Re: [Clamav-users] Not Detecting Netsky.P (With Sample)
On Thu, 08 Jul 2004 at 23:59:14 -0600, Patrick Liechty wrote:
>
> I am using Qmail with Maildir format. Does -mbox work with Maildir mail
> boxes?
>

From the ChangeLog:

"Fri Aug 29 06:00:01 CEST 2003 - * libclamav: enabled support for Maildir files"

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
[EMAIL PROTECTED] http://www.lodz.tpsa.pl/iso/ | ones and zeros.
[EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner

---
This SF.Net email sponsored by Black Hat Briefings & Training. Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

Re: [Clamav-users] Not Detecting Netsky.P (With Sample)
> > clamscan --mbox [file]
> >
> > Matt
>
> I am using Qmail with Maildir format. Does -mbox work with Maildir mail
> boxes?
>
> Patrick Liechty

Maildir or mbox is irrelevant. An email is an email whichever type of mailbox system you use. The main difference being Maildir stores each email as a separate entity, whereas mbox just appends the email to the file.

Matt

Re: [Clamav-users] Not Detecting Netsky.P (With Sample)
- Original Message -
From: "Matt" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 08, 2004 1:08 PM
Subject: Re: [Clamav-users] Not Detecting Netsky.P (With Sample)

> clamscan --mbox [file]
>
> Matt

I am using Qmail with Maildir format. Does -mbox work with Maildir mail boxes?

Patrick Liechty

Re: [Clamav-users] Not Detecting Netsky.P (With Sample)
clamscan --mbox [file]

Matt

Re: [Clamav-users] Not Detecting Netsky.P (With Sample)
On Thursday 08 July 2004 5:15 pm, [EMAIL PROTECTED] wrote:

> I just installed clamav for the first time today, so please bear with me.
>
> Although clamscan finds a lot of HTML naztyness, the Virus #1, I'm
> receiving Netsky.P totally gets away.

Does your ClamAV installation detect Eicar (or any virus)?

http://www.eicar.org/anti_virus_test_file.htm

> I don't know if it's normal but freshclam is only downloading 2 files
> main.cvd (version 24), and daily.cvd (version 399)
> There are no viruses.db or viruses.db2 files..

Yes, that's normal. The .cvd files are the new database style, the .db? files are the old style. You should use only one (preferably the new one) on any given system.

> --- SCAN SUMMARY ---
> Known viruses: 45142

That indicates a problem - you have two copies of the signature database/s, because this is approximately twice the number of current signatures known to ClamAV (22551).

Either you have both the old and the new databases (in which case delete the old .db and .db2 files) or you have the database installed in two places (in which case delete them both and then re-run freshclam).

Check that ClamAV successfully detects the Eicar test virus, and then let us know how you are passing emails to ClamAV for scanning (eg amavis, milter, mailscanner, etc...)

Regards,

Antony.

--
I own three Windows books, published by O'Reilly. They are "Windows Annoyances", "Office 97 Annoyances" and "Windows 98 Annoyances". That pretty much sums it up for me.

Please reply to the list; please don't CC me.

Re: [Clamav-users] Not Detecting Netsky.P (With Sample)
On Thu, 8 Jul 2004 18:15:05 +0200 <[EMAIL PROTECTED]> wrote:

> I just installed clamav for the first time today, so please bear with
> me.
>
> Although clamscan finds a lot of HTML naztyness, the Virus #1, I'm
> receiving Netsky.P totally gets away.

[EMAIL PROTECTED]:/tmp$ clamscan -m Viri
Viri: Worm.SomeFool.P FOUND

--- SCAN SUMMARY ---
Known viruses: 22571
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.03 MB
I/O buffer size: 131072 bytes
Time: 1.659 sec (0 m 1 s)

> --- SCAN SUMMARY ---
> Known viruses: 45142

I don't even have as many signatures as you. Next time please RTM before bothering the mailing list.

--
Tomasz Kojm <[EMAIL PROTECTED]>
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Thu Jul 8 19:34:26 CEST 2004

Re: [Clamav-users] Not Detecting Netsky.P (With Sample)
Quoting [EMAIL PROTECTED]:

> I just installed clamav for the first time today, so please bear with me.
>
> Although clamscan finds a lot of HTML naztyness, the Virus #1, I'm
> receiving Netsky.P totally gets away.
>
> I don't know if it's normal but freshclam is only downloading 2 files
> main.cvd (version 24), and daily.cvd (version 399)
> There are no viruses.db or viruses.db2 files..

The .cvd files are the only ones that should be downloaded. This is working correctly.

> I have put a sample of the Netsky.P virus at http://www.biodef.org/Viri if
> someone wants to see if their version catches it

ACK! BAD! Don't do this please. There are enough viruses floating around, we really don't need more adding to this.

If you are using clamscan, try using the --mbox option.

Jim

Re: [Clamav-users] Not Detecting Netsky.P (With Sample)
[EMAIL PROTECTED] wrote:

> I just installed clamav for the first time today, so please bear with me.
>
> Although clamscan finds a lot of HTML naztyness, the Virus #1, I'm
> receiving Netsky.P totally gets away.
>
> I don't know if it's normal but freshclam is only downloading 2 files
> main.cvd (version 24), and daily.cvd (version 399)
> There are no viruses.db or viruses.db2 files..
>
> I have put a sample of the Netsky.P virus at http://www.biodef.org/Viri if
> someone wants to see if their version catches it

Hi,

It gets detected here just fine, note that I do have ScanMail enabled in clamav.conf

clamscan --mbox testvirus
testvirus: Worm.SomeFool.P FOUND

--- SCAN SUMMARY ---
Known viruses: 22571
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.03 MB
I/O buffer size: 131072 bytes
Time: 0.547 sec (0 m 0 s)

bash-2.05b# clamdscan testvirus
/root/testvirus: Worm.SomeFool.P FOUND

--- SCAN SUMMARY ---
Infected files: 1
Time: 0.014 sec (0 m 0 s)

Regards,
Rick

Re: [Clamav-users] Not Detecting Netsky.P (With Sample)
[EMAIL PROTECTED] wanted us to know:

>I just installed clamav for the first time today, so please bear with me.
>Although clamscan finds a lot of HTML naztyness, the Virus #1, I'm receiving
>Netsky.P totally gets away.

Clam named the virus SomeFool before the mainstream media latched onto the name Netsky. The Clam group does not change a name once it has settled on it.

>I don't know if it's normal but freshclam is only downloading 2 files
>main.cvd (version 24), and daily.cvd (version 399)
>There are no viruses.db or viruses.db2 files..

That's normal. The viruses.db and viruses.db2 files are from older versions of clamav.

>I have put a sample of the Netsky.P virus at http://www.biodef.org/Viri if
>someone wants to see if their version catches it

Take it down, it's already detected and has been for a long time.

>* Scanning this file with clamscan results in the following
>report.
>Viri: OK
>--- SCAN SUMMARY ---
>Known viruses: 45142
>Scanned directories: 0
>Scanned files: 1
>Infected files: 0
>Data scanned: 0.04 MB
>I/O buffer size: 131072 bytes
>Time: 0.746 sec (0 m 0 s)

Is the message a mail message? If so, you need to use --mbox on the commandline so that it knows to extract it out of an email format.

Also make sure that your clamscan and clamd are using the same virus databases as the ones that are being downloaded (ie your freshclam is downloading to /var/lib/clamav and your binaries are trying to use /usr/local/clamav/ or something like that). This is a FAQ and is online somewhere, I just can't remember where.

--
Regards... Todd
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. --Benjamin Franklin
Linux kernel 2.6.3-8mdkenterprise 2 users, load average: 0.02, 0.13, 0.12
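
The two database conditions raised in this thread (old .db/.db2 files sitting beside the .cvd files, and signature databases present in more than one directory) can be checked with a short script. This is an added example, not part of any message in the thread; the function names are hypothetical and the directories to inspect are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the thread): audit ClamAV database directories.
# Only file patterns named in the thread are used: *.cvd (new style) and
# *.db / *.db2 (old style). Function names are hypothetical.

# Print new, old, mixed or none for the directory given as $1.
db_style() {
    new=0; old=0
    for f in "$1"/*.cvd; do
        if [ -f "$f" ]; then new=1; fi
    done
    for f in "$1"/*.db "$1"/*.db2; do
        if [ -f "$f" ]; then old=1; fi
    done
    case "$new$old" in
        11) echo mixed ;;
        10) echo new ;;
        01) echo old ;;
        *)  echo none ;;
    esac
}

# Report both conditions over every directory passed as an argument.
audit_clamav_dbs() {
    problems=0; populated=0
    for dir in "$@"; do
        style=$(db_style "$dir")
        if [ "$style" = none ]; then continue; fi
        populated=$((populated + 1))
        echo "$dir: $style-style database files"
        if [ "$style" = mixed ]; then
            echo "MIXED: $dir holds .cvd files and old .db/.db2 files"
            problems=$((problems + 1))
        fi
    done
    if [ "$populated" -gt 1 ]; then
        echo "DUPLICATE: $populated directories hold signature databases"
        problems=$((problems + 1))
    fi
    echo "problems=$problems"
}

# Usage: sh audit.sh /var/lib/clamav /usr/local/clamav
if [ "$#" -gt 0 ]; then
    audit_clamav_dbs "$@"
fi
```

A result of `problems=0` with exactly one populated directory matches the healthy setups shown in the replies above, where "Known viruses" reads 22571 rather than roughly double that.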