don't require to access external FTP servers, then don't allow outbound FTP connections. Should your server get compromised and they use it to try and brute-force attack other FTP servers, instead of using up your bandwidth and causing a headache for the targets, the connections fail. On the other hand, if the basic software installed by the hack is unable to contact its command centre for instructions (or to install additional software), then it's going to be useless to the attacker.

In a similar vein, I ALWAYS configure my routers etc to only allow outbound SMTP connections that are actually required. In the general case, end user machines should not be sending mail other than through specific servers - and if they are trying to send mail elsewhere then most likely it's spam from an infected machine. If a user has a genuine reason for sending mail, then the Submission port (which I do allow) is the way to do it. Again, it's not protecting your systems which are already compromised, but it's limiting the damage that then follows - damage in bandwidth costs, and reputational damage from getting blacklisted.

Just two examples that came to mind for no particular reason - and if you believe that you'll believe anything !

Yes it needs more work to set up, and figure out what connections you require - but IMO it's worth it in many cases. As you say, there are cases where it's not appropriate, and you need to judge each case on its merits in an intelligent way. Strike a reasonable balance between protection, being a good netizen, and allowing users to do their jobs.

Having said all that, in this case, I'm inclined to agree that the requested functionality isn't really a generally useful thing to be doing.

-- Simon Hobson
Re: [Clamav-users] Some doubts about Clamav upgrade
Freddie Cash wrote:

>> Does it first uninstall the existing version?
>
> If it was installed as a .deb package (via dpkg, apt, aptitude, whatever), then yes.

    dpkg -l | grep clam

will show if it was installed as a deb package - it should show clamav and freshclam as installed. If it lists nothing then they may have been installed manually and the OP will have to figure out how and where they are installed - ideally removing them before installing the new deb packages.

It may be useful to know which Debian version the OP is using - since if it's Lenny he wouldn't have 0.93 installed, and if it's older then there isn't an up to date version in the repositories. If it's Sarge, then Gianluigi Tiesi posted this back on 16th April, it worked for me on one of my systems :

> Temporary fix for debian sarge, I suggest anyway to upgrade your distribution:
>
> download packages from: http://falco.netfarm.it/clamav/clamav-sarge/
>
> then
>
>     /etc/init.d/clamav-daemon stop
>     /etc/init.d/clamav-freshclam stop
>     apt-get remove libclamav3
>     rm -fr /var/lib/clamav/*
>     rm -f /var/log/clamav/*
>     dpkg -i *.deb      (you can skip docs and testfiles)
>     apt-get -f install if some deps is broken
>
> ah forgot, then
>
>     dpkg --purge libclamav3

-- Simon Hobson
Re: [Clamav-users] Some doubts about Clamav upgrade
Wagner Pereira wrote:

> 1. My Debian is a Etch 4.0
>
> 2. My sources.list file has
>
>     deb http://volatile.debian.org/debian-volatile etch/volatile main contrib non-free
>
> 3. That's my dpkg -l | grep clam output
>
>     ii clamav           0.93~dfsg-volatile1           anti-virus utility for Unix - command-line i
>     ii clamav-base      0.95.3+dfsg-1~volatile1~etch2 anti-virus utility for Unix - base package
>     ii clamav-daemon    0.93~dfsg-volatile1           anti-virus utility for Unix - scanner daemon
>     ii clamav-freshclam 0.93~dfsg-volatile1           anti-virus utility for Unix - virus database
>     ii libclamav4       0.93~dfsg-volatile1           anti-virus utility for Unix - library
>
> What should I do to upgrade my Clamav? Do I need to backup something from Clamav before?

OK, according to http://packages.debian.org/search?keywords=clamav&searchon=names&suite=all&section=all, etch-volatile has 0.95.3 for i386. So you should be able to upgrade with :

    apt-get update
    apt-get upgrade

this will upgrade everything on your box to the latest versions.

Alternatively, you can

    apt-get update

to update your local package indexes, and then

    apt-get install clamav clamav-freshclam

to upgrade just those two packages and any thing that needs updating to meet dependencies.

    apt-get --no-install-recommends install clamav clamav-freshclam

will limit upgrades to only those that are required.

As with any upgrades, it's always worth having a full backup and a means of reverting back if something goes wrong.

-- Simon Hobson
Re: [Clamav-users] No debian woody support anymore?
Dennis Peterson wrote:

>> What they did was a bad call. They wilfully let freshclam download an update which they knew would crash the clamd service.
>
> This was going to happen anyway when the signatures grew to take advantage of the new format. Older versions of clamd were going to die sooner or later. It was inevitable this would happen.

The rest only makes sense IF that statement is true. It's already been pointed out that it was not inevitable, and had the team cared then there were ways of not making old versions die. More than one technique has been mentioned, and at least one of them would have been viable.

The rest of your response rather reinforces Mark's point.

-- Simon Hobson
Re: [Clamav-users] No debian woody support anymore?
Jim Preston wrote:

>> The rest only makes sense IF that statement is true. It's already been pointed out that it was not inevitable, and had the team cared then there were ways of not making old versions die. More than one technique has been mentioned, and at least one of them would have been viable.
>>
>> The rest of your response rather reinforces Mark's point.
>
> Simon, Mark,
>
> Are you ever going to get over it and move on? If you are unhappy with ClamAV's decision take your bat and ball and go to some other ball park.

I am over it, and I have moved on. However, as long as people keep making untrue statements ...

"It was the only way" and "it was inevitable" and "ClamAV **was** going to break sooner or later" are all untrue statements.

On the other hand "It was the only way **that the ClamAv team were prepared to act**" and "it was inevitable **given the choices made**" and "ClamAV **was** going to break sooner or later **given the decision to make it do so**" are all true statements.

-- Simon Hobson
Re: [Clamav-users] Resources for integrating with spamassassin+amavisd
Chris Meadors wrote:

> Rsync treats all files as binary. When finding changes it splits a file into blocks, computes a checksum for each block and performs a comparison between the sending and receiving side. Then it only sends the blocks which have changed.
>
> When dealing with a text file which has been appended to, like a log, all the initial blocks are the same. But if the file is sorted, it's possible only a few additional lines will disrupt most every block by changing the start offsets through out the entire file.

It's actually more efficient than that ! It uses something similar to a rolling checksum to find throughout the file. So in principle, you can add a short bit to the front of a large file, or even chop a file up into chunks and rearrange them, and it will still only transfer the changes.

Andrew Tridgell's research paper is available at http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.123.1530&rep=rep1&type=pdf

rsync is covered from section 3 onwards.

-- Simon Hobson
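The behaviour described in the reply above, as an added illustration that is not part of the original post and is not rsync's own code: a small block-matching delta using the rolling weak checksum from Tridgell's paper, run on a constructed file with a short prefix added and with its halves swapped. The 64-byte block size, the use of SHA-256 as the strong checksum, the function names and the sample data are assumptions made for the example.

```python
import hashlib
import random

BLOCK = 64        # assumed fixed block size for the example
M = 1 << 16       # modulus of the weak checksum


def weak_sum(block):
    """Weak checksum parts (a, b) of one block, as defined in the rsync paper."""
    n = len(block)
    a = sum(block) % M
    b = sum((n - i) * x for i, x in enumerate(block)) % M
    return a, b


def roll(a, b, out_byte, in_byte, n):
    """Slide an n-byte window one byte to the right in constant time."""
    a = (a - out_byte + in_byte) % M
    b = (b - n * out_byte + a) % M
    return a, b


def signature(old):
    """Receiver: checksums of each full, non-overlapping block of the old file."""
    table = {}
    for idx in range(len(old) // BLOCK):
        block = old[idx * BLOCK:(idx + 1) * BLOCK]
        strong = hashlib.sha256(block).digest()   # stand-in for the strong checksum
        table.setdefault(weak_sum(block), []).append((strong, idx))
    return table


def delta(new, table):
    """Sender: encode new as ('copy', block_index) and ('data', bytes) operations."""
    ops, literal, pos, a, b = [], bytearray(), 0, None, None
    while pos + BLOCK <= len(new):
        if a is None:                             # window was reset, recompute
            a, b = weak_sum(new[pos:pos + BLOCK])
        match = None
        for strong, idx in table.get((a, b), ()):
            # The weak sum is only a filter; confirm with the strong checksum.
            if hashlib.sha256(new[pos:pos + BLOCK]).digest() == strong:
                match = idx
                break
        if match is not None:
            if literal:
                ops.append(("data", bytes(literal)))
                literal = bytearray()
            ops.append(("copy", match))
            pos += BLOCK
            a = None
        else:
            literal.append(new[pos])
            if pos + BLOCK < len(new):
                a, b = roll(a, b, new[pos], new[pos + BLOCK], BLOCK)
            pos += 1
    literal.extend(new[pos:])                     # tail shorter than one block
    if literal:
        ops.append(("data", bytes(literal)))
    return ops


def patch(old, ops):
    """Receiver: rebuild the new file from its own old blocks plus literal data."""
    out = bytearray()
    for kind, arg in ops:
        out += old[arg * BLOCK:(arg + 1) * BLOCK] if kind == "copy" else arg
    return bytes(out)


def literal_bytes(ops):
    """Number of bytes that actually have to be transferred as data."""
    return sum(len(arg) for kind, arg in ops if kind == "data")


def fixed_offset_changed(old, new):
    """Blocks that differ when both files are compared at identical offsets."""
    n = max(len(old), len(new))
    return sum(old[i:i + BLOCK] != new[i:i + BLOCK] for i in range(0, n, BLOCK))


# Constructed sample: 16 blocks of pseudo-random bytes from a fixed seed.
_rng = random.Random(2010)
SAMPLE_OLD = bytes(_rng.getrandbits(8) for _ in range(16 * BLOCK))

if __name__ == "__main__":
    table = signature(SAMPLE_OLD)
    for label, new in (("prefix added", b"HEADER-LINE\n" + SAMPLE_OLD),
                       ("halves swapped", SAMPLE_OLD[512:] + SAMPLE_OLD[:512])):
        ops = delta(new, table)
        assert patch(SAMPLE_OLD, ops) == new
        print(label, "- fixed-offset blocks changed:",
              fixed_offset_changed(SAMPLE_OLD, new),
              "- literal bytes sent:", literal_bytes(ops))
```
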
Re: [Clamav-users] Resources for integrating with spamassassin+amavisd
Bill Landry wrote:

> Why, are you blocking outbound rsync traffic? If so, after 3 years of maintaining this script and many thousands of users, this is the first time I've heard this request.

Some of us do this by default - set an outbound policy of block and allow specific traffic that's allowed. It means that should a machine get compromised despite all other precautions, it can't* then be used to launch an attack on others (or other servers in your own network) and/or is unable to communicate with its control centre. Just another layer of security.

* Yes the attacker (assuming they got root equivalent access) can clear iptables - but that means they have to be proactive and risk making themselves more visible, not to mention they risk their remote install breaking networking (and also making their presence visible).

But then what would I know about administering servers :-/

-- Simon Hobson
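An added illustration (not part of the posts) of the default-deny outbound policy described in the reply above and in the "Tiered freshclam updates on port443" reply: an allowlist is evaluated against constructed firewall log lines, and internal hosts whose direct port 25 connections were refused are reported. The addresses, the allowlist, the `EGRESS-NEW:` log prefix and the threshold are all assumptions made for the example; the log lines follow the key=value style of the netfilter LOG target.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical outbound allowlist: (source network, protocol, destination port).
# Anything that matches no entry is denied (default-deny egress).
ALLOW = [
    ("10.0.0.25/32", "TCP", 25),    # only the mail server delivers SMTP
    ("10.0.0.0/24", "TCP", 587),    # users send mail via the Submission port
    ("10.0.0.0/24", "TCP", 443),
    ("10.0.0.0/24", "UDP", 53),
]

# Constructed sample log of new outbound connection attempts.
SAMPLE_LOG = """\
kernel: EGRESS-NEW: IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=198.51.100.10 PROTO=TCP SPT=40112 DPT=25 SYN
kernel: EGRESS-NEW: IN=eth1 OUT=eth0 SRC=10.0.0.57 DST=198.51.100.10 PROTO=TCP SPT=51200 DPT=587 SYN
kernel: EGRESS-NEW: IN=eth1 OUT=eth0 SRC=10.0.0.57 DST=203.0.113.5 PROTO=TCP SPT=51201 DPT=25 SYN
kernel: EGRESS-NEW: IN=eth1 OUT=eth0 SRC=10.0.0.57 DST=203.0.113.6 PROTO=TCP SPT=51202 DPT=25 SYN
kernel: EGRESS-NEW: IN=eth1 OUT=eth0 SRC=10.0.0.57 DST=203.0.113.7 PROTO=TCP SPT=51203 DPT=25 SYN
kernel: EGRESS-NEW: IN=eth1 OUT=eth0 SRC=10.0.0.80 DST=203.0.113.9 PROTO=TCP SPT=33010 DPT=21 SYN
kernel: EGRESS-NEW: IN=eth1 OUT=eth0 SRC=10.0.0.42 DST=198.51.100.53 PROTO=UDP SPT=40001 DPT=53
kernel: EGRESS-NEW: IN=eth1 OUT=eth0 SRC=10.0.0.42 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=25 SYN
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Extract (source, destination, protocol, destination port) from one line."""
    f = dict(FIELD.findall(line))
    return f["SRC"], f["DST"], f["PROTO"], int(f["DPT"])


def permitted(src, proto, dport):
    """True if some allowlist entry covers this outbound connection."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(net) and proto == p and dport == port
               for net, p, port in ALLOW)


def denied_by_source(log):
    """Map each internal host to the outbound attempts the policy refuses."""
    denied = defaultdict(list)
    for line in log.splitlines():
        if "SRC=" not in line or "DPT=" not in line:
            continue                     # not a connection record
        src, dst, proto, dport = parse(line)
        if not permitted(src, proto, dport):
            denied[src].append((dst, proto, dport))
    return dict(denied)


def smtp_suspects(log, min_destinations=3):
    """Hosts refused direct SMTP to several distinct servers: check for infection."""
    suspects = []
    for src, attempts in denied_by_source(log).items():
        dests = {dst for dst, proto, port in attempts
                 if proto == "TCP" and port == 25}
        if len(dests) >= min_destinations:
            suspects.append(src)
    return sorted(suspects)


if __name__ == "__main__":
    for host, attempts in sorted(denied_by_source(SAMPLE_LOG).items()):
        print(host, "denied:", attempts)
    print("possible spam sources:", smtp_suspects(SAMPLE_LOG))
```
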
Re: [Clamav-users] Yet more clubbing of deceased equine.
Sarocet wrote:

> The new hostname updates would still have needed the kill signature. Otherwise, you have the same problem as before, but with a different hostname.

Someone wasn't reading. The scheme was to remove the original hostname BEFORE using any updates that would kill the software. At that point, older versions would just stop updating and wouldn't break.

Now it's been pointed out that there are a sizeable number of third parties providing mirrors, I now agree that this would not have been reasonably practical. It may have still worked with different filenames, with the added bonus of being able to examine logs and work out the scale of the problem - ie how many installations were still accessing the old names vs the new names.

-- Simon Hobson
Re: [Clamav-users] No debian woody support anymore?
Daniel McDonald wrote:

>> I'm a little confused by this (still), is it not true that simply turning off freshclam will allow clamav to continue working indefinitely on the existing signature set?
>
> No, you need to turn off freshclam *and* delete one signature, or grab an older copy of the signature file.

You missed a few steps :

- Find out what has happened to your software that was working fine yesterday.
- Work out what to do RIGHT NOW because your phone is ringing with people asking where their mail is*
- Put in place a quick workaround (disable scanning) to allow the mail queues to get flowing
- Work out what options are available for dealing with it medium term
- Work out where the sig files are stored - and then disable freshclam and put yesterday's sig files back
- work out what to do to get onto newer version

* Yes, we've already heard the arguments that mail shouldn't stop when ClamAV does - even though that is logically inconsistent with the argument that old versions couldn't be allowed to continue without updates.

-- Simon Hobson
Re: [Clamav-users] Yet more clubbing of deceased equine.
Chris Knight wrote:

> 1) Release a new version that pulls updates from a new hostname.
> 2) Wait a couple of weeks, or even six months
> 3) Shut down old servers,
>
> 4. Orphan *all* previous versions, including the still heavily used, and valid, 0.95s which were released before the hostname change, not just the buggy 0.94 and older.
>
> What? Somebody was running .95 and not the absolute latest? Why would anyone do that? I am in absolute shock. Shock and horror and sarcasm. Yes, lots of sarcasm.

Forget it, it's been covered, and you'll never persuade this group of people that a) there was any alternative, or b) that there was anything ethically or legally wrong with the course of action they did take. Also, when I suggested this, it was in some way interpreted that I meant running two different upgrade servers/processes in parallel.

There is one thing though, under step 3, it should have read "remove old DNS entries".

As for orphaning 0.95 versions, let's take a look. According to an earlier post, the bug report was filed in Feb last year. 0.95 was released in march last year, and 0.95.2 in June last year. Had they added another hostname to the DNS prior to the 0.95 release, then not a single 0.95 release would have been affected. Had they done it in June then only two versions, both more than 6 months old would have been affected. It could have gone into 0.95.3 which was released after the EOL announcement - and it would still have only affected versions older than 6 months. All this has been pointed out, and rubbished already.

Of course, they could have taken the precaution of adding new DNS entries, and then not used them if they decided to take a different course of action (such as issuing a poison pill ...).

If anyone was running an old enough 0.95 version, then their software wouldn't have died, they would have seen update errors in their logs, and the fix would have been to change just one or two hostnames in their freshclam.conf. As you point out, according to the ClamAV supporters, they would have been idiots for using such old software, and it would have been their fault - so why would the ClamAV team be worried about that when they are happy to make other versions actually stop running.*

The other 'reason' not to do that is an argument of "why should the ClamAV team go to the effort and expense of changing the DNS ?", and my suggestion that it would have cost next to nothing in both cash and effort terms has been completely dismissed. The only argument put forward being "you don't know what it costs to change a DNS entry" - well actually I have a pretty good idea of the cost base for a number of common scenarios.

* Oh yes, and some people are still clinging to an argument that the ClamAV team did not stop any software from working. It's the sort of argument that someone would use to claim he didn't poison his neighbour's dog : he didn't give any poison to the dog, the dog took it when he put it in a piece of meat and left it where the owner takes the dog for a walk - so the dog took it, he didn't give it to the dog. It's linguistic/logics gymnastics to try and get around the fact that they misused the victim's actions to cause harm rather than going and directly causing that harm first hand - the motive and end results were identical, only the means differs. Actions designed to cause harm to a computer system, and a criminal offence in the UK.

-- Simon Hobson
Re: [Clamav-users] No debian woody support anymore?
Robert Wyatt wrote:

>> You missed a few steps :
>>
>> - Find out what has happened to your software that was working fine yesterday.
>> - Work out what to do RIGHT NOW because your phone is ringing with people asking where their mail is*
>> - Put in place a quick workaround (disable scanning) to allow the mail queues to get flowing
>> - Work out what options are available for dealing with it medium term
>> - Work out where the sig files are stored - and then disable freshclam and put yesterday's sig files back
>> - work out what to do to get onto newer version
>>
>> * Yes, we've already heard the arguments that mail shouldn't stop when ClamAV does - even though that is logically inconsistent with the argument that old versions couldn't be allowed to continue without updates.
>
> I was talking about turning off freshclam anytime in the last two years, not the day after your system broke. Again, you're behaving as though you had no way of knowing when that is not true.

That assumes one knows in advance that one has to do that - which we've already determined was not the case for quite a few people. Most people could have upgraded if they knew in advance it was going to be forced - but other than that, why would someone turn off updates that are working ?

-- Simon Hobson
Re: [Clamav-users] Yet more clubbing of deceased equine.
Stephen Gran wrote:

>> 1) Release a new version that pulls updates from a new hostname.
>
> You mean, deploy a parallel infrastructure of vhosting, monitoring, pushing updates, etc? When most of the mirrors are on third party servers not under the control of the clamav team? Do you really think that's trivial, or were you just making up a solution without knowing anything about the problem?

There is no parallel infrastructure - though I accept the point about mirrors not being under the ClamAv team's control. Presumably they aren't going to claim they have no knowledge of who runs mirrors ?

How about this for yet another option that could have been done at the 0.95 release : Just check for slightly different file names on the same servers.

Before you shout me down about maintaining two sets of sigs etc, I do not mean that - you just hard link another file name to the original. IFF (and yes, I don't know how the mirrors are updating) the mirrors use something like rsync which will deal with hardlinked files, then there's no extra bandwidth for updating the mirrors. When you're ready to cut 0.94 and earlier loose, just stop providing the files it looks for.

-- Simon Hobson
Re: [Clamav-users] Yet more clubbing of deceased equine.
Stephen Gran wrote:

> Sigh. I guess you didn't bother to read the part about third party servers not under the control of the clamav team. This means updating the actual edge servers is not trivial. The 'parallel infrastructure' wasn't referring to deploying new hardware, it was referring to getting all the same monitoring, syncing, deploying, serving, etc working with the new name. This is fine, although slightly non-trivial given the number of machines, even when you are the sole admins. When you're relying on third parties donating bandwidth and space on 100s of shared servers, it's less approachable.
>
> But anyway, I think this is end of thread for me. If you really think that the clamav team's time is best spent chasing up hundreds of local admins to make changes to their rsync/webserver/etc vhost configs, then deploying and testing all the changes necessary to make this work, instead of working on clamav just to save a few admins a small amount of work that they should have been doing anyway, you're welcome to your opinion, and I won't bother you with mine any more. I just disagree.

Actually, I will thank you for actually putting forward a reasoned argument rather than just can't be done. Now the external factors have been pointed out, that is somewhat harder than it first appears.

See, contrary to what some people may be thinking, I can be persuaded by **reasoned** debate.

-- Simon Hobson
Re: [Clamav-users] No debian woody support anymore?
Thomas Hochstein wrote:

>> OK, how's this then. 9.5.3 (IIRC) came out about the time the notice was published. It costs virtually nothing to add an extra DNS entry, and the release could have had the default server URL changed for Freshclam to fetch updates. it wouldn't even have been a great issue to have a 9.5.4 just for that - and of course the change would be quite prominent in the release notes then as well.
>
> Why didn't you suggest that beforehand?

Because, as has been made quite clear beforehand, I did not know this was happening - and I'm far from alone in that. If I had been aware at the right time* then I would have suggested it.

* Note that right time does NOT mean spotting the EOL announcement when it was made. That was too late as the decisions had already been made then.

> Why didn't you just DO that if you consider it necessary as it costs virtually nothing, neither time nor money?

Eh ? Are you suggesting that I have the ability to go back in time and make changes to someone else's DNS and code ?

As for costs virtually nothing, yes I believe that is a good description of what it would have cost - and don't forget that deciding to EOL and forcibly block older versions was not without cost. Unless the project has some strange ways to make things tedious and difficult to change, then it would probably have cost less in time than the discussions (if there were any) on the ethics of issuing a kill signal to older software.

But it's a moot point - the team didn't do that, we are where we are, and a lot of people are unhappy for various reasons.

-- Simon Hobson
Re: [Clamav-users] No debian woody support anymore?
Rob Sterenborg wrote:

>> Message of freshclam did not specify that older versions would stop. It was the same message as for minor upgrades. This did not give the information that something different than usual was planned.
>
> It still means you should upgrade and the message was ignored long enough that ClamAV stopped working. The fact that there is no *immediate* need to upgrade when the message is first seen, does not mean you can wait that long. The OP use(s|d) an EOL Debian and an EOL ClamAV. If the OP upgrades ClamAV to a more recent version then he's back in business, even with an EOL Debian.

And ... it proves your argument that there was a warning message so it's entirely the user's fault is completely bogus. Guess what, with a fully up to date installation, with ALL updates installed, freshclam still reports THE SAME WARNING. So does that mean we should expect our fully up to date installation to just stop working ? And when, tomorrow, next week, next month, ... ? Do we have to start checking the ClamAv website to see if 9.5 is going to be EOL'd and remotely killed before 9.6 gets into Debian ?

Note that just updating a fresh install isn't sufficient to give a working system - a fresh Debian install, with all updates installed, does not have a working ClamAV on it. Users need to add Volatile for that to work.

Yes, it would be an idea to keep a bit more current, but that **SHOULD** be the decision of whoever is responsible for the box having balanced all the factors that affect his (or her) operations. It may not be the case for this particular package, but there are often other things that prevent upgrades - I've got several systems running various old versions of various OS's for the simple reason that I've got various items of hardware that have no support in current versions.

I have a system still running DOS 3.something - it's part of a system that no longer has any vendor support but which still does the job I require it to do. I have a VM running Windows 98 because I have some software I need to run on it. I have a pile of CD's here that are unreadable in Vista or Win7 - so to access the manuals on them I must run an outdated system. I have an old laptop with Mac OS 10.4 because my scanner software won't run on 10.5 or 10.6 and the vendor has dropped support. And I've got boxes here (still doing useful jobs) for which 10.5 is not a supported OS.

And those are only the 'hard' limits - ie stuff that *cannot* be upgraded. There are 'soft' reasons too - such as balancing the risk of upgrading vs the risk of not upgrading. I have one system where I know 100% that applying all updates *will* break it - so I have to hold back certain packages until one or other of the incompatible bits gets fixed.

Applying the logic used with some venom here, every one of those systems should have been upgraded and/or scrapped - never mind whether they would still be capable of doing the job they are there for.

Again, not aiming this at you specifically, but at all those who have been advocating with religious zeal that there should be, and cannot be, any other policy that all updates applied all the time as soon as they come out - or something very close to that.

And then I note that one of those busy telling people they are complete idiots and unfit to be running a toaster (OK, slight exaggeration for dramatic effect) for running anything but the very latest versions ...

... earlier today admitted that he has a system to take through six - yes SIX - OS upgrades to bring it up to date. I can only assume he had his reasons, and that he balanced the risks (upgrade vs leave alone), and most importantly that if left for as long as it has ...

he had some expectation that it wouldn't be artificially crippled by some outside influence before he got around to upgrading it.

-- Simon Hobson
Re: [Clamav-users] No debian woody support anymore?
Jerry wrote:

> By the way, I still also have an old 8086 with DOS 3? (I don't remember the version) that still works. I still use it on occasion to copy old 5.25 floppies to other media. Yes, some local government agencies have valuable documents archived in that format. However, I would never expect it run Win7, nor do I bitch to Microsoft about it either.

So, it still runs the software it used to run ? Yes

It's running software that is EOL ? Most definitely

And Microsoft have sent it a poison pill ? No they haven't

There's a difference between not providing any more updates and killing something off.

-- Simon Hobson
Re: [Clamav-users] Clubbing a deceased equine
Dennis Peterson wrote:

>> I believe that best practice with this sort of thing is to only issue warnings and not to actually force a potentially harmful change without *express* consent of the user.
>
> Suggest at least one way to inform all the users successfully that obsolete software is going to die soon - and don't let it slip past you in your solution that the ClamAV people have no way of knowing who they need to inform. And recall too, this: Filling their logs with warnings didn't work. Posting the notice on the front page of their website didn't work. Running commentary in this list didn't work. Announcing it in their Announcements list didn't work. You don't know a way, they don't know a way, and I know for a fact it cannot be done

If you start with the pre-requisite that you must stop old versions working then you are correct. Remove that pre-requisite and you are not. More than one suggestion has been made of how the team could have just moved on and left the old versions behind - without having to kill them. These suggestions have been rubbished for various (mostly false) reasons.

People keep saying it's the user/admin's fault, that the user/admin should take all the blame, and that the user/admin should suffer the consequences. Fair enough - how this for a really odd idea - why not just stop providing AV updates to the older versions, and let the users/admins take the responsibility and consequences if they continue to ignore the warnings that updates have stopped working.

If they ignore things aren't working errors then I'd agree with you - let them deal with it. I don't agree with the argument that things are not optimal is a warning to upgrade before things go bang.

-- Simon Hobson
Re: [Clamav-users] (no subject)
available to them - so there isn't even any defence of it being absolutely necessary for the public good.

-- Simon Hobson
Re: [Clamav-users] (no subject)
Christer Boräng wrote:

> In message 1271831753.5073.28.ca...@localhost, lists writes:
>
>> For instance, if I go to a shop and they give me a radio free. I take that radio home and use it. If that shop then calls me up and says 'If you don't change that radio, I'm going to break it' it is a case of blackmail.
>
> A better analogy would be that the shop calls you up to say We're switching to digital, your analog radio will stop working in six months, and, in six months time, the radio no longer has anything to listen to...

Not a good analogy either. If you want to use that one, it's more like a major broadcaster deciding to go digital - and then coming round to blow up your radio to stop you listening to the local station you actually want to listen to that is still on analogue.

-- Simon Hobson
Re: [Clamav-users] No debian woody support anymore?
h...@dip-systems.de wrote:

> After the last signature update, clam av stopped working on our woody installation. Is there no more support for this Debian Release?

No, according to certain people on this list, you are a cretin, and incompetent to even handle the off switch of a computer.

If you check the list archives - particularly for threads (no subject) and Those EOL tweets you'll see that you are far from alone. There seem to be three groups - those who think it was handled really badly and were affected, a small group who think it was handled badly but weren't affected, and a group that thinks there is nothing wrong and it's all the end users' fault - and especially that the ClamAV team did nothing wrong, deliberately interfering with other people's servers is both morally and legally acceptable as long as they pretended to tell you first, and there was no other possible way they could have acted. Even now when their stance has been shown to be full of logical holes, they still persist that anyone disagreeing with their we did nothing wrong stance are a bunch of whining losers.

That's how it comes across to me anyway.

-- Simon Hobson
Re: [Clamav-users] Clubbing a deceased equine
Christopher X. Candreva wrote:

> Oh come on. If I tell you you'll get wet if you go out in the rain without an umbrella, is that blackmail ?

OK, so if I tell you that if you keep on going out without an umbrella, then I'll throw a bucket of acid over you ... then by your argument that's not blackmail, and by other arguments, it's perfectly OK because I warned you in advance. That wouldn't be assault, it wouldn't be a criminal act - it would be all your fault for ignoring the warning I gave. And by the way, I won't tell you directly, I'll put a notice up in my front window that you may or may not walk past and may or may not see.

> Old versions of Clam crashed on certain input. You were told when that input was coming. It's sounding like the Clam team would have been better off releasing a too-large signature and going Whoops, I guess old versions can't handle this. You better upgrade, sorry ! By warning people and releasing a known-bad signature with a message, somehow it's their fault now.

No, it's not all their fault. But they sure did handle it badly.

-- Simon Hobson
Re: [Clamav-users] (no subject)
Jerry wrote:

> I had thought by now that this thread would have died a natural death. Obviously, I was mistaken. It has continued to pollute this forum for nearly a week. What has become conspicuously apparent is that if those who are doing the most complaining had spent even one percent of that time keeping their systems up-to-date and keeping themselves abreast of current development and deployment strategies with the software they employ, this whole discussion would be academic. In the interest of eliminating any further waste of my time or computer resources, I am now instigating a kill filter on this thread.

That's right - if I can't bully everyone round to my way of thinking, then I'm taking my ball home. A very grown up attitude !

You (and I mean a small subset of people who are unconditionally supporting the action taken by the ClamAV team) have consistently used false logic, outright lies, personal insults, and arguments worthy of criminal defences to try and weasel out of any blame whatsoever for having misjudged things rather badly.

Put bluntly, if people had admitted early on that perhaps it could have been handled better, that perhaps they didn't consider all classes/types of user, and that it is perhaps not unreasonable that users could be a trifle annoyed ... then this **WOULD** have blown over ages ago. It's not that you had to do something that people are complaining about, it's not that you ended support for updates to older versions that people are complaining about, it's the way you did it and the way you refuse to accept that there can be any other valid viewpoint that really p***es people off.

You may, if you'd read the messages, have noted that even people who were not affected by this thought you got it wrong.

-- Simon Hobson
Re: [Clamav-users] Clubbing a deceased equine
At 12:12 -0400 21/4/10, Christopher X. Candreva wrote:

> > Knowingly disabling running software on computers that are not your own is not acceptable. It is immoral, unethical and perhaps illegal.
>
> But that's not what happened.

Weird idea of did not happen - in what way does we will push an update that has the sole purpose of making your software stop working NOT constitute Knowingly disabling running software ?

- It is a simple fact - the team made the decision to push this update.
- It is a simple fact that the purpose of this update was to make running software break.
- It is a simple fact that this was a desired outcome of the update.

These are simple facts supported by their statement that they were going to do this, and what the expected outcome was going to be. Given these simple facts, I really, really cannot understand the mindset that still claims that the ClamAV team did NOT knowingly disable software running on other people's machines. Could someone please explain how on earth you can still claim that this didn't happen - and by what logic process you arrive at such a statement ?

The **ONLY** defence I can think of is that they assumed an implicit permission by virtue of the user running the update process to fetch signature updates. That's a very tenuous thing to infer when pushing an update that is so different in purpose to what would normally be fetched.

-- Simon Hobson
Re: [Clamav-users] (no subject)
Eric Rostetter wrote:

> > Put bluntly, if people had admitted early on that perhaps it could have been handled better, that perhaps they didn't consider all classes/types of user, and that it is perhaps not unreasonable that users could be a trifle annoyed ... then this **WOULD** have blown over ages ago.
>
> I've admitted this often, from the beginning, and my posts are largely ignored, or refuted, or I'm insulted/slandered/etc. So, this isn't a true statement.

If I've overlooked the one person who did admit that, then I apologise to you. There are plenty of people who have not, and it appears will never, make such an admission.

-- Simon Hobson
Re: [Clamav-users] illegal or not, make a valid argument (was no subject)
the roses unless they were directly causing a threat to the property - and you cannot say that me running out of date (ie not updated) AV sigs was directly threatening the ClamAv project. You also cannot claim that my downloading of updates constitutes an invite - it constitutes an invite to put AV sig updates on there for the purpose of detecting new threats. A poison pill update doesn't fit that description.

> It is a free service they provide, not to you, but to anyone. So they owe you nothing. You didn't sign any contract with them that they would provide only valid signatures, or any at all. You assume the risk in using the feed.

As a point of law, a contract does not need a signature, nor does it even need anything in writing - all it needs is an offer and acceptance. In the absence of a definitive statement, the legal situation would be whatever the court could determine were the facts of the case. In that respect, man freshclam says : freshclam is a virus database update tool for ClamAV.

In any dispute therefore, unless there was something of equal prominence to contradict it, then it would be inferred that the purpose of the tool was to deliver AV signature updates - not a poison pill designed to stop the software working. This goes beyond any clause designed to avoid liability for errors in the program. Yes, the clauses above would absolve you of liability for any reasonable errors, but it still would not absolve you of liability for deliberate malice.

I assume you will have similar laws over there, but over here, there are some rights you CANNOT sign away. The extent varies according to the situation (eg consumers have more rights than business). As a consumer, even if I sign a contract that a supplier is not liable for anything (such as the clauses quoted above), that agreement is totally worthless as the law says I cannot sign away those rights - and in court the clauses would be declared unlawful and unenforceable.
Similarly, even if I said I didn't mind if you shot me, if you took me at my word, you would still find yourself in court - my permission might well be accepted as mitigating when it comes to the charge laid or the sentence, but it would not absolve you of a crime committed.

> I'm just saying that the arguments are lame (calling it blackmail when it isn't, saying they need permission from each and every user when they don't, etc). Come on folks, make your arguments at least reasonable!

I didn't make those suggestions BTW.

Christopher X. Candreva wrote:

> Let me drive this home. In the state of New York, until recently if the government wanted to use eminent domain to take your property, all they had to do was take out an ad in the paper. They do not need to track down the owner of the building or land, just take out an ad. If you don't read the paper that day, the first you hear that your building was being knocked down may be when the wrecking ball shows up. This was only amended in 2004 after some particularly nasty battles.
>
> http://ownerscounsel.blogspot.com/2009/06/port-chester-offers-apology-for-taking.html

Now that's a very interesting argument to throw in ! Are you now claiming that the ClamAV team are now part of government and are entitled to my server by Eminent Domain ? If you are, then poppycock, if not, then why bring it up. You even point out that the law has been changed on that.

Over here we have Compulsory Purchase to cover situations where a government body needs to acquire property for a project - but they cannot just take it like that. Yes, over here there are notifications for which public notice is sufficient action. If someone wants to build in the fields behind my house, then they only have to post notices about the planning application on the site - but they must post the notice AT THE SITE, not at the developer's home.
They still cannot come and build on my land without my permission - even if they've got planning permission and misled the planning board into believing that they have the landowner's permission or own the land.

Note that building in the field will not stop me living in my house. It may affect my amenity value, but it won't stop me living there - in the same way that not providing AV updates will affect the amenity value of my server, but it won't stop me running it. On the other hand, knocking down my house would most certainly affect my ability to live there - and you cannot do that in this country without serving notice to the property and the registered owner (unless the latter cannot be found after reasonable efforts I believe).

As a complete aside, there have been cases (one was local-ish) where there's been a mix up (for want of a better polite expression) and a contractor has knocked the wrong house down. It usually results in serious compensation - and some rather negative PR for those responsible.

-- Simon Hobson
Re: [Clamav-users] No debian woody support anymore?
Eric Rostetter wrote:

> > Faced with an old release of software that will die if the team uses new functionality due to a known bug, and people who will not upgrade to the version that fixes this bug, and a reasonably urgent need to use the new functionality, what exactly would you have done differently?
>
> They have already answered this. They would force sourcefire/clamav to spend lots of time, money, and effort to set up a parallel signature system; one for older versions, one for newer systems. They seem to have no qualm with the idea of making sourcefire/clamav pay this price so they can use the results free of charge...

OK, how's this then.

9.5.3 (IIRC) came out about the time the notice was published. It costs virtually nothing to add an extra DNS entry, and the release could have had the default server URL changed for Freshclam to fetch updates. It wouldn't even have been a great issue to have a 9.5.4 just for that - and of course the change would be quite prominent in the release notes then as well.

According to the arguments made in support, all responsible/competent admins would have been running this or a later version by the time support for 9.5 was dropped. On that basis, no responsible/competent admin would have been affected by removing the DNS entry used by the older versions. Even if someone was still running a 9,5 version earlier than the one with the update, it would be one tiny change in freshclam.conf to fix it.

Of course, all this would have a prominent entry, not just on the ClamAV homepage, but also on the FAQ page whose URL appears in the freshclam logs.

Come cutoff date, support is dropped for older versions, but they will continue to run. It will not be silent, as freshclam will complain several times a day that it can't get updates. This is a lot different to mentioning in passing that your version isn't current and you might consider upgrading.

So probably even less work than fashioning the poison pill update. Less collateral damage.
And these threads would have died several days ago with an oh, so that's it ! No parallel signature system at all, in fact no changes at all other than a slight change to a DNS entry. But I can see how this would be rejected by those who appear to have a religious attitude to there being only one true way to run a server.

> The biggest problem with this suggestion is that it came after the fact, so it isn't a useful suggestion. No one bothered to offer this advice before the change was made.

Well, if I'd known, I could have suggested the above ! And I probably would have, even if I'd not been running affected software. If any project I *am* involved with suggested such a thing then I would speak up on that.

-- Simon Hobson
Re: [Clamav-users] No debian woody support anymore?
h...@dip-systems.de wrote:

> After the last signature update, clam av stopped working on our woody installation. Is there no more support for this Debian Release?

But Gianluigi Tiesi did post this a few days ago - dunno if it will work for Woody though.

> Temporary fix for debian sarge, I suggest anyway to upgrade your distribution:
>
> download packages from:
> http://falco.netfarm.it/clamav/clamav-sarge/
>
> then
> /etc/init.d/clamav-daemon stop
> /etc/init.d/clamav-freshclam stop
> apt-get remove libclamav3
> rm -fr /var/lib/clamav/*
> rm -f /var/log/clamav/*
> dpkg -i *.deb (you can skip docs and testfiles)
> apt-get -f install if some deps is broken
>
> ah forgot, then dpkg --purge libclamav3

-- Simon Hobson
Re: [Clamav-users] Clubbing a deceased equine
Eric Rostetter wrote:

> > > Knowingly disabling running software on computers that are not your own is not acceptable. It is immoral, unethical and perhaps illegal.
> >
> > But that's not what happened.
>
> Yes, it is what happened... People are just confused because of all the bogus complaints like they shut down my server or they shut down my email. But they did indeed shut down clamd for some set of older versions.

I'm confused - are you saying they did, or didn't shut down software that people were running on their servers ? I think you are admitting (thank you) that the update did what it was supposed to do and remotely stopped some versions of ClamAV from running.

> > The **ONLY** defence I can think of is that they assumed an implicit permission by virtue of the user running the update process to fetch signature updates. That's a very tenuous thing to infer when pushing an update that is so different in purpose to what would normally be fetched.
>
> Well, since you pull the updates (they are not pushed to you), and since while this one signature was indeed different in purpose than the normal, you have a point. But, this different in purpose signature was just a way of warning that soon the same in purpose signatures _would_ stop the software. Would you rather they just started pushing the normal in purpose signatures that crashed it, or that they pushed a different in purpose one first, where the purpose was to notify users of both the issue, and how to fix it?

They didn't HAVE to push either to the older software - I'm not the first to point out that there was a completely viable alternative that would just stop supplying updates to the older software. So my preference would be simply that they did nothing to my software. If they want to stop supporting it with updates, that's fine and it still leaves me in control of what I run and when I update it.

-- Simon Hobson