Re: [Clamav-users] Broken zlib version?
On Wed, 2005-02-16 at 12:28 +0700, Fajar A. Nugraha wrote:
> Trog wrote:
> > No, it requires 1.2.2
>
> To be specific, does it absolutely require 1.2.2, or does a lower-but-not-buggy version work? e.g. will 1.2.0.7 work?

How on earth am I supposed to answer that? Sorry, my crystal ball has failed on this occasion.

-trog

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] No announcement of 0.83 on clamav-announce ML
On Feb 16, 2005, at 02:44, Dennis Peterson wrote:
> christian laubscher said:
> > On Tue, Feb 15, 2005 at 06:40:42PM -0700, Hal Goldfarb wrote:
> > [...]
> > > I also think RPM binaries should be made available before an official release.
> > [...]
> > please not!
>
> Piggy-backing: Maybe they could stick a broom up their bum and sweep the floor at the same time, too. Dayum, guy - this stuff is free. Get off your butt and build your own binaries - hell, it takes maybe 10 minutes, is repeatable, and you get all the credit. Don't even suggest they put my Solaris source builds in limbo until all the weenies have their little rpm's all bundled up, ribboned, bowed, and ready for a point and click install. This is not rocket science - rocket science is loud and makes smoke trails. Y'all are giving Unix a bad name.
>
> dp

Well put...

-- 
Dale
Re: [Clamav-users] problem with clamd
On Tuesday 15 Feb 2005 11:19, abac wrote:
> hi, I installed the clamav-0.82.tar.gz and the webmin module for clamav, the installation was successful, but now when i want to open the clamav in webmin this is the error:
>
> WARNING: Please fill in the location of the clamav daemon startup file in the module's configuration (install the clamav daemon package if it isn't already done)
>
> and when i run the freshclam this is the error:
>
> ERROR: Please edit the example config file /etc/freshclam.conf.
> ERROR: Please edit the example config file /etc/clamd.conf.
> ERROR: Can't parse the config file /etc/clamd.conf
>
> plz help me

Your best bet is to report it to the webmin author(s)
Re: [Clamav-users] Broken zlib version?
On Wednesday 16 Feb 2005 08:44, Trog wrote:
> > > No, it requires 1.2.2
> >
> > To be specific, does it absolutely require 1.2.2, or does a lower-but-not-buggy version work? e.g. will 1.2.0.7 work?
>
> How on earth am I supposed to answer that? Sorry, my crystal ball has failed on this occasion.

LOL. Can't you enable your ESP chip?

> -trog

-Nigel
[Clamav-users] Re: clamscan clamdscan
[EMAIL PROTECTED] wrote:
> I have mail folder name VIR that contains 43 mail attach with Netsky and 2 mail attach with Bagle. My FC1 has 0.83 and i do this:
>
> clamscan VIR
> clamdscan VIR
> cat VIR | clamscan -
>
> but it says no viruses. Can anybody tell me why clam cannot find the viruses?

Why? Because you don't know how to use it.

Solution: Read the manual. Hint: clamscan -r VIR is what you want; clamdscan doesn't use the -r, it does recursive scans by default, but you have to start clamd first, and before that you have to configure clamd, and for both commands to work their best you need to set up freshclam.

The third command you used is so wrong I won't even comment about it.

-- 
René Berber
Re: [Clamav-users] No announcement of 0.83 on clamav-announce ML
Okay, okay. I guess the RPM business went too far. And you are right, this is free software. But the thing that actually gets me is that when a new release of Clam comes out, it seems like there is all sorts of catching up to do. Believe it or not, I actually know how to use rpm tools. And I have about 10 years' experience in configuration management (but none of it involving packaging of open software).

The issue started out -- and then I went overboard because I felt frustrated -- that all of a sudden I discover that freshclam is not running, and only because I happened to be looking at it at that moment. Why it stops running is a mystery: Do I have to have the latest code to match the virus defs, or does the existing code handle a newer schema for one or two releases until everyone has a chance to catch up with the latest code?

And, please, don't snap at me. If you stopped to read the entire email I sent, you would see that I was thinking of a worldwide community of clamav users, not just very technical people who have the resources to put it all together. I was thinking of all of you and the hard work you are putting in. Really I was.

Thank you,
Hal
Re: [Clamav-users] No announcement of 0.83 on clamav-announce ML
On Wed, 16 Feb 2005 at 3:16:25 -0700, Hal Goldfarb wrote:
> [...]
> The issue started out -- and then I went overboard because I felt frustrated -- that all of a sudden I discover that freshclam is not running, and only because I happened to be looking at it at that moment. Why it stops running is a mystery:
> [...]

Why do you think that freshclam stops running when there is an updated version of the code??

-- 
Tomasz Papszun  SysAdm @ TP S.A. Lodz, Poland      | And it's only
tomek at lodz.tpsa.pl  http://www.lodz.tpsa.pl/iso/ | ones and zeros.
tomek at clamav.net    http://www.ClamAV.net/         A GPL virus scanner
Re: [Clamav-users] No announcement of 0.83 on clamav-announce ML
On Wed, 16 Feb 2005 03:16:25 -0700 in [EMAIL PROTECTED] Hal Goldfarb [EMAIL PROTECTED] wrote:
> The issue started out -- and then I went overboard because I felt frustrated -- that all of a sudden I discover that freshclam is not running, and only because I happened to be looking at it at that moment. Why it stops running is a mystery: Do I have to have the latest code to match the virus defs, or does the existing code handle a newer schema for one or two releases until everyone has a chance to catch up with the latest code?

It sounds like you may have an issue with freshclam anyway, although I'm not sure what. There have been some problems mentioned of this nature with clamd, although I don't remember so many with freshclam. A read of the list archives should help spot anything that applies.

Freshclam (all versions I've ever used) here keeps running just fine when new versions come out.

-- 
Brian Morrison
bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
RE: [Clamav-users] No announcement of 0.83 on clamav-announce ML
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hal Goldfarb
Sent: Tuesday, February 15, 2005 9:41 PM

> I am trying to play by the rules, honest. Can you instruct me on how to properly be informed of clamav code updates? I also think RPM binaries should be made available before an official release. There are probably a lot of people out there who are not CVS and/or build savvy, but want to support you all in your efforts to provide the world with a free and open anti-virus tool.

I'd rather wait a couple of days for some packager to kindly make the rpm/ebuild/etc for me and let the development team focus on what they do: develop! Asking them to do packages as well will only make the whole process slower and nobody wants that.

This product is designed for _mail servers_; that means that it will be used by _sysadmins_ who should know how to unpack/configure/make/make_install.

We here use crash's srpm just for convenience (that is SRPMS =). We compile the program for our needs, but since we use Fedora, we like it to be all about RPMs.

If your system is so important that it needs to be upgraded as fast as possible, you should ask for some paid support (not from the clamav team, but from some third party). I guess your system is worth it.

-Samuel
Re: [Clamav-users] Unable to install clamav from source or ports on openBSD 3.6
On Wednesday 16 Feb 2005 06:07, Joseph Filla wrote:
> I'm running openBSD 3.6 and cannot for the life of me install clamav. I've tried the ports (via cvsup) but run into gmp install errors (I can't figure that out) so I've moved to compiling from source. I've tried to compile .82 and .83 and after running 'configure' I try running make.

Check the output of ./configure, look for 'error'

I just tried running ./configure on an openbsd box:

configure: error: The installed zlib version may contain a security bug. Please upgrade to 1.2.2 or later: http://www.zlib.net. You can omit this check with --disable-zlib-vcheck but DO NOT REPORT any stablility issues then!

wget http://www.zlib.net/zlib-1.2.2.tar.gz

find out where the existing zlib stuff is installed before installing the above and make sure it is removed or overwritten by the new one

locate zlib

> However I get a make: no target to make.

./configure did not finish, so no makefile

keep trying ;-)

-- 
- Bob Hutchinson
Midwales dot com
[Clamav-users] Mime
Hi list,

I have posted before about an issue with clamd hanging and yesterday we finally managed to find out what the underlying problem was. We came across an 800k mail that we initially thought was causing clamd to hang. The truth in fact was that once we turned on debugging, we noticed that clamd was not hanging - just taking an age to scan the mail. This was obviously causing us huge problems as this was happening on very busy mail servers and in effect causes a DOS.

We were running 0.83 and downgraded eventually to 0.80 and then we no longer experienced the issue. What we noticed about this one particular mail was that it had hundreds of mime-parts. So it appears to us that there has been a major change in the way clamav deals with mime parts since 0.80. So much so that it goes from scanning this mail in under a second in 0.80:

# ls -la 1108491486.1513-1.ophelia.telkomsa.net
-rw---    1 root  root  817795 Feb 15 20:35 1108491486.1513-1.ophelia.telkomsa.net
# cat 1108491486.1513-1.ophelia.telkomsa.net | clamdscan -
stream: OK

--- SCAN SUMMARY ---
Infected files: 0
Time: 0.741 sec (0 m 0 s)

To taking over 4 minutes to scan in 0.83.

Can anyone shed some light on this / offer some advice, as obviously we want to keep up with the latest stable version. I can provide the mail if anyone wants to examine it further.

Many thanks

Scott Ryan
Telkom Internet
RE: [Clamav-users] Broken zlib version?
On Wed, 2005-02-16 at 08:49, Dennis Peterson wrote:
> Dörfler Andreas said:
> > the versioncheck for zlib isn't the best. suse for example fixes the security hole in 1.2.1 with patches and not with an installation from a new version. forget the warning.
>
> Sounds like suse has introduced a configuration management anomaly. How much running around looking for such anomalies do you think these fine developers should do for free? Damn, but this has been a week of whiners. This software hasn't a brain, people, use your own.

Nobody is whining here Dennis. I was asking a question about what the zlib warning was all about. The 3rd party SRPM requires zlib 1.2.1.2 which is the latest available for FC3 (1.2.2.2 is in Rawhide). The zlib homepage doesn't mention anything about 1.2.2 (you can download it if you manually change the download URLs). From the zlib ChangeLog I can't see anything important that would make 1.2.1.2 any less acceptable than 1.2.2:

Changes in 1.2.2 (3 October 2004)
- Update zlib.h comments on gzip in-memory processing
- Set adler to 1 in inflateReset() to support Java test suite [Walles]
- Add contrib/dotzlib [Ravn]
- Update win32/DLL_FAQ.txt [Truta]
- Update contrib/minizip [Vollant]
- Move contrib/visual-basic.txt to old/ [Truta]
- Fix assembler builds in projects/visualc6/ [Truta]

Java test suite? Assembler builds on VC6? Not applicable. 1.2.1.2 is the version where all the nasties were fixed. Something may have been changed in 1.2.2 which was left out of the ChangeLog of course, but if it was that important that's not very likely.

The software doesn't have a brain alright, but it would be a lot more helpful if that warning actually stated what the possible problem was. (CAN-2004-0797 for instance?)

SuSE/RedHat have not introduced any CM anomalies. Standard procedure is to patch bugs and release updated packages with an increased package version number. When/if the patch is accepted upstream it is removed from the package, and a new package is built with a new version number including the upstream fix. SuSE/RedHat obviously can't bump the version themselves just because they patched a bug, and they can't sit around and wait for security/bug patches to be incorporated upstream all the time.

That said, nobody is complaining that the ClamAV developers aren't running around checking exactly what patch set people have installed. Andreas was just pointing out that the 1.2.1.2 in SuSE has already been patched, and I have nothing to worry about if I run SuSE. The same is the case with Fedora (I've checked now that I think I know what the worry is). That was helpful, thanks.

Regards,
-- 
Tarjei
Re: [Clamav-users] Broken zlib version?
On Tue, 2005-02-15 at 17:15, Trog wrote:
> On Tue, 2005-02-15 at 17:07 +0100, Tarjei Knapstad wrote:
> > I've got a mail server here running RH8 (yes, yes I know... :)), and when trying to build clamav 0.83 RPMs it required zlib 1.2.1.2.
>
> No, it requires 1.2.2

May I ask why? There doesn't seem to be any important bugfixes between 1.2.2 and 1.2.1.2:

Changes in 1.2.2 (3 October 2004)
- Update zlib.h comments on gzip in-memory processing
- Set adler to 1 in inflateReset() to support Java test suite [Walles]
- Add contrib/dotzlib [Ravn]
- Update win32/DLL_FAQ.txt [Truta]
- Update contrib/minizip [Vollant]
- Move contrib/visual-basic.txt to old/ [Truta]
- Fix assembler builds in projects/visualc6/ [Truta]

(There are a lot of important fixes in 1.2.1.2 though)

-- 
Tarjei
RE: [Clamav-users] Broken zlib version?
On Wed, 2005-02-16 at 14:57 +0100, Tarjei Knapstad wrote:
> On Wed, 2005-02-16 at 08:49, Dennis Peterson wrote:
> > Dörfler Andreas said:
> > > the versioncheck for zlib isn't the best. suse for example fixes the security hole in 1.2.1 with patches and not with an installation from a new version. forget the warning.
> >
> > Sounds like suse has introduced a configuration management anomaly. How much running around looking for such anomalies do you think these fine developers should do for free? Damn, but this has been a week of whiners. This software hasn't a brain, people, use your own.
>
> Nobody is whining here Dennis. I was asking a question about what the zlib warning was all about. The 3rd party SRPM requires zlib 1.2.1.2 which is the latest available for FC3 (1.2.2.2 is in Rawhide). The zlib homepage doesn't mention anything about 1.2.2 (you can download it if you manually change the download URLs). From the zlib ChangeLog I can't see anything important that would make 1.2.1.2 any less acceptable than 1.2.2:
>
> Changes in 1.2.2 (3 October 2004)
> - Update zlib.h comments on gzip in-memory processing
> - Set adler to 1 in inflateReset() to support Java test suite [Walles]
> - Add contrib/dotzlib [Ravn]
> - Update win32/DLL_FAQ.txt [Truta]
> - Update contrib/minizip [Vollant]
> - Move contrib/visual-basic.txt to old/ [Truta]
> - Fix assembler builds in projects/visualc6/ [Truta]

A simple search in the archive for zlib 1.2.2 turns this up:

http://lurker.clamav.net/message/20041103.143255.97fa22ec.en.html

It contains the references you are asking for, a link to the *current* zlib homepage which has 1.2.2 all over it, and the front page then states this:

Version 1.2.2 eliminates a potential security vulnerability in zlib 1.2.1, so all users of 1.2.1 should upgrade immediately.

The following important fixes are provided in zlib 1.2.2:
* Eliminate a potential security vulnerability when decoding invalid compressed data
* Fix bug when decompressing dynamic blocks with no distance codes
* Do not return an error when using gzread() on an empty file

-trog
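The thread circles one question: the 0.83 configure check refuses any zlib whose version string is below 1.2.2, and a distribution that backported the 1.2.1 fix into a package still called 1.2.1.2 is refused along with the genuinely vulnerable ones. The following is an added example, not ClamAV's configure code and not written by anyone in the thread. It implements a version gate of that kind against the 1.2.2 floor quoted above, shows why the comparison has to be numeric rather than on strings, and adds the two checks a practitioner would run before deciding whether --disable-zlib-vcheck is safe: the compile-time header version versus the library actually loaded at run time, and (on RPM systems) whether the package changelog mentions the fix. The zlib.h text is constructed; CAN-2004-0797 is the identifier Tarjei cited; the rpm changelog lookup is an assumed operator check, not something the project does.

```python
"""Added example: a zlib version gate of the kind ./configure applies, plus the
checks an operator runs before trusting (or bypassing) it.

Assumptions, not from the original thread: the 1.2.2 floor comes from the
configure error quoted in the thread; SAMPLE_ZLIB_H is constructed text standing
in for /usr/include/zlib.h; the rpm changelog lookup is one way to spot a distro
backport and is not a ClamAV check.
"""
import re
import shutil
import subprocess
import zlib

MIN_SAFE = (1, 2, 2)  # floor enforced by the 0.83 configure check (per the thread)

# Constructed sample header, as an FC3 box with zlib-1.2.1.2 would carry it.
SAMPLE_ZLIB_H = '''
#ifndef ZLIB_H
#define ZLIB_H
#define ZLIB_VERSION "1.2.1.2"
#define ZLIB_VERNUM 0x1212
'''


def parse_version(text):
    """'1.2.1.2' -> (1, 2, 1, 2). Versions must be compared numerically:
    as strings, "1.2.10" sorts below "1.2.2"; as tuples it sorts above."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError("no dotted version in %r" % text)
    return tuple(int(x) for x in m.group(0).split("."))


def version_at_least(version, minimum=MIN_SAFE):
    """True if `version` >= `minimum`. Tuple comparison is element-wise and a
    missing trailing component counts as smaller, so (1,2,2,2) >= (1,2,2) and
    (1,2,1,2) < (1,2,2), which is exactly the case the FC3 poster hit."""
    return parse_version(version) >= tuple(minimum)


def header_version(zlib_h_text):
    """Pull ZLIB_VERSION out of zlib.h text: the version a build compiles against."""
    m = re.search(r'#define\s+ZLIB_VERSION\s+"([^"]+)"', zlib_h_text)
    return m.group(1) if m else None


def runtime_versions():
    """Compile-time vs run-time zlib for this interpreter. A binary built against
    1.2.2 headers that loads an older libz.so at run time is still exposed, and a
    header-only check cannot see that."""
    compiled = zlib.ZLIB_VERSION
    loaded = getattr(zlib, "ZLIB_RUNTIME_VERSION", compiled)  # Python 3.3+
    return compiled, loaded


def distro_backport_hint(package="zlib", marker="CAN-2004-0797"):
    """On RPM systems a backported fix shows up in the package changelog while the
    version string stays at 1.2.1.x. Returns None when rpm is not available."""
    if shutil.which("rpm") is None:
        return None
    out = subprocess.run(["rpm", "-q", "--changelog", package],
                         capture_output=True, text=True)
    return marker.lower() in out.stdout.lower()


def assess(zlib_h_text, minimum=MIN_SAFE):
    """Verdict for a header: 'ok', 'below-minimum' (configure would refuse it; a
    backported fix cannot be seen from the version string), or 'unknown'."""
    version = header_version(zlib_h_text)
    if version is None:
        return "unknown", None
    return ("ok" if version_at_least(version, minimum) else "below-minimum"), version


if __name__ == "__main__":
    print("sample header:", assess(SAMPLE_ZLIB_H))
    print("this interpreter, compiled/loaded:", runtime_versions())
    print("rpm changelog mentions CAN-2004-0797:", distro_backport_hint())
```

The gate itself is the easy part; the point the thread keeps tripping over is what it cannot tell you. A version string below the floor means one of two things, vulnerable or patched-in-place, and only the package changelog (or the vendor advisory) distinguishes them. If it confirms the backport, bypassing the check is defensible; if it does not, upgrading is the only answer, and either way the run-time library, not just the header, is what needs to be at the fixed level.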
Re: [Clamav-users] Mime
--On Wednesday, February 16, 2005 2:52 PM +0200 Scott Ryan [EMAIL PROTECTED] wrote:
> On Wednesday 16 February 2005 14:50, Ted Fines shaped the electrons to say:
> > Would you please send me this attachment off-list. Please zip it and password protect it (password='password') so it comes through.
> >
> > Thanks,
> > Ted
>
> Hope this works.
> --
> Scott Ryan
> Telkom Internet

Holy bananas. This problem could easily hang any server using Clam 0.83. I asked Scott to send me the email in question and I see exactly the same behavior with Clam 0.83 on FreeBSD 5.3 / Dual Xeon 2.xx GHz machine:

qmail2# ls -l
total 816
-rw-r--r--  1 root  daemon  817795 Feb 16 14:47 1108491486.1513-1.ophelia.telkomsa.net
qmail2# time clamdscan 1108491486.1513-1.ophelia.telkomsa.net
/usr/home/ftp/incoming/1108491486.1513-1.ophelia.telkomsa.net: OK

--- SCAN SUMMARY ---
Infected files: 0
Time: 253.436 sec (4 m 13 s)
0.006u 0.000s 4:13.44 0.0% 0+0k 0+0io 0pf+0w

FOUR MINUTES, 13 SECONDS for an 800k email.

By comparison, I scanned a large (160 MB) .zip file:

qmail2# ls -al
total 158260
drwx-wx-wx  2 root  daemon        512 Feb 16 08:02 .
drwxr-xr-x  3 root  daemon        512 Feb 16 08:02 ..
-rw-r--r--  1 root  daemon  161946301 Jan 18 16:01 GhostFull1117.zip
qmail2# time clamdscan GhostFull1117.zip
/usr/home/ftp/incoming/GhostFull1117.zip: OK

--- SCAN SUMMARY ---
Infected files: 0
Time: 86.319 sec (1 m 26 s)
0.006u 0.000s 1:26.32 0.0% 0+0k 0+0io 0pf+0w

A minute, 26 seconds.

...And a more realistic sized .zip file:

qmail2# ls -l
total 1104
-rw-r--r--  1 root  daemon  1098702 Feb 16 08:04 Archive.zip
qmail2# time clamdscan .
/usr/home/ftp/incoming/.: OK

--- SCAN SUMMARY ---
Infected files: 0
Time: 0.795 sec (0 m 0 s)
0.006u 0.000s 0:00.80 0.0% 0+0k 0+0io 0pf+0w
Re: [Clamav-users] Mime
On Wednesday 16 Feb 2005 14:18, Ted Fines wrote:
> FOUR MINUTES, 13 SECONDS for an 800k email.

Look at the file again. It is NOT an 800k mail. It is over 200 emails embedded within each other. By definition the largest message is about 800K and the smallest is about 1K give or take, giving an average of 400K (don't worry if the maths isn't too accurate). So that's about 200x400K = c.80Mb. 0.80 didn't scan it properly and would have let a virus through; 0.83 fixes that bug.

> By comparison, I scanned a large (160 MB) .zip file:

Try comparing like with like next time.

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] Mime
* Ted Fines [EMAIL PROTECTED] [20050216 17:20] wrote:
> --On Wednesday, February 16, 2005 2:52 PM +0200 Scott Ryan [EMAIL PROTECTED] wrote:
> > On Wednesday 16 February 2005 14:50, Ted Fines shaped the electrons to say:
> > > Would you please send me this attachment off-list. Please zip it and password protect it (password='password') so it comes through.
> > >
> > > Thanks,
> > > Ted
> >
> > Hope this works.
> > --
> > Scott Ryan
> > Telkom Internet
>
> Holy bananas. This problem could easily hang any server using Clam 0.83. I asked Scott to send me the email in question and I see exactly the same behavior with Clam 0.83 on FreeBSD 5.3 / Dual Xeon 2.xx GHz machine:

Now that you have come up, I believe I should as well. I backed off 0.83 and run several steps backwards. For the same reasons (clamd taking ages to scan), I am running the following version of ClamAv:

ClamAV devel-20050214

I just did not have enough time to debug this on a production box! I am running FreeBSD 4.11 / Quad Xeon 500MHz, 1GB RAM.

Well, and zlib version should not have anything to do with this since I still rely on the native one on the base system ;)

-Wash

http://www.netmeister.org/news/learn2quote.html
--
Odhiambo Washington  [EMAIL PROTECTED]
Wananchi Online Ltd.  www.wananchi.com
Tel: +254 20 313985-9  +254 20 313922
GSM: +254 722 743223  +254 733 744121

The human race is a race of cowards; and I am not only marching in that procession but carrying a banner. -- Mark Twain
Re: [Clamav-users] No announcement of 0.83 on clamav-announce ML
> Piggy-backing: Maybe they could stick a broom up their bum and sweep the floor at the same time, too. Dayum, guy - this stuff is free. Get off your butt and build your own binaries - hell, it takes maybe 10 minutes, is repeatable, and you get all the credit. Don't even suggest they put my Solaris source builds in limbo until all the weenies have their little rpm's all bundled up, ribboned, bowed, and ready for a point and click install. This is not rocket science - rocket science is loud and makes smoke trails. Y'all are giving Unix a bad name.
>
> dp

I'll second that.
Re: [Clamav-users] Mime
Nigel Horne wrote:
> On Wednesday 16 Feb 2005 14:18, Ted Fines wrote:
> > FOUR MINUTES, 13 SECONDS for an 800k email.
>
> Look at the file again. It is NOT an 800k mail. It is over 200 emails embedded within each other. By definition the largest message is about 800K and the smallest is about 1K give or take, giving an average of 400K (don't worry if the maths isn't too accurate). So that's about 200x400K = c.80Mb. 0.80 didn't scan it properly and would have let a virus through; 0.83 fixes that bug.
>
> > By comparison, I scanned a large (160 MB) .zip file:
>
> Try comparing like with like next time.

Oversized.Mail? Do we need such new detection or is there a better solution?

Bogusław Brandys
RE: [Clamav-users] No announcement of 0.83 on clamav-announce ML
-Original Message-
From: Hal Goldfarb [mailto:[EMAIL PROTECTED]
Subject: [Clamav-users] No announcement of 0.83 on clamav-announce ML

> I am trying to play by the rules, honest. Can you instruct me on how to properly be informed of clamav code updates? I also think RPM binaries should be made available before an official release. There are probably a lot of people out there who are not CVS and/or build savvy, but want to support you all in your efforts to provide the world with a free and open anti-virus tool.

I've been rolling my own RPM's for a while now.. I try to keep the latest one available via my toaster site.. I'm sure I can open this up a bit and set up a clamav RPM site if necessary..

http://www.godshell.com/toaster

Just my two bits.

> Thanks
> Hal

-- 
Jason Frisvold
Penteledata
Re: [Clamav-users] Mime
On Wednesday 16 Feb 2005 14:58, Bogusław Brandys wrote:
> Oversized.Mail? Do we need such new detection or is there a better solution?

I need to finish the work on the new scanner that is already underway (see mbox.c) which removes the parser.

> Boguslaw Brandys

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] Mime
On Wednesday 16 February 2005 16:26, Nigel Horne shaped the electrons to say:
> On Wednesday 16 Feb 2005 14:18, Ted Fines wrote:
> > FOUR MINUTES, 13 SECONDS for an 800k email.
>
> Look at the file again. It is NOT an 800k mail. It is over 200 emails embedded within each other. By definition the largest message is about 800K and the smallest is about 1K give or take, giving an average of 400K (don't worry if the maths isn't too accurate). So that's about 200x400K = c.80Mb. 0.80 didn't scan it properly and would have let a virus through; 0.83 fixes that bug.

My dilemma is now this: we cannot upgrade to any version above 0.80 due to oversized mails potentially causing a DOS. What functionality am I missing out on (in a nutshell) by running 0.80? Are there many viruses that I will not be able to catch? Is there potentially a work around for these types of mails?

regards
-- 
Scott Ryan
Telkom Internet
Re: [Clamav-users] Mime
On Wednesday 16 Feb 2005 15:15, Scott Ryan wrote:
> On Wednesday 16 February 2005 16:26, Nigel Horne shaped the electrons to say:
> > On Wednesday 16 Feb 2005 14:18, Ted Fines wrote:
> > > FOUR MINUTES, 13 SECONDS for an 800k email.
> >
> > Look at the file again. It is NOT an 800k mail. It is over 200 emails embedded within each other. By definition the largest message is about 800K and the smallest is about 1K give or take, giving an average of 400K (don't worry if the maths isn't too accurate). So that's about 200x400K = c.80Mb. 0.80 didn't scan it properly and would have let a virus through; 0.83 fixes that bug.
>
> My dilemma is now this: we cannot upgrade to any version above 0.80 due to oversized mails potentially causing a DOS. What functionality am I missing out on (in a nutshell) by running 0.80? Are there many viruses that I will not be able to catch?

I have seen this in the field; indeed the scans were added as the result of a bug report. It's your decision on what to do.

> Is there potentially a work around for these types of mails?
>
> regards

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
RE: [Clamav-users] Broken zlib version?
On Wed, 2005-02-16 at 15:11, Trog wrote:
> On Wed, 2005-02-16 at 14:57 +0100, Tarjei Knapstad wrote:
> > On Wed, 2005-02-16 at 08:49, Dennis Peterson wrote:
> snip
>
> A simple search in the archive for zlib 1.2.2 turns this up:
>
> http://lurker.clamav.net/message/20041103.143255.97fa22ec.en.html
>
> It contains the references you are asking for, a link to the *current* zlib homepage which has 1.2.2 all over it, and the front page then states this:

Thanks Trog, that clears the haze. I thought the list archives were down (the archives link is borked if you follow the link attached to the bottom of each post on the list). Googling for zlib took me to the old site and does not show zlib.net in the first 100 results. (Googling for zlib 1.2.2 does not show either in the first 100). Oh well :-S

Thanks,
-- 
Tarjei
Re: [Clamav-users] Mime
On Wednesday 16 February 2005 17:34, Nigel Horne shaped the electrons to say:
> On Wednesday 16 Feb 2005 15:15, Scott Ryan wrote:
> > On Wednesday 16 February 2005 16:26, Nigel Horne shaped the electrons to say:
> > > On Wednesday 16 Feb 2005 14:18, Ted Fines wrote:
> > > > FOUR MINUTES, 13 SECONDS for an 800k email.
> > >
> > > Look at the file again. It is NOT an 800k mail. It is over 200 emails embedded within each other. By definition the largest message is about 800K and the smallest is about 1K give or take, giving an average of 400K (don't worry if the maths isn't too accurate). So that's about 200x400K = c.80Mb. 0.80 didn't scan it properly and would have let a virus through; 0.83 fixes that bug.
> >
> > My dilemma is now this: we cannot upgrade to any version above 0.80 due to oversized mails potentially causing a DOS. What functionality am I missing out on (in a nutshell) by running 0.80? Are there many viruses that I will not be able to catch?
>
> I have seen this in the field; indeed the scans were added as the result of a bug report. It's your decision on what to do.

I will just have to allow these types of mails to go unscanned. Four minutes to scan one will cause a DOS. Would it be possible to request that some kind of recursion limit be added here like there currently is on zip files? Just a thought...

> > Is there potentially a work around for these types of mails?
> >
> > regards

-- 
Scott Ryan
Telkom Internet
Re: [Clamav-users] Mime
On Wednesday 16 Feb 2005 15:51, Scott Ryan wrote:
> Would it be possible to request that some kind of recursion limit be added here like there currently is on zip files?

That would be a bad idea since it would be v. easy for a virus writer to get around.

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] Broken zlib version?
Tarjei Knapstad wrote:
> On Wed, 2005-02-16 at 15:11, Trog wrote:
> > On Wed, 2005-02-16 at 14:57 +0100, Tarjei Knapstad wrote:
> > > On Wed, 2005-02-16 at 08:49, Dennis Peterson wrote:
> > snip
> >
> > A simple search in the archive for zlib 1.2.2 turns this up:
> >
> > http://lurker.clamav.net/message/20041103.143255.97fa22ec.en.html
> >
> > It contains the references you are asking for, a link to the *current* zlib homepage which has 1.2.2 all over it, and the front page then states this:
>
> Thanks Trog, that clears the haze. I thought the list archives were down (the archives link is borked if you follow the link attached to the bottom of each post on the list). Googling for zlib took me to the old site and does not show zlib.net in the first 100 results. (Googling for zlib 1.2.2 does not show either in the first 100). Oh well :-S

Exactly, this is retarded. I had the same problem. Google for zlib returns http://www.gzip.org/zlib/ which shows 1.2.1 as current and has no mention of another website (namely zlib.net). It also shows:

Canonical URL: http://www.gzip.org/zlib/
Mirror sites: http://www.doc.cs.univ-paris8.fr/mirrors/zlib/ (France)

Ok fine.. so now I hear zlib.net is the current site. So over to www.zlib.net which says 1.2.2 is current. Aha! there it is. But on zlib.net there is no mention anywhere that www.gzip.org/zlib/ should not be used anymore and zlib.net even says:

Canonical URL: http://www.gzip.org/zlib/
Mirror sites: http://www.zlib.net/ (US)

Which makes no sense at all. I realize this is not a clamav issue, I'm just trying to point out the source of confusion WRT zlib and clamav.

-Jim
Re: [Clamav-users] Mime
On Wed, 2005-02-16 at 16:00 +0000, Nigel Horne wrote:
> On Wednesday 16 Feb 2005 15:51, Scott Ryan wrote:
> > Would it be possible to request that some kind of recursion limit be added here like there currently is on zip files?
>
> That would be a bad idea since it would be v. easy for a virus writer to get around.

Okay. How about an option to dump an email - or flag it as a *possible* virus - if a specified recursion limit is reached?

-- 
Peter Hubbard [EMAIL PROTECTED]
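The Mime thread above describes a message-in-a-message-in-a-message shape (over 200 levels), a scanner that extracts and rescans each embedded message whole (so an 800K mail costs roughly 200 x 400K of scanning), a request for a recursion limit, the objection that a silent limit is trivially bypassed, and the counter-proposal to flag the mail when the limit is hit. The following is an added example, not ClamAV code and not from any poster, that makes all of that concrete: it builds such a nested message/rfc822 chain, walks it with the same per-level cost model, and stops with a verdict when a depth or total-bytes budget is exceeded. The sample message is constructed, and the limit and verdict names are hypothetical. Python's own email parser and generator recurse per level, so the depth used here is kept well below the 200 of the real mail.

```python
"""Added example (not ClamAV code): nested message/rfc822 MIME and what a
recursion/size limit does to the scan. Input is constructed; the limit names and
the verdict strings are hypothetical."""
import email
from email import policy

# Constructed innermost message: a 1 KB text body.
LEAF = (b"From: leaf@example.invalid\r\n"
        b"Subject: innermost\r\n"
        b"Content-Type: text/plain\r\n"
        b"\r\n" + b"A" * 1024 + b"\r\n")


def build_nested_message(depth, leaf=LEAF):
    """Constructed sample: a message whose only part is a message/rfc822 part
    holding a message whose only part is ... `depth` wrappers deep. Each level
    gets its own boundary so the parser cannot confuse them."""
    current = leaf
    for level in range(depth):
        boundary = ("wrap%d" % level).encode()
        current = (b"From: wrapper@example.invalid\r\n"
                   b"Subject: level " + str(level).encode() + b"\r\n"
                   b"MIME-Version: 1.0\r\n"
                   b'Content-Type: multipart/mixed; boundary="' + boundary + b'"\r\n'
                   b"\r\n"
                   b"--" + boundary + b"\r\n"
                   b"Content-Type: message/rfc822\r\n"
                   b"\r\n" + current +          # `current` always ends in CRLF
                   b"--" + boundary + b"--\r\n")
    return current


class Limits:
    """Hypothetical scan budget: nesting depth and total bytes handed to the engine."""
    def __init__(self, max_depth=16, max_total_bytes=8 * 1024 * 1024):
        self.max_depth = max_depth
        self.max_total_bytes = max_total_bytes


def scan_nested(raw, limits=None):
    """Walk every embedded message the way a scanner that writes each one out and
    rescans it does, charging its full size at every level.
    Returns (verdict, stats); verdict is "OK" or "LIMITS_EXCEEDED"."""
    limits = limits or Limits()
    stats = {"messages": 0, "max_depth": 0, "bytes_scanned": 0}
    msg = email.message_from_bytes(raw, policy=policy.default)
    ok = _scan_message(msg, 0, stats, limits)
    return ("OK" if ok else "LIMITS_EXCEEDED"), stats


def _scan_message(msg, depth, stats, limits):
    stats["messages"] += 1
    stats["max_depth"] = max(stats["max_depth"], depth)
    # Cost model from the thread: each embedded message is scanned whole, so the
    # bytes seen by the engine grow quadratically with nesting, not linearly.
    stats["bytes_scanned"] += len(msg.as_bytes())
    if depth > limits.max_depth or stats["bytes_scanned"] > limits.max_total_bytes:
        return False
    return _scan_parts(msg, depth, stats, limits)


def _scan_parts(part, depth, stats, limits):
    if part.get_content_type() == "message/rfc822":
        # An embedded message: one nesting level deeper.
        return _scan_message(part.get_payload(0), depth + 1, stats, limits)
    if not part.is_multipart():
        return True  # leaf body: a real scanner would run its signatures here
    for sub in part.iter_parts():          # multipart/* stays at the same level
        if not _scan_parts(sub, depth, stats, limits):
            return False
    return True


if __name__ == "__main__":
    raw = build_nested_message(60)
    print("outer size:", len(raw))
    print("no limit hit:", scan_nested(raw, Limits(max_depth=100, max_total_bytes=1 << 30)))
    print("depth 16:   ", scan_nested(raw, Limits(max_depth=16)))
```

What to do with LIMITS_EXCEEDED is the policy question the last two posts disagree on. Passing the mail through unscanned is the workaround Scott settles for and the behaviour Nigel objects to, since wrapping a payload one level deeper than the limit defeats it; returning the verdict as a detection, as Peter suggests, makes the limit a cost cap rather than a bypass, because exceeding it is itself the signal.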
RE: [Clamav-users] No announcement of 0.83 on clamav-announce ML
You're right, 99.% of the people using computers are not Unix Admins. But they sure have an impact on the amount of traffic generated by infected systems sending email. While I agree that you should not hold up any code just so you can do a release across the board, in the long run we all benefit when the software is easy to install and maintain for all types of users.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Grau
Sent: Wednesday, February 16, 2005 6:35 AM
To: ClamAV users ML
Subject: Re: [Clamav-users] No announcement of 0.83 on clamav-announce ML

> > Piggy-backing: Maybe they could stick a broom up their bum and sweep the floor at the same time, too. Dayum, guy - this stuff is free. Get off your butt and build your own binaries - hell, it takes maybe 10 minutes, is repeatable, and you get all the credit. Don't even suggest they put my Solaris source builds in limbo until all the weenies have their little rpm's all bundled up, ribboned, bowed, and ready for a point and click install. This is not rocket science - rocket science is loud and makes smoke trails. Y'all are giving Unix a bad name.
> >
> > dp
>
> I'll second that.
Re: [Clamav-users] ClamAV and BZip
On Tue, 15 Feb 2005 22:00:57 -0500 Dale Walsh [EMAIL PROTECTED] wrote: I've noticed the use of libbz2 in building ClamAV, this limits the scan to zipped files, would libz not allow tar and gz files to be scanned and make a better choice? libbz2 and libz are two different things. -- Tomasz Kojm [EMAIL PROTECTED] http://www.ClamAV.net/gpg/tkojm.gpg 0DCA5A08407D5288279DB43454822DC8985A444B Wed Feb 16 15:22:40 CET 2005
Re: [Clamav-users] Broken zlib version?
On Wed, 16 Feb 2005 15:02:59 +0100 Tarjei Knapstad [EMAIL PROTECTED] wrote: On Tue, 2005-02-15 at 17:15, Trog wrote: On Tue, 2005-02-15 at 17:07 +0100, Tarjei Knapstad wrote: I've got a mail server here running RH8 (yes, yes I know... :)), and when trying to build clamav 0.83 RPMs it required zlib 1.2.1.2. No, it requires 1.2.2 May I ask why? There doesn't seem to be any important bugfixes between 1.2.2 and 1.2.1.2: www.zlib.net: Version 1.2.2 eliminates a potential security vulnerability in zlib 1.2.1, so all users of 1.2.1 should upgrade immediately. The following important fixes are provided in zlib 1.2.2[...] -- Tomasz Kojm [EMAIL PROTECTED] http://www.ClamAV.net/gpg/tkojm.gpg 0DCA5A08407D5288279DB43454822DC8985A444B Wed Feb 16 15:12:53 CET 2005
Re: [Clamav-users] Broken zlib version?
On Wed, 16 Feb 2005 14:57:16 +0100 Tarjei Knapstad [EMAIL PROTECTED] wrote: Nobody is whining here Dennis. I was asking a question about what the zlib warning was all about. The www.zlib.net: October 3rd, 2004 Version 1.2.2 eliminates a potential security vulnerability in zlib 1.2.1, so all users of 1.2.1 should upgrade immediately. The following important fixes are provided in zlib 1.2.2[...] 3rd party SRPM requires zlib 1.2.1.2 which is the latest available for FC3 (1.2.2.2 is in Rawhide). The zlib homepage doesn't mention anything about 1.2.2 (you can download it if you manually change the You're wrong. Java test suite? Assembler builds on VC6? Not applicable. 1.2.1.2 is the version where all the nasties were fixed. Something may have been You're wrong. We've been playing with the bug in zlib since March 2004 and we have some knowledge which versions are fixed or not. The software doesn't have a brain alright, but it would be a lot more helpful if that warning actually stated what the possible problem was. (CAN-2004-0797 for instance?) It suggests visiting www.zlib.net and you didn't do it. That said, nobody is complaining that the ClamAV developers aren't running around checking exactly what patch set people have installed. Andreas was just pointing out that the 1.2.1.2 in SuSE has already been patched, and I have nothing to worry about if I run SuSE. The Anyway, do not report any stability issues with clamd. -- Tomasz Kojm [EMAIL PROTECTED] http://www.ClamAV.net/gpg/tkojm.gpg 0DCA5A08407D5288279DB43454822DC8985A444B Wed Feb 16 15:19:23 CET 2005
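The confusion in this thread is whether "1.2.1.2" counts as older or newer than "1.2.2", and whether a distro-patched 1.2.1.2 is safe. The following is an added example, not ClamAV's configure check, that compares dotted zlib versions numerically and reports which zlib the running interpreter actually loaded. The minimum "1.2.2" is the figure quoted in the thread; everything else is an assumption.

```python
"""Compare a found zlib version against a minimum fixed version.

Added example for the zlib-version discussion; not ClamAV's configure
logic. Assumes the minimum "1.2.2" quoted in the thread and that version
strings are dotted integers such as "1.2.1.2" or "1.2.2".
"""
import zlib


def parse_version(text):
    """Turn '1.2.1.2' into (1, 2, 1, 2) so that comparisons are numeric.

    A plain string compare gets this wrong ('1.2.10' sorts before '1.2.2').
    A non-numeric suffix such as '-rc1' on the last component is dropped,
    which is enough for the distro strings seen in the thread.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError("unparseable version: %r" % text)
    return tuple(parts)


def meets_minimum(found, minimum="1.2.2"):
    """True if 'found' is at least 'minimum', compared component by component.

    Tuples compare lexicographically, so (1, 2, 1, 2) < (1, 2, 2):
    zlib 1.2.1.2 is older than 1.2.2 even though it has more components.
    """
    return parse_version(found) >= parse_version(minimum)


def runtime_zlib_status(minimum="1.2.2"):
    """Return (compiled_version, runtime_version, ok).

    The two can differ (build host vs. deploy host); the runtime library is
    the one that will parse attacker-supplied compressed streams.
    """
    compiled = zlib.ZLIB_VERSION
    runtime = getattr(zlib, "ZLIB_RUNTIME_VERSION", compiled)
    return compiled, runtime, meets_minimum(runtime, minimum)


if __name__ == "__main__":
    compiled, runtime, ok = runtime_zlib_status()
    print("compiled against zlib %s, running on %s: %s"
          % (compiled, runtime, "ok" if ok else "BELOW MINIMUM"))
```

The caveat Andreas raised still stands: a vendor backport such as SuSE's patched 1.2.1.2 is invisible to any version-string check, so this kind of gate is necessary but not sufficient, and the distro changelog is the authority on whether the fix is present.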
Re: [Clamav-users] Mime
On Wed, 16 Feb 2005 18:23:51 +0200 in [EMAIL PROTECTED] Peter Hubbard [EMAIL PROTECTED] wrote: That would be a bad idea since it would be v. easy for a virus writer to get around. Okay. How about an option to dump an email - or flag it as a *possible* virus - if a specified recursion limit is reached? Isn't that what ArchiveBlockMax is for? See man clamd.conf -- Brian Morrison bdm at fenrir dot org dot uk GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
Re: [Clamav-users] Mime
On Wed, 16 Feb 2005 17:51:28 +0200 Scott Ryan [EMAIL PROTECTED] wrote: I will just have to allow these types of mails to go unscanned. Four minutes to scan 1 will cause a DOS. So increase the number of MaxThreads... Would it be possible to request that some kind of recursion limit be added here like there currently is on zip files? There's already a recursion limit for mail scanning but it's not configurable (yet). -- Tomasz Kojm [EMAIL PROTECTED] http://www.ClamAV.net/gpg/tkojm.gpg 0DCA5A08407D5288279DB43454822DC8985A444B Wed Feb 16 17:41:10 CET 2005
Re: [Clamav-users] Mime
On Wednesday 16 February 2005 18:43, Tomasz Kojm shaped the electrons to say: On Wed, 16 Feb 2005 17:51:28 +0200 Scott Ryan [EMAIL PROTECTED] wrote: I will just have to allow these types of mails to go unscanned. Four minutes to scan 1 will cause a DOS. So increase the number of MaxThreads... It was at 200 - I will increase to 300 and see what result I get. Would it be possible to request that some kind of recursion limit be added here like there currently is on zip files? There's already a recursion limit for mail scanning but it's not configurable (yet). What is that limit? -- Scott Ryan Telkom Internet
[Clamav-users] fetchmail and clam
Hello everybody ! I get mail from a remote pop server with fetchmail. How can I have user's mail scanned with clam antivirus before mails are appended to /var/spool/mail/user If possible without using procmail Can anybody help ? Thanks !! PD: I'm using Fedora Core 1 with Clam 0.80 Gabriel Eduardo Carini [EMAIL PROTECTED]
Re: [Clamav-users] fetchmail and clam
On Wed, Feb 16, 2005 at 02:21:40PM -0300, Gabriel Carini said: Hello everybody ! I get mail from a remote pop server with fetchmail. How can I have user's mail scanned with clam antivirus before mails are appended to /var/spool/mail/user If possible without using procmail Can anybody help ? Thanks !! fetchmail does not itself do any delivery. It hands off the message to some form of Mail Delivery Agent, and what you use for an MDA will determine how you will hook clam in. By default, I believe fetchmail uses the local MTA, so you would have to look up how to hook clamav into your MTA if you use that setup. If you have specified an alternate MDA, then you will have to look up how to do it with that software. -- Stephen Gran [EMAIL PROTECTED] http://www.lobefin.net/~steve | Carmel, New York, has an ordinance forbidding men to wear coats and trousers that don't match.
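One way to take the "alternate MDA" route without procmail is to make the MDA itself a small scanning wrapper. The script below is an added example, not part of fetchmail or ClamAV: it reads the message fetchmail hands it on stdin, runs clamscan over it, appends clean mail to the mbox under a lock, quarantines infected mail, and exits non-zero on scanner errors so fetchmail keeps the message on the server rather than losing it. The script name, the mbox and quarantine paths, and clamscan's exit codes (0 clean, 1 infected, 2 error, as documented) are assumptions; the `fake_scanner_cmd` helper exists only so the logic can be exercised without ClamAV installed.

```python
"""Scan a message on stdin with ClamAV before appending it to an mbox.

Added example for the fetchmail question above; not fetchmail's or ClamAV's
code. Meant to be named as fetchmail's MDA, e.g. in ~/.fetchmailrc:

    mda "/usr/local/bin/clam_mda.py /var/spool/mail/user"

Assumes clamscan exit codes 0 (clean), 1 (infected), 2 (error) and that
fetchmail keeps a message whose MDA exits non-zero.
"""
import fcntl
import os
import subprocess
import sys
import time

# clamscan reads the message from stdin when the file argument is "-".
DEFAULT_SCAN_CMD = ["clamscan", "--no-summary", "--stdout", "-"]

CLEAN, INFECTED, ERROR = 0, 1, 2  # clamscan exit codes


def fake_scanner_cmd(exit_code):
    """Stand-in scanner for exercising the wrapper without clamscan installed."""
    return [sys.executable, "-c", "import sys; sys.exit(%d)" % exit_code]


def scan(message, scan_cmd=DEFAULT_SCAN_CMD):
    """Run the scanner over the message bytes and return its exit code.

    A scanner that cannot be executed counts as ERROR, never as CLEAN: a
    missing binary must not turn into silent delivery of unscanned mail.
    """
    try:
        proc = subprocess.run(scan_cmd, input=message, capture_output=True)
    except OSError:
        return ERROR
    return proc.returncode


def append_to_mbox(path, message):
    """Append one message in mbox format under an exclusive lock."""
    separator = b"From MAILER-DAEMON %s\n" % time.asctime().encode()
    body = message.rstrip(b"\n") + b"\n\n"
    with open(path, "ab") as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)
        try:
            fh.write(separator + body)
        finally:
            fcntl.flock(fh, fcntl.LOCK_UN)


def deliver(message, mbox_path, quarantine_dir, scan_cmd=DEFAULT_SCAN_CMD):
    """Scan, then deliver or quarantine.

    Returns 'delivered', 'quarantined' or 'deferred' (scanner error).
    """
    rc = scan(message, scan_cmd)
    if rc == CLEAN:
        append_to_mbox(mbox_path, message)
        return "delivered"
    if rc == INFECTED:
        os.makedirs(quarantine_dir, exist_ok=True)
        name = os.path.join(quarantine_dir,
                            "%d-%d.eml" % (int(time.time()), os.getpid()))
        with open(name, "wb") as fh:
            fh.write(message)
        return "quarantined"
    return "deferred"


if __name__ == "__main__":
    mbox = sys.argv[1]
    result = deliver(sys.stdin.buffer.read(), mbox,
                     os.path.join(os.path.dirname(mbox), "quarantine"))
    # 75 is EX_TEMPFAIL; fetchmail will retry the message on the next poll.
    sys.exit(0 if result in ("delivered", "quarantined") else 75)
```

Quarantining counts as a successful delivery from fetchmail's point of view (exit 0) so the infected copy is removed from the POP server instead of being fetched again on every poll; only a scanner failure is reported as a temporary error.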
Re: [Clamav-users] Mime
On Wed, 16 Feb 2005 19:05:22 +0200 Scott Ryan [EMAIL PROTECTED] wrote: What is that limit? libclamav/scanners.c: #define MAX_MAIL_RECURSION 15 -- Tomasz Kojm [EMAIL PROTECTED] http://www.ClamAV.net/gpg/tkojm.gpg 0DCA5A08407D5288279DB43454822DC8985A444B Wed Feb 16 19:12:57 CET 2005
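To make the recursion-limit discussion concrete, here is an added example (not libclamav's code) that measures how deeply a MIME message nests and flags it when the depth exceeds the MAX_MAIL_RECURSION value of 15 quoted above. It also builds arbitrarily nested test messages, which is the shape of the mail that made Scott's scans take four minutes. The "flag as possible virus" policy is the one Peter Hubbard asked for, implemented here as an assumption; whether libclamav's own check is `>` or `>=` the limit is not stated in the thread.

```python
"""Measure MIME nesting depth and flag messages that exceed a limit.

Added example for the mail recursion-limit thread; not libclamav's code.
MAX_MAIL_RECURSION = 15 is the value quoted from libclamav/scanners.c;
the comparison (depth > limit) and the 'too-deep' verdict are assumptions.
"""
import email
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

MAX_MAIL_RECURSION = 15  # value quoted in the thread


def nesting_depth(msg, depth=0):
    """Return the deepest container nesting level of a parsed message.

    A flat message is depth 0; each multipart/* or message/rfc822 container
    adds one level. The walk is recursive, which is exactly why a scanner
    needs a cap: the sender controls the depth.
    """
    if not msg.is_multipart():
        return depth
    parts = msg.get_payload()
    if not parts:
        return depth
    return max(nesting_depth(p, depth + 1) for p in parts)


def classify(raw, limit=MAX_MAIL_RECURSION):
    """Parse raw message bytes; return ('ok' | 'too-deep', depth)."""
    msg = email.message_from_bytes(raw)
    depth = nesting_depth(msg)
    return ("too-deep" if depth > limit else "ok"), depth


def build_nested(levels, body="hello"):
    """Construct a text part wrapped in 'levels' multipart/mixed containers.

    Test input only: this is the shape of a mail bomb that nests multiparts
    to burn scanner CPU and time budgets.
    """
    inner = MIMEText(body)
    for _ in range(levels):
        outer = MIMEMultipart("mixed")
        outer.attach(inner)
        inner = outer
    inner["From"] = "sender@example.invalid"
    inner["To"] = "rcpt@example.invalid"
    inner["Subject"] = "nested %d" % levels
    return inner.as_bytes()


if __name__ == "__main__":
    for levels in (0, 3, 15, 16):
        print(levels, classify(build_nested(levels)))
```

Nigel's objection still applies to any fixed number: a virus writer who knows the limit can stay one level under it. The depth is therefore useful as a signal to quarantine or log, not as the only defence; the scanner must also bound total time and memory per message, which is what `MaxThreads` and the archive limits in clamd.conf are about.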
[Clamav-users] clamav on gateway + sniffer to intercept mail attachments
Hi, I use postfix+mailscanner on my mail server to block a lot of virii coming from my internal network. I would like to implement a solution to block virii traffic on the internal gateway. The network looks like this: WIN- WIN- GW1- -MAIL SERVER- -GW2 WIN- One WIN is infected but I don't know which of the 30 computers on the network. I receive virused attachments on the MAIL SERVER from the GW1's ip. WIN are on the internal network. My first idea would be to extract mail traffic passing through the gateway in mbox format and scan it with clamav. I'm looking for better ideas/implementations. Also, please tell me which tool should I use to sniff mail on GW1 or if there is a better solution. Thanks, Vaida Bogdan
Re: [Clamav-users] clamav on gateway + sniffer to intercept mail attachments
On Feb 16, 2005, at 3:13 PM, vaida bogdan wrote: Hi, I use postfix+mailscanner on my mail server to block a lot of virii coming from my internal network. I would like to implement a solution to block virii traffic on the internal gateway. The network looks like this: WIN- WIN- GW1- -MAIL SERVER- -GW2 WIN- One WIN is infected but I don't know which of the 30 computers on the network. I receive virused attachments on the MAIL SERVER from the GW1's ip. WIN are on the internal network. My first idea would be to extract mail traffic passing through the gateway in mbox format and scan it with clamav. I'm looking for better ideas/implementations. Also, please tell me which tool should I use to sniff mail on GW1 or if there is a better solution. ethereal or ettercap are my favorites for packet sniffing on UNIX systems. Sometimes you can see things by sniffing traffic and see what machine is sending a lot of ARP queries for seemingly random IP's. I found one infected system on our network once by seeing a huge number of cached routes on our Linux Squid gateway for a client computer.
Re: [Clamav-users] clamav on gateway + sniffer to intercept mail attachments
On February 16, 2005 12:13 pm, vaida bogdan wrote: Hi, I use postfix+mailscanner on my mail server to block a lot of virii coming from my internal network. I would like to implement a solution to block virii traffic on the internal gateway. The network looks like this: WIN- WIN- GW1- -MAIL SERVER- -GW2 WIN- Install Postfix on GW1. Configure it to use MAIL SERVER as the relay_host. Add packet filter rules to redirect all outgoing port 25 traffic to this instance of Postfix. You now have a complete audit trail of every mail message leaving your network. Go through the logs on the MAIL SERVER to find out which message is infected. Trace that message back to GW1. In the logs on GW1 will be the IP of the infected station. This is the setup we use. Each school has a firewall that does NAT. On the firewall is a very basic Postfix install that relays all messages through our main mail server. This lets us trace back infected messages to the source computer, which has a private IP address. Quite handy. Not fully automated, but it works. -- Freddie Cash, CCNT CCLP Helpdesk / Network Support Tech. School District 73 (250) 377-HELP [377-4357] [EMAIL PROTECTED]
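The "trace that message back to GW1" step in Freddie's setup is a log join: the mail server's queue ID for the infected message has to be connected to the GW1 queue ID, and that to the `client=` record that carries the private IP. The following is an added example, not MailScanner or Postfix code, that automates the join over constructed log lines in the standard Postfix syslog shape (queue-ID-prefixed smtpd, cleanup and smtp records). Host names, queue IDs, addresses and the Message-IDs are all made up for the example.

```python
"""Trace an infected message from the mail server back to the LAN host that sent it.

Added example for the GW1 relay setup; not MailScanner's or Postfix's code.
The log lines are constructed to match Postfix's per-message record format;
every host name, queue ID, address and Message-ID is an assumption.
"""
import re

# Constructed sample logs: the relay on GW1 (NAT side) and the central server.
GW1_LOG = """\
Feb 16 12:13:01 gw1 postfix/smtpd[2210]: 3F2A1B7C9E: client=unknown[192.168.1.57]
Feb 16 12:13:01 gw1 postfix/cleanup[2214]: 3F2A1B7C9E: message-id=<20050216121300.0a1b@win17>
Feb 16 12:13:02 gw1 postfix/smtp[2218]: 3F2A1B7C9E: to=<victim@example.invalid>, relay=mail.example.invalid[10.0.0.5]:25, delay=1, status=sent (250 Ok: queued as 7D44E2A10)
Feb 16 12:14:40 gw1 postfix/smtpd[2210]: 51C0E9A211: client=unknown[192.168.1.23]
Feb 16 12:14:40 gw1 postfix/cleanup[2214]: 51C0E9A211: message-id=<20050216121439.7c2d@win04>
Feb 16 12:14:41 gw1 postfix/smtp[2218]: 51C0E9A211: to=<boss@example.invalid>, relay=mail.example.invalid[10.0.0.5]:25, delay=1, status=sent (250 Ok: queued as A0C4E2A13)
"""

MAIL_LOG = """\
Feb 16 12:13:02 mail postfix/smtpd[5101]: 7D44E2A10: client=gw1.example.invalid[10.0.0.1]
Feb 16 12:13:02 mail postfix/cleanup[5103]: 7D44E2A10: message-id=<20050216121300.0a1b@win17>
Feb 16 12:14:41 mail postfix/smtpd[5101]: A0C4E2A13: client=gw1.example.invalid[10.0.0.1]
Feb 16 12:14:41 mail postfix/cleanup[5103]: A0C4E2A13: message-id=<20050216121439.7c2d@win04>
"""

# Postfix prefixes every per-message record with its queue ID.
RECORD = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)$")
CLIENT = re.compile(r"client=\S*?\[([0-9a-fA-F.:]+)\]")
MSGID = re.compile(r"message-id=(<[^>]+>)")
QUEUED_AS = re.compile(r"queued as ([0-9A-F]+)\)")


def index_log(text):
    """Group a Postfix log by queue ID into {qid: {'client'|'message-id'|'queued_as': value}}."""
    records = {}
    for line in text.splitlines():
        m = RECORD.search(line)
        if not m:
            continue
        _, qid, rest = m.groups()
        rec = records.setdefault(qid, {})
        for key, rx in (("client", CLIENT), ("message-id", MSGID), ("queued_as", QUEUED_AS)):
            hit = rx.search(rest)
            if hit:
                rec[key] = hit.group(1)
    return records


def trace_sender(mail_qid, gw1_log=GW1_LOG, mail_log=MAIL_LOG):
    """Map the mail server's queue ID of an infected message to the LAN IP that sent it.

    Primary join: GW1's 'queued as <qid>' taken from the server's 250 reply,
    which the sender cannot influence. Fallback join: identical Message-ID on
    both hosts, for when the relay's smtp record is missing. Returns None if
    neither join succeeds.
    """
    gw1 = index_log(gw1_log)
    mail = index_log(mail_log)
    for rec in gw1.values():
        if rec.get("queued_as") == mail_qid:
            return rec.get("client")
    msgid = mail.get(mail_qid, {}).get("message-id")
    if msgid:
        for rec in gw1.values():
            if rec.get("message-id") == msgid:
                return rec.get("client")
    return None


if __name__ == "__main__":
    print(trace_sender("7D44E2A10"))  # the infected message, as reported on MAIL SERVER
```

The queue-ID join is preferred because the Message-ID header is written by the sending malware and can collide or be reused; the "queued as" value comes from the mail server's own reply and is unique per delivery.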
Re: [Clamav-users] No announcement of 0.83 on clamav-announce ML
On Wednesday 16 February 2005 09:30, John Gallagher wrote: You're right, 99.% of the people using computers are not Unix Admins. But they sure have an impact on the amount of traffic generated by infected systems sending email. While I agree that you should not hold up any code just so you can do a release across the board. In the long run we all benefit when the software is easy to install and maintain for all types of users. Thank you, finally someone understands what I am saying. As far as giving Unix a bad name, I am not sure what dp meant, but again, if people would just read what I actually wrote, they would understand that I am of the mindset that we should be making Linux easier to use for all types of users, not just sysadmins. That would give Unix and Linux a good name. Keep in mind that serious, busy sysadmins don't have time to build and package all of the different tools they support in addition to clamav. 10 minutes each times all those different packages is still more time than some sysadmins have in a day. I know, because I have been a sysadmin. You are right this is NOT rocket science, but it is very time consuming. Remember, not every package builds correctly on every platform, even popular ones. Sorting out those problems eats a lot of time. Also keep in mind that some of those packages, like database and desktop software, can be huge and take an extraordinary amount of time to build; there may not be much time in a sysadmin's day for building even one more small package like clamav. And also keep in mind that Gramma Jones won't be using Linux and open software for long if her Konqueror web browser isn't fitted with the latest versions of Spamassassin and Clamav. She may not recognize a rogue web site, or a malicious link, if she can even see through those coke-bottle glasses she wears. Maybe you find the notion of senior citizens using Linux quite laughable, but I don't.
I would like everyone on earth to be freed from the scourge of using that more popular, so-called O.S. Clamav is still a pre-release 1.0 package, and I don't expect everything to work just perfectly. But unlike a game or PDA interface, this is mission critical software, whether for a mail server or protecting a user from the horrors of the web. Once again, I am stating that I am not your enemy. Thank you John for seeing my point of view. Suggestion: How about a pre-release notification that would, in part, alert packagers to get a jump? Maybe 2 or 3 days before the support for the previously supported code is abandoned. Maybe won't work, but thought I'd throw it out there. -Hal
Re: [Clamav-users] No announcement of 0.83 on clamav-announce ML
On Wed, 16 Feb 2005 15:02:57 -0700 Hal Goldfarb [EMAIL PROTECTED] wrote: alert packagers to get a jump? Maybe 2 or 3 days before the support for the previously supported code is abandoned. Maybe won't work, You're still missing the point here. Please read my yesterday's posts. -- Tomasz Kojm [EMAIL PROTECTED] http://www.ClamAV.net/gpg/tkojm.gpg 0DCA5A08407D5288279DB43454822DC8985A444B Wed Feb 16 23:07:22 CET 2005
[Clamav-users] Re: clamav on gateway + sniffer to intercept mail attachments
vaida bogdan wrote: Hi, I use postfix+mailscanner on my mail server to block a lot of virii coming from my internal network. I would like to implement a solution to block virii traffic on the internal gateway. The network looks like this: WIN- WIN- GW1- -MAIL SERVER- -GW2 WIN- One WIN is infected but I don't know which of the 30 computers on the network. I receive virused attachments on the MAIL SERVER from the GW1's ip. WIN are on the internal network. My first idea would be to extract mail traffic passing through the gateway in mbox format and scan it with clamav. I'm looking for better ideas/implementations. Also, please tell me which tool should I use to sniff mail on GW1 or if there is a better solution. Easiest thing to do: use netstat on GW1 and see who has a lot of connections with your gateway. This only works if GW1 has a netstat or similar functionality. You didn't specify what GW1 is: a PC, a router, something else. Many routers have the functionality required, sometimes as NAT or NAPT mappings. Hope this helps. -- René Berber
[Clamav-users] virus incident response?
Several times now, we've been burned by virii that are picked up by other virus scanners when ClamAV doesn't yet have the signature. Within a couple of hours, when the bulk of the threat has already passed, Clam then catches up. Mydoom.M-2 was the virus of the day today. What is being done to get signatures out more quickly, if anything? Or can anything be done? Thanks, John -- John Madden UNIX Systems Engineer Ivy Tech State College [EMAIL PROTECTED]
Re: [Clamav-users] virus incident response?
On Wed, 16 Feb 2005, John Madden wrote: Several times now, we've been burned by virii that are picked up by other virus scanners when ClamAV doesn't yet have the signature. Within a This is the exact opposite of our experience. How often do you run freshclam ? -- Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] virus incident response?
On Wed, 16 Feb 2005 18:08:01 -0500 (EST) John Madden [EMAIL PROTECTED] wrote: Several times now, we've been burned by virii that are picked up by other virus scanners when ClamAV doesn't yet have the signature. Within a couple of hours, when the bulk of the threat has already passed, Clam then catches up. Mydoom.M-2 was the virus of the day today. You haven't submitted anything on our site. What is being done to get signatures out more quickly, if anything? Or can anything be done? http://www.clamav.net/sendvirus.html Actually you're an egoist. -- Tomasz Kojm [EMAIL PROTECTED] http://www.ClamAV.net/gpg/tkojm.gpg 0DCA5A08407D5288279DB43454822DC8985A444B Thu Feb 17 00:21:03 CET 2005
Re: [Clamav-users] virus incident response?
Several times now, we've been burned by virii that are picked up by other virus scanners when ClamAV doesn't yet have the signature. Within a This is the exact opposite of our experience. Hmm. For example, Clam was about 2 hours behind McAfee's update of the 2/16/05 MyDoom variant. How often do you run freshclam ? Every 20 mins. John -- John Madden UNIX Systems Engineer Ivy Tech State College [EMAIL PROTECTED]
Re: [Clamav-users] virus incident response?
You haven't submitted anything on our site. I would've today, had I not been off-site at a conference. Trouble is, by the time I receive a copy, it's too late. I suppose it's a perception problem with our users more than anything. Actually you're an egoist. How so? John -- John Madden UNIX Systems Engineer Ivy Tech State College [EMAIL PROTECTED]
Re: [Clamav-users] virus incident response?
On Wed, 16 Feb 2005 18:38:38 -0500 (EST) John Madden [EMAIL PROTECTED] wrote: You haven't submitted anything on our site. I would've today, had I not been off-site at a conference. Trouble is, by the time I receive a copy, it's too late. I suppose it's a perception problem with our users more than anything. Actually you're an egoist. How so? Have you submitted any sample for the last two years? -- Tomasz Kojm [EMAIL PROTECTED] http://www.ClamAV.net/gpg/tkojm.gpg 0DCA5A08407D5288279DB43454822DC8985A444B Thu Feb 17 00:40:30 CET 2005
Re: [Clamav-users] virus incident response?
On Wed, 16 Feb 2005, John Madden wrote: Hmm. For example, Clam was about 2 hours behind McAfee's update of the 2/16/05 MyDoom variant. Odd. In any case, Clam is a user supported project. ALL viruses are submitted by end users. So, the only way response will get any better is if you submit new viruses you receive that get by clam. It's not going to 'improve' any other way. -- Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] virus incident response?
Have you submitted any sample for the last two years? Yes, when appropriate, which I believe has been thrice. (We haven't been on Clam for that long, though.) John -- John Madden UNIX Systems Engineer Ivy Tech State College [EMAIL PROTECTED]
Re: [Clamav-users] virus incident response?
In any case, Clam is a user supported project. ALL viruses are submitted by end users. So, the only way response will get any better is if you submit new viruses you receive that get by clam. It's not going to 'improve' any other way. Well, that'd be my assumption as well. What I'm poking for is the potential for a means of making the process more formalized, like having a team of officials per continent who volunteer to be on the spot for given hours of the day? Are [there vendor] forums where outbreaks are discussed? Does anyone watch releases from the major vendors to be able to develop signatures for ClamAV? Things like this have probably been mentioned before, I suppose. If ClamAV is to compete with companies who do nothing but develop virus signatures, I would think we'd have to find a way of tapping into the same resources or methodology somehow. Timing is everything -- we don't have to be the first, but we have to beat the outbreak. I'm not saying I have the answers or that there's a panacea for the problem, but when gigs of mail server storage are consumed and hundreds of users are run over their quota (and thus lose subsequent email), that's a problem that makes managers want to buy AV licenses. John -- John Madden UNIX Systems Engineer Ivy Tech State College [EMAIL PROTECTED]
Re: [Clamav-users] virus incident response?
On Wednesday 16 February 2005 05:08 pm, John Madden wrote: Several times now, we've been burned by virii that are picked up by other virus scanners when ClamAV doesn't yet have the signature. Within a couple of hours, when the bulk of the threat has already passed, Clam then catches up. Mydoom.M-2 was the virus of the day today. I agree with Christopher that this has been the exact opposite experience that I have had. What is being done to get signatures out more quickly, if anything? Or can anything be done? sounds like you and The Register share the same tagline. -Jeremy -- Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc. [EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 815.776.9465 int'l kitchen @ #qmail #gentoo on EFnet IRC ++ scriptkitchen.com/qmail GnuPG Key ID: 481BF7E2 ++ jabber:[EMAIL PROTECTED]
Re: [Clamav-users] virus incident response?
I agree with Christopher that this has been the exact opposite experience that I have had. Hmm. Are there factors that can affect freshclam's performance? I got the Mydoom.M-2 sig at 17:10EST today. When was it available? (The mailing list archive doesn't appear to yet reflect today's update(s).) sounds like you and The Register share the same tagline. Biting the hand that feeds? Nay, being bitten by the hand of the well, something must be wrong with *your* virus scanner, because the one over *here* in *Exchange* caught it. (With neener-neener 8-year-old voice tones. :) ) I apologize if I sounded ungrateful, for ClamAV is certainly a superb product. John -- John Madden UNIX Systems Engineer Ivy Tech State College [EMAIL PROTECTED]
RE: [Clamav-users] virus incident response?
John Madden wrote: well, something must be wrong with *your* virus scanner, because the one over *here* in *Exchange* caught it. I think it's inherently a good thing to run multiple virus scanners from different vendors. Sometimes ClamAV will update first, sometimes other vendors will update first. If you scan in series you'll get the best of both worlds. Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902 Hispanic Business Inc./HireDiversity.com Software Engineer perl -emap{y/a-z/l-za-k/;print}shift Jjhi pcdiwtg Ptga wprztg,
Re: [Clamav-users] virus incident response?
On Wed, 16 Feb 2005 18:56:32 -0500 (EST) John Madden [EMAIL PROTECTED] wrote: Have you submitted any sample for the last two years? Yes, when appropriate, which I believe has been thrice. (We haven't been on Clam for that long, though.) Found 0 submissions - Total results (0 pages) (on both your name and ivytech) -- Tomasz Kojm [EMAIL PROTECTED] http://www.ClamAV.net/gpg/tkojm.gpg 0DCA5A08407D5288279DB43454822DC8985A444B Thu Feb 17 01:27:41 CET 2005
Re: [Clamav-users] virus incident response?
On Wed, 16 Feb 2005 19:04:25 -0500 (EST) John Madden [EMAIL PROTECTED] wrote: managers want to buy AV licenses. Is that bad? It's always good to have two or more e-mail virus scanners if resources/funds allow that. -- Tomasz Kojm [EMAIL PROTECTED] http://www.ClamAV.net/gpg/tkojm.gpg 0DCA5A08407D5288279DB43454822DC8985A444B Thu Feb 17 01:31:22 CET 2005
Re: [Clamav-users] virus incident response?
Found 0 submissions - Total results (0 pages) (on both your name and ivytech) Uh. 'Guess I can't explain that, unless submissions for already-submitted virii don't count. John -- John Madden UNIX Systems Engineer Ivy Tech State College [EMAIL PROTECTED]
Re: [Clamav-users] virus incident response?
On Wed, 16 Feb 2005 20:04:55 -0500 (EST) John Madden [EMAIL PROTECTED] wrote: Found 0 submissions - Total results (0 pages) (on both your name and ivytech) Uh. 'Guess I can't explain that, unless submissions for already-submitted virii don't count. They count so this is a bad argument as well. Better let's stop the investigation at this point. -- Tomasz Kojm [EMAIL PROTECTED] http://www.ClamAV.net/gpg/tkojm.gpg 0DCA5A08407D5288279DB43454822DC8985A444B Thu Feb 17 02:11:14 CET 2005
Re: [Clamav-users] virus incident response?
Tomasz Kojm wrote: On Wed, 16 Feb 2005 20:04:55 -0500 (EST) John Madden [EMAIL PROTECTED] wrote: Found 0 submissions - Total results (0 pages) (on both your name and ivytech) Uh. 'Guess I can't explain that, unless submissions for already-submitted virii don't count. They count so this is a bad argument as well. Better let's stop the investigation at this point. On the same note, I've submitted about 3 in the last year as well and checked off the "email me the results" check box but I've never heard back either or seen them in the virus update emails. BTW - Can't say it enough, great job devs! Regards, Rick
Re: [Clamav-users] virus incident response?
On Wed, 16 Feb 2005 20:27:27 -0500 Rick Macdougall [EMAIL PROTECTED] wrote: Tomasz Kojm wrote: On Wed, 16 Feb 2005 20:04:55 -0500 (EST) John Madden [EMAIL PROTECTED] wrote: Found 0 submissions - Total results (0 pages) (on both your name and ivytech) Uh. 'Guess I can't explain that, unless submissions for already-submitted virii don't count. They count so this is a bad argument as well. Better let's stop the investigation at this point. On the same note, I've submitted about 3 in the last year as well and Yes, you have. checked off the "email me the results" check box but I've never heard back either or seen them in the virus update emails. Two of them have been published, one (some trojan, i.e. low priority) is still waiting for its turn: Page(s):1 Found 3 submissions - Total results (1 pages)
Number | Date | Sample type | Origin | Severity | Status | Assigned to
7382 (size:30208) | 14-12-04 01:05 | Backdoor.Helo.C (Bitdefender) | Webform - Other | 1 | unassigned | n/a
1689 (size:12422) | 03-03-04 15:39 | W32/[EMAIL PROTECTED] (F-Prot) | Webform - Other | 1 | published | Denis De Messemacker
1689 (size:12422) | 03-03-04 15:39 | [EMAIL PROTECTED] (Bitdefender) | Webform - Other | 1 | published | Denis De Messemacker
-- Tomasz Kojm [EMAIL PROTECTED] http://www.ClamAV.net/gpg/tkojm.gpg 0DCA5A08407D5288279DB43454822DC8985A444B Thu Feb 17 02:26:11 CET 2005
[OT] Re: [Clamav-users] virus incident response?
Tomasz Kojm wrote: On Wed, 16 Feb 2005 20:27:27 -0500 Rick Macdougall [EMAIL PROTECTED] wrote: Two of them have been published, one (some trojan, i.e. low priority) is still waiting for its turn: Page(s):1 Found 3 submissions - Total results (1 pages) Cool, I'm a hero :) But I never did get an email about them, maybe my greylisting blocked them the first time and they never got tried again, or maybe the email about submission results is broken ? (or done by hand, in which case I completely understand about not getting the emails, you guys must be swamped). Have a good day/night Tomasz, you are doing incredible work. Regards, Rick
Re: [OT] Re: [Clamav-users] virus incident response?
On Wed, 16 Feb 2005 20:37:23 -0500 Rick Macdougall [EMAIL PROTECTED] wrote: Have a good day/night Tomasz, you are doing incredible work. Thanks, it's 2:50 a.m. here. The whole team is working hard in its free time and sometimes I must take that unrewarding position and protect our cave ;-) even if I may sound harsh and boorish. -- Tomasz Kojm [EMAIL PROTECTED] http://www.ClamAV.net/gpg/tkojm.gpg 0DCA5A08407D5288279DB43454822DC8985A444B Thu Feb 17 02:53:17 CET 2005
Re: [OT] Re: [Clamav-users] virus incident response?
Thanks, it's 2:50 a.m. here. The whole team is working hard in its free time and sometimes I must take that unrewarding position and protect our cave ;-) even if I may sound harsh and boorish. No one's attacking your cave. Fact of the matter is, for whatever reason, we had GB's of this virus this afternoon. I see lots of responses to the effect of "you should stop complaining", which isn't even relevant, and not much of "the sig was out at 14:30EST, so something's wrong with your freshclam config", or something similar. I do finally see the mailing list update post mentioning this variant: http://lurker.clamav.net/message/20050217.010300.babe0dce.en.html John -- John Madden UNIX Systems Engineer Ivy Tech State College [EMAIL PROTECTED]
[Clamav-users] Re: virus incident response?
John Madden wrote: Several times now, we've been burned by virii that are picked up by other virus scanners when ClamAV doesn't yet have the signature. Within a couple of hours, when the bulk of the threat has already passed, Clam then catches up. Mydoom.M-2 was the virus of the day today. What is being done to get signatures out more quickly, if anything? Or can anything be done? I'm monitoring 19 antivirus solutions in the company I work for, and I can tell you Clam is usually one of the fastest on new malware detection. -- Regards, Julio Canto Hispasec Sistemas http://www.hispasec.com (+34) 902 161 025 Parque Tecnologico de Andalucia Avda Juan Lopez Peñalver, 21 Málaga, España