RE: [Clamav-users] Still Fighting Problem with clamd bombing out on Openbsd 3.3 w amavisd-new and postfix
> If anyone has any suggestions I would love the help. I have two installs doing the exact same thing. So if I made a mistake in my setup I made it more than once.

FWIW, I am seeing the same thing happen under 3.3-stable on two of my machines.

Ben.

---
This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa0013ave/direct;at.aspnet_072303_01/01
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
RE: [Clamav-users] Still Fighting Problem with clamd bombing out on Openbsd 3.3 w amavisd-new and postfix
> If anyone has any suggestions I would love the help. I have two installs doing the exact same thing. So if I made a mistake in my setup I made it more than once.

FWIW, I am seeing the same thing happen under 3.3-stable on two of my machines. Ktrace shows clamd bombing out with...

    26027 clamd RET read 557/0x22d
    26027 clamd PSIG SIGSEGV SIG_DFL code 1 addr=0x3033343d trapno=1
    26027 clamd PSIG SIGSEGV SIG_DFL code 0 addr=0x0 trapno=0

Complete trace available.

Ben.
[Clamav-users] message.zip ?
Hi,

One of our customers received a message that had a .zip attachment and looks suspect. Anyone here want to take a look at it?

Dee

--
W.D.McKinney (Dee)
Alaska Wireless Systems
11310 Lillan Lane, Anchorage, AK 99515-2914
Direct (907)349-4308 -=- http://www.akwireless.net
[Clamav-users] FOO.EXE
Here I am looking at manual. Using my clamav tools I find.

    --- SCAN SUMMARY ---
    Known viruses: 9317
    Scanned directories: 1
    Scanned files: 33
    Infected files: 0
    Data scanned: 27.98 Mb
    I/O buffer size: 131072 bytes
    Time: 14.597 sec (0 m 14 s)

    webmail:/home/dee# clamscan viri
    viri/message.zip: Trojan.Dropper.C FOUND

    --- SCAN SUMMARY ---
    Known viruses: 9317
    Scanned directories: 1
    Scanned files: 1
    Infected files: 1
    Data scanned: 0.02 Mb
    I/O buffer size: 131072 bytes
    Time: 0.360 sec (0 m 0 s)

Following the Signature Tool section 3.5

    sigtool -c clamscan --stdout -f message.zip -s message
    Not detected at 3900, moving backward.
    Not detected at 1950, moving backward.
    Not detected at 975, moving backward.
    Not detected at 487, moving backward.
    Not detected at 243, moving backward.
    Not detected at 121, moving backward.
    Not detected at 60, moving backward.
    Not detected at 29, moving backward.
    Not detected at 13, moving backward.
    Not detected at 5, moving backward.
    Not detected at 1, moving backward.
    Not detected at 0, moving backward.
    Not detected at 0, moving backward.
    Starting precise loop
    Segmentation fault

This made it past our version of clamav ?

    clamscan / ClamAV version 0.60

Dee
Re: [Clamav-users] message.zip ?
On Saturday 16 August 2003 4:30 pm, W.D. McKinney wrote:

> Hi,
>
> One of our customers received a message that had a .zip attachment and looks suspect. Anyone here want to take a look at it?

Let me guess - it's called message.zip (you said that in your subject), it's 20567 bytes long, and it contains one file, message.html, which is 20445 bytes long?

Running it through a current version of ClamAV reveals that it's a recent virus called Trojan.Dropper.C, also known as MiMail...

Am I right? If not, zip a copy with a password and email it to me (with the password) and I'll run it through a few other antivirus engines...

Antony.

--
The first ninety percent of an engineering project takes ninety percent of the time, and the last ten percent takes the remaining ninety percent.
Re: [Clamav-users] message.zip ?
Sure, post it somewhere we can get to. Sounds like mimail.a?

Mike

On Sat, Aug 16, 2003 at 07:30:02AM -0800, W.D. McKinney wrote:

> Hi,
>
> One of our customers received a message that had a .zip attachment and looks suspect. Anyone here want to take a look at it?
>
> Dee
>
> --
> W.D.McKinney (Dee)
> Alaska Wireless Systems
> 11310 Lillan Lane, Anchorage, AK 99515-2914
> Direct (907)349-4308 -=- http://www.akwireless.net

--
Michael Sullenszino
Unix System Administrator
Data Security, UptimeTech.com - 206-547-1817
[EMAIL PROTECTED]
Re: [Clamav-users] FOO.EXE
On Saturday 16 August 2003 4:57 pm, W.D. McKinney wrote:

> Here I am looking at manual. Using my clamav tools I find.
>
> webmail:/home/dee# clamscan viri
> viri/message.zip: Trojan.Dropper.C FOUND

Yup - that's the one I thought it would be :) It's been detected by ClamAV since 1st August.

> This made it past our version of clamav ?
>
> clamscan / ClamAV version 0.60

I don't understand. You said it just got detected and identified by your version of ClamAV...

Does whatever mail scanning system you use check .zip files for viruses? Did it correctly pass this one to ClamAV for checking when it came through?

Antony.

--
Anyone that's normal doesn't really achieve much. - Mark Blair, Australian rocket engineer
Re: [Clamav-users] FOO.EXE
Hi,

One of our customers we host e-mail sent it to me from down in AU and it was from [EMAIL PROTECTED] as it made it to her from our server. (Like you said :-) This is the first instance of a known virus making it through our system that I know.

Thanks

We run qmail/qmail-scanner/SA/clamav and it has worked excellent. It may have been in a small window of time

On Sat, 2003-08-16 at 08:41, Antony Stone wrote:

> On Saturday 16 August 2003 4:57 pm, W.D. McKinney wrote:
>
> > Here I am looking at manual. Using my clamav tools I find.
> >
> > webmail:/home/dee# clamscan viri
> > viri/message.zip: Trojan.Dropper.C FOUND
>
> Yup - that's the one I thought it would be :) It's been detected by ClamAV since 1st August.
>
> > This made it past our version of clamav ?
> >
> > clamscan / ClamAV version 0.60
>
> I don't understand. You said it just got detected and identified by your version of ClamAV...
>
> Does whatever mail scanning system you use check .zip files for viruses? Did it correctly pass this one to ClamAV for checking when it came through?
>
> Antony.
Re: [Clamav-users] FOO.EXE
On Saturday 16 August 2003 5:58 pm, W.D. McKinney wrote:

> Hi,
>
> One of our customers we host e-mail sent it to me from down in AU and it was from [EMAIL PROTECTED] as it made it to her from our server.(Like you said :-)

When was the message sent (or, more accurately, when was it received scanned by your server)?

> We run qmail/qmail-scanner/SA/clamav and it has worked excellent. It may have been in a small window of time

This virus has been detected by ClamAV since 1st August. If the email was processed on your server much after that I recommend you check your signature updating system to ensure it (a) works and (b) tells you when there's a problem (which there are from time to time).

Regards,

Antony.

--
This email was created using 100% recycled electrons.
Re: [Clamav-users] FOO.EXE
On 16 Aug 2003 07:57:50 -0800 W.D. McKinney [EMAIL PROTECTED] wrote:

> sigtool -c clamscan --stdout -f message.zip -s message
> Not detected at 5, moving backward.
> Not detected at 1, moving backward.
> Not detected at 0, moving backward.
> Not detected at 0, moving backward.
> Starting precise loop
> Segmentation fault
>
> This made it past our version of clamav ?
>
> clamscan / ClamAV version 0.60

Sigtool has _nothing_ to do with virus catching. Something must be wrong in your setup.

Best regards,
Tomasz Kojm

--
[EMAIL PROTECTED]
http://www.konarski.edu.pl/~zolw
And don't forget to click on the belly... www.pajacyk.pl
Re: [Clamav-users] FOO.EXE
> sigtool -c clamscan --stdout -f message.zip -s message

Someone correct me if I'm wrong but I'm pretty sure you can't use sigtool to extract the virus signature from a zip (no matter what scanner you use). The zip itself is not infected, you need to unzip the file and extract the signature from the infected file within.

Quite why you're trying to do this however I can't see, as you've already proven that clamscan can detect the infection.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
Re: [Clamav-users] FOO.EXE
On 16 Aug 2003 20:26:44 +0100 Kevin Spicer [EMAIL PROTECTED] wrote:

> > sigtool -c clamscan --stdout -f message.zip -s message
>
> Someone correct me if I'm wrong but I'm pretty sure you can't use sigtool to extract the virus signature from a zip (no matter what

You're completely right.

Best regards,
Tomasz Kojm

--
[EMAIL PROTECTED]
http://www.konarski.edu.pl/~zolw
And don't forget to click on the belly... www.pajacyk.pl
Re: [Clamav-users] FOO.EXE
On Saturday 16 August 2003 8:26 pm, Kevin Spicer wrote:

> > sigtool -c clamscan --stdout -f message.zip -s message
>
> Someone correct me if I'm wrong but I'm pretty sure you can't use sigtool to extract the virus signature from a zip (no matter what scanner you use). The zip itself is not infected, you need to unzip the file and extract the signature from the infected file within.

I assume the original poster suspected it was a virus which just happened to have a .zip extension - not realising that it really is a genuine zip file, with an infected .html inside.

> Quite why you're trying to do this however I can't see, as you've already proven that clamscan can detect the infection.

Indeed.

Antony.

--
I vote no to this proposal to form a committee to investigate whether we should or should not hold a ballot on whether to vote yet.
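
The point made in the messages above, that the signature sits in message.html and not in the bytes of message.zip, shown as an added example that is not part of the original thread and is not ClamAV or sigtool code. The marker string, the toy matcher and the prefix cuts (modelled on the "Not detected at N" output, which is an assumption about how the bisection works) are constructed for illustration.

```python
import io
import zipfile

# Constructed, harmless stand-in for a byte signature (not a real virus signature).
MARKER = b"CONSTRUCTED-TEST-MARKER-0001"


def build_sample_zip():
    """Build an in-memory message.zip holding one compressible message.html."""
    filler = b"<p>lorem ipsum dolor sit amet</p>\n" * 200
    html = b"<html><body>\n" + filler + MARKER + b"\n" + filler + b"</body></html>\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("message.html", html)
    return buf.getvalue()


def raw_match(data):
    """Toy signature match over the container bytes exactly as stored."""
    return MARKER in data


def unpacked_match(data):
    """Unpack the archive first, then match each member's contents."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [name for name in zf.namelist() if MARKER in zf.read(name)]
    except zipfile.BadZipFile:
        return None  # the bytes are not readable as an archive at all


def prefix_results(data, cuts=(2, 4, 8)):
    """Scan prefixes of the archive (len/2, len/4, ...), as a bisection would.

    Assumption: cutting the file from the end is how the bisection proceeds.
    A zip keeps its central directory at the end, so every prefix loses it.
    """
    return {len(data) // c: unpacked_match(data[: len(data) // c]) for c in cuts}


if __name__ == "__main__":
    z = build_sample_zip()
    print("match in raw zip bytes:", raw_match(z))
    print("match after unpacking: ", unpacked_match(z))
    print("truncated prefixes:    ", prefix_results(z))
```

The deflated stream does not contain the marker bytes verbatim, and no truncated prefix can be opened as an archive, so a signature can only be cut from the extracted message.html.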
[Clamav-users] Re: Queries on Clam AV
Thanks for the help guys, I will have another read through the documentation but I must have missed the part about cron jobs as I didn't think there was anything there that would have been able to help me.

Thanks again.

Cheers
Darren