RE: [Clamav-users] Sasser Worm Virus not shown with sigtool
|
|You probably have 2 versions of the database. Happened to me

I finally figured that out when I tried doing sigtool --unpack-current and it prepended the directory it was using to my entry.

|and many others. Simple to rectify: search for main.cvd on
|your box. Then find which one is being updated by freshclam.
|Delete the others and setup symbolic links to the one that's

Symbolic Links, why didn't I think of that? Sometimes a good poke in the head is in order.

|updated by freshclam. I'm sure there are better ways to do
|this like recompile with the proper path but I couldn't be bothered.
|Works like a charm for me now.
|
|cheers,
|Colin
|
|Colin A. Bartlett
|Kinetic Web Solutions

Lots of good discussion on this one. Maybe some improvements will come of it.

Thanks

L. A. Duerksen
Technical Manager
Futureware Distributing, Inc

OpenBSD 3.4
amavisd-new-20030616-p9
spamassassin 2.63
postfix-2.0.19
ClamAV version 0.70

---
This SF.Net email is sponsored by Sleepycat Software
Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to deliver
higher performing products faster, at low TCO.
http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
RE: [Clamav-users] Sasser Worm Virus not shown with sigtool
It would be nice if clamscan, clamd, freshclam, sigtool, etc printed out the full path of the database files they are using (maybe only if -v is specified?). That would help people track down what's happening.

--Eric

--
Eric Wieling * BTEL Consulting * 504-899-1387 x2111
"In a related story, the IRS has recently ruled that the cost of Windows upgrades can NOT be deducted as a gambling loss."
Re: [Clamav-users] Sasser Worm Virus not shown with sigtool
Colin A. Bartlett wrote:

> Lynn Duerksen
> Sent: Wednesday, May 05, 2004 11:26 AM
>
>> Freshclam reports:
>>
>> RELAY:root>[sbin] freshclam
>> ClamAV update process started at Wed May 5 10:07:25 2004
>> Reading CVD header (main.cvd): OK
>> main.cvd is up to date (version: 22, sigs: 20229, f-level: 1, builder: tkojm)
>> Reading CVD header (daily.cvd): OK
>> daily.cvd is up to date (version: 303, sigs: 1196, f-level: 2, builder: trog)
>>
>> However when I run:
>>
>> sigtool -l | grep -i sasser
>>
>> I get nothing. Shouldn't Worm.Sasser.A, Worm.Sasser.D and Worm.Sasser.B all show up using this?
>
> You probably have 2 versions of the database. Happened to me and many others.

Happens to everybody it seems.

Perhaps a command line option for database path and a corresponding entry in --help output to show where the default location is for the database? Perhaps a lookup into clamav.conf?

Joe
RE: [Clamav-users] Sasser Worm Virus not shown with sigtool
Lynn Duerksen
Sent: Wednesday, May 05, 2004 11:26 AM
> Freshclam reports:
>
> RELAY:root>[sbin] freshclam
> ClamAV update process started at Wed May 5 10:07:25 2004
> Reading CVD header (main.cvd): OK
> main.cvd is up to date (version: 22, sigs: 20229, f-level: 1, builder:
> tkojm)
> Reading CVD header (daily.cvd): OK
> daily.cvd is up to date (version: 303, sigs: 1196, f-level: 2, builder:
> trog)
> However when I run:
>
> sigtool -l | grep -i sasser
>
> I get nothing. Shouldn't Worm.Sasser.A, Worm.Sasser.D and Worm.Sasser.B all
> show up using this?

You probably have 2 versions of the database. Happened to me and many others.

Simple to rectify: search for main.cvd on your box. Then find which one is being updated by freshclam. Delete the others and set up symbolic links to the one that's updated by freshclam. I'm sure there are better ways to do this like recompile with the proper path but I couldn't be bothered.

Works like a charm for me now.

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz
Re: [Clamav-users] Sasser Worm Virus not shown with sigtool
On Wed, 5 May 2004 10:26:16 -0500, "Lynn Duerksen" <[EMAIL PROTECTED]> wrote:

>Freshclam reports:
>
>RELAY:root>[sbin] freshclam
>ClamAV update process started at Wed May 5 10:07:25 2004
>Reading CVD header (main.cvd): OK
>main.cvd is up to date (version: 22, sigs: 20229, f-level: 1, builder:
>tkojm)
>Reading CVD header (daily.cvd): OK
>daily.cvd is up to date (version: 303, sigs: 1196, f-level: 2, builder:
>trog)
>
>However when I run:
>
>sigtool -l | grep -i sasser
>
>I get nothing. Shouldn't Worm.Sasser.A, Worm.Sasser.D and Worm.Sasser.B all
>show up using this?
>

Do you have more than one set of .cvd files?

$ sigtool -l |grep -i sasser
Worm.Sasser.A
Worm.Sasser.D
Worm.Sasser.B

$ locate cvd
/var/lib/clamav/main.cvd
/var/lib/clamav/daily.cvd

--
Steve
RE: [Clamav-users] Sasser Worm Virus not shown with sigtool
|Subject: [Clamav-users] Sasser Worm Virus not shown with sigtool
|
|Freshclam reports:
|
|RELAY:root>[sbin] freshclam
|ClamAV update process started at Wed May 5 10:07:25 2004
|Reading CVD header (main.cvd): OK main.cvd is up to date
|(version: 22, sigs: 20229, f-level: 1, builder:
|tkojm)
|Reading CVD header (daily.cvd): OK
|daily.cvd is up to date (version: 303, sigs: 1196, f-level: 2, builder:
|trog)
|
|However when I run:
|
|sigtool -l | grep -i sasser
|
|I get nothing. Shouldn't Worm.Sasser.A, Worm.Sasser.D and
|Worm.Sasser.B all show up using this?
|

Never Mind! I figured it out.

clamav datadir is /var/amavisd/usr/local/share/clamav
# because of running in chroot for amavisd

sigtool is looking in /usr/local/share/clamav
# those files were not up to date. This directory must be
# hard coded into sigtool
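
Added example, not part of the thread or of ClamAV itself: a shell sketch of the check the replies describe (find every copy of main.cvd, see which one is current), done by reading the version and signature count from each file's 512-byte CVD header. The function names are hypothetical, and the sample headers are constructed: the live copy carries the main.cvd values freshclam printed above, the stale copy's values are invented.

```shell
#!/bin/sh
# Added example, not from the thread. Every .cvd file starts with a 512-byte
# ASCII header whose first colon-separated fields are
#   ClamAV-VDB:build time:version:sigs:f-level:md5:dsig:builder

# cvd_header FILE -> "version<TAB>sigs<TAB>builder"; empty if not a CVD.
cvd_header() {
    dd if="$1" bs=512 count=1 2>/dev/null | LC_ALL=C tr -d '\000' |
    LC_ALL=C awk -F: 'NR == 1 && $1 == "ClamAV-VDB" {
        sub(/ +$/, "", $8); printf "%s\t%s\t%s\n", $3, $4, $8 }'
}

# cvd_copies NAME DIR... -> "version sigs builder path" (tab-separated), one
# line per regular file called NAME, highest version first. -type f skips
# symlinks, so copies already replaced by links to the live file are ignored.
cvd_copies() {
    name=$1; shift
    find "$@" -type f -name "$name" 2>/dev/null |
    while IFS= read -r path; do
        info=$(cvd_header "$path")
        [ -n "$info" ] || continue
        printf '%s\t%s\n' "$info" "$path"
    done | sort -rn
}

# stale_copies NAME DIR... -> paths whose version is below the highest found.
stale_copies() {
    cvd_copies "$@" |
    awk -F'\t' 'NR == 1 { max = $1 + 0 } $1 + 0 < max { print $4 }'
}

# make_sample ROOT: constructed headers only (placeholder time, md5, dsig).
# The live copy uses the main.cvd values freshclam printed in the thread; the
# stale copy's version 21 / 20000 sigs are invented for the demonstration.
make_sample() {
    live=$1/var/amavisd/usr/local/share/clamav
    old=$1/usr/local/share/clamav
    mkdir -p "$live" "$old"
    printf '%-512s' 'ClamAV-VDB:05 May 2004 00-00 +0000:22:20229:1:MD5:DSIG:tkojm' > "$live/main.cvd"
    printf '%-512s' 'ClamAV-VDB:01 Apr 2004 00-00 +0000:21:20000:1:MD5:DSIG:tkojm' > "$old/main.cvd"
}

if [ "$#" -ge 2 ]; then cvd_copies "$@"; fi   # e.g. sh script main.cvd /usr /var
```

Copies that report the same version from different directories are not listed by `stale_copies`, but they still show up in `cvd_copies` and will drift apart at the next freshclam run unless all but one are replaced by links.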