Re: [Declude.Virus] Error 40

2006-03-09 Thread Terry Fritts
 I am getting the following error, and trying to search through the list
 archives, I have come up with nothing.
 
 03/08/2006 16:58:11 Q617000CD007623DA Error 40 in virus scanner 1.

  I believe that Error 40 is the return code reported by the scanner
  which in your case is clamscan from the ClamWin port.

  I do not know about ClamWin but for ClamAV you can find the return
  codes in the /man/ folder - the file name will be something like
  clamscan.1 - if you view it in a text editor it is not formatted so
  you have to interpret the escape characters, line feeds and so on.

  Or: http://www.clamav.net/doc/latest/man/clamscan.1
  It appears that return code 40 is "Unknown option passed".

  Apple has one that is formatted:
  
http://developer.apple.com/documentation/Darwin/Reference/ManPages/man1/clamscan.1.html

  From what you posted it appears to me that you have -1 (- digit
  ONE) instead of -l (- letter L) but it is hard to really tell and
  what you posted may not be what you have in your config file. Or it
  might be something about the file paths.

  Or since you are using the ClamWin port there could be differences.
  You probably should search for ClamWin return codes and research it
  that way.

  It is much faster by the way to have the clamd service running and
  use clamdscan. I wrote a program
  http://www.smartbusiness.com/imail/declude/ to keep clamd running
  but you could probably use srvany or any similar thing.
  
  
---
Terry Fritts


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.


Re: [Declude.Virus] Second Scanner

2005-06-06 Thread Terry Fritts

 At one point on each
 machine started getting these errors in the Declude Virus file:
 
 06/04/2005 14:06:54 Qed820cb43917 ERROR: Virus scanner 2 didn't
 finish after 60 seconds; terminating.
 06/04/2005 14:06:54 Qed820cb43917 WARNING: Couldn't remove .vir
 directory o:\spool\Ded820cb43917.vir\: SHARING VIOLATION.
 06/04/2005 14:06:54 Qed820cb43917 Likely problem: An on-access
 scanner is interfering; disable or set not to scan subdirectories off
 of \IMail\spool.

we had this happen this morning.  I think it has to do with the number
of processes at one time.  I'm taking a look at it today.

---
Terry




Re: [Declude.Virus] Second Scanner

2005-06-06 Thread Terry Fritts
 I can't find anything in the event or application logs that looks bad
 around this time either.

  I can't either.

  I've switched my clamd.conf file settings to run on TCP/IP rather
  than local socket. In the clamd.log file there were accept() errors
  recorded when this occurs which is a socket command error.

  I don't know that running in TCP/IP will help but the conf file says
  it can help some stability issues on windows servers.

  I also see that once this starts the other scanners never get a
  return either - not sure why that would be.
  

---
Terry



Re: [Declude.Virus] Second Scanner

2005-06-06 Thread Terry Fritts

 I do have some weird log lines on one of the machines:

  Those look okay to me.

 There are 57 on one box and 80 on another. Every time I click on one of
 the files, I get a simple Access Denied error even though ALL clam
 processes are stopped and I'm running under a Domain Admin account.

  These exist because the scanner never completed and the files are
  owned by SYSTEM.  You'll have to select them - right click - and
  change the owner to your Admin account so you can then change the
  permissions to delete them.

  




Re: [Declude.Virus] Second Scanner

2005-06-06 Thread Terry Fritts

 it looks like the genesis of the problem is that clam started
 timing out.

  It may be but I haven't been able to force it to happen so far. For
  me this is the first instance of this in more than one year.

  I am suspicious that it could be a Windows socket issue which is why
  I've changed the clamd.conf settings.

  If you also want to try this find clamd.conf (usually in
  C:\clamav-devel\etc) and open in an editor. Change the following in
  clamd.conf:

Comment out with # the lines:
   LocalSocket /cygdrive/c/clamav-devel/clamd.sock
   FixStaleSocket yes
Uncomment the lines:
   TCPSocket 3310
   TCPAddr 127.0.0.1

  Restart clamd by Stopping Runclamd and then restarting.

  Since you've had more occurrences it may be a better test.

 As I mentioned, a completely separate process that copies my Sniffer
 .snf file onto the same drive failed with a could not copy file
 error

  That's very interesting although I'm uncertain what it may mean.




Re: [Declude.Virus] Second Scanner

2005-06-06 Thread Terry Fritts

 Forgive me if I'm naive, but what does a local virus scanner have to
 do with TCP/IP?

  I'll write how I understand it. In the case being discussed we have
  ClamD running as a service under Windows. When clamdscan is called
  to actually scan a file then that instance of clamdscan communicates
  with ClamD which is already resident. Because ClamD is running and
  listening then this makes the scanning process faster since some
  functions are already in memory awaiting service. But in order for
  this to occur ClamD has to be listening for a request from the
  calling program.

  Normally the service establishes a socket - meaning a hole punched
  through the OS - to allow such communication to occur. However, for
  ClamD in the configuration file there is an option to bind the
  service to a specific IP address and a specific port assignment. For
  greater security 127.0.0.1 is the default address. But the service
  could be bound to another IP address.

  I don't know why this might solve stability problems on some
  versions of windows but that's the message in the conf and something
  I was advised to try from my forum posting.

  Since the error I was seeing in the ClamD log file was an error with
  accept() it seemed reasonable to me to try it.



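The two posts above describe switching clamd from the cygwin LocalSocket to a TCP listener and note that 127.0.0.1 is the safe bind address. The following is an added example (not code from the list, from Terry's utilities, or from ClamAV) that parses the four directives mentioned in the thread and reports which listener mode a clamd.conf ends up in, warning when a TCP listener is bound to a non-loopback address or when the stock `Example` guard line is still active. The three sample configurations are constructed; the directive names are real clamd.conf keywords.

```python
import ipaddress

# Constructed sample: the "before" state from the thread, clamd on a local socket.
CONF_BEFORE = """\
LocalSocket /cygdrive/c/clamav-devel/clamd.sock
FixStaleSocket yes
#TCPSocket 3310
#TCPAddr 127.0.0.1
"""

# Constructed sample: the "after" state, clamd on TCP bound to loopback.
CONF_AFTER = """\
#LocalSocket /cygdrive/c/clamav-devel/clamd.sock
#FixStaleSocket yes
TCPSocket 3310
TCPAddr 127.0.0.1
"""

# Constructed sample of the mistake worth catching: TCP bound to every interface.
CONF_EXPOSED = """\
TCPSocket 3310
TCPAddr 0.0.0.0
"""


def parse_clamd_conf(text):
    """Return {directive: value} for the active lines of a clamd.conf.

    The format is one 'Directive value' per line; '#' begins a comment.
    A later duplicate overrides an earlier one, which is enough here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def check_clamd_conf(text):
    """Report the listener mode and warn when a TCP listener is not on loopback."""
    s = parse_clamd_conf(text)
    warnings = []
    if "Example" in s:
        # clamd refuses to start while the stock 'Example' guard line is active.
        warnings.append("the 'Example' line is still present; clamd will not start")
    has_local = "LocalSocket" in s
    has_tcp = "TCPSocket" in s
    mode = {(True, True): "both", (True, False): "local",
            (False, True): "tcp", (False, False): "none"}[(has_local, has_tcp)]
    if mode == "none":
        warnings.append("neither LocalSocket nor TCPSocket is set; clamdscan has nothing to connect to")
    if has_tcp:
        addr = s.get("TCPAddr", "")
        if not addr:
            warnings.append("TCPSocket is set without TCPAddr; clamd may accept connections on every interface")
        else:
            try:
                if not ipaddress.ip_address(addr).is_loopback:
                    warnings.append(f"TCPAddr {addr} is not loopback; port {s['TCPSocket']} is reachable from the network")
            except ValueError:
                warnings.append(f"TCPAddr {addr!r} is not a valid IP address")
    return {"mode": mode, "tcp_addr": s.get("TCPAddr"), "tcp_port": s.get("TCPSocket"),
            "warnings": warnings}


if __name__ == "__main__":
    for label, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER), ("exposed", CONF_EXPOSED)):
        print(label, check_clamd_conf(conf))
```

Run it against your own file with `check_clamd_conf(open(r"C:\clamav-devel\etc\clamd.conf").read())`; the only result that should come back clean is `mode == "tcp"` (or `"local"`) with an empty warning list.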


Re: [Declude.Virus] Second Scanner

2005-06-05 Thread Terry Fritts
 It took a reboot of both machines to fix the problem. On one I had 288
 processes running which fouls everything else up.   Clam is SCANNER2
 
 Any ideas?

  What did the runclamscan log report if anything?  What kind of times
  are you seeing in it for the actual scanning?

  The only time I've had anything similar happen had to do with
  ownership of the files and folders. It seems to me I may have had to
  change the ownership of the virus folder but I don't recall now.


---
Terry




Re: [Declude.Virus] Second Scanner

2005-06-05 Thread Terry Fritts

 I also use Terry's runclamscan with no issues.

  That's good to hear.

  Runclamscan is just a wrapper to return the correct virus name to
  Declude.  It would be better really if Declude would modify their
  code to accommodate ClamAV's reporting.  Then there would not be a
  need for the intermediate runclamscan wrapper.  And the fewer
  programs to call the better.

  So if anyone from Declude is listening I think that would be a nice
  feature for them to include in some future release.

 I have had rare email melt downs when I was running runclamd.

  The only real thing runclamd is supposed to do is to keep the
  clamdscan service running on windows without anyone logged on to the
  machine. There are other programs that do this just as well so don't
  hesitate to use them if you think runclamd might be causing
  problems.

  I have had 3 basic problems with ClamAV:

1) when the ClamAV program itself changes - or changes with cygwin
   stuff

2) there was an issue with one of the sosdg versions that reported
   an unexpected return code - but that's a while back

3) some issues with the installation that caused file ownership
   problems

  Otherwise we've enjoyed really good results with it. As has been
  mentioned it does a great job on the phishing exploits and it often
  picks up a few other things that FPROT misses. With clamdscan we get
  scanning speeds very similar to FPROT. (I know on this because on
  our XMAIL server we track the speeds for FPROT as we do ClamAV)
  
  Brian Burns of sosdg.org deserves a lot of credit for his work on
  ClamAV for windows.

  
---
Terry Fritts

  





Re: [Declude.Virus] Second Scanner

2005-06-03 Thread Terry Fritts

 How can I figure out if freshclam is grabbing the latest defs?

I set up a scheduled task update_clamav to run every 2 hours or so:

start in: c:\clamav-devel\bin\
run: freshclam.exe --quiet -l c:\clamav-devel\log\freshclam.log

Then I can check the freshclam.log file.

 I have runclamd running as a service under LocalSystem. Should I
 set the startup type to Automatic or leave it at Manual?

  Mine is set to automatic.

 If I leave it on Manual do I need to rerun runclamd -start after
 a reboot?

  Yes.

  The point of runclamd is to be able to use clamdscan (the daemon or
  service) rather than clamscan.  runclamd has a log too.





Re: [Declude.Virus] Second Scanner

2005-06-02 Thread Terry Fritts

 I was interested in what folks were using as a second scanner aside
 from F-Prot. ... I thought someone had posted some stats about this
 but can't find them. Any suggestions?

ClamAV -
http://www.sosdg.org/clamav-win32/index.php

Get my utilities: runclamd, runclamdscan
http://www.smartbusiness.com/imail/declude/

Set up a scheduled task to periodically run freshclam to keep the
database updated.

Works extremely well for us.

---
Terry Fritts




Re: [Declude.Virus] ClamAV scan time

2004-11-16 Thread Terry Fritts

 ClamAV when not run in daemon mode is very slow in comparison to other
 virus scanners.  If your server is getting pushed to its limits, the 
 first sign will likely be their vir directories piling up as a result of 
 ClamAV not finishing within the specified time configured in Declude Virus.
 
 I played around with daemon mode several months back, but there was an 
 issue with the service not shutting down when you told it to, so I 
 abandoned it for the time being.  Maybe some others have information 
 about how to do this properly now with newer builds.

  My log records the scan times.  I did check when I read this and
  there are a few excessively long scan times.

  I checked about 10,000 entries.  There were 360 scans that took
  longer than .5 sec.  There were 206 that took 1 sec or longer.

  Also, I record the total time, the time to check to see if the
  service is running, and then the actual scan time. In my worst case
  these numbers were recorded: 13.3490,11.947,1.402. But notice that
  the middle number is the time to check to see if the service is
  running. This indicates to me that the issue is not with ClamAV but
  with the server load at the time of the scan. I know the server is
  being hammered anyway.

  I did check to see if there were any correlation between the file
  size and the long elapsed times and I really could not find any.

  But then again we are not handling huge numbers of messages either.

  My programs are available for download at:
  http://www.smartbusiness.com/imail/declude/
  
  Terry Fritts
  

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

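The post above works out from its scan log that the long elapsed times come from the service check rather than from ClamAV itself. The following is an added example, not Terry's runclamscan or its log format, that does the same analysis over constructed log lines: it parses the three timings per message (total, service check, actual scan, in the order the post lists them), counts the scans over the 0.5 s and 1 s thresholds, and splits the slow ones into those where the non-scanning service check dominated (host load) and those where the scan itself did (scanner). The log layout in `SAMPLE_LOG` is an assumption; adjust `LINE_RE` to the real file.

```python
import re

# Constructed sample log. The layout (date, time, queue id, then
# total,check,scan in seconds) is an assumption; the 13.3490,11.947,1.402
# record reproduces the worst case quoted in the post.
SAMPLE_LOG = """\
06/04/2005 14:06:54 Q1 0.406,0.031,0.375
06/04/2005 14:06:55 Q2 0.250,0.016,0.234
06/04/2005 14:06:58 Q3 1.120,0.047,1.073
06/04/2005 14:07:02 Q4 13.3490,11.947,1.402
06/04/2005 14:07:03 Q5 0.625,0.031,0.594
06/04/2005 14:07:09 Q6 2.500,2.250,0.250
runclamscan started (not a timing record)
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<qid>\S+) (?P<total>\d+\.?\d*),(?P<check>\d+\.?\d*),(?P<scan>\d+\.?\d*)$"
)


def parse_timings(text):
    """Return (queue_id, total, check, scan) tuples, skipping non-matching lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m["qid"], float(m["total"]), float(m["check"]), float(m["scan"])))
    return records


def summarise(records, slow=0.5, very_slow=1.0):
    """Count slow scans and say where the time went.

    A slow record is 'host_bound' when the service check, which does no
    scanning at all, takes more than half of the total: that points at
    server load, not at ClamAV. Otherwise it is 'scanner_bound'.
    """
    host_bound, scanner_bound = [], []
    for qid, total, check, _scan in records:
        if total < very_slow:
            continue
        (host_bound if check > total / 2 else scanner_bound).append(qid)
    worst = max(records, key=lambda r: r[1]) if records else None
    return {
        "scans": len(records),
        "over_slow": sum(1 for r in records if r[1] > slow),
        "over_very_slow": sum(1 for r in records if r[1] >= very_slow),
        "host_bound": host_bound,
        "scanner_bound": scanner_bound,
        "worst": worst,
    }


if __name__ == "__main__":
    print(summarise(parse_timings(SAMPLE_LOG)))
```

A large `host_bound` list with a short `scanner_bound` list is the signature the post describes: the box is saturated and ClamAV is waiting its turn, so raising the Declude scanner timeout or reducing concurrent processes is the fix, not a different scanner.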


[Declude.Virus] ClamAV

2004-09-04 Thread Terry Fritts
ClamAV is no longer using the old style database as of Sep 1 2004.




Re[2]: [Declude.Virus] Blocking the files in MyDoom

2004-07-26 Thread Terry Fritts

 Also, I have temporarily blocked all zip files, as I am seeing quite a few
 that are not being caught by banned extension or F-Prot or AVG. I am
 investigating these.

  The ones I am seeing appear to be virus laden but would require the
  user to unzip them and to take additional action to activate.

  The unzipped file name is domain.com ... many spaces ... .scr
  Once I get it unzipped then FPROT and CLAMAV recognize it as a
  MyDoom variant.  McAfee did not trigger on it so not sure about it.

  Terry
  



Re[2]: [Declude.Virus] MacAfee Error

2004-06-18 Thread Terry Fritts

TS Has McAfee admit there was a problem yet?
TS Has anybody heard anything from them about this?

Article on web site:
http://www.nai.com/us/promos/4160_engine.htm

Note Scenario 2 where some users running 4320 also failed because
of scanpm.

I think SuperDat will not work if all you have purchased is
CmdLine scanner.

Terry Fritts






Re[3]: [Declude.Virus] Has McAfee fixed Virus Definition Corruptions Yet?

2004-06-17 Thread Terry Fritts

RLH I did not do this. As I said you need to replace the Scan.Exe as well.
RLH This is the file dailyscan.zip, not daily.zip... No problems at all
RLH here.

Don't know why it works for you and not me.

For me the 4.3.2.0 engine fails with 4367 dat. Engines 4.3.2.0 and
4.1.6.0 neither one fail with 4366 dat or the dat files from
dailyscan.zip.

But thanks for sharing that link last night.


Terry Fritts




Re: [Declude.Virus] [OT} Anti-Virus - Client Side Suggestion

2004-04-26 Thread Terry Fritts

 McAfee, Norton, or others?  Which do you think provides the quickest update

I used Norton for a long time on Windows 2k but when I moved to XP I
also upgraded to Norton 2004. It seemed much more complex to me with a
bunch more services (maybe my imagination). Regardless, I had constant
problems with it and no help from Symantec.  Main problem was that
after a reboot the AV could not start.  Usually a 2nd reboot would fix
but sometimes not.  Also, my XP machine would sometimes just reboot
itself for no apparent reason and I always felt it had something to
do with Norton.  Don't know that - could just be XP.

Finally removed it and switched to McAfee on one workstation. So far I
think I like it better and no problems on it starting and no reboots.
Only thing I do complain about it with McAfee is the download process
forces use of Internet Explorer and the scanning configuration program
needs more granularity.

On my XP notebook I'm using Kaspersky - it's kind of fun actually -
screams if it finds something - a little too aggressive on non-virus
vulnerabilities but probably something I can adjust out.

All seem to me about equally effective over time.  Also using Fprot
and ClamAV and have extremely good results with both.  Really with
cost consideration Fprot has to be one of my favorites.

Terry Fritts




[Declude.Virus] declude clamav utilities

2004-04-07 Thread Terry Fritts
I've written a couple of utilities for clamav that we thought we'd
share.

runclamd - an nt service that keeps the windows port of the clamd
   service running.  command line options for install, start, stop,
   remove.  Using clamd results in much better scanning time.

runclamscan - a wrapper program to be used with declude to call the
   win32 clamscan or clamdscan program for virus scanning.  If
   clamdscan is specified the program tests whether clamd is running
   and changes the call to clamscan if clamd is not running.  Log file
   is provided but otherwise this just allows declude to acquire the
   correct virus name.

These work for us and are made available with no warranties or
guarantees.  Use at your own risk and so on.

ZIP downloads available from
http://www.smartbusiness.com/imail/declude/




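The "Error 40" post earlier on this page and the runclamscan announcement above both turn on the same point: a wrapper between Declude and clamscan has to read the scanner's exit code and output, and an exit code that is neither 0 nor 1 is a scanner failure that must not be reported as a clean message. The following is an added example of such a wrapper, not Terry's runclamscan and not part of ClamAV; exit codes 0 and 1 are clamscan's clean/infected results, 40 is the code the thread identifies as "Unknown option passed", and every other code is treated as an error. The `FOUND` line format is clamscan's; the sample output is constructed.

```python
import re
import subprocess

# Exit codes: 0 and 1 are clamscan's documented clean/infected results;
# 40 is the 'Unknown option passed' code discussed in the thread. Anything
# else is treated as a scanner failure, never as a clean result.
KNOWN_EXIT = {0: "clean", 1: "infected", 40: "unknown option passed"}

# clamscan prints one "<path>: <signature> FOUND" line per infected file.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<name>\S+) FOUND$")


def interpret_clamscan(exit_code, stdout):
    """Turn a clamscan exit code and its output into a verdict.

    Returns {'verdict': 'clean'|'infected'|'error', 'names': [...], 'detail': str}.
    Only exit code 0 yields 'clean': an error must never look like a pass.
    """
    names = []
    for line in stdout.splitlines():
        m = FOUND_RE.match(line.rstrip())
        if m:
            names.append(m["name"])
    if exit_code == 0:
        return {"verdict": "clean", "names": [], "detail": "no virus found"}
    if exit_code == 1:
        # Fall back to a generic name if the output was truncated.
        return {"verdict": "infected", "names": names or ["Unknown"], "detail": "virus found"}
    detail = KNOWN_EXIT.get(exit_code, f"scanner returned exit code {exit_code}")
    return {"verdict": "error", "names": names, "detail": detail}


def run_clamscan(target, clamscan="clamscan", timeout=60):
    """Run clamscan on a file or directory and interpret the result.

    Hypothetical wrapper entry point: it needs clamscan on PATH and is not
    exercised by the constructed sample below.
    """
    try:
        proc = subprocess.run([clamscan, "--no-summary", "-r", target],
                              capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return {"verdict": "error", "names": [], "detail": f"scanner did not finish in {timeout}s"}
    except OSError as exc:
        return {"verdict": "error", "names": [], "detail": f"could not start scanner: {exc}"}
    return interpret_clamscan(proc.returncode, proc.stdout)


# Constructed sample output: one infected file plus a clean one.
SAMPLE_INFECTED = """\
C:\\spool\\D123.vir\\invoice.zip: Eicar-Test-Signature FOUND
C:\\spool\\D123.vir\\body.txt: OK

----------- SCAN SUMMARY -----------
Infected files: 1
"""


if __name__ == "__main__":
    print(interpret_clamscan(1, SAMPLE_INFECTED))
    print(interpret_clamscan(40, ""))
```

The `timeout` in `run_clamscan` mirrors the "didn't finish after 60 seconds; terminating" behaviour Declude itself shows elsewhere in this thread; whatever value you pick, the wrapper should report the timeout as an error rather than silently returning nothing.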


Re[2]: [Declude.Virus] clamav

2004-04-01 Thread Terry Fritts
 BTW, run clamd.exe and clamdscan.exe and notice a difference in
 speed

Charles,

Did you start clamd and then leave the server logged on?

Terry




Re: [Declude.Virus] Scanner Efficiency Olympics

2004-04-01 Thread Terry Fritts
 ClamAV...1.0 seconds...2.303%...100.000%

  Charles posted on this a while back.
  Run clamd and link to clamdscan.exe (rather than clamscan).

  Times and processor usage are much less.
  
  Just running clamscan mine ranged from about a low of .8 to a high
  of 3.6 sec. But after running clamd and using clamdscan they dropped
  to a low of .047 and a high of .406 so far.
  
  Only thing is I'm not sure how to keep clamd running without keeping
  the server logged on.

 F-Prot is amazing.

  This really is true. Here are just a few stats I pulled from my logs
  (not from Declude - from one of my programs for an xmail server
  where I actually do the timing myself inside my program) (and this
  is after clamd):

  Total  demime fprot  nai    clamav  sniffer
  =====  =====  =====  =====  ======  =======
  1.672  0.563  0.156  0.266  0.406   0.281
  1.047  0.141  0.234  0.281  0.110   0.266
  1.828  0.485  0.187  0.453  0.156   0.547
  2.015  0.203  0.609  0.594  0.328   0.281
  0.625  0.109  0.062  0.235  0.047
  0.625  0.079  0.062  0.188  0.125
  0.500  0.094  0.062  0.188  0.156

  Fprot actually does a decent job of demime by itself but it doesn't
  do everything so I began catching more when I added my own demime.
  NAI and clamav are both worthless without demime.

  When I have to write this stuff myself it makes me appreciate
  declude a lot!

  Terry Fritts
  



Re[2]: [Declude.Virus] clamav

2004-04-01 Thread Terry Fritts
 Terry, if you could explain the demime thing, that would be appreciated.

I'm sorry - I've been tied up all day working on name server issues.

The application I referenced earlier was an xmail mail server.
Declude is not available for it so I wrote my own program that is
called by xmail for messages.  My program does something similar to
what declude does but not nearly as well.

Giving a message to either NAI or ClamAV is inconsequential because
both of those programs will not dismantle the message into its mime
parts (demime).  As I said Fprot actually does a certain amount of
demime itself.  I don't know how declude accomplishes this but I know
declude does something to make NAI and others scan the pieces of the
message.

In my case I use an external program (munpack I think it is). My
program creates a temporary directory and then calls munpack with that
directory and message path. munpack then takes the message and splits
into the various mime segments. For instance there might be a text
segment, an html segment, and a zip file attachment. It is quite
common to have 4 or more files. Then my program next calls fprot, nai,
and clamav in turn for that directory. Each of those programs scan all
the files in the temp folder and create a report file. My program
extracts the virus name from the report files if an infection is
indicated, logs it, quarantines the message, and tells the mail server
to delete the message (if infected).

Finally my program does some spam checking including a call to the
sniffer engine.

I don't do a lot of stuff that declude does however.

As for the daemon issue I'm going to look at that and see if I can
figure some way to keep the thing loaded - just no time today.

Terry Fritts


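The post above describes the demime step (split the message into its MIME parts in a temporary directory before handing them to the scanners), and the MyDoom post earlier on this page describes the zip payload whose member name is "domain.com", a long run of spaces, then ".scr". The following is an added example, not Terry's xmail program, munpack or Declude, that does both with Python's standard library: it writes every leaf part to a temporary directory and, for any part that is a zip archive, lists members that carry an executable extension or use space padding to push the real extension out of view. The sample message is constructed; `inspect_message`, `demime` and `suspicious_members` are names chosen here.

```python
import email
import io
import os
import re
import shutil
import tempfile
import zipfile
from email.message import EmailMessage

EXECUTABLE_EXT = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs"}
# A run of spaces before the real extension, e.g. "domain.com      .scr".
PADDED_RE = re.compile(r"\S {5,}\.\w+$")


def build_sample_message():
    """Constructed sample: text + html parts and a zip with a padded .scr member."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("domain.com" + " " * 40 + ".scr", b"placeholder, not a real binary")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("plain text body")
    msg.add_alternative("<p>html body</p>", subtype="html")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


def demime(raw, outdir):
    """Write each leaf MIME part to outdir as its own file; return the paths."""
    msg = email.message_from_bytes(raw)
    paths = []
    for i, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        name = part.get_filename() or f"part.{part.get_content_subtype()}"
        # basename() keeps a crafted filename header from escaping outdir.
        path = os.path.join(outdir, f"{i:02d}_{os.path.basename(name)}")
        with open(path, "wb") as f:
            f.write(part.get_payload(decode=True) or b"")
        paths.append(path)
    return paths


def suspicious_members(zip_path):
    """Return (member, reasons) for archive members a scanner should not be trusted to catch."""
    flagged = []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = os.path.basename(info.filename)
            reasons = []
            if os.path.splitext(base)[1].lower() in EXECUTABLE_EXT:
                reasons.append("executable extension")
            if PADDED_RE.search(base):
                reasons.append("padding hides the extension")
            if reasons:
                flagged.append((info.filename, reasons))
    return flagged


def inspect_message(raw, keep_dir=False):
    """Demime a message, list its parts and flag risky archive members."""
    outdir = tempfile.mkdtemp(prefix="demime_")
    try:
        parts = demime(raw, outdir)
        flagged = []
        for p in parts:
            if zipfile.is_zipfile(p):
                flagged.extend(suspicious_members(p))
        return {"parts": [os.path.basename(p) for p in parts], "flagged": flagged,
                "dir": outdir if keep_dir else None}
    finally:
        if not keep_dir:
            shutil.rmtree(outdir, ignore_errors=True)


if __name__ == "__main__":
    print(inspect_message(build_sample_message()))
```

With `keep_dir=True` the parts stay on disk so the real scanners can be pointed at the directory, which is what the post's program does; the caller then owns the cleanup, and the "Couldn't remove .vir directory" errors earlier in this thread show why that cleanup step needs to be reliable.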


Re[6]: [Declude.Virus] clamav

2004-03-02 Thread Terry Fritts
 LibClamAV Error: cli_cvdload():  Can't create temporary directory
 /tmp/ccb31b8aace2b2fc
 ERROR: Unable to create temporary directory.

  Oh I'm sorry - I had this problem.
  Create a C:\tmp directory is easiest solution.

  




Re[2]: [Declude.Virus] Clam?

2004-03-02 Thread Terry Fritts

 After this there was another error, that I've solved after Terry's tip to
 create the c:\tmp folder.
 
 At the moment I've a problem with freshclam (MD5 error)
 So I downloaded all the updates manually from a mirror.
 
 I fear after the next available update I will have this error again. But at
 the moment it's running and now it's time to go to sleep.

  Yes, that's exactly the problem I'm having.  I don't understand what
  the program is doing.  Maybe best thing is to get the source and
  look at it.  Works great when it works.

  


