Re: [clamav-users] Windows packaging

2012-06-25 Thread aCaB
On 06/25/12 15:55, Tom Judge wrote:
>> Exclusion of the necessary msvc* runtime libraries
> 
> The inclusion of them helps lower the barrier to entry for people to
> try ClamAV on windows.

So why have you removed them?

>> Inclusion of the previously separate libclamunrar libs
> 
> There is no reason for us to package these separately, by including
> them we again reduce the barrier to entry for people.

FYI unrar license is incompatible with the GPL. That was the rationale
in the packaging.

-- acab
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [clamav-users] Identifying all infections in a file...

2012-06-08 Thread aCaB
On 06/08/12 15:26, Matt Olney wrote:
> Maarten,
> 
> There currently isn't a way to do this.  We could look at doing that
> in a future release.  Feel free to put a bug in
> https://bugzilla.clamav.net/ and we'll consider it.

Hey Matt,
As per the ML rules[*] please avoid top posting or quoting excessively
large chunks when replying.

Thanks,
-- acab

[*] http://lists.clamav.net/mailman/listinfo/clamav-users
http://wiki.clamav.net/Main/TopPost


Re: [clamav-users] Problems with clamav-milter: "clamfi_eom: FD send failed: Broken pipe"

2012-06-07 Thread aCaB
On 06/07/12 11:40, c0re wrote:
> I decided to move clamav to dedicated server.

Hi,
I assume you are running the milter on the same machine as clamd and
letting them talk over a unix socket.

> Jun  7 12:37:08 avsrv clamav-milter[29989]: clamfi_eom: FD send
> failed: Broken pipe
> Jun  7 12:37:08 avsrv clamav-milter[29989]: FD send failed

It is very likely that clamd got tired of waiting and closed the connection.
Try increasing the ***Timeout values in clamd.conf.
Or try decreasing MaxFileSize in the clamav-milter.conf.

At any rate, make sure you are not heavily IO bound on the milter
machine and that the network flow between the sendmail and the milter
machines is fast and not congested. If that's the case you may need to
rethink your setup as it's way underspec'd.


Having said that, please note that rare transient errors occurring
during peak times are nicely handled by the SMTP protocol and are
generally not considered a big issue.

Cheers,
-- aCaB


Re: [clamav-users] [Clamav-users] problem with clamav-milter recipient notification

2012-05-24 Thread aCaB
On 05/24/12 16:54, Giles Coochey wrote:
> Was a bug / feature request ever opened for this? Was it ever fixed?

Yup,

https://bugzilla.clamav.net/show_bug.cgi?id=2879

Cheers,
-- aCaB


Re: [clamav-users] How can I whitelist certain sender with clamav-milter

2012-04-26 Thread aCaB
On 04/26/12 14:53, Gary Yao wrote:
> is there a way I can tell postfix to whitelist this sender?

Gary,
I don't know about Postfix but you can do some whitelisting in the milter.
There is a dedicated "Exclusions" section in its config file[*].
You may want to give a look at it.

Cheers,
-- aCaB

[*]
http://git.clamav.net/gitweb?p=clamav-devel.git;a=blob;f=etc/clamav-milter.conf;h=decf06bca33265a66f1482e25782161f7f1e6039;hb=HEAD#l96



Re: [clamav-users] Google Chrome infected?

2012-04-24 Thread aCaB
On 04/24/12 01:31, Frank Chan wrote:
> 5974bc2d26dc0f1e9755ccc2806cfda2  chrome.dll
> 9652e7d2d40f72c4f4acec0e2dea28a1  chrome.7z

I'm sorry Frank,
it appears the upload wasn't successful.
I can't find either :/

Cheers,
-- acab


Re: [clamav-users] Google Chrome infected?

2012-04-23 Thread aCaB
On 04/21/12 01:44, Frank Chan wrote:
> On 19-04-2012 01:11, aCaB wrote:
>> On 04/18/12 23:10, Frank Chan wrote:
>>> 9652e7d2d40f72c4f4acec0e2dea28a1  chrome.7z
>>> 5974bc2d26dc0f1e9755ccc2806cfda2  chrome.dll

> Done.

I still can't find them. Do you confirm the above md5's?

-- acab


Re: [clamav-users] Google Chrome infected?

2012-04-19 Thread aCaB
On 04/18/12 23:10, Frank Chan wrote:
> 9652e7d2d40f72c4f4acec0e2dea28a1  chrome.7z
> 5974bc2d26dc0f1e9755ccc2806cfda2  chrome.dll

Hi Frank,

Have you submitted them on http://www.clamav.net/sendvirus/submit-fp/ ?
I can't seem to find them in our zoo.
If you haven't yet please do, so they can be processed ASAP.

Cheers,
-- aCaB


Re: [clamav-users] trouble compiling clamav 0.97.4

2012-04-17 Thread aCaB
On 04/17/12 17:19, Jasowicz, Artur wrote:
> cat /etc/redhat-release 
> CentOS release 5.8 (Final)
> 
> uname -a
> Linux xx.xx.com 2.6.18-128.1.16.el5xen #1 SMP Tue Jun 30 07:20:15 EDT 2009 
> i686 athlon i386 GNU/Linux
> 
> Trying to configure clamav with:
> configure --enable-milter --disable-zlib-vcheck

Jasowicz,
You forced configure to skip a check which is there in order to avoid us
being flooded with "clamd crashed" bug reports where bzip2 really fails.
Configure obeys but it tells you that you are on your own. If your clamd
crashes, good luck.
Of course if you go through the trouble of tracing the crash and making
sure that it's not related to bzip2 (or other configure things you might
have messed around with) then you are still welcome to submit a bug report :)

Cheers,
-- aCaB


Re: [clamav-users] ClamAv 0.97.4 win32/64 binaries

2012-03-16 Thread aCaB
On 03/16/12 10:54, Steve Basford wrote:
> Hi,
> 
> Any eta on an update to v0.97.4 here...
> 
> http://sourceforge.net/projects/clamav/files/clamav/win32/

I'm building them right now, so probably your late afternoon.

BTW, please don't hijack other threads...

-- aCaB


Re: [clamav-users] Exempting certain users from scanning

2012-02-03 Thread aCaB
On 02/03/12 14:48, Jerry wrote:
> sasl_username=t...@pc.network.net
[...]
> SkipAuthenticated file:/etc/good_guys
> 
> /etc/good_guys
> tom

Hi Jerry,
This will have to be:
t...@pc.network.net

> Also, is case folding being used in this scenario by the clamav-milter?

Yes, the matching is case insensitive.

--aCaB



Re: [clamav-users] How can I have clamd reject items that can't be scanned?

2011-11-09 Thread aCaB
On 11/08/11 17:41, Peter Bradeen wrote:
> I see that there are ways to limit the level of archive that will be
> scanned as well as the size of the entities to be scanned.  Is there a way
> for CLAMAV to then flag them as not allowed?  Seem that if you can't scan
> it, it should be rejected.

Hi Peter,

Long ago there was a set of options going under the name of
ArchiveBlockMaxXXX. They were really intended to keep the engine safe
from loops and abuse, but in the end they did more or less what you ask.

The options were dropped because they gave us a lot of headaches with
complaints and FP reports (you can still google "oversized.zip" and
enjoy the flames).
Before dropping the said options a poll was conducted on this very board
and the general consensus was that the option was pointless and to be
dropped.

Long story short, we understand exactly the scenario you describe and
the question you raise. However it's very unlikely that such a feature
is going to be added in the future.

Cheers,
--aCaB


Re: [clamav-users] git.clamav.net down?

2011-09-08 Thread aCaB
Sorry folks, wrong ML.


[clamav-users] git.clamav.net down?

2011-09-08 Thread aCaB
Luca,

My commit seems to have been pushed [*].
But it seems it didn't propagate to git.clamav.net.
Also no commit email is showing up and the bbot wasn't triggered.
Is there anything wrong?

[*]
acab@1337ness:~/git$ git push origin HEAD
Counting objects: 12, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 844 bytes, done.
Total 7 (delta 5), reused 0 (delta 0)
ssh: connect to host git.clamav.net port 22: Connection timed out
fatal: The remote end hung up unexpectedly
To a...@git.clam.sourcefire.com:/var/lib/git/clamav-devel.git
   47aae0e..ce048a0  HEAD -> master
acab@1337ness:~/git$ git push origin HEAD
Everything up-to-date
acab@1337ness:~/git$ git pull
Already up-to-date.

Cheers,
Albe


Re: [clamav-users] How to distinguish phiching signatures?

2011-09-06 Thread aCaB
On 09/05/11 16:18, Matus UHLAR - fantomas wrote:
> Do you have an idea how should I detect if a mail is a phish, or any
> other content (which?) that should our abuse@ teram know about?

Hi Matus,

You are supposed to recognize phishing from the virus names, for example
using a regex like: ^(Email|HTML)\.Phishing

Mind you, there are currently 2 spurious entries which are likely not
intended to be there. I'm gonna fix them this week:

acab@barney:~$ sigtool -l | grep -i phish | egrep -v '^(HTML|Email)[.]Phishing'
Catphish.698.A
Catphish.698.B
E-Mail.Phishing.SMT
PDF.Phishing

HtH,
Albe


Re: [clamav-users] The error log message "milter=clmilter, tempfail"

2011-08-19 Thread aCaB
On 08/19/11 19:13, Michael Wu wrote:
> We will see the following messages in the clamav milter's logs :
> 
> "ERROR: clamfi_eom: FD send failed: Broken pipe"
> "ERROR: FD send failed"

Michael,
Looks like clamd went down. Or was bored for the long wait time and shut
the socket down.
Either way you probably have some corresponding error in clamd.log.
Can you look them up as well?

Cheers,
--aCaB


Re: [clamav-users] Virus database in tarball

2011-06-24 Thread aCaB
On 06/24/11 11:09, Sergey wrote:
> Whether to place the virus database in tarball ? It become obsolete
> very quickly and take up space. Update is required after installation
> in any case.

Hi Sergey,

this has been discussed many times already.

Rationale is: shipping the db in the tarball helps a lot in reducing
load and bw usage on our mirrors (which are provided for free to all our
userbase) and still allows for quick incremental updates.

Cheers,
-aCaB


Re: [clamav-users] Solaris 10 compile / unit_tests unrar problem

2011-06-21 Thread aCaB
On 06/21/11 22:54, Paul Kraus wrote:
> I suspect that this
> is either a unit_tests issue -or- and issue with how the static
> executables get built.
[...]
>  $ ./configure --disable-clamav --enable-check --enable-static 
> --disable-shared

Hi Paul,
Static unrar is unlikely to work since libclamav dlopen()'s it due to
license restrictions and incompatibilities.

Do you really need a static build?

Cheers,
-aCaB


Re: [clamav-users] 0.97.1 rumor pile? bad safebrowsing update file?

2011-06-21 Thread aCaB
On 06/21/11 20:25, Michael Scheidell wrote:
> I can't reproduce it, but installed clamav 097.1 on several amd64 boxes,
> and i386 boxes running freebsd 7.3

Hi Michael,

do you have any chance to attach gdb to the stuck clamd?

Cheers,
-aCaB


Re: [clamav-users] announcing ClamAV 0.97.1

2011-06-10 Thread aCaB
On 06/10/11 12:18, Steve Basford wrote:
> Can't see the windows binaries for 0.97.1 yet?
> 
> http://sourceforge.net/projects/clamav/files/clamav/win32/

Hi Steve,
Luca's on holidays. He'll upload them as soon as he reaches a PC,
probably later today.

Cheers,
-aCaB


Re: [clamav-users] problem with clamav-milter recipient notification

2011-05-24 Thread aCaB
On 05/24/11 17:48, Annette Jaekel wrote:
> If I understood right, the script 
> gets the recipients from the sendmail macro rcpt_addr. Now clean mails go 
> trough
> clamav-milter and deliver to all recipients. But always if a virus is found 
> for
> a mail with more than one recipient, only the last recipient gets a 
> notification.

Hi Annette,
You understand it right.

The macro likely gets overwritten at each new recipient.
I should really hook xxfi_envrcpt and build a dynamic list for each
message... But then I also need to rework the VirusAction handler and
logging to go through it and act accordingly without breaking legacy apps.

In a word, it's no quick fix :(
Please open a bug/feature request on the bugzilla. I'll take care of it
when time permits.

Thanks,
-aCaB


Re: [clamav-users] Access has been denied page

2011-04-17 Thread aCaB
On 04/17/11 05:05, Dennis Peterson wrote:
> Adding the hard-coded
> UNOFFICIAL reduces some liability from the Clamav team.

That!
And lots of daily annoyances with FP reports too.

Which is why the suffix won't go away nor an option will be available to
get rid of it.

Cheers,
-aCaB


Re: [clamav-users] Access has been denied page

2011-04-16 Thread aCaB
On 04/16/11 16:48, Nathan Gibbs wrote:
> Do you mean something like.
> 
> cat daily.cvd | sigtool -mdb > daily.mdb

That won't work. If you want to use an official db you should use
"sigtool --unpack".

Alternatively you can forge your own custom db. E.g.:
acab@1337ness:/tmp$ echo "this is an example" > scanme
acab@1337ness:/tmp$ sigtool --md5 scanme > sig.hdb
acab@1337ness:/tmp$ clamscan -d sig.hdb scanme
scanme: scanme.UNOFFICIAL FOUND

--- SCAN SUMMARY ---
Known viruses: 1
Engine version: devel-clamav-0.97-65-g82c8e33
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.006 sec (0 m 0 s)


> or
>
> Just get a 3rd party DB already.

That would work too.

-aCaB


Re: [clamav-users] Access has been denied page

2011-04-16 Thread aCaB
On 04/16/11 03:56, Nathan Gibbs wrote:
> I don't think passing conf options all the way down into the library is going
> to work out too well.  I'll try ambushing the virus name on its way back up.
> 
>> As it is I edit the source code at each build and turn it off.
>>
> 
> As it is I edit the source code at each build and turn bug 1754 fixes on.
> :-)
> 
> Thanks for the idea, its a good one, now if I can just catch it.

FYI you can use callbacks, in particular clcb_post_scan.
See clamav.h for details.

-aCaB


Re: [clamav-users] Access has been denied page

2011-04-16 Thread aCaB
On 04/16/11 06:14, Nathan Gibbs wrote:
> Is there some test data that will cause clamd to to emit the .UNOFFICIAL
> output without  loading any 3rd party DB's

Just load any db file in non cvd/cld format.

-aCaB


Re: [clamav-users] freshclam proxy configuration

2011-04-06 Thread aCaB
On 04/06/11 15:41, Leonardo Rodrigues wrote:
> is that possible ?

Nope, just one.

-aCaB


Re: [clamav-users] Database reload improvement

2011-03-11 Thread aCaB
On 03/11/11 14:23, Török Edwin wrote:
>> I also looked at a couple of servers where the hardware is 3-4 years
>> old and they took 5-7 seconds to reload. But they have a high load
>> from all mail related services they do, probably they could shave off
>> a second or two if tested separately.

Thanks Peter!
That's in line with my expectations.

> Hmm, Martin Preen has quite a few 3rdparty DBs (in clamconf output),
> maybe those cause the load-time slowdown?
> Is it any faster without them?

Whatever.
Still 90 secs is unreasonable especially considering the older version
was way better.
Let alone 3 minutes...

--aCaB


Re: [clamav-users] Database reload improvement

2011-03-11 Thread aCaB
On 03/10/11 20:58, Peter Bonivart wrote:
> You could give our ClamAV package a try:
> 
> http://www.opencsw.org/packages/CSWclamav/

Guys,
Anybody tried?

I'd be very interested in hearing the results.


Cheers,
--aCaB


[Clamav-users] To SUSE users - configure infloops

2010-09-23 Thread aCaB
Hi,

SUSE apparently ships a custom patched libbz2 v. 1.0.5.
That is the vulnerable libbz2 but, instead of crashing, it infloops on
the bz2 PoC.
SUSE has not yet provided a non vulnerable libbz2 (v.1.0.6).

In the meantime the quick and dirty patch found at
https://wwws.clamav.net/bugzilla/attachment.cgi?id=1498 allows configure
to continue.

Cheers,
--aCaB


Re: [Clamav-users] What ever happened to the Release Candidate for 0.96.3??

2010-09-22 Thread aCaB
George Kasica wrote:
> In any case its a past event and something to keep in mind next time 
> probably.

Hi George,

thanks for sharing your thoughts and sorry for any trouble we might have
caused.

There are just a couple of things I'd like to add.
The bzip bug was circulating among all the involved parties for a month
or more. Additionally the original disclosure date was shifted ahead by
two weeks.
In such a scenario, I'd personally expect that distro packages are all
ready but kept on hold until the disclosure date.
Now, even if that wasn't the case, I think it's quite unreasonable to
suggest that we (3 developers) hunt down each and every distro
maintainer to ack their schedules. As I see it the process is the other
way around.
In fact there is a clamav mailing list explicitly dedicated to package
maintainers where we post the to-be-released tarball some (admittedly
small) time in advance. Anyone willing to coordinate or ask for a delay
can certainly do so through this channel.

If it wasn't a security release we would certainly have gone with an
RC... which certainly would have mitigated most of the issues.

Cheers,
-aCaB


Re: [Clamav-users] VirusAction Question

2010-09-22 Thread aCaB
Nathan Gibbs wrote:
> Here is my working "test" implementation for the milter
> 
> http://www.cmpublishers.com/oss/clamfi.c

Hi Nathan,

awesome spirit!
I'd love to say "awesome code" too but I haven't had a chance to look at
it yet.
I'll certainly do that before monday.

Cheers,
--aCaB


Re: [Clamav-users] VirusAction Question

2010-09-16 Thread aCaB
Nathan Gibbs wrote:
> * Nathan Gibbs wrote:
>> How can I get the clamav-milter to call a virusaction script that accepts a 
>> cmd
>> line argument?

[snip]

> By looking at the code it appears that this common task is being implemented
> in three different ways.
> The clamav-milter way is definitely incompatible with the other two.

Hi Nathan,

The main reason the code is different is due to the fact that OnXXX
executes a script (with some params) via the shell and VirusEvent does
the same but additionally expands %v to the virus name.

With the milter I had to face a few more issues.
On one hand I decided to drop mail notifications, which suddenly made
VirusAction the most immediate and obvious work around.
On the other hand, everything in the milter is arbitrary, unsanitized
and potentially nasty.
I considered that, for some reason, quite a few OS's/distros run the
milter as root and that the old milter had security issues related to
insufficient validation[1], and the decision was not to rely on the
shell for executing the external scripts.
At that point I could reuse the %v logic employed by VirusEvent
except that in this case I had quite a few arguments to manage and not
just one.
The simpler solution was to avoid % expansion and simply feed all the
info I have to the invoked script. From there, the admin can do whatever
s/he likes: use some params, use all of them, disregard them all.

Hope that sheds some light on the code.

Cheers,
--aCaB

[1] http://www.securityfocus.com/archive/1/477723/30/0/threaded


Re: [Clamav-users] recipient notification

2010-09-09 Thread aCaB
Chris wrote:
> I am not sure I follow your logic here though, because I thought it was
> clamav-milter that passes those 7 arguments (not sendmail), all of which
> look good, except the 4th: "destination".

That's correct. But clamav-milter is just a stupid streaming bridge
which knows nothing about mails. And that's by design.
All the info it passes on to your script it gets from sendmail.
If sendmail doesn't fill in some, you get 'UNKNOWN'.
Sendmail, by default, doesn't fill in all of the fields passed to your
script, hence, you get 'UNKNOWN'.
To get sendmail to fill in all the fields you need, you have to
explicitly instruct it to do so. And this is done via its configuration
file, using the confMILTER_MACROS_EOM as I wrote above.

Any clearer now?

-acab
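The two messages above (the 2010-09-16 one on why the milter execs the VirusAction program directly with every field as a positional argument, and this one on fields arriving as the literal string UNKNOWN when sendmail has not exported the macro) describe the contract such a script has to honour. The script below is an added example, not the milter's code nor the poster's: it takes the seven arguments, refuses to act when the destination is UNKNOWN so the missing confMILTER_MACROS_EOM entry surfaces as an error instead of silent non-delivery, and strips control characters from the header-derived fields before logging them, since (as the 2010-09-16 message stresses) everything the milter hands over is arbitrary, unsanitized input. The argument order assumed here is the one clamav-milter.conf documents (virus name, queue id, sender, destination, subject, message id, message date); check the comment on VirusAction in your own clamav-milter.conf before relying on it. Function names is_known and handle_virus are this example's own.

```shell
#!/bin/sh
# Added example: a VirusAction handler for clamav-milter.
# The milter execs this program directly (no shell, no %v expansion) with
# seven positional arguments. Assumed order, per clamav-milter.conf:
#   $1 virus name  $2 queue id  $3 sender  $4 destination
#   $5 subject     $6 message id  $7 message date
# Any field sendmail did not export (confMILTER_MACROS_EOM) is the literal
# string UNKNOWN.

# is_known VALUE -> succeeds unless the milter substituted UNKNOWN (or empty).
is_known() {
    [ -n "$1" ] && [ "$1" != "UNKNOWN" ]
}

# handle_virus VIRUS QUEUEID SENDER DEST SUBJECT MSGID DATE
# Prints one log line on stdout. Returns 2 on an argument-count mismatch,
# 3 when DEST is UNKNOWN (sendmail is not exporting {rcpt_addr}), 0 otherwise.
handle_virus() {
    [ $# -eq 7 ] || { echo "handle_virus: expected 7 arguments, got $#" >&2; return 2; }
    virus=$1 qid=$2 sender=$3 dest=$4 subject=$5 msgid=$6 date=$7
    if ! is_known "$dest"; then
        echo "handle_virus: recipient is UNKNOWN; export {rcpt_addr} via confMILTER_MACROS_EOM" >&2
        return 3
    fi
    # Subject and Message-ID come straight from the remote client: drop
    # control characters so a crafted header cannot inject extra log lines.
    subject=$(printf '%s' "$subject" | tr -d '[:cntrl:]')
    msgid=$(printf '%s' "$msgid" | tr -d '[:cntrl:]')
    # The fields are only ever passed as printf arguments, never re-parsed
    # by a shell, so quotes or metacharacters in them stay inert.
    printf 'queue=%s virus=%s from=%s to=%s subject="%s" msgid=%s date=%s\n' \
        "$qid" "$virus" "$sender" "$dest" "$subject" "$msgid" "$date"
}

# When invoked by the milter (seven arguments) act; when sourced, do nothing.
if [ $# -eq 7 ]; then
    handle_virus "$@"
fi
```

Install it as, for instance, /usr/local/libexec/virusaction.sh (hypothetical path), make it executable, point VirusAction in clamav-milter.conf at it, and redirect its stdout wherever you want the log. If the milter runs as root on your platform, the script runs as root too; keep it this small and do not hand any of the fields to another shell.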


Re: [Clamav-users] recipient notification

2010-09-09 Thread aCaB
Chris wrote:
> So, I wrote a nice little script, and it would work fine too, except
> that the 4th argument (the "destination", which I took to mean the
> "recipient") is always "UNKNOWN".  So, the message always fails.  Maybe
> destination isn't supposed to mean recipient -- if that is so, what does?

Hi Chris,

I think you're doing it right.
You only need to configure sendmail to fill in those macros, which, by
default, it leaves blank.
It's generally only a matter of adding the following line to your .cf:
define(`confMILTER_MACROS_EOM', `{msg_id}, {mail_addr}, {rcpt_addr}, i')

HtH,
aCaB


Re: [Clamav-users] Problem with lha, lzh, uuencode and pgp files

2010-06-11 Thread aCaB
DAVID BERTHIAU wrote:
> I don't know how, but my current system do, I will look if it is because the 
> encrypted files are blocked. Is it possible to do it with clamav?

It is.
Look for ArchiveBlockEncrypted in clamd.conf.

Cheers,
-acab


Re: [Clamav-users] Reload process

2010-05-31 Thread aCaB
Nathan Gibbs wrote:
> ARGH!!!
> Thats all I'm going to say about that.

Nathan,

After a release, when we see the bug flow stopping or calming down
slightly all bugs (except those already clearly evaluated) are moved to
unplanned.
Shortly after (in this case tomorrow), unplanned bugs are re-evaluated
and either assigned to a release, or closed, or left in the queue.

So there's nothing to ARGH about... yet! :)

--aCaB


Re: [Clamav-users] Including DB in tarball

2010-05-20 Thread aCaB
Jorge Valdes wrote:
> Just a suggestion:
> 
> Can we also have a tarball that does not include a database?

Hi Jorge,
This has been discussed several times.

The tarball includes the db in order to save some bandwidth on our mirrors.
If you don't want to download the whole tarball, just pull the code via git.

HtH,
--acab


Re: [Clamav-users] safebrowsing updates CPU hog

2010-05-13 Thread aCaB
Wolfgang Breyha wrote:
> In the last week I noticed several times that freshclam needs up to 30
> minutes using a full CPU to update safebrowsing database.
> 
> Most of the time the next update shows
> Empty script safebrowsing-20426.cdiff, need to download entire database
> 
> What's wrong with safebrowsing?

There's a bug for that:
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2017

--acab


Re: [Clamav-users] False Positives on PDF-Files

2010-05-06 Thread aCaB
Andreas Krauß wrote:
> Hi,
> 
> ClamAV 0.96 on our mail server is running very well. We ship every day
> many PDf files and have some false positive detections
> 
> How can we solve the problem?

Hi Andreas,

Have you submitted the false positive files on
http://cgi.clamav.net/sendvirus.cgi ?

--aCaB


Re: [Clamav-users] freshclam, updates and EOL.

2010-05-03 Thread aCaB
Jobst Schmalenbach wrote:
> Hi.
> 
> I have been following the thread about "EOL" and "Move to next version of 
> clamav"
> which stopped a few mailservers ... I do not want to take sides here, 
> this is NOT what this email is about.
> 
> This is a suggestion.

Mind posting your suggestions to the bugzilla?
So others can contribute and there are fewer chances that it'll be forgotten?

Thanks,
--acab


Re: [Clamav-users] Update problem on daily.cld

2010-04-29 Thread aCaB
Adam Stephens wrote:
>> This thread is dead for me.
>>   
> I'm delighted to hear it. Your contribution to date has been
> ill-informed, rude, and completely unhelpful.

I apologize for being dense and overreacting. The echoes of the recent
flames are still in my mind...

Back to topic 0.96+dfsg-4~volatile1 was accepted a couple of days ago
and it's digging its way to the mirrors. It shouldn't take long till all
archs are built and the debs are available.

--acab


Re: [Clamav-users] Update problem on daily.cld

2010-04-29 Thread aCaB
Adam Stephens wrote:
> I'm seeing a similar problem, and I believe it's another issue caused by
> ClamAV's aggressive policy of disabling older software versions. If I
> run freshclam with debug options I see errors like this:

As stated multiple times "ClamAV's aggressive policy of disabling older
software versions" has got nothing to do with what mirrors do. In fact,
as stated multiple times, the clamav project has got no control over the
mirrors nor their admins which are left completely free to make use of
THEIR bandwidth as THEY prefer. Banning old versions is THEIR option as is
THEIR choice to serve older clients.

> If you're running an OS that hasn't packaged 0.96 yet, I think you now
> need to build ClamAV from source if you want timely signature updates.
> The odd thing is the ClamAV website still recommends using the Debian
> Volatile packages.

Right. Because, as everybody knows, the clamav guys maintain Debian and
have control over volatile...
...and world hunger must be the clamav folks fault as well.


Anyway, that being said (for the millionth time), feel free to keep
complaining about free services and people behind them as much as you
like. This thread is dead for me.

--aCaB


Re: [Clamav-users] Update problem on daily.cld

2010-04-29 Thread aCaB
Test Andrea wrote:
> http://nopaste.info/6ce68caae7.html

Ciao Andrea,

I assume from your address that you are based in Italy. The problem is
very likely related to db.it.clamav.net failing to properly sync the
database files.

These kind of issues are generally only temporary and are fixed within a
few days.

In the meantime you can either ignore the error or temporarily add
another DatabaseMirror directive in freshclam.conf (specify another
european mirror like db.de.clamav.net).
If you choose to add a mirror make sure that you also remove mirrors.dat
as by now freshclam has probably blacklisted all the servers.

HtH,
-acab


Re: [Clamav-users] clamav-daemon didn't recognise attached virus

2010-04-22 Thread aCaB
Paul Whelan wrote:
>> I think your amavis tried to decode the message, and pass only parts of
>> it to ClamAV.
> 
> In general then, clamav may only recognise some malware when it is 
> still attached to a mail message and not after it has been 
> separately stored.  Is that correct?


It may or may not, depending on the message and the signature that
catches it.
Since clamav internally processes the mail message and all its attachments
anyway, having this done twice (by amavis and by clamav) is probably
pointless...

---acab


Re: [Clamav-users] No debian woody support anymore?

2010-04-21 Thread aCaB
h...@dip-systems.de wrote:
> Is there no more support for this Debian Release?

Debian Woody became old-stable in June 2005 and support was discontinued
in June 2006.

Your version of ClamAV is also obsolete.

--aCaB


Re: [Clamav-users] The EOL tweets

2010-04-19 Thread aCaB
Paul Reading wrote:
> I am using OSX Server 10.4.11 and it is at least five years old and the
> latest version of Snow Leopard server includes a more recent version of
> clamav. I assumed that the use of clamav was negotiated by Apple and
> Clamav and that there would have been some direct contact. The Apple
> boards of full of users with dead mail servers.

No negotiation needed, it's free software.
Apple takes it and packages it as they like. They decide what version to
ship and if/when to deliver updates. No questions asked.

--acab


Re: [Clamav-users] The news keeps getting better

2010-04-18 Thread aCaB
lists wrote:
>  Multiple vulnerabilities have been found and corrected in clamav:

Guys,
just a bit of generic (i.e. not specific to the above) background about
such evasion advisories.

How it works aka how to get fame and glory with no effort (nor skills):
1. Pick up eicar.com and pack it up with the chosen archive type
2. Fuzz it into several thousand different files
3. Run N unpacking utilities and M AV toolkits against the above fileset
4. Find any tool in N succeeding against a sample for which at least one
AV in M fails
5. Get yourself a 1337 name and post your 3v4510n!!1 advisory
6. Wait for mitre to pick it up and assign a CVE id to it (don't worry
no matter how crappy or inaccurate your description is, they surely will)

Now this sounds quite severe, doesn't it?
Since an antivirus is a security tool, if we can bypass it then we have
a security bug.
And that's quite correct.

However (and that's what most people don't realise), is an archive
handler bypass sufficient to bypass the AV as a whole? Fortunately no.
ClamAV (but I'm sure this is the case with every other AV on the planet)
uses archive and runtime packers handlers as mere helpers. They simply
make it easier and more efficient to write signatures. But nothing stops
us from publishing signatures against the raw archive. In fact, that's
exactly what we do against archive formats and runtime packers that we
don't currently handle.

So, what's the practical impact of evasion sploits? In most cases, close
to zero.
How many malicious samples have we seen that actively exploit archive
evasion? Zero.
What happens if, in the future, we'll see malware exploiting them? We'll
simply catch them with a signature (or bytecode) based on the raw
archive file.
What happens when we receive such advisories? We file comments to the
reporter and, in the next stable version, we improve the code to handle
more bastardized samples. We then notify the reporter, who in no case
has ever bothered to integrate our comments.

Oh and one final note about the accuracy:
>  ClamAV before 0.96 does not properly handle the (1) CAB and (2) 7z file
>  formats, which allows remote attackers to bypass virus detection via

It's quite funny to hear that the 7z handler is vulnerable in versions
<0.96 because it was, in fact, introduced in 0.96... :)

Cheers,
--acab



Re: [Clamav-users] ClamAV over Network

2010-04-17 Thread aCaB
Michelle Konzack wrote:
> SpamAssassin works already, but what must I do if I like to use ClamAV
> over network with 4-12 scanning machines?

Hi Michelle,
a definite answer would require better knowledge of your
environment. Also I'm not a courier-mta user.
However, here are some generic suggestions that may help you.

First of all, ClamAV is generally faster and much less resource hungry
than SpamAssassin. The obvious choice is to set ClamAV first, SA next.

Second, avoid middleware generated overhead whenever possible. As an
example if your MTA can interface natively with SA and clam, then don't
use amavis. If it can't then just use amavis as a glue and disable all
its checks. Of course both suggestions imply that you don't care about
amavis functionalities and just use it as a glue.
Since I've discussed amavis, please also be aware that, under the most
common config, it will cause each message to be basically scanned twice:
each attachment separately first, then the full message (with all the
attachments). If you can, just let clamav scan only the full message.

Third, carefully balance latency and performance. You can control the
number of scanning threads in clamd via the MaxThreads directive.
Performance-wise, the optimal number of threads is something between N
and N*2 (with N+1 or N+2 being likely the absolute best) where N is the
total number of cpu cores. Please note however that when all the scan
threads are busy, further requests will be queued and possibly refused.
You certainly want to have enough threads available so that scan
requests from the mta are not refused or delayed for too long. At the
same time avoid an excessive amount of threads as this only wastes
resources.

Fourth, avoid IO as much as possible. Despite the fact that clamav
mostly bottlenecks on the cpu, disk IO can very badly impact the
performance of clamd in busy environments. Besides reading the files to
be checked, clamd may internally generate quite a few temporary files.
Under small load these files are very short lived and never really touch
the disk, hence no time is spent on IO. However, under heavy load, the
kernel may decide to actually commit them to the disk (or to the
journal) in order to free some memory. This increases iowait and
negatively affects the scan performance.
If you have the choice, pick a box with more ram and slower disks and
use tmpfs for the clamd tempdir and the mta (or amavis) scan spool (not
the mail spool directory!).


Back to your specific issue, clamd can scan streams from the network.
All you have to do is to set up a tcp socket instead of (or in addition
to) the unix socket.
Then you need a clamd client that can properly communicate to a remote
clamd. Since clamav-milter is not an option in your case, the most
obvious choice is probably clamdscan via a tiny courier perlfilter
script or via amavisd.

Finally if you have more clamd's than mta's then you may want to fairly
distribute (load balance and fail over) scan requests to all the
available scanners. Again you have several options here ranging from
writing a piece of perl filter to manage the scan requests, to
routing mails to a second line of mta's (or amavisd's) in a (possibly
dns based) round robin fashion.


HtH,
--acab


Re: [Clamav-users] clamav-0.96rc1-19.1.i586.rpm

2010-04-17 Thread aCaB
Si St wrote:
> Whats the difference between:
> clamav-0.96rc1-19.1.i586.rpm
> and:
> clamav-0.96-27.1.i586.rpm
> ?

The RC is a release candidate package. It was issued before the final
0.96 release (the non-RC package).

> I am thinking of the "RC" specification of the package.
> Which one should I choose for my SLED_10_SP3?

There you go
http://software.opensuse.org/search?baseproject=SUSE%3ASLE-10&p=1&q=clamav



Re: [Clamav-users] LibClamAV Error: Can't load /usr/share/clamav/daily.cvd: Malformed database

2010-04-17 Thread aCaB
Christian Gonzalez wrote:
> Hi list,
> 
> As many, I've been affected by 0.94 EOL process. I successfully upgraded
> Clamav to 0.96 version but I'm still suffering from not being able to use
> it. I got this error:

Hi Christian,

please open a ticket at http://bugs.clamav.net
Just copy/paste the info in your email and also state your zlib version
and attach the problematic daily.cvd.

Cheers,
acab


Re: [Clamav-users] Sender and recipient of blocked messages not appearing in logs, only

2010-03-08 Thread aCaB
Nathan Gibbs wrote:
> * Dennis Peterson wrote:
>> This simple idea can be added to the clamd.conf configuration as a
>> VirusEvent script.
>>
> Now that's a pretty cool idea ( since the milter can't send email anymore
> ) and would work in his config.

Guys, please open a ticket. It's too late for 0.96, but will likely make
it into 0.96.1.

Thanks,
-aCaB


Re: [Clamav-users] Sender and recipient of blocked messages not appearing in logs, only

2010-03-08 Thread aCaB
Robert S wrote:
> I have been getting these messages in my logs when a message is detected as
> a virus:
> 
> Mar  8 08:44:56 mypc clamav-milter[6112]: Message o27LiRP8029635 from
>  to  with subject 'Important notice: Google'
> message-id 'UNKNOWN' date 'UNKNOWN' infected by
> Sanesecurity.Junk.22168.UNOFFICIAL
> 
> Is it possible to get some more information appearing than  as
> the sender and recipient?

Hi Robert,
You get "UNKNOWN" because you, your distro, or your package provider has
tuned the confMILTER_MACROS_ENVFROM variable (aka Milter.macros.envfrom
in .cf) in a way that hides that information from the milters.

For the record, clamav-milter uses: i, mail_addr, rcpt_addr, auth_authen
whenever available.

The sendmail default is: i, {auth_type}, {auth_authen}, {auth_ssf},
{auth_author},{mail_mailer}, {mail_host}, {mail_addr}.


If you are using postfix, double check your milter_XXX_macros directives.


HtH,
-aCaB


Re: [Clamav-users] clamd, clamav-milter: socket permissions

2010-01-07 Thread aCaB
Noah Sheppard wrote:
> When I start clamav-milter, it creates clmilter.socket like so:
> $ ls -l /var/clamav/clmilter.socket
> srwxr-xr-x 1 clamav clamav 0 Dec 29 16:02 /var/clamav/clmilter.socket
> 
> Because of the mode 755, postfix cannot write to clamav-milter's
> socket, so I have to manually 'chmod 755 /var/clamav/clmilter.socket' in
> order to make virus checking work. Unless somebody tells me otherwise,
> I am sure the modes are the default, at least for my distribution.

Hi Noah,

the milter socket is created by libmilter, which should obey the umask.
Just set it to suit your needs.

As for adding a dedicated option to clamav-milter, that's sure something
that can be done.

Please open a feature request ticket so it doesn't get forgotten.

Cheers,
-acab


Re: [Clamav-users] ExcludePath, defining absolute path

2009-12-16 Thread aCaB
dev.ad...@ntlworld.com wrote:
> Hi,
> 
> I know this is an old topic that seems to have caused
> some problems in the past and has apparently been fixed
> in version .3, but I still can't get it to work.
> 
> I'm using OSX and I would like to scan the boot volume
> but one of the directories is called 'Volumes' which
> contains directories and links to other volumes which I
> scan separately.
> 
> Is it possible to exclude an absolute path using the
> configure variable ExcludePath?
> 
> A.

Not sure I got the right picture but is "--cross-fs=no" what you are
looking for?

-aCaB


Re: [Clamav-users] ClamAV Memory Usage

2009-12-02 Thread aCaB
Gordan Bobic wrote:
> Hi,
> 
> Can anyone explain why clamd 0.95.3 might use 190MB of RAM after 5 days

The figure is "normal". In those 190MB there are likely ~110MB of
database and ~80MB of unused memory which is retained (by either libc or
the kernel) inside the process.
Unfortunately it's not very easy to determine the exact amount of
*really* used memory: you should subtract all unused maps (i.e.
/proc//maps) and libc non-returned heaps from the above figure.
You may be able to see a more ram usage figure via clamdtop.

> The database files under /var/lib/clamav use about 70MB.
> So, even assuming this is kept in memory at all times, where does the
> other 120MB come from?

Database files are not stored in ram as they are on disk. In fact, for
performance reasons, signatures are mostly arranged in tries. This
involves lots of pointers, structure alignment and other nasty things.
70MB are roughly equivalent to 90-100MB on 32 bit systems and 110-10MB
on a 64bit system.

-acab


Re: [Clamav-users] Quarantine issue with new 0.95.x clamav-milter

2009-11-10 Thread aCaB
Mark Costlow wrote:
> Prior to 0.95, I had my clamav-milter configured to quarantine messages
> and reject them.  So the sender got a 550 SMTP response, and we got
> a copy of the payload they were trying to send.
>
> In 0.95.3, I have the choice to tell the milter to Reject the message
> (which results in no quarantine) or to quarantine the message (which
> results in sendmail giving the sender a 200 "message accepted"
> response).

Hi,

This was requested and tried before. However it never worked and the
code was reverted.

Despite the libmilter API theoretically allowing quarantine+reject, in
practice, sendmail doesn't obey and only performs one of the actions
(reject but not quarantine, IIRC).

-acab


Re: [Clamav-users] Thoughts on software QA Testing (or lack thereof...)

2009-11-06 Thread aCaB
George R. Kasica wrote:
> In any case, if you're looking for a test spot for FC10, Solaris 9,
> RHEL4 I'd be happy to try to run some stuff here on a box - I'm not a
> programmer but I can do basic things if given clear steps or test the
> ability to at least get it to make etc in our QA/Test environment.

Hi George,
That would be cool!

There are basically two options.
The least intrusive is a small shell script to be run daily or so from
cron which posts results available here: http://farm.0xacab.net/
This only requires git, a compatible compiler and an ftp client.

The other one is to run a buildbot slave. Results are available at
http://www.0xacab.net:8010/waterfall

If you want to help with either, please mail Edwin or me off list.

Thanks,
-acab


Re: [Clamav-users] load issues due to sanesecurity signatures

2009-11-03 Thread aCaB
Steve,

I see more and more custom db related issues on this list...

Last week I offered some help to early diagnose possible problems before
they hit the end users and I was trying to establish some cooperation
with you and the other db providers in order to improve your QA process.

Just in case you missed that mail...

-aCaB


Re: [Clamav-users] [Fwd: [sanesecurity] x86_64 users: possible malformed database problems]

2009-11-03 Thread aCaB
G.W. Haywood wrote:
> I suspect that rather than QA, what you do is just a lot of hap-hazard
> testing.  That's why, whenever I see a new release of ClamAV, first I
> will suppress a groan and then, before I risk it on any of my servers,
> I'll wait a while and watch the users' list to see how much trouble it
> causes.  This approach serves me well, although I can't say I'm proud
> of the fact that I'm letting a lot of poor innocents do my acceptance
> testing for me.

Hi G.W. Haywood,

My mail was about custom databases provided by 3rd parties, not about
ClamAV release cycles.

Besides, you miss another point: ClamAV is open source software,
consisting of roughly 150K lines of C code and 65 signatures,
currently maintained by three full time developers, one and a half full
time sigmakers and a system administrator.

We ALWAYS ask our users to test the development head and provide
feedback because we cannot do it all on our own: we lack the man power
and we lack the infrastructure, but, most importantly, we lack YOUR
setup, YOUR deployment and YOUR environment.

With some very notable exceptions (which I would really like to thank),
it is a fact that, despite the repeated requests, not many people test
the code. You can look at the bugzilla being all quiet for weeks, then,
as soon as we release a new version, it suddenly gets flooded with tickets.

So, to conclude, if you want to get better releases, do your bit.

The only alternative is that we release what WE think is ok and we
re-release when YOU tell us it's not.


Thanks for the lesson,
-aCaB



Re: [Clamav-users] Clamav Postfix unix socket integration

2009-11-02 Thread aCaB
clamavl...@encambio.com wrote:
> Hello list,
> 
> Excuse the beginner question please.

Hi Brian,

To answer your final question: yes, it is possible. Yes you don't need
amavis.

However you seem a bit confused about postfix interfaces.
In particular the content_filter interface is not the same as the milter
interface.

I'd suggest you to start from http://www.postfix.org/MILTER_README.html
which will answer all your other questions.

Cheers,
-acab


Re: [Clamav-users] [Fwd: [sanesecurity] x86_64 users: possible malformed database problems]

2009-10-28 Thread aCaB
Steve Basford wrote:
> LibClamAV Error: mpool_malloc(): Attempt to allocate 2097152 bytes.
> Please report to http://bugs.clamav.net
> LibClamAV Error: cli_ac_addpatt: Can't realloc ac_pattable
> LibClamAV Error: cli_parse_add():
> 
> Thanks to the ClamAV team, the bug was fixed in the clamav-devel version:
> 
> clamav-devel:
> 
> +Sat Oct 24 15:06:50 CEST 2009 (acab)
> + * libclamav/mpool.c: increase max pool to 8M to allow loading huge
> custom dbs

Hi Steve,

The (now) increased pool size is around 16 times bigger than the largest
pool used by the official db, so it'll probably be ok for a while.


That said, we should still figure out a way to avoid this kind of
trouble in the future (same goes for the infamous "clamd crashes while
loading 3rd party db's" bug which plagued the early 0.95's).

On our side we do a lot of QA over our own signatures to make sure
things like that won't happen, but of course we can't guarantee the same
for 3rd party databases.
At the end of the day, any service disruption, even if caused by the use
of custom databases, is problematic and affects the entire ClamAV user
community.

I'm wondering if it would make sense for us to open up the QA side of
our infrastructure to you guys, in order to minimize this kind of
inconvenience.

I really believe something needs to happen here so that these types of
bugs can be caught quickly before they affect a number of users.

Thoughts?

aCaB



Re: [Clamav-users] Help with clamav-milter white list

2009-10-27 Thread aCaB
Jerry wrote:
> I am getting some legitimate mail tagged as SPAM. Below is the header
> from one such e-mail.
> 
> Return-Path: 
[...]
> From: freebsd-stable-requ...@freebsd.org
[...]
> Now, if I understand it correctly, just putting the following:
> "From:freebsd-stable-requ...@freebsd.org" sans quotation marks in a text

Jerry,
You should use something like "From:owner-freebsd-sta...@freebsd.org"


> Now, would this work: "from:hub.freebsd.org"? I am having a hard time
> figuring out exactly what needs to be in that file to white-list
> mail. :-(

No. Whitelisting based on the "Received" header is not supported as it
doesn't make much sense.

-aCaB


Re: [Clamav-users] VirusEvent based on signature file

2009-09-16 Thread aCaB
li...@truthisfreedom.org.uk wrote:
> I guess my question is two-fold:
> 
> a) Is this possible with ClamAV or do I need to look elsewhere?
> b) What's the best way to achieve this.

Hi,

It is certainly possible.
As for the HOW, that mostly depends on how you interface with the ftp
server.
If your ftpd accepts only a YES/NO type of answer (which I presume), and
can't take actions based on the reported virus name then you'll need to
be a bit creative.
For example you run a main clamd with the full db loaded which reports
to the ftpd. This should keep away most of the known badware.

Then you scan each uploaded file a second time but with only one or a
few custom signatures (e.g. "base64_decode") and report the "suspect"
file to yourself.
How to trigger this second scan depends again on your ftpd. If it's got
post-upload hooks, then you should probably use them. Otherwise you can
setup a small cron job using "find -mtime" and clamscan to check the
whole ftp space.

HtH,
-acab


Re: [Clamav-users] clamav-milter whitelist not always working

2009-09-08 Thread aCaB
Jerry wrote:
> OK, I see. I am not sure who created the default clamav-milter.conf for
> FreeBSD; however, the instruction could have been clearer. As you can
> see from the snippet I supplied in the original post, the only
> specifications are either 'To:' or 'From:', not the "MAIL FROM" or
> "RCPT TO" commands.

Hi Jerry,

The wording can sure be improved; however, it seems pretty clear to me
that "From:" and "To:" refer to the whitelist file format and not
to the mail headers:

"Optionally each line can start with the string "From:" or "To:" (note:
no whitespace after the colon) indicating if it is, respectively, the
sender or recipient that is to be whitelisted."

-aCaB


Re: [Clamav-users] clamav-milter whitelist not always working

2009-09-03 Thread aCaB
Jerry wrote:
> FreeBSD-7.2
> 
> I am having a problem getting the clamav-milter whitelist to work
> correctly. This is a snippet of the clamav-whitelist.txt file:

> To:freebsd-questi...@freebsd.org

Whitelisting is NOT based on the mail header fields (To:, From:) but on
the "MAIL FROM" and "RCPT TO" SMTP commands.

In this very case, from a wild guess, it looks like they are:

From:   vvv
> Return-Path: 

> Received: from scorpio.seibercom.net (localhost [127.0.0.1])
>   by scorpio.seibercom.net (Postfix) with ESMTP id 41CFB2290F
>   for ; Thu,  3 Sep 2009 09:04:30 -0400 (EDT)
TO:  


HtH,
-aCaB
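The whitelist semantics described in the three clamav-milter whitelist replies above (one regular expression per line, optional "From:"/"To:" prefix with no whitespace after the colon, matched against the SMTP envelope rather than the header fields), modelled in Python as an added example that is not clamav-milter's own code. The addresses are constructed, and the case-insensitive unanchored matching and the "any recipient matches" rule for To: entries are assumptions of this model.

```python
"""Model of the clamav-milter whitelist file semantics (added example, not
clamav-milter code).  One regular expression per line, optionally prefixed
with "From:" or "To:" (no space after the colon); matched against the SMTP
envelope (MAIL FROM / RCPT TO), never against the From:/To: header fields.
Case-insensitive, unanchored search and "any recipient matches" for To:
rules are assumptions of this model; the addresses are constructed."""
import re
from collections import namedtuple

Rule = namedtuple("Rule", "scope pattern")    # scope: "from", "to" or "any"

# Constructed whitelist: dots are escaped because each entry is a regex and
# an unescaped "." would also match e.g. "exampleXorg".
SAMPLE_WHITELIST = """
# list traffic: envelope sender is owner-list@, not the header's list-request@
From:^owner-list@example\\.org$
To:^postmaster@example\\.org$
"""


def parse_whitelist(text):
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        scope = "any"
        if line.startswith("From:"):
            scope, line = "from", line[len("From:"):]
        elif line.startswith("To:"):
            scope, line = "to", line[len("To:"):]
        if not line:            # a bare "From:" would whitelist everything
            raise ValueError(f"empty pattern in whitelist line {raw!r}")
        rules.append(Rule(scope, re.compile(line, re.IGNORECASE)))
    return rules


def is_whitelisted(rules, envelope_from, envelope_rcpts):
    """True if the envelope sender matches a From:/unscoped rule or any
    envelope recipient matches a To:/unscoped rule.  Header fields are
    deliberately not an input: they are trivially forged and are not what
    the milter sees at MAIL FROM / RCPT TO time."""
    for rule in rules:
        if rule.scope != "to" and rule.pattern.search(envelope_from):
            return True
        if rule.scope != "from" and any(rule.pattern.search(r) for r in envelope_rcpts):
            return True
    return False


def demo():
    """The mailing-list case from the thread, with constructed addresses:
    the header says list-request@, the envelope says owner-list@."""
    rules = parse_whitelist(SAMPLE_WHITELIST)
    return {
        "envelope owner-list@ (whitelisted)":
            is_whitelisted(rules, "owner-list@example.org", ["alice@example.net"]),
        "header-style list-request@ as envelope (not whitelisted)":
            is_whitelisted(rules, "list-request@example.org", ["alice@example.net"]),
        "to postmaster@ among several recipients (whitelisted)":
            is_whitelisted(rules, "anyone@example.com",
                           ["bob@example.net", "postmaster@example.org"]),
        "postmaster@ only as sender (To: rule does not apply)":
            is_whitelisted(rules, "postmaster@example.org", ["bob@example.net"]),
    }
```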


Re: [Clamav-users] Configuring "SkipAuthenticated" users in clamav-milter

2009-08-28 Thread aCaB
Jerry wrote:
> How clamav-milter would handle an external file is also a concern.
> Would it read it only upon start up, or reread it whenever it is
> modified? The latter method would eliminate the need to restart the
> milter if the file is modified making system management easier. Perhaps
> having it reread the file a preset interval like clamd does with it's
> definition files would be acceptable.

That would not be the unix way. The unix way is to read config files on
startup and on HUP or USR. However signaling in the milter is
problematic because libmilter does its own signal catching; that's
braindead, if you ask me, but that's the way it is.

-aCaB



Re: [Clamav-users] Configuring "SkipAuthenticated" users in clamav-milter

2009-08-28 Thread aCaB
Jerry wrote:
> If not, would this syntax work in the
> clamav-milter.conf file?
> 
> SkipAuthenticated ^(m...@hostname.mydomain.net \
>   y...@hostname.mydomain.net \
> ot...@hostname.mydomain.net)$

Unfortunately not.
The feature was requested by a single person (who also provided a draft
patch to whitelist *all* auth'ed users). I took the idea and made it use
a regex as I thought it would allow whitelisting things like "@domain"
with ease.

If this doesn't work for you (I can certainly see why) then please open
a ticket on the bugzilla to optionally make it read entries from a file.
When time permits I'll work on that.

-aCaB


Re: [Clamav-users] HAVP + Linux RAMdisk errors

2009-08-17 Thread aCaB
Strykar wrote:
> Good question, could ClamAV developers comment on this?
> Would TmpFS be more effective as it would start writing to /swap if the
> system runs out of memory instead of stating "Out of memory" and stopping
> the process?

Hi,

My suggestion is that, if you are using sane limits in havp, which is
BTW a good idea, tmpfs is the best approach.
Let's put it this way... If your system is swapping due to a few 5-10
meg tmpfs files, then it's likely that it's going to be swapping
anyway. In fact, in most cases, scanning any file is going to take up
more memory than its bare size.

Cheers,
-aCaB


Re: [Clamav-users] Clamd socket stops responding during databas reload

2009-08-13 Thread aCaB
Sergey Yudin wrote:
> When clamd reloads new database it stops responding requests via local
> socket. For example DansGuardian reports "Exception whist reading ClamD
> socket: Can't read from socket"

Hi Sergey,

Please head to http://bugs.clamav.net/ and open a ticket.

Thanks,
acab


Re: [Clamav-users] How do I send a link to a site with virus?

2009-07-30 Thread aCaB
elias alves wrote:
> I received an email saying to be called a bank Bradesco, he is a
> Brazilian bank, the more it does not link to the site of Bradesco, is
> most often contains malware, to capture the password of users, how do
> I send the link?
> 
> 
> Because here I can send it without problems?

Please save the mail and upload it to
http://www.clamav.net/sendvirus/

Thanks,
-acab


Re: [Clamav-users] clamav-milter with postfix

2009-06-22 Thread aCaB
Jerry wrote:
> I am about to set up a new installation of Postfix and clamav-milter on
> a FreeBSD-7.2 system. On my present system I have clamsmtp installed. I
> was thinking that clamav-milter might be a better choice.
> 
> Can anyone supply me with a basic template for getting clamav-milter
> working with Postfix? I have the latest version of Postfix-2.6x and
> clamav installed.

For the postfix side, all you need is something like:
smtpd_milters = unix:/path/to/clamav-milter.socket
non_smtpd_milters = unix:/path/to/clamav-milter.socket
in your main.cf.

For the clamav-milter side I'd suggest to start from the provided sample
config, fix the sockets and paths and try running it. If things work,
you can get back to it and tweak the other options so that it suits your
needs.

> also, am I correct in assuming that clamav-milter will only add a
> header to the the infected email but not modify the SUBJECT: line?

You are correct.

-acab


Re: [Clamav-users] Permission changes and STREAM command depreciation

2009-06-22 Thread aCaB
Thiyaga wrote:
> Hi,
> 
> We are using Clamd in our organization for catching viruses. It would be
> very helpful if you consider doing the following few minor changes or
> suggestions

Hi,
Please open 2 feature request tickets on the bugzilla.

> Also, could you please let us know if STREAM command will be completely
> removed from Clamd in future versions (as it has been deprecated
> recently)? We use STREAM command through load balancer (VIP) and it is
> very useful to us.

This is totally undecided, anyway not anytime soon. Maybe in one year
from now or so.
This should give anyone enough time to switch to INSTREAM or FILDES.

-aCaB


Re: [Clamav-users] Suggestion - make the source package available without the main.cvd database

2009-06-18 Thread aCaB
Per Jessen wrote:
> Any chance of making the source package available without the current
> cvd databases?  The current package is 24Mb, without the CVD it's only
> 3Mb.  Just a suggestion, but it might just save some bandwidth.

Hi Per,
we pack main.cvd into the tarball to alleviate some load from the mirrors.
If you only want the code you can simply grab a branch off the svn.

-acab


Re: [Clamav-users] Upgrade very old Clamav

2009-05-25 Thread aCaB
M. Lewis wrote:
> I have a client who for a variety of reasons is still running Fedora 
> Core 3. I know he has worse problems that Clamav being out of date with 
> this, but I'm wondering if there is a way to get Clamav up to date on 
> this system.
> 
> Previously all upgrades were done via RPM, which of course has not been 
> possible for a long time.
> 
> If I were to remove the existing clamav (clamav-0.88.7-1) and install 
> the current version from source, are the libraries and all there that 
> are needed to compile the current version on this old machine? I would 
> think probably they are not, but I'd like to confirm this with someone 
> more knowledgeable.

Hi,

if you have gcc 2.95 or less, then forget about compiling it. You will
get all sorts of compilation errors. Working around them is not trivial, BTW.

If you can somehow get a gcc 3.x installed then you should be able to
compile clamav without major problems.
Old libraries should link ok (although most of them are probably
exploitable), with the exception of libmilter. If you don't need
clamav-milter that shouldn't really bother you.

-acab


Re: [Clamav-users] Virus submission timing

2009-05-18 Thread aCaB
Dan wrote:
> So you would prefer we submit directly to ClamAV at
> <http://cgi.clamav.net/sendvirus.cgi>

Yes, we do.

-acab


Re: [Clamav-users] How exactly does the API function in ClamAV source?

2009-05-18 Thread aCaB
Stormont, Stephen (IMS) wrote:
> We are thinking of utilizing ClamAV, but we wanted to know exactly 
> how the API is implemented.  Does the client make a socket connection to a 
> daemon.  Or does the client load a shared object file which includes the 
> provided functionality.  Or does the client make a shell call to use a 
> command line utility.  Or is there some other method?

Hi,
All the three.
Your options are:

1- link your code to libclamav
2- run the clamav daemon (clamd), connect to it via a tcp or unix
socket, and speak the clamd proto
3- run one of the provided clients and parse their output. clamscan is
linked to libclamav, clamdscan talks to the daemon instead.

Everything is documented at http://www.clamav.net/doc/latest/html/
and in the tools manpages.


-acab
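Option 2 above (speaking the clamd protocol over a TCP socket) combined with the multi-scanner fail-over suggested in the "ClamAV over Network" reply earlier on this page, as an added Python example that is not ClamAV's own code: it frames one INSTREAM request, parses the reply, and round-robins over several clamd's, skipping any that are unreachable. The host names, port 3310 and the FakeClamd transport are constructed so it runs offline.

```python
"""Clamd INSTREAM client with round-robin fail-over across several clamd TCP
endpoints (added example, not ClamAV code; host names and FakeClamd are constructed)."""
import itertools
import socket
import struct

CHUNK = 64 * 1024      # stream the data in 64 KiB pieces

def frame_instream(data):
    """Bytes sent for one INSTREAM scan: NUL-terminated command, then
    <4-byte big-endian length><bytes> chunks, then a zero-length chunk."""
    parts = [b"zINSTREAM\0"]
    for off in range(0, len(data), CHUNK):
        piece = data[off:off + CHUNK]
        parts.append(struct.pack("!I", len(piece)) + piece)
    parts.append(struct.pack("!I", 0))          # end-of-stream marker
    return b"".join(parts)

def parse_reply(reply):
    """'stream: OK' -> ('OK', ''); 'stream: <name> FOUND' -> ('FOUND', name);
    anything else (size-limit ERROR, truncated answer) -> ('ERROR', text)."""
    text = reply.split(b"\0", 1)[0].decode("utf-8", "replace").strip()
    if text == "stream: OK":
        return "OK", ""
    if text.startswith("stream: ") and text.endswith(" FOUND"):
        return "FOUND", text[len("stream: "):-len(" FOUND")]
    return "ERROR", text        # a malformed reply never counts as clean

def _read_reply(conn):
    """Read until the NUL that terminates the reply to a 'z'-prefixed command."""
    buf = b""
    while b"\0" not in buf:
        data = conn.recv(4096)
        if not data:                # peer closed early: parse what we have
            break
        buf += data
    return buf

class ClamdPool:
    """Spread scans round-robin over clamd endpoints, skipping dead ones.
    opener(host, port) returns a socket-like context manager; the default
    opens a real TCP connection (clamd.conf needs TCPSocket/TCPAddr)."""

    def __init__(self, servers, timeout=30.0, opener=None):
        self.servers = list(servers)
        self._next = itertools.cycle(range(len(self.servers)))
        self._open = opener or (lambda h, p: socket.create_connection((h, p), timeout))

    def scan(self, data):
        """Return (status, detail, host) from the first reachable clamd."""
        payload = frame_instream(data)
        start = next(self._next)
        last_error = None
        for i in range(len(self.servers)):
            host, port = self.servers[(start + i) % len(self.servers)]
            try:
                with self._open(host, port) as conn:
                    conn.sendall(payload)
                    reply = _read_reply(conn)
            except OSError as exc:      # refused, timed out, reset, ...
                last_error = exc
                continue
            status, detail = parse_reply(reply)
            return status, detail, host
        raise ConnectionError(f"no clamd reachable: {last_error}")

class FakeClamd:
    """Offline stand-in for a clamd socket (constructed for this example):
    answers with a canned reply once it has seen the zero-length chunk."""

    def __init__(self, reply):
        self.reply, self.received = reply, b""

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def sendall(self, data):
        self.received += data

    def recv(self, n):
        if not self.received.endswith(struct.pack("!I", 0)):
            raise OSError("client never terminated the stream")
        out, self.reply = self.reply[:n], self.reply[n:]
        return out

def demo_failover():
    """scan1 is 'down' (constructed); the pool must fall through to scan2."""
    def opener(host, port):
        if host == "scan1.example.net":
            raise ConnectionRefusedError(f"{host}:{port} is down")
        return FakeClamd(b"stream: Eicar-Test-Signature FOUND\0")

    pool = ClamdPool([("scan1.example.net", 3310), ("scan2.example.net", 3310)], opener=opener)
    return pool.scan(b"constructed sample upload")
```

With a real clamd, set StreamMaxLength in clamd.conf large enough for your uploads, since an oversized stream comes back as an ERROR reply rather than a verdict.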


Re: [Clamav-users] Virus submission timing

2009-05-18 Thread aCaB
Dan wrote:
> Hi,
> 
> After submitting something to VirusTotal, and getting the response 
> back that shows only one or two products detected it as a virus...
> 
> VirusTotal then automatically forwards the item to all the vendors? 

Yes, if the vendor asks for the stuff. Yes we do receive samples we miss
at VT.

> Or is there further action required by me to initiate this?

Since VT feeds are pretty massive and contain very random files
(including false positives from other vendors, lots of tests - the bad
guys know about VT as well) we generally classify those samples as low
priority.
On the other hand, user submissions have a much higher priority and are
generally processed first.

> Once the ClamAV team receives the virus, on average currently how 
> long before its sig is added to the database?

Due to the huge number of submissions we have to process it is really
hard to tell. It mostly depends on the severity of the threat, that is,
how many of such samples we've already received. Big outbreaks generally
take less than one hour. Unique samples may need several days to be
processed.

-aCaB


Re: [Clamav-users] disable milter syslog

2009-05-14 Thread aCaB
martinnitram wrote:
>  and at maillog, milter always log like this (set "LogClean no" at
> clamd.conf):
>sendmail[3783]: Milter change (add): header: X-Virus-Scanned:
> clamav-milter 0.95.1 at localhost
>sendmail[3783]: Milter change (add): header: X-Virus-Status: Clean
>  
> 
>   so, the milter message at maillog related to sendmail or clamav-milter?

Note the "sendmail[3783]:" prefix.
This stuff doesn't come from the milter, otherwise it would read
"clamav-milter:...".

Any milter loglevel setting > 8 in *sendmail* makes those lines appear in
your logs.

HtH,
acab


Re: [Clamav-users] disable milter syslog

2009-05-13 Thread aCaB
martinnitram wrote:
>   Because just want milter to log message to file that specify at 'LogFile',
> so set LogSyslog no to disable syslog logging. But found that milter still
> log to the maillog file (at FC9) no matter the email is infected or clean
> one. 
> 
>   Is it normal for clamav 0.95.1? Thank for helping

Hi,
It is not.
However make sure the loglevel *in sendmail* is setup properly.

-acab


Re: [Clamav-users] VIRUS? PHISH? "Western Union Transfer MTCN: 0258258718"

2009-05-12 Thread aCaB
Charles Gregory wrote:
> Greetings!
> 

Hi,
The right place for malware and suspected malware submissions is:
http://www.clamav.net/sendvirus/

aCaB


Re: [Clamav-users] Problems with upgrade to 0.95.1

2009-05-05 Thread aCaB
Frank Bures wrote:
> May  4 09:13:13 alchemy sendmail[27492]: n44DDBf8027492: Milter (clamav):
> write(L) returned -1, expected 61: Broken pipe
> May  4 09:13:13 alchemy sendmail[27492]: n44DDBf8027492: Milter (clamav):
> to error state
> May  4 09:13:13 alchemy sendmail[27454]: n44DDAda027454: Milter (clamav):
> write(L) returned -1, expected 91: Broken pipe
> May  4 09:13:13 alchemy sendmail[27454]: n44DDAda027454: Milter (clamav):
> to error state
> May  4 09:13:19 alchemy sendmail[27261]: n44DCvN5027261: Milter (clamav):
> write(D) returned -1, expected 201: Broken pipe
> May  4 09:13:19 alchemy sendmail[27261]: n44DCvN5027261: Milter (clamav):
> to error state
> May  4 09:13:37 alchemy sendmail[27057]: n44DCaW0027057: Milter (clamav):
> write(Q) returned -1, expected 5: Broken pipe
> May  4 09:13:37 alchemy sendmail[27057]: n44DCaW0027057: Milter (clamav):
> to error state
> May  4 09:13:57 alchemy sendmail[27255]: n44DCvuW027255: Milter (clamav):
> write(Q) returned -1, expected 5: Broken pipe
> May  4 09:13:57 alchemy sendmail[27255]: n44DCvuW027255: Milter (clamav):
> to error state
> May  4 09:14:11 alchemy sendmail[27332]: n44DD1nU027332: Milter (clamav):
> write(Q) returned -1, expected 5: Broken pipe
> May  4 09:14:11 alchemy sendmail[27332]: n44DD1nU027332: Milter (clamav):
> to error state
> May  4 09:14:51 alchemy sendmail[28578]: n44DEpeg028578: Milter (clamav):
> error connecting to filter: Connection refused by
> /var/run/clamd/clamav-milter.sock
> May  4 09:14:57 alchemy sendmail[28611]: n44DEvw8028611: Milter (clamav):
> error connecting to filter: Connection refused by
> /var/run/clamd/clamav-milter.sock
> May  4 09:15:03 alchemy sendmail[28661]: n44DF34I028661: Milter (clamav):
> error connecting to filter: Connection refused by
> /var/run/clamd/clamav-milter.sock

Up to this point ^^^ clamav milter was not running or hung or the socket
privs were not right.

> May  4 09:15:07 alchemy clamav-milter[28717]: Local socket
> unix:/var/run/clamd/clamav.sock added to the pool (slot 1)
> May  4 09:15:07 alchemy clamav-milter[28717]: Probe for slot 1 returned:
> success

This ^^^ is clamav milter talking to clamd. Usually you get this kind of
messages at startup so my guess is that before 9:15 clamav-milter was
not running at all.

> May  4 09:15:20 alchemy sendmail[28865]: n44DFI7f028865: Milter change:
> header X-Virus-Scanned: from by amavisd-new at nmrweb.chem.utoronto.ca to
> clamav-milter 0.95.1 at alchemy.chem.utoronto.ca
>
> May  4 09:16:37 alchemy sendmail[29470]: n44DGbHN029470: Milter change:
> header X-Virus-Scanned: from Debian amavisd-new at ldl.fc.hp.com to
> clamav-milter 0.95.1 at alchemy.chem.utoronto.ca

These ^^^ are the sign that clamav-milter is alive and working fine.
However these lines are NOT coming from clamav milter but rather from
sendmail.

> There were many incoming messages between 09:15:20 and 09:16:37 that were
> silently ignored by the Milter.

No idea TBH... Were they whitelisted?
Try setting LogVerbose yes or increase verbosity in confMILTER_LOG_LEVEL.

--aCaB


Re: [Clamav-users] "Virus Infected" Message for recipient

2009-04-30 Thread aCaB
martinnitram wrote:
> At clamav 0.94, it can config clamav-milter that send a "Virus Infected"
> notify email to recipient when a virus scanned. But from 0.95.1, the milter
> only had 'Blackhole' option that direct drop the virus email without any
> user notification like 0.94. Is that had any option for milter at 0.95.1 to
> do this? Thank.


http://lurker.clamav.net/message/20090326.132413.b9e348ec.hu.html

-aCaB


Re: [Clamav-users] Using milter_watch

2009-04-29 Thread aCaB
cla...@pcez.com wrote:
> clamav-milter[3037]: ClamAV: st_optionneg[-162030672]: 0x1f does not 
> fulfill action requirements 0x30
> 
> Anyone have an idea on how to fix this problem?

Not really, but from the look of it I believe it's a protocol version
mismatch between the milter and the watcher.
Maybe check if a newer version of milter watch is available.

-aCaB


Re: [Clamav-users] clamav-0.95.1/clamav-milter does not insert headers in messages

2009-04-24 Thread aCaB
Robert S wrote:
> Can this be changed to the original detailed form?  An altered header could 
> potentially cause a mail system to break.

Hi,
Sorry, not at this point. Next time please submit such requests during
the RC stage.

> Where can I find a list of _all_ the options for /etc/clamav-milter.conf? 

For 0.95.1:
http://svn.clamav.net/svn/clamav-devel/tags/clamav-0.95.1/etc/clamav-milter.conf


-acab


Re: [Clamav-users] clamav-0.95.1/clamav-milter does not insert headers in messages

2009-04-21 Thread aCaB
Robert S wrote:
> Is there a missing option in my configs or

You are probably looking for the "AddHeader" option.

--acab


Re: [Clamav-users] clamav-milter 0.95.1 logging deficiencies

2009-04-17 Thread aCaB
Kevin Clark wrote:
> Craig is correct - I would like clamav-milter to log clean files as well as 
> infected ones much like it used to.

Hi Kevin,
I think this is pretty pointless as that would basically duplicate any
line already in the logs. That's especially true if you are logging via
syslog.
Try opening a request on the bugzilla. It may or may not be considered,
mostly depending on how many people need such a feature.

> Also, I like having the log entries in /var/log/maillog because then I have a 
> single log file from which I can determine that a message was scanned by all 
> (or maybe none because of whitelisting) of the Milters we have running on the 
> system.

Clamav-milter already gives you enough logging options to achieve that.


-aCaB


Re: [Clamav-users] clamav-milter 0.95.1 logging deficiencies

2009-04-16 Thread aCaB
Kevin Clark wrote:
> I appreciate the quick response but I'm sorry to say that making the changes 
> you suggested to clamav-milter.conf does not have the desired effect.
> 
> With these values in clamav-milter.conf...
> 
> LogFile /var/log/clamav/clamav-milter.log
> LogSyslog yes
> LogFacility LOG_MAIL
> LogInfected Full
> 
> ...clamav-milter still does not log every scanning event to either 
> /var/log/maillog or its own logfile /var/log/clamav/clamav-milter.log

Hi Kevin,

As you may guess, "LogInfected" logs infected messages.
Your mail log should already have logs for each mail passed through your
box. With the above setup Clamav milter additionally tells you which of
those mails were infected.


What am I missing?

-acab


Re: [Clamav-users] clamav-milter 0.95.1 logging deficiencies

2009-04-15 Thread aCaB
Kevin Clark wrote:
> I'm following up on a previous post about logging to maillog:
> 
> http://lurker.clamav.net/message/20090408.063308.16623e5a.en.html
> 
> I am using Sendmail 8.13 on CentOS-4 but whereas previously with 0.94.2 I 
> would get a log entry in /var/log/maillog for every scanned message I now 
> only get a log event for infected messages or those with an existing 
> "X-Virus-Scanned" or "X-Virus-Status" header.

This won't happen with:
> LogSyslog disabled
> LogFacility = "LOG_LOCAL6"

If you want messages logged to syslog, please config those options properly.

> I have configured clamd to log every scanning event to 
> /var/log/clamav/clamd.log but whereas before it would log a message ID and 
> status I can now only get entries like these:

Clamd has got no idea about message ids. Clamav-milter does. The place
to look for them is therefore clamav-milter.log (or syslog if you follow
the advice above).

> I would appreciate some guidance on whether I am missing something obvious in 
> the configuration that would allow me to:

See above.

> 1) log every scanning event in /var/log/maillog

In *clamav-milter.conf* set:
LogSyslog yes
LogFacility LOG_MAIL
LogInfected Basic or LogInfected Full

> 2) get more detailed log entries in /var/log/clamav/clamd.log

If "more detailed" means "i want the message id's" then forget about
that. Clamd does not know what a message id is.
Again, the place for id's is clamav-milter's log.

HtH,
--acab



Re: [Clamav-users] How do I prevent ClamAV from renaming quarantined files?

2009-04-15 Thread aCaB
Aditya Nag wrote:
> Hi,
> 
> I'm running ClamAV on a Samba server. It's working fine, doing everything
> it's supposed to and all that, but I have a small problem. I've configured
> it to quarantine suspected files, but it automatically renames the files to
> vir-XYZABC, where XYZABC is a random string. I'd like to preserve the
> original filename, so that I know what has been infected. How do I go about
> doing this?

Hi Aditya,

Please clarify how you are running clamav to scan your files.
This sounds like a 3rd party tool.

--acab


Re: [Clamav-users] clamav-milter 0.95 ReadTimeout

2009-04-07 Thread aCaB
James Kosin wrote:
> Everyone,
> 
> Ok, new thread.
> 
> The ReadTimeout description in the configuration file for
> clamav-milter.conf says that setting this value to 0 disables the
> timeout.  This appears not to be the case and actually honors a timeout
> value of 0-seconds, meaning clamav-milter is reporting that clamd is not
> responding or failed.

Fixed in r5030.

Thanks,
-aCaB



Re: [Clamav-users] logging to maillog

2009-04-06 Thread aCaB
Ebrahim Abrahams wrote:
> Hi
> 
> I am having trouble getting the clamav-milter to log what has been scanned
> or infected to the maillog.
> 
> I have enable the following settings in clamav-milter.conf
> 
> AddHeader yes
> LogSyslog yes
> LogFacility LOG_MAIL
> LogVerbose yes
> 
> Can someone please assist.
> 
> Regards

Hi Ebrahim,

What's the problem?
It works fine here:
1337ness:/home/acab# grep clamav-milter /var/log/mail.log
Apr  6 15:28:13 1337ness clamav-milter[3546]: Local socket
unix:/tmp/clamd.socket added to the pool (slot 1)
Apr  6 15:28:13 1337ness clamav-milter[3546]: Remote socket
tcp:192.168.0.105:3310 added to the pool (slot 2)
Apr  6 15:28:13 1337ness clamav-milter[3546]: Remote socket
tcp:192.168.0.107:44203 added to the pool (slot 3)
Apr  6 15:28:13 1337ness clamav-milter[3546]: Probe for slot 1 returned:
success
Apr  6 15:28:13 1337ness clamav-milter[3546]: Failed to establish a
connection to clamd
Apr  6 15:28:13 1337ness clamav-milter[3546]: Probe for slot 2 returned:
failed
Apr  6 15:28:13 1337ness clamav-milter[3546]: Failed to establish a
connection to clamd
Apr  6 15:28:13 1337ness clamav-milter[3546]: Probe for slot 3 returned:
failed
Apr  6 15:29:09 1337ness clamav-milter[3546]: Message D3BC2126B54 from
 to  with subject 'eicar' message-id
'<20090406132909.ga4...@darqness>' date 'Mon, 6 Apr 2009 15:29:09 +0200'
infected by ClamAV-Test-File

Cheers,
-acab
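The two log excerpts above, the sendmail "Milter (clamav): ... Broken pipe / to error state / error connecting to filter" lines from the 0.95.1 upgrade thread and the clamav-milter "Probe for slot N returned" and "Message <qid> ... infected by <Sig>" lines shown here, are exactly the lines an operator greps for when something is wrong. As an added Python example (not ClamAV project code), here is a small triage parser that classifies those lines and aggregates them. The SAMPLE_LOG is constructed for this example: queue ids, host name and timestamps are copied from or modelled on the excerpts above, the addresses, message-ids and the second queue id 7A1F0126B60 are made up, and the exact form of the sender and recipient between "from" and "to" is an assumption, since the archive stripped them (the parser therefore accepts an empty field there).

```python
import re
from collections import Counter

# Common syslog prefix: "Apr  6 15:29:09 host program[pid]: "
_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "

# clamav-milter detection line (LogInfected Full): queue id, envelope, subject, signature
INFECTED_RE = re.compile(
    _TS + r"clamav-milter\[(?P<pid>\d+)\]: Message (?P<qid>\S+) from (?P<from>\S*) to (?P<to>\S*) "
    r"with subject '(?P<subject>.*)' message-id '(?P<msgid>[^']*)' date '(?P<date>[^']*)' "
    r"infected by (?P<sig>\S+)$")

# clamav-milter start-up: did each configured clamd slot answer the probe?
PROBE_RE = re.compile(
    _TS + r"clamav-milter\[(?P<pid>\d+)\]: Probe for slot (?P<slot>\d+) returned: (?P<result>success|failed)$")

# sendmail's own view of the milter session for a queue id
SENDMAIL_RE = re.compile(
    _TS + r"sendmail\[(?P<pid>\d+)\]: (?P<qid>\S+): Milter \((?P<milter>[^)]+)\): (?P<msg>.*)$")

# Substrings that mean sendmail lost the milter (message then passes unscanned or is
# tempfailed, depending on the F= flag in the INPUT_MAIL_FILTER definition)
_MILTER_FAILURE_MARKERS = ("Broken pipe", "error connecting to filter", "to error state")

# Constructed sample, modelled on the excerpts quoted in this thread.
SAMPLE_LOG = """\
May  4 09:13:13 alchemy sendmail[27492]: n44DDBf8027492: Milter (clamav): write(L) returned -1, expected 61: Broken pipe
May  4 09:13:13 alchemy sendmail[27492]: n44DDBf8027492: Milter (clamav): to error state
May  4 09:14:51 alchemy sendmail[28578]: n44DEpeg028578: Milter (clamav): error connecting to filter: Connection refused by /var/run/clamd/clamav-milter.sock
May  4 09:15:07 alchemy clamav-milter[28717]: Local socket unix:/var/run/clamd/clamav.sock added to the pool (slot 1)
May  4 09:15:07 alchemy clamav-milter[28717]: Probe for slot 1 returned: success
May  4 09:15:07 alchemy clamav-milter[28717]: Probe for slot 2 returned: failed
May  4 09:16:02 alchemy clamav-milter[28717]: Message D3BC2126B54 from  to  with subject 'eicar' message-id '<20090406132909.GA4321@example.org>' date 'Mon, 6 Apr 2009 15:29:09 +0200' infected by ClamAV-Test-File
May  4 09:17:40 alchemy clamav-milter[28717]: Message 7A1F0126B60 from <alice@example.org> to <bob@example.net> with subject 'eicar, second copy' message-id '<second@example.org>' date 'Mon, 4 May 2009 09:17:39 -0400' infected by Eicar-Test-Signature
"""


def parse_line(line):
    """Classify one syslog line. Returns a dict with a 'kind' key, or None if unrelated."""
    m = INFECTED_RE.match(line)
    if m:
        return dict(m.groupdict(), kind="infected")
    m = PROBE_RE.match(line)
    if m:
        return dict(m.groupdict(), kind="probe")
    m = SENDMAIL_RE.match(line)
    if m:
        failed = any(k in m.group("msg") for k in _MILTER_FAILURE_MARKERS)
        return dict(m.groupdict(), kind="milter_failure" if failed else "milter_info")
    return None


def summarize(text):
    """Aggregate a log: infections per signature, clamd slots whose probe failed,
    and sendmail queue ids whose milter session broke (i.e. mail that was not scanned)."""
    infections, failed_slots, broken = Counter(), [], []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "infected":
            infections[rec["sig"]] += 1
        elif rec["kind"] == "probe" and rec["result"] == "failed":
            failed_slots.append(int(rec["slot"]))
        elif rec["kind"] == "milter_failure" and rec["qid"] not in broken:
            broken.append(rec["qid"])
    return {"infections": dict(infections), "failed_slots": failed_slots, "broken_sessions": broken}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The "broken_sessions" list is the one to alert on: every queue id in it is a message sendmail handed off while the milter was down, so it was either tempfailed or delivered without a scan. A failed probe slot is the usual root cause (clamd not up yet, wrong socket path, socket permissions), so the two summaries are best read together.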


Re: [Clamav-users] clamav-milter 0.95

2009-04-06 Thread aCaB
Ed Kasky wrote:
> Any idea when a new release can be expected?  My 0.95 milter install 
> has found nothing since upgrading and was quarantining between 8 and 
> 20 weekly (small company) since my first installation.

Hi Ed,

0.95.1 is currently being tested and is planned to be released later
today or tomorrow, unless some of the tests fail.

-acab


Re: [Clamav-users] How do I handle quarantined messages on clamav-milter-0.95?

2009-04-06 Thread aCaB
Robert S wrote:
> I've just installed 0.95. The quarantine system seems to have changed -
> messages are in /var/spool/mqueue and the sendmail queue now. It used to be
> possible to use the --quarantine-dir command-line option to set a quarantine
> directory but this is no longer available.  What is the best way to handle
> these? Should I set up a cron job to delete these after a certain number of
> days or does sendmail do this for me?

Hi Robert,

the idea with the quarantine feature is that it gives the SA a chance to
review virus or otherwise tagged messages instead of
rejecting/dev-nulling them right away.

The quarantine queue is pretty much like the main message queue, except
it is generally managed with the '-qQ' option to mailq and sendmail.
Refer to the manpage for a complete description and usage examples.

A quick google search also reveals a few ready made sendmail quarantine
managers.

-aCaB


Re: [Clamav-users] vmlinux broken executable

2009-04-06 Thread aCaB
Mark Grieveson wrote:
> Thanks for the response.  So, out with these broken files.  When in
> doubt, throw it out, as they say.

Hi,
The broken exe detection was introduced as a form of cheap heuristics
against buggy mail worms which fail to properly attach to the message.
These may go unnoticed by ClamAV if the data is corrupted or missing.

So while enabling it on a mail scanner can help filter out a bunch of
junk, turning it on for ordinary filesystems scans can result in a few
false positives.

HtH,
-aCaB


Re: [Clamav-users] old milter with 0.95

2009-04-04 Thread aCaB
Robert Schetterer wrote:
> Hi, I noticed I have to update to 0.95 because of security issues
> but I don't want to change milters on many mail servers if not needed.
> Is there a chance of using old clamav-milter setups (i.e. with command-line
> options) and clamd 0.95? (I guess I read so in the list.)
> If yes, are there any online FAQs about it?

Hi Robert,
your best option is probably to run clamav-milter from 0.94.2 against a
0.95(.1) clamd.

-acab


Re: [Clamav-users] clamAV-0.95 0n Solaris 10 x86 Build

2009-04-03 Thread aCaB
John Goubeaux wrote:
> Has anyone done a successful build of clamAV-0.95 on Solaris 10 x86?

Builds fine for me with gcc:
http://farm.0xacab.net/build/show/2335

-aCaB


Re: [Clamav-users] Missing option on freshclam 0.95?

2009-04-02 Thread aCaB
Charles Gregory wrote:
> Oh, and FTR, I could not find a "change log" or "version notes" on the 
> main clamav website, or I could have answered this question myself
> A link in the left-side menu would be nice. :)

It's not that hard...
http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog


-aCaB


Re: [Clamav-users] I386--FreeBSD7.1-RELEASE-p4--Sendmail-8.14.3Clamav-milter 0.95 doesn't scan emails

2009-04-02 Thread aCaB
lyubom...@cablebg.net wrote:
> I am executing the following command:
> 
> [lyubo...@evaluate ~]$ cat test1.txt | mail -s "Test" root
> 
> Where test1.txt is an Eicar test file

See: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1531
Can you please test the SVN version?

Thanks,
-aCaB



Re: [Clamav-users] MaxQueue in clamd.conf?

2009-04-02 Thread aCaB
Odhiambo Washington wrote:
> Thu Apr  2 08:33:07 2009 -> ERROR: Configuration error: MaxQueue should be
> at least twice MaxThreads
> Thu Apr  2 08:33:07 2009 -> ERROR: thrmgr_new failed
> 
> ...yet there is no such param as MaxQueue in clamd.conf, but
> 
> FreeBSD-7# find clamav-0.95 -type f -exec grep -li 'MaxQueue' {} \;
> clamav-0.95/clamd/server-th.c
> clamav-0.95/clamd/thrmgr.c
> clamav-0.95/unit_tests/test-clamd.conf
> clamav-0.95/shared/optparser.c
> clamav-0.95/clamdtop/clamdtop.c
> 
> Did someone forget to add a new config variable in clamd.conf with 0.95??

Hi Odhiambo,
There is already an open bug on the bugzilla.
Problem will be fixed in 0.95.1.

-aCaB


Re: [Clamav-users] I386--FreeBSD7.1-RELEASE-p4--Sendmail-8.14.3 Clamav-milter 0.95 doesn't scan emails

2009-04-02 Thread aCaB
lyubom...@cablebg.net wrote:
> I decided to upgrade and
> clmilter stopped to scan email messages. There was also no SMTP header
> modification from ClamAV. I decided to fresh install clamav-0.95 on another
> box and the effect was exactly the same.
> It seems milter works as a simple loopback without any scan functionality.
> Could you, please, advise how to solve this problem?
[...]
> clamav-milter.conf:
> ...
> FixStaleSocket yes
> User clamav
> MilterSocket /var/run/clamav/clmilter.sock
> PidFile /var/run/clamav/clamav-milter.pid
> ClamdSocket unix:/var/run/clamav/clamd.sock
> LogFile /var/log/clamav/clamav-milter.log

Hi Lyubomir,
If you want X-Virus-XXX headers set "AddHeader Yes".
If you want some more info logged from the milter, use "LogVerbose yes".


HtH,
-aCaB

