RE: [Declude.Virus] ClamAV

2010-04-29 Thread Michael Cummins
In case this is helpful for someone else that isn't so great at rolling
their own Clams from the source code:

 

First, I installed ClamAID using the default options.  (SmarterMail /
Declude install for me)

 

http://www.armresearch.com/tools/arm/clamAID.jsp

 

This installs Clam 0.92, wraps it up as a service, wraps up FreshClam as a
service and gets everything pointed and configured for Declude to use.  It
includes pthreadVC2.dll, but I don't know if it uses it once we replace the
files here in a bit, because...

 

...when FreshClam goes to update the DB, it mangles the DB and dies, because
version 0.92 isn't supported anymore.

 

Immediately after installing ClamAID I stopped the ClamAVSvc and FreshClam
services and I commented out the lines it added in virus.cfg so I could get
it all running properly again.

 

I downloaded the clamav-win32-0.96.7z from http://oss.netfarm.it/clamav/ and
extracted the files to a folder.  I grabbed all the .exe and .dll files and
replaced the old ones in \Program Files\Clam AV.  I edited \conf\clamd.conf
and commented out the deprecated MailFollowURLs on line 226.  I deleted the
files in \data\ and created a \db\.  I set the log levels in clamd.conf and
freshclam.conf to high so I could see things chugging along until I was
comfortable.  I hard set the database to \db\ in the conf files, and set
verbose logging.

 

I cranked up the services, and watched FreshClam download new profiles to
\db\.

 

Once the db was downloaded, I tested Clam from the command prompt as
described on the armresearch page, and everything looked like it was working
fine.

 

I uncommented the lines in Declude, restarted Declude, and watched it all
start humming.

 

Now I am just keeping an eye on things, and waiting for Clam to catch a
virus.

 

-- Michael Cummins

 

 

 



---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] ClamAV

2010-04-29 Thread Michael Cummins
The official download from Clam wouldn't install on my Windows 2003 box.  It
said it only supports Windows 7, Vista, told me to go pound sand, yada yada.

 

The stuff at oss.netfarm.it didn't come with very much in the way of
instructions, but the ClamAID stuff did and it was also familiar with
Declude so it gave me a warm and fuzzy feeling.  It also didn't look like
clamav-win32-0.96.7z was going to set up FreshClam as a service, or at least
didn't mention it, and I hate installing random product just to see what it
does.

 

Not dissing anything, just explaining why I chose it.   You're completely
right.  I'm completely clam-n00b.  I've never worked with ClamAV, don't know
its parts and pieces from a raccoon skin hat, and was grateful to have a nice
page of instructions (thanks, ARM!), especially on how to test it before
configuring Declude.  Also, the ClamAID example used the .conf file in
their Declude config, while the Declude example didn't.  I thought that was
handy, too.

 

It at least gave me a place I could kludge from, and now I know a lot more
about how the product works.

 

Just splaining where my head was and leaving a trail here in the archives in
case it helps someone else.  :)

 

 - Michael Cummins

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Thursday, April 29, 2010 3:14 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ClamAV

 

There really is no need for ClamAid, because the recent builds (including
oss.netfarm.it) already are able to install themselves as services, and the
additional ClamAid DLLs will be obsolete once you install the official
version.

 

So unless you need help adding the 3 lines to the Virus.cfg, ClamAid
probably makes things unnecessarily complicated...

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael
Cummins
Sent: Thursday, April 29, 2010 2:50 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ClamAV

 

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.

RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to Reenable Virus Protection!

2010-04-29 Thread Michael Cummins
When I set up Clam earlier today, I was able to run it from the command line
and test it against an EICAR file, get a response, etc.  I saw it fail
against the bad database and succeed when properly configured.  I imagine
that I could easily schedule that, pipe the results to a text file and
schedule a bot to read it regularly and e-mail me if the test fails.  That
would let me know if FreshClam ever mangled the database.

 

Is there a way we could do the same with Declude and the Internal AVG
scanner / database?

 

Is there some way to execute it from a command line, point it at EICAR and
get a parse-able result?

 

That could be awfully handy. 

 

-- Michael Cummins

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Thursday, April 29, 2010 11:13 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] New Release Declude 4.10.48 -- MUST Install to
Reenable Virus Protection!

 

Declude Users - take note!

 

CommTouch/Zerohous does a good job, but does not catch all known viruses
(some days I have 5 or 6 DIFFERENT viruses/trojans sneaking by, some to
multiple users each!), so it's absolutely imperative that AVG works if you
don't have additional scanners set up.

 

Unfortunately, AVG had stopped working (no one has said for how many weeks
or possible months it has not worked). I have confirmed that AVG is now
working again after I upgraded from 4.10.42-A to 4.10.48. So - I recommend
all Declude users get on top of this quickly!

 

(PS: This is the second time AVG has gone AWOL inside of Declude for
extended periods of time - and it's never discovered until I finally
insist. Naturally, I have zero confidence in the built-in scanner. It's
unreliable and there is no notification whenever it stops working.)

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, April 28, 2010 12:56 PM
To: declude.junkm...@declude.com; declude.virus@declude.com;
declude.relea...@declude.com
Subject: [Declude.Virus] New Release Declude 4.10.48

 

The following release contains the following changes since 4.7.35 to the
current 4.10.48:

 

RELEASE   4.10.48

4.10.48 Fix closing files when PCRE dll encounters an error.

4.10.47 Fix memory leak in AVG SDK Release Instance

4.10.46 Updated AVG SDK to 1.7.9783; Added avgcorex.dll and avgcert.dll

4.10.45 Optimize code for moving files to the spool directory for IMail

4.10.44 Optimize code for moving files to the spool directory for
Smartermail

4.10.43 Fixed variable names in the MoveToError function which were
declared globally

4.10.42-A Fix for SNF Authentication to turn off without having to restart
Decludeproc

4.10.42 Message Sniffer integrated into Declude

4.10.41 Added variable %AUTH% to show the authenticated sender of the email

4.10.40 XWHITELIST ON in the global.cfg will give the reason for why the
email was WHITELISTED in the header of the email

4.9.39 Added a function to send a notify e-mail when hijack is triggered and
e-mails are being held in the Hold2 folder

To turn the Hijack e-mail notify on add the following directive to the
hijack.cfg.

HIJNOTIFY   ON

Add the include HijackNotify.eml into the \Declude directory. The recipient
of the email can be modified.

4.8.39 IPBYPASS can be configured with CIDR

4.8.38 Add the Recipient, mailfrom and subject information to the blklst.txt
file.

The format of the blklst.txt file is

Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfailed

 

Example:

 

Multiple
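
The scheduled EICAR canary Michael describes in the message above (and the
worry in the first message about FreshClam mangling the database) as an
added example; this is not code from the thread, ClamAV or Declude.  It is
written in Python rather than a batch file so the clamscan output parsing can
be checked on its own.  The clamscan.exe path, the \db\ DatabaseDirectory,
the 48-hour freshness limit and the notify() hook are all assumptions to be
replaced for your own install.  Run from Task Scheduler, it exits non-zero
when the signature files are missing or stale, when clamscan cannot load the
database, or when EICAR is not flagged, which is the condition he wanted
e-mailed.

```python
"""Scheduled ClamAV canary check.

Added example; not code from the thread, ClamAV or Declude.  It does what the
post above sketches: write an EICAR test file, scan it with clamscan, confirm
the signature database is present and fresh, and exit non-zero (so Task
Scheduler, a monitoring agent or a mail hook can raise the alarm) if anything
is off.

Assumed, not from the thread: the paths below, the 48-hour freshness limit
and the notify() hook.
"""
import os
import re
import subprocess
import sys
import tempfile
import time

# EICAR test string, assembled from two halves so this script file is not
# itself quarantined by a desktop scanner; the canary file on disk is whole.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

CLAMSCAN = r"C:\Program Files\Clam AV\clamscan.exe"  # assumed install path
DB_DIR = r"C:\Program Files\Clam AV\db"               # assumed DatabaseDirectory
MAX_DB_AGE = 48 * 3600                                 # assumed limit, seconds

# clamscan prints "<path>: <signature> FOUND" per hit and exits 0 = clean,
# 1 = something found, 2 = error (for example an unusable database).
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$", re.MULTILINE)


def classify(returncode, stdout):
    """Map clamscan's exit code plus output to a canary verdict."""
    match = FOUND_RE.search(stdout)
    if returncode == 2:
        return "ERROR", None
    if returncode == 1 and match:
        return "DETECTED", match.group("sig")
    if returncode == 0 and not match:
        return "MISSED", None        # scanner ran fine but did not flag EICAR
    return "UNEXPECTED", None        # exit code and output disagree


def check_db_files(files, now, max_age=MAX_DB_AGE):
    """files maps filename -> mtime.  Need main.* and daily.*, daily fresh."""
    main = [n for n in files if n in ("main.cvd", "main.cld")]
    daily = [n for n in files if n in ("daily.cvd", "daily.cld")]
    if not main or not daily:
        return False, "missing main/daily signature file"
    age = now - files[daily[0]]
    if age > max_age:
        return False, "daily signatures are %.1f hours old" % (age / 3600.0)
    return True, "daily signatures updated %.1f hours ago" % (age / 3600.0)


def check_db_dir(db_dir=DB_DIR):
    """Read the real database directory and apply check_db_files."""
    try:
        files = {n: os.path.getmtime(os.path.join(db_dir, n))
                 for n in os.listdir(db_dir)}
    except OSError as exc:           # directory missing or unreadable
        return False, str(exc)
    return check_db_files(files, time.time())


def scan_eicar(clamscan=CLAMSCAN, db_dir=DB_DIR):
    """Write the canary, scan it, clean up; return (verdict, detail)."""
    tmpdir = tempfile.mkdtemp(prefix="clam-canary-")
    path = os.path.join(tmpdir, "eicar.com")
    try:
        with open(path, "wb") as fh:
            fh.write(EICAR.encode("ascii"))
        proc = subprocess.run(
            [clamscan, "--database=" + db_dir, "--no-summary", path],
            capture_output=True, text=True)
        return classify(proc.returncode, proc.stdout)
    except OSError as exc:           # clamscan missing, temp dir unwritable
        return "ERROR", str(exc)
    finally:
        if os.path.exists(path):
            os.remove(path)
        os.rmdir(tmpdir)


def notify(message):
    """Placeholder for the 'e-mail me' step; wire smtplib or blat here."""
    sys.stderr.write("CLAM CANARY ALERT: %s\n" % message)


def main():
    failures = []
    db_ok, db_detail = check_db_dir()
    if not db_ok:
        failures.append("database: " + db_detail)
    verdict, detail = scan_eicar()
    if verdict != "DETECTED":
        failures.append("eicar scan: %s %s" % (verdict, detail or ""))
    if failures:
        notify("; ".join(failures))
        return 1
    print("ok: %s; EICAR flagged as %s" % (db_detail, detail))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

clamscan loads the on-disk database on every run, so a database FreshClam has
mangled shows up as an exit code of 2 even while the running clamd still has
the previous good set in memory; to exercise the daemon Declude actually
talks to, point the same check at clamdscan instead.  The verdict and the
freshness check are returned from functions rather than only printed so the
"bot" can act on them without scraping a log.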

RE: [Declude.Virus] Declude Virus inoperable for 13% of the year?

2009-06-03 Thread Michael Cummins
 Darin Cox said:
 that the AVG API was no longer performing scans?
 
 David Barker said:
 Declude Virus does not have a built in system to report this error as with
this specific example.
 
Is this true?  Has my Declude virus scanner been inoperable?  
 
My Declude logs look OK, but I guess that's what you're talking about?
What's the deal?  How can I detect this misbehavior, if indeed it did occur?
 
-- Michael Cummins
 
 

---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.Virus. The archives can be found
at http://www.mail-archive.com.

