Re: [Clamav-users] SCO.a

2004-01-28 Thread McKeever Chris
Nigel - thanks for the reply - I didn't have an original, because they do get caught by 
the second filter...
I will play around with it and see if I can..however, I sent you an attached file 
with the virus that does get through clam

On Tue, 27 Jan 2004 06:31 , Shawn Tayler [EMAIL PROTECTED] sent:



Nigel,

I have several examples of this.  Even with older virii.

Would you be interested in them as well?

Shawn

On Tue, 27 Jan 2004 08:52:58 + Nigel Horne [EMAIL PROTECTED]
exclaimed:

 On Tuesday 27 Jan 2004 3:11 am, McKeever Chris wrote:
 
  Any suggestions?  It finds other virii fine when they are still
  encoded, maybe the definitions need to be added for its MIME version?
 
 Please forward an *original* copy (hmm, that's a contradiction in terms)
 of the e-mail to me at [EMAIL PROTECTED] and I'll look into it.
 
  Chris McKeever
  If you want to reply directly to me, please use
  cgmckeever--at--prupref---dot---com http://www.prupref.com
 





 Prudential Preferred Properties   www.prupref.com  



---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


[Clamav-users] Clamav-milter not installing

2004-01-28 Thread james nelson

I am running the following:

./configure\
  --enable-milter\
 --sysconfdir=/etc

make
make install

Clamd is installed normally and is running fine.  However, clamav-milter is
not being installed, no errors are generated.

I tried running make clean and rerunning the command and still no luck.

I have sendmail 8.12.11 installed with libmilter support and it is running
fine.

Any ideas why the milter is not being built and installed?





Re: [Clamav-users] SCO virus - Clam 0.65

2004-01-28 Thread Nigel Horne
On Tuesday 27 Jan 2004 12:53 pm, Brian Read wrote:
 I am getting lots of these, and clamav is detecting them fine, but it
 clearly is trying to email back the sender  with a notification.
 As the reply to is spoofed, this makes no sense at all (and I am getting
 lots of bounces).  How do we stop this happening?

Turn off the --bounce option to clamav-milter

 Cheers

 Brian

-Nigel

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk




Re: [Clamav-users] SCO virus - Clam 0.65

2004-01-28 Thread Matt
Yes I'm not sure.. do we put SCO  Worm.SCO or Worm.SCO.A in the
fake_sender list?

On Tue, 2004-01-27 at 10:44, Brian Read wrote:
 At 14:57 27/01/2004, you wrote:
 Brian Read wrote:
 I am getting lots of these, and clamav is detecting them fine, but it 
 clearly is trying to email back the sender  with a notification.
 As the reply to is spoofed, this makes no sense at all (and I am getting 
 lots of bounces).  How do we stop this happening?
 
 I'm using amavisd-new-20030616-4 and in /etc/amavisd.conf
 I have:
 
 # Treat envelope sender address as unreliable and don't send sender
 # notification / bounces if name(s) of detected virus(es) match the list.
 # Note that virus names are supplied by external virus scanner(s) and are
 # not standardized, so virus names may need to be adjusted.
 # See README.lookups for syntax.
 #
 $viruses_that_fake_sender_re = new_RE(
   qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
   qr'tanatos|lentin|bridex|mimail|trojan\.dropper|bagle|SCO'i,
 );
 
 
 and with this I have:
 
 A virus (Worm.SCO.A) was found.
 
 Scanner detecting a virus: Clam Antivirus-clamd
 
 The mail originated from: [EMAIL PROTECTED]
 
 Notification to sender will not be mailed.
 
 
 I am using Amavis-ng, and the amavisd.conf doesn't seem to have that line 
 in it.  However it does seem to know about other ones which spoof the 
 reply, so I guess it must be somewhere?
 
 
 Cheers
 
 Brian
-- 
Matt [EMAIL PROTECTED]
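
How the quoted list treats the name clamd reports, as an added example that is not part of the original messages (the two patterns are translated from Perl to Python's `re`). It assumes amavisd-new applies each `qr'...'i` pattern as an unanchored, case-insensitive search over the scanner's virus name; `STRICT_SCO`, `matching_token`, `notify_sender` and every name other than Worm.SCO.A are hypothetical.

```python
import re

# The two patterns from the amavisd.conf excerpt quoted above. Perl qr'...'i is
# a case-insensitive regex; it is unanchored unless the pattern anchors itself.
FAKE_SENDER_RE = [
    re.compile(r"nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar", re.I),
    re.compile(r"tanatos|lentin|bridex|mimail|trojan\.dropper|bagle|SCO", re.I),
]

# Hypothetical tighter alternative: match SCO only as a whole dot-separated token.
STRICT_SCO = re.compile(r"(?:^|\.)SCO(?:\.|$)", re.I)


def matching_token(virus_name, patterns=FAKE_SENDER_RE):
    """Return the substring that made the list match, or None if nothing matched."""
    for rx in patterns:
        m = rx.search(virus_name)
        if m:
            return m.group(0)
    return None


def notify_sender(virus_names, patterns=FAKE_SENDER_RE):
    """Assumed policy: suppress the sender notice if any reported name matches."""
    return not any(matching_token(n, patterns) for n in virus_names)


if __name__ == "__main__":
    # "Worm.SCO.A" is the name clamd reports in this thread; the others are constructed.
    for name in ["Worm.SCO.A", "worm.sco.a", "Worm.Disco.B", "Eicar-Test-Signature"]:
        print(f"{name:22} loose={matching_token(name)!r:8} "
              f"strict={bool(STRICT_SCO.search(name))} notify={notify_sender([name])}")
```

Because the bare `SCO` token is a substring match, it also hits unrelated names that merely contain those letters; for this list the only effect of such a hit is one notification not sent.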





Re: [Clamav-users] SCO.a

2004-01-28 Thread Nigel Horne
On Tuesday 27 Jan 2004 2:31 pm, Shawn Tayler wrote:
 Nigel,

 I have several examples of this.  Even with older virii.

 Would you be interested in them as well?

Yes but please send me the original. Many people send me the bounce
message which contains the virus. This is no help to the parser, I must have the 
original.

 Shawn

-Nigel

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk




Re: [Clamav-users] SCO virus - Clam 0.65

2004-01-28 Thread Andrzej Zawadzki
Brian Read wrote:
At 14:57 27/01/2004, you wrote:

I am using Amavis-ng, and the amavisd.conf doesn't seem to have that 
line in it.  However it does seem to know about other ones which spoof 
the reply, so I guess it must be somewhere?
Probably... but try to change to amavisd-new, I think it is better - that's 
my opinion of course ;-)

--
Andrzej Zawadzki


[Clamav-users] yahoo groups??

2004-01-28 Thread Internet Helpdesk
I've got a user who says yahoo groups is getting an error message when
trying to send an email to our email server.

Here's a part of the transcript from the customer:

*
Recent Bounced Messages
Most recent messages Response
Date Type of message sent Date Result
1/1/2004 Auto Reactivation request  1/8/2004 Passive Reactivation
12/23/2003 Flatwalk msg #78965  12/23/2003 Hard Bounce
12/9/2003 TWHbreeders msg #71565  12/9/2003 Soft Bounce
12/9/2003 ColorfulDilutes msg #5887  12/9/2003 Soft Bounce
11/18/2003 ColorfulDilutes msg #5082  11/18/2003 Soft Bounce

Last Bounced Message
Remote host said: 550 5.7.1 Virus detected by ClamAV -
http://clamav.elektrapro.com
**

I'm pretty confident that legitimate yahoo mail would be virus free, and
that they're getting a false positive from clamav... Can this problem be
reproduced I wonder?  Has anyone else heard a similar complaint?

We use sendmail with clamav-milter

-Troy


Thanks,
Kelly or Troy
WCTA Internet helpdesk
837-6400 or 1-877-928-2638 (toll free)
8:00 am to 8:00 pm Mon thru Fri
9:00 am to Noon Sat





Re: [Clamav-users] SCO.A virus

2004-01-28 Thread Christopher X. Candreva
On Mon, 26 Jan 2004, Rick Macdougall wrote:

 I've blocked over 1000 of them in the last hour or so since I forced a
 freshclam.

Oddly enough, Spam Assassin picked one up for me at 4:45 PM EST here. At
4:50, my hourly cron job ran, updated the DB, and I've been filtering them
ever since.

Seem to be getting roughly 100/hour

==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/




[Clamav-users] Re: SCO virus not detected in bounces

2004-01-28 Thread Virgo Pärna
 the end of the bounce message. Although I'm sure the MIME is no longer set up 
 right so it may be harmless, Norton seems to catch these while ClamAV does 


It's not only a problem with the ClamAV MIME unpacker - even ripmime is
unable to extract the attachment in the body of the bounce message.
For example, I ran ripmime (v1.3.0.6 - 14/01/2004) on the bounce message,
it extracted its body as textfile0, when I ran ripmime on textfile0
it extracted textfile0_1, when run on textfile0_1 it extracted
textfile0_2, when run on textfile0_2 it extracted textfile0_3,
textfile1, textfile2, doc.zip and textfile3. 

-- 
Virgo Pärna 
[EMAIL PROTECTED]





Re: [Clamav-users] http file uploads PHP Clamav

2004-01-28 Thread Nigel Horne
   Does anyone know how to use clamscan to scan http web uploads on an
 Apache/PHP server?

Someone has written a mod_clamav module. Try searching on Google for it.

 David

-Nigel

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk





Re: [Clamav-users] fyi: 0.65 on OSX

2004-01-28 Thread Mark Edwards
Well, despite my better judgement I decided to go ahead and install 
clamav-devel-20040110 on my OSX 10.1.5 machine.  Seems to work well, as 
far as I can tell.  Tests run fine.

The only issues I've had are freshclam's -c flag seems broken:

[dina:/var/log/clamav] engineer% sudo freshclam -d -c 2
ERROR: Can't parse the config file 2

The other issue is that freshclam seems to generate more errors than 
earlier versions, like so:

ClamAV update process started at Fri Jan 23 16:07:00 2004
main.cvd is up to date (version: 18, sigs: 19810, f-level: 1, builder: 
tomek)
ERROR: Can't get information about 212.162.12.159 host.
ERROR: Connection with database.clamav.net (IP: ???) failed.
Trying again...
ClamAV update process started at Fri Jan 23 16:07:02 2004
main.cvd is up to date (version: 18, sigs: 19810, f-level: 1, builder: 
tomek)
ERROR: Can't get information about 193.126.14.29 host.
ERROR: Connection with database.clamav.net (IP: ???) failed.
Trying again...
ClamAV update process started at Fri Jan 23 16:07:03 2004
main.cvd is up to date (version: 18, sigs: 19810, f-level: 1, builder: 
tomek)
daily.cvd is up to date (version: 99, sigs: 581, f-level: 1, builder: 
tomek)

But, it often doesn't generate errors, and it seems to stay up to date 
okay.

Other than that, it seems to work great under OSX 10.1.5.





Re: [Clamav-users] RE: Clamav-milter not installing

2004-01-28 Thread Nigel Horne
On Wednesday 28 Jan 2004 12:52 am, James Nelson wrote:
 Not that I am aware of.  I installed sendmail from the src files not an RPM

In that case, did you install libmilter?

-Nigel

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk





Re: [Clamav-users] sending bounces

2004-01-28 Thread Nigel Horne
On Wednesday 28 Jan 2004 12:03 am, Jure Pear wrote:

 This would greatly reduce the work for mail administrators, with only
 minimal changes to av engines and wrappers around them (like amavisd-new &
 co).

Yes it's a good idea but it can't be trusted
and we still need a solution here. I am working at finding a solution.

The number of systems admins that still
contact me telling me I have a virus on the back of a faked from address including
my address and then when I point out the fake address problem get into an
argument saying it's my site at fault not theirs is worrying for the profession.

If systems administrators can't even be trusted to set up systems correctly
to not bounce on trapping a worm how can they be trusted to update to an AV
system that supports some new flag?

 What are clamav team and other users opinions about this?

-Nigel

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk





Re: [Clamav-users] clamav-milter

2004-01-28 Thread Kritof Petr
Mailing Lists wrote:

I got clamd+clamav-milter working on my Redhat 9 mail server and it is 
blocking all of the latest worms. My question is this.

Does clamav-milter delete these emails or move them to some quarantine 
directory. I am using a default rpm install from 
http://crash.fce.vutbr.cz/crash-hat/1/clamav/
This is clamav-0.65 version. AFAIK, 0.65 doesn't support quarantine.
CVS snapshot with quarantine dir enabled is on
http://crash.fce.vutbr.cz/crash-hat/testing/1/clamav/
I'm running the cvs version on my personal workstation for about a week and it 
looks fine.

Petr





Re: [Clamav-users] SCO.a

2004-01-28 Thread Shawn Tayler

I am curious,

It appears that I have missed something very important in my Clamav setup,
0.65, in that I have several examples of Maildir files that contain a
known, detectable virus, that will not show as containing such unless the
file is converted to binary from mime.  

I use the --mbox and --unzip options but still no go.  I do apologize if
this is old hat, but I'd appreciate a point in the right direction on this.

Shawn

On Mon, 26 Jan 2004 21:11:50 -0600 McKeever Chris [EMAIL PROTECTED]
exclaimed:

 clamscan is finding the SCO.a fine after the attachment has been decoded
 out of an email:
 
 /var/spool/qmailscan/quarantine/new/body.pif: Worm.SCO.A FOUND
 
 but it will not find it while it is still in the body of the attachment
 mime encoded.
 
 /var/spool/qmailscan/quarantine/new/prupref-mailgate10751714524615485: OK
 
 
 Content-Type: application/octet-stream; name=body.pif
 Content-Transfer-Encoding: base64
 Content-Description: body.pif
 Content-Disposition: attachment; filename=body.pif
 
 TVqQAAME//8AALgAQAAA
 qAAA
 
 
 
 Any suggestions?  It finds other virii fine when they are still encoded,
 maybe the definitions need to be added for its MIME version?
 
 thanks
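
The gap reported here (the decoded body.pif is flagged, the mail file still holding it as base64 is not) and the repeated ripmime passes Virgo Pärna describes for bounces both come down to how many layers are decoded before matching. The following added example, which is not ClamAV or ripmime code, shows both layers on constructed messages. The marker bytes, the addresses, the `HEADER_LINE` heuristic and all function names are assumptions of this sketch.

```python
import email
import re
from email import policy
from email.message import EmailMessage

MAX_DEPTH = 8  # refuse pathological nesting instead of recursing without bound

# Constructed, harmless stand-in for the attachment bytes a signature would match.
MARKER = b"CONSTRUCTED-TEST-PAYLOAD-NOT-MALWARE"

# Heuristic (an assumption of this sketch): a header line that starts a pasted message.
HEADER_LINE = re.compile(
    rb"^(?:Return-Path|Received|From|MIME-Version|Content-Type):[ \t]", re.M | re.I)


def build_original() -> bytes:
    """Constructed mail carrying body.pif as a base64 application/octet-stream part."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "rcpt@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment\n")
    msg.add_attachment(MARKER, maintype="application", subtype="octet-stream",
                       filename="body.pif")
    return msg.as_bytes()


def build_text_bounce(original: bytes) -> bytes:
    """Constructed bounce that pastes the original into its text/plain body."""
    return (b"From: MAILER-DAEMON@example.invalid\n"
            b"Subject: Undelivered mail\n"
            b"Content-Type: text/plain\n"
            b"\n"
            b"Delivery failed. The original message follows.\n\n" + original)


def extract_attachments(raw: bytes, depth: int = 0):
    """Yield (depth, filename, decoded bytes) for every attachment reachable from raw."""
    if depth > MAX_DEPTH:
        raise ValueError("message nesting exceeds MAX_DEPTH")
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():  # walk() also descends into message/rfc822 parts
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        filename = part.get_filename()
        if filename:
            yield depth, filename, payload
        elif part.get_content_type() == "text/plain":
            # A bounce may carry the original as plain text: parse that text again.
            start = HEADER_LINE.search(payload)
            if start:
                yield from extract_attachments(payload[start.start():], depth + 1)


def raw_scan_hits(raw: bytes) -> bool:
    """What a byte-pattern match sees when it is run over the undecoded file."""
    return MARKER in raw


def decoded_scan_hits(raw: bytes) -> bool:
    """The same match run over each decoded attachment."""
    return any(MARKER in data for _depth, _name, data in extract_attachments(raw))


if __name__ == "__main__":
    original = build_original()
    bounce = build_text_bounce(original)
    for label, raw in (("original", original), ("bounce", bounce)):
        found = [(d, n) for d, n, _ in extract_attachments(raw)]
        print(label, "raw:", raw_scan_hits(raw),
              "decoded:", decoded_scan_hits(raw), "parts:", found)
```

The depth reported for the bounce is the number of extra parse passes needed, which is the same effect as re-running an unpacker on its own output.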




Re: [Clamav-users] clamav-milter

2004-01-28 Thread Kritof Petr
Jason Holland wrote:

Richard,

I had this very problem today on a fedora box.  By default, with those
rpm's, it doesn't seem to do anything.  The virus is detected, but the
email is allowed to pass through.  I messed with this for a few hours and
could not get it to do anything with the email.
 

This package is configured and built to silently discard email when 
virus is detected.
NONE of sender or recipient or postmaster is notified. Name of the virus 
is logged
to the log file. But the virus doesn't pass through!

If you have different experience, then there is something wrong on your 
system.

Can you examine your system and let us know the result, please?

clamav-milter behaviour is configured via option described on man page.

So, I just finished building a new rpm from the cvs snapshot last night
and it is doing what it should.  Emails are showing up as flagged in
/var/log/maillog and I have them quarantined to another account via a
clamav-milter config option, all automatically.  That quarantine option is
not available in the 0.65 release though.  If you like, I can pass you the
rpm or spec file.
 

The testing package based on cvs with quarantine-dir option is on
http://crash.fce.vutbr.cz/crash-hat/testing/1/clamav/
OK. Can you send me your modification of spec file?

Thanks
Petr






Re: [Clamav-users] SCO.a

2004-01-28 Thread Matt
I dunno but I had to restart clamd on all my servers this morning to get
it to notice them.. is that normal?

On Tue, 2004-01-27 at 10:24, Erick Ivaan Lopez Carreon wrote:
 On Tue, 27-01-2004 at 02:52, Nigel Horne wrote:
  On Tuesday 27 Jan 2004 3:11 am, McKeever Chris wrote:
  
   Any suggestions?  It finds other virii fine when they are still encoded,
   maybe the definitions need to be added for its MIME version?
  
  Please forward an *original* copy (hmm, that's a contradiction in terms)
  of the e-mail to me at [EMAIL PROTECTED] and I'll look into it.
  
   Chris McKeever
   If you want to reply directly to me, please use
   cgmckeever--at--prupref---dot---com http://www.prupref.com
  
  -Nigel
 
 I have some servers with clamav 0.54 and 0.60 and both detect the
 SCO.a fine:
 
 --
 
 The virus checker has found potentially malicious code in a mail by
 [EMAIL PROTECTED]. Delivery has been stopped.
 
 The recipient(s) for this message were:
 
 [EMAIL PROTECTED]
 
 The message has been quarantined as
 4015e43a-1b1d.msg.
 
 The corresponding logfile has been written to
 4015e43a-1b1d.log.
 
 CLAM Anti Virus found:
  Worm.SCO.A
 
 -
 
 
 
 
 
 
-- 
Matt [EMAIL PROTECTED]





Re: [Clamav-users] clamav-milter

2004-01-28 Thread Kritof Petr
Mailing Lists wrote:

Sure, do you have the src RPM so I can build for RH9 or will Fedora 
binary work? I am running 0.60, not 0.65

Richard,

it is not a good idea to install fedora binaries on old RH versions.
Rebuild src package on your system and the result will be better.
BTW, clamav-0.60 is very old. It has less features and has worse
stability.
Petr





Re: [Clamav-users] SCO.a

2004-01-28 Thread McKeever Chris
Nigel - I sent a message to you that made it through the system after I turned off the 
second AV for the mail.
so that is an *original* copy of an email that got through

thanks

---
Chris McKeever
If you want to reply directly to me, please use cgmckeever--at--prupref---dot---com
http://www.prupref.com

On Tue, 27 Jan 2004 06:31 , Shawn Tayler [EMAIL PROTECTED] sent:



Nigel,

I have several examples of this.  Even with older virii.

Would you be interested in them as well?

Shawn

On Tue, 27 Jan 2004 08:52:58 + Nigel Horne [EMAIL PROTECTED]
exclaimed:

 On Tuesday 27 Jan 2004 3:11 am, McKeever Chris wrote:
 
  Any suggestions?  It finds other virii fine when they are still
  encoded, maybe the definitions need to be added for its MIME version?
 
 Please forward an *original* copy (hmm, that's a contradiction in terms)
 of the e-mail to me at [EMAIL PROTECTED] and I'll look into it.
 
  Chris McKeever
  If you want to reply directly to me, please use
  cgmckeever--at--prupref---dot---com http://www.prupref.com
 
 -Nigel
 
 -- 
 Nigel Horne. Arranger, Composer, Typesetter.
 NJH Music, Barnsley, UK.  ICQ#20252325
 [EMAIL PROTECTED] http://www.bandsman.co.uk
 
 
 
 






 Prudential Preferred Properties   www.prupref.com  





RE: [Clamav-users] SCO.a

2004-01-28 Thread Jim Maul
I am having this problem as well.  I have about 20 emails in my quarantine
which my qmail-scanner blocked because they had .exe or .pif attachments.
We have these attachment types blocked for security reasons.  However it
turns out these attachments all had virii in them.  Some flat out .exe
attachments, some .exe attachments in zip files and some that are using
different types of encoding to fool virus scanners.  I ran clamdscan on my
quarantine folder and NO messages are found to contain the Mydoom/Novarg
virus.  I know for a fact at least 5 are infected.  I ran freshclam twice
this morning and it got updates both times.

I am running clamd 0.65 and my virus defs are as follows:

ClamAV update process started at Tue Jan 27 09:38:23 2004
main.cvd is up to date (version: 19, sigs: 19987, f-level: 1, builder:
ddm)
daily.cvd updated (version: 108, sigs: 593, f-level: 1, builder: ddm)
Database updated (20580 signatures) from database.clamav.net
(207.201.202.73).

Everything looks good yet Novarg is NOT detected.

Thanks

Jim Maul
Eastern Long Island Hospital
631-477-5417

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Shawn
 Tayler
 Sent: Tuesday, January 27, 2004 9:31 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Clamav-users] SCO.a




 Nigel,

 I have several examples of this.  Even with older virii.

 Would you be interested in them as well?

 Shawn

 On Tue, 27 Jan 2004 08:52:58 + Nigel Horne [EMAIL PROTECTED]
 exclaimed:

  On Tuesday 27 Jan 2004 3:11 am, McKeever Chris wrote:
 
   Any suggestions?  It finds other virii fine when they are still
   encoded, maybe the definitions need to be added for its MIME version?
 
  Please forward an *original* copy (hmm, that's a contradiction in terms)
  of the e-mail to me at [EMAIL PROTECTED] and I'll look into it.
 
   Chris McKeever
   If you want to reply directly to me, please use
   cgmckeever--at--prupref---dot---com http://www.prupref.com
 
  -Nigel
 
  --
  Nigel Horne. Arranger, Composer, Typesetter.
  NJH Music, Barnsley, UK.  ICQ#20252325
  [EMAIL PROTECTED] http://www.bandsman.co.uk
 
 
 
 




Re: [Clamav-users] Suggestion: Read list of files to scan from file/stdin {Scanned}

2004-01-28 Thread Jo Mills
On Wed, Jan 28, 2004 at 08:20:41AM +0100, Tomasz Kojm wrote:
 On Tue, 27 Jan 2004 15:23:56 -0800 (PST)
 Ryan Finnie [EMAIL PROTECTED] wrote:
 
  find /path -ctime -1 -exec clamscan \{\} \;
  
  but that invokes clamscan for EVERY matching file found.  Instead, I
  would like to request that a new flag, say -f, be added to
  clamscan/clamdscan that takes a list of files, one file per line, from
  a file (-f file) or stdin (-f -).  That way you could do:
  
  find /path -ctime -1 | clamscan -i -f -
  
  or:
  
  find /path -ctime -1 > /tmp/toscan
  clamscan -i -f /tmp/toscan
  
  and put it in a nightly cron job.  What do you think?
 
 You can use the CVS version - clamscan supports multiple file arguments
 from command line, and build a script that executes clamscan on a bunch
 of files. You can fall into a problem with special characters and
 spaces, though.

Just a thought - perhaps you could modify the tob (Tape Orientated
Backup) scripts to do this.  Tob supports full, incremental and
differential file listings.

Jo.

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.
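
The batching requested in this thread can be done outside clamscan, shown here as an added example that is not clamscan's or the posters' code. It assumes a clamscan that accepts several file arguments, as Tomasz says the CVS version does; `recent_files`, `batches` and `scan_recent` are hypothetical helper names, and passing an argument list with no shell is what keeps spaces and special characters in file names inert.

```python
import os
import stat
import subprocess
import time


def recent_files(root, max_age=86400, now=None):
    """Regular files under root whose ctime is less than max_age seconds old
    (roughly the set that `find root -ctime -1` selects)."""
    now = time.time() if now is None else now
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks out of root
            except OSError:
                continue  # file vanished between listing and stat
            if stat.S_ISREG(st.st_mode) and now - st.st_ctime < max_age:
                yield path


def batches(paths, base_cmd=("clamscan", "-i"), max_bytes=100_000):
    """Group paths into argv lists so each invocation stays below max_bytes
    of path arguments; a single over-long path still gets its own batch."""
    batch, size = [], 0
    for path in paths:
        need = len(os.fsencode(path)) + 1
        if batch and size + need > max_bytes:
            yield [*base_cmd, *batch]
            batch, size = [], 0
        batch.append(path)
        size += need
    if batch:
        yield [*base_cmd, *batch]


def scan_recent(root, base_cmd=("clamscan", "-i")):
    """Run the scanner once per batch and return the highest exit status seen."""
    worst = 0
    for argv in batches(recent_files(root), base_cmd):
        # argv is a list and no shell is involved, so every file name reaches
        # the scanner as exactly one argument, whatever characters it contains.
        worst = max(worst, subprocess.run(argv).returncode)
    return worst


if __name__ == "__main__":
    import sys
    sys.exit(scan_recent(sys.argv[1] if len(sys.argv) > 1 else "."))
```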





Re: [Clamav-users] clamav-milter

2004-01-28 Thread Jason Holland

 Richard,
 
 I had this very problem today on a fedora box.  By default, with those
 rpm's, it doesn't seem to do anything.  The virus is detected, but the
 email is allowed to pass through.  I messed with this for a few hours and
 could not get it to do anything with the email.
 
 

 This package is configured and built to silently discard email when
 virus is detected.
 NONE of sender or recipient or postmaster is notified. Name of the virus
 is logged
 to the log file. But the virus doesn't pass through!

 If you have different experience, then there is something wrong on your
 system.

 Can you examine your system and let us know the result, please?


I was using 0.65 release, and from what I could see from the logs, the
emails were passed through, along with the virus.  This particular
behavior was on a RedHat 9 box, running sendmail 8.12.8-9.90.  But I also
tested that same rpm, rebuilt from src rpm, on a fedora box and it did the
same thing.  That's when I decided to try cvs.

 clamav-milter behaviour is configured via option described on man page.

 So, I just finished building a new rpm from the cvs snapshot last night
 and it is doing what it should.  Emails are showing up as flagged in
 /var/log/maillog and I have them quarantined to another account via a
 clamav-milter config option, all automatically.  That quarantine option is
 not available in the 0.65 release though.  If you like, I can pass you the
 rpm or spec file.
 
 

 The testing package based on cvs with quarantine-dir option is on
 http://crash.fce.vutbr.cz/crash-hat/testing/1/clamav/


Ah, very nice!!  This is what I needed.  Could someone include this link
on the clamav binary download page near the one for RedHat/Fedora rpms??
This would be helpful for other people who want to test the new features
in cvs, but don't want to mess with building a spec file.


 OK. Can you send me your modification of spec file?


Spec file is below, though I'll probably use your version above from now
on.  The only modifications I made to the spec file were to take out the
patches, since I could not get them to apply cleanly, some additions for
an /etc/freshclam.conf file, and an upgrade to logwatch 0.23.  I like your
spec file better though.  Thanks for posting the link!

Jason



--- clamav.spec ---

# Conditional build (--with/--without option)
#   --without milter
Summary:        An antivirus toolkit for Unix
Name:           clamav
Version:        0.66
Release:        1beta
Epoch:          32
License:        GPL
Group:          Applications/System
URL:            http://www.clamav.net/
Source0:        http://download.sf.net/clamav/%{name}-%{version}.tar.gz
Source1:        clamd.sh
Source2:        clamav-milter.sh
Source3:        freshclam.sh
Source4:        clamav-milter.sysconfig
Source6:        clamd.logrotate
Source7:        freshclam.logrotate
Source8:        http://www.schimkat.dk/clamav/clamav-milter-logwatch-0.23.tar.gz
Source9:        RPM-clamav-milter.txt
BuildRequires:  autoconf automake
BuildRoot:      %{_tmppath}/%{name}-%{version}-root

%description
Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose of this
software is the integration with mail servers (attachment scanning).
The package provides a flexible and scalable multi-threaded daemon,
a command line scanner, and a tool for automatic updating via Internet.
The programs are based on a shared library distributed with package,
which you can use with your own software.
Most importantly, the virus database is kept up to date.


%if %{!?_without_milter:1}%{?_without_milter:0}
%package milter
Summary:        Clamav milter
Group:          System Environment/Daemons
License:        GPL
Requires:       %{name} = %{epoch}:%{version}-%{release}
Requires:       sendmail >= 8.11
BuildRequires:  sendmail-devel >= 8.11

%description milter
ClamAV sendmail filter using MILTER interface.
%endif

%package devel
Summary:        Clamav - Development header files and libraries
Group:          Development/Libraries
Requires:       %{name} = %{epoch}:%{version}-%{release}

%description devel
This package contains the development header files and libraries
necessary to develop your own clamav based applications.


%prep
%setup -q
%setup -D -a 8


%build
%configure \
--enable-debug \
--program-prefix=%{?_program_prefix} \
%{!?_without_milter:--enable-milter} \
--enable-id-check \
--disable-clamav \
--with-user=clamav \
--with-group=clamav \
--with-dbdir=%{_localstatedir}/lib/clamav
%{__make}


%install
rm -rf $RPM_BUILD_ROOT

install -d $RPM_BUILD_ROOT%{_initrddir}/
install -d $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/
install -d $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/
install -d $RPM_BUILD_ROOT%{_sysconfdir}/log.d/scripts/services/
install -d $RPM_BUILD_ROOT%{_sysconfdir}/log.d/conf/services/
install -d $RPM_BUILD_ROOT%{_localstatedir}/lib/clamav/
install -d $RPM_BUILD_ROOT%{_localstatedir}/log/clamav/

RE: [Clamav-users] RE: Clamav-milter not installing

2004-01-28 Thread james nelson
My make log is indicating it's not even trying to make the clamav-milter.

Making all in clamav-milter
make[1]: Entering directory `/usr/src/clamav-0.65/clamav-milter'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/usr/src/clamav-0.65/clamav-milter'
make[1]: Entering directory `/usr/src/clamav-0.65'
make[1]: Nothing to be done for `all-am'.
make[1]: Leaving directory `/usr/src/clamav-0.65'

That's the very tail end of the make log.  Any clues why it is not even
trying to build it, even though the appropriate flag is used as posted
previously, and the .configure log appears to show everything is ok.  The
only no flags I have are for the bzip stuff, is bzip required for
clamav-milter to install?






Re: [Clamav-users] Solaris 8 Unzipping Issue

2004-01-28 Thread Tomasz Kojm
On Thu, 22 Jan 2004 15:40:17 -0600
Sean Tempesta [EMAIL PROTECTED] wrote:

 Basically, the error exim receives from clam is:
 /var/spool/exim/scan/1AjmNJ-0007VL-Jw/1AjmNJ-0007VL-Jw-0.com: Zip
 module failure. ERROR 

Please send me some sample that causes clamscan to generate this error.
If this is an issue with all zip files please send me complete info of
your system (architecture, full output from ./configure, etc.).

Best regards,
Tomasz Kojm
-- 
  oo.   [EMAIL PROTECTED] www.ClamAV.net
 (\/)\. http://www.clamav.net/gpg/tkojm.gpg
\..._   0DCA5A08407D5288279DB43454822DC8985A444B
  //\   /\  Fri Jan 23 21:59:06 CET 2004




[Clamav-users] Freshclam timeout with version devel-20040127 is too short {Scanned}

2004-01-28 Thread Jo Mills
Hi,

I have tried to use freshclam from the cvs version devel-20040127, but
after 20 minutes it times out.  My job shows the following:

 Starting the daily download of the clamAV virus databases to the 
 Labserver at Wed Jan 28 11:39:26 GMT 2004
 WARNING: Proxy settings are now only configurable in the config file.
 ClamAV update process started at Wed Jan 28 11:39:26 2004
 Connecting via proxy.littleport
 Reading CVD header (main.cvd): OK
 ERROR: Maximal time (1200 seconds) reached.

 Completed the daily download of the clamAV virus databases at Wed 
 Jan 28 11:59:26 GMT 2004

 Freshclam return value was 1

The Labserver is an AMD Duron box running Debian Woody.  Our Internet
connection is uncontested, symmetrical at 512 Kbps.  We are located
just north of Cambridge in the UK.  My mirrors.txt is shown below:

 clamav.inet6.fr
 clamav.e-admin.de
 clamav.fisher.hu
 clamav.essentkabel.com
 clamav.exsilia.net
 #clamav.ozforces.com
 #clamav.elektrapro.com
 #clamav.essentkabel.com
 #clamav.linux-sxs.org
 #clamav.rulez.pl
 #clamav.org

I have never known freshclam take less than 30 minutes to complete,
sometimes it can take up to an hour!  The timeout for freshclam
doesn't appear to be configurable.  Any suggestions?

Jo.




[Clamav-users] Clamdscan problem

2004-01-28 Thread Jose R. Ortiz Ubarri
# clamdscan readme.zip
/root/readme.zip: Can't access the file ERROR
 
--- SCAN SUMMARY ---
Infected files: 0
Time: 0.001 sec (0 m 0 s)


And everything I try to scan gives me the same ERROR.





Re: [Clamav-users] Suggestion: Read list of files to scan from file/stdin

2004-01-28 Thread Tomasz Papszun
On Tue, 27 Jan 2004 at 15:23:56 -0800, Ryan Finnie wrote:
 
 I was looking for a way to set up a cron job to, once per day, scan only
 files that have changed in the last day.  find works pretty well for that,
 but the question is how to get the data to clamscan.  My first thought was
 xargs, but xargs isn't the most consistent when dealing with spaces/quotes
 in filenames, 

For a tip, read on...

 and plus you have a limit on the total size of args passed
 to a program.  The current best working solution would be to do this:
 
 find /path -ctime -1 -exec clamscan \{\} \;
 
 but that invokes clamscan for EVERY matching file found.  Instead, I would

To minimize wasting time and resources on invoking clamscan for multiple
files, use clamdscan.

 like to request that a new flag, say -f, be added to clamscan/clamdscan
 that takes a list of files, one file per line, from a file (-f file) or
 stdin (-f -).  That way you could do:
 
 find /path -ctime -1 | clamscan -i -f -
 
 or:
 
 find /path -ctime -1 > /tmp/toscan
 clamscan -i -f /tmp/toscan
 
 and put it in a nightly cron job.  What do you think?
 
 RF

Tips related to filenames with spaces, quotes etc.:

find /path -ctime -1 -print0 | xargs -0r command


man find:
   -print0
  True; print the full file name on the standard output,
  followed by a null character.  This allows file names
  that contain newlines to be correctly interpreted by
  programs that process the find output.


man xargs:
   --null, -0
  Input filenames are terminated by a null character
  instead of by whitespace, and the quotes and backslash
  are not special (every character is taken literally).
  Disables the end of file string, which is treated like
  any other argument.  Useful when arguments might contain
  white space, quote marks, or backslashes.  The GNU find
  -print0 option produces input suitable for this mode.

   --no-run-if-empty, -r
  If the standard input does not contain any nonblanks,
  do not run the command.  Normally, the command is run
  once even if there is no input.


-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner


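The find -print0 | xargs -0r pipeline from the reply above, wrapped into a nightly "scan what changed" job. This is an added example, not code from the thread: the names SCANNER and scan_recent are assumptions, it needs GNU find and xargs, and it assumes a clamscan that accepts several file arguments plus the -i and --no-summary options.

```shell
#!/bin/sh
# Added example, not from the thread. SCANNER and scan_recent are names
# assumed for this sketch; the scanner must accept several file arguments.
SCANNER=${SCANNER:-clamscan}

# scan_recent DIR [DAYS]
# Scans regular files whose status changed within DAYS days (default 1).
# Returns 0 = nothing found, 1 = at least one FOUND line, 2 = error.
scan_recent() {
    dir=$1
    days=${2:-1}
    if [ ! -d "$dir" ]; then
        echo "scan_recent: not a directory: $dir" >&2
        return 2
    fi

    # -print0 / -0 : names are NUL-terminated, so spaces, quotes and
    #                newlines cannot split or merge arguments.
    # -r           : no scanner run at all when nothing changed.
    # xargs packs as many names as fit into each scanner invocation,
    # so the scanner starts once per batch, not once per file.
    rc=0
    out=$(find "$dir" -type f -ctime "-$days" -print0 |
          xargs -0 -r "$SCANNER" -i --no-summary) || rc=$?
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
    fi

    case $rc in
        0) return 0 ;;
        123)
            # xargs reports 123 when any scanner run exited 1..125, which
            # covers both "virus found" (1) and "scanner error" (2), so
            # the output decides which of the two it was.
            if printf '%s\n' "$out" | grep -q ' FOUND$'; then
                return 1
            fi
            return 2 ;;
        *) return 2 ;;
    esac
}

# Cron usage (the path is a placeholder):
#   scan_recent /srv/files 1
```

Setting SCANNER=clamdscan reuses the running daemon, as suggested in the reply, provided clamd can read the files being scanned.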


Re: [Clamav-users] SCO virus - Clam 0.65

2004-01-28 Thread Thomas Lamy
Andrzej Zawadzki wrote:
Brian Read wrote:

At 14:57 27/01/2004, you wrote:

I am using Amavis-ng, and the amavisd.conf doesn't seem to have that 
line in it.  However it does seem to know about other ones which spoof 
the reply, so i guess it must be somewhere?


Probably... but try to change to amavisd-new, I think it is better - that's 
my opinion of course ;-)

I second that.

Thomas



[Clamav-users] SOT: SCO.A disappearing?

2004-01-28 Thread Jeffrey L. Taylor
I noticed that the virus count has dropped back to pre-SCO.A levels
starting around 0330 UTC this morning. I have not seen a single SCO.A
since then.  Has anyone also seen this?

Jeffrey




Re: [Clamav-users] clamav-milter

2004-01-28 Thread Mailing Lists
Kritof Petr wrote:

Mailing Lists wrote:

Sure, do you have the src RPM so I can build for RH9 or will Fedora 
binary work? I am running 0.60, not 0.65

Richard,

it is not a good idea to install Fedora binaries on old RH versions.
Rebuild src package on your system and the result will be better.
BTW, clamav-0.60 is very old. It has less features and has worse
stability.
Petr



Thanks for the info. I downloaded the CVS src rpm and rebuilt for our 
server and things are running fine now it seems. Thanks for all the help.

--

Richard Humphrey



Re: [Clamav-users] SCO virus - Clam 0.65

2004-01-28 Thread Erick Ivaan Lopez Carreon
On Wed, 28-01-2004 at 06:58, Thomas Lamy wrote:
 Andrzej Zawadzki wrote:
  Brian Read wrote:
  
  At 14:57 27/01/2004, you wrote:
 
 
  I am using Amavis-ng, and the amavisd.conf doesn't seem to have that 
  line in it.  However it does seem to know about other ones which spoof 
  the reply, so i guess it must be somewhere?
  
  
  Probably... but try to change to amavisd-new, I think it is better - that's 
  my opinion of course ;-)
  
 I second that.
 
 Thomas
 

Could anybody give some clues on implementing such a feature using
amavis-ng?

Thanks in advance

 


[Clamav-users] Worm.SCO.A

2004-01-28 Thread Patricia Viana



Hi.

 My SMTP filter running ClamAV is blocking a huge amount of messages with 
the Worm.SCO.A.
 It seems to be the same virus as MyDoom or Novarg.
 Can anyone confirm this?!

 Thanks.




Att,
Patrícia Viana
Network Administrator
Eletrobolt Power Plant - Rio de Janeiro - BRAZIL
Tel: +55 (21) 2665-9236
Cel: +55 (21) 9351-0007
Fax: +55 (21) 2665-9248
mailto:[EMAIL PROTECTED]

Visit us @www.eletrobolt.com.br!


Re: [Clamav-users] SOT: SCO.A disappearing?

2004-01-28 Thread Kelsey Cummings
On Wed, Jan 28, 2004 at 04:19:05PM -0600, Jeffrey L. Taylor wrote:
 I noticed that the virus count has dropped back to pre-SCO.A levels
 starting around 0330 UTC this morning. I have not seen a single SCO.A
 since then.  Has anyone also seen this?

No; I'm still seeing ~40 viruses a minute as opposed to ~5 before its
outbreak.

-- 
Kelsey Cummings - [EMAIL PROTECTED]   sonic.net, inc.
System Administrator  2260 Apollo Way
707.522.1000 (Voice)  Santa Rosa, CA 95407
707.547.2199 (Fax)http://www.sonic.net/
Fingerprint = D5F9 667F 5D32 7347 0B79  8DB7 2B42 86B6 4E2C 3896




Re: [Clamav-users] RE: Clamav-milter not installing

2004-01-28 Thread Nigel Horne
On Wednesday 28 Jan 2004 4:37 pm, james nelson wrote:

 That's the very tail end of the make log.  Any clues why it is not even
 trying to build it, even though the appropriate flag is used as posted
 previously, and the .configure log appears to show everything is ok.  The
 only no flags I have are for the bzip stuff, is bzip required for
 clamav-milter to install?

You haven't got libmilter on your system. Look for /usr/include/libmilter.
On Redhat (and its derivatives) install the sendmail-devel RPM.

-Nigel


-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk





Re: [Clamav-users] Solaris 8 Unzipping Issue

2004-01-28 Thread Nigel Kukard
I have LOTS of samples, where can I send them to?




On Fri, Jan 23, 2004 at 10:27:56PM +0100, Tomasz Kojm wrote:
 On Thu, 22 Jan 2004 15:40:17 -0600
 Sean Tempesta [EMAIL PROTECTED] wrote:
 
  Basically, the error exim receives from clam is:
  /var/spool/exim/scan/1AjmNJ-0007VL-Jw/1AjmNJ-0007VL-Jw-0.com: Zip
  module failure. ERROR 
 
 Please send me some sample that causes clamscan to generate this error.
 If this is an issue with all zip files please send me complete info of
 your system (architecture, full output from ./configure, etc.).
 
 Best regards,
 Tomasz Kojm
 -- 
   oo. [EMAIL PROTECTED] www.ClamAV.net
  (\/)\.   http://www.clamav.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\Fri Jan 23 21:59:06 CET 2004






Re: [Clamav-users] Correction to my last post regarding viruses not found

2004-01-28 Thread José THOMAS
Hi all,

I think you should say clamscan with --mbox, because I haven't found a 
--mbox flag for clamdscan, isn't that so?

Nevertheless, if a similar flag exists for clamdscan (0.65 release), 
I would be very interested in it.

Best regards,

Jose THOMAS.

On 28 Jan 04, at 16:47, Jim Maul wrote:

Sorry to have bothered everyone with my problem here but I have found the
resolution.

Using the --mbox flag on the command line with clamdscan correctly
identifies about 95% of all viruses in email in my quarantine directory.

Thanks to all for the hints (changing softlimit and restarting clamd).

Hope this is of help to the others that are having similar problems.

Jim Maul
Eastern Long Island Hospital
631-477-5417




Re: [Clamav-users] Solaris 8 Unzipping Issue (my mistake)

2004-01-28 Thread Sean Tempesta
Tomasz,

Thank you for responding to my email.  I realized I made a blatant 
mistake in thinking there was a problem with Clam on Solaris.  The 
errors I am seeing are relating to Clam trying to unzip a file that is 
not a .zip file.  I have a small collection of viri that I have been 
feeding clam for testing purposes and the failures I was seeing were 
only on the non-zip ones.  Sorry about that.

Sean

On Jan 23, 2004, at 3:27 PM, Tomasz Kojm wrote:

On Thu, 22 Jan 2004 15:40:17 -0600
Sean Tempesta [EMAIL PROTECTED] wrote:
Basically, the error exim receives from clam is:
/var/spool/exim/scan/1AjmNJ-0007VL-Jw/1AjmNJ-0007VL-Jw-0.com: Zip
module failure. ERROR
Please send me some sample that causes clamscan to generate this error.
If this is an issue with all zip files please send me complete info of
your system (architecture, full output from ./configure, etc.).
Best regards,
Tomasz Kojm
--
  oo.   [EMAIL PROTECTED] www.ClamAV.net
 (\/)\. http://www.clamav.net/gpg/tkojm.gpg
\..._   0DCA5A08407D5288279DB43454822DC8985A444B
  //\   /\  Fri Jan 23 21:59:06 CET 2004




Re: [Clamav-users] SOT: SCO.A disappearing?

2004-01-28 Thread Daniel Andersen
On Thu, 29 Jan 2004 08:19, Jeffrey L. Taylor wrote:
 I noticed that the virus count has dropped back to pre-SCO.A levels
 starting around 0330 UTC this morning. I have not seen a single SCO.A
 since then.  Has anyone also seen this?

 Jeffrey

From my mail server's /var/log/messages: 
Jan 29 09:23:44 marlin clamd[1]: stream: Worm.SCO.A FOUND
Jan 29 09:23:46 marlin clamd[17801]: stream: Worm.SCO.A FOUND
Jan 29 09:23:56 marlin clamd[17999]: stream: Worm.SCO.A FOUND
Jan 29 09:23:56 marlin clamd[18003]: stream: Worm.SCO.A FOUND
Jan 29 09:24:09 marlin clamd[18376]: stream: Worm.SCO.A FOUND
Jan 29 09:24:25 marlin clamd[18703]: stream: Worm.SCO.A FOUND
Jan 29 09:24:44 marlin clamd[19102]: stream: Worm.SCO.A FOUND
Jan 29 09:24:50 marlin clamd[19171]: stream: Worm.SCO.A FOUND


No, still going strong here it seems.

Maybe you're just having a good day :)

Daniel



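To answer "has it stopped or not?" from the log rather than by eye, the clamd lines quoted above can be tallied per minute and per signature. This is an added example, not part of the thread: the function names found_per_minute, last_seen and sample_log are assumptions, and the parser expects the syslog layout shown in the post (month, day, time, host, clamd[pid]:, ..., signature, FOUND).

```shell
#!/bin/sh
# Added example, not from the thread. Function names are assumptions.

# found_per_minute: reads syslog lines on stdin, prints
#   "<Mon> <day> <HH:MM><TAB><signature><TAB><count>" for every clamd FOUND line.
found_per_minute() {
    awk '
    $5 ~ /^clamd(\[[0-9]+\])?:$/ && $NF == "FOUND" {
        minute = $1 " " $2 " " substr($3, 1, 5)   # drop the seconds
        sig = $(NF - 1)                           # name just before FOUND
        n[minute "\t" sig]++
    }
    END { for (k in n) print k "\t" n[k] }
    ' | sort
}

# last_seen SIGNATURE: prints the timestamp of the last matching FOUND line,
# or returns 1 if the signature never appears in the input.
last_seen() {
    awk -v sig="$1" '
    $5 ~ /^clamd(\[[0-9]+\])?:$/ && $NF == "FOUND" && $(NF - 1) == sig {
        t = $1 " " $2 " " $3
    }
    END { if (t != "") print t; else exit 1 }
    '
}

# Sample input: the eight clamd lines are the ones quoted in the post;
# the sendmail line and the "OK" line are constructed to show what is skipped.
sample_log() {
    cat <<'EOF'
Jan 29 09:23:44 marlin clamd[1]: stream: Worm.SCO.A FOUND
Jan 29 09:23:46 marlin clamd[17801]: stream: Worm.SCO.A FOUND
Jan 29 09:23:56 marlin clamd[17999]: stream: Worm.SCO.A FOUND
Jan 29 09:23:56 marlin clamd[18003]: stream: Worm.SCO.A FOUND
Jan 29 09:24:09 marlin clamd[18376]: stream: Worm.SCO.A FOUND
Jan 29 09:24:10 marlin sendmail[19000]: constructed non-clamd line
Jan 29 09:24:25 marlin clamd[18703]: stream: Worm.SCO.A FOUND
Jan 29 09:24:30 marlin clamd[18703]: stream: OK
Jan 29 09:24:44 marlin clamd[19102]: stream: Worm.SCO.A FOUND
Jan 29 09:24:50 marlin clamd[19171]: stream: Worm.SCO.A FOUND
EOF
}

# Against a live log:
#   found_per_minute < /var/log/messages
#   last_seen Worm.SCO.A < /var/log/messages
```

A signature whose last_seen time stops advancing while other signatures keep appearing points at the local database or daemon rather than at the outbreak ending, which is the check suggested elsewhere in this thread.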


Re: [Clamav-users] SOT: SCO.A disappearing?

2004-01-28 Thread Tomasz Papszun
On Wed, 28 Jan 2004 at 16:19:05 -0600, Jeffrey L. Taylor wrote:
 I noticed that the virus count has dropped back to pre-SCO.A levels
 starting around 0330 UTC this morning. I have not seen a single SCO.A
 since then.  Has anyone also seen this?
 

No. Many SCOs still arrive.
Better check if you still have its signature in your database. I can't
invent why you could not have it after you had it, but...

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner




Re: [Clamav-users] Re: SCO.a not being caught at all

2004-01-28 Thread Eric Wieling
Yay!  I'm not crazy!

On Wed, 2004-01-28 at 08:23, Dirk Meyer wrote:
 Eric Wieling wrote:
 
  Try clamscan rather than clamdscan.  I was having a similar problem and
  it started working when I used clamscan rather than clamdscan.  I
  assumed it was a config issue on my part, but
 
 I verified on 3 different systems (cvs 2004-01-20 running)
 clamscan detects, clamdscan not.
 
 When I stop clamd and start it again it works.
 
 Problem:
 after freshclam updates, clamd doesn't catch the new signatures.
 
 Question:
 How can I verify clamd runs with new signatures?
 So this problem can be tracked down?
 
 kind regards Dirk
 
 - Dirk Meyer, Im Grund 4, 34317 Habichtswald, Germany
 - [EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]
 
 
-- 
Go to http://www.digium.com/index.php?menu=documentation and look at
the Unofficial Links section.  This section has links to a wide
variety of 3rd party Asterisk related pages.  My page is the
Asterisk Resource Pages.

BTEL Consulting 504-899-1387 or 850-484-4545 or 877-677-9643





Re: [Clamav-users] SOT: SCO.A disappearing?

2004-01-28 Thread Rick Macdougall
Jeffrey L. Taylor wrote:

I noticed that the virus count has dropped back to pre-SCO.A levels
starting around 0330 UTC this morning. I have not seen a single SCO.A
since then.  Has anyone also seen this?
Jeffrey
Hi,

Nope, better check your settings.  I'm showing the same if not increased 
levels.

See the link below and check the Virus Flow, that's 99.9% SCO.A

http://mta001.aei.ca/qmailmrtg/

Regards,

Rick





Re: [Clamav-users] SOT: SCO.A disappearing?

2004-01-28 Thread Jeff Gojkovich
Nope, still getting hit with it.

--
Jeff

 I noticed that the virus count has dropped back to pre-SCO.A levels
 starting around 0330 UTC this morning. I have not seen a single SCO.A
 since then.  Has anyone also seen this?

 Jeffrey




Re: [Clamav-users] Zip module failure ERROR

2004-01-28 Thread Tomasz Kojm
On Tue, 27 Jan 2004 16:10:55 -0700
[EMAIL PROTECTED] wrote:

 Quoting Tomasz Kojm [EMAIL PROTECTED]:
 
  On Tue, 27 Jan 2004 12:18:11 -0700
  [EMAIL PROTECTED] wrote:
  
   I also figured out that the cause for this error is damaged ZIP
   archive.
  
  So there's no problem - clamd properly recognized and logged it.
  
 
 But why clamd dies then? If it's a damaged zip archive it should skip
 it, not die, isn't it?

Oh, I missed that ! Please try to catch some files for further analysis.

Best regards,
Tomasz Kojm
-- 
  oo.   [EMAIL PROTECTED] www.ClamAV.net
 (\/)\. http://www.clamav.net/gpg/tkojm.gpg
\..._   0DCA5A08407D5288279DB43454822DC8985A444B
  //\   /\  Wed Jan 28 08:22:10 CET 2004




Re: [Clamav-users] Suggestion: Read list of files to scan from file/stdin

2004-01-28 Thread Tomasz Kojm
On Tue, 27 Jan 2004 15:23:56 -0800 (PST)
Ryan Finnie [EMAIL PROTECTED] wrote:

 find /path -ctime -1 -exec clamscan \{\} \;
 
 but that invokes clamscan for EVERY matching file found.  Instead, I
 would like to request that a new flag, say -f, be added to
 clamscan/clamdscan that takes a list of files, one file per line, from
 a file (-f file) or stdin (-f -).  That way you could do:
 
 find /path -ctime -1 | clamscan -i -f -
 
 or:
 
 find /path -ctime -1 > /tmp/toscan
 clamscan -i -f /tmp/toscan
 
 and put it in a nightly cron job.  What do you think?

You can use the CVS version - clamscan supports multiple file arguments
from command line, and build a script that executes clamscan on a bunch
of files. You can fall into a problem with special characters and
spaces, though.

Best regards,
Tomasz Kojm
-- 
  oo.   [EMAIL PROTECTED] www.ClamAV.net
 (\/)\. http://www.clamav.net/gpg/tkojm.gpg
\..._   0DCA5A08407D5288279DB43454822DC8985A444B
  //\   /\  Wed Jan 28 08:17:06 CET 2004




Re: [Clamav-users] RE: Clamav-milter not installing

2004-01-28 Thread Tomasz Kojm
On Tue, 27 Jan 2004 16:39:25 -0800 (PST)
Nick Stephens [EMAIL PROTECTED] wrote:


 make[1]: *** No rule to make target `../docs/clamav-milter.8', needed
 by `all-am'.  Stop.
 make[1]: Leaving directory `/root/clamav-0.65/clamav-milter'
 make: *** [all-recursive] Error 1
 [/snip]

cd /root/clamav-0.65/docs
cp man/clamav-milter.8 clamav-milter.8

Best regards,
Tomasz Kojm
-- 
  oo.   [EMAIL PROTECTED] www.ClamAV.net
 (\/)\. http://www.clamav.net/gpg/tkojm.gpg
\..._   0DCA5A08407D5288279DB43454822DC8985A444B
  //\   /\  Wed Jan 28 08:07:29 CET 2004




Re: [Clamav-users] Worm.SCO.A

2004-01-28 Thread Kevin Spicer
On Wed, 2004-01-28 at 16:01, Patricia Viana wrote:
 Hi.
  
 My SMTP filter running ClamAV is blocking a huge amount of messages with the 
 Worm.SCO.A.
 It seems to be the same virus as MyDoom or Novarg.
 Can anyone confirm this?!
  
That is correct.

Clam had a signature whilst the commercial vendors were still busy
thinking up names, hence the difference.




BMRB International 
http://www.bmrb.co.uk
+44 (0)20 8566 5000


Re: [Clamav-users] Segmentation fault after database reload

2004-01-28 Thread Tomasz Kojm
On Tue, 27 Jan 2004 22:02:14 +
Steve King [EMAIL PROTECTED] wrote:

 - - Linux 2.4.18 (it was 2.4.10 when I first had this problem)
 - - KDE 3.1.5 (3.1.4 until recently)

Heh, KDE should not affect clamd ;-)

 - - I use clamuko, with dazuko version 1.2.2 (so when clamd crashes,

Please disable it - this is a source of your problems. If you really
need it, you can setup freshclam to restart the whole clamd after
database reload with --on-update-execute=/some/script/to/restart/clamd.
However I will try to fix the real problem ASAP.

Best regards,
Tomasz Kojm
-- 
  oo.   [EMAIL PROTECTED] www.ClamAV.net
 (\/)\. http://www.clamav.net/gpg/tkojm.gpg
\..._   0DCA5A08407D5288279DB43454822DC8985A444B
  //\   /\  Wed Jan 28 08:12:27 CET 2004

