Re: [Clamav-users] CG Pro and ClamAV finds virus but can't find it when scanning with clamscan manually

2004-02-04 Thread Fajar A. Nugraha
Kristof Hardy wrote: Hi, Just wondering (i'm trying to understand), my CG Pro and ClamAV find the virus in the message correctly. The msg is discarded and put in Quarantine. Ok, so I tried a manual scan afterwards on this .msg file with clamscan (example below) but it can't find a virus. Is there

Re: [Clamav-users] CVD (virus database) format & fields

2004-02-04 Thread Fajar A. Nugraha
My question is toward the following: there was a recent discussion in the MailScanner mailing list because Julian Field (the developer) is not only deprecating, but also eliminating, the possibility of 'bouncing' a mail containing a virus back to its (apparent) originator. What I do is : -

Re: [Clamav-users] [Debug info] sig 11 crashes with clamav-milter on FreeBSD

2004-02-04 Thread Ryan
Hi again, Please see my original post for background information: http://www.mail-archive.com/[EMAIL PROTECTED]/msg04704.html No replies yet, and I finally got a chance to catch this thing in the act. Here's what I observed when I let gdb attach to one of the clamav-milter children: ttyp1 [

RE: [Clamav-users] clamav-milter compilation problems again

2004-02-04 Thread Stevens, John
Ah lawyers.. You wouldn't believe how often that one is pointed out. On Wed, 2004-02-04 at 23:29, Stevens, John wrote: > and sorry for this stupid disclaimer. > We also have a stupid disclaimer, but one question about yours - can you have "omissions that are present"? --- This message

[Clamav-users] CVD (virus database) format & fields

2004-02-04 Thread Mariano Absatz
Hi, I browsed the documentation but couldn't find much info about the format of the virus database (CVD), not counting the info on how to use it & append to it. My question is toward the following: there was a recent discussion in the MailScanner mailing list because Julian Field (the develop

[Clamav-users] Re: clamd: cant save pid in file & socket file is in use by another process

2004-02-04 Thread mario kammerer
On Thu, 5 Feb 2004 00:11:23 +0100, Tomasz Kojm <[EMAIL PROTECTED]> wrote: On Wed, 04 Feb 2004 23:40:35 +0100 "mario kammerer" <[EMAIL PROTECTED]> wrote: 1)ERROR: Socket file /tmp/clamd exists. Either remove it, or configure a different one. Enable FixStaleSocket in clamav.conf. i alrea

RE: [Clamav-users] clamav-milter compilation problems again

2004-02-04 Thread Kevin Spicer
On Wed, 2004-02-04 at 23:29, Stevens, John wrote: > and sorry for this stupid disclaimer. > We also have a stupid disclaimer, but one question about yours - can you have "omissions that are present"? I did think about making it a very small font, or white text on a white background - but then yo

[Clamav-users] Sco.a again

2004-02-04 Thread Kevin Spicer
This is another post about the problems that some people have been having with sco.a seemingly making it past clam due to doggy mime structure in bounce messages. I noticed that Symantec on our exchange servers (which are behind a mailscanner box running clam and sophos) is picking up a few Sco's

RE: [Clamav-users] clamav-milter compilation problems again

2004-02-04 Thread Stevens, John
Hi Nigel, Yes the disclaimer is crap. I have been arguing against it to the MD for a year to no avail. We have even sometimes put really weird stuff in it just to find out if people read it, and it has never given a response. I'd tell the MD, but he would get pissed off at me and sick the law

Re: [Clamav-users] Re: Clamd dies on damaged zip archives

2004-02-04 Thread Tomasz Kojm
On Wed, 4 Feb 2004 14:34:36 -0700 [EMAIL PROTECTED] wrote: > Is there a way to tell daemon not to use internal zip and rar > archiver, but external, like I can do with clamscan: --mbox > --disable-archive --unzip -- unrar --unace --arj --zoo --lha --jar > --tar --deb --tgz ? No, it can't use ex

Re: [Clamav-users] clamd: cant save pid in file & socket file is in use by another process

2004-02-04 Thread Tomasz Kojm
On Wed, 04 Feb 2004 23:40:35 +0100 "mario kammerer" <[EMAIL PROTECTED]> wrote: > 1)ERROR: Socket file /tmp/clamd exists. Either remove it, or configure > a different one. Enable FixStaleSocket in clamav.conf. > 2)ERROR: Can't save PID in file /var/run/clamd.pid That must be a permission proble

[Clamav-users] clamd: bind() error: address already in use

2004-02-04 Thread mario kammerer
hi! i tried - look other thread of me - to bind the clamd to tcp instead of socket. the result is: error: address already in use. pfaaa? what happens here? ;) thanx for info what to do to solve the problem - i really need the package! mario -- Erstellt mit M2, Operas revolutionärem E-Mail-M

[Clamav-users] clamd: cant save pid in file & socket file is in use by another process

2004-02-04 Thread mario kammerer
hello! i got 2 errors with clamav 0.65 and the latest snapshot (i tried today). # clamd --version clamd / ClamAV version devel-20040204 1)ERROR: Socket file /tmp/clamd exists. Either remove it, or configure a different one. 2)ERROR: Can't save PID in file /var/run/clamd.pid mario -- Ers

[Clamav-users] Re: Clamd dies on damaged zip archives

2004-02-04 Thread dimon
Quoting Tomasz Kojm <[EMAIL PROTECTED]>: > On Wed, 28 Jan 2004 09:35:45 -0700 > [EMAIL PROTECTED] wrote: > > > > > Hi, > > > > I finally have got a sample of damages zip archive that causes clamd > > to die with this error: > > Tue Jan 27 09:58:59 2004 -> /var/spool/MIMEDefang/mdefang- > > i0RGww

Re: [Clamav-users] TcpSocket and --quarantine-dir option

2004-02-04 Thread Michael Dankov
On Tue, 3 Feb 2004, Krištof Petr wrote: KP>I decided to switch from LocalSocket to TcpSocket on clamd server KP>for windows users can start testing windows client from their Win KP>workstations. KP> KP>But this option is exclusive with --quarantine-dir on clamav-milter. KP> KP>Is there so

Re: [Clamav-users] False alarms ?

2004-02-04 Thread Przemyslaw Holowczyc
On Wednesday 04 of February 2004 21:05, Tomasz Papszun wrote: > The "normal" way of reporting viruses not yet detected by ClamAV or > false positives, is: > > 1. Scan samples at "clamav online specimen scanner" >< http://www.gietl.com/test-clamav/ > and if this doesn't detect a >virus go t

[Clamav-users] CG Pro and ClamAV finds virus but can't find it when scanning with clamscan manually

2004-02-04 Thread Kristof Hardy
Hi, Just wondering (i'm trying to understand), my CG Pro and ClamAV find the virus in the message correctly. The msg is discarded and put in Quarantine. Ok, so I tried a manual scan afterwards on this .msg file with clamscan (example below) but it can't find a virus. Is there a reasonable explanat

Re: [Clamav-users] Wait for next stable version or use CVS

2004-02-04 Thread Matthew Trent
On Wednesday 04 February 2004 12:14 pm, Ola Thoresen wrote: > I have now tested the latest tar.gz from > http://www.clamav.net/snapshot/clamav-devel-20040204.tar.gz and can > verify that the problem with memory allocations on special binhex-files > has been fixed. > I have about 10

[Clamav-users] Re: ClamAV process seems to be taking forever

2004-02-04 Thread Chris Barnes
Nigel Horne <[EMAIL PROTECTED]> wrote: > What version of clamav-milter? (clamav-milter --version will tell you) ClamAV version 0.65, clamav-milter version 0.60p > Have you checked to see if you have another clamav.conf on your > system, say /usr/local/etc/clamav.conf? Nothing there. Przemysla

Re: [Clamav-users] ClamAV process seems to be taking forever

2004-02-04 Thread Ing. Germán González B.
On Wed, 4 Feb 2004, Przemyslaw Holowczyc wrote: > On Wednesday 04 of February 2004 19:37, Chris Barnes wrote: > > Interesting problem going on here. Using clamav-milter w/ sendmail on > > RH9. Sending email seems to take a VERY LONG TIME. > > > > The /var/log/maillog shows: > > Feb 4 10:37:57

Re: [Clamav-users] False alarms ?

2004-02-04 Thread Tomasz Papszun
On Wed, 04 Feb 2004 at 19:12:27 +0100, Przemyslaw Holowczyc wrote: > > Today morning, I installed the Windows XP on some machine. After that, I > downloaded a latest virus databases and I checked the C:\WINDOWS directory > with a clamscan.exe (windows port). Results are below. > > windows XP >

Re: [Clamav-users] Wait for next stable version or use CVS

2004-02-04 Thread Ola Thoresen
ur hard work. > I have now tested the latest tar.gz from http://www.clamav.net/snapshot/clamav-devel-20040204.tar.gz and can verify that the problem with memory allocations on special binhex-files has been fixed. I have about 10 different files that triggered the bug, and all of them are no

Re: [Clamav-users] Problems after freshclam

2004-02-04 Thread Tomasz Kojm
On Wed, 4 Feb 2004 16:02:19 -0300 (ART) Claudio Alonso <[EMAIL PROTECTED]> wrote: > Any idea on why does it happen and how to solve it? > Thanks in advance, Dazuko support is broken. A fix will be available on days. Best regards, Tomasz Kojm -- oo. [EMAIL PROTECTED]

Re: [Clamav-users] ClamAV process seems to be taking forever

2004-02-04 Thread Przemyslaw Holowczyc
On Wednesday 04 of February 2004 19:37, Chris Barnes wrote: > Interesting problem going on here. Using clamav-milter w/ sendmail on > RH9. Sending email seems to take a VERY LONG TIME. > > The /var/log/maillog shows: > Feb 4 10:37:57 titan clamav-milter[27829]: hit max-children limit (7 >= > 2):

Re: [Clamav-users] ClamAV process seems to be taking forever

2004-02-04 Thread Nigel Horne
On Wednesday 04 Feb 2004 6:37 pm, Chris Barnes wrote: > Interesting problem going on here. Using clamav-milter w/ sendmail on > RH9. Sending email seems to take a VERY LONG TIME. What version of clamav-milter? (clamav-milter --version will tell you) > The /var/log/maillog shows: > Feb 4 10:37:

[Clamav-users] Problems after freshclam

2004-02-04 Thread Claudio Alonso
Hi, I'm using clamav-0.65-4 (rpm version) on a RH9.0 and dazuko-1.2.3 (Clamuko is configured to scan on open, close and exec for paths /home and /tmp. Everything works great until I execute freshclam. Freshclam updates the virus definition files and on next SelfCheck, clamd detects the database m

RE: [Clamav-users] LibClam error while scanning

2004-02-04 Thread Jim Maul
> On Wednesday 04 Feb 2004 5:52 pm, Jim Maul wrote: > > When trying to scan some messages in my quarantine directory, i > am getting > > the following output: > > > > LibClamAV Warning: Ignoring empty field in " charset=" > > > Anyone have any ideas what might be causing this? > > Virus writers don

[Clamav-users] ClamAV process seems to be taking forever

2004-02-04 Thread Chris Barnes
Interesting problem going on here. Using clamav-milter w/ sendmail on RH9. Sending email seems to take a VERY LONG TIME. The /var/log/maillog shows: Feb 4 10:37:57 titan clamav-milter[27829]: hit max-children limit (7 >= 2): waiting for some to exit Even though the /etc/clamav.conf file has:

Re: [Clamav-users] LibClam error while scanning

2004-02-04 Thread Nigel Horne
On Wednesday 04 Feb 2004 5:52 pm, Jim Maul wrote: > When trying to scan some messages in my quarantine directory, i am getting > the following output: > > LibClamAV Warning: Ignoring empty field in " charset=" > Anyone have any ideas what might be causing this? Virus writers don't honour RFCs (wh

[Clamav-users] False alarms ?

2004-02-04 Thread Przemyslaw Holowczyc
Hi :> Today morning, I installed the Windows XP on some machine. After that, I downloaded a latest virus databases and I checked the C:\WINDOWS directory with a clamscan.exe (windows port). Results are below. windows XP C:\WINDOWS/system32/dllcache/rpcrt4.dll: Exploit.DCOM.Gen FOUND C:\WINDOWS

[Clamav-users] LibClam error while scanning

2004-02-04 Thread Jim Maul
When trying to scan some messages in my quarantine directory, i am getting the following output: LibClamAV Warning: Ignoring empty field in " charset=" This happens with about 5 out of 800 messages. Anyone have any ideas what might be causing this? Thanks. Jim Maul Eastern Long Island Hospital

Re: [Clamav-users] Contents of DBDIR

2004-02-04 Thread Justin
On Wed, 4 Feb 2004, Tomasz Kojm wrote: > It seems you have changed the name of the main virus database with > --with-dbname.. I removed both --with-db* configure options and recompiled (something I remember now was that it wouldn't compile without them back when I first got started with clam).

Re: [Clamav-users] Contents of DBDIR

2004-02-04 Thread Justin
On Wed, 4 Feb 2004, Tomasz Kojm wrote: > > >Downloading main.cvd [*] > > >viruses.db updated (version: 19, sigs: 19987, f-level: 1, builder: >^^ > > What's that ? > > It seems you have changed the name of the main virus database with > --with-dbname.. Howdy, Tomasz. Thanks for the

Re: [Clamav-users] Contents of DBDIR {Scanned}

2004-02-04 Thread Justin
On Wed, 4 Feb 2004, Jo Mills wrote: > Justin, > >Just a thought - what was the return code from freshclam? Was it > "1" by any chance? I would be interested to know. Thanks for the reply, Jo. It looks like it's exiting with a 1. Justin --

Re: [Clamav-users] Contents of DBDIR

2004-02-04 Thread Justin
Thanks for the reply. On Wed, 4 Feb 2004, Fajar A. Nugraha wrote: > AFAIK, for every new install clamav always zeroes out main.cvd and > daily.cvd. The real mystery is why you have non-zero daily.cvd but zero > main.cvd I didn't know this. Interesting... > >Everything seems to be running smo

RE: [Clamav-users] Decompression Bombs

2004-02-04 Thread Tom Walsh
http://sourceforge.net/mailarchive/forum.php?thread_id=3839743&forum_id=34617 Eric, thanks for that... I must have missed that email this morning since the topic didn't quite trigger anything in my brain... More along the lines of I thought it was a bug report... Ie: "bzip bombs" as in blows up

Re: [Clamav-users] Decompression Bombs

2004-02-04 Thread Erik Corry
On Wed, Feb 04, 2004 at 09:35:07AM -0600, Tom Walsh wrote: > I saw an article on bigtraq today that discussed an interesting vectored > attack against anti-virus software and was curious if any type of checks > were in place for clamav. http://sourceforge.net/mailarchive/forum.php?thread_id=383974

Re: [Clamav-users] Decompression Bombs

2004-02-04 Thread Tomasz Papszun
On Wed, 04 Feb 2004 at 9:35:07 -0600, Tom Walsh wrote: > I saw an article on bigtraq today that discussed an interesting vectored > attack against anti-virus software and was curious if any type of checks > were in place for clamav. > > Basically a decompression bomb is a zero padded file of extr

RE: [Clamav-users] MyDoom???

2004-02-04 Thread Jim Maul
did you try running clamscan with the --mbox option? > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Dinko > Ivanov > Sent: Wednesday, February 04, 2004 7:57 AM > To: [EMAIL PROTECTED] > Subject: [Clamav-users] MyDoom??? > > > Well, but i can not dete

[Clamav-users] Decompression Bombs

2004-02-04 Thread Tom Walsh
I saw an article on bigtraq today that discussed an interesting vectored attack against anti-virus software and was curious if any type of checks were in place for clamav. Basically a decompression bomb is a zero padded file of extreme size (100GB) that is compressed using bzip, gzip, zip, etc...

[Clamav-users] Is there a listing of all viruses that ClamAV knows about?

2004-02-04 Thread David Gregg
I'd like to obtain one in order to identify which viruses should generate recipient warnings (i.e. we have quarantined a message containing a virus). The goal is to not notify user about the typical worms like Klez, MiDoom, etc... where there would nothing of value in the message anyway. Thanks,

Re: [Clamav-users] SCO.a not found in multiply-attached message

2004-02-04 Thread James F. Hranicky
On Wed, 4 Feb 2004 14:16:07 + Nigel Horne <[EMAIL PROTECTED]> wrote: > On Wednesday 04 Feb 2004 1:26 pm, James F. Hranicky wrote: > > > The files can be found here > > > > http://www.cise.ufl.edu/~jfh/sco-examples > > But they can't be accessed: Sorry, fixed. > As usual, the best metho

Re: [Clamav-users] SCO.a not found in multiply-attached message

2004-02-04 Thread Nigel Horne
On Wednesday 04 Feb 2004 1:26 pm, James F. Hranicky wrote: > The files can be found here > > http://www.cise.ufl.edu/~jfh/sco-examples But they can't be accessed: www.cise.ufl.edu/~jfh/sco-examples/vir1 Either you are not authorized to access the requested page on the CISE Web Server, or

[Clamav-users] SCO.a not found in multiply-attached message

2004-02-04 Thread James F. Hranicky
ClamAV version : clamscan / ClamAV version devel-20040203 OS : FreeBSD 4.9-STABLE #35: Wed Jan 28 It seems clamscan is having trouble finding SCO.a in a multiply-attached file. I have the following files: vir1: multiply-attached message with SCO.a

Re: [Clamav-users] MyDoom???

2004-02-04 Thread Tomasz Kojm
On Wed, 04 Feb 2004 12:56:30 +0200 Dinko Ivanov <[EMAIL PROTECTED]> wrote: > When clamav will detect MyDoom? > I hope soon?! No comment. Best regards, Tomasz Kojm -- oo. [EMAIL PROTECTED] www.ClamAV.net (\/)\. http://www.clamav.net/gpg/tkojm.gpg

[Clamav-users] MyDoom???

2004-02-04 Thread Dinko Ivanov
Well, but i can not detect it with clamscan! Why? This my report: Known viruses: 20612 Scanned directories: 1 Scanned files: 63 Infected files: 0 Data scanned: 90.24 MB This returned from freshclam: ]# freshclam ClamAV update process started at Wed Feb 4 15:07:55 2004 Reading CVD header (main.cvd

Re: [Clamav-users] Contents of DBDIR

2004-02-04 Thread Tomasz Kojm
On Wed, 04 Feb 2004 13:54:32 +0700 "Fajar A. Nugraha" <[EMAIL PROTECTED]> wrote: > I think it's the b8946eefa674d8c5. The download wasn't completed > because of (perhaps) network error. > > >[EMAIL PROTECTED] /usr/local/share/clamav]#> freshclam > >ClamAV update process started at Wed Feb 4 00

ClamAV Binaries (WAS Re: [Clamav-users] RE: Build on Solaris problem)

2004-02-04 Thread Fajar A. Nugraha
Alex S Moore wrote: I plan to talk with our head guy at blastwave.org and hopefully will provide packages for Solaris 8 and 9 for SPARC and x86 soon. Clamav is a great product and I want to do whatever I can to help it grow in popularity. Wonder why nobody provides official Solaris binaries ye

RE: [Clamav-users] MyDoom???

2004-02-04 Thread Diego d'Ambra
> -Original Message- > From: [EMAIL PROTECTED] [mailto:clamav-users- > [EMAIL PROTECTED] On Behalf Of Dinko Ivanov > Sent: 4. februar 2004 11:57 > To: [EMAIL PROTECTED] > Subject: [Clamav-users] MyDoom??? > > When clamav will detect MyDoom? > I hope soon?! > ClamAV was updated 21:23 (+0

Re: [Clamav-users] MyDoom???

2004-02-04 Thread Stefan Hornburg
On Wed, 04 Feb 2004 12:33:57 +0100 Thomas Lamy <[EMAIL PROTECTED]> wrote: > Dinko Ivanov wrote: > > When clamav will detect MyDoom? > > I hope soon?! > > > It already does (and, in fact, most commercial vendors published their > definitions _after_ the clamav team). > It's called Worm.SCO.* in

RE: [Clamav-users] MyDoom???

2004-02-04 Thread Randal, Phil
I think you'll find it was one of the first to detect it. ClamAV calls it Worm.SCO.A, and it has caught hundreds of the critters here. Cheers, Phil - Phil Randal Network Engineer Herefordshire Council Hereford, UK > -Original Message- > From:

Re: [Clamav-users] MyDoom???

2004-02-04 Thread Denis Ducamp
On Wed, Feb 04, 2004 at 12:56:30PM +0200, Dinko Ivanov wrote: > When clamav will detect MyDoom? > I hope soon?! This is when my first Worm.SCO.A was caught, this is soon enough for me : -- Date: Mon, 26 Jan 2004 23:36:28 +0100 (CET)

Re: [Clamav-users] MyDoom???

2004-02-04 Thread Thomas Lamy
Dinko Ivanov wrote: When clamav will detect MyDoom? I hope soon?! It already does (and, in fact, most commercial vendors published their definitions _after_ the clamav team). It's called Worm.SCO.* in clamav, though. Thomas --- The SF.Net emai

Re: [Clamav-users] MyDoom???

2004-02-04 Thread Roger Koot
Actually, Clamav was (IIRC) the first antivirus package that had a signature for MyDoom. Sophos and Mcafee were hours later, possibly because they couldn't agree upon a spiffy name for the newcomer. so, clamav *does* scan for mydoom. if your version doesn't, check whether the automatic update of

Re: [Clamav-users] MyDoom???

2004-02-04 Thread Roman Suzi
Hmmm... My impression was that ClamAV catches MyDoom (it called it SCO.A) from the start. Sincerely yours, Roman A.Suzi -- - Petrozavodsk - Karelia - Russia - mailto:[EMAIL PROTECTED] - On Wed, 4 Feb 2004, Dinko Ivanov wrote: > When clamav will detect MyDoom? > I hope soon?! --

Re: [Clamav-users] MyDoom???

2004-02-04 Thread Erik Corry
On Wed, Feb 04, 2004 at 12:56:30PM +0200, Dinko Ivanov wrote: > When clamav will detect MyDoom? > I hope soon?! Clamav detects MyDoom just fine right now, but it calls it SCO.A. -- Erik Corry I'd be a Libertarian, if they weren't all a [EMAIL PROTECTED] bunch of tax-dodging professi

[Clamav-users] MyDoom???

2004-02-04 Thread Dinko Ivanov
When clamav will detect MyDoom? I hope soon?!

Re: [Clamav-users] Wait for next stable version or use CVS

2004-02-04 Thread Thomas Lamy
Stefan Kaltenbrunner wrote: Nigel Horne wrote: 4) Yes I am working on a solution and yes I am aware of it! I have just disabled binhex decoding in CVS while I further investigate this. A sidenote to everyone using the CVS version: It seems sf.net's public CVS service lags behind the develo

[Clamav-users] Bzip bombs

2004-02-04 Thread Erik Corry
Hi Just a note to say I tried some of the zip and bzip bombs described in http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html and found that clamav copes very well with them. In particular I was able to scan a mail consisting of a 10Gbyte bzip2 bomb followed by a copy

Re: [Clamav-users] Contents of DBDIR {Scanned}

2004-02-04 Thread Jo Mills
On Wed, Feb 04, 2004 at 12:34:33AM -0600, Justin wrote: > After getting 20040203 to compile tonight on my RH 9 box, I ran into > trouble starting the new daemon. It was convinced I had a "Malformed . . . > Everything seems to be running smoothly now. I wonder though, should I > have a main.cvd

[Clamav-users] Clamd stops responding

2004-02-04 Thread Erik Corry
Hi, I am using clamav to filter email. Here is the version info in the RPM (downloaded from the clamav site). Name: clamav Relocations: (not relocateable) Version : 0.65 Vendor: B.O.F.H. Corp. Release : 4

Re: [Clamav-users] Wait for next stable version or use CVS

2004-02-04 Thread Cedric Foll
Michael St. Laurent wrote: Are you using clamav-milter for the email scanning? No.

Re: [Clamav-users] Contents of DBDIR

2004-02-04 Thread Fajar A. Nugraha
Justin wrote: After getting 20040203 to compile tonight on my RH 9 box, I ran into trouble starting the new daemon. It was convinced I had a "Malformed Database." The old version of clamd I was running didn't seem to think so. I remembered reading something about clamd picking up all files i