Re: [Clamav-users] finding viruses in email : please help

2004-01-21 Thread Thomas Lamy
Payal Rathod wrote:

Hi,
I am using clamdscan with qmail in conjunction with dot-qmail files.
I have in .qmail
| /usr/local/bin/clamdscan -; [ $? != 1 ] || exit 99
./Maildir/
# ps aux | grep clamd
root  7967  0.0  4.2 29396 10776 ?   S    20:54   0:00 clamd
When I send an eicar test virus it was caught properly, but when I sent a
Sobig virus and others they were not caught at all and were delivered
normally.
I have the latest virus definitions with me.
What is wrong here?
Please suggest some way. It is harassing.

You need to enable at least the ScanMail and ScanArchive directives 
in /usr/local/etc/clamav.conf (or wherever that file resides).

Thomas



---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] Listing viruses in the db?

2004-01-21 Thread Tomasz Kojm
On Tue, 20 Jan 2004 16:01:47 -0500
Kevin Hanser [EMAIL PROTECTED] wrote:

 there a way to search for a particular virus?  Not really important to
 be able to search, as long as I can get a listing of all the viruses
 that it catches

I just added a new option to sigtool: with --list-sigs you can list all
virus signature names (sigtool --list-sigs) or signatures from selected
database only (sigtool --list-sigs=/path/to/database).

Best regards,
Tomasz Kojm
-- 
  oo.   [EMAIL PROTECTED] www.ClamAV.net
 (\/)\. http://www.clamav.net/gpg/tkojm.gpg
\..._   0DCA5A08407D5288279DB43454822DC8985A444B
  //\   /\  Wed Jan 21 09:32:43 CET 2004




Re: [Clamav-users] finding viruses in email : please help

2004-01-21 Thread Tomasz Kojm
On Wed, 21 Jan 2004 04:58:17 +
Payal Rathod [EMAIL PROTECTED] wrote:

 Hi,
 I am using clamdscan with qmail in conjunction with dot-qmail files.
 I have in .qmail
 
 | /usr/local/bin/clamdscan -; [ $? != 1 ] || exit 99
 ./Maildir/
 
 # ps aux | grep clamd
 root  7967  0.0  4.2 29396 10776 ?   S    20:54   0:00 clamd
 
 When I send an eicar test virus it was caught properly, but when I sent
 a Sobig virus and others they were not caught at all and were
 delivered normally.
 I have the latest virus definitions with me.
 What is wrong here?
 Please suggest some way. It is harassing.

Take a look at contrib/trashscan and use it instead of clamdscan in
.qmail.

Best regards,
Tomasz Kojm
-- 
  oo.   [EMAIL PROTECTED] www.ClamAV.net
 (\/)\. http://www.clamav.net/gpg/tkojm.gpg
\..._   0DCA5A08407D5288279DB43454822DC8985A444B
  //\   /\  Wed Jan 21 06:51:47 CET 2004




Re: [Clamav-users] Listing viruses in the db?

2004-01-21 Thread Tomasz Kojm
On Wed, 21 Jan 2004 12:27:20 +1100
Darryl Luff [EMAIL PROTECTED] wrote:

 What's the difference between --unpack and --unpack-current? They both
 seem to do the same thing and produce identical output?

--unpack extracts a selected file while --unpack-current only extracts
files from the database directory.

Best regards,
Tomasz Kojm
-- 
  oo.   [EMAIL PROTECTED] www.ClamAV.net
 (\/)\. http://www.clamav.net/gpg/tkojm.gpg
\..._   0DCA5A08407D5288279DB43454822DC8985A444B
  //\   /\  Wed Jan 21 09:31:23 CET 2004




Re: [Clamav-users] Listing viruses in the db?

2004-01-21 Thread Trog
Quoting jonathan soong [EMAIL PROTECTED]:

 hmm
 yes clamav does detect Bagle now, but when we first got hit with Bagle 
 it was undetected for about 2 hours...
 (i.e. clamav virus db was about 2 hours behind our first sighting of 
 it). I was just wondering how to
 add virus signatures to our own database immediately (the signatures.pdf
 file says you have to send it to
 a SIGNING_SERVER?? - initially i wanted to just update our own 
 signatures, before worrying about sending it
 to the clamav servers)
 

All you need to do is create an old style db file with your sig in it and put it
in your database directory, making sure it has a .db extension.

-trog




Re: [Clamav-users] finding viruses in email : please help

2004-01-21 Thread Payal Rathod
On Wed, Jan 21, 2004 at 09:38:17AM +0100, Thomas Lamy wrote:
 
 You need to enable at least the ScanMail and ScanArchive directives 
 in /usr/local/etc/clamav.conf (or wherever that file resides).

I did it. Stopped clamd. Restarted it. Still no luck. Same problem.
Where exactly is the problem?

Thanks,
-Payal

-- 
For GNU/Linux Success Stories and Articles visit:
  http://payal.staticky.com




Re: [Clamav-users] finding viruses in email : please help

2004-01-21 Thread Payal Rathod
On Wed, Jan 21, 2004 at 06:52:57AM +0100, Tomasz Kojm wrote:
 Take a look at contrib/trashscan and use it instead of clamdscan in
 .qmail.

It needs procmail, which I don't use. Also logger [???]
What is wrong with clamdscan? It caught eicar properly.

With regards,
-Payal

-- 
For GNU/Linux Success Stories and Articles visit:
  http://payal.staticky.com




Re: [Clamav-users] ERROR: Malformed CVD header detected.

2004-01-21 Thread Abyot Asalefew
I also keep getting the same under sun solaris 8.

- Original Message -
From: Wouter de Vries [EMAIL PROTECTED]
Date: Tuesday, January 20, 2004 8:32 pm
Subject: [Clamav-users] ERROR: Malformed CVD header detected.

 Hi,
 
 Just to let you know, I am receiving these errors:
 
 ERROR: Malformed CVD header detected.
 ERROR: Can't read main.cvd header from database.clamav.net (209.204.175.217)
 ERROR: Malformed CVD header detected.
 ERROR: Can't read main.cvd header from database.clamav.net (195.70.36.141)
 ERROR: Malformed CVD header detected.
 ERROR: Can't read main.cvd header from database.clamav.net (212.162.12.159)
 Wouter






Re: [Clamav-users] finding viruses in email : please help

2004-01-21 Thread Tomasz Klim
  You need to enable at least the ScanMail and ScanArchive directives
  in /usr/local/etc/clamav.conf (or wherever that file resides).
 
 I did it. Stopped clamd. Restarted it. Still no luck. Same problem.
 Where exactly is the problem?

I don't use clamdscan, but in clamscan there is an option
--mbox, which enables mail scanning. Maybe this will help you.


--
Tomasz Klim,  [EMAIL PROTECTED]
http://www.euroneto.pl
Phone: +48 61 8433535 Fax: +48 61 8434455
Euronet Sp. z o.o., Dabrowskiego 81/85, 60-529 Poznan, Poland






Re: [Clamav-users] OSX build problem with 0.65

2004-01-21 Thread Nigel Horne
These changes will make clamd compile under OSX10.1.

The bad news is it's rather doubtful that ClamAV supports that operating 
system any more.
It's best to ask Tomasz to put the support back in.

The good news is that this part of the code is only called in the event 
of a crash or through something called clamuko which I suspect is Linux 
only anyway.

Apologies for posting/discussing source code in the users group!

-Nigel

*** Oserver-th.cWed Jan 21 10:51:53 2004
--- server-th.c Wed Jan 21 11:01:11 2004
***
*** 34,45 
  #include clamuko.h
  #include tests.h
  #include session.h
  #ifdef CLAMUKO
  pthread_t clamukoid;
  #endif
  void *threadscanner(void *arg)
  {
--- 34,49 
  #include clamuko.h
  #include tests.h
  #include session.h
+ #include ../target.h
  #ifdef CLAMUKO
  pthread_t clamukoid;
  #endif
! #ifdef TARGET_OS_DARWIN5_5
! #define   pthread_sigmask(A, B, C)sigprocmask((A), (B), 
(C))
! #define   pthread_kill(A, B)  { }
! #endif

  void *threadscanner(void *arg)
  {
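
Review bot: in the new TARGET_OS_DARWIN5_5 block, `#define pthread_kill(A, B) { }` replaces the call with an empty brace block, so any call site that tests the return value or sits in an unbraced if/else will not compile, and the signal is silently never delivered. An expression such as `(0)` would keep call sites valid, with a comment saying the no-op is intentional. The `pthread_sigmask` to `sigprocmask` mapping also needs a comment: POSIX leaves `sigprocmask` unspecified in a multi-threaded process, so the substitution is only sound where this path runs with a single thread.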




[Clamav-users] Another OS X prob

2004-01-21 Thread Rod Furey
I just upgraded from 0.54 to 0.65 on an OS X 10.1.5
box and now if I run clamscan it takes 1.5 hours to
run in place of about 20 mins.
I had to disable the thread support to get this to make and
I have no support for digital signatures (as I don't know
where to find it - fink doesn't seem to have it).
Are either of these config conditions likely to cause
the vast increase in time? I'm afraid I'm not
up on this sort of thing (can do you lots of other languages
and setups but not this combo).
Tx.

Rod





Re: [Clamav-users] Listing viruses in the db?

2004-01-21 Thread Everton da Silva Marques
On Wed, Jan 21, 2004 at 08:56:16AM +, Trog wrote:
  
  file says you have to send it to
  a SIGNING_SERVER?? - initially i wanted to just update our own 
  signatures, before worrying about sending it
  to the clamav servers)
 
 All you need to do is create an old style db file with your sig in it and put it
 in your database directory, making sure it has a .db extension.

Can we hope such support for old style db is not going away?





Re: [Clamav-users] LogSyslog logs twice?

2004-01-21 Thread Tomasz Papszun
On Wed, 21 Jan 2004 at 12:51:44 +1100, Darryl Luff wrote:
 Has anyone noticed that enabling the LogSyslog option causes everything 
 to be logged twice? Or is it just something odd on my machine (sample 
 below)?
 
 Jan 20 00:11:02 gateway clamd[19226]: Reading databases from /var/lib/clamav
 Jan 20 00:11:02 gateway clamd[19226]: Reading databases from /var/lib/clamav
[...]

Maybe you have set also LogFile to the same file?...

Though I can be wrong - I haven't tried them both together.

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner




[Clamav-users] Multiple stability problems on Solaris 9

2004-01-21 Thread Jon R. Kibler
Hello:

In the past few days we have experienced multiple stability problems with clamav.
Here is our environment:

Solaris 9 (sparc)
mimedefang 2.36 w/ sendmail 8.12.10
clamav 0.65

The problems appear to be two fold:
  1) freshclam, run as a daemon, crashes without sending a notify.
     freshclam appears to die anytime it finds a problem with a database update
     instead of just reporting the error and keep on running to try again later.
  2) something is causing clamd to die. this just started Monday.
     the only indication of a problem is that mimedefang starts reporting all sorts
     of strange errors.
     in mimedefang, we are using clamdscan instead of clamd directly, as it appears
     to catch some problems that are missed when running clamd directly under the
     control of mimedefang (which I view as a mimedefang problem, not a clamav
     problem).

Detailed logs showing these problems, and commentary explaining what happened when,
follow the signature paragraph. I should also add that we deleted both the main and
daily databases locally and loaded new ones just to ensure that some local database
corruption was not the cause of the problem.

Suggestion for a new clamd and freshclam feature: Have a notify on program exit that
will log a notice or take other action if the daemon dies.

This was submitted to [EMAIL PROTECTED] yesterday... just curious, is there any type
of acknowledgment that we should expect from such submittals?

TIA for all help!

Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214


FRESHCLAM PROBLEMS:
===
This is how we start freshclam -- and in the recent past we have received
notifications when updates fail, but I cannot recall ever receiving a notification
when freshclam crashes.

 /usr/local/bin/freshclam -d \
   -c 24 \
   -u ${CLAMU} \
   -l ${CAVLOG} \
   --daemon-notify=${CAVCONF} \
   --on-error-execute="/usr/bin/logger -i -t freshclam -p daemon.alert 'clamav virus signatures database update failed'"



Here is an example of the problem from today. The previous entry in the log was from
an hour earlier and all was OK. We discovered freshclam had died (with no notice sent)
when we were preparing the documentation for the clamd problem. We received no notice
that freshclam had any problems or had died.
--
ClamAV update process started at Tue Jan 20 12:22:46 2004
ERROR: Malformed CVD header detected.
ERROR: Can't read main.cvd header from database.clamav.net (193.126.14.29)
ClamAV update process started at Tue Jan 20 12:22:56 2004
ERROR: Malformed CVD header detected.
ERROR: Can't read main.cvd header from database.clamav.net (193.126.14.29)
ClamAV update process started at Tue Jan 20 12:23:06 2004
ERROR: Malformed CVD header detected.
ERROR: Can't read main.cvd header from database.clamav.net (193.126.14.29)

--

Here is another example, this from last Friday, where freshclam died, again, without
any notice being logged.
--
ClamAV update process started at Fri Jan 16 14:53:19 2004
ERROR: Verification: MD5 verification error.
ClamAV update process started at Fri Jan 16 14:57:26 2004
ERROR: Verification: MD5 verification error.
ClamAV update process started at Fri Jan 16 15:06:39 2004
ERROR: Maximal time (1200 seconds) reached.



CLAMD PROBLEMS:
===
Yesterday, just before 11:00 we started getting all sorts of 'strange' mimedefang
errors -- none of which were 'problem running virus scanner'. Checking, we found that
clamd was not running. (We use clamdscan in mimedefang, not clamd directly, as it
appears to be somewhat better at catching some viruses.)

Notice that it appeared to die the first time shortly after finding 'Worm.Gibe.F' --
with no indication of why it died. (The virus hit was successfully passed back to
mimedefang.)

Next, at 12:04 we restarted clamd and it died due to a timeout at 12:28.

Then we restarted clamd at 12:31 and it died again for some unknown reason around
13:30.

At 13:32 we restarted clamd and also changed mimedefang to use clamscan instead of
clamdscan. clamd appears stable in so long as it is not being used.

We have tried to track down what clamd may have been doing when it died, but we have
not been able to find anything in common at its various points of failure.

Mon Jan 19 11:00:09 2004 - +++ Started at Mon Jan 19 11:00:09 2004
Mon Jan 19 11:00:09 2004 - Log file size limited to 8388608 bytes.
Mon Jan 19 11:00:09 2004 - Running as user defang (UID 104, GID 25)
Mon Jan 19 11:00:09 2004 - Reading databases from /usr/local/share/clamav
Mon Jan 19 11:00:10 2004 - Protecting against 20206 viruses.
Mon Jan 19 11:00:11 2004 - Unix socket file /var/clamav/clamd.sock
Mon Jan 19 11:00:11 2004 - Setting connection queue length to 60
Mon Jan 19 

Re: [Clamav-users] finding viruses in email : please help

2004-01-21 Thread Carl Holtje
If you're using qmail, look into qmailscanner.. 
[http://qmail-scanner.sourceforge.net/]... build a string of virus 
checkers (including its own built-in perl scanner) to process your mail...

We use it on a system with 18000+ messages a day, running each through 
spamassassin and clamav without any trouble...

Definitely worth a look...

Carl

Tomasz Kojm wrote:
On Wed, 21 Jan 2004 04:58:17 +
Payal Rathod [EMAIL PROTECTED] wrote:

Hi,
I am using clamdscan with qmail in conjunction with dot-qmail files.
I have in .qmail
| /usr/local/bin/clamdscan -; [ $? != 1 ] || exit 99
./Maildir/
# ps aux | grep clamd
root  7967  0.0  4.2 29396 10776 ?   S    20:54   0:00 clamd
When I send an eicar test virus it was caught properly, but when I sent
a Sobig virus and others they were not caught at all and were
delivered normally.
I have the latest virus definitions with me.
What is wrong here?
Please suggest some way. It is harassing.


Take a look at contrib/trashscan and use it instead of clamdscan in
.qmail.
Best regards,
Tomasz Kojm






Re: [Clamav-users] Multiple stability problems on Solaris 9

2004-01-21 Thread Alex S Moore
Hi, Jon

On Wed, 21 Jan 2004 11:45:11 -0500
Jon R. Kibler [EMAIL PROTECTED] wrote:

 Hello:
 
 In the past few days we have experienced multiple stability problems with
 clamav. Here is our environment:
 
 Solaris 9 (sparc)
 mimedefang 2.36 w/ sendmail 8.12.10
 clamav 0.65
 
 The problems appear to be two fold:
   1) freshclam, run as a daemon, crashes without sending a notify. 
  freshclam appears to die anytime it finds a problem with a database
  update instead of just reporting the error and keep on running to try
  again later.
   2) something is causing clamd to die. this just started Monday.
  the only indication of a problem is that mimedefang starts reporting
  all sorts of strange errors. in mimedefang, we are using clamdscan
  instead of clamd directly, as it appears to catch some problems that
  are missed when running clamd directly under the control of mimedefang
  (which I view as a mimedefang problem, not a clamav problem).

I am another clamav user with Solaris 9 SPARC and Sun's sendmail, so this is
not an official response to your bug report.

Why not run freshclam from a crontab entry?  I have freshclam running twice a
day and I always get a mail message, even when there is a problem such as the
MD5 checksum error, et al. that have occurred recently.

Have you tried running clamav-milter?  I have no problems with that setup.  It
even picked up a message with the recent Bagle worm just shortly after I read
about it on the net.

Alex




Re: [Clamav-users] Multiple stability problems on Solaris 9

2004-01-21 Thread Peter Bonivart
Jon R. Kibler wrote:
  1) freshclam, run as a daemon, crashes without sending a notify. 
 freshclam appears to die anytime it finds a problem with a database update instead of just 
 reporting the error and keep on running to try again later.

Run freshclam from crontab, works like a charm. No daemon that can die.

  2) something is causing clamd to die. this just started Monday.
 the only indication of a problem is that mimedefang starts reporting all sorts of strange errors.
 in mimedefang, we are using clamdscan instead of clamd directly, as it appears to catch some problems
 that are missed when running clamd directly under the control of mimedefang (which I view as a 
 mimedefang problem, not a clamav problem).

Use MailScanner, it scans files in batches with clamscan so no 
performance loss. No daemon that can die.

http://www.mailscanner.info

--
/Peter Bonivart
--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP


Re: [Clamav-users] Multiple stability problems on Solaris 9

2004-01-21 Thread Fajar A. Nugraha
Jon R. Kibler wrote:

Hello:

In the past few days we have experienced multiple stability problems with clamav. Here is our environment:

Solaris 9 (sparc)
mimedefang 2.36 w/ sendmail 8.12.10
clamav 0.65
 

Isn't 0.65 known to have problems? I use daily snapshot (devel-20040115) 
and it works fine so far.

This was submitted to [EMAIL PROTECTED] yesterday... just curious, is there any type of acknowledgment that we should expect from such submittals?

 

Some acknowledgments are in ChangeLog.

Here is an example of the problem from today. The previous entry in the log was from an hour earlier and all was OK. We discovered freshclam had died (with no notice sent) when we were preparing the documentation for the clamd problem. We received no notice that freshclam had any problems or had died.
 

I use freshclam -d on Solaris9, and it didn't die during Malformed CVD 
header period.

ClamAV update process started at Tue Jan 20 23:28:04 2004
main.cvd is up to date (version: 18, sigs: 19810, f-level: 1, builder: tomek)
daily.cvd is up to date (version: 94, sigs: 488, f-level: 1, builder: diego)

--
ClamAV update process started at Wed Jan 21 01:28:04 2004
ERROR: Malformed CVD header detected.
ERROR: Can't read main.cvd header from clamav.antispam.or.id (202.134.0.71)
Trying again...
ClamAV update process started at Wed Jan 21 01:28:05 2004
ERROR: Malformed CVD header detected.
ERROR: Can't read main.cvd header from clamav.antispam.or.id (202.134.0.71)
Trying again...
ClamAV update process started at Wed Jan 21 01:28:06 2004
ERROR: Malformed CVD header detected.
ERROR: Can't read main.cvd header from clamav.antispam.or.id (202.134.0.71)
Giving up...
ClamAV update process started at Wed Jan 21 01:28:06 2004
ERROR: Malformed CVD header detected.
ERROR: Can't read main.cvd header from database.clamav.net (202.134.0.71)
Trying again...
ClamAV update process started at Wed Jan 21 01:28:08 2004
ERROR: Malformed CVD header detected.
ERROR: Can't read main.cvd header from database.clamav.net (202.134.0.71)
Trying again...
ClamAV update process started at Wed Jan 21 01:28:09 2004
ERROR: Malformed CVD header detected.
ERROR: Can't read main.cvd header from database.clamav.net (202.134.0.71)
Giving up...
--
ClamAV update process started at Wed Jan 21 03:28:09 2004
main.cvd is up to date (version: 18, sigs: 19810, f-level: 1, builder: tomek)
daily.cvd is up to date (version: 94, sigs: 488, f-level: 1, builder: diego)

CLAMD PROBLEMS:
===
Yesterday, just before 11:00 we started getting all sorts of 'strange' mimedefang errors -- none of which were 'problem running virus scanner'. Checking, we found that clamd was not running. (We use clamdscan in mimedefang, not clamd directly, as it appears to be somewhat better at catching some viruses.) 

Notice that it appeared to die the first time shortly after finding 'Worm.Gibe.F' -- with no indication of why it died. (The virus hit was successfully passed back to mimedefang.)

 

The problem might be in

Mon Jan 19 12:04:37 2004 - Mail files support enabled.



Try commenting ScanMail on clamav.conf. I don't know how stable (or 
reliable) ScanMail support is now, but since you use mimedefang you 
won't need clamd to unpack attachments. Disabling it will at least reduce 
scanning time a little.

Regards,

Fajar A. Nugraha
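
The freshclam log excerpts in this thread show two failure patterns: runs of `ERROR:` attempts, and a log that simply stops when the daemon dies. The following is an added example, not code from any poster or from ClamAV, that reads such a log and reports both conditions; the function names, the `--demo`/`--check` flags and the 7200-second threshold are assumptions, and the sample log is constructed from the excerpts above.

```shell
#!/bin/sh
# Added example, not code from the thread or from ClamAV.
# freshclam_status NOW MAX_AGE reads a freshclam log on stdin and prints
#   state=<ok|failing|stale> failures=<n> age=<seconds>
# NOW uses the log's own timestamp layout ("Tue Jan 20 14:30:00 2004"), so no
# time-zone conversion is involved. MAX_AGE is the longest silence, in seconds,
# tolerated between update attempts (an assumption to tune to your schedule).
freshclam_status() {
    awk -v now="$1" -v max_age="$2" '
    # Seconds since 1970-01-01 for "Mon DD HH:MM:SS YYYY" (days-from-civil).
    function epoch(mon, day, hms, year,    m, t, y, era, yoe, doy, doe) {
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", mon) + 2) / 3
        split(hms, t, ":")
        y = year - (m <= 2)
        era = int(y / 400)
        yoe = y - era * 400
        doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + day - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return (era * 146097 + doe - 719468) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
    }
    # Fold the attempt that just ended into the run of consecutive failures.
    function close_attempt() {
        if (!seen) { return }
        if (err) { fails++ } else { fails = 0 }
    }
    /^ClamAV update process started at / {
        close_attempt()
        seen = 1; err = 0
        last = epoch($7, $8, $9, $10)
        next
    }
    /^ERROR:/ { err = 1 }
    END {
        close_attempt()
        if (!seen) { print "state=stale failures=0 age=-1"; exit }
        split(now, n, " ")
        age = epoch(n[2], n[3], n[4], n[5]) - last
        state = (age > max_age) ? "stale" : (fails > 0 ? "failing" : "ok")
        printf "state=%s failures=%d age=%d\n", state, fails, age
    }'
}

# Constructed sample: one good run (timestamp invented), then the three failed
# attempts from the excerpt in the thread, after which nothing more was logged.
sample_log() {
    cat <<'EOF'
ClamAV update process started at Tue Jan 20 11:22:40 2004
main.cvd is up to date (version: 18, sigs: 19810, f-level: 1, builder: tomek)
ClamAV update process started at Tue Jan 20 12:22:46 2004
ERROR: Malformed CVD header detected.
ERROR: Can't read main.cvd header from database.clamav.net (193.126.14.29)
ClamAV update process started at Tue Jan 20 12:22:56 2004
ERROR: Malformed CVD header detected.
ERROR: Can't read main.cvd header from database.clamav.net (193.126.14.29)
ClamAV update process started at Tue Jan 20 12:23:06 2004
ERROR: Malformed CVD header detected.
ERROR: Can't read main.cvd header from database.clamav.net (193.126.14.29)
EOF
}

case ${1:-} in
    --demo)  sample_log | freshclam_status "Tue Jan 20 14:30:00 2004" 7200 ;;
    # Hypothetical cron usage: this-script --check /path/to/freshclam.log [max_age]
    --check) freshclam_status "$(LC_ALL=C date '+%a %b %d %H:%M:%S %Y')" "${3:-7200}" < "$2" ;;
esac
```

Run from cron, a `stale` result catches a dead updater even when it wrote no final error, which is the case the `--on-error-execute` hook cannot cover.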



[Clamav-users] Maildrop core dump and clamd

2004-01-21 Thread Björn Ketelaars
Hello,

Since a couple of days I'm using clamd/clamdscan on an OpenBSD
(snapshot/i386) machine. Clamd is started at boot time and clamdscan is
being used by means of a maildrop filter...
if (`/usr/local/bin/clamdscan --mbox --disable-summary  --stdout - | grep -c 'FOUND'` == 1)
{
    to $DEFAULT/.SPAM-VIRUS
}

As can be seen every mail is being tested by clamdscan and every output is
being scanned on the string 'FOUND'. If this string is found the mail is
being sent to a maildir named 'SPAM-VIRUS'.
At the moment I'm experiencing two problems:

1.) When not using StreamSaveToDisk, viruses are not always recognized
(known feature);
2.) When using StreamSaveToDisk clamdscan is initiated, does its thing... and
does not die! The result of clamdscan not dying is that after a couple of
hours there are about 40 (or more...) clamdscan processes running. The
end-result is a system in which both Perl and maildrop dump their cores and
mail is not being delivered.

Is this feature/problem known? If so, is there a solution?

With kind regard,

Björn Ketelaars





[Clamav-users] ClamAV instabilities

2004-01-21 Thread Marc Balmer
Hello

About since the big-virus import of about 10'000 viruses I experience 
a lot of problems with the until then stable ClamAV 0.65 on 
OpenBSD/Sparc64 and i386.

clamd hangs at least twice a day, does no longer respond to network 
connections.  It has to be killed and restarted.  It has become unusable 
on OpenBSD.

Is there any news regarding clamd's notorious instability?  Is nclamd the 
way to go?

Regards,
Marc


Re: [Clamav-users] OSX build problem with 0.65

2004-01-21 Thread Mark Edwards
On Jan 21, 2004, at 3:11 AM, Nigel Horne wrote:

These changes will make clamd compile under OSX10.1.

The bad news is it's rather doubtful that ClamAV supports that 
operating system any more.
It's best to ask Tomasz to put the support back in.

The good news is that this part of the code is only called in the 
event of a crash or through something called clamuko which I suspect 
is Linux only anyway.

Apologies for posting/discussing source code in the users group!

-Nigel

*** Oserver-th.cWed Jan 21 10:51:53 2004
--- server-th.c Wed Jan 21 11:01:11 2004
***
*** 34,45 
  #include clamuko.h
  #include tests.h
  #include session.h
  #ifdef CLAMUKO
  pthread_t clamukoid;
  #endif
  void *threadscanner(void *arg)
  {
--- 34,49 
  #include clamuko.h
  #include tests.h
  #include session.h
+ #include ../target.h
  #ifdef CLAMUKO
  pthread_t clamukoid;
  #endif
! #ifdef TARGET_OS_DARWIN5_5
! #define   pthread_sigmask(A, B, C)sigprocmask((A), (B), 
(C))
! #define   pthread_kill(A, B)  { }
! #endif

  void *threadscanner(void *arg)
  {
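
Review bot: this copy of the hunk cannot apply as mailed. The old-file section is headed `*** 34,45` (12 lines) but only 8 lines precede `--- 34,49`, and the `pthread_sigmask` define is split across two lines with `(C))` on its own line, so blank context lines and a long line were lost in transit. Resending the diff as an attachment, with the path to `server-th.c` relative to the source tree in the file header, would fix both and show which file is targeted.
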
Thanks for the help.  I get the following complaint when using the 
patch, however:

[dina:~/Documents/work/clamav-0.65] engineer% patch  
../clamav-0.65-osx.patch
patch:  Premature `---' at line 15; check line numbers at line 4

I snooped around but I'm not sure which file is targeted by this patch.

I guess the bigger question is, would it be better to stick with 0.60 
on OSX 10.1.x, or is 0.65 better?  Neither of them compile out of the 
box.

Thanks!





Re: [Clamav-users] Multiple stability problems on Solaris 9

2004-01-21 Thread Tomasz Papszun
On Wed, 21 Jan 2004 at 11:45:11 -0500, Jon R. Kibler wrote:
[...]
 This was submitted to [EMAIL PROTECTED] yesterday... just curious, is there
any type of acknowledgment that we should expect from such submittals?
 
[...]

Jon,

the server which serves your domain (mx001.mail.trustem.net) permanently
bounces mail sent to you by my server. That's why you didn't receive
the response.

BTW, when I connected to it to diagnose the problem, I got:

220-It is a crime in the state where this system is located to port scan
220-a system. If you connect to this MTA without attempting to send mail,
220-you will be subject to prosecution for port scanning.

Because I connected to that MTA not to send mail but to see what's
wrong, seems that I committed a crime!  Eh..., good luck...

P.S. Please, shorten line length in your MUA. Log excerpts may be not
wrapped and it's OK, but human text should not exceed about 75 chars.

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner




RE: [Clamav-users] Maildrop core dump and clamd

2004-01-21 Thread Tom Walsh
 Since a couple of days I'm using clamd/clamdscan on an OpenBSD
 (snapshot/i386) machine. Clamd is started at boot time and 
 clamdscan is being used by means of a maildrop filter... if 
 (`/usr/local/bin/clamdscan --mbox --disable-summary  --stdout 
 - | grep -c 'FOUND'` == 1) {
 to $DEFAULT/.SPAM-VIRUS
  }
 
 As can be seen every mail is being tested by clamdscan and 
 every output is being scanned on the string 'FOUND'. If this 
 string is found the mail is being sent to a maildir named 
 'SPAM-VIRUS'. At the moment I'm experiencing two problems:

Not entirely relevant to the questions you asked... But why not (instead
of grepping the entire file), just check the exit code of clamdscan?

0 == clean
1 == infected

# maildrop stores the exit status of the last backtick command in RETURNCODE
`/usr/local/bin/clamdscan --mbox --disable-summary --stdout -`
if ($RETURNCODE == 1)
    to $DEFAULT/.SPAM-VIRUS

Just something I noticed and could help speed things up a little bit.

Tom Walsh
Network Administrator
http://www.ala.net/
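
An added example, not part of the original thread: a shell comparison of the two checks discussed above, counting `FOUND` lines versus reading the scanner's exit status. The `fake_*` functions are constructed stand-ins for clamdscan; exit status 2 for a scanner error and the "defer" action are assumptions that go beyond the 0/1 cases listed in the message.

```shell
#!/bin/sh
# Constructed stand-ins for clamdscan so the comparison runs without a daemon.
# Exit statuses follow clamdscan's convention: 0 clean, 1 infected, 2 error.
fake_clean()    { echo "stream: OK"; return 0; }
fake_infected() { echo "stream: Constructed.Sample.A FOUND"; return 1; }
fake_multi()    { echo "part1: Constructed.Sample.A FOUND"
                  echo "part2: Constructed.Sample.B FOUND"; return 1; }
fake_error()    { echo "ERROR: cannot reach scanner daemon" >&2; return 2; }

# Verdict the way the quoted filter does it: count output lines with FOUND
# and act only when the count is exactly 1.
verdict_by_grep() {
    count=$("$@" 2>/dev/null | grep -c 'FOUND' || true)
    if [ "$count" = 1 ]; then echo quarantine; else echo deliver; fi
}

# Verdict from the exit status. Anything other than 0 or 1 means the scan did
# not complete, so the message is deferred (assumed policy) instead of being
# delivered unscanned.
verdict_by_exit() {
    rc=0
    "$@" >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo deliver ;;
        1) echo quarantine ;;
        *) echo defer ;;
    esac
}

# Print both verdicts side by side for each constructed scanner outcome.
compare_all() {
    for scanner in fake_clean fake_infected fake_multi fake_error; do
        printf '%-14s grep=%-10s exit=%s\n' "$scanner" \
            "$(verdict_by_grep "$scanner")" "$(verdict_by_exit "$scanner")"
    done
}
compare_all
```

The two checks agree on a clean message and a single detection; they differ when more than one `FOUND` line is printed and when the scanner itself fails.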






[Clamav-users] Mailscanner, sendmail 8.12, split input queues

2004-01-21 Thread Leif Neland
The Mailscanner docs tell us to make two queues and run two copies of
sendmail:

drwxr-x---  2 root  bin   62976 Oct 23 16:18 mqueue
drwxr-x---  2 root  bin   41472 Oct 23 16:18 mqueue.in


sendmail -bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in
sendmail -q15m

How does this fit in with sendmail 8.12 already having two queues, mqueue
and  mqueue-client?

And how do I do this with Debian's /etc/mail/sendmail.conf?

Leif







Re: [Clamav-users] Clamav-devel massive memory leaks

2004-01-21 Thread clamav
At 01:37 PM 1/21/2004, Stefan Kaltenbrunner wrote:
Since clamd in 0.65 is much too unstable here (stops responding within 
minutes), we have been running several development snapshots here. all the 
snapshots from the last 14 days or so seem to massively leak memory. 
typically our mailrelays do run out of memory (1GB physical and 2Gb swap) 
after a few (maybe 10 to 15) minutes with the snapshots 20040113 and 
20040119 under load. 20040104 behaves much better although it does seem 
to leak ~100MB/hour too. We do have some significant load here at times 
and we have ScanMail-Support enabled but in this state clamav/clamd is 
clearly quite unusable :-((

since there are quite a few of these problems popping up in the last days 
- any idea what can be done to fix or at least improve this situation?

In case it's important we are on Debian Woody 3.0r2 and Kernel 2.4.24 here.

Solaris 9, Netra T1 ultrasparc, clamav .65, compiled with gcc 3.3.2:

 8 R   qscand  3046 1  1  60 20?   4885Jan 09 
?   396:45 /usr/local/sbin/clamd

38 megs of ram. hasn't changed significantly since starting it 12 days ago.

i think you may have other problems. what compiler are you using, and what 
optimization options?

Paul Theodoropoulos
http://www.anastrophe.com




Re: [Clamav-users] Mailscanner, sendmail 8.12, split input queues

2004-01-21 Thread Peter Bonivart
Leif Neland wrote:
How does this fit in with sendmail 8.12 already having two queues, mqueue
and  mqueue-client?

You really should have posted this on the MailScanner list since nothing 
of this is Clam related. However the mqueue-client does not have a 
physical queue, instead it's a way of picking up local mail transmitting 
them through your MTA. It does not affect MailScanner at all, everyone 
using Sendmail has 8.12 (except for some heavily patched 8.11 that comes 
with older Linux systems).

And how do I do this with Debian's /etc/mail/sendmail.conf?

There are Debian ports that I think do the job for you. Check it out on 
the web site under downloads.

http://www.mailscanner.info

--
/Peter Bonivart
--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP


Re: [Clamav-users] Mailscanner, sendmail 8.12, split input queues

2004-01-21 Thread Kevin Spicer
On Wed, 2004-01-21 at 22:19, Peter Bonivart wrote:
 Leif Neland wrote:
  How does this fit in with sendmail 8.12 already having two queues, mqueue
  and  mqueue-client?
 
 You really should have posted this on the MailScanner list since nothing 
 of this is Clam related. 

I'll second that, I'd certainly recommend joining the MailScanner list.

 However the mqueue-client does not have a 
 physical queue, 


Peter, I'm going to have to slightly disagree with you on that,
certainly as far as my MailScanner Mandrake boxes are concerned.  The
behaviour I see is that mail sent by programs that call sendmail
directly (as opposed to having their own SMTP engine) is queued in the
clientmqueue (on Mandrake, maybe that's mqueue-client on other systems)
before being picked up by the incoming sendmail, which in turn queues
it in mqueue.in (where it is picked up by MailScanner).  As far as I can
see the incoming (i.e. listening) sendmail keeps an eye on the
clientmqueue and grabs anything it finds there. 

  instead it's a way of picking up local mail transmitting 
 them through your MTA. It does not affect MailScanner at all,

Agreed.

  And how do I do this with Debian's /etc/mail/sendmail.conf?
 
You shouldn't need to mess with any configuration settings (disclaimer:
I'm not a Debian user so maybe they do something differently?),
MailScanner passes the necessary instructions to sendmail on the command
line.






Re: [Clamav-users] LogSyslog logs twice?

2004-01-21 Thread Darryl Luff
Tomasz Papszun wrote:

On Wed, 21 Jan 2004 at 12:51:44 +1100, Darryl Luff wrote:
 

Has anyone noticed that enabling the LogSyslog option causes everything 
to be logged twice? Or is it just something odd on my machine (sample 
below)?

Jan 20 00:11:02 gateway clamd[19226]: Reading databases from 
/var/lib/clamav
Jan 20 00:11:02 gateway clamd[19226]: Reading databases from 
/var/lib/clamav
   

[...]

Maybe you have set also LogFile to the same file?...

Though I can be wrong - I haven't tried them both together.

 

I have an (unconfirmed) theory. In the config file, I have:

LogFile /var/log/clamd.exim
...
LogSyslog

Since I added the 'LogSyslog' entry two days ago, nothing further has 
been logged to /var/log/clamd.exim, but everything is logged to syslog 
twice. I suspect the code is doing something like:

if (LogFile) {
   if (LogSyslog)
      log to syslog
   else
      log to file.
}
if (LogSyslog) {
   log to syslog
}

But this is a guess. I'll have to have a check.


