Re: [Clamav-users] Netsky P not being blocked, using 0.70-rc

2004-04-13 Thread Jeff Ramsey
On Apr 13, 2004, at 11:13 AM, Henry Harvey wrote:
> I restarted clamd, amavisd and all went ok.
> But when I run sigtool --list it tells me
> ERROR: Can't open directory /usr/local/share/clamav
> How can I make it point to the new location
> of the database files? And how can I make sure
> that my clamd is now looking at the new location?


run each command with '--help' at the end of it. This will tell you how 
to call each one with the proper config file locations. Edit your 
config files to point to the proper clamav database dir, and then edit 
the corresponding lines in /etc/amavis.conf to call the clamscan and 
clamd commands with the necessary switches to use the correct config 
files. I cannot remember for sure, but I think the switch is 
--config-file=/etc/freshclam.conf for freshclam and 
--config-file=/etc/clamav.conf for clamd.

-Jeff



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470alloc_id=3638op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


RE: [Clamav-users] Netsky P not being blocked, using 0.70-rc

2004-04-13 Thread Jim Maul


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Henry
 Harvey
 Sent: Tuesday, April 13, 2004 2:14 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Clamav-users] Netsky P not being blocked, using 0.70-rc


 I also have the same problem.
 Apparently, I have two locations
 where the updates are stored. ClamAV
 was using /usr/local/share/clamav
 and freshclam was storing updates in
 /var/lib/clamav. So I made clamav.conf
 point to /var/lib/clamav also.

 And just to make sure that nothing is using
 /usr/local/share/clamav anymore, I changed
 the directory name to something else.

 I restarted clamd, amavisd and all went ok.
 But when I run sigtool --list it tells me
 ERROR: Can't open directory /usr/local/share/clamav

 How can I make it point to the new location
 of the database files? And how can I make sure
 that my clamd is now looking at the new location?


I would check /etc/clamav.conf and /etc/freshclam.conf and make sure both
files have

DatabaseDirectory /var/lib/clamav

This should be all you need to change.

Jim





Re: [Clamav-users] Netsky P not being blocked, using 0.70-rc

2004-04-13 Thread Henry Harvey
I actually did check both config files and
made sure both point to the same database
directory. The only weird part is that when
I do sigtool --list, it still looks at the
old database path.

What I did to fix it is just remove the old
directory, and made a link to the correct
path so that sigtool will work. 

> run each command with '--help' at the end of it. This will tell you how
> to call each one with the proper config file locations. Edit your
> config files to point to the proper clamav database dir, and then edit
> the corresponding lines in /etc/amavis.conf to call the clamscan and
> clamd commands with the necessary switches to use the correct config
> files. I cannot remember for sure, but I think the switch is
> --config-file=/etc/freshclam.conf for freshclam and
> --config-file=/etc/clamav.conf for clamd.
>
> -Jeff
 
 
 



Re: [Clamav-users] Netsky P not being blocked, using 0.70-rc

2004-04-13 Thread Steve King

I had this same problem with 0.70-rc; I was finding that the virus got missed 
when it was in email but could be detected in a stand-alone file. I picked up 
each day's snapshot until it started to be detected: this was ClamAV version 
devel-20040327. All along my config files were in synch at all times. 

So perhaps the people having this problem should simply upgrade? Or perhaps 
they are having a different kind of problem.

Steve


Re: [Clamav-users] Netsky P not being blocked, using 0.70-rc

2004-04-13 Thread Stephen Gran
On Tue, Apr 13, 2004 at 03:50:48PM -0400, Jim Maul said:
  I also have the same problem.  Apparently, I have two locations
  where the updates are stored. ClamAV was using
  /usr/local/share/clamav and freshclam was storing updates in
  /var/lib/clamav. So I made clamav.conf point to /var/lib/clamav
  also.
 
  And just to make sure that nothing is using /usr/local/share/clamav
  anymore, I changed the directory name to something else.
 
  I restarted clamd, amavisd and all went ok.  But when I run sigtool
  --list it tells me ERROR: Can't open directory
  /usr/local/share/clamav
 
  How can I make it point to the new location of the database files?
  And how can I make sure that my clamd is now looking at the new
  location?

sigtool and clamscan both use a hard-coded path set at compile time,
unless overridden with command line options, IIRC.  clamd and freshclam
read their respective config files.  It sounds like you have set one
path at compile time, and another at run time.

-- 
 --
|  Stephen Gran  | Silvrbear Oxymorons?  I saw one   |
|  [EMAIL PROTECTED] | yesterday - the pamphlet on Taco Bell  |
|  http://www.lobefin.net/~steve | Nutritional Information|
 --




Re: [Clamav-users] Netsky P not being blocked, using 0.70-rc

2004-04-11 Thread Jeff Ramsey
On Apr 10, 2004, at 5:44 PM, Bill Randle wrote:

> On Sat, 2004-04-10 at 16:49, Jeff Ramsey wrote:
>> On Apr 10, 2004, at 9:27 AM, Colin A. Bartlett wrote:
>>
>>> Jeff Ramsey Sent: Friday, April 09, 2004 4:23 PM
>>>
>>>> I have done some further testing, and I am blocking Somefool and
>>>> Somefool.B, but I am not blocking variant P.
>>>
>>> FWIW, this same thing happened to me when I upgraded from Clam .60 to
>>> the latest version. Apparently I installed it in a different place so
>>> there were two versions of my daily updates and it wasn't using the new
>>> one. Are you sure your virus signatures are being updated and include
>>> the SomeFool.P variant? Run sigtool --list | grep SomeFool to see if
>>> it's listed.
>>>
>>> cheers,
>>> Colin
>>
>> I ran the command above, and here are the results:
>>
>> Worm.Somefool
>> Worm.Somefool.B
>> Worm.Somefool.B.2
>> Worm.Somefool.D
>> Worm.Somefool.E
>> Worm.Somefool.F
>>
>> These ones are all working. How can I get freshclam to get the P
>> variant file?
>>
>> Thanks,
>> Jeff
>
> As has been implied earlier, double check your /etc/clamav.conf or
> /etc/clamd.conf and verify the DatabaseDirectory matches the
> DatabaseDirectory entry in /etc/freshclam.conf. Also, make sure
> that when freshclam is run, it is using the freshclam.conf file
> or explicitly sets the database directory via the command line to
> the place you think it should be.
>
> Here's what mine has in it for SomeFool:
>
> Worm.SomeFool.Gen-unp
> Worm.SomeFool.O
> Worm.SomeFool.P
> Worm.SomeFool.P-dll
> Worm.SomeFool.Q
> Worm.SomeFool.N
> Worm.SomeFool.R
> Worm.SomeFool.Q.2
> Worm.SomeFool
> Worm.SomeFool.B
> Worm.SomeFool.B.2
> Worm.SomeFool.D
> Worm.SomeFool.E
> Worm.SomeFool.F
> Worm.SomeFool.Gen-1
> Worm.SomeFool.Gen-2
> Worm.SomeFool.I
> Worm.SomeFool.K
> Worm.SomeFool.L
> Worm.SomeFool.M
>
> -Bill

It is using the same DatabaseDirectory for both. I still see only the 
same variants of Somefool that I listed above with the sigtool 
command. Any other tips?

Thanks,
Jeff




Re: [Clamav-users] Netsky P not being blocked, using 0.70-rc

2004-04-11 Thread Jeff Ramsey
I finally blocked Somefool.P/Netsky.P with clamav:

 copy of message from Amavisd-new 

A virus was found in an email from:

   [EMAIL PROTECTED]

The message was addressed to:

- [EMAIL PROTECTED]

The message has been quarantined as:

   /var/virusmails/virus-20040411-134830-2035

Here is the output of the scanner:

/var/amavis/amavis-milter-XXIqN4W5/parts/msg-2035-1.txt: OK
/var/amavis/amavis-milter-XXIqN4W5/parts/part-1: Worm.SomeFool.P FOUND

 end copy of message from Amavisd-new 
--

Thanks to all for the help with this.

I think it had to do with the newer executables having a different 
default config path, and I had to edit the amavis.conf file to force 
clamd & clamscan to use the config file in /etc instead of 
/usr/local/etc/. Also, I called freshclam from the command line with 
the switch for the same config file. Is there any current (0.70 or 
newer) RPMs available for Redhat 9/Fedora? Thanks again.

Jeff





RE: [Clamav-users] Netsky P not being blocked, using 0.70-rc

2004-04-10 Thread Colin A. Bartlett
Jeff Ramsey Sent: Friday, April 09, 2004 4:23 PM

 I have done some further testing, and I am blocking Somefool and
 Somefool.B, but I am not blocking variant P.

FWIW, this same thing happened to me when I upgraded from Clam .60 to the
latest version. Apparently I installed it in a different place so there were
two versions of my daily updates and it wasn't using the new one. Are you
sure your virus signatures are being updated and include the SomeFool.P
variant? Run sigtool --list | grep SomeFool to see if it's listed.

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz





Re: [Clamav-users] Netsky P not being blocked, using 0.70-rc

2004-04-10 Thread Jeff Ramsey
On Apr 10, 2004, at 9:27 AM, Colin A. Bartlett wrote:

> Jeff Ramsey Sent: Friday, April 09, 2004 4:23 PM
>
>> I have done some further testing, and I am blocking Somefool and
>> Somefool.B, but I am not blocking variant P.
>
> FWIW, this same thing happened to me when I upgraded from Clam .60 to
> the latest version. Apparently I installed it in a different place so
> there were two versions of my daily updates and it wasn't using the new
> one. Are you sure your virus signatures are being updated and include
> the SomeFool.P variant? Run sigtool --list | grep SomeFool to see if
> it's listed.
>
> cheers,
> Colin

I ran the command above, and here are the results:

Worm.Somefool
Worm.Somefool.B
Worm.Somefool.B.2
Worm.Somefool.D
Worm.Somefool.E
Worm.Somefool.F

These ones are all working. How can I get freshclam to get the P 
variant file?

Thanks,
Jeff




Re: [Clamav-users] Netsky P not being blocked, using 0.70-rc

2004-04-10 Thread Tomasz Kojm
On Sat, 10 Apr 2004 16:49:52 -0700
Jeff Ramsey [EMAIL PROTECTED] wrote:

 
 On Apr 10, 2004, at 9:27 AM, Colin A. Bartlett wrote:
 
  Jeff Ramsey Sent: Friday, April 09, 2004 4:23 PM
 
  I have done some further testing, and I am blocking Somefool and
  Somefool.B, but I am not blocking variant P.
 
  FWIW, this same thing happened to me when I upgraded from Clam .60
  to the
  latest version. Apparently I installed it in a different place so 
  there were
  two versions of my daily updates and it wasn't using the new one. Are
  
  you
  sure your virus signatures are being updated and include the
  SomeFool.P variant? Run sigtool --list | grep SomeFool to see if
  it's listed.
 
  cheers,
  Colin
 
 I ran the command above, and here are the results:
 
 Worm.Somefool
 Worm.Somefool.B
 Worm.Somefool.B.2
 Worm.Somefool.D
 Worm.Somefool.E
 Worm.Somefool.F

My output is:

[EMAIL PROTECTED]:~$ sigtool -l | grep -i somefool
Worm.SomeFool
Worm.SomeFool.B
Worm.SomeFool.B.2
Worm.SomeFool.D
Worm.SomeFool.E
Worm.SomeFool.F
Worm.SomeFool.Gen-1
Worm.SomeFool.Gen-2
Worm.SomeFool.I
Worm.SomeFool.K
Worm.SomeFool.L
Worm.SomeFool.M
Worm.SomeFool.Gen-unp
Worm.SomeFool.O
Worm.SomeFool.P
Worm.SomeFool.P-dll
Worm.SomeFool.Q
Worm.SomeFool.N
Worm.SomeFool.R
Worm.SomeFool.Q.2

So Jeff was right.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Sun Apr 11 02:23:42 CEST 2004




Re: [Clamav-users] Netsky P not being blocked, using 0.70-rc

2004-04-10 Thread Bill Randle
On Sat, 2004-04-10 at 16:49, Jeff Ramsey wrote:
 On Apr 10, 2004, at 9:27 AM, Colin A. Bartlett wrote:
 
  Jeff Ramsey Sent: Friday, April 09, 2004 4:23 PM
 
  I have done some further testing, and I am blocking Somefool and
  Somefool.B, but I am not blocking variant P.
 
  FWIW, this same thing happened to me when I upgraded from Clam .60 to 
  the
  latest version. Apparently I installed it in a different place so 
  there were
  two versions of my daily updates and it wasn't using the new one. Are 
  you
  sure your virus signatures are being updated and include the SomeFool.P
  variant? Run sigtool --list | grep SomeFool to see if it's listed.
 
  cheers,
  Colin
 
 I ran the command above, and here are the results:
 
 Worm.Somefool
 Worm.Somefool.B
 Worm.Somefool.B.2
 Worm.Somefool.D
 Worm.Somefool.E
 Worm.Somefool.F
 
 These ones are all working. How can I get freshclam to get the P 
 variant file?
 
 Thanks,
 Jeff

As has been implied earlier, double check your /etc/clamav.conf or
/etc/clamd.conf and verify the DatabaseDirectory matches the
DatabaseDirectory entry in /etc/freshclam.conf. Also, make sure
that when freshclam is run, it is using the freshclam.conf file
or explicitly sets the database directory via the command line to
the place you think it should be.

Here's what mine has in it for SomeFool:

Worm.SomeFool.Gen-unp
Worm.SomeFool.O
Worm.SomeFool.P
Worm.SomeFool.P-dll
Worm.SomeFool.Q
Worm.SomeFool.N
Worm.SomeFool.R
Worm.SomeFool.Q.2
Worm.SomeFool
Worm.SomeFool.B
Worm.SomeFool.B.2
Worm.SomeFool.D
Worm.SomeFool.E
Worm.SomeFool.F
Worm.SomeFool.Gen-1
Worm.SomeFool.Gen-2
Worm.SomeFool.I
Worm.SomeFool.K
Worm.SomeFool.L
Worm.SomeFool.M

-Bill
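
The check several replies in this thread describe (the same DatabaseDirectory in the scanner and updater config files, then a case-insensitive look for the signature name in the `sigtool --list` output), as an added shell example that is not part of the thread or of ClamAV. The function names `db_dir`, `check_db_dirs` and `has_signature` are hypothetical, and directory paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example, not from the thread: helper names are hypothetical.

# Print the value of the last active DatabaseDirectory directive in a
# config file. Commented-out lines ("# DatabaseDirectory ...") are skipped
# because their first field is not the bare directive name.
db_dir() {
    awk '$1 == "DatabaseDirectory" { v = $2 } END { if (v != "") print v }' "$1"
}

# Compare the directive between the scanner config and the updater config.
# Prints the shared directory on success.
# Returns: 0 match, 1 mismatch, 2 directive missing, 3 file unreadable.
check_db_dirs() {
    scanner_conf=$1
    updater_conf=$2
    for f in "$scanner_conf" "$updater_conf"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 3; }
    done
    scan_dir=$(db_dir "$scanner_conf")
    upd_dir=$(db_dir "$updater_conf")
    if [ -z "$scan_dir" ] || [ -z "$upd_dir" ]; then
        echo "DatabaseDirectory not set in one file; a built-in default applies" >&2
        return 2
    fi
    if [ "$scan_dir" != "$upd_dir" ]; then
        echo "MISMATCH: scanner reads $scan_dir, updater writes $upd_dir" >&2
        return 1
    fi
    echo "$scan_dir"
}

# Read a signature listing (one name per line, as printed by
# `sigtool --list`) on stdin and succeed only if the exact name is present.
# -i: the thread shows both "Somefool" and "SomeFool" spellings.
# -x -F: whole-line literal match, so "Worm.SomeFool.P" does not match
#        "Worm.SomeFool.P-dll" and dots are not treated as wildcards.
has_signature() {
    grep -i -x -q -F -- "$1"
}

# Usage when run as a script with two config paths, for example:
#   sh check.sh /etc/clamav.conf /etc/freshclam.conf
#   sigtool --list | has_signature Worm.SomeFool.P && echo present
if [ "$#" -eq 2 ]; then
    check_db_dirs "$1" "$2"
fi
```

A match between the two files only covers clamd and freshclam; as noted elsewhere in the thread, sigtool and clamscan may still read a path fixed at compile time.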






Re: [Clamav-users] Netsky P not being blocked, using 0.70-rc

2004-04-08 Thread Amish Munshi

On Wed, 7 Apr 2004 20:22:07 +0100, Antony Stone
[EMAIL PROTECTED] said:
 On Wednesday 07 April 2004 7:59 pm, Jeff Ramsey wrote:
 
 I'm picking up Worm.SomeFool.P (aka Worm/NetSky.P according to Antivir, 
 W32/[EMAIL PROTECTED] according to F-Prot, W32/[EMAIL PROTECTED] according to
 McAfee) 
 with a very old version of ClamAV (0.60 running under MailScanner)


  I am also facing the same problem, I have recently tested and installed
  Clamav, postfix combi. Tests with the sample test viruses given did
  succeed, so I assumed that the installation is successful. But the
  mail containing a virus was delivered to OE and Norton AV detected it.
  Well, my client is not technical so I managed to convince him that it is
  not a problem and since it is a new virus it will be fixed
  automatically. 
  I scanned the file which had that virus and clamav detected the virus. 
  Any clues what is wrong here?

 
 Regards,
 
 Antony.
 
 -- 
 The lottery is a tax for people who can't do maths.
 
  Please reply to the list;
  please don't CC me.
 
 
 


Re: [Clamav-users] Netsky P not being blocked, using 0.70-rc

2004-04-07 Thread Antony Stone
On Wednesday 07 April 2004 7:59 pm, Jeff Ramsey wrote:

 Do I have to use a CVS version to get this one to be detected? Sophos
 detects it fine on this machine.

No.

I'm picking up Worm.SomeFool.P (aka Worm/NetSky.P according to Antivir, 
W32/[EMAIL PROTECTED] according to F-Prot, W32/[EMAIL PROTECTED] according to McAfee) 
with a very old version of ClamAV (0.60 running under MailScanner)

Regards,

Antony.

-- 
The lottery is a tax for people who can't do maths.

 Please reply to the list;
   please don't CC me.


