Re: [Clamav-devel] clamav-0.96 is this properly working???
On Apr 18, 2010, at 13:18 PM, Török Edwin wrote:

> On 2010-04-18 18:06, Dale Walsh wrote:
>> The changes make it difficult to understand if clamd is functioning
>> properly because after the upgrade from 0.92 I see log entries that make
>> no sense in what they are telling me.
>>
>> The older versions seemed to work and process the mail without issues
>> until you decided to kill it and the new one doesn't look like it's
>> capable of doing its job with any integrity.
>>
>> In case it matters, clamd is being called from amavisd and it seems to
>> pass all e-mail (even an e-mail sent with a test-virus that should be
>> blocked) and this is disturbing.
>>
>> CONFIGURE COMMAND:
>>
>> ./configure --prefix=/usr/local --mandir=/usr/local/share/man
>> --sysconfdir=/private/etc/clamav --with-dbdir=/var/clamav
>> --with-datadir=/var/clamav --with-user=clamav --with-group=clamav
>> --disable-shared --enable-static --enable-bigstack --enable-readdir_r
>
> Please post the output of clamconf -n.
> If you have some MaxRecursion 0, MaxFileSize 0, or similar lines try
> removing them.
>
> Best regards,
> --Edwin

REQUESTED INFORMATION:

Checking configuration files in /private/etc/spam/clamav

Config file: clamd.conf
---
LogFile = "/var/log/clamav.log"
LogFileMaxSize disabled
LogTime = "yes"
LogSyslog = "yes"
PidFile = "/var/clamav/clamd.pid"
TemporaryDirectory = "/var/clamav/tmp"
LocalSocket = "/var/clamav/clamd.sock"
MaxDirectoryRecursion = "20"
Foreground = "yes"
Debug = "yes"
User = "clamav"
AllowSupplementaryGroups = "yes"
DetectBrokenExecutables = "yes"
MaxScanSize = "20971520"
MaxFileSize = "15728640"
MaxRecursion = "20"
MaxFiles = "1500"

Config file: freshclam.conf
---
LogVerbose = "yes"
PidFile = "/var/clamav/freshclam.pid"
Foreground = "yes"
Debug = "yes"
AllowSupplementaryGroups = "yes"
UpdateLogFile = "/var/log/freshclam.log"
DatabaseMirror = "database.clamav.net"

clamav-milter.conf not found

Software settings
---
Version: 0.96
LibClamAV Warning: Cannot dlopen libclamunrar_iface: file not found - unrar support unavailable
Optional features supported: MEMPOOL IPv6 BIGSTACK AUTOIT_EA06 BZIP2

Database directory: /var/clamav
main.cvd: version 52, sigs: 704727, built on Mon Feb 15 09:54:51 2010
daily.cld: version 10757, sigs: 52437, built on Sun Apr 18 22:29:28 2010

-- Dale

___
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
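The check requested in the message above (look for MaxRecursion 0, MaxFileSize 0, or similar lines), as an added example that is not part of the original thread or of ClamAV itself: it parses clamconf -n style output and lists limit options set to 0. Treating MaxScanSize and MaxFiles as the "similar lines" is an assumption, and the sample input is constructed.

```python
import re

# Limits named in the reply, plus the other limits in the posted clamd.conf
# (treating those as the "similar lines" is an assumption of this example).
LIMIT_OPTIONS = {"MaxRecursion", "MaxFileSize", "MaxScanSize", "MaxFiles"}
SECTION_RE = re.compile(r"^Config file:\s*(\S+)")
OPTION_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')

def parse_clamconf(text):
    """Return {config_file: {option: value}} from clamconf -n style output."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif line.startswith("Software settings"):
            current = None  # config sections are over
        elif current is not None:
            m = OPTION_RE.match(line)
            if m:  # "Option disabled" and separator lines do not match
                current[m.group(1)] = m.group(2)
    return sections

def zero_limits(text, config="clamd.conf"):
    """List limit options explicitly set to 0 in one config section."""
    options = parse_clamconf(text).get(config, {})
    return sorted(k for k in LIMIT_OPTIONS if options.get(k, "").strip() == "0")

# Constructed sample: layout follows the output posted in the thread, with two
# limits changed to 0 for illustration.
SAMPLE = """\
Config file: clamd.conf
---
LogFile = "/var/log/clamav.log"
LogFileMaxSize disabled
MaxScanSize = "20971520"
MaxFileSize = "0"
MaxRecursion = "0"
MaxFiles = "1500"

Config file: freshclam.conf
---
LogVerbose = "yes"

Software settings
---
Version: 0.96
"""

print(zero_limits(SAMPLE))
```

An empty list means none of the listed limits is set to 0 in clamd.conf, which is the case for the values posted in the thread.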
Re: [Clamav-devel] ClamAV scanning
On 2010-04-18 22:50, Mohammed Al-Saleh wrote:
> Hi Edwin,
>
> Thanks much for your useful replies.
> Could you please point me to where, in the source code, ClamAV does
> scanning?
> What are the string matching algorithms it uses?

Search the archives of this mailing list, this question has been answered already.

Best regards,
--Edwin
Re: [Clamav-devel] ClamAV scanning
Hi Edwin,

Thanks much for your useful replies.
Could you please point me to where, in the source code, ClamAV does scanning?
What are the string matching algorithms it uses?

Thanks again,
~Moe

2010/4/18 Török Edwin

> On 2010-04-18 20:30, Mohammed Al-Saleh wrote:
> > I've noticed that if I use clamscan to scan a file, it always takes
> > around 3.7 seconds no matter the file content, type, or even size
> > (unless it is a really very large file).
> > Does anybody know what the feature in ClamAV is that makes it take
> > the same time almost always?
>
> clamscan loads the database each time, and loading that takes a few
> seconds. The actual scanning time is much smaller.
> Compare it to the time needed by clamdscan: that is the scantime, and it
> does change according to filesize.
>
> Best regards,
> --Edwin
Re: [Clamav-devel] ClamAV scanning
On 2010-04-18 20:30, Mohammed Al-Saleh wrote:
> I've noticed that if I use clamscan to scan a file, it always takes around
> 3.7 seconds no matter the file content, type, or even size (unless it is
> a really very large file).
> Does anybody know what the feature in ClamAV is that makes it take the
> same time almost always?

clamscan loads the database each time, and loading that takes a few seconds. The actual scanning time is much smaller.
Compare it to the time needed by clamdscan: that is the scantime, and it does change according to filesize.

Best regards,
--Edwin
[Clamav-devel] ClamAV scanning
I've noticed that if I use clamscan to scan a file, it always takes around 3.7 seconds no matter the file content, type, or even size (unless it is a really very large file).
Does anybody know what the feature in ClamAV is that makes it take the same time almost always?

Thanks,
~Moe
Re: [Clamav-devel] Emulation
On 2010-04-18 16:10, Mohammed Al-Saleh wrote:
> Hi,
>
> Does ClamAV do code emulation to detect viruses/worms?

No. Unless you consider the trivial "emulator" in yc_poly_emulator() to be an emulator.

Best regards,
--Edwin
Re: [Clamav-devel] clamav-0.96 is this properly working???
On 2010-04-18 18:06, Dale Walsh wrote:
> The changes make it difficult to understand if clamd is functioning
> properly because after the upgrade from 0.92 I see log entries that make
> no sense in what they are telling me.
>
> The older versions seemed to work and process the mail without issues
> until you decided to kill it and the new one doesn't look like it's
> capable of doing its job with any integrity.
>
> In case it matters, clamd is being called from amavisd and it seems to
> pass all e-mail (even an e-mail sent with a test-virus that should be
> blocked) and this is disturbing.
>
> CONFIGURE COMMAND:
>
> ./configure --prefix=/usr/local --mandir=/usr/local/share/man
> --sysconfdir=/private/etc/clamav --with-dbdir=/var/clamav
> --with-datadir=/var/clamav --with-user=clamav --with-group=clamav
> --disable-shared --enable-static --enable-bigstack --enable-readdir_r

Please post the output of clamconf -n.
If you have some MaxRecursion 0, MaxFileSize 0, or similar lines try removing them.

Best regards,
--Edwin
[Clamav-devel] clamav-0.96 is this properly working???
The changes make it difficult to understand if clamd is functioning properly because after the upgrade from 0.92 I see log entries that make no sense in what they are telling me.

The older versions seemed to work and process the mail without issues until you decided to kill it and the new one doesn't look like it's capable of doing its job with any integrity.

In case it matters, clamd is being called from amavisd and it seems to pass all e-mail (even an e-mail sent with a test-virus that should be blocked) and this is disturbing.

CONFIGURE COMMAND:

./configure --prefix=/usr/local --mandir=/usr/local/share/man --sysconfdir=/private/etc/clamav --with-dbdir=/var/clamav --with-datadir=/var/clamav --with-user=clamav --with-group=clamav --disable-shared --enable-static --enable-bigstack --enable-readdir_r

LOG EXCERPTS:

Sat Apr 17 20:13:28 2010 -> mode -> MODE_WAITREPLY
Sat Apr 17 20:13:28 2010 -> THRMGR: queue (single) crossed low threshold -> signaling
Sat Apr 17 20:13:28 2010 -> THRMGR: queue (bulk) crossed low threshold -> signaling
Sat Apr 17 20:13:28 2010 -> Breaking command loop, mode is no longer MODE_COMMAND
Sat Apr 17 20:13:28 2010 -> Consumed entire command
Sat Apr 17 20:13:28 2010 -> Number of file descriptors polled: 1 fds
Sat Apr 17 20:13:28 2010 -> fds_poll_recv: timeout after 600 seconds
Sat Apr 17 20:13:28 2010 -> Finished scanthread
Sat Apr 17 20:13:28 2010 -> Scanthread: connection shut down (FD 11)
Sat Apr 17 20:13:28 2010 -> THRMGR: queue (single) crossed low threshold -> signaling
Sat Apr 17 20:13:28 2010 -> THRMGR: queue (bulk) crossed low threshold -> signaling
Sat Apr 17 20:13:30 2010 -> Received POLLIN|POLLHUP on fd 6
Sat Apr 17 20:13:30 2010 -> Got new connection, FD 11
Sat Apr 17 20:13:30 2010 -> Received POLLIN|POLLHUP on fd 7
Sat Apr 17 20:13:30 2010 -> fds_poll_recv: timeout after 5 seconds
Sat Apr 17 20:13:30 2010 -> Received POLLIN|POLLHUP on fd 11
Sat Apr 17 20:13:30 2010 -> got command CONTSCAN /var/amavis/tmp/amavis-20100417T201230-21853/parts (59, 7), argument: /var/amavis/tmp/amavis-20100417T201230-21853/parts
Sat Apr 17 20:13:30 2010 -> mode -> MODE_WAITREPLY
Sat Apr 17 20:13:30 2010 -> THRMGR: queue (single) crossed low threshold -> signaling
Sat Apr 17 20:13:30 2010 -> Breaking command loop, mode is no longer MODE_COMMAND
Sat Apr 17 20:13:30 2010 -> THRMGR: queue (bulk) crossed low threshold -> signaling
Sat Apr 17 20:13:30 2010 -> Consumed entire command
Sat Apr 17 20:13:30 2010 -> Number of file descriptors polled: 1 fds
Sat Apr 17 20:13:30 2010 -> fds_poll_recv: timeout after 600 seconds
Sat Apr 17 20:13:30 2010 -> Finished scanthread
Sat Apr 17 20:13:30 2010 -> Scanthread: connection shut down (FD 11)
Sat Apr 17 20:13:30 2010 -> THRMGR: queue (single) crossed low threshold -> signaling
Sat Apr 17 20:13:30 2010 -> THRMGR: queue (bulk) crossed low threshold -> signaling

-- Dale
[Clamav-devel] Emulation
Hi,

Does ClamAV do code emulation to detect viruses/worms?

Thanks,
~Moe
Re: [Clamav-devel] The upcoming 15 April kill-switch (and a feature suggestion)
Hi there,

On 8 Apr 2010, at 03:11, David F. Skoll wrote:

> Jonathan Kamens wrote:
>
>> My company had hundreds of appliances in the field running versions of
>> ClamAV affected by this change. When we saw the announcement, we
>> immediately started working on figuring out how we were going to get
>> them updated by April 15, and we succeeded in doing so.
>
> We have hundreds of appliances too. Those are easy. Most customers
> enable automatic updates and have long since upgraded, and those that
> haven't are easy to find and to upgrade.
>
> The problem is we have some customers who prefer RPM versions of our
> software, and still others who install from source on platforms like
> NetBSD, Solaris and FreeBSD. We have no administrative control over
> their machines, yet if something goes wrong, they (quite reasonably)
> call us.

On some RPM-based Linux systems, RH5 for example, there is yum. You can provide them a private yum server and this will be done.

On FreeBSD, there are packages; likewise, add a correct line to /etc/make.conf and portupgrade -pP will fix this for you.

> So even though 80% or more of our user-base is fine, I still dread
> hundreds of support calls come the 15th. It doesn't do *us* any good
> to say "We told you to upgrade... why didn't you?" when some irate
> caller's mail is down.

6 months for security software is big. Do you forget to upgrade your IOS or firewall software?

Clamav is security software, if you don't upgrade it, then... you have to be angry with yourself, not the author of free software like clamav.

/Xavier