[clamav-users] Strange behavior of freshclam
Hello! I got a strange behavior of freshclam. Until Oct 31 everything was OK:

Tue Oct 31 06:31:03 2017 -> --
Tue Oct 31 06:31:03 2017 -> ClamAV update process started at Tue Oct 31 06:31:03 2017
Tue Oct 31 06:31:03 2017 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Tue Oct 31 06:31:04 2017 -> Downloading daily-24003.cdiff [100%]
Tue Oct 31 06:31:09 2017 -> daily.cld updated (version: 24003, sigs: 1767407, f-level: 63, builder: neo)
Tue Oct 31 06:31:54 2017 -> Downloading safebrowsing-46596.cdiff [100%]
Tue Oct 31 06:32:16 2017 -> safebrowsing.cld updated (version: 46596, sigs: 3172593, f-level: 63, builder: google)
Tue Oct 31 06:32:16 2017 -> bytecode.cvd is up to date (version: 313, sigs: 73, f-level: 63, builder: neo)
Tue Oct 31 06:32:24 2017 -> Database updated (9506322 signatures) from database.clamav.net (IP: 145.58.29.83)
Wed Nov 1 03:16:03 2017 -> --

But:

Wed Nov 1 03:16:03 2017 -> --
Wed Nov 1 03:16:03 2017 -> ClamAV update process started at Wed Nov 1 03:16:03 2017
Wed Nov 1 03:16:03 2017 -> WARNING: DNS record is older than 3 hours.
Wed Nov 1 03:16:03 2017 -> WARNING: Invalid DNS reply. Falling back to HTTP mode.
Wed Nov 1 03:16:03 2017 -> Reading CVD header (main.cvd):
Wed Nov 1 03:16:04 2017 -> OK
Wed Nov 1 03:16:04 2017 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Wed Nov 1 03:16:04 2017 -> Reading CVD header (daily.cvd):
Wed Nov 1 03:16:04 2017 -> OK
Wed Nov 1 03:16:04 2017 -> Downloading daily-24004.cdiff [100%]
Wed Nov 1 03:16:04 2017 -> Downloading daily-24005.cdiff [100%]
Wed Nov 1 03:16:09 2017 -> daily.cld updated (version: 24005, sigs: 1767974, f-level: 63, builder: neo)
Wed Nov 1 03:16:09 2017 -> Reading CVD header (safebrowsing.cvd):
Wed Nov 1 03:16:09 2017 -> OK
Wed Nov 1 03:16:49 2017 -> Downloading safebrowsing-46597.cdiff [100%]
Wed Nov 1 03:17:49 2017 -> Downloading safebrowsing-46598.cdiff [100%]
Wed Nov 1 03:18:11 2017 -> safebrowsing.cld updated (version: 46598, sigs: 3172105, f-level: 63, builder: google)
Wed Nov 1 03:18:11 2017 -> Reading CVD header (bytecode.cvd):
Wed Nov 1 03:18:11 2017 -> OK
Wed Nov 1 03:18:11 2017 -> bytecode.cvd is up to date (version: 313, sigs: 73, f-level: 63, builder: neo)
Wed Nov 1 03:18:19 2017 -> Database updated (9506401 signatures) from database.clamav.net (IP: 145.58.29.83)

Later, manually:

Wed Nov 1 07:16:39 2017 -> --
Wed Nov 1 07:16:39 2017 -> ClamAV update process started at Wed Nov 1 07:16:39 2017
Wed Nov 1 07:16:39 2017 -> WARNING: DNS record is older than 3 hours.
Wed Nov 1 07:16:39 2017 -> WARNING: Invalid DNS reply. Falling back to HTTP mode.
Wed Nov 1 07:16:39 2017 -> Reading CVD header (main.cvd):
Wed Nov 1 07:16:41 2017 -> WARNING: Unknown response from remote server
Wed Nov 1 07:16:41 2017 -> WARNING: Can't read main.cvd header from database.clamav.net (IP: 194.109.6.97)
Wed Nov 1 07:16:41 2017 -> Trying again in 5 secs...
Wed Nov 1 07:16:46 2017 -> ClamAV update process started at Wed Nov 1 07:16:46 2017
Wed Nov 1 07:16:46 2017 -> WARNING: DNS record is older than 3 hours.
Wed Nov 1 07:16:46 2017 -> WARNING: Invalid DNS reply. Falling back to HTTP mode.
..

After reading the official mirror FAQ, I resolved manually:

host -t txt current.cvd.clamav.net
current.cvd.clamav.net descriptive text "0.99.2:58:24005:1509480502:1:63:46598:313"

I removed all files from the DatabaseDirectory and re-ran freshclam:

ClamAV update process started at Wed Nov 1 11:10:13 2017
WARNING: DNS record is older than 3 hours.
WARNING: Invalid DNS reply. Falling back to HTTP mode.
Downloading main.cvd [100%]
main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Downloading daily.cvd [100%]
daily.cvd updated (version: 24005, sigs: 1767974, f-level: 63, builder: neo)
Downloading safebrowsing.cvd [100%]
safebrowsing.cvd updated (version: 46598, sigs: 3172105, f-level: 63, builder: google)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 313, sigs: 73, f-level: 63, builder: neo)
Database updated (9506401 signatures) from database.clamav.net (IP: 145.58.29.83)

What's wrong?

--
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
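The two warnings in the post come from freshclam checking the TXT record before trusting it. The following is an added example, not freshclam's own code, that reproduces those checks on the record the poster resolved: the field positions for main/daily/safebrowsing/bytecode are read off the matching versions in the log (58/24005/46598/313), while treating field 3 as the publication time in Unix seconds and 3 hours as the staleness limit are assumptions taken from the warning text.

```python
"""Freshness and version checks on the current.cvd.clamav.net TXT record.
Added example; not freshclam's own code."""
from __future__ import annotations

from dataclasses import dataclass

# Record exactly as the post resolved it with `host -t txt current.cvd.clamav.net`.
TXT_RECORD = "0.99.2:58:24005:1509480502:1:63:46598:313"

# freshclam logs "DNS record is older than 3 hours" and then discards the
# record ("Invalid DNS reply. Falling back to HTTP mode"), so 3 h is the
# limit assumed here.
MAX_RECORD_AGE = 3 * 3600


@dataclass
class DnsRecord:
    clamav_version: str   # field 0: newest ClamAV release
    main: int             # field 1: main.cvd version
    daily: int            # field 2: daily.cvd/cld version
    timestamp: int        # field 3: assumed to be the record's Unix publication time
    safebrowsing: int     # field 6: safebrowsing version
    bytecode: int         # field 7: bytecode.cvd version


def parse_txt_record(txt: str) -> DnsRecord:
    """Split the colon-separated record. Fields 4 and 5 are not needed for
    this check and are skipped; the indices used match the log in the post."""
    fields = txt.strip().strip('"').split(":")
    if len(fields) < 8:
        raise ValueError(f"malformed TXT record: {txt!r}")
    return DnsRecord(
        clamav_version=fields[0],
        main=int(fields[1]),
        daily=int(fields[2]),
        timestamp=int(fields[3]),
        safebrowsing=int(fields[6]),
        bytecode=int(fields[7]),
    )


def record_age(rec: DnsRecord, now: int) -> int:
    """Seconds between the record's timestamp and the caller's clock."""
    return now - rec.timestamp


def update_mode(rec: DnsRecord, now: int) -> str:
    """'dns' when the record is fresh enough to trust, 'http' when freshclam
    would warn and fall back to reading the CVD headers over HTTP instead."""
    return "http" if record_age(rec, now) > MAX_RECORD_AGE else "dns"


def outdated_databases(rec: DnsRecord, local: dict[str, int]) -> list[str]:
    """Names of local databases whose version is behind the DNS record."""
    remote = {"main": rec.main, "daily": rec.daily,
              "safebrowsing": rec.safebrowsing, "bytecode": rec.bytecode}
    return [name for name, ver in remote.items() if local.get(name, 0) < ver]


if __name__ == "__main__":
    rec = parse_txt_record(TXT_RECORD)
    # Versions from the Oct 31 run in the post, before daily/safebrowsing moved on.
    local_oct31 = {"main": 58, "daily": 24003, "safebrowsing": 46596, "bytecode": 313}
    four_hours_later = rec.timestamp + 4 * 3600   # constructed clock value
    print("mode:", update_mode(rec, four_hours_later))            # http
    print("needs update:", outdated_databases(rec, local_oct31))  # ['daily', 'safebrowsing']
```

A record that passes the age check but lists versions equal to the local ones yields an empty list, which is the "is up to date" path in the log.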
Re: [Clamav-users] Strange behavior of Clamav with HTML email from Outlook
Chinh Nguyen Tam wrote:
> Christoph Cordes wrote:
>> On 02.10.2007 at 05:05, Chinh Nguyen Tam wrote:
>>
>>> Dennis Peterson wrote:
>>>> Chinh Nguyen Tam wrote:
>>>>> Greetings,
>>>>>
>>>>> We've noticed some strange behavior of clamav in our email server.
>>>>> When we try to send some email (HTML format, Outlook 2003) with a URL
>>>>> inside, clamav detects these emails as the Email.Foolball-2 virus. If
>>>>> we send the emails with the same URL in Thunderbird HTML format or in
>>>>> pure text, clamav will let the emails pass by.
>>>>> You can see the example of one Outlook HTML attached in this message
>>>>> (please unpack with gzip).
>>>>> Please advise if anyone has met the same problem before and how to
>>>>> solve this.
>>>>>
>>>>> Thank you very much!
>>>> If your message contains a url such as http://123.231.255.29/, in other words
>>>> a URL made up from an IP address, and if that URL is preceded by the word
>>>> "tracker" then the message will fail. In fact I had to reword this post to
>>>> get past the av filter.
>>>>
>>>> dp
>>> Yes, our emails contain urls with IP. We must change it to something
>>> like hxxp://123.123.123.123 to pass the filter. But you know, it's
>>> a bit noisy for the users. It'd be ok if there's a tip to disable this
>>> kind of check from clamav.
>>>
>> Could you submit such a mail @ http://cgi.clamav.net/sendvirus.cgi
>>
>> Thank you.
>>

Christoph Cordes, thank you very much for your quick response. After submitting the case and updating our clamav database as you advised, all is OK for now. Thank you very much!

Best regards,
Chinh Nguyen

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Strange behavior of Clamav with HTML email from Outlook
Dennis Peterson wrote:
> Chinh Nguyen Tam wrote:
>> Dennis Peterson wrote:
>>> Chinh Nguyen Tam wrote:
>>>> Greetings,
>>>>
>>>> We've noticed some strange behavior of clamav in our email server.
>>>> When we try to send some email (HTML format, Outlook 2003) with a URL
>>>> inside, clamav detects these emails as the Email.Foolball-2 virus. If we send
>>>> the emails with the same URL in Thunderbird HTML format or in pure text,
>>>> clamav will let the emails pass by.
>>>> You can see the example of one Outlook HTML attached in this message
>>>> (please unpack with gzip).
>>>> Please advise if anyone has met the same problem before and how to solve this.
>>>>
>>>> Thank you very much!
>>> If your message contains a url such as http://123.231.255.29/, in other
>>> words a URL made up from an IP address, and if that URL is preceded by the
>>> word "tracker" then the message will fail. In fact I had to reword this post
>>> to get past the av filter.
>>>
>>> dp
>> Yes, our emails contain urls with IP. We must change it to something
>> like hxxp://123.123.123.123 to pass the filter. But you know, it's a bit
>> noisy for the users. It'd be ok if there's a tip to disable this kind
>> of check from clamav.
>
> Perhaps setting this option in your clamd.conf file will help.
>
> # Scan URLs found in mails for phishing attempts using heuristics.
> # Default: yes
> #PhishingScanURLs yes
>
> PhishingScanURLs no
>
> The default is Yes.
>
> dp

Some days ago I tried to set PhishingScanURLs to no, but after that clamav failed to restart. My clamav version is 0.90.3. Does this mean that an upgrade is needed?

[EMAIL PROTECTED] etc]# sh /etc/rc.d/init.d/clamd reload
Stopping Clam AntiVirus Daemon:[ OK ]
Starting Clam AntiVirus Daemon: ERROR: Parse error at line 234: Unknown option PhishingScanURLs.
ERROR: Can't open/parse the config file /etc/clamd.conf
[FAILED]

Regards,
Chinh Nguyen
Re: [Clamav-users] Strange behavior of Clamav with HTML email from Outlook
Christoph Cordes wrote:
> On 02.10.2007 at 05:05, Chinh Nguyen Tam wrote:
>
>> Dennis Peterson wrote:
>>> Chinh Nguyen Tam wrote:
>>>> Greetings,
>>>>
>>>> We've noticed some strange behavior of clamav in our email server.
>>>> When we try to send some email (HTML format, Outlook 2003) with a URL
>>>> inside, clamav detects these emails as the Email.Foolball-2 virus. If we send
>>>> the emails with the same URL in Thunderbird HTML format or in pure text,
>>>> clamav will let the emails pass by.
>>>> You can see the example of one Outlook HTML attached in this message
>>>> (please unpack with gzip).
>>>> Please advise if anyone has met the same problem before and how to solve this.
>>>>
>>>> Thank you very much!
>>> If your message contains a url such as http://123.231.255.29/, in
>>> other words a URL made up from an IP address, and if that URL is
>>> preceded by the word "tracker" then the message will fail. In fact I
>>> had to reword this post to get past the av filter.
>>>
>>> dp
>> Yes, our emails contain urls with IP. We must change it to something
>> like hxxp://123.123.123.123 to pass the filter. But you know, it's
>> a bit noisy for the users. It'd be ok if there's a tip to disable this
>> kind of check from clamav.
>>
>
> Could you submit such a mail @ http://cgi.clamav.net/sendvirus.cgi
>
> Thank you.
>

Thank you for your tip. I've just submitted the email to clamav.

Regards,
Chinh Nguyen
Re: [Clamav-users] Strange behavior of Clamav with HTML email from Outlook
On 02.10.2007 at 05:05, Chinh Nguyen Tam wrote:
> Dennis Peterson wrote:
>> Chinh Nguyen Tam wrote:
>>> Greetings,
>>>
>>> We've noticed some strange behavior of clamav in our email server.
>>> When we try to send some email (HTML format, Outlook 2003) with a URL
>>> inside, clamav detects these emails as the Email.Foolball-2 virus. If
>>> we send the emails with the same URL in Thunderbird HTML format or in
>>> pure text, clamav will let the emails pass by.
>>> You can see the example of one Outlook HTML attached in this message
>>> (please unpack with gzip).
>>> Please advise if anyone has met the same problem before and how to
>>> solve this.
>>>
>>> Thank you very much!
>>
>> If your message contains a url such as http://123.231.255.29/, in
>> other words a URL made up from an IP address, and if that URL is
>> preceded by the word "tracker" then the message will fail. In fact I
>> had to reword this post to get past the av filter.
>>
>> dp
>
> Yes, our emails contain urls with IP. We must change it to something
> like hxxp://123.123.123.123 to pass the filter. But you know, it's
> a bit noisy for the users. It'd be ok if there's a tip to disable this
> kind of check from clamav.
>

Could you submit such a mail @ http://cgi.clamav.net/sendvirus.cgi

Thank you.

--
Best regards,
Christoph
Re: [Clamav-users] Strange behavior of Clamav with HTML email from Outlook
Chinh Nguyen Tam wrote:
> Dennis Peterson wrote:
>> Chinh Nguyen Tam wrote:
>>> Greetings,
>>>
>>> We've noticed some strange behavior of clamav in our email server.
>>> When we try to send some email (HTML format, Outlook 2003) with a URL
>>> inside, clamav detects these emails as the Email.Foolball-2 virus. If we send
>>> the emails with the same URL in Thunderbird HTML format or in pure text,
>>> clamav will let the emails pass by.
>>> You can see the example of one Outlook HTML attached in this message
>>> (please unpack with gzip).
>>> Please advise if anyone has met the same problem before and how to solve this.
>>>
>>> Thank you very much!
>> If your message contains a url such as http://123.231.255.29/, in other
>> words a URL made up from an IP address, and if that URL is preceded by the
>> word "tracker" then the message will fail. In fact I had to reword this post
>> to get past the av filter.
>>
>> dp
>
> Yes, our emails contain urls with IP. We must change it to something
> like hxxp://123.123.123.123 to pass the filter. But you know, it's a bit
> noisy for the users. It'd be ok if there's a tip to disable this kind
> of check from clamav.

Perhaps setting this option in your clamd.conf file will help.

# Scan URLs found in mails for phishing attempts using heuristics.
# Default: yes
#PhishingScanURLs yes

PhishingScanURLs no

The default is Yes.

dp
Re: [Clamav-users] Strange behavior of Clamav with HTML email from Outlook
Dennis Peterson wrote:
> Chinh Nguyen Tam wrote:
>> Greetings,
>>
>> We've noticed some strange behavior of clamav in our email server.
>> When we try to send some email (HTML format, Outlook 2003) with a URL
>> inside, clamav detects these emails as the Email.Foolball-2 virus. If we send
>> the emails with the same URL in Thunderbird HTML format or in pure text,
>> clamav will let the emails pass by.
>> You can see the example of one Outlook HTML attached in this message
>> (please unpack with gzip).
>> Please advise if anyone has met the same problem before and how to solve this.
>>
>> Thank you very much!
>
> If your message contains a url such as http://123.231.255.29/, in other words
> a URL made up from an IP address, and if that URL is preceded by the word
> "tracker" then the message will fail. In fact I had to reword this post to get
> past the av filter.
>
> dp

Yes, our emails contain urls with IP. We must change it to something like hxxp://123.123.123.123 to pass the filter. But you know, it's a bit noisy for the users. It'd be ok if there's a tip to disable this kind of check from clamav.

Chinh Nguyen
Re: [Clamav-users] Strange behavior of Clamav with HTML email from Outlook
Chinh Nguyen Tam wrote:
> Greetings,
>
> We've noticed some strange behavior of clamav in our email server.
> When we try to send some email (HTML format, Outlook 2003) with a URL
> inside, clamav detects these emails as the Email.Foolball-2 virus. If we send
> the emails with the same URL in Thunderbird HTML format or in pure text,
> clamav will let the emails pass by.
> You can see the example of one Outlook HTML attached in this message
> (please unpack with gzip).
> Please advise if anyone has met the same problem before and how to solve this.
>
> Thank you very much!

If your message contains a url such as http://123.231.255.29/, in other words a URL made up from an IP address, and if that URL is preceded by the word "tracker" then the message will fail. In fact I had to reword this post to get past the av filter.

dp
Re: [Clamav-users] Strange behavior of Clamav with HTML email from Outlook
Sorry, I missed the attached file. Thank you very much in advance!

Chinh Nguyen Tam wrote:
> Greetings,
>
> We've noticed some strange behavior of clamav in our email server.
> When we try to send some email (HTML format, Outlook 2003) with a URL
> inside, clamav detects these emails as the Email.Foolball-2 virus. If we send
> the emails with the same URL in Thunderbird HTML format or in pure text,
> clamav will let the emails pass by.
> You can see the example of one Outlook HTML attached in this message
> (please unpack with gzip).
> Please advise if anyone has met the same problem before and how to solve this.
>
> Thank you very much!
>
> From maillog:
>
> Oct 1 09:28:39 smail sendmail[31550]: l912Sd0V031550: from=<[EMAIL PROTECTED]>, size=3856, class=0, nrcpts=2, msgid=<00f501c803d2$75465c20$[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, relay=[192.168.11.57]
> Oct 1 09:28:39 smail sendmail[31550]: l912Sd0V031550: Milter add: header: X-Virus-Scanned: ClamAV 0.90.1/4442/Sun Sep 30 19:20:50 2007 on smail.xxx.com.vn
> Oct 1 09:28:39 smail sendmail[31550]: l912Sd0V031550: Milter add: header: X-Virus-Status: Infected with Email.Foolball-2
> Oct 1 09:28:39 smail sendmail[31550]: l912Sd0V031550: Milter: data, reject=554 5.7.1 virus Email.Foolball-2 detected by ClamAV - http://www.clamav.net
> Oct 1 09:28:39 smail sendmail[31550]: l912Sd0V031550: to=<[EMAIL PROTECTED]>, delay=00:00:00, pri=63856, stat=virus Email.Foolball-2 detected by ClamAV - http://www.clamav.net
> Oct 1 09:28:39 smail sendmail[31550]: l912Sd0V031550: to=<[EMAIL PROTECTED]>, delay=00:00:00, pri=63856, stat=virus Email.Foolball-2 detected by ClamAV - http://www.clamav.net
[Clamav-users] Strange behavior of Clamav with HTML email from Outlook
Greetings,

We've noticed some strange behavior of clamav in our email server. When we try to send some email (HTML format, Outlook 2003) with a URL inside, clamav detects these emails as the Email.Foolball-2 virus. If we send the emails with the same URL in Thunderbird HTML format or in pure text, clamav will let the emails pass by. You can see the example of one Outlook HTML attached in this message (please unpack with gzip). Please advise if anyone has met the same problem before and how to solve this.

Thank you very much!

From maillog:

Oct 1 09:28:39 smail sendmail[31550]: l912Sd0V031550: from=<[EMAIL PROTECTED]>, size=3856, class=0, nrcpts=2, msgid=<00f501c803d2$75465c20$[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, relay=[192.168.11.57]
Oct 1 09:28:39 smail sendmail[31550]: l912Sd0V031550: Milter add: header: X-Virus-Scanned: ClamAV 0.90.1/4442/Sun Sep 30 19:20:50 2007 on smail.xxx.com.vn
Oct 1 09:28:39 smail sendmail[31550]: l912Sd0V031550: Milter add: header: X-Virus-Status: Infected with Email.Foolball-2
Oct 1 09:28:39 smail sendmail[31550]: l912Sd0V031550: Milter: data, reject=554 5.7.1 virus Email.Foolball-2 detected by ClamAV - http://www.clamav.net
Oct 1 09:28:39 smail sendmail[31550]: l912Sd0V031550: to=<[EMAIL PROTECTED]>, delay=00:00:00, pri=63856, stat=virus Email.Foolball-2 detected by ClamAV - http://www.clamav.net
Oct 1 09:28:39 smail sendmail[31550]: l912Sd0V031550: to=<[EMAIL PROTECTED]>, delay=00:00:00, pri=63856, stat=virus Email.Foolball-2 detected by ClamAV - http://www.clamav.net

--
With best regards,
Chinh Nguyen Tam
[EMAIL PROTECTED]
Application Team - IT System Dept.
Re: [Clamav-users] Strange behavior of ArchiveMaxCompressionRatio
>> Well, the calculations are bad...
>
> That's all? :)

Maxim,

The calculations from unzip are 'correct' insofar as the percentage in your output represents:

(unzipped size - zipped size) / (unzipped size) * 100

so:

874796 Defl:N 151104 83% 04-09-04 13:53 f9d40334 file_name

= (874796 - 151104) / 874796 * 100 = 82.7 %

This isn't a ratio of unzipped size to zipped size. It's more a roundabout way of saying the zipped file represents 17 % of the size of the unzipped file. Common sense suggests that the ratio should be the number of times the size of the zipped file divides into the unzipped file, and this is what clamav looks for. I don't see any entry in your unzip output that beats a ratio of 300 though.

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Strange behavior of ArchiveMaxCompressionRatio
On Tue, 1 Feb 2005 15:10:25 +0100 Tomasz Kojm <[EMAIL PROTECTED]> wrote:
> On Tue, 01 Feb 2005 14:43:11 +0300
> Maxim Cherniavsky <[EMAIL PROTECTED]> wrote:
>
>>> Well, the calculations are bad...
>>
>> That's all? :)
>
> You may want to report the problem to the unrar maintainers.

Sorry, to the unzip maintainers...

--
   oo.    Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\.  http://www.ClamAV.net/gpg/tkojm.gpg
     \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\ /\  Tue Feb 1 17:07:12 CET 2005
Re: [Clamav-users] Strange behavior of ArchiveMaxCompressionRatio
On Tue, 01 Feb 2005 14:43:11 +0300 Maxim Cherniavsky <[EMAIL PROTECTED]> wrote:
>> Well, the calculations are bad...
>
> That's all? :)

You may want to report the problem to the unrar maintainers.

--
   oo.    Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\.  http://www.ClamAV.net/gpg/tkojm.gpg
     \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\ /\  Tue Feb 1 15:09:36 CET 2005
Re: [Clamav-users] Strange behavior of ArchiveMaxCompressionRatio
Tomasz Kojm wrote:
>> Nothing strange about compression ratio ...
>
> Well, the calculations are bad...

That's all? :)

--
Best regards,
Maxim Cherniavsky
Comstar-UTS, Internet Division
mailto: maxim (at) comstar.ru
Re: [Clamav-users] Strange behavior of ArchiveMaxCompressionRatio
On Mon, 31 Jan 2005 20:50:30 +0300 Maxim Cherniavsky <[EMAIL PROTECTED]> wrote:
> unzip -lv /tmp/mesh.doc
> Archive: /tmp/mesh.doc
>  Length   Method    Size  Ratio   Date   Time   CRC-32    Name
> --------  ------  ------- -----   ----   ----   ------    ----
>     2028  Defl:N      518  75%  12-27-04 15:28  3e3c312f  file_name
>   874796  Defl:N   151104  83%  04-09-04 13:53  f9d40334  file_name
>   874796  Defl:N   330883  62%  09-10-04 10:13  59aca306  file_name
>   874790  Defl:N   330285  62%  12-27-04 14:01  138c1dcc  file_name
>   289352  Defl:N   239515  17%  12-27-04 14:01  4b632d4a  file_name
>     1002  Defl:N      440  56%  09-10-04 10:15  2f4702d6  file_name
>   713135  Defl:N   236270  67%  06-09-04 15:48  9ad21627  file_name
>    30709  Defl:N      547  98%  06-09-04 15:48  b31f2ac0  file_name
>     2029  Defl:N      513  75%  12-27-04 13:22  d0728aef  file_name
>     2026  Defl:N      519  74%  12-28-04 09:17  b1bf3090  file_name
>     2028  Defl:N      522  74%  12-27-04 14:25  f89a3d3d  file_name
>     2027  Defl:N      517  75%  12-28-04 11:11  3283f0e5  file_name
>     2029  Defl:N      523  74%  12-28-04 10:15  df2fc079  file_name
>   437396  Defl:N     2157 100%  06-09-04 15:48  698268c4  file_name
>  1722670  Defl:N   303170  82%  05-11-01 16:54  0453936e  file_name
>      953  Defl:N      526  45%  09-07-04 10:34  ec571065  file_name
>   437396  Defl:N     5520  99%  06-09-04 15:48  237ad7c6  file_name
>  1085519  Defl:N   407561  63%  12-08-04 16:46  42955402  file_name
>   512784  Defl:N   156690  69%  05-11-01 16:52  5c2b0168  file_name
>   179488  Defl:N    42567  76%  06-09-04 15:48  fde5d6f6  file_name
> --------          -------  ---                            -------
>  8046953          2210347  73%                            20 files
>
>
> Nothing strange about compression ratio ...

Well, the calculations are bad...

--
   oo.    Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\.  http://www.ClamAV.net/gpg/tkojm.gpg
     \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\ /\  Mon Jan 31 19:01:39 CET 2005
[Clamav-users] Strange behavior of ArchiveMaxCompressionRatio
Hi all

On some mail attachments Clamav (0.80) reports Oversized.Zip, but the compression ratio of this attachment is good. For example, in the raw mail message:

--
Content-Type: application/msword; name="Vane2 OFF-design without mesh.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Vane2 OFF-design without mesh.doc"
--

After saving this file to mesh.doc:

file /tmp/mesh.doc
/tmp/mesh.doc: Zip archive data, at least v2.0 to extract

unzip -lv /tmp/mesh.doc
Archive: /tmp/mesh.doc
 Length   Method    Size  Ratio   Date   Time   CRC-32    Name
--------  ------  ------- -----   ----   ----   ------    ----
    2028  Defl:N      518  75%  12-27-04 15:28  3e3c312f  file_name
  874796  Defl:N   151104  83%  04-09-04 13:53  f9d40334  file_name
  874796  Defl:N   330883  62%  09-10-04 10:13  59aca306  file_name
  874790  Defl:N   330285  62%  12-27-04 14:01  138c1dcc  file_name
  289352  Defl:N   239515  17%  12-27-04 14:01  4b632d4a  file_name
    1002  Defl:N      440  56%  09-10-04 10:15  2f4702d6  file_name
  713135  Defl:N   236270  67%  06-09-04 15:48  9ad21627  file_name
   30709  Defl:N      547  98%  06-09-04 15:48  b31f2ac0  file_name
    2029  Defl:N      513  75%  12-27-04 13:22  d0728aef  file_name
    2026  Defl:N      519  74%  12-28-04 09:17  b1bf3090  file_name
    2028  Defl:N      522  74%  12-27-04 14:25  f89a3d3d  file_name
    2027  Defl:N      517  75%  12-28-04 11:11  3283f0e5  file_name
    2029  Defl:N      523  74%  12-28-04 10:15  df2fc079  file_name
  437396  Defl:N     2157 100%  06-09-04 15:48  698268c4  file_name
 1722670  Defl:N   303170  82%  05-11-01 16:54  0453936e  file_name
     953  Defl:N      526  45%  09-07-04 10:34  ec571065  file_name
  437396  Defl:N     5520  99%  06-09-04 15:48  237ad7c6  file_name
 1085519  Defl:N   407561  63%  12-08-04 16:46  42955402  file_name
  512784  Defl:N   156690  69%  05-11-01 16:52  5c2b0168  file_name
  179488  Defl:N    42567  76%  06-09-04 15:48  fde5d6f6  file_name
--------          -------  ---                            -------
 8046953          2210347  73%                            20 files

Nothing strange about compression ratio ...

In clamd.conf:

ArchiveMaxCompressionRatio 300

Thanks in advance

--
Best regards,
Maxim Cherniavsky
Comstar-UTS, Internet Division
mailto: maxim (at) comstar.ru
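The reply earlier in this thread explains that unzip's "Ratio" column is the space saved, while ArchiveMaxCompressionRatio compares the number of times the packed size divides into the unpacked size. As an added example (not ClamAV's or unzip's code), the script below parses the listing from this post and computes both figures for every entry, so the 300 limit from clamd.conf can be checked against the real per-entry ratio; the listing is a re-typed copy of the one above with the columns aligned, and "exceeds the limit" is assumed to mean strictly greater.

```python
"""Per-entry unpacked/packed ratio from `unzip -lv` output, compared with
ArchiveMaxCompressionRatio. Added example; not ClamAV or unzip code."""
from __future__ import annotations

import re
from dataclasses import dataclass

# The listing from the post, re-typed with aligned columns (constructed copy).
UNZIP_LISTING = """\
Archive:  /tmp/mesh.doc
 Length   Method    Size  Ratio   Date   Time   CRC-32    Name
--------  ------  ------- -----   ----   ----   ------    ----
    2028  Defl:N      518  75%  12-27-04 15:28  3e3c312f  file_name
  874796  Defl:N   151104  83%  04-09-04 13:53  f9d40334  file_name
  874796  Defl:N   330883  62%  09-10-04 10:13  59aca306  file_name
  874790  Defl:N   330285  62%  12-27-04 14:01  138c1dcc  file_name
  289352  Defl:N   239515  17%  12-27-04 14:01  4b632d4a  file_name
    1002  Defl:N      440  56%  09-10-04 10:15  2f4702d6  file_name
  713135  Defl:N   236270  67%  06-09-04 15:48  9ad21627  file_name
   30709  Defl:N      547  98%  06-09-04 15:48  b31f2ac0  file_name
    2029  Defl:N      513  75%  12-27-04 13:22  d0728aef  file_name
    2026  Defl:N      519  74%  12-28-04 09:17  b1bf3090  file_name
    2028  Defl:N      522  74%  12-27-04 14:25  f89a3d3d  file_name
    2027  Defl:N      517  75%  12-28-04 11:11  3283f0e5  file_name
    2029  Defl:N      523  74%  12-28-04 10:15  df2fc079  file_name
  437396  Defl:N     2157 100%  06-09-04 15:48  698268c4  file_name
 1722670  Defl:N   303170  82%  05-11-01 16:54  0453936e  file_name
     953  Defl:N      526  45%  09-07-04 10:34  ec571065  file_name
  437396  Defl:N     5520  99%  06-09-04 15:48  237ad7c6  file_name
 1085519  Defl:N   407561  63%  12-08-04 16:46  42955402  file_name
  512784  Defl:N   156690  69%  05-11-01 16:52  5c2b0168  file_name
  179488  Defl:N    42567  76%  06-09-04 15:48  fde5d6f6  file_name
--------          -------  ---                            -------
 8046953          2210347  73%                            20 files
"""

# One entry line: length, method, size, ratio%, date, time, CRC-32, name.
# The header, separator and totals lines do not match (no date/time/CRC).
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)%\s+"
    r"(\d\d-\d\d-\d\d)\s+(\d\d:\d\d)\s+([0-9a-fA-F]{8})\s+(.+?)\s*$"
)


@dataclass
class Entry:
    length: int   # unpacked bytes (unzip "Length")
    size: int     # packed bytes (unzip "Size")
    name: str

    def clamav_ratio(self) -> float:
        """How many times the packed size divides into the unpacked size,
        the figure ArchiveMaxCompressionRatio is compared with."""
        if self.size == 0:
            # Stored as zero bytes: infinitely compressed if any data exists.
            return float("inf") if self.length else 0.0
        return self.length / self.size

    def space_saved_percent(self) -> float:
        """What unzip's Ratio column expresses (it rounds to a whole percent)."""
        if self.length == 0:
            return 0.0
        return 100.0 * (self.length - self.size) / self.length


def parse_unzip_listing(text: str) -> list[Entry]:
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(int(m.group(1)), int(m.group(3)), m.group(8)))
    return entries


def totals(entries: list[Entry]) -> tuple[int, int]:
    """(total unpacked, total packed), to cross-check with unzip's last line."""
    return sum(e.length for e in entries), sum(e.size for e in entries)


def max_ratio(entries: list[Entry]) -> float:
    return max(e.clamav_ratio() for e in entries) if entries else 0.0


def oversized(entries: list[Entry], limit: int = 300) -> list[Entry]:
    """Entries whose unpacked/packed ratio exceeds the configured limit."""
    return [e for e in entries if e.clamav_ratio() > limit]


if __name__ == "__main__":
    entries = parse_unzip_listing(UNZIP_LISTING)
    print("entries:", len(entries), "totals:", totals(entries))
    print("highest ratio: %.1f" % max_ratio(entries))            # 202.8
    print("over 300:", [(e.length, e.size) for e in oversized(entries, 300)])  # []
    for e in entries:
        print("%8d %8d  saved %5.1f%%  ratio %6.1f" % (
            e.length, e.size, e.space_saved_percent(), e.clamav_ratio()))
```

The entry unzip shows as "100%" (437396 bytes packed into 2157) has a ratio of about 203, so nothing in this archive crosses 300; the script would flag it only if the limit were set at 200 or below.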
Re: [Clamav-users] strange behavior when scanning clamav-0.80.tar.gz vs clamav-0.80 source directory
On Sun, 17 Oct 2004 17:32:44 -0500 Mark Reidenbach <[EMAIL PROTECTED]> wrote:
> After installing clamav 0.80, I was running some tests and came across
> something I found quite strange. If I run clamdscan or clamscan on
> the source directory, it finds the virii in the test directory, but if
> I scan the source tarball, it reports 0 of the test virii found. Even
> stranger, if I recreate the tarball from the source directory using
> "tar czf test.tar.gz clamav-0.80" and scan the resulting file, it
> finds a test virus again.
>
> Is there some method built into the scanner so it avoids flagging the
> test virii in the source tarball?

No. Not all tar archive types are currently supported.

--
   oo.    Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\.  http://www.ClamAV.net/gpg/tkojm.gpg
     \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\ /\  Mon Oct 18 02:19:25 CEST 2004
[Clamav-users] strange behavior when scanning clamav-0.80.tar.gz vs clamav-0.80 source directory
After installing clamav 0.80, I was running some tests and came across something I found quite strange. If I run clamdscan or clamscan on the source directory, it finds the virii in the test directory, but if I scan the source tarball, it reports 0 of the test virii found. Even stranger, if I recreate the tarball from the source directory using "tar czf test.tar.gz clamav-0.80" and scan the resulting file, it finds a test virus again.

Is there some method built into the scanner so it avoids flagging the test virii in the source tarball?

Thanks to anyone who could explain this seemingly strange behavior,

Mark Reidenbach
Re: [Clamav-users] Strange Behavior
> Do you really want to keep all the viruses people send you?
Re: [Clamav-users] Strange Behavior
On Wed, Oct 13, 2004 at 11:47:37AM -0400, Scott Rothgaber said:
> Here are the log entries from the test (trimmed and wrapped)...

Take a look:

i9DFeFAr011069: from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> Milter: data, reject=554 5.7.1 ClamAV-Test-Signature detected by ClamAV - http://www.clamav.net
i9DFeJeO011072: from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> stat=Sent (2256485 message accepted for delivery)

Do you have recipient notification turned on for the milter? The original message was rejected, but the _recipient notification_ was sent on and scanned by spamd. If you want recipient notification, but don't want spamass-milter to scan them, turn off spam scanning of emails from localhost for the spam milter. Otherwise, I'd just turn off recipient notification in clamav milter - it's a waste of time for the most part.

--
Stephen Gran | Wanna buy a duck?
[EMAIL PROTECTED]
http://www.lobefin.net/~steve
Re: [Clamav-users] Strange Behavior
[EMAIL PROTECTED] wrote:
> Are you using the -outgoing switch in clamav-milter ?

No. I'm going to do another test and post the headers.
Re: [Clamav-users] Strange Behavior
Here are the log entries from the test (trimmed and wrapped)...

sm-mta[11069]: i9DFeFAr011069: from=<[EMAIL PROTECTED]>, size=337, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=IPv4, relay=neors.cat.cc.md.us [204.153.79.3]
clamd[9893]: stream: ClamAV-Test-Signature FOUND
sm-mta[11069]: i9DFeFAr011069: Milter add: header: X-Virus-Scanned: clamd / ClamAV version 0.75.1, clamav-milter version 0.75c\n\ton s3.palmetto.tv
sm-mta[11069]: i9DFeFAr011069: Milter add: header: X-Virus-Status: Infected
clamav-milter[9895]: i9DFeFAr011069: stream: ClamAV-Test-Signature Intercepted virus from <[EMAIL PROTECTED]> to <[EMAIL PROTECTED]>
sendmail[11071]: i9DFeJdg011071: from=clamav, size=347, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, [EMAIL PROTECTED]
sm-mta[11072]: i9DFeJeO011072: from=<[EMAIL PROTECTED]>, size=608, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=IPv4, relay=localhost [127.0.0.1]
spamd[9831]: connection from localhost [127.0.0.1] at port 3748
spamd[11074]: processing message <[EMAIL PROTECTED]> for root:200.
spamd[11074]: clean message (1.0/5.0) for root:200 in 2.0 seconds, 778 bytes.
sm-mta[11072]: i9DFeJeO011072: Milter add: header: X-Spam-Flag: NO
sm-mta[11072]: i9DFeJeO011072: Milter add: header: X-Spam-Status: Hits=1.0 Required=5.0 Tests=BAYES_01=1 Autolearn=no
sm-mta[11072]: i9DFeJeO011072: Milter add: header: X-Spam-Level: =
sm-mta[11072]: i9DFeJeO011072: Milter add: header: X-Spam-Checker-Version: SpamAssassin 2.64 on s3.palmetto.tv
sm-mta[11072]: i9DFeJeO011072: Milter message: body replaced
sendmail[11071]: i9DFeJdg011071: to=<[EMAIL PROTECTED]>, ctladdr=clamav (300/300), delay=00:00:02, xdelay=00:00:02, mailer=relay, pri=30347, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (i9DFeJeO011072 Message accepted for delivery)
sm-mta[11069]: i9DFeFAr011069: Milter: data, reject=554 5.7.1 ClamAV-Test-Signature detected by ClamAV - http://www.clamav.net
sm-mta[11069]: i9DFeFAr011069: to=<[EMAIL PROTECTED]>, delay=00:00:05, pri=30337, stat=ClamAV-Test-Signature detected by ClamAV - http://www.clamav.net
sm-mta[11076]: STARTTLS=client, relay=mail.saberspace.com., version=TLSv1/SSLv3, verify=FAIL, cipher=DES-CBC3-SHA, bits=168/168
sm-mta[11076]: i9DFeJeO011072: to=<[EMAIL PROTECTED]>, ctladdr=<[EMAIL PROTECTED]> (300/300), delay=00:00:03, xdelay=00:00:01, mailer=smtp, pri=30608, relay=mail.saberspace.com. [63.82.200.42], dsn=2.0.0, stat=Sent (2256485 message accepted for delivery)
Re: [Clamav-users] Strange Behavior
> Stephen Gran wrote:
>
> I read the FP as saying that after a virus is found sendmail-submit is
> called which should only happen if a notification is being sent.

This rings a bell. I don't know if this is the same problem or not, but I remember having the same problem. It occurred on an upgrade. The upgrade worked but I noticed a new clamav-milter feature:

0.70q 22/4/04 No need to parse the received line if --headers is given
If -outgoing is given put generated emails in the deferred queue to avoid the milter being called twice at the same time (one on the incoming one on the outgoing)

I liked the idea of this so I used the -outgoing CLS and my sendmail logs went nuts. I got the same behaviour as you are reporting. Needless to say I just took the CLS off and I haven't had time to go back and fix whatever is wrong with my sendmail.

Are you using the -outgoing switch in clamav-milter ?

Jim :-)
Re: [Clamav-users] Strange Behavior
Stephen Gran wrote:
> On Wed, Oct 13, 2004 at 09:38:03AM -0400, Scott Rothgaber said:
> > Stephen Gran wrote:
> > > Well, really, it looks like something sendmail is failing to do.
> >
> > Thanks, Stephen! Here's what I have in .mc (wrapped)...
> >
> > INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamav/clmilter.sock, F=,T=S:4m;R:4m')
> > INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamd/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')
> > define(`confINPUT_MAIL_FILTERS', `clmilter, spamassassin')
>
> Try ending the lines with dnl's? Sendmail's m4 makes my ears bleed, but it looks like something is definitely going wrong. Your setup looks reasonable, and sendmail should be giving a 5xx in response to a virus being found.

I read the FP as saying that after a virus is found sendmail-submit is called which should only happen if a notification is being sent.
Re: [Clamav-users] Strange Behavior
On Wed, Oct 13, 2004 at 09:38:03AM -0400, Scott Rothgaber said:
> Stephen Gran wrote:
>
> > Well, really, it looks like something sendmail is failing to do.
>
> Thanks, Stephen! Here's what I have in .mc (wrapped)...
>
> INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamav/clmilter.sock,
> F=,T=S:4m;R:4m')
> INPUT_MAIL_FILTER(`spamassassin',
> `S=local:/var/run/spamd/spamass-milter.sock, F=,
> T=C:15m;S:4m;R:4m;E:10m')
> define(`confINPUT_MAIL_FILTERS', `clmilter, spamassassin')

Try ending the lines with dnl's? Sendmail's m4 makes my ears bleed, but it looks like something is definitely going wrong. Your setup looks reasonable, and sendmail should be giving a 5xx in response to a virus being found.

Can you send a virus email (eicar or something) through that machine, and then paste the logs into an email?

-- 
| Stephen Gran                  | Support wildlife -- vote for an orgy. |
| [EMAIL PROTECTED]             |                                       |
| http://www.lobefin.net/~steve |                                       |
Re: [Clamav-users] Strange Behavior
Stephen Gran wrote:
> Well, really, it looks like something sendmail is failing to do.

Thanks, Stephen! Here's what I have in .mc (wrapped)...

INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamav/clmilter.sock, F=,T=S:4m;R:4m')
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamd/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')
define(`confINPUT_MAIL_FILTERS', `clmilter, spamassassin')
Re: [Clamav-users] Strange Behavior
On Wed, Oct 13, 2004 at 09:26:08AM -0400, Scott Rothgaber said:
> Stephen Gran wrote:
>
> > Why is clmilter just adding headers and passing the message on, instead
> > of 5xx'ing the virus?
>
> That's what *I* want to know! ;-)
>
> Joe suggested that spamd be told not to scan locally-generated messages.
> First of all, I didn't see any options that address this in 'man spamd'.
> Second, I agree with you, Stephen. This looks like something that
> clmilter is failing to do.

Well, really, it looks like something sendmail is failing to do. Here is how I call it in sendmail.mc here:

INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clamav-milter.ctl, F=, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `clamav')

Those two lines may wrap, but it is supposed to be two lines.

-- 
| Stephen Gran                  | A mouse is an elephant built by the |
| [EMAIL PROTECTED]             | Japanese.                           |
| http://www.lobefin.net/~steve |                                     |
Re: [Clamav-users] Strange Behavior
Stephen Gran wrote:
> Why is clmilter just adding headers and passing the message on, instead of 5xx'ing the virus?

That's what *I* want to know! ;-)

Joe suggested that spamd be told not to scan locally-generated messages. First of all, I didn't see any options that address this in 'man spamd'. Second, I agree with you, Stephen. This looks like something that clmilter is failing to do.
Re: [Clamav-users] Strange Behavior
On Wed, Oct 13, 2004 at 08:34:56AM -0400, Scott Rothgaber said:
> Good Morning!
>
> I've built a gateway using sendmail, clamav and spamassassin. After
> setting the MX records for a test domain to go through this box, the
> spam is rolling in! ;-) Then, I threw a virus at it. The resulting
> behavior is nothing like what I expected...
>
> 1) sendmail receives message, calls clamd
> 2) clamd identifies virus
> 3) clmilter adds headers, hands message to sendmail-submit
> 4) sendmail-submit calls spamd
> ...
>
> Say what?!?!
>
> In an attempt to get rid of sendmail-submit, I renamed submit.cf and
> tried again. This time, the message is rejected as it should be but now
> I get a bunch of bitching from sendmail about the inability to save
> queue files because of permissions.
>
> H!!!
>
> Anyone been down this road before?

Why is clmilter just adding headers and passing the message on, instead of 5xx'ing the virus? Do you really want to keep all the viruses people send you?

-- 
| Stephen Gran                  | About the time we think we can make   |
| [EMAIL PROTECTED]             | ends meet, somebody moves the ends. - |
| http://www.lobefin.net/~steve | - Herbert Hoover                      |
Re: [Clamav-users] Strange Behavior
Scott Rothgaber wrote:
> Good Morning!
>
> I've built a gateway using sendmail, clamav and spamassassin. After
> setting the MX records for a test domain to go through this box, the
> spam is rolling in! ;-) Then, I threw a virus at it. The resulting
> behavior is nothing like what I expected...
>
> 1) sendmail receives message, calls clamd
> 2) clamd identifies virus
> 3) clmilter adds headers, hands message to sendmail-submit
                                               ^^^
You need to disable spamd scanning locally generated email. Be wise to do the same for clamav-milter. Currently this is milter-specific. (If you don't mind checking out the bleeding edge there is a patch out there that allows sendmail to control this.. milter rulesets... google)

> 4) sendmail-submit calls spamd

Don't go that route.

> ...
>
> Say what?!?!
>
> In an attempt to get rid of sendmail-submit, I renamed submit.cf and
> tried again. This time, the message is rejected as it should be but now
> I get a bunch of bitching from sendmail about the inability to save
> queue files because of permissions.
>
> H!!!
>
> Anyone been down this road before?
>
> Thanks!
> Scott
[Clamav-users] Strange Behavior
Good Morning!

I've built a gateway using sendmail, clamav and spamassassin. After setting the MX records for a test domain to go through this box, the spam is rolling in! ;-) Then, I threw a virus at it. The resulting behavior is nothing like what I expected...

1) sendmail receives message, calls clamd
2) clamd identifies virus
3) clmilter adds headers, hands message to sendmail-submit
4) sendmail-submit calls spamd
...

Say what?!?!

In an attempt to get rid of sendmail-submit, I renamed submit.cf and tried again. This time, the message is rejected as it should be but now I get a bunch of bitching from sendmail about the inability to save queue files because of permissions.

H!!!

Anyone been down this road before?

Thanks!
Scott