Re: [Clamav-users] Latest virusdb update - mismatched signature count?
On Thu, Mar 17, 2005 at 07:24:15PM +0100, Tomasz Kojm wrote:
> > > Your clamd doesn't support meta-data signatures.
> >
> > So that will be a feature of 0.84 then?
>
> Yes, it will (already supported in CVS).

Great!

I've been "using" meta-data signatures, via procmail, probably since
"sircam" came out in 2001, and it works very well. I'm still catching
mydoom variants using a procmail recipe I wrote in 2003 (much to my
surprise, I might add). (See http://www.xs4all.nl/~johnpc/procmailrc.txt
if you're interested).

But it's also bad, since if a high-profile virus scanner like ClamAV is
going to start matching meta-data, then virus writers are more likely to
notice and start changing it with each virus release, making my procmail
hackery less effective ;)

--
#!perl -wpl # mmfppfmpmmpp mmpffm <[EMAIL PROTECTED]>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig;# Jan-Pieter Cornet
___
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Latest virusdb update - mismatched signature count?
On Thu, 17 Mar 2005 22:25:44 +0100
Tomasz Kojm <[EMAIL PROTECTED]> wrote:

> On Thu, 17 Mar 2005 13:10:57 -0800
> [EMAIL PROTECTED] wrote:
>
> > At 01:05 PM 3/17/2005, Matt Fretwell wrote:
> >
> > >[EMAIL PROTECTED] wrote:
> > >
> > > > that's why this suggested to me a problem with the CVD's.
> > >
> > > Might one enquire then as to why no one else, up to just, are
> > > experiencing this problem? Double check your system before
> > > blaming the software.
> >
> > uh, that's essentially what i just said in that post. it *suggested*
> > a problem with the software, and i misinterpreted the other problem
> > reports in haste. since nothing's changed on my system, and my disk
> > space, inodes, ram, permissions, etc are all okay, i jumped to a
> > conclusion. i'm investigating further. i flew off the handle, which
> > i don't usually do. i've apologized to Tomasz in private email. I
> > apologize here now as well. i suggested to him in private email
> > that maybe he got up on the wrong side of the bed with his personal
> > attacks. clearly, i was projecting!
>
> Because our competences are often unfairly questioned on this list, my
> reactions may be found somewhat ironic. I apologize.
>
> Attached you can find a patch that (hopefully) will display some
> useful information on the problem.

Don't worry about the invalid signature in my last post. It's probably
a bug in Mailman which breaks signatures in PGP/MIME emails with
attachments.

--
oo.        Tomasz Kojm <[EMAIL PROTECTED]>
(\/)\.     http://www.ClamAV.net/gpg/tkojm.gpg
\..._      0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\     Thu Mar 17 22:26:58 CET 2005
Re: [Clamav-users] Latest virusdb update - mismatched signature count?
On Thu, 17 Mar 2005 13:10:57 -0800
[EMAIL PROTECTED] wrote:

> At 01:05 PM 3/17/2005, Matt Fretwell wrote:
>
> >[EMAIL PROTECTED] wrote:
> >
> > > that's why this suggested to me a problem with the CVD's.
> >
> > Might one enquire then as to why no one else, up to just, are
> > experiencing this problem? Double check your system before blaming
> > the software.
>
> uh, that's essentially what i just said in that post. it *suggested* a
> problem with the software, and i misinterpreted the other problem
> reports in haste. since nothing's changed on my system, and my disk
> space, inodes, ram, permissions, etc are all okay, i jumped to a
> conclusion. i'm investigating further. i flew off the handle, which i
> don't usually do. i've apologized to Tomasz in private email. I
> apologize here now as well. i suggested to him in private email that
> maybe he got up on the wrong side of the bed with his personal
> attacks. clearly, i was projecting!

Because our competences are often unfairly questioned on this list, my
reactions may be found somewhat ironic. I apologize.

Attached you can find a patch that (hopefully) will display some useful
information on the problem.

--
oo.        Tomasz Kojm <[EMAIL PROTECTED]>
(\/)\.     http://www.ClamAV.net/gpg/tkojm.gpg
\..._      0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\     Thu Mar 17 22:25:10 CET 2005
Re: [Clamav-users] Latest virusdb update - mismatched signature count?
At 01:05 PM 3/17/2005, Matt Fretwell wrote:

>[EMAIL PROTECTED] wrote:
>
> > that's why this suggested to me a problem with the CVD's.
>
> Might one enquire then as to why no one else, up to just, are
> experiencing this problem? Double check your system before blaming
> the software.

uh, that's essentially what i just said in that post. it *suggested* a
problem with the software, and i misinterpreted the other problem
reports in haste. since nothing's changed on my system, and my disk
space, inodes, ram, permissions, etc are all okay, i jumped to a
conclusion. i'm investigating further. i flew off the handle, which i
don't usually do. i've apologized to Tomasz in private email. I
apologize here now as well. i suggested to him in private email that
maybe he got up on the wrong side of the bed with his personal attacks.
clearly, i was projecting!

Paul Theodoropoulos
http://www.anastrophe.com
http://www.smileglobal.com
Re: [Clamav-users] Latest virusdb update - mismatched signature count?
[EMAIL PROTECTED] wrote:

> that's why this suggested to me a problem with the CVD's.

Might one enquire then as to why no one else, up to just, are
experiencing this problem? Double check your system before blaming the
software.

Matt
Re: [Clamav-users] Latest virusdb update - mismatched signature count?
At 12:48 PM 3/17/2005, [EMAIL PROTECTED] wrote:

> you've broken something in the distributed CVD's. i've seen other
> reports of this problem today.

correction, the other reports are regarding changes to the CVD format
apparently, but don't match what i'm experiencing.

as i said, plenty of disk, plenty of inodes, no memory shortage. that's
why this suggested to me a problem with the CVD's.

Paul Theodoropoulos
http://www.anastrophe.com
http://www.smileglobal.com
Re: [Clamav-users] Latest virusdb update - mismatched signature count?
On Thu, 17 Mar 2005 12:48:10 -0800
[EMAIL PROTECTED] wrote:

> got any other brilliant suggestions, einstein?

I commiserate with your users.

--
oo.        Tomasz Kojm <[EMAIL PROTECTED]>
(\/)\.     http://www.ClamAV.net/gpg/tkojm.gpg
\..._      0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\     Thu Mar 17 21:49:19 CET 2005
Re: [Clamav-users] Latest virusdb update - mismatched signature count?
> > >At 10:24 AM 3/17/2005, Tomasz Kojm wrote:
> > > >Yes, it will (already supported in CVS).
> >
> > this is ridiculous. my clamd system is now broken due to these changes
> > that are being propagated. i'm running the current .83 release. you
> > should at least support your current RELEASE version for all clients
> > out there before propagating changes to the db that are incompatible
> > with it!!
>
> Buy a book on UNIX administering, kiddy.

wow, aren't we the pompous one.

> > LibClamAV Error: Wrote 0 instead of 512 (/var/tmp//clamav-d8cafc6d942bbe89/main.db).
> > LibClamAV Error: cli_cvdload(): Can't unpack CVD file.
> > LibClamAV Error: Can't load /usr/local/share/clamav/main.cvd: CVD extraction failure
> > ERROR: CVD extraction failure
> > Mar 17 12:25:32 klaatu clamd[9258]: [ID 495146 local6.error] CVD extraction failure
>
> ...and start from a chapter on /tmp cleaning.

you've broken something in the distributed CVD's. i've seen other
reports of this problem today. my clamd was working just fine, and i've
plenty of disk space, swap space, and actual ram.

got any other brilliant suggestions, einstein?

Paul Theodoropoulos
http://www.anastrophe.com
http://www.smileglobal.com
Re: [Clamav-users] Latest virusdb update - mismatched signature count?
[EMAIL PROTECTED] wanted us to know:

>>>Yes, it will (already supported in CVS).

>this is ridiculous. my clamd system is now broken due to these changes that
>are being propagated. i'm running the current .83 release. you should at

>S60clamd start
>LibClamAV Error: Wrote 0 instead of 512 (/var/tmp//clamav-d8cafc6d942bbe89/main.db).
>LibClamAV Error: cli_cvdload(): Can't unpack CVD file.
>LibClamAV Error: Can't load /usr/local/share/clamav/main.cvd: CVD extraction failure
>ERROR: CVD extraction failure
>Mar 17 12:25:32 klaatu clamd[9258]: [ID 495146 local6.error] CVD extraction failure

I get no errors on my system running a duplicate configuration. Figure
out why clam cannot write to /var/tmp and you'll most likely solve your
problem. See if df -i and df -h return anything useful.

--
Regards... Todd
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. --Benjamin Franklin
Linux kernel 2.6.8.1-12mdkenterprise 1 user, load average: 0.24, 0.07, 0.02
Re: [Clamav-users] Latest virusdb update - mismatched signature count?
On Thu, 17 Mar 2005 21:40:43 +0100
Tomasz Kojm <[EMAIL PROTECTED]> wrote:

> On Thu, 17 Mar 2005 12:33:42 -0800
> [EMAIL PROTECTED] wrote:
>
> > >At 10:24 AM 3/17/2005, Tomasz Kojm wrote:
> > > >Yes, it will (already supported in CVS).
> >
> > this is ridiculous. my clamd system is now broken due to these
> > changes that are being propagated. i'm running the current .83
> > release. you should at least support your current RELEASE version
> > for all clients out there before propagating changes to the db that
> > are incompatible with it!!
>
> Buy a book on UNIX administering, kiddy.
>
> > LibClamAV Error: Wrote 0 instead of 512 (/var/tmp//clamav-d8cafc6d942bbe89/main.db).
> > LibClamAV Error: cli_cvdload(): Can't unpack CVD file.
> > LibClamAV Error: Can't load /usr/local/share/clamav/main.cvd: CVD extraction failure
> > ERROR: CVD extraction failure
> > Mar 17 12:25:32 klaatu clamd[9258]: [ID 495146 local6.error] CVD extraction failure
>
> ...and start from a chapter on /tmp cleaning.

and /var/tmp

--
oo.        Tomasz Kojm <[EMAIL PROTECTED]>
(\/)\.     http://www.ClamAV.net/gpg/tkojm.gpg
\..._      0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\     Thu Mar 17 21:42:30 CET 2005
Re: [Clamav-users] Latest virusdb update - mismatched signature count?
On Thu, 17 Mar 2005 12:33:42 -0800
[EMAIL PROTECTED] wrote:

> >At 10:24 AM 3/17/2005, Tomasz Kojm wrote:
> > >Yes, it will (already supported in CVS).
>
> this is ridiculous. my clamd system is now broken due to these changes
> that are being propagated. i'm running the current .83 release. you
> should at least support your current RELEASE version for all clients
> out there before propagating changes to the db that are incompatible
> with it!!

Buy a book on UNIX administering, kiddy.

> LibClamAV Error: Wrote 0 instead of 512 (/var/tmp//clamav-d8cafc6d942bbe89/main.db).
> LibClamAV Error: cli_cvdload(): Can't unpack CVD file.
> LibClamAV Error: Can't load /usr/local/share/clamav/main.cvd: CVD extraction failure
> ERROR: CVD extraction failure
> Mar 17 12:25:32 klaatu clamd[9258]: [ID 495146 local6.error] CVD extraction failure

...and start from a chapter on /tmp cleaning.

> Paul Theodoropoulos
> http://www.anastrophe.com
> http://www.smileglobal.com

--
oo.        Tomasz Kojm <[EMAIL PROTECTED]>
(\/)\.     http://www.ClamAV.net/gpg/tkojm.gpg
\..._      0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\     Thu Mar 17 21:35:48 CET 2005
Re: [Clamav-users] Latest virusdb update - mismatched signature count?
At 10:24 AM 3/17/2005, Tomasz Kojm wrote:
>Yes, it will (already supported in CVS).

this is ridiculous. my clamd system is now broken due to these changes
that are being propagated. i'm running the current .83 release. you
should at least support your current RELEASE version for all clients
out there before propagating changes to the db that are incompatible
with it!!

S60clamd start
LibClamAV Error: Wrote 0 instead of 512 (/var/tmp//clamav-d8cafc6d942bbe89/main.db).
LibClamAV Error: cli_cvdload(): Can't unpack CVD file.
LibClamAV Error: Can't load /usr/local/share/clamav/main.cvd: CVD extraction failure
ERROR: CVD extraction failure
Mar 17 12:25:32 klaatu clamd[9258]: [ID 495146 local6.error] CVD extraction failure

Paul Theodoropoulos
http://www.anastrophe.com
http://www.smileglobal.com
Re: [Clamav-users] Latest virusdb update - mismatched signature count?
On Thu, 17 Mar 2005 11:29:31 -0800 (PST)
"Dennis Peterson" <[EMAIL PROTECTED]> wrote:

> It appears that quite a lot is happening in the CVS now - is .84 near?
> I'm uncomfortable dropping CVS code into production as many are.

Yes, 0.84rc1 is relatively near.

--
oo.        Tomasz Kojm <[EMAIL PROTECTED]>
(\/)\.     http://www.ClamAV.net/gpg/tkojm.gpg
\..._      0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\     Thu Mar 17 20:41:44 CET 2005
Re: [Clamav-users] Latest virusdb update - mismatched signature count?
Tomasz Kojm said:
> On Thu, 17 Mar 2005 18:21:04 +
> Brian Morrison <[EMAIL PROTECTED]> wrote:
>
>> On Thu, 17 Mar 2005 19:15:44 +0100 in
>> [EMAIL PROTECTED] Tomasz Kojm <[EMAIL PROTECTED]>
>> wrote:
>>
>> > > So, why the difference between what freshclam thinks the number
>> > > of signatures is, and what clamd thinks?
>> >
>> > Your clamd doesn't support meta-data signatures.
>>
>> So that will be a feature of 0.84 then?
>
> Yes, it will (already supported in CVS).

It appears that quite a lot is happening in the CVS now - is .84 near?
I'm uncomfortable dropping CVS code into production as many are.

dp
Re: [Clamav-users] Latest virusdb update - mismatched signature count?
Tomasz Kojm wrote:

> Your clamd doesn't support meta-data signatures.

What is a meta-data signature ?

BTW, what's in the .zmd file ? Patterns for password-protected zip file
detection ?

Regards,

--
Guillaume Arcas
I personally knew a duck that had genius.
Alphonse Allais
Re: [Clamav-users] Latest virusdb update - mismatched signature count?
On Thu, 17 Mar 2005 19:15:44 +0100 in
[EMAIL PROTECTED] Tomasz Kojm <[EMAIL PROTECTED]> wrote:

> Your clamd doesn't support meta-data signatures.

Should the daily.cvd not be showing as f-level: 5 if a new format has
been added?

--
Brian Morrison
bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
Re: [Clamav-users] Latest virusdb update - mismatched signature count?
On Thu, 17 Mar 2005 18:21:04 +
Brian Morrison <[EMAIL PROTECTED]> wrote:

> On Thu, 17 Mar 2005 19:15:44 +0100 in
> [EMAIL PROTECTED] Tomasz Kojm <[EMAIL PROTECTED]>
> wrote:
>
> > > So, why the difference between what freshclam thinks the number
> > > of signatures is, and what clamd thinks?
> >
> > Your clamd doesn't support meta-data signatures.
>
> So that will be a feature of 0.84 then?

Yes, it will (already supported in CVS).

--
oo.        Tomasz Kojm <[EMAIL PROTECTED]>
(\/)\.     http://www.ClamAV.net/gpg/tkojm.gpg
\..._      0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\     Thu Mar 17 19:23:10 CET 2005
Re: [Clamav-users] Latest virusdb update - mismatched signature count?
On Thu, 17 Mar 2005 19:15:44 +0100 in
[EMAIL PROTECTED] Tomasz Kojm <[EMAIL PROTECTED]> wrote:

> > So, why the difference between what freshclam thinks the number of
> > signatures is, and what clamd thinks?
>
> Your clamd doesn't support meta-data signatures.

So that will be a feature of 0.84 then?

--
Brian Morrison
bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
Re: [Clamav-users] Latest virusdb update - mismatched signature count?
> Received signal 14, wake up
> ClamAV update process started at Thu Mar 17 17:44:40 2005
> main.cvd is up to date (version: 30, sigs: 31086, f-level: 4, builder: tkojm)
> daily.cvd updated (version: 767, sigs: 562, f-level: 4, builder: diego)
> Database updated (31648 signatures) from db.gb.clamav.net(IP:68.142.86.21)
> Clamd successfully notified about the update.
> --
> Reading databases from /var/lib/clamav
> Database correctly reloaded (31647 viruses)
>
> So, why the difference between what freshclam thinks the number of
> signatures is, and what clamd thinks?

One started counting at 0 and the other at 1 ??

Main.cvd  - 31086
Daily.cvd -   562
            -----
            31648 Total

Just a guess

> --
> Brian Morrison
> bdm at fenrir dot org dot uk
> GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html

--
Ken Jones
Re: [Clamav-users] Latest virusdb update - mismatched signature count?
On Thu, 17 Mar 2005 18:06:00 +
Brian Morrison <[EMAIL PROTECTED]> wrote:

> Received signal 14, wake up
> ClamAV update process started at Thu Mar 17 17:44:40 2005
> main.cvd is up to date (version: 30, sigs: 31086, f-level: 4, builder: tkojm)
> daily.cvd updated (version: 767, sigs: 562, f-level: 4, builder: diego)
> Database updated (31648 signatures) from db.gb.clamav.net(IP:68.142.86.21)
> Clamd successfully notified about the update.
> --
> Reading databases from /var/lib/clamav
> Database correctly reloaded (31647 viruses)
>
> So, why the difference between what freshclam thinks the number of
> signatures is, and what clamd thinks?

Your clamd doesn't support meta-data signatures.

--
oo.        Tomasz Kojm <[EMAIL PROTECTED]>
(\/)\.     http://www.ClamAV.net/gpg/tkojm.gpg
\..._      0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\     Thu Mar 17 19:15:18 CET 2005
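
The count comparison discussed in this thread, as an added example that is not part of any message above and is not ClamAV project code: a Python check that reads freshclam and clamd log lines and reports how many published signatures the running engine did not load, or that the reload failed outright. The function name `audit` and the second log sample are constructed for illustration; the first sample is the log quoted in the thread.

```python
import re

# Log lines quoted in the thread: freshclam's update, then clamd's reload.
THREAD_LOG = """\
main.cvd is up to date (version: 30, sigs: 31086, f-level: 4, builder: tkojm)
daily.cvd updated (version: 767, sigs: 562, f-level: 4, builder: diego)
Database updated (31648 signatures) from db.gb.clamav.net(IP:68.142.86.21)
Clamd successfully notified about the update.
Reading databases from /var/lib/clamav
Database correctly reloaded (31647 viruses)
"""

# Constructed sample: the same update followed by the load errors quoted in
# the thread's "CVD extraction failure" report instead of a reload line.
FAILED_LOG = """\
main.cvd is up to date (version: 30, sigs: 31086, f-level: 4, builder: tkojm)
daily.cvd updated (version: 767, sigs: 562, f-level: 4, builder: diego)
Database updated (31648 signatures) from db.gb.clamav.net(IP:68.142.86.21)
LibClamAV Error: cli_cvdload(): Can't unpack CVD file.
ERROR: CVD extraction failure
"""

DB_RE = re.compile(r"^(\S+\.cvd) .*\(version: (\d+), sigs: (\d+), "
                   r"f-level: (\d+), builder: (\w+)\)$")
PUBLISHED_RE = re.compile(r"^Database updated \((\d+) signatures\)")
LOADED_RE = re.compile(r"^Database correctly reloaded \((\d+) viruses\)")
ERROR_RE = re.compile(r"^(?:LibClamAV Error|ERROR):")


def audit(log_text):
    """Compare what freshclam downloaded with what clamd says it loaded."""
    dbs, published, loaded, errors = {}, None, None, []
    for line in log_text.splitlines():
        if m := DB_RE.match(line):
            dbs[m.group(1)] = {"version": int(m.group(2)),
                               "sigs": int(m.group(3)), "f_level": int(m.group(4))}
        elif m := PUBLISHED_RE.match(line):
            published = int(m.group(1))
        elif m := LOADED_RE.match(line):
            loaded = int(m.group(1))
        elif ERROR_RE.match(line):
            errors.append(line)
    header_sum = sum(db["sigs"] for db in dbs.values())
    if errors or loaded is None:
        status = "load-failed"    # the engine is not running the new database
    elif loaded < header_sum:
        status = "partial-load"   # some published signatures were not loaded
    else:
        status = "ok"
    return {"header_sum": header_sum, "published": published, "loaded": loaded,
            "not_loaded": None if loaded is None else header_sum - loaded,
            "status": status, "errors": errors}
```

On the thread's own log this reports one signature not loaded, which matches the explanation that the 0.83 engine skips meta-data signatures; the constructed failure sample is flagged as a failed load rather than a count mismatch.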