Re: [Clamav-users] Netsky P not being blocked, using 0.70-rc
On Apr 13, 2004, at 11:13 AM, Henry Harvey wrote:

> I restarted clamd, amavisd and all went ok. But when I run sigtool --list it tells me
>
> ERROR: Can't open directory /usr/local/share/clamav
>
> How can I make it point to the new location of the database files? And how can I make sure that my clamd is now looking at the new location?

Run each command with '--help' at the end of it. This will tell you how to call each one with the proper config file locations. Edit your config files to point to the proper clamav database dir, and then edit the corresponding lines in /etc/amavis.conf to call the clamscan and clamd commands with the necessary switches to use the correct config files. I cannot remember for sure, but I think the switch is --config-file=/etc/freshclam.conf for freshclam and --config-file=/etc/clamav.conf for clamd.

-Jeff
RE: [Clamav-users] Netsky P not being blocked, using 0.70-rc
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Henry Harvey
> Sent: Tuesday, April 13, 2004 2:14 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Netsky P not being blocked, using 0.70-rc
>
> I also have the same problem. Apparently, I have two locations where the updates are stored. ClamAV was using /usr/local/share/clamav and freshclam was storing updates in /var/lib/clamav. So I made clamav.conf point to /var/lib/clamav also. And just to make sure that nothing is using /usr/local/share/clamav anymore, I changed the directory name to something else.
>
> I restarted clamd, amavisd and all went ok. But when I run sigtool --list it tells me
>
> ERROR: Can't open directory /usr/local/share/clamav
>
> How can I make it point to the new location of the database files? And how can I make sure that my clamd is now looking at the new location?

I would check /etc/clamav.conf and /etc/freshclam.conf and make sure both files have

DatabaseDirectory /var/lib/clamav

This should be all you need to change.

Jim
Re: [Clamav-users] Netsky P not being blocked, using 0.70-rc
I actually did check both config files and made sure both point to the same database directory. The only weird part is that when I do sigtool --list, it still looks at the old database path. What I did to fix it is just remove the old directory, and made a link to the correct path so that sigtool will work.

> Run each command with '--help' at the end of it. This will tell you how to call each one with the proper config file locations. Edit your config files to point to the proper clamav database dir, and then edit the corresponding lines in /etc/amavis.conf to call the clamscan and clamd commands with the necessary switches to use the correct config files. I cannot remember for sure, but I think the switch is --config-file=/etc/freshclam.conf for freshclam and --config-file=/etc/clamav.conf for clamd.
>
> -Jeff
Re: [Clamav-users] Netsky P not being blocked, using 0.70-rc
I had this same problem with 0.70-rc; I was finding that the virus got missed when it was in email but could be detected in a stand-alone file. I picked up each day's snapshot until it started to be detected: this was ClamAV version devel-20040327. All along my config files were in synch at all times.

So perhaps the people having this problem should simply upgrade? Or perhaps they are having a different kind of problem.

Steve
Re: [Clamav-users] Netsky P not being blocked, using 0.70-rc
On Tue, Apr 13, 2004 at 03:50:48PM -0400, Jim Maul said:

> > I also have the same problem. Apparently, I have two locations where the updates are stored. ClamAV was using /usr/local/share/clamav and freshclam was storing updates in /var/lib/clamav. So I made clamav.conf point to /var/lib/clamav also. And just to make sure that nothing is using /usr/local/share/clamav anymore, I changed the directory name to something else.
> >
> > I restarted clamd, amavisd and all went ok. But when I run sigtool --list it tells me
> >
> > ERROR: Can't open directory /usr/local/share/clamav
> >
> > How can I make it point to the new location of the database files? And how can I make sure that my clamd is now looking at the new location?

sigtool and clamscan both use a hard-coded path set at compile time, unless overridden with command line options, IIRC. clamd and freshclam read their respective config files. It sounds like you have set one path at compile time, and another at run time.

--
Stephen Gran
[EMAIL PROTECTED]
http://www.lobefin.net/~steve

Oxymorons? I saw one yesterday - the pamphlet on Taco Bell Nutritional Information
Re: [Clamav-users] Netsky P not being blocked, using 0.70-rc
On Apr 10, 2004, at 5:44 PM, Bill Randle wrote:

> On Sat, 2004-04-10 at 16:49, Jeff Ramsey wrote:
>
> > On Apr 10, 2004, at 9:27 AM, Colin A. Bartlett wrote:
> >
> > > > Jeff Ramsey
> > > > Sent: Friday, April 09, 2004 4:23 PM
> > > >
> > > > I have done some further testing, and I am blocking Somefool and Somefool.B, but I am not blocking variant P.
> > >
> > > FWIW, this same thing happened to me when I upgraded from Clam .60 to the latest version. Apparently I installed it in a different place so there were two versions of my daily updates and it wasn't using the new one.
> > >
> > > Are you sure your virus signatures are being updated and include the SomeFool.P variant? Run
> > >
> > > sigtool --list | grep SomeFool
> > >
> > > to see if it's listed.
> > >
> > > cheers,
> > > Colin
> >
> > I ran the command above, and here are the results:
> >
> > Worm.Somefool
> > Worm.Somefool.B
> > Worm.Somefool.B.2
> > Worm.Somefool.D
> > Worm.Somefool.E
> > Worm.Somefool.F
> >
> > These ones are all working. How can I get freshclam to get the P variant file?
> >
> > Thanks,
> > Jeff
>
> As has been implied earlier, double check your /etc/clamav.conf or /etc/clamd.conf and verify the DatabaseDirectory matches the DatabaseDirectory entry in /etc/freshclam.conf. Also, make sure that when freshclam is run, it is using the freshclam.conf file or explicitly sets the database directory via the command line to the place you think it should be.
>
> Here's what mine has in it for SomeFool:
>
> Worm.SomeFool.Gen-unp
> Worm.SomeFool.O
> Worm.SomeFool.P
> Worm.SomeFool.P-dll
> Worm.SomeFool.Q
> Worm.SomeFool.N
> Worm.SomeFool.R
> Worm.SomeFool.Q.2
> Worm.SomeFool
> Worm.SomeFool.B
> Worm.SomeFool.B.2
> Worm.SomeFool.D
> Worm.SomeFool.E
> Worm.SomeFool.F
> Worm.SomeFool.Gen-1
> Worm.SomeFool.Gen-2
> Worm.SomeFool.I
> Worm.SomeFool.K
> Worm.SomeFool.L
> Worm.SomeFool.M
>
> -Bill

It is using the same DatabaseDirectory for both. I still see only the same variants of Somefool that I listed above with the sigtool command. Any other tips?

Thanks,
Jeff
Re: [Clamav-users] Netsky P not being blocked, using 0.70-rc
I finally blocked Somefool.P/Netsky.P with clamav:

copy of message from Amavisd-new

A virus was found in an email from: [EMAIL PROTECTED]
The message was addressed to:
- [EMAIL PROTECTED]
The message has been quarantined as:
/var/virusmails/virus-20040411-134830-2035
Here is the output of the scanner:
/var/amavis/amavis-milter-XXIqN4W5/parts/msg-2035-1.txt: OK
/var/amavis/amavis-milter-XXIqN4W5/parts/part-1: Worm.SomeFool.P FOUND

end copy of message from Amavisd-new

Thanks to all for the help with this. I think it had to do with the newer executables having a different default config path, and I had to edit the amavis.conf file to force clamd & clamscan to use the config file in /etc instead of /usr/local/etc/. Also, I called freshclam from the command line with the switch for the same config file.

Are there any current (0.70 or newer) RPMs available for Redhat 9/Fedora?

Thanks again.

Jeff
RE: [Clamav-users] Netsky P not being blocked, using 0.70-rc
> Jeff Ramsey
> Sent: Friday, April 09, 2004 4:23 PM
>
> I have done some further testing, and I am blocking Somefool and Somefool.B, but I am not blocking variant P.

FWIW, this same thing happened to me when I upgraded from Clam .60 to the latest version. Apparently I installed it in a different place so there were two versions of my daily updates and it wasn't using the new one.

Are you sure your virus signatures are being updated and include the SomeFool.P variant? Run

sigtool --list | grep SomeFool

to see if it's listed.

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz
Re: [Clamav-users] Netsky P not being blocked, using 0.70-rc
On Apr 10, 2004, at 9:27 AM, Colin A. Bartlett wrote:

> > Jeff Ramsey
> > Sent: Friday, April 09, 2004 4:23 PM
> >
> > I have done some further testing, and I am blocking Somefool and Somefool.B, but I am not blocking variant P.
>
> FWIW, this same thing happened to me when I upgraded from Clam .60 to the latest version. Apparently I installed it in a different place so there were two versions of my daily updates and it wasn't using the new one.
>
> Are you sure your virus signatures are being updated and include the SomeFool.P variant? Run
>
> sigtool --list | grep SomeFool
>
> to see if it's listed.
>
> cheers,
> Colin

I ran the command above, and here are the results:

Worm.Somefool
Worm.Somefool.B
Worm.Somefool.B.2
Worm.Somefool.D
Worm.Somefool.E
Worm.Somefool.F

These ones are all working. How can I get freshclam to get the P variant file?

Thanks,
Jeff
Re: [Clamav-users] Netsky P not being blocked, using 0.70-rc
On Sat, 10 Apr 2004 16:49:52 -0700 Jeff Ramsey [EMAIL PROTECTED] wrote:

> On Apr 10, 2004, at 9:27 AM, Colin A. Bartlett wrote:
>
> > > Jeff Ramsey
> > > Sent: Friday, April 09, 2004 4:23 PM
> > >
> > > I have done some further testing, and I am blocking Somefool and Somefool.B, but I am not blocking variant P.
> >
> > FWIW, this same thing happened to me when I upgraded from Clam .60 to the latest version. Apparently I installed it in a different place so there were two versions of my daily updates and it wasn't using the new one.
> >
> > Are you sure your virus signatures are being updated and include the SomeFool.P variant? Run
> >
> > sigtool --list | grep SomeFool
> >
> > to see if it's listed.
> >
> > cheers,
> > Colin
>
> I ran the command above, and here are the results:
>
> Worm.Somefool
> Worm.Somefool.B
> Worm.Somefool.B.2
> Worm.Somefool.D
> Worm.Somefool.E
> Worm.Somefool.F

My output is:

[EMAIL PROTECTED]:~$ sigtool -l | grep -i somefool
Worm.SomeFool
Worm.SomeFool.B
Worm.SomeFool.B.2
Worm.SomeFool.D
Worm.SomeFool.E
Worm.SomeFool.F
Worm.SomeFool.Gen-1
Worm.SomeFool.Gen-2
Worm.SomeFool.I
Worm.SomeFool.K
Worm.SomeFool.L
Worm.SomeFool.M
Worm.SomeFool.Gen-unp
Worm.SomeFool.O
Worm.SomeFool.P
Worm.SomeFool.P-dll
Worm.SomeFool.Q
Worm.SomeFool.N
Worm.SomeFool.R
Worm.SomeFool.Q.2

So Jeff was right.

--
Tomasz Kojm [EMAIL PROTECTED]
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Sun Apr 11 02:23:42 CEST 2004
Re: [Clamav-users] Netsky P not being blocked, using 0.70-rc
On Sat, 2004-04-10 at 16:49, Jeff Ramsey wrote:

> On Apr 10, 2004, at 9:27 AM, Colin A. Bartlett wrote:
>
> > > Jeff Ramsey
> > > Sent: Friday, April 09, 2004 4:23 PM
> > >
> > > I have done some further testing, and I am blocking Somefool and Somefool.B, but I am not blocking variant P.
> >
> > FWIW, this same thing happened to me when I upgraded from Clam .60 to the latest version. Apparently I installed it in a different place so there were two versions of my daily updates and it wasn't using the new one.
> >
> > Are you sure your virus signatures are being updated and include the SomeFool.P variant? Run
> >
> > sigtool --list | grep SomeFool
> >
> > to see if it's listed.
> >
> > cheers,
> > Colin
>
> I ran the command above, and here are the results:
>
> Worm.Somefool
> Worm.Somefool.B
> Worm.Somefool.B.2
> Worm.Somefool.D
> Worm.Somefool.E
> Worm.Somefool.F
>
> These ones are all working. How can I get freshclam to get the P variant file?
>
> Thanks,
> Jeff

As has been implied earlier, double check your /etc/clamav.conf or /etc/clamd.conf and verify the DatabaseDirectory matches the DatabaseDirectory entry in /etc/freshclam.conf. Also, make sure that when freshclam is run, it is using the freshclam.conf file or explicitly sets the database directory via the command line to the place you think it should be.

Here's what mine has in it for SomeFool:

Worm.SomeFool.Gen-unp
Worm.SomeFool.O
Worm.SomeFool.P
Worm.SomeFool.P-dll
Worm.SomeFool.Q
Worm.SomeFool.N
Worm.SomeFool.R
Worm.SomeFool.Q.2
Worm.SomeFool
Worm.SomeFool.B
Worm.SomeFool.B.2
Worm.SomeFool.D
Worm.SomeFool.E
Worm.SomeFool.F
Worm.SomeFool.Gen-1
Worm.SomeFool.Gen-2
Worm.SomeFool.I
Worm.SomeFool.K
Worm.SomeFool.L
Worm.SomeFool.M

-Bill
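The two checks suggested in this thread (matching DatabaseDirectory settings, and comparing `sigtool --list` output from two locations), sketched as a shell script. This is an added example, not code posted by anyone on the list; the function names, temporary files and their contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. File contents below are constructed.

# Print the first DatabaseDirectory value set in a ClamAV config file.
# Commented-out lines never match: awk compares the whole first field.
db_dir() {
    awk '$1 == "DatabaseDirectory" { print $2; exit }' "$1"
}

# Compare the scanner's and the updater's config files.
# Returns 0 if both name the same directory, 1 if they differ, and 2 if
# either omits the directive (that tool then uses its compile-time default).
check_db_dirs() {
    scan_dir=$(db_dir "$1")
    upd_dir=$(db_dir "$2")
    if [ -z "$scan_dir" ] || [ -z "$upd_dir" ]; then
        echo "UNSET scanner=${scan_dir:-default} updater=${upd_dir:-default}"
        return 2
    fi
    if [ "$scan_dir" != "$upd_dir" ]; then
        echo "MISMATCH scanner=$scan_dir updater=$upd_dir"
        return 1
    fi
    echo "OK $scan_dir"
}

# Given two saved `sigtool --list` outputs, print the names in the second
# that are absent from the first, ignoring case (Somefool vs SomeFool).
missing_sigs() {
    awk 'FILENAME == ARGV[1] { seen[tolower($1)] = 1; next }
         !(tolower($1) in seen) { print $1 }' "$1" "$2"
}

# Constructed fixtures: a scanner config left on the old path, an updater
# config on the new one, and signature listings taken from each directory.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
printf '%s\n' 'LogFile /var/log/clamd.log' \
    'DatabaseDirectory /usr/local/share/clamav' > "$work/clamav.conf"
printf '%s\n' '# DatabaseDirectory /usr/local/share/clamav' \
    'DatabaseDirectory /var/lib/clamav' > "$work/freshclam.conf"
printf '%s\n' Worm.Somefool Worm.Somefool.B Worm.Somefool.F > "$work/old.txt"
printf '%s\n' Worm.SomeFool Worm.SomeFool.B Worm.SomeFool.F \
    Worm.SomeFool.P Worm.SomeFool.P-dll > "$work/new.txt"

check_db_dirs "$work/clamav.conf" "$work/freshclam.conf" || true
missing_sigs "$work/old.txt" "$work/new.txt"
```

A clean result here only covers clamd and freshclam; as noted elsewhere in the thread, sigtool and clamscan take their database path from the compile-time default or the command line, so they need checking separately.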
Re: [Clamav-users] Netsky P not being blocked, using 0.70-rc
On Wed, 7 Apr 2004 20:22:07 +0100, Antony Stone [EMAIL PROTECTED] said:

> On Wednesday 07 April 2004 7:59 pm, Jeff Ramsey wrote:
>
> I'm picking up Worm.SomeFool.P (aka Worm/NetSky.P according to Antivir, W32/[EMAIL PROTECTED] according to F-Prot, W32/[EMAIL PROTECTED] according to McAfee) with a very old version of ClamAV (0.60 running under MailScanner)

I am also facing the same problem, I have recently tested and installed Clamav, postfix combi. Tests with the sample test viruses given did succeed, so I assumed that the installation is successful. But the mail containing a virus was delivered to OE and Norton AV detected it. Well, my client is not technical so I managed to convince him that it is not a problem and since it is a new virus it will be fixed automatically.

I scanned the file which had that virus and clamav detected the virus.

Any clues what is wrong here?

> Regards,
>
> Antony.
>
> --
> The lottery is a tax for people who can't do maths.
> Please reply to the list; please don't CC me.
Re: [Clamav-users] Netsky P not being blocked, using 0.70-rc
On Wednesday 07 April 2004 7:59 pm, Jeff Ramsey wrote:

> Do I have to use a CVS version to get this one to be detected? Sophos detects it fine on this machine.

No.

I'm picking up Worm.SomeFool.P (aka Worm/NetSky.P according to Antivir, W32/[EMAIL PROTECTED] according to F-Prot, W32/[EMAIL PROTECTED] according to McAfee) with a very old version of ClamAV (0.60 running under MailScanner)

Regards,

Antony.

--
The lottery is a tax for people who can't do maths.
Please reply to the list; please don't CC me.