[Clamav-users] freshclam problem with internal logger
No doubt a problem with logrotate. Is there a fix for this?

ERROR: /var/log/clamav/freshclam.log is locked by another process
ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).

lsof | grep freshclam.log
freshclam 16920 root 3wW REG 104,617408 30851 /var/log/clamav/freshclam.log

Once I restart, the 3wW changes to 3w.

The logrotate clamav file looks like:

/var/log/clamav/freshclam.log {
    missingok
    #/etc/init.d/clamd logfix
    postrotate
        /bin/kill -HUP `cat /var/run/clamav/freshclam.pid 2> /dev/null` 2>/dev/null || true
    endscript
}

This logfix (with or without) makes no difference.

Thanks
Vernon
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [Clamav-users] Keeping Trend Micro and Symantec fed
D.J. Fan wrote:
> Thanks again ClamAV developers and maintainers. Today will be the fourth time I submit a virus caught by ClamAV and missed by both Trend Micro and Symantec to them. Obviously yet another new Bagle variant caught by an older ClamAV signature:
>
> A virus was found: Worm.Bagle.BB-gen

Add McAfee as well! Initially, ClamAV was the only scanner for several hours that detected this virus - (BitDefender, AVG, McAfee and Sophos). Bitdefender did start catching this after a few hours.

Vernon
Re: [Clamav-users] Managing the CLAM
Chris Heiner wrote:
> Are there any good command mode instructions to retrieve update information and other log information on the Clam AV.? The only command we are aware of is freshclam.

Commands:

freshclam (config file: /etc/freshclam.conf)
clamd (config file: /etc/clamd.conf)
sigtool

sigtool is helpful for getting information about daily.cvd or main.cvd or listing signatures.

man freshclam or man clamd or man sigtool

Vernon
Re: [Clamav-users] Re: Any way to add a line to cleaned email?
Noel Jones wrote:
> On Fri, Jan 07, 2005 at 01:12:02AM +, Thalador Du'Fosnee wrote:
> > Ok, let me get this right. Clamav cannot clean? What good is it?
>
> Cleaning of viruses is a marketing ploy. Very few viruses in recent years infect files, they overwrite the good data in the file with their own code. There is nothing left after cleaning but a corrupted file. The days when a virus would simply add x number of bytes to the end of a file are long gone.

Excellent point! 99.9% of today's email-borne viruses contain absolutely nothing but the virus. If clamav were to clean the files, there would be nothing left but a few lines of text - what good is that?

Prevention is the preferred medicine of choice, in my humble opinion, and ClamAV is doing a superb job!

Vernon
Re: [Clamav-users] thank you
Mike Lambert wrote:
> Thank you, team ClamAV, for your hard work on the latest release. ClamAV 0.80 (FreeBSD 4.9) is by far the most stable and memory efficient clamd yet.
>
> *applause*
>
> Regards,
> Mike Lambert

I concur!! I did have problems with keeping freshclam and clamd running on the previous version but with the release of .80, all processes have continued to run flawlessly on 60+ servers.

Flexible, efficient and hassle-free virus scanning - the way it should BE!

My hat's off to the ClamAV team!

Vernon
Re: [Clamav-users] Freshclam warning
Tomasz Kojm wrote:
> On Tue, 19 Oct 2004 14:58:56 -0500 "Vernon A. Fort" wrote:
> > I have been getting the following warning with freshclam for the last several hours.
> >
> > WARNING: DNS record is older than 3 hours.
> > WARNING: Invalid DNS reply.
> >
> > All cvd files seem to be up-to-date but why am I getting this?
>
> Please read my today's post in this case.

Thanks and understood, I overlooked that post O:-)

Vernon
Re: [Clamav-users] GDI+ bug exploit Mutations
Vernon A. Fort wrote:
> Steve Basford wrote:
> > Hi,
> >
> > Can someone test ClamAV with these files:
> > http://www.hiddenbit.org/demo_files/jpeg.zip
> >
> > Source:
> > http://lists.netsys.com/pipermail/full-disclosure/2004-October/027530.html
> >
> > Cheers,
> > Steve
>
> Tested with McAfee uvscan, Avgscan, clamscan. Only uvscan detected a virus:
>
> Found the Exploit-MS04-028 trojan !!!
>
> I also have sophos but not currently installed. I tested both on the uncompress zip and uncompressed. Again, only McAfee Uvscan detected anything.
>
> Vernon

Also just scanned with Sophos sweep - latest version - and it detected both files as well.

Virus 'Exp/MS04-028' found in file 1.jpg
Virus 'Exp/MS04-028' found in file 2.jpg

Vernon
[Clamav-users] Redhat 7.2 and 7.3 clamav-devel-latest
Attempting to compile clamav-devel-latest on a redhat 7.2 or 7.3 box but I'm getting autoconf / automake errors. Can I re-run the automake and autoconf and if so, what are the command line args?

Here's the output just after the configure runs:

cd . && /bin/sh /tmp/clamav-20040731/missing --run aclocal-1.8
/tmp/clamav-20040731/missing: aclocal-1.8: command not found
WARNING: `aclocal-1.8' is missing on your system. You should only need it if
you modified `acinclude.m4' or `configure.in'. You might want
to install the `Automake' and `Perl' packages. Grab them from
any GNU archive site.
cd . && /bin/sh /tmp/clamav-20040731/missing --run automake-1.8 --gnu
/tmp/clamav-20040731/missing: automake-1.8: command not found
WARNING: `automake-1.8' is missing on your system. You should only need it if
you modified `Makefile.am', `acinclude.m4' or `configure.in'.
You might want to install the `Automake' and `Perl' packages.
Grab them from any GNU archive site.
cd . && /bin/sh /tmp/clamav-20040731/missing --run autoconf
configure.in:20: error: Autoconf version 2.58 or higher is required
aclocal.m4:529: AM_INIT_AUTOMAKE is expanded from...
configure.in:20: the top level
autom4te: /usr/bin/m4 failed with exit status: 1
make: *** [configure] Error 1

Vernon.
[Clamav-users] Sigtool Build Time
I'm trying to understand the Build time string in the sigtool -i daily.cvd output:

Build time: 27 Jul 2004 15-12 +0200

specifically with the 15-12 +0200. I want to convert this to Central time (US), any pointers?

Vernon
Re: [Clamav-users] Sigtool Build Time
Steven Stern wrote:
> On Wed, 28 Jul 2004 10:15:53 -0500, Vernon A. Fort wrote:
> > I'm trying to understand the Build time string in the sigtool -i daily.cvd output:
> >
> > Build time: 27 Jul 2004 15-12 +0200
> >
> > specifically with the 15-12 +0200. I want to convert this to Central time (US), any pointers?
>
> CDT is GMT -0500 (CST is -6), so 15:12 GMT is 10:12 AM, CDT. The local time at which the build was produced was 5:12 PM.
>
> --
> Steve

OK - that's exactly what confused me - if 15:12 was the Local Time or 15:12 + 2 hours.

Thanks
Vernon
[Clamav-users] Bagle Varient
I have email messages that are being detected as Worm.Bagle.Gen-zippwd but when I unzip, clamav detects the binary as Bagle.AF. I cannot submit a sample because it's already detected. If someone wants a few sample email messages, let me know where to send them.

Vernon
Re: [Clamav-users] Bagle Varient
Steve Lenti wrote:
> On Fri, 16 Jul 2004 08:39:16 -0500, Vernon A. Fort wrote:
> > I have email messages that are being detected as Worm.Bagle.Gen-zippwd but when I unzip, clamav detects the binary as Bagle.AF. I cannot submit a sample because it's already detected. If someone wants a few sample email messages, let me know where to send them.
>
> I might be way off base here, but isn't the virus you are talking about a Zipped Bagle generation virus? Which would explain why it's being detected as Worm.Bagle.Gen-zippwd, right?

OK - the virus was NOT detected by uvscan, AVG or Sophos but WAS detected by clamav - a good thing. This is why I use clamav on several mail servers in conjunction with a commercial scanner. This e-mail virus WAS a password protected zip file but when unzipped, the files were detected as the Bagle.AF virus by all scanners including clamav.

My only reason for sending the original post was to see if 'Maybe' the virus programmers wanted a sample of this message because some were detected as Bagle.AF but not all. But then again, maybe it is being detected correctly?

Vernon
Re: [Clamav-users] Clamscan didn't work in the real world
Victor Yu wrote:
> Greeting,
>
> I just installed Clam on a Linux server. After installation, I run #clamscan /usr/local/share/clamav/test, it found the virus, the output like this:
>
> /usr/local/share/clamav/test/test1: ClamAV-Test-Signature FOUND
> /usr/local/share/clamav/test/README: OK
> /usr/local/share/clamav/test/rarfail.rar: RAR module failure.
> /usr/local/share/clamav/test/rarfail.rar: OK
> /usr/local/share/clamav/test/debugm.c: OK
> /usr/local/share/clamav/test/test1.bz2: ClamAV-Test-Signature FOUND
> /usr/local/share/clamav/test/test2.zip: ClamAV-Test-Signature FOUND
> /usr/local/share/clamav/test/test3.rar: ClamAV-Test-Signature FOUND
> /usr/local/share/clamav/test/test2.badext: ClamAV-Test-Signature FOUND
>
> --- SCAN SUMMARY ---
> Known viruses: 21303
> Scanned directories: 1
> Scanned files: 8
> Infected files: 5
> Data scanned: 0.00 MB
> I/O buffer size: 131072 bytes
> Time: 0.726 sec (0 m 0 s)
>
> But when I scanned a file with virus, it found nothing. I scanned the file using clamav online specimen scanner (http://www.gietl.com/test-clamav/), it said found something: Worm.SomeFool.Gen-1
>
> I listed signature names in my virus signature database by running #sigtool --list-sigs, and found Worm.SomeFool.Gen-1 in it. So why clamscan could not catch the virus in the file? Any idea?

The type of FILE you reference would help. Would this file by chance be a mime encoded email message? Either way, use the option:

-m (-mbox, treat file as a message file)

or

clamscan --help

Vernon
Re: [Clamav-users] Question on SomeFool Virus
Antony Stone wrote:
> On Tuesday 06 April 2004 9:57 am, Vernon A. Fort wrote:
> > I have several emails which clamav detects as 'Worm.SomeFool.Gen-2', but neither Sophos nor McAfee will detect the virus. Would this be some new variant that clamav found? From the description, this sig was added to detect possible future variants of the NetSky viruses.
>
> Sounds like it's working then :)
>
> > Should I submit this? or just be thankful or both?
>
> No point submitting a virus which ClamAV already detects :) Be thankful the team did a better job than Sophos & McAfee again.

I use ClamAV in addition to commercial scanners for exactly this reason - ClamAV does detect new viruses sooner than any other commercial scanner. I was just curious if any of the virus admins wanted a look at the message file. If so, let me know how and where to send.

Vernon
[Clamav-users] Question on SomeFool Virus
I have several emails which clamav detects as 'Worm.SomeFool.Gen-2', but neither Sophos nor McAfee will detect the virus. Would this be some new variant that clamav found? From the description, this sig was added to detect possible future variants of the NetSky viruses.

Should I submit this? or just be thankful or both?

Vernon
[Clamav-users] Virus DB Update
I noticed that virusdb was updated, according to the clamav-virusdb list, to daily version 226 but my freshclam is still reporting that 225 is the latest. Am I missing something?

Vernon
Re: [Clamav-users] Virus DB Update
Colin A. Bartlett wrote:
> Vernon A. Fort Sent: Tuesday, March 30, 2004 11:11 AM
> > I noticed that virusdb was updated, according to the clamav-virusdb list, to daily version 226 but my freshclam is still reporting that 225 is the latest. Am I missing something?
>
> FYI, my freshclam returns version 227.
>
> cheers,
> Colin
>
> Colin A. Bartlett
> Kinetic Web Solutions
> www.kineticweb.biz

You're right - it's at 227 now. I just happened to see the 226 post but all my servers still reported 225. Normally once you see the post on the virusdb list, it's been updated for a while. I'll have to be more patient :)

Vernon