RE: [Clamav-users] tempfile creation failed

2004-04-26 Thread Trog
On Mon, 2004-04-26 at 15:15, Pad Hosmane wrote:
> I upgraded clamav to 0.70 from 0.70-rc on Friday. It worked until
> Saturday afternoon, then stopped working and started giving this error in
> mail.log:
> 
> Apr 24 13:58:27 mailserver clamav-milter[16797]: tempfile  creation
> failed
> 
> 
> 
> All mail processing stopped after these. This morning I disabled
> clamav-milter in sendmail.cf.
> 
> Nothing changed in regards to directories from clamav-0.70-rc to
> clamav-0.70. I had kept the same directories and permissions.
> 

Do you run clam with debug enabled?

If so, I expect your filesystem has filled up, and so you need to
disable debug.

-trog



signature.asc
Description: This is a digitally signed message part


Re: [Clamav-users] segmentation fault in 0.70 ?due to filename of infected virus?

2004-05-05 Thread Trog
On Wed, 2004-05-05 at 14:32, Chris Conn wrote:
> Tomasz Kojm wrote:
> 
> 
> 
> >>  Tue May  4 16:08:13 2004 -> Segmentation fault :-( Bye..
> >>
> >>and at precisely 16:08:13, MailScanner reports the following virus:
> >>
> >>May  4 16:08:13 MailScanner[16448]:
> >>/var/spool/MailScanner/incoming/16448/.i44K7gOj020343/%nTips.exe:
> >>Worm.Klez.H FOUND
> >>
> >>Is it possible that a %n in the filename (*which is surely illegal*) 
> >>could cause clamd to crash in such a way?  This is obviously the scan 
> >>that caused the segmentation fault, however is this the reason?

No, it isn't "obviously the scan that caused the segmentation fault".
That's a wholly unfounded assumption on your part.

> 
> This server processes between 30 and 100 thousand emails per day, 
> calling clamdscan on every one.  It will find 2 to 5 hundred Klez 
> viruses per day.  In your expert opinion, what would be the reason for 
> this segmentation fault that occurred at the exact second it scanned 
> this Klez virus?
> 

That's unknown. Most likely, one of the other messages being scanned
caused a problem.

-trog





Re: [Clamav-users] Temp file issues

2004-05-05 Thread Trog
On Wed, 2004-05-05 at 15:00, Matthew Myers wrote:
> Is there a way to auto delete the temp files created when scanning? 
> My system (v 0.70) hung yesterday due to the temp files not being
> deleted...they tend to grow and grow and grow.  Today I already have
> over 10,000 temp files, and although it may take a month or so, this
> will eventually become an issue again.  Any help you can provide to
> resolve this matter is appreciated.
>  
> Thanks,
> Matthew

Disable the debug option

-trog





Re: [Clamav-users] Latest stable version 0.70 doesn't detect dummy viruses

2004-05-06 Thread Trog
On Thu, 2004-05-06 at 09:10, Clamav wrote:
> Hi!
> I'm using sendmail with clamav-milter and the latest stable version
> 0.70.
> 
> I used a German website which provides dummy viruses for checking clamav
> (http://www.heise.de/security/dienste/emailcheck/).
> 
> I realised that the following dummy viruses pass clamav:
> Virus Bagle.Q 
> Virus Netsky.P 
> 
> Anyone who knows the reason for this behaviour?

Because it's a useless test.

It doesn't send any kind of viral code (dummy or otherwise).

-trog





Re: [Clamav-users] Exploit-ObjectData trojan

2004-05-21 Thread Trog
On Fri, 2004-05-21 at 16:15, Kevin W. Gagel wrote:
> Not only does ClamAV seem to miss it but so does uvscan. I have ClamAV and
> uvscan both scan email here. My Virscan Enterprise 7.1 catches these all the
> time. I just haven't had time to investigate fully.

> - Original Message Follows -
> From: "Jona Tallieu" <[EMAIL PROTECTED]>

> > It seems Clam does not detect the following trojan, which our McAfee
> > engine did detect:
> > 
> > Exploit-ObjectData trojan
> > 
> > 
> > Is this normal?

Well, it's an IE exploit rather than a virus, but I shall be looking at
adding improved HTML scanning next week.

-trog





Re: [Clamav-users] freshclam: NotifyClamd or not NotifyClamd

2004-05-25 Thread Trog
On Tue, 2004-05-25 at 13:59, Samuel Benzaquen wrote:
> Hi all,
> 
> We've been running clamd / clamav-milter for some weeks without problems,
> but this morning one of the clamd processes hung on freshclam's
> notification.
> 
> We have 8 RH7.3 Linux servers, running sendmail 8.12.11 + clamd / ClamAV
> version 0.70, clamav-milter version 0.70j.
> 
> 7 out of 8 servers continued working after notification, but one hung
> and queued the clamav-milter processes.
> 
> Is this a NotifyClamd problem?
> Should I disable it and wait for clamd's auto check?

Upgrade to 0.71.

It was most likely waiting for a scanning thread to finish, which it has
to do before it can reload the sig DB. If a scanning thread fails to
finish, that indicates a bug in the scanner somewhere (which may have
been fixed already).

You should try and recover the file that it has a problem scanning.

-trog





RE: [Clamav-users] freshclam: NotifyClamd or not NotifyClamd

2004-05-25 Thread Trog
On Tue, 2004-05-25 at 15:41, Samuel Benzaquen wrote:
> > Upgrade to 0.71.
> >
> > It was most likely waiting for a scanning thread to finish, which it has
> > to do before it can reload the sig DB. If a scanning thread fails to
> > finish, that indicates a bug in the scanner somewhere (which may have
> > been fixed already).
> 
> Is there any way I can reproduce this problem?
> Just to see if the upgrade fixes it.

Only if you have positively identified a file that caused it.

> 
> >
> > You should try and recover the file that it has a problem scanning.
> 
> How can I do that?
> We have no quarantine directory configured.
> 

If clamd still has a file descriptor open to a file you can recover it
through the /proc filesystem (even if it's been deleted).

cat /proc//fd/ > file.msg

-trog



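The /proc recovery trog sketches above, written out as a reusable shell function. This is an added example, not code from the thread or from ClamAV: it walks /proc/PID/fd, keeps the entries that still point at a regular file (by default only ones already unlinked, marked "(deleted)"), and copies each one out; the PID, destination directory and the optional `all` flag are the function's own arguments, and it assumes a Linux /proc.

```shell
#!/bin/sh
# Recover files that a process (for example a hung clamd) still holds open,
# even after the scanner or the MTA has unlinked them.  Added example, not
# ClamAV code.  Relies on Linux /proc: /proc/PID/fd/N is a magic symlink
# whose target reads "/path/to/file (deleted)" once the file is unlinked,
# yet still opens the underlying inode.
#
# Usage: recover_open_files PID DESTDIR [all]
#   Copies every deleted regular file the process has open into DESTDIR as
#   fdN-<original basename>.  With "all", non-deleted regular files are
#   copied too.  Prints the number of files recovered.
recover_open_files() {
    pid=$1
    dest=$2
    mode=${3:-deleted}
    count=0

    [ -d "/proc/$pid/fd" ] || { echo "no such process: $pid" >&2; return 1; }
    mkdir -p "$dest" || return 1

    for fd in /proc/"$pid"/fd/*; do
        [ -e "$fd" ] || continue             # glob matched nothing
        target=$(readlink "$fd") || continue # fd closed while we were looking
        case "$target" in
            /*) ;;                           # a path: regular file or device
            *) continue ;;                   # socket:[..], pipe:[..], anon_inode
        esac
        case "$target" in
            *' (deleted)') name=${target%' (deleted)'} ;;
            *) [ "$mode" = all ] || continue
               name=$target ;;
        esac
        [ -f "$fd" ] || continue             # skip devices and directories
        out="$dest/fd${fd##*/}-${name##*/}"
        # Reading through the fd link reaches the inode even though no
        # directory entry for it remains.
        cat "$fd" > "$out" 2>/dev/null || { rm -f "$out"; continue; }
        count=$((count + 1))
    done
    echo "$count"
}

# Run directly as: sh recover_open_files.sh PID DESTDIR [all]
if [ $# -gt 0 ]; then recover_open_files "$@"; fi
```

Recovered messages can then be scanned again in isolation, or submitted as trog asks (in a password-protected zip), without needing a quarantine directory to have been configured beforehand.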


Re: [Clamav-users] Upgrading ClamAV

2004-05-29 Thread Trog
On Sat, 2004-05-29 at 10:48, Terry Allen wrote:

> 2 - Did I update ClamAV incorrectly?
> 
>   If my problem was caused by question 2 - what is the 
> process to update ClamAV correctly? Many thanks for any assistance.

With a major upgrade like that, it is strongly advised to uninstall the
old version first, by going into your old install directory and typing
'make uninstall', and then installing the new version.

That will make sure all the old libs are also removed, which is what most
people miss.

Note, you probably want to save a copy of your old clamav.conf file
first.

Then configure the clamav.conf and new freshclam.conf files.

-trog




Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] [0.72] {OpenBSD} .cab ?

2004-06-04 Thread Trog
On Fri, 2004-06-04 at 05:56, Jerome Loyet wrote:
> Hello,
> 
> I'm running 0.72 on OpenBSD 3.5. I've seen that the support for MS cab has
> been included in this version. But both clamscan and clamdscan on
> test/test.cab show me a non-infected file.
> 
> Is there any reason? Is a library needed?

MS CAB support is not included in 0.72.

0.72 is a bug fix release only, and fixes a few possible crashes. It is
advised to upgrade ASAP.

-trog







Re: [Clamav-users] ClamAV says "ERROR: Database initialization error."

2004-06-04 Thread Trog
On Fri, 2004-06-04 at 14:44, Webb, Paul wrote:
>  
> I initially thought that I needed to download a database to start
> with, so I configured freshclam, set up my cron job to run it every
> other hour, and ran it. It states that I'm up to date.
>  

And is freshclam configured to download it to the same directory, in the
freshclam.conf file?

-trog





Re: [Clamav-users] clamd dieing again, got some debug information.

2004-06-21 Thread Trog
On Mon, 2004-06-21 at 17:02, Christopher X. Candreva wrote:
> My server's clamd (0.73) has started dying off regularly again (every 
> 10-30 minutes). I've managed to capture some debug information, but somehow 
> haven't gotten it to make a core file yet.
> 
> Again, compiled under gcc 3.4.0, Solaris 8 on UltraSparc hardware (Sun Ultra 
> 2)
> 
> Output from running under debug is attached.

Are there any files left in this directory:

LibClamAV debug: Saving attachment in
/tmp/clamav/clamav-5bce8e8e51ede379/textportion

LibClamAV debug:  _5_SummaryInformationLibClamAV debug:  
[file]LibClamAV debug:  bLibClamAV debug:  21 856 0

---^^ ^^^ ^
There are only two values ever printed here, not three.
Is that a typo?

If you could catch a copy of the file, that would be great.

The LeaveTemporaryFiles may be useful - BUT it will fill up your hard
disk in your TMPDIR, and you'll have to manually remove the files.

-trog





Re: [Clamav-users] clamd dieing again, got some debug information.

2004-06-22 Thread Trog
On Mon, 2004-06-21 at 17:57, Christopher X. Candreva wrote:
> Going through the debug output since the last crash, I see about 20 errors 
> where a VBA scan dir failed on a "can't open".  It seems to be in the same 
> context as when the last crash occurred. Here is an example:
> 
> LibClamAV debug: Root EntryLibClamAV debug:  [root]LibClamAV 
> debug:  bLibClamAV debug:  0 0
> LibClamAV debug:  _5_SummaryInformationLibClamAV debug:  [file]LibClamAV 
> debug:  bLibClamAV debug:  4096 0
> LibClamAV debug:   WorkbookLibClamAV debug:  [file]LibClamAV 
> debug:  bLibClamAV debug:  99316 0
> LibClamAV debug:  _5_DocumentSummaryInformationLibClamAV debug:  [file]LibClamAV 
> debug:  bLibClamAV debug:  4096 0
> LibClamAV debug: VBA scan dir: /tmp/clamav/clamav-d3a98e07086bc832
> LibClamAV debug: in vba56_dir_read()
> LibClamAV debug: Can't open /tmp/clamav/clamav-d3a98e07086bc832/_VBA_PROJECT
> LibClamAV debug: Open WordDocument failed

These are harmless. It just means there wasn't any macro code in the
document.

-trog





Re: [Clamav-users] clamd dieing again, got some debug information.

2004-06-22 Thread Trog
On Mon, 2004-06-21 at 18:35, Christopher X. Candreva wrote:
> Here's the latest crash output:
> 
> LibClamAV debug: Recognized Raw mail file
> LibClamAV debug: Starting cli_scanmail(), reclev 3
> LibClamAV debug: in mbox()
> LibClamAV debug: Recognized Raw mail file

> LibClamAV debug: Saving attachment in /tmp/clamav/clamav-f02b7dc39cc84330/textportion
> LibClamAV debug: Saving attachment as 
> /tmp/clamav/clamav-f02b7dc39cc84330/textportionaxbaTb (365 bytes long)
> LibClamAV debug: blobDestroy
> LibClamAV debug: parseEmailBody() returning 1
> LibClamAV debug: cli_mbox returning 0
> LibClamAV debug: Recognized OLE2 container file
> LibClamAV debug: in cli_scanole2()
> LibClamAV debug: in cli_ole2_extract()
> LibClamAV debug: mmap'ed file
> LibClamAV debug: 
> Magic:0xLibClamAV debug: d0LibClamAV debug: cfLibClamAV 
> debug: 11LibClamAV debug: e0LibClamAV debug: a1LibClamAV debug: b1LibClamAV debug: 
> 1aLibClamAV debug: e1LibClamAV debug: 
> LibClamAV debug: CLSID:   {LibClamAV debug: 0 LibClamAV debug: 0 
> LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 
> LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 
> LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 
> LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: }
> LibClamAV debug: Minor version:   0x3e
> LibClamAV debug: DLL version: 0x3
> LibClamAV debug: Byte Order:  -2
> LibClamAV debug: Big Block Size:  9
> LibClamAV debug: Small Block Size:6
> LibClamAV debug: BAT count:   145
> LibClamAV debug: Prop start:  18551
> LibClamAV debug: SBAT cutoff: 4096
> LibClamAV debug: SBat start:  18552
> LibClamAV debug: SBat block count:1
> LibClamAV debug: XBat start:  18548
> LibClamAV debug: XBat block count:1
> 
> LibClamAV debug: Root EntryLibClamAV debug:  [root]LibClamAV 
> debug:  bLibClamAV debug:  2816 0
> LibClamAV debug:  _5_SummaryInformationLibClamAV debug:  [file]LibClamAV 
> debug:  bLibClamAV debug:  4096 0
> Segmentation Fault

I really need a copy of this file. I assume it is just an incoming email
message.

Can you identify from the logs the addressing information of the
message, who it is from and to?

If so, could you contact the sender and try and get them to send you/me
a copy of the message (with attachments) in a password encoded zip file.
Or disable clam scanning temporarily and allow the message through and
recover it from the recipients mail box.

Thanks
-trog





Re: [Clamav-users] clamd dieing again, got some debug information.

2004-06-24 Thread Trog
On Mon, 2004-06-21 at 18:35, Christopher X. Candreva wrote:
> Segmentation Fault

Please test with current CVS (as of now).

Thanks
-trog





Re: [Clamav-users] OLE Problem WARNING: not scanned; untested big block size - please report

2004-07-02 Thread Trog
On Thu, 2004-07-01 at 15:27, Samuel Benzaquen wrote:
> 
> Then searching the changelog I found that it was fixed to skip 'probably
> corrupt' OLE files, so I tried with 0.74 and the result was:
> ---
> [EMAIL PROTECTED] tmp]# clamscan /var/tmp/Seguimiento\ RON\ SANTA\ TERESA\ -\
> carta.docKd0l57
> LibClamAV Error: WARNING: not scanned; untested big block size - please
> report
> /var/tmp/Seguimiento RON SANTA TERESA - carta.docKd0l57: OK
> ---
> 
> It doesn't segfault anymore.
> As the message says *please report*, that is what I am doing.
> Is this the way to report it ?
> Do you need the .doc file ?

If you have the original email message the document was in, please send
it to me, or send the .doc file if that is all you have.

Thanks
-trog





Re: [Clamav-users] not in gzip format

2004-07-02 Thread Trog
On Fri, 2004-07-02 at 14:13, ghooton wrote:
> When I try to install clamav I get the following:
> [EMAIL PROTECTED] ~]$
> [EMAIL PROTECTED] ~]$ zcat clamav-0.74.tar.gz | tar xvf -
>  
>zcat: 
> clamav-0.74.tar.gz: not in gzip format
> [EMAIL PROTECTED] ~]$
> 
> Any ideas ?

Maybe your web browser unzipped it already.

-trog





Re: [Clamav-users] [clamav-users]CVD extractio failure URGENT !!!

2004-07-19 Thread Trog
On Mon, 2004-07-19 at 15:20, deborah malka wrote:
> Hello,
> 
> I'm new to clamav. I have version 0.73. I'm on
> Debian 3.0.
> I set up clamav the first time, and when I ran
> clamd, it worked well.
> I stopped it, and when I wanted to restart it, I had
> the following error:
> Unpacking .../tmp/db
> LibClamav Error: Wrote 0 instead of 512 (/tmp/...db)
> LibClamav Error : cli_cvdload: Cant't unpack CVD file
> ...

Is your /tmp disk partition full?

-trog





Re: [Clamav-users] ClamAV + P3Scan problem

2004-07-20 Thread Trog
On Tue, 2004-07-20 at 14:46, Willem Kossen wrote:
> I added clamav to the mail group. Still it doesn't work and I can't
> understand why.
> 

Did you enable AllowSupplementaryGroups in clamav.conf and then restart
clamd as root?

-trog





Re: [Clamav-users] Clamd Dies

2004-07-26 Thread Trog
On Mon, 2004-07-26 at 08:03, Thomas Kinghorn wrote:
> Hi List
> 
> I have a problem with clamd dying without warning.
> Nothing appears in the log files.

> This morning I got in to work and it had failed.
> 
> Clamd -V produces:
> 
> clamd / ClamAV version 0.72
> 
> Any ideas where to look would be appreciated.
> 

Update to 0.75

-trog





Re: [Clamav-users] Clamav-devel vs. clamav-0.75

2004-07-26 Thread Trog
On Mon, 2004-07-26 at 04:07, Albert Whale wrote:
> Just attempted a trial with clamav-0.75 here are the results:
> 
> clamscan --mbox *
> Notification: OK
> Virus-Sample.070104: OK
> VirusSample.072504: OK
> VirusSample2.txt: Worm.SomeFool.Gen-1 FOUND
> VirusSample3.txt: Worm.SomeFool.P FOUND
> VirusSample.txt: Worm.SomeFool.P FOUND
> Work/msg-12403-1.txt: Worm.SomeFool.P FOUND

> While when the latest development snapshot detects more with:
> 
> clamscan --mbox *
> Notification: OK
> Virus-Sample.070104: Worm.SomeFool.P FOUND
> VirusSample.072504: OK
> VirusSample2.txt: Worm.SomeFool.Gen-1 FOUND
> VirusSample3.txt: Worm.SomeFool.P FOUND
> VirusSample.txt: Worm.SomeFool.P FOUND
> Work/msg-12403-1.txt: Worm.SomeFool.P FOUND

What's your point?

I'd be worried if the development version caught *fewer* viruses.

The development version has more features, hence it catches more
viruses.

-trog





Re: [Clamav-users] Clamav-devel vs. clamav-0.75

2004-07-26 Thread Trog
On Mon, 2004-07-26 at 13:15, Albert Whale wrote:
> Trog wrote:
> 
> >On Mon, 2004-07-26 at 04:07, Albert Whale wrote:
> >  
> >
> >Whats your point?
> >
> >I'd be worried if the development version caught *less* viruses.
> >
> >The development version has more features, hence it catches more
> >viruses.
> >
> >-trog
> >
> >  
> >
> My point is twofold.  First, the 0.75 release was made on 072204, same 
> date as the snapshot was taken.  Why the difference?

Because 0.75 is a stable release, snapshots are development releases.
0.75 contains only bug fixes, not new features.

> 
> Secondly, the addition of the changes for detecting Viruses in Mangled 
> Email has been present for some time, and while I am using the 
> Development Release to utilize this functionality, I am also waiting 
> patiently for this update to migrate into the Stable package.   Any idea 
> when that Migration can make it into the Fold?

In the best traditions of answering this question: "When it's ready".

...which really means it's an unknown.

-trog





Re: [Clamav-users] New variant Bagle not being detected?

2004-07-27 Thread Trog
On Tue, 2004-07-27 at 10:05, Mike Brodbelt wrote:

> I'm glad to hear it's sorted - I thought that was likely, but the tone
> of the message was worrying. Can I be a pedant and suggest you change
> the auto-response systems to give a reject reason like duplicate
> submission or something.
> 

The submission system is already capable of doing that.

However, due to the large number of submissions, I didn't have the hours
to spare typing the same thing on countless submissions.

-trog





Re: [Clamav-users] Suggestion: Feature Freeze

2004-07-27 Thread Trog
On Mon, 2004-07-26 at 21:59, John Madden wrote:
> > Could we perhaps stop adding features for a few days and get a stable
> > release out?  It would really help.
> 
> I'd like to second that.  Those of us depending on clamav to catch stuff
> can't afford to upgrade in the middle of the day for new signatures to
> work.

Why not? If you say "because it's a production system and it needs to be
tested", then that is a business decision to accept the risk of letting
in known viruses.

Most people would prefer that updates to the code to catch more viruses
are released.

>   And why don't these new signatures work?  Has that interface not
> yet stabilized?

No. Adding more powerful features to the scanning engine requires
changes to the signature format.

-trog





Re: [Clamav-users] My.Doom.o

2004-07-27 Thread Trog
On Tue, 2004-07-27 at 16:26, Scott Ryan wrote:

> with a zip file attached containing a pif file.
> 
> I submitted the zip file only to have the message returned to me advising that 
> it is not a virus, but "Binary fragment. Harmless."
> 

If you unpack it and look at the actual content of the attachment you'll
see it's not a valid executable, just some rubbish.

If you want to attempt to write a signature that matches ALL the
possible email messages and broken attachments, then I'm sure the sig
team would be happy to receive it.

-trog





Re: [Clamav-users] mydoom.m zipped version getting through clamav

2004-07-28 Thread Trog
On Tue, 2004-07-27 at 22:48, Jim wrote:
> The new [EMAIL PROTECTED] zipped versions are getting through my 
> clamav/amavisd-new/spamassassin box.
> 
> It is stopping and dropping zipped versions of Bagle, but no luck with 
> zipped versions of mydoom.M
> 
> Anyone else experiencing this?

The only Mydoom.M I've seen not get detected are in fact just broken
binary rubbish that are harmless as they are not executable.

This includes files that are zipped and doubly zipped.

-trog





Re: [Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)

2004-07-28 Thread Trog
On Tue, 2004-07-27 at 21:45, Jim Maul wrote:

> > Well, we upgraded to 0.75.. And since last sunday out of
> > 2171 viruses there've been 64 Mydoom variants. Including
> > Mydoom.M, J, etc..
> >
> >
> 
> Indeed, but I am running 0.74 which I thought was "unable" to catch these.
> 

0.74 is able to catch many Mydoom.M samples, but not all of them in
email messages.

-trog





Re: [Clamav-users] Strange DNS lookup failure and freshclam again - strace info appended

2004-07-28 Thread Trog
On Wed, 2004-07-28 at 08:49, Brian Morrison wrote:

> 
> Now, I don't know whether freshclam itself decides to call the nscd UNIX
> socket or whether the resolver library does it

The resolver library does it.

> 
> Actually, on further investigation of the failed freshclam strace, there
> is no call to libresolv.so at all.

strace doesn't show calls to libraries, only system calls.

-trog





Re: [Clamav-users] Some Mydoom.M found, not all

2004-07-28 Thread Trog
On Wed, 2004-07-28 at 11:31, Thomas Lamy wrote:

> > So it seems that clamav 0.75 + latest signature files are not
> > catching all

> > 
> Yes - submit them (from your quarantine directory) on http://www.clamav.net/
> 

Don't submit them if they are binary fragments that are not executable,
they simply waste the time of the signature team.

-trog





Re: [Clamav-users] mydoom.m zipped version getting through clamav

2004-07-28 Thread Trog
On Wed, 2004-07-28 at 14:47, Scott Ryan wrote:
> I have upgraded to latest snapshot, but I am still seeing zipped My.Doom.m 
> viruses coming through.
> When I run clamdscan on the zip file that gets through, clamav identifies it 
> as My.Doom.m 
> 
> Is there something I am missing here?
> 

Possibly. Please send me a sample email (not just a zip) in a password
protected zip.

Thanks
-trog





Re: [Clamav-users] clamd segment violations

2004-07-29 Thread Trog
On Wed, 2004-07-28 at 23:16, Doug Hardie wrote:

> I was using clamav-0.70-rc for a long time because it was stable and 
> never crashed.  However, it started missing a lot of newer viruses so I 
> upgraded to the version above.
> 
> Clamd is giving a segment violation every 2 to 6 hours and I have to 
> restart it.  Thousands of messages are scanned while it is still 
> running.   I have used the following different configure commands and I 
> don't see any real change in the behavior:
> 

Please attach gdb to the running clamd and do a backtrace when it
crashes.

-trog





Re: [Clamav-users] 0.75 dies quietly on Linux

2004-07-29 Thread Trog
On Thu, 2004-07-29 at 00:30, Scott Call wrote:

> 
> I've gone back to 0.73 for now, but any hints or tips would be greatly 
> appreciated.
> 

If you are using any version of zlib (libz) other than 1.1.4 (including
1.2.x) then install 1.1.4.

Otherwise please attach gdb to the running clamd process and do a
backtrace when it crashes.

-trog





Re: [Clamav-users] RE: dot qmail files

2004-07-30 Thread Trog
On Fri, 2004-07-30 at 02:16, Jason wrote:
> What I ultimately need to do is take the delivery, check it for a virus, 
> and take an action. This needs to be configurable by account and 
> maintainable by an inexperienced admin that can follow directions. 
> Updates should be easily performed and the entire system should be 
> installable without ever having compiled anything. If no work has been 
> done in this area I am happy to embark on it and even make more in doing 
> so; however, I would be remiss if I did not look for existing works.
> 

OdeiaVir will probably do what you want.

http://odeiavir.sourceforge.net/


-trog





Re: [Clamav-users] clamd timeout?

2004-07-30 Thread Trog
On Fri, 2004-07-30 at 02:32, Brian Bruns wrote:
> Is there any way to have clamd stop scanning a file/archive/etc fed to
> it after a set amount of seconds, and return an error?

No, but you can limit the amount of data/files in an archive it will
scan.

-trog





Re: [Clamav-users] online scanner doesn't recognize (at least one) virus

2004-07-30 Thread Trog
On Fri, 2004-07-30 at 10:17, Giorgio Bellussi wrote:
> Good day all.
> Online scanner http://www.gietl.com/test-clamav/ doesn't recognize 
> mabutu.a (same way as clamav-0.75)
> The same file is reported as infected at
> http://www.kaspersky.com/scanforvirus (I-Worm.Mabutu.a)
> and
> http://www.ravantivirus.com/scan/indexn.php (Win32/HLLW.Mabutu.B).
> 
> clamav-devel-20040728 recognizes it as Worm.Mabutu.A-upx.

clamav-devel-20040728 contains a UPX unpacker, clamav-0.75 does not.

Hence, it is able to unpack the file and finds the worm.

-trog





Re: [Clamav-users] ClamAV 0.75 assertion failure (reproducible)

2004-07-30 Thread Trog
On Fri, 2004-07-30 at 10:37, Ollie Cook wrote:
> Hi,
> 
> While investigating the crashes I've been seeing with ClamAV 0.75 on FreeBSD I
> have discovered a place where an assertion fails. The assertion that fails is
> on line 331 of message.c:
> 
> assert(m->base64chars == 0);

This doesn't crash with clamav-0.75.1

(currently here: http://www.clamav.net/snapshot/clamav-0.75.1.tar.gz)

-trog





RE: [Clamav-users] ClamAV 0.75 assertion failure (reproducible)

2004-07-30 Thread Trog
On Fri, 2004-07-30 at 14:42, Christopher X. Candreva wrote:
> On Fri, 30 Jul 2004, Nigel Horne wrote:
> 
> >  
> > > assert(m->base64chars == 0);
> > 
> > This was fixed in 0.75-1, please update.
> 
> This might be a silly question, but does 0.75-1 have all the fixes from 
> CVS ?  (Specifically the Solaris crashing ?)
> 

If you look in the announcement, or the ChangeLog, you will see this:

  * libclamav/mbox.c:   Fix crash when debugging on SPARC


so I guess it does.

-trog





Re: [Clamav-users] 0.75.1 not detecting many more viruses :-(

2004-08-03 Thread Trog
On Tue, 2004-08-03 at 10:32, BG Mahesh wrote:

> I upgraded to 0.75.1. I also use,
> 
> MailScanner 4.32.5-1 and SA 2.63.
> After upgrading, many infected emails are not being deleted/detected. When I download 
> my email, Norton Anti Virus 2004 is deleting those emails.
> 
> The viruses that are not being detected are,
> 
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> 
> In MailScanner.info I do see
> 
> Virus Scanning = yes
> Virus Scanners = clamav
> 
> What could have gone wrong?

I suspect a configuration error.

You can submit files to see if Clam finds them here
http://www.gietl.com/test-clamav/

Are you using clamscan or clamdscan?

What options are you passing on the command line and in clamav.conf?

-trog





Re: [Clamav-users] 0.75.1 not detecting many more viruses :-(

2004-08-03 Thread Trog
On Tue, 2004-08-03 at 12:55, Bad Apple wrote:

> I just got a virus which was not detected by Clam but
> got detected by F-prot Command line scanner .
> 
> 
> I submitted the sample to the link mentioned above it
> said
> "Clamav DID NOT identify your sample as malicious
> content"
> 
> And after reporting the same file to
> http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi
> It displayed
> This virus is already recognized by clamscan / ClamAV
> version devel-20040726 as Worm.Mabutu.A-unp . Be
> careful when submitting samples and remember to run
> freshclam!
> 

Ok, clamav-devel-20040726 contains a UPX unpacker, which isn't in 0.75.1

So, clamav-devel-20040726 is able to unpack the file and then recognises
it as Worm.Mabutu.A-unp

The file you have is obviously not matching the signature for the packed
version.

Please put the file in a password protected zip and upload it to the
submissions page, and please add a note explaining the above.

Thanks
-trog





[Clamav-users] [PATCH] catch Mydoom.M "binary fragments"

2004-08-05 Thread Trog
The attached patch for clamav-0.75.1 will catch the files sent by
Mydoom.M that have been reported as "binary fragments".

They will get reported as Mydoom.M.log

Thanks,
-trog

--- clamav-0.75.1.dist/libclamav/scanners.c	2004-06-29 22:58:37.0 +0100
+++ clamav-0.75.1/libclamav/scanners.c	2004-08-05 08:35:26.0 +0100
@@ -29,6 +29,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #ifdef CL_THREAD_SAFE
 #  include 
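Review bot: the added `#include` on the first `+` line of this hunk has lost its header name in this rendering, so a reader cannot tell what is being pulled in; it should be the header that declares `ntohl()`, which the new function depends on (normally `<netinet/in.h>` or `<arpa/inet.h>`), and since the new function also uses `int32_t`, `<stdint.h>` (or `<inttypes.h>`) is needed as well unless a header already included in scanners.c provides it.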
@@ -958,6 +959,40 @@
 	return ret;
 }
 
+static int  cli_scan_mydoom_log(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *reclev)
+{
+int32_t record[8], check;
+int i, retval=CL_VIRUS, j;
+
+cli_dbgmsg("in mydoom_log\n");
+
+/* Check upto the first five records in the file */
+for (j=0 ; j<5 ; j++) {
+	if (cli_readn(desc, &record, 32) != 32) {
+	break;
+	}
+
+	/* Decode the key */
+	record[0] = ~ntohl(record[0]);
+	cli_dbgmsg("key: %lu\n", record[0]);
+	check = 0;
+	for (i=1 ; i<8; i++) {
+	record[i] = ntohl(record[i]) ^ record[0];
+	check += record[i];
+	}
+	cli_dbgmsg("check: %lu\n", ~check);
+	if ((~check) != record[0]) {
+	return CL_CLEAN;
+	}
+}
+if (j < 2) {
+	retval = CL_CLEAN;
+} else if (retval==CL_VIRUS) {
+	*virname = "Mydoom.M.log";
+}
+return retval;
+}
+
 static int cli_magic_scandesc(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *reclev)
 {
 	char magic[MAGIC_BUFFER_SIZE+1];
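Review bot: `record` and `check` in `cli_scan_mydoom_log()` are declared `int32_t` but hold values from `ntohl()`, which returns an unsigned 32-bit quantity, and are then inverted, XORed and summed; `check += record[i]` can overflow a signed type, which is undefined behaviour in C, and the `%lu` in both `cli_dbgmsg()` calls does not match a 32-bit argument. Declare them `uint32_t` and print with `%u` (or `PRIu32`). In `cli_readn(desc, &record, 32)`, pass `record` and `sizeof(record)` rather than `&record` and a literal 32, so the read length stays tied to the array. Smaller points: `retval` is never modified inside the loop, so the `else if (retval==CL_VIRUS)` test is always true and can be dropped, and the `scanned`, `root`, `limits`, `options` and `reclev` parameters are unused. A comment stating the acceptance rule (at least two consecutive 32-byte records whose decoded words sum to the bitwise inverse of the key) would help whoever next tunes this heuristic.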
@@ -982,7 +1017,6 @@
 	/* return CL_EMAXREC; */
 	return CL_CLEAN;
 
-
 (*reclev)++;
 lseek(desc, 0, SEEK_SET);
 bread = read(desc, magic, MAGIC_BUFFER_SIZE);
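Review bot: this hunk only deletes a blank line between the early `return CL_CLEAN;` and `(*reclev)++;`; a whitespace-only change is better left out of a functional patch, or committed separately, so that the diff against 0.75.1 shows just the detection change.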
@@ -1057,6 +1091,11 @@
 	}
 }
 
+if (ret == CL_CLEAN) {
+	lseek(desc, 0, SEEK_SET);
+	ret = cli_scan_mydoom_log(desc, virname, scanned, root, limits, options, reclev);
+}
+
 return ret;
 }
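Review bot: the new call runs on every descriptor that came back clean, whatever file type was detected, after an unchecked lseek(). The cost is small (at most five 32-byte reads), but a failed seek would leave the check reading from wherever the previous scanner stopped and silently misfire, so test the lseek() return value before calling cli_scan_mydoom_log. Since this is a hard-coded format check in the generic scanner rather than a database signature, a one-line comment explaining why it cannot be expressed as a signature would help whoever maintains this when the worm's log format changes.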
 


signature.asc
Description: This is a digitally signed message part


Re: [Clamav-users] Ignoring option -r

2004-08-10 Thread Trog
On Tue, 2004-08-10 at 09:42, Arthur Kerpician wrote:
> Hi all,
> Is anybody getting this message in the mail notifications?
> ---clamdscan results ---
> WARNING: Ignoring option -r: please edit clamav.conf instead.
> ---
> 
> Couldn't find anything related to thet -r switch. I start clamd only 
> with -c to point to the configuration file.
> Thanks for any ideas.
> Arthur
> 

You're giving options to clamdscan which it doesn't understand.

-trog


signature.asc
Description: This is a digitally signed message part


RE: [Clamav-users] Worm.Mydoom.M

2004-08-12 Thread Trog
On Thu, 2004-08-12 at 09:02, Кирилл Усатов wrote:
> >Кирилл Усатов said the following on 8/12/2004 5:44 AM GMT+2:
> >> I scan mail with clamav 0.75 on my gentoo.
> >> 
> >> My  bases is up to date.
> >> 
> >> Clamdscan /virus_file 
> >> 
> >> Not catch a virus.
> >
> >You are probably scanning a broken sample.
> >In any case, update to clamav 0.75.1.
> 
> 
> I update clamav from 0.70 to 0.75 

Update to 0.75.1 as you were advised. It catches additional Mydoom.M
samples.

-trog



signature.asc
Description: This is a digitally signed message part


RE: [Clamav-users] Worm.Mydoom.M

2004-08-12 Thread Trog
On Thu, 2004-08-12 at 10:31, Кирилл Усатов wrote:
> I'm update clamav to 0.75.1 
> Clamscan catch  virus
> But clamdscan don't
> & clamav-milter don't stop infected mail

Make sure you have ScanMail enabled in clamav.conf, that you've
restarted clamd and that you don't have any old libclamav libraries on
your system.

-trog



signature.asc
Description: This is a digitally signed message part


RE: [Clamav-users] Worm.Mydoom.M

2004-08-12 Thread Trog
On Thu, 2004-08-12 at 12:25, Кирилл Усатов wrote:

> 
> I have old libmilter.a: is it ?
> 

I wouldn't have thought so.

I guess you are scanning the file by hand rather than pushing it back
through the mail system.

You are running clamd as the user clamav - does that user have access
rights to the file you are trying to scan?

What does the clamd.log file say?

-trog



signature.asc
Description: This is a digitally signed message part


Re: [Clamav-users] Mail-ClamAV installed virus

2004-08-12 Thread Trog
On Thu, 2004-08-12 at 15:07, [EMAIL PROTECTED] wrote:

> 
> If this is the wrong list to post this or these CPAN modules have nothing
> to do with the clamav project I apologize for the interruption.

The second of those two options.

-trog



signature.asc
Description: This is a digitally signed message part


Re: [Clamav-users] Oversized zips with clamscan

2004-08-12 Thread Trog
On Thu, 2004-08-12 at 15:58, Plant, Dean wrote:
> I need to increase the ArchiveMaxCompressionRatio in clamscan as I have had
> a few zips being incorrectly identified as oversized zips.
> 
> I first increased the ArchiveMaxCompressionRatio in clamav.conf but the zip
> file was still incorrectly identified. From reading the changelog it looks
> like that the ArchiveMaxCompressionRatio in clamav.conf is only applicable
> to clamd and not clamscan, is this assumption correct? If this is correct
> how do I increase the ratio in clamscan.

Reading the documentation would probably be a good way of finding out.
Don't you think? Do you?

 --max-ratio=#n
 Set maximum archive compression ratio limit.  This  option  pro-
 tects your system against DoS attacks (default: 200).


-trog



signature.asc
Description: This is a digitally signed message part


Re: [Clamav-users] Clamd - reloading of database delayed after freshclam update

2004-08-17 Thread Trog
On Mon, 2004-08-16 at 08:05, Brian Morrison wrote:

> > *Clamd successfully notified about the update.*
> 
> Yes, I get that too.
> 
> However, clamd does not immediately report that it has reloaded the
> database, that happens the next time the Database check happens. Is that
> what you see? If so, then I suppose it is correct.

Clamd won't immediately reload the database. It notes the request the
reload the database, and only does the reload when a request comes in to
actually do some work. So, on a lightly loaded server, there will be a
time difference.

-trog



signature.asc
Description: This is a digitally signed message part


Re: [Clamav-users] Leak on Linux 2.4

2004-08-17 Thread Trog
On Mon, 2004-08-16 at 16:42, Daniel Tiefnig wrote:
> Roman Suzi wrote:
> > I am not sure why do you worry. Can't see anything unusual.
> 
> So you say it's usual, that clamd uses 14M of memory for about one day,
> and then suddenly jumps to 27M? Weird.

That's not unusual.

> 
> > The number of clamd processes is dynamic except for two watchdogs.
> 
> That's not the problem. I see I wasn't clear on that in my original
> mail. The problem is that clamd is using nearly twice as much memory as
> it was a minute before...

It uses memory to scan files, especially to scan email messages. An
email message could make the memory usage jump.

Also, the libc memory allocation routines will almost certainly not free
the used memory, but keep it in reserve for later use.

-trog



signature.asc
Description: This is a digitally signed message part


Re: [Clamav-users] Freshclam errors

2004-08-17 Thread Trog
On Tue, 2004-08-17 at 16:28, Randall Perry wrote:

> > main.cvd is up to date (version: 24, sigs: 21793, f-level: 2, builder: tomek)
> > ERROR: Can't open new file ./clamav-18d5879888c45d2c to write
> So, where is freshclam trying to write this file -- I assume I need to
> change perms for a directory?

It writes it to the directory where daily.cvd and main.cvd are stored.

-trog



signature.asc
Description: This is a digitally signed message part


RE: [Clamav-users] Freshclam cron interval {Revisado por Antivirus}

2004-08-17 Thread Trog
On Tue, 2004-08-17 at 11:36, [EMAIL PROTECTED] wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> 
> What about a freshclam cache.
> 
> Many users probably have several if not many servers all running clamav.
> If we had a freshcached daemon running on a secure server we could point
> all other servers to that cache. Or better yet have that daemon notify a
> list of clamd's on different machines that there is an update. There are
> pros and cons with all the suggestions so far but I think this one has
> more pros than cons. Also it should not be to hard to implement and give
> us time to come up with a better approach.

You can do that already by using your own web server.

> Do it the unix way -> "split the problem into separate processes that do
> their job and only their job the best way possible".

and that's what freshclam does. It updates the virus signatures. All you
need to do is tell it where to update them from.

-trog




signature.asc
Description: This is a digitally signed message part


Re: [Clamav-users] Freshclam cron interval {Revisado por Antivirus}

2004-08-18 Thread Trog
On Tue, 2004-08-17 at 16:40, [EMAIL PROTECTED] wrote:

> so in addition to our servers, there are some 50 client machines all
> querying the clamav databases, probably every hour most likely more often
> if I know M$ lovers.
> 
> Making all users aware of the proxy cache will now mean we will only have
> one machine check and download. Everyone else can get it from that server.
> 
> How do I (as admin) stop internal clients going outside for updates and
> force them to use my cache. (Once I set it up).

Many ways.

> 
> They have all just installed it themselves when their commerical scanners
> license ran out and I can't really stop them from connecting to my www
> proxy on port 80.
> 

You can stop them connecting to your proxy - it may not make for happy
clients, though.

You could:

- Block access to just the database update site
- Set a policy for using clam updates, and apply it.
- Add a DNS authoritative domain on your INTERNAL DNS so updates get
directed to your own server.
- Use a redirector on your proxy server.

I'm sure there are other methods.

-trog



signature.asc
Description: This is a digitally signed message part
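A worked example for the two freshclam threads above (freshclam writing a new .cvd into the directory where daily.cvd and main.cvd live, and serving updates from your own web server): the script below is an added illustration, not freshclam's or libclamav's own code. It parses the 512-byte "ClamAV-VDB" header of a .cvd, checks the MD5 the header declares over the tar.gz body that follows it, lists the signature files packed inside, and decides whether a local mirror should publish a freshly fetched copy. The sample .cvd is constructed in the block (its version, sigs, f-level and builder values follow the freshclam line quoted earlier); the digital-signature field is carried through but not verified, since that needs ClamAV's public key and is libclamav's job.

```python
"""Check ClamAV .cvd files before publishing them from a local freshclam mirror.
Added example, not freshclam's or libclamav's code. Layout assumed: a 512-byte
text header "ClamAV-VDB:<build time>:<version>:<sigs>:<f-level>:<MD5>:<dsig>:
<builder>:<build time as epoch seconds>" padded with spaces, then a tar.gz body.
The dsig field is NOT verified here; only libclamav holds the key to do that."""
import gzip
import hashlib
import io
import tarfile

CVD_HEADER_LEN = 512


def parse_cvd_header(blob):
    """Split the fixed-size header into its nine colon-separated fields."""
    if len(blob) < CVD_HEADER_LEN:
        raise ValueError("truncated: shorter than the 512-byte CVD header")
    text = blob[:CVD_HEADER_LEN].decode("ascii", "replace").rstrip(" \0")
    fields = text.split(":")  # the build time uses 'HH-MM', so ':' never occurs inside a field
    if len(fields) != 9 or fields[0] != "ClamAV-VDB":
        raise ValueError("not a ClamAV-VDB header")
    _, build_time, version, sigs, flevel, md5, dsig, builder, stime = fields
    return {"build_time": build_time, "version": int(version), "sigs": int(sigs),
            "flevel": int(flevel), "md5": md5.lower(), "dsig": dsig,
            "builder": builder, "stime": int(stime)}


def verify_cvd_md5(blob):
    """True when the MD5 named in the header matches the tar.gz body after it."""
    hdr = parse_cvd_header(blob)
    return hashlib.md5(blob[CVD_HEADER_LEN:]).hexdigest() == hdr["md5"]


def list_cvd_contents(blob):
    """Names of the signature files packed in the body (e.g. daily.db)."""
    with tarfile.open(fileobj=io.BytesIO(blob[CVD_HEADER_LEN:]), mode="r:gz") as tar:
        return [m.name for m in tar.getmembers()]


def mirror_decision(local_blob, upstream_blob, engine_flevel):
    """What a local mirror should do with a freshly fetched upstream .cvd."""
    up = parse_cvd_header(upstream_blob)
    if not verify_cvd_md5(upstream_blob):
        return "reject: body MD5 does not match header"
    if up["flevel"] > engine_flevel:
        return "hold: needs f-level %d, engine here is f-level %d" % (up["flevel"], engine_flevel)
    if local_blob is not None:
        local_version = parse_cvd_header(local_blob)["version"]
        if local_version >= up["version"]:
            return "keep: local version %d is already current" % local_version
    return "publish: version %d (%d sigs)" % (up["version"], up["sigs"])


def build_sample_cvd(version, sigs, flevel, builder="tomek", md5_override=None):
    """Constructed sample: one .db file in a tar.gz body, wrapped in a CVD header.
    md5_override lets a test fake a corrupted or tampered body."""
    payload = b"Constructed-Test-Sig=deadbeefcafebabe\n"  # .db lines are Name=HexSignature
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        info = tarfile.TarInfo("daily.db")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    body = gzip.compress(tar_buf.getvalue(), mtime=0)
    md5 = md5_override or hashlib.md5(body).hexdigest()
    header = "ClamAV-VDB:17 Aug 2004 10-00 +0000:%d:%d:%d:%s:%s:%s:%d" % (
        version, sigs, flevel, md5, "dsig-not-checked-here", builder, 1092736800)
    return header.ljust(CVD_HEADER_LEN).encode("ascii") + body


if __name__ == "__main__":
    current = build_sample_cvd(24, 21793, 2)
    fetched = build_sample_cvd(25, 21900, 2)
    print(list_cvd_contents(fetched), mirror_decision(current, fetched, 2))
```

On a real mirror the two blobs would be the file already in the web server's document root and the one just fetched from database.clamav.net; only a copy that passes the MD5 check and is strictly newer is moved into place, which is the same ordering freshclam itself applies before it replaces daily.cvd.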


Re: [Clamav-users] Bagle.AQ not detected

2004-08-19 Thread Trog
On Wed, 2004-08-18 at 13:15, Nicolas Aulas wrote:
> Hello all,
> I have a amavis-clamav(0.75.1)-postfix system installed on a fedora core 1
> and it works very well. My "little" problem is about the "price_new.zip"
> virus (seems to be bagle.aq) tht's is not detected. Have you the same
> problem ?

No.

Make sure it's not an empty or corrupt zip file.

-trog



signature.asc
Description: This is a digitally signed message part


Re: [Clamav-users] Leak on Linux 2.4

2004-08-19 Thread Trog
On Thu, 2004-08-19 at 05:17, Lutz Petersen wrote:

>  Sure, but that's only a workaround. We have mailservers that
>  get clamd restartet (via clamdwatch.pl) nearly 10-15 times a day.
>  Every time clamd hangs that has consequences to the mail-flow, and
>  that's a real problem. Running clamd without softlimit ends in
>  clamd (after some time, some hours, some days or a week, I never
>  found out why) eating up all memory until the servers hook off.
>  So softlimit is a workaround, but not the solution. These memory
>  leaks may be the only real reason not to deal with clamav, in all
>  other relations this project is nice and fine. It would be very
>  positive to get the code 'de-leaked'. I'm not the C-programmer
>  to work on it, but if it helps our company could make some 
>  donations to get clamd more (memory-) stable.

I run clamd for weeks at a time (until I choose to upgrade it) without
any memory leaks.

It appears people that report 'memory leaks' are running either Solaris
or FreeBSD. It may be that there is a library on those systems that
leaks memory.

Until someone who can reproduce these memory leaks puts the effort in to
find the cause, by using a memory debugger, this issue is unlikely to
get resolved.

Needless to say, the developers don't see any leaks in our test systems,
otherwise we would fix them.

-trog



signature.asc
Description: This is a digitally signed message part


Re: [Clamav-users] Leak on Linux 2.4

2004-08-19 Thread Trog
On Thu, 2004-08-19 at 10:50, Jason Haar wrote:
> Linux too. I've seen this on Redhat 8 and Fedora Core 2.
> 
> > Until someone who can reproduce these memory leaks puts the effort in to
> > find the cause, by using a memory debugger, this issue is unlikely to
> > get resolved.
> 
> Can you give an example of how to do that? Just because I know how to run
> "make", doesn't make me a programmer :-)
> 
> [in fact, I know a lot of (Windows) programmers: none of them know how to
> run debuggers either... ;-)]

First, make sure you are using 0.75.1 (or the latest CVS code), reports
from older versions are likely to be useless.

On Linux, it's easy:

1. install valgrind http://valgrind.kde.org/
2. set clamd to run in the Foreground and not to change user away from
root - in clamav.conf uncomment the Foreground option, and comment out
the User option.
3. Run clamd under valgrind:
valgrind --leak-check=yes /usr/local/sbin/clamd > valgrind.out 2>&1

4. Wait for 'leak' to occur.
5. Shut down clamd cleanly, so that valgrind can process the memory
information. Killing clamd will make the whole process worthless.
a. TCP Sockets: telnet to the TCP port and type 'QUIT'
b. UNIX Sockets: use the attachment perl script.
TEST IT BEFORE YOU START IN EARNEST

Send the valgrind.out file to bugs[at]clamav.net

For other systems (Solaris, FreeBSD, etc.) the same methodology applies,
but you'll need to use a different memory debugger. I haven't tested any
yet but, some possible free candidates are:
    Dmalloc - http://dmalloc.com/
    mpatrol - http://www.cbmamiga.demon.co.uk/mpatrol/

-trog

#!/usr/bin/perl
# Ask clamd to shut down cleanly over its UNIX socket (so valgrind can write
# its report), then reconnect to confirm the daemon has gone away.

use strict;
use warnings;
use IO::Socket::UNIX;

my $LocalSocket = "/tmp/clamd";
my $timeout     = 15;

if ( ! -e $LocalSocket ) {
    print "It doesn't look like clamd is running.\n";
    exit 0;
}

my $sock = IO::Socket::UNIX->new(Type    => SOCK_STREAM,
                                 Timeout => $timeout,
                                 Peer    => $LocalSocket);

if ( !$sock || $@ ) {
    print "Clamd Not Running\n";
    exit 0;
}

if ( $sock->connected ) {

    my $err = "";

    # ask clamd to quit
    $sock->send("QUIT");

    # set the $timeout and die with a useful error if
    # clamd isn't responsive
    eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm($timeout);
        $sock->recv($err, 200);
        alarm(0);
    };
    if ($@) {
        die unless $@ eq "timeout\n";
        print "Clamd not responding to QUIT request\n";
        exit 0;
    } else { # clamd responded to the request
        print "Clamd quitting!\n";
    }

} else {
    # you should never get here either
    print "Unknown State (Clamd Useless)\n";
    exit 0;
}

$sock->close();

# Try to reconnect twice, a second apart; a refused connection means clamd has gone.
for my $attempt (1, 2) {
    sleep(1);
    $sock = IO::Socket::UNIX->new(Type    => SOCK_STREAM,
                                  Timeout => $timeout,
                                  Peer    => $LocalSocket);
    if ( !$sock || $@ ) {
        print "Clamd Has Quit\n";
        exit 0;
    }
    $sock->close();
}
print "Clamd is still accepting connections\n";



signature.asc
Description: This is a digitally signed message part


Re: [Clamav-users] clamfi_eom: read nothing from clamd

2004-08-23 Thread Trog
On Mon, 2004-08-23 at 07:14, Derya ESEL ALTINEŞİK wrote:

> 
> __
> 
> clamav-0.68 + clamav-milter
> 
> Any ideas as to what could be causing this or what I can do to prevent
> it? Unfortunately, this is all of the information I have been able to
> get. It's happened twice now.. the first time was a couple of months
> ago, with clamav-0.67.
> 

Upgrade to 0.75.1 immediately. Every version less than 0.75.1 has known
crashing issues.

-trog



signature.asc
Description: This is a digitally signed message part


Re: [Clamav-users] Clamd 0-.75 Segmentation fault :-( Bye..

2004-08-24 Thread Trog
On Mon, 2004-08-23 at 22:51, Niek wrote:
> On 8/23/2004 8:46 PM +0200, Dale Anderson wrote:
> > Is there a fix? I am Segment faulting serveral times a
> > day. The system is a FreeBSD 5.0. I am running Qmail
> > with qmail-scanner calling clamd. I switched from
> > clamscan because clamscan was clogging the mail system
> > with to many scans at the same time. clamdscan is good
> > until it segment faults. I not sure where to turn
> > next.
> > Any Ideas? 
> > Calling clamdscan with this line
> > clamdscan -r --disable-summary --max-recursion=10 --max-space=100
> 
> Probably "broken" mydoom.m.
> Update to clamav 0.75.1 or newer devel. versions.

You should also try:

1. The latest development version, it's possible that fixes for
gethostbyname usage will resolve your problem.

2. I'm not sure if this still applies with FreeBSD 5.0, but try linking
against LinuxThreads instead of native threads.

-trog



signature.asc
Description: This is a digitally signed message part


Re: [Clamav-users] clamd segment faults -- zip archives

2004-08-25 Thread Trog
On Tue, 2004-08-24 at 17:54, Matt wrote:
> Dale Anderson wrote:
> 
> > I have been having segment faults with clamd. I think
> > I am finding it happens on zip archives. I have sent a
> > few test virus zip files to the system each of them
> > causing a segment fault. Can someone help me out?
> > 
> 
>  A little more info would probably help.
> 

Which version of libz are you using? Anything other than 1.1.4 is liable
to crash or have security problems.

-tony



signature.asc
Description: This is a digitally signed message part


Re: [Clamav-users] clamd segment faults -- zip archives

2004-08-25 Thread Trog
On Wed, 2004-08-25 at 12:34, Christopher X. Candreva wrote:
> On Wed, 25 Aug 2004, Trog wrote:
> 
> > Which version of libz are you using? Anything other than 1.1.4 is liable
> > to crash or have security problems.
> 
> Just to be clear -- you are saying the latest verion 1.2.1 has problems ?

Yes, that is what I am saying.

> 
> Is this documented any place ?
> 

It's documented in the archives of this mailing list.

-trog



signature.asc
Description: This is a digitally signed message part


Re: [Clamav-users] LibClamAV Warning: Not all attachments will be scanned

2004-09-01 Thread Trog
On Wed, 2004-09-01 at 09:24, Tomasz Papszun wrote:
> On Tue, 31 Aug 2004 at 13:55:39 -0500, Daniel J McDonald wrote:
> [...]
> > Incidentally, I've gotten a number of .chm files lately in a unicode
> > message.  Clamav hasn't twigged on them, but I ban them with amavis-new
> > anyway.  Are there any known exploits with .chm files, or is that just
> > another way to move SPAM around?
> 
> Yes, there are known exploits with .chm files.

CHM ("Compiled HTML") is just another archive format with some extra
files in it with meta-information. Despite the name, they can contain
any type of file, including exe's.

The ClamAV development version contains an unpacker for CHM archives.

-trog



signature.asc
Description: This is a digitally signed message part
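To make the point concrete, here is an added example (not ClamAV's chmunpack.c) that walks the ITSS directory of a .chm: the fixed ITSF header, the ITSP directory header, and the PMGL listing chunks whose ENCINT-encoded entries give each stored file's section, offset and length. The sample .chm is constructed inline and keeps its files uncompressed in section 0; real help files put most content in the LZX-compressed section 1, which this walker reports but does not decode. Every offset and length taken from the file is bounds-checked before use, which is the part an unpacker fed untrusted mail attachments has to get right.

```python
"""Minimal CHM (ITSS) directory walker with bounds checks.
Added example, not ClamAV's chmunpack.c. Header layouts follow the widely
documented ITSF (0x58 bytes for v2, 0x60 for v3), ITSP (0x54) and PMGL (0x14)
structures; the sample file is constructed in build_sample_chm()."""
import struct

ITSP_LEN = 0x54   # directory header
PMGL_HDR = 0x14   # "PMGL", free space, unknown, prev chunk, next chunk
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".dll")


def _encint(value):
    """Encode a CHM ENCINT: big-endian 7-bit groups, high bit set = more bytes follow."""
    out = [value & 0x7f]
    value >>= 7
    while value:
        out.append((value & 0x7f) | 0x80)
        value >>= 7
    return bytes(reversed(out))


def _read_encint(buf, pos, end):
    value = 0
    while True:
        if pos >= end:
            raise ValueError("ENCINT runs past the end of the entry area")
        b = buf[pos]
        pos += 1
        value = (value << 7) | (b & 0x7f)
        if not b & 0x80:
            return value, pos


def parse_itsf(data):
    """Directory and content offsets from the ITSF header, validated against the file size."""
    if len(data) < 0x58 or data[:4] != b"ITSF":
        raise ValueError("not a CHM: missing ITSF signature")
    version, header_len = struct.unpack_from("<ii", data, 4)
    need = 0x60 if version == 3 else 0x58
    if version not in (2, 3) or header_len < need or len(data) < need:
        raise ValueError("unsupported version or truncated ITSF header")
    _, _, dir_off, dir_len = struct.unpack_from("<QQQQ", data, 0x38)  # header-section table
    if dir_len < ITSP_LEN or dir_off + dir_len > len(data):
        raise ValueError("directory lies outside the file")
    content_off = struct.unpack_from("<Q", data, 0x58)[0] if version == 3 else dir_off + dir_len
    return {"version": version, "dir_off": dir_off, "dir_len": dir_len, "content_off": content_off}


def list_entries(data):
    """Return [(name, section, offset, length)] from every PMGL listing chunk."""
    hdr = parse_itsf(data)
    d = hdr["dir_off"]
    if data[d:d + 4] != b"ITSP":
        raise ValueError("directory does not start with ITSP")
    itsp_len = struct.unpack_from("<i", data, d + 8)[0]
    block_len = struct.unpack_from("<I", data, d + 0x10)[0]
    num_blocks = struct.unpack_from("<I", data, d + 0x28)[0]
    if itsp_len < ITSP_LEN or block_len < PMGL_HDR or itsp_len + num_blocks * block_len > hdr["dir_len"]:
        raise ValueError("directory chunks exceed the declared directory length")
    entries = []
    for i in range(num_blocks):
        start = d + itsp_len + i * block_len
        chunk = data[start:start + block_len]
        if chunk[:4] != b"PMGL":      # PMGI index chunks only speed up lookups; skip them
            continue
        end = block_len - struct.unpack_from("<I", chunk, 4)[0]   # entries stop where free space begins
        if end < PMGL_HDR:
            raise ValueError("PMGL free-space field larger than the chunk")
        pos = PMGL_HDR
        while pos < end:
            nlen, pos = _read_encint(chunk, pos, end)
            if pos + nlen > end:
                raise ValueError("entry name runs past the chunk's entry area")
            name = chunk[pos:pos + nlen].decode("utf-8", "replace")
            pos += nlen
            section, pos = _read_encint(chunk, pos, end)
            offset, pos = _read_encint(chunk, pos, end)
            length, pos = _read_encint(chunk, pos, end)
            entries.append((name, section, offset, length))
    return entries


def read_uncompressed(data, entry):
    """Bytes of an entry stored in section 0; section 1 is LZX-compressed and needs a decoder."""
    name, section, offset, length = entry
    if section != 0:
        raise ValueError("%s lives in the MSCompressed (LZX) section" % name)
    base = parse_itsf(data)["content_off"]
    if base + offset + length > len(data):
        raise ValueError("%s points outside the file" % name)
    return data[base + offset:base + offset + length]


def executable_entries(entries):
    """Names whose extension says 'program', whatever the .chm suffix suggests."""
    return [e[0] for e in entries if e[0].lower().endswith(EXEC_EXT)]


def is_valid_chm(data):
    try:
        list_entries(data)
        return True
    except ValueError:
        return False


def build_sample_chm(files, block_len=0x1000):
    """Constructed sample: a v3 CHM with one PMGL chunk and all files uncompressed in section 0."""
    content, listing, off = b"", b"", 0
    for name, body in sorted(files.items()):      # PMGL entries are kept sorted by name
        nb = name.encode("utf-8")
        listing += _encint(len(nb)) + nb + _encint(0) + _encint(off) + _encint(len(body))
        content += body
        off += len(body)
    free = block_len - PMGL_HDR - len(listing)
    pmgl = b"PMGL" + struct.pack("<IIii", free, 0, -1, -1) + listing + b"\0" * free
    itsp = b"ITSP" + struct.pack("<iiiIiiiiiIiI", 1, ITSP_LEN, 10, block_len, 2, 1, -1, 0, 0, 1, -1, 0x409) + b"\0" * 32
    directory = itsp + pmgl
    sec0_off, sec0_len = 0x60, 0x18               # tiny "header section 0" right after ITSF
    dir_off = sec0_off + sec0_len
    content_off = dir_off + len(directory)
    itsf = (b"ITSF" + struct.pack("<iiiII", 3, 0x60, 1, 0, 0x409) + b"\0" * 32
            + struct.pack("<QQQQQ", sec0_off, sec0_len, dir_off, len(directory), content_off))
    return itsf + b"\0" * sec0_len + directory + content
```

Running `list_entries` over an attachment answers the question in the thread directly: a .chm that lists `/something.exe` is an archive carrying a program, and the three length checks in the walker are what stop a crafted directory from driving reads past the end of the buffer.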


Re: [Clamav-users] Next Stable?

2004-09-13 Thread Trog
On Mon, 2004-09-13 at 09:24, D Walsh wrote:
> They only problem with updating versions is when the tools required to 
> build the update change as well.

autoconf is only required to build devel/CVS versions.


> I updated autoconf to 2.59 (latest), ./configure went OK but build 
> produced some errors.
> 

What System / OS are you building on? What compiler and version?

-trog



signature.asc
Description: This is a digitally signed message part


Re: [Clamav-users] Next Stable?

2004-09-13 Thread Trog
On Mon, 2004-09-13 at 10:07, D Walsh wrote:

> > What System / OS are you building on? What compiler and version?
> 
> Mac OSX Server 10.3.5 (Darwin/FreeBSD)
> gcc 3.3
> 

Ok, I think this warning:

chmunpack.c:175: warning: integer constant is too large for "long" type

is a result of new checks in gcc 3.3

I don't think it is going to cause a problem, but I'll look into testing
an explicit type specifier when I get the time.

Cheers,
-trog



signature.asc
Description: This is a digitally signed message part


Re: [Clamav-users] kernel: Out of Memory:Killed process xxxxx (clamd).

2004-09-14 Thread Trog
On Tue, 2004-09-14 at 06:30, Meni Shapiro wrote:

> > Clamd works great for lots of people, but some have reported memory 
> > leaks on latest stable (0.75.1),
> > which could cause your system to be "out of memory".

A few people (out of the thousands who run ClamAV) have reported "memory
leaks" in stable versions of clamd. 

However, none of those people have submitted a report from a memory
debugging tool to show where the leak occurs on their systems, despite
being asked to by the development team. None of the development team
have seen such a leak.

Until one of the people complaining produces a useful report, nothing
can be done. It is just as likely a leak in a system library than in
clamd.

-trog



signature.asc
Description: This is a digitally signed message part


Re: [Clamav-users] kernel: Out of Memory:Killed process xxxxx (clamd).

2004-09-14 Thread Trog
On Tue, 2004-09-14 at 09:42, Jason Haar wrote:
> On Tue, Sep 14, 2004 at 08:38:57AM +0100, Trog wrote:
> > A few people (out of the thousands who run ClamAV) have reported "memory
> > leaks" in stable versions of clamd. 
> > 
> > However, none of those people have submitted a report from a memory
> > debugging tool to show where the leak occurs on their systems, despite
> > being asked to by the development team. None of the development team
> > have seen such a leak.
> > 
> 
> I tried to help out with valgrind as you suggested - but within 10 mins it
> took 1.5Gb of RAM on my workstation (I wasn't going to put it up on
> production now was I? :-) and - well - I turned it off. I really don't have
> the equipment to handle running 1.5Gb debugging processes...

On my 512MB FC-1 system:

%MEM   VSZ  RSS COMMAND
12.8 1566524 66012 valgrind --leak-check=yes --tool=memcheck clamd

The virtual size may get up to 1.5GB, but the resident size (which is
the actual amount of memory it is using) shouldn't. So, unless you are
running with No-Overcommit Memory settings, which certainly isn't
required on a workstation (and is of arguable use at all) it shouldn't
be an issue.

Apart from that, even running it for 10 mins may be enough to show a
problem. Did you generate a result, or just kill it?

-trog



signature.asc
Description: This is a digitally signed message part


Re: [Clamav-users] Re: [Clamav-users] CVS Clamav status

2004-09-14 Thread Trog
On Tue, 2004-09-14 at 10:38, [EMAIL PROTECTED] wrote:
> Strange...I must have messed with the sources because the program based on the old clamav snapshot
> worked with archives
> properly but now the test signature is only detected in plain text files and any
> decompression like zip, gzip,
> cab etc seems unable to open or read the file.

> I use cs_scanfile.

So you have your own code that uses libclamav?

Sounds like you haven't enabled CL_SCAN_ARCHIVE

-trog



signature.asc
Description: This is a digitally signed message part


Re: [Clamav-users] kernel: Out of Memory:Killed process xxxxx (clamd).

2004-09-14 Thread Trog
On Tue, 2004-09-14 at 11:04, Fajar A. Nugraha wrote:
> >
> >That is not evidence of a memory leak. It is evidence of as lot of memory
> >being used at runtime which is a very different thing.
> >
> >  
> >
> BTW, what IS the evidence of memory leak?

There is no substantiated evidence at this point.

> Would you call memory usage of 128MB leak?
> Would you call clamd memory usage of 3GB leak?

Neither. I would call losing reference to allocated memory a memory
leak.

> Is there anumber which says "x amount of memory used by clamd is normal" ?

No, it depends entirely upon your usage.

> I know that the amount of memory used should be varied depending on 
> system activity,
> but when clamd uses 1 or 2 GB memory when it does nothing (well, it WAS 
> very busy
> earlier, but it's doing nothing now) is _weird_

If you're scanning multiple 1GB files concurrently, then you're going to
use 1-2GB of memory. 

It's up to your system's malloc/free implementation to decide when memory
is released back to the system, not clam's. So memory not going down
during inactive periods is not "_weird_", it is entirely normal
behaviour.

-trog



signature.asc
Description: This is a digitally signed message part


Re: [Clamav-users] kernel: Out of Memory:Killed process xxxxx (clamd).

2004-09-14 Thread Trog
On Tue, 2004-09-14 at 12:07, Fajar A. Nugraha wrote:
> Trog wrote:
> >
> >If you're scanning multiple 1GB files concurrently, then your going to
> >use 1-2GB of memory. 
> >
> That's just it. I put a size limit on my mail system, BEFORE clamd has a 
> chance to scan it,
> so I know for a fact that no mail ever exceeds 50MB.
> Perhaps MaxThreads 32 has something to do with the 3 GB memory usage  

MaxThreads doesn't have a direct correlation to memory usage. clamd will
not start threads it doesn't need, and unused threads will exit if there
is no work for them to do.


> Now comes a question : what does clamd (the devel versions) do when it 
> cannot allocate additional memory ?
> I was under the impressions that old versions simply "returns an error 
> and wait" instead of just died.
> Which makes running daemontools alone insufficient.

It'll return an error and attempt to continue in most instances.

> 
> If that were true, is there a plan to change that behaviour to 
> "die/panic on memory errors"?
> Is there any plan to implement some kind of built-in memory-limiter on 
> clamd?

As Nigel has stated on more than one occasion, memory usage in the
current development tree is much more predictable than in the current
stable version.

-trog



signature.asc
Description: This is a digitally signed message part


Re: [Clamav-users] Re: kernel: Out of Memory:Killed process xxxxx (clamd).

2004-09-15 Thread Trog
On Wed, 2004-09-15 at 10:16, Fajar A. Nugraha wrote:

> Do you have any suggestion as to how to get back the free()d memory?
> Will (borrowing Apache's way) using a prefork-kind of daemon, with 
> limited lifetime
> for each child, be better (in sense of memory management) than the current
> thread implementation? Or perhaps limiting the lifetime of each thread 
> sufficient?

Apache has been moving away from the "prefork-kind of daemon" towards
threads for a number of years.

The lifetime of threads in clamd is limited by the workload. If they
don't have any work to do for a period of time, then they exit.

Have you tried the current CVS version? If not, do.

-trog



signature.asc
Description: This is a digitally signed message part


Re: [Clamav-users] kernel: Out of Memory:Killed process xxxxx (clamd).

2004-09-15 Thread Trog
On Wed, 2004-09-15 at 12:27, Ralf Hildebrandt wrote:
> * Jason Haar <[EMAIL PROTECTED]>:
> > On Wed, Sep 15, 2004 at 09:58:41AM +0200, Ralf Hildebrandt wrote:
> > > > Because current clamd implementation is not to "die" on
> > > > memory allocation error, but sleep.
> > > 
> > > It doesn't die, it's being killed by the kernel.
> > 
> > No - clamd does a malloc and that fails. Then instead of dying (which would
> > be the proper thing to do IMHO), it sleeps a few microsecs and then tries to
> > malloc the memory again. Infinite loop occurs...
> 
> Ok, THAT's bad - and should be fixed.

If it were true it would be. Please point me at some code in clamd that
does that.

-trog



signature.asc
Description: This is a digitally signed message part


Re: [Clamav-users] kernel: Out of Memory:Killed process xxxxx (clamd).

2004-09-15 Thread Trog
On Wed, 2004-09-15 at 15:17, Ralf Hildebrandt wrote:
> * Trog <[EMAIL PROTECTED]>:
>  
> > > Ok, THAT's bad - and should be fixed.
> > 
> > If it were true it would be. Please point me at some code in clamd that
> > does that.
> 
> That was not my claim, but the other person's.

I know, I believe I correctly kept the attribution. You merely believed
it at face value.

-trog



signature.asc
Description: This is a digitally signed message part


Re: [Clamav-users] Re: kernel: Out of Memory:Killed process xxxxx (clamd).

2004-09-17 Thread Trog
On Thu, 2004-09-16 at 04:58, Fajar A. Nugraha wrote:
> Trog wrote:
> 
> >Apache has been moving away from the "prefork-kind of daemon" towards
> >threads for a number of years.
> >  
> >
> Yes, but in case you didn't notice prefork is STILL the default MPM if 
> no specific one
> is chosen. It's for "compatibility purposes" mostly, for modules that 
> are not thread-safe yet.
> So it's still pretty much alive.

Sure, and I still use it extensively. But, the point is that you were
using the fact that Apache uses fork()ing as an argument for not using
threads, when in fact they are moving towards threads away from
fork()ing.

> 
> >The lifetime of threads in clamd is limited by the workload. If they
> >don't have any work to do for a period of time, then they exit.
> >  
> >
> What if they have lots of things to do all the time? (e.g. busy 
> mailservers).

Then they will keep processing work requests.

> The 3G memory usage that I talk about happens on the busiest server.
> The not-so-busy only uses hundreds of MB max.
> It might be a good idea to force-limit thread lifetime to a number of scans
> if it indeed helps return memory back to the OS (not sure about this one 
> though.
> Logically it should work).

Won't make any difference. The thread manager is completely separate
from the scanning engine. A memory leak in the scanning engine won't get
magically recovered by thread termination.

You can limit the number of concurrent threads, and hence memory by
using the MaxThreads directive. That also limits the number of
concurrent scans.



> >Have you tried the current CVS version?? If not, do.
> >
> >  
> >
> I did. Upgraded daily, in fact. I build (and use) daily CVS snapshot for 
> many
> platforms, including Solaris (available on clamav.or.id).
> 
> Most recent CVS snapshot still have this problem (e.g memory not 
> returned to the OS).
> This clamd has been running for 7 hours, on a not-so-busy mailserver.
> 
>   PID USERNAME LWP PRI NICE  SIZE   RES STATETIMECPU COMMAND
>   1706 exim   9  580   41M 8064K sleep   16:43  4.30% clamd
> 

It's using only 8M of memory. Nothing wrong with that.

-trog



signature.asc
Description: This is a digitally signed message part


Re: [Clamav-users] Re: kernel: Out of Memory:Killed process xxxxx

2004-09-17 Thread Trog
On Thu, 2004-09-16 at 06:28, Mar Matthias Darin wrote:
> Fajar A. Nugraha writes: 
> 
> > Do you have any suggestion as to how to get back the free()d memory?
> > Will (borrowing Apache's way) using a prefork-kind of daemon, with limited 
> > lifetime
> > for each child, be better (in sense of memory management) than the current
> > thread implementation? Or perhaps limiting the lifetime of each thread 
> > sufficient?
> 
>  From experience with pthreads and Linux v2.4, pthreads was a royal pain.  I 
> initially used threads as a method of a limited lifetime model for my 
> firewall design...  I kept getting unusual and unpredictable segfaults.  The 
> process would run anywhere from 2 days to several months, then for no 
> apparent reason, segfault in a routine that had been tested a thousand times 
> under high stress conditions and not failed. 

Such things are generally due to memory usage bugs in the code, they
just don't trigger very often.

My pthread'ed web proxy has been running very stably on RH 6.2 (kernel
2.2.19) for a very long time, current stats:

connections(24104670) requests(54869840) threads(4/24)

[The threads stat means there are 24 worker threads started, and 4 of
them are currently actively doing something useful at this moment in
time - in this model, all networking is non-blocking, so threads don't
wait for network I/O - this means that the churn rate for threads is
very high, while the actual number of threads remains relatively low.]

> 
> After moving to fork() and named pipes, the same code hasn't broken once in 
> nearly a year of hard testing.  My tests often included 10 or more icmp 
> floods of at least 65535 packets.  I drove my load to 240 during the test... 
> 
> Now the forked process uses and frees memory thousands of time per second 
> with no issue... 
> 
> Pthreads work well for light duty non-daemon processes...  If its heavy duty 

It depends how good your model and implementation are in my experience.

-trog



signature.asc
Description: This is a digitally signed message part


Re: [Clamav-users] announcing ClamAV 0.80rc

2004-09-21 Thread Trog
On Tue, 2004-09-21 at 12:44, Fajar A. Nugraha wrote:
> Tomasz Kojm wrote:
> >
> >Almost all changes are backward compatible but the point of the renaming
> >was to force users to review/edit their config files. Most of you are
> >simply too lazy to add, activate, or tune new options without such
> >dramatic changes.
> >
> >  
> >
> Is there a particular reason to FORCE people to take-a-look at their 
> clamd options?
> Is it not enough to leave it as-is if they're happy with it?
> Most of the stable option (such as ScanMail) are enabled by default anyway.

You'll probably be missing ScanHTML and ScanPE, and possibly ScanOLE2 if
your clamav.conf is really old.

Also, your freshclam.conf will be missing DNSDatabaseInfo

-trog




signature.asc
Description: This is a digitally signed message part


Re: [Clamav-users] announcing ClamAV 0.80rc

2004-09-21 Thread Trog
On Tue, 2004-09-21 at 13:42, Bill Maidment wrote:
> Trog wrote:
> 
> > 
> > Also, your freshclam.conf will be missing DNSDatabaseInfo
> > 
> 
> My freshclam.conf is indeed missing DNSDatabaseInfo, but I don't see 
> anything replacing that.

It's not a replacement, it's an addition to the existing freshclam.conf

-trog



signature.asc
Description: This is a digitally signed message part


Re: [Clamav-users] announcing ClamAV 0.80rc

2004-09-21 Thread Trog
On Tue, 2004-09-21 at 14:11, Bill Maidment wrote:
> Trog wrote:
> 
> > 
> > It's not a replacement, it's an addition to the existing freshclam.conf
> > 

> So why wasn't freshclam.conf renamed to force people to look at that too?

The new options in clamd.conf have an effect on the number of
viruses/malware that clamd will detect.

The options to freshclam don't affect virus detection (per se). The
DNSDatabaseInfo will reduce the load on the signature mirror sites, and
allow you to check for updates more often, so it is advantageous to use
it, but not strictly required.

-trog





Re: [Clamav-users] announcing ClamAV 0.80rc

2004-09-21 Thread Trog
On Tue, 2004-09-21 at 14:23, Frank Elsner wrote:
> On Tue, 21 Sep 2004 13:03:32 +0200 Tomasz Kojm wrote:
> 
>   [ ... ]
> 
> > Almost all changes are backward compatible but the point of the renaming
> > was to force users to review/edit their config files. Most of you are
> > simply too lazy to add, activate, or tune new options without such
> > dramatic changes.
> 
> Unfortunatly the "make install" overwrites an existing file.

No it doesn't.

-trog





Re: [Clamav-users] announcing ClamAV 0.80rc

2004-09-21 Thread Trog
On Tue, 2004-09-21 at 14:30, Stefan Hornburg wrote:

> In that case we should probably rot somewhere, but you make the life for packagers
> of ClamAV (e.g. Debian) unnecessarily hard.

Are you saying that you would otherwise have simply left the existing
clamav.conf file unaltered, thereby leaving users open to known
malware/viruses?

-trog





Re: [Clamav-users] announcing ClamAV 0.80rc

2004-09-21 Thread Trog
On Tue, 2004-09-21 at 15:24, Rob Evers wrote:
> Trog wrote:
> > On Tue, 2004-09-21 at 14:30, Stefan Hornburg wrote:
> > 
> > 
> >>In that case we should probably rot somewhere, but you make the life for packagers
> >>of ClamAV (e.g. Debian) unnecessarily hard.
> > 
> > 
> > Are you saying that you would otherwise have simply left the existing
> > clamav.conf file unaltered, thereby leaving users open to known
> > malware/viruses?
> > 
> > -trog
> > 
> 
> Maybe parsing the old configure file and warn during install or 
> runtime if there are obsolete or missing options ?

And what prevents that happening now, prefixed by a 'mv'? The only
difference is that now the packagers have to actually think about it,
rather than just ignoring the issue of new config directives.

-trog





Re: [Clamav-users] make fails with 0.80rc2

2004-09-22 Thread Trog
On Wed, 2004-09-22 at 10:53, Bill Maidment wrote:
> Hi
> 
> I've built clamav-0.80rc2 on FC1 FC2 and FC3, but
> when I tried it on a RH 7.2 machine the make fails as follows:
> 
> gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I./zziplib -I./mspack -g -O2 -MT 
> mbox.lo -MD -MP -MF .deps/mbox.Tpo -c mbox.c  -fPIC -DPIC -o .libs/mbox.lo
> mbox.c: In function `getURL':
> mbox.c:2735: `CURLOPT_DNS_USE_GLOBAL_CACHE' undeclared (first use in 
> this function)
> 
> Actually, I'm surprised I got this far, but I live in hopes.
> BTW the reason this machine is RH 7.2 is for technical reasons. So I'm 
> stuck with this old distro.
> 

Disable libcurl support:

./configure --without-libcurl

-trog





Re: [Clamav-users] Problem to compile clamav+milter under Linux/Debian

2004-09-22 Thread Trog
On Wed, 2004-09-22 at 10:58, Marc ROMERO wrote:
> Dear clamav-users
> 
> I've a Linux Debian (2.4.20) that is running clamav-0.75.1. I'm trying to compile
> clamav-0.80rc2 and I didn't manage to compile a new version because I'm
> getting the following error message (The error message is given at the
> end of the message). Can you help me ?

> 
> gcc -DHAVE_CONFIG_H -I. -I. -I.. -I../clamd -I../libclamav -I../shared 
> -DSENDMAIL_BIN=\"/opt/sendmail/sbin/sendmail\" -L/opt/sendmail/include -c 
> clamav-milter.c
> clamav-milter.c: In function `main':
> clamav-milter.c:834: `LC_ALL' undeclared (first use in this function)
> clamav-milter.c:834: (Each undeclared identifier is reported only once
> clamav-milter.c:834: for each function it appears in.)
> make[2]: *** [clamav-milter.o] Error 1
> make[2]: Leaving directory `/staff/clamav-0.80rc2/clamav-milter'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/staff/clamav-0.80rc2'
> make: *** [all] Error 2

Does this patch fix it? You may have to apply by hand.

--- clamav-milter.c 20 Sep 2004 12:46:05 -  1.131
+++ clamav-milter.c 22 Sep 2004 10:23:49 -
@@ -454,6 +454,7 @@
  
 #ifdef C_LINUX
 #include 
+#include 
  
 #definegettext_noop(s) s
 #define_(s)gettext(s)
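Review bot: both `#include` lines in this hunk (the existing one under `#ifdef C_LINUX` and the added one) have lost their header names, so the patch cannot be applied as shown; the build error it addresses is `LC_ALL` undeclared at clamav-milter.c:834, and `LC_ALL` is declared in `<locale.h>`, so that is the header the added line should name. The new include also sits inside the `#ifdef C_LINUX` block, so a non-Linux build that reaches the same `LC_ALL` use at line 834 would fail in the same way; unless that use is itself guarded by `C_LINUX`, the include belongs outside the conditional.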





Re: [Clamav-users] .80RC2 Signature error

2004-09-23 Thread Trog
On Thu, 2004-09-23 at 16:28, James Turnbull wrote:
> >>LibClamAV Error: Malformed database file 
> >>/tmp/clamav-50dd544511651de2/viruses.db

You have a problem somewhere because this filename is not used anymore.
So you either have some stale db files, or you downloaded from a stale
site.

-trog





Re: [Clamav-users] test windows exploit sigs

2004-09-25 Thread Trog
On Sat, 2004-09-25 at 10:35, Andy Fiddaman wrote:

> A quick question for the database maintainers though - are you planning to
> add a signature for this exploit (particularly now that an exploit toolkit
> exists) ? All of my commercial scanners here now detect it - F-Prot even
> released a new version yesterday to specifically catch it.

Yes. There is an issue with the current 0.80rc2 that will cause false
positives with this signature though, so it'll need to wait until after
that is fixed, which should be this weekend.

-trog




___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] clamd hang in rc4

2004-10-13 Thread Trog
On Tue, 2004-10-12 at 18:56, [EMAIL PROTECTED] wrote:
> On Tue, 12 Oct 2004, Scott Rothgaber wrote:
> > Doug Hardie wrote:
> > 
> > > have encountered quite a few situations in the last month where clamav 
> > > just stopped working properly and had to be manually restarted.
> > 
> > I had the same problem with spamass-milter a while back. What you need 
> > is a "watchdog" script, something like this...
> > 
> 
> We had a problem similar to this this week, however, the problem wasn't
> due to a dead/core'd process.  clamdscan actually hung for one reason or
> another and clamd had to be shot down with a -9.  This took place just
> after the upgrade to .80rc4 and I attributed it to (possibly) having a rc3
> clamd running with a rc4 clamdscan.  Perhaps I did not adequately shut
> down rc3 before the update.  Either way, I assume that clamdscan shouldn't
> hang if clamd is dead.  I noticed that mail was backed up because the
> amavis delivery agent (ADA?) hung when it relayed to amavisd.  Eventually
> the problem was found to be clamdscan hanging and restarting clamd (after
> a -9) seemed to work.
> 
> Is anyone else experiencing similar problems?

The only known crashing issue with clamd is due to broken versions of
libz. Either run zlib-1.1.4 or a fixed version of 1.2.1 (which some
vendors have issued, see CAN-2004-0797)

-trog





Re: [Clamav-users] Re: Upgrade to 0.80rc3 breaks Exim malware acl (still broken in 0.80rc4)

2004-10-13 Thread Trog
On Tue, 2004-10-12 at 21:11, Philip Ross wrote:
> Philip Ross wrote:
> > Another change to the HAVE_POLL code in clamd/others.c has now been 
> > checked in to CVS:
> > 
> > http://cvs.sourceforge.net/viewcvs.py/clamav/clamav-devel/clamd/others.c?r1=1.18&r2=1.19
> > 
> > 
> > I haven't yet tried this to see if this fixes the problem.
> 
> I'm now running 0.80rc4 and am still seeing the same problem. This 
> change to others.c hasn't fixed the problem with Exim/exiscan.
> 
> Can anyone else confirm that this is still a problem with 0.80rc4?
> 
> Are the developers aware of this issue? Is there a fix pending?

I've never used exiscan, but it sounds like a bug in exiscan (or a
configuration issue).

exiscan must be closing its side of the connection to clamd without
waiting for clamd to finish scanning. This signals to clamd to abort the
scan. exiscan must not do that.

-trog




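The failure mode trog describes above, a client that closes its side of the clamd socket before the verdict arrives, is easy to reproduce. The following Python is an added example, not exiscan's or clamd's own code: a minimal client for clamd's one-shot SCAN command, run against a mock scanner on a loopback port that behaves the way the reply says clamd does (a hang-up during the scan is taken as an abort). The mock, the 0.5 second "scan" window and the scanned path are constructed for the example; a real clamd listens on the LocalSocket or TCPSocket configured in clamd.conf.

```python
import socket
import threading

# Constructed path for the example; nothing is actually scanned.
SCAN_PATH = "/tmp/clamav-example/message.eml"


def clamd_scan(addr, path, wait_for_reply=True):
    """Client side of clamd's SCAN command: send one command line and read
    the verdict line ("<path>: OK" or "<path>: <Name> FOUND").
    wait_for_reply=False reproduces the mistake the thread describes:
    hanging up before clamd has answered."""
    with socket.create_connection(addr, timeout=5) as s:
        s.sendall(f"SCAN {path}\n".encode())
        if not wait_for_reply:
            return None                    # closed early: no verdict, scan aborted
        buf = b""
        while not buf.endswith(b"\n"):
            chunk = s.recv(4096)
            if not chunk:
                break                      # scanner closed without a verdict
            buf += chunk
        return buf.decode().strip()


def mock_clamd(server, log):
    """Stand-in for clamd's per-connection handling (not clamd's own code):
    read one command, 'scan' for a while, and treat the client closing its
    side during that window as an order to abort, as the reply describes."""
    conn, _ = server.accept()
    with conn:
        cmd = b""
        while not cmd.endswith(b"\n"):
            chunk = conn.recv(256)
            if not chunk:
                log.append("aborted")      # client gone before the command ended
                return
            cmd += chunk
        path = cmd.decode().split(" ", 1)[1].strip()
        conn.settimeout(0.5)               # stands in for the scan duration
        try:
            if conn.recv(1) == b"":        # EOF: the client hung up mid-scan
                log.append("aborted")
                return
        except socket.timeout:
            pass                           # client still waiting: deliver verdict
        conn.sendall(f"{path}: OK\n".encode())
        log.append("scanned")


def run_case(wait_for_reply):
    """Run one client/mock-clamd exchange on a loopback port and return
    (verdict seen by the client, what the scanner side recorded)."""
    server = socket.socket()
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    log = []
    t = threading.Thread(target=mock_clamd, args=(server, log))
    t.start()
    verdict = clamd_scan(server.getsockname(), SCAN_PATH, wait_for_reply)
    t.join()
    server.close()
    return verdict, log[0]


if __name__ == "__main__":
    print(run_case(True))    # ('/tmp/clamav-example/message.eml: OK', 'scanned')
    print(run_case(False))   # (None, 'aborted')
```

The second case is the one that matters operationally: the early-closing client never sees a verdict, so the MTA glue around it must treat "no verdict" as a scan failure (temporary reject or defer), not as a clean result, or the message goes through unscanned.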

Re: [Clamav-users] Virus Definitions update website

2004-10-14 Thread Trog
On Thu, 2004-10-14 at 07:55, Robert Fleming wrote:
> --On Wednesday, October 13, 2004 12:52 PM -0500 Jeff Bilder is rumoured to 
> have written:
> 
> > Hey group,
> >
> > Was curious if there is a website the shows a chart of which companies,
> > and clam, rate in terms of updating their Virus Definitions.  I need to
> > put some documentation together for my director.  Thanks!
> >
> 
> Nothing recent, but here are a couple of URLs comparing 'the other guys' 
> including information on the mydoom outbreak with a message from this list 
> showing how clamav fared with that one (attached)

If you want to pay for it, I'm sure Andreas Marx
(http://www.av-test.org) will be able to supply you with the data you
require.

-trog





Re: AW: [Clamav-users] virus submission problem

2004-09-29 Thread Trog
On Tue, 2004-09-28 at 21:35, Steffen Heil wrote:
> Hi
> 
> > I have a serious issue with the current way virus samples are submitted.
> Right now, many viruses, such as the currently-spreading jpeg virus (see
> http://www.easynews.com/virus.txt) are detected by 0.80rc# or by some CVS
> version.  But we can't be expected to run those on production servers.
> > Yes, I understand that 0.7x can't do a heuristic check for the jpeg
> exploit.  However, it *can* look for this particular file (get your free
> copy from  http://easynews.com/virus/virus-jpeg.zip), and a signature should
> be released.
> > This is not an isolated case.  The virus submission page must be changed
> to run the latest RELEASED version of clamav.
> 
> I totally agree.
> It is great to know, that some soon coming version will detect things better
> and can detect generic problems instead of single viri only.
> However I have somehow the feeling, that right now our servers are under
> attack and we are left in the rain alone.

One of the major advantages of ClamAV over commercial products is that
you are able to add your own signatures. Signatures for the JPEG exploit
for non-80rc versions have been posted to the list.

The only signatures in the new format in the current db are there
because old style signatures would either produce false positives, or
are not possible to create. There are less than 10 of them.

The main advantage of the 0.80 version is the new unpackers and file
type support. As such it is able to spot existing signatures in more
file types. It does not inherently support a huge number of new
signatures.

The ClamAV team have very limited resources, and our time is better
spent creating new signatures for unknown viruses, rather than wading
through old viruses we already have signatures for, just because they
happen to be in some archive type that old versions of clam don't know
about.

> 
> Maybe, development could be split into two parts: engine and program host.
> Then updates to the engine (to accomodate new virus signature types) could
> be added, while the program can be developed more slowly.

Are you volunteering to build 'engine' binaries for every platform that
every user would conceivably use ClamAV on in order to support this?

> 
> I like clam-av very much, but knowing, that I got a virus that was happily
> detected by McAfee some weeks ago and that I tried to submit to the clamav
> team, is still not detected by my server and may still hit my customers is a
> nightmare.

I've said this before, and I'll say it again. That's a business decision
on your part. You have to weigh up the pros and cons of the options and
make a decision based on those. You can do things to mitigate the
perceived risks of deploying the 0.80rc3 version, like doing internal
testing, having a warm backup of your production system with which to
continually test CVS versions (and supply feedback), re-configure your
system to use clamscan rather than clamdscan, etc.

Personally, I chucked 15GB of customer email through CVS versions prior
to 0.80rc in order to check its integrity. And continued to do so until
I was happy with the results. As such I have confidence in its
stability.

-trog





Re: [Clamav-users] virus submission problem

2004-09-29 Thread Trog
On Wed, 2004-09-29 at 11:21, Paul Boven wrote:
> Hi everyone,
> 
> Bogusław Brandys wrote:
> 
> >>>> This is not an isolated case.  The virus submission page must be 
> >>>> changed to run the latest RELEASED version of clamav.
> 
> Seconded. I run an up-to-date release version of ClamAV (0.75), there 

The current stable version is 0.75.1

> are viruses getting through, but I can't submit them because 0.80rc3 
> would have recognised them. And we know clamav 0.75 would be able to 
> detect these given specific examples.

Your clairvoyance astounds me.

You are free to add your own signatures to spot your samples. They
almost certainly wouldn't catch any other samples of the same virus
though.

-trog





Re: [Clamav-users] virus submission problem

2004-09-29 Thread Trog
On Wed, 2004-09-29 at 12:42, Bill Maidment wrote:
> Trog wrote:
> 
> > 
> > The current stable version is 0.75.1
> > 
> > 
> 
> The stable webpage points me to 0.80rc3 as the latest!!!
> 

No it doesn't. It takes you to a page containing a number of links and
information, one such link is to clamav-0.80rc3.tar.gz another such link
is clamav-0.75.1.tar.gz.

The page states this:

"Before downloading, you may want to read Release Notes and ChangeLog"

The README with 0.80rc3 clearly states it is a "release candidate".

-trog





Re: [Clamav-users] ERROR: JPEG.Comment

2004-09-30 Thread Trog
On Thu, 2004-09-30 at 08:26, Damian Menscher wrote:
> false positive.  Only the third rule:
>   Exploit.JPEG.Comment.3:5:0:ffd8fffe00(00|01)
> is 100% safe.  (Note that I work for the Imaging Technology Group, so a 
> false positive on a jpeg would be a Very Bad Thing.  And even a 0.01% 
> failure rate is bad when you have 1765217 jpegs.)
> 
> Of course, one option would be to handle a .jpg in the same way as a 
> .zip, .tar, etc and actually look at it with an understanding of the 
> file format.  That means not scanning the comments themselves, only the 
> data headers.  Of course, that means writing an entire scanning module 
> just for .jpg files.  This does NOT scale well.
> 

CVS contains some code to parse JPEG files *only* when they match
against a Exploit.JPEG.Comment signature. This should remove false
positives, and hopefully still not miss any real samples.

-trog





Re: [Clamav-users] Suspected Zip?

2004-09-30 Thread Trog
On Thu, 2004-09-30 at 10:49, Dave Ewart wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Hello ClamAV users,
> 
> Using 0.80rc2 ... one local user sent another a zip file containing
> various text files and an EXE program (compiled application from Delphi,
> I think).
> 
> This file was blocked by ClamAV as "Suspected.Zip".
> 
> Can someone explain the reasons for this?  Is it simply the presence of
> the EXE file in the Zip archive which triggered this response?  The Zip
> was not password-protected, or encrypted in any other way.

It means the zip contains either a file with a zero-length name, or a file
that's zero bytes in length, or possibly that the unzip failed.

-trog





Re: [Clamav-users] Latest snapshot greatly increases scanning speed

2004-10-18 Thread Trog
On Sun, 2004-10-17 at 05:16, Christopher X. Candreva wrote:
> I posted a week or so ago about problems scanning OLE files, where some 
> files took upwards of 2 minutes to scan.
> 
> Tomasz e-mailed me about an updated in the latest CVS that addresses this 
> problem. That same file is now scanning in about 2 seconds.
> 
> For anyone else having this problem, give the 20041017 snapshot a try. 
> Working great here.

Just for the record, the problem described was nothing to do with the
OLE2 unpacker, but rather a problem in the scanner.

-trog





Re: [Clamav-users] GDI+ bug exploit Mutations

2004-10-18 Thread Trog
On Mon, 2004-10-18 at 15:40, Brian Morrison wrote:
> On Mon, 18 Oct 2004 11:22:01 +0200 in
> [EMAIL PROTECTED] Tomasz Kojm <[EMAIL PROTECTED]>
> wrote:
> 
> >  > > For those running 0.80rc4 or 0.80 final, you can catch all jpeg
> >  > > exploits with the following signature (add it to a local.ndb file
> >  > > in your database directory):
> >  > > 
> >  > > Exploit.JPEG.Comment.FalsePos:5:0:ffd8ff
> >  > > 
> >  > > Warning: do NOT use this if you're running 0.80rc[123], since it
> >  > > WILL cause false positives.  Also, do NOT change the name.  The
> >  > > ClamAV code
> >  > 
> >  > Please do not use it. It seems the JPEG exploit verificator is
> >  > still not perfect and may not eliminate all false positive matches.
> > 
> >  False alert. It appeared some Japanese camera software creates broken
> >  pictures.
> 
> So that signature *is* safe to use? Or have I read your comment wrongly?

It should be safe to use with 0.80, but on the other hand, it'll match
*every* JPEG file and process them through the false positive
elimination code, which will impact performance (very slightly).

-trog




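The two JPEG threads above (the `Exploit.JPEG.Comment.3` signature in "ERROR: JPEG.Comment", and the catch-all `Exploit.JPEG.Comment.FalsePos` signature here) describe the same two-stage design: a cheap .ndb hex signature selects candidate files, and a JPEG parser then confirms the malformed comment segment so that false positives are dropped. The Python below is an added illustration of that design, not ClamAV's code. It reads the two .ndb lines exactly as quoted on the list (ClamAV's Name:TargetType:Offset:HexSig layout; type 5 is graphics), turns the hex part into a pattern, and walks the JPEG marker chain for a COM (0xFFFE) segment whose 16-bit length field is below 2, which is the condition both signatures target. It goes a little beyond the strict signature in that the walker also catches a bad COM segment that is not the first segment after SOI. The sample byte strings are constructed here, and `ndb_hex_to_regex` handles only the plain-hex and `(aa|bb)` forms seen in the thread, not ClamAV's other wildcards.

```python
import re
import struct

# The two .ndb lines quoted in these threads (Name:TargetType:Offset:HexSig).
SIG_STRICT = "Exploit.JPEG.Comment.3:5:0:ffd8fffe00(00|01)"
SIG_BROAD = "Exploit.JPEG.Comment.FalsePos:5:0:ffd8ff"


def ndb_hex_to_regex(hexsig):
    """Translate the hex part of an .ndb line into a compiled bytes regex.

    Only plain hex bytes and the (aa|bb) alternation used above are handled;
    ClamAV's other wildcards (??, *, {n}) are outside this example.
    """
    parts = []
    for alt, single in re.findall(r"\(([0-9a-fA-F|]+)\)|([0-9a-fA-F]{2})", hexsig):
        if alt:
            choices = [re.escape(bytes.fromhex(c)) for c in alt.split("|")]
            parts.append(b"(?:" + b"|".join(choices) + b")")
        else:
            parts.append(re.escape(bytes.fromhex(single)))
    return re.compile(b"".join(parts), re.DOTALL)


def ndb_match(sig_line, data):
    """True if the signature's hex pattern occurs at its fixed offset."""
    name, target, offset, hexsig = sig_line.split(":", 3)
    return ndb_hex_to_regex(hexsig).match(data, int(offset)) is not None


def jpeg_comment_underflow(data):
    """Walk the marker segments of a JPEG and return the offset of the first
    COM (0xFFFE) segment whose length field is < 2, or None.

    A length below 2 is impossible in a well-formed file (the field counts
    its own two bytes); this is what the Exploit.JPEG.Comment sigs look for.
    """
    if data[:2] != b"\xff\xd8":                  # SOI
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None                          # lost sync: not a marker
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:
            pos += 2                             # standalone markers, no length
            continue
        if marker in (0xD9, 0xDA):               # EOI, or SOS: scan data follows
            return None
        if pos + 4 > len(data):
            return None                          # truncated length field
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            return pos if marker == 0xFE else None
        pos += 2 + length
    return None


def classify(data):
    """Two-stage check: cheap signature match first, then the structural
    verifier only on files a signature flagged."""
    if not (ndb_match(SIG_STRICT, data) or ndb_match(SIG_BROAD, data)):
        return "clean"
    if jpeg_comment_underflow(data) is None:
        return "clean"                           # signature hit, verifier cleared it
    return "Exploit.JPEG.Comment"


# Constructed samples, not real files from the thread.
BENIGN = b"\xff\xd8" + b"\xff\xfe\x00\x0bhello wor" + b"\xff\xd9"
EXPLOIT_FIRST = b"\xff\xd8" + b"\xff\xfe\x00\x00" + b"A" * 8
EXPLOIT_LATER = (
    b"\xff\xd8"
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0 first
    + b"\xff\xfe\x00\x01" + b"B" * 8                                   # bad COM later
)
```

`ndb_match(SIG_BROAD, ...)` fires on every JPEG, which is the small cost trog mentions: each one is then handed to the walker, which returns None for well-formed files. The strict signature misses EXPLOIT_LATER because the bad COM segment is not the first segment after SOI; the walker finds it at offset 20.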

Re: [Clamav-users] What Just Happened??

2004-10-19 Thread Trog
On Tue, 2004-10-19 at 15:07, Scott Ryan wrote:
> I saw on my monitoring application just now that clamav was outdated and that 
> I must update immediately. I was running 0.80rc3, and the moment I got this 
> message I was inundated with users complaining that any jpeg attachment is 
> flagged as a virus / comment 1.
> I upgraded to 0.80rc4 and the jpeg problem went away, but I still get the 
> warning telling me to upgrade...
> 
> is there a release i am missing ??

Yes, 0.80

You should leave your cave more often :-)

-trog





Re: [Clamav-users] What Just Happened??

2004-10-19 Thread Trog
On Tue, 2004-10-19 at 15:49, Christopher X. Candreva wrote:
> On Tue, 19 Oct 2004, Trog wrote:
> 
> > You should leave your cave more often :-)

>  . . This from someone calling himself  trog ?  :-)
> 

Ohh, the irony :-)

-trog





Re: [Clamav-users] Unable to open file or directory ERROR

2004-10-21 Thread Trog
On Wed, 2004-10-20 at 16:33, Grant Supp wrote:

> It seems to happen when scanning the same files. "Untitled Attachment" seems to 
> cause the problem every time. I think this attachment might be generated by Outlook 
> 2003 when assigning a task to a user, although I'm not sure, since I don't have a 
> copy of Outlook 2003. I see several lines with the error for "Order - Hearing and 
> Appeal.pdf" so that file seems to be a problem as well. I've already disabled OLE2 
> support since I was having this same problem a lot with Microsoft Word .doc files.
> I even got one today with a gif file:
> Wed Oct 20 09:27:51 2004 -> 
> /var/spool/qmailscan/tmp/newmail01.readyhosting.com10982824714822434/image001.gif: 
> Unable to open file or directory ERROR
> Here's my startup output to show the scanning options:

Looks to me that whatever you are using to dissect messages into their
parts is creating files with incorrect permissions.

-trog





Re: [Clamav-users] clamd/clamscan core on some files under IRIX

2004-10-21 Thread Trog
On Wed, 2004-10-20 at 20:25, Rob Dueckman wrote:
> I'm running mimedefang/spamassassin/clamav on an IRIX 6.5 machine and
> have found that some files cause both clamd and clamscan to core.
> 
> Since I'm still running this combo, I can't forward the message to the
> list, but it can be found at: ftp://ftp.heloc.com/pub/message.txt.gz
> 
> Here is the last bit of output from clamscan when run on the file:
> 
> LibClamAV debug: Mixed message part 25 is of type 3
> LibClamAV debug: messageToFileblob
> LibClamAV debug: blobSetFilename: image.jpg
> LibClamAV debug: Saving attachment as
> /var/tmp//clamav-ee97fcadd47b2acf/image.jpgy023QP
> LibClamAV debug: Mixed message part 26 is of type 3
> LibClamAV debug: messageToFileblob
> LibClamAV debug: blobSetFilename: image.jpg
> LibClamAV debug: Saving attachment as
> /var/tmp//clamav-ee97fcadd47b2acf/image.jpgz023QP
> LibClamAV debug: Mixed message part 27 is of type 3
> LibClamAV debug: messageToFileblob
> LibClamAV debug: blobSetFilename: image.jpg
> LibClamAV Error: Can't create temporary file : No such file or directory
> LibClamAV debug: 4 257 0
> Segmentation fault (core dumped)
> 
> 
> I've built clam on Linux and have had no problems with the same file. 
> Could this somehow be a 64-bit issue?

I'm not aware of much testing on 64-bit big endian systems, so it may be
an issue.

Please run clamscan under gdb with this file and do a backtrace, like
this:

$ gdb clamscan
(gdb) run /path/to/message.txt

(wait for seg fault)

(gdb) bt

Thanks,
-trog





Re: [Clamav-users] Please explain ?

2004-10-21 Thread Trog
On Thu, 2004-10-21 at 14:48, Bogusław Brandys wrote:
> Hello,
> 
> Could someone explain why there are sometimes  a few signatures for one 
> malware ? Does it mean that malware has small change and that are MD5 
> signatures ?

Well, it depends what the signature is for.

> Today was for example submission of
> 
>  HTML.Phishing.Auction-1
>   HTML.Phishing.Auction-2
>   HTML.Phishing.Bank-5
>   HTML.Phishing.Bank-6
> 

These are different signatures (non MD5 in this case) for different
instances of phishing emails. So I wouldn't really call that malware.

You'll see a lot of sigs like Dialer-135, just because there are a large
number of these types of malware, and it's a pain to invent names for
them all :-)

Occasionally you'll see sigs like Worm.Bagle.AG.2, which may be a second
signature to match a different instance of the same malware.

-trog





Re: [Clamav-users] Please explain ?

2004-10-21 Thread Trog
On Thu, 2004-10-21 at 16:09, Bogusław Brandys wrote:

> I must ask. I have many spam messages in my email folder. Do I consider 
> sending them as a submission ? Should people know what are the 
> differences , to stop submit just junk emails? Or it is accepted ?
> 

No. Definitely not.

I get over 200 spam emails *per day*. I know what spam and phishing
email looks like.

-trog





Re: [Clamav-users] Performance Help - 100% cpu usage

2004-10-26 Thread Trog
On Tue, 2004-10-26 at 03:45, Eric Worthy wrote:

> 
> This is a vanilla install off qmailrocks.org site.

This may be your problem. I seem to remember they are guilty of doing
very bad things to the clamav install, like linking clamdscan to
clamscan.

-trog





Re: [Clamav-users] Performance Help - 100% cpu usage

2004-10-26 Thread Trog
On Tue, 2004-10-26 at 14:20, Jim Maul wrote:
> Trog wrote:
> > On Tue, 2004-10-26 at 03:45, Eric Worthy wrote:
> >  
> >>This is a vanilla install off qmailrocks.org site.
> > 
> > 
> > This may be your problem. I seem to remember they are guilty of doing
> > very bad things to the clamav install, like linking clamdscan to
> > clamscan.
> > 
> the QMR install doesn't really do very bad things.  It clearly explains 
> why it does what it does and that for high volume servers you may not 
> want to follow the directions entirely.  Yes, it links clamdscan to 
> clamscan so you are ALWAYS calling clamscan once per message.  On a high 
> volume server this isn't ideal.  I would undo this linking, start clamd 
> and run the real clamdscan as opposed to the linked one.  Your 
> performance should get noticeably better.

So, I was correct, QMR completely screws up the ClamAV installation for
no reason other than ignorance and gross stupidity.

It also tells its misguided users to run freshclam on-the-hour. Another
bad decision.

So, don't follow anything they say about installing ClamAV, and you'll
be ok.

-trog





Re: [Clamav-users] Performance Help - 100% cpu usage

2004-10-26 Thread Trog
On Tue, 2004-10-26 at 14:41, Niek wrote:
> On 10/26/2004 3:33 PM +0200, Trog wrote:
> > So, I was correct, QMR completely screws up the ClamAV installation for
> > no reason other than ignorance and gross stupidity.
> > 
> > It also tells it's misguided users to run freshclam on-the-hour. Another
> > bad decision.
> > 
> > So, don't follow anything they say about installing ClamAV, and you'll
> > be ok.
> > 
> > -trog
> 
> QMR delivers the community with the open source equivelant of
> 'next, next, next, next, next, next, finish' installations.

I don't have a problem with the theory, just the way they have fd
up the practice.

-trog





Re: [Clamav-users] Performance Help - 100% cpu usage

2004-10-26 Thread Trog
On Tue, 2004-10-26 at 15:01, Jim Maul wrote:

> Keep in mind while I agree the instructions are a little messed up for 
> the current versions of the software it uses, the instructions are the 
> way they are to correct problems and certain small errors that occurred 
> in older versions of the software.  Basically the instructions are 
> outdated in my opinion.  I don't believe the reason for the 
> clamscan/clamdscan linking is still a valid reason as well as other 
> "workarounds" that were put in place.  The instructions should be updated.

They were updated four days ago, and they are still grossly wrong.

> 
> With that said, the person, yes, only 1 person, who created qmr is 
> obviously busy and this is not his full time job.  I think it is great 
> that he has taken this amount of time out of his everyday life to 
> provide this great service for everyone... cut him some slack will ya?

I believe the same problems have been in there for over a year.

> Saying "for no reason other than ignorance and gross stupidity" is quite 
> incorrect and even downright rude.

You don't think it's rude to break other peoples software, for which we
then have to deal with the resulting mess, as witnessed by this thread?

>   You have NO idea why he set up the 
> instructions this way and you yourself are making huge assumptions.  If 
> you have some constructive criticism here im sure it would be 
> appreciated but you previous comments were IMO not helpful at all.

1. Install ClamAV as per its documentation, and then don't break it by 
linking clamdscan to clamscan.

2. If you want to use clamscan rather than clamdscan (for no reason,
other than to send your CPU load to 100%, as per this thread), configure
qmail-scanner to do so; it has a configure option for this.

-trog




