[Clamav-users] Re: Some viruses go through

2004-04-06 Thread Mimmus
Sorry, sorry, sorry.
I had some troubles with subscription AND posting by a newsreader.

I don't think that it is a problem related to specific virus/message,
perhaps it is a fetchmail related issue.
I download messages from external POP3 accounts of my users using fetchmail
and then I relay them to their internal accounts, using Sendmail+ClamAV on
the same machine.
When fetchmail tries to relay an infected message, sendmail should answer with
'550 5.7.1 Virus detected by ClamAV'. And then?

Thanks again
Mimmus





---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470alloc_id=3638op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] clamav-0.70-rc make probs

2004-04-06 Thread Fajar A. Nugraha
Schmidt, Patrick wrote:

What's up? ./configure is done without errors, but make stop at the
beginning
(SuSE 8.2, kernel 2.4.20,gcc 3.3 20030226)
...
 

How about the recent CVS snapshot? Last one compiles and installs OK on 
my Fedora Core 2 test 2.
Usually some problems are already fixed in CVS versions.

Regards,

Fajar
--
Don't use GIF. Use PNG instead
http://www.gnu.org/philosophy/gif.html




[Clamav-users] not recognising virus in zip files

2004-04-06 Thread Regan Yelcich
I'm having problems with the SomeFool virus and zip files... here's 
what's happening...

If I upload the zip file to the server and run clamscan or clamdscan 
on the file it recognises the virus no problem.

If I extract the virus and send it to myself as a mail attachment it 
recognises the viruses no problem.

BUT... if I send the zip file which contains the virus to myself as a 
mail attachment, clam doesn't recognise the virus at all and just 
lets it through.

I have updated to:

	clamdscan / ClamAV version devel-20040406

but that doesn't seem to have fixed it.

Any ideas?

Regan



Re: [Clamav-users] not recognising virus in zip files

2004-04-06 Thread Antony Stone
On Tuesday 06 April 2004 11:57 am, Regan Yelcich wrote:

 I'm having problems with the SomeFool virus and zip files... here's
 what's happening...

 If I upload the zip file to the server and run clamscan or clamdscan
 on the file it recognises the virus no problem.

 If I extract the virus and send it to myself as a mail attachment it
 recognises the viruses no problem.

 BUT... if I send the zip file which contains the virus to myself as a
 mail attachment, clam doesn't recognise the virus at all and just
 lets it through.

How are you interfacing your email system to ClamAV (ie: what is unpacking the 
emails and passing them to ClamAV for analysis)?   Milter?   MailScanner?   
Amavisd?   Something else?

Regards,

Antony.

-- 
Perfection in design is achieved not when there is nothing left to add, but 
rather when there is nothing left to take away.

 - Antoine de Saint-Exupery

 Please reply to the list;
   please don't CC me.





Re: [Clamav-users] Question on SomeFool Virus

2004-04-06 Thread Vernon A. Fort
Antony Stone wrote:

On Tuesday 06 April 2004 9:57 am, Vernon A. Fort wrote:

 

I have several emails which clamav detects as 'Worm.SomeFool.Gen-2', but
neither Sophos nor McAfee will detect the virus.  Would this be some new
variant that clamav found?  From the description, this sig was added to
detect possible future variants of the NetSky viruses.
   

Sound like it's working then :)

 

Should I submit this? or just be thankful or both?
   

No point submitting a virus which ClamAV already detects :)   Be thankful the 
team did a better job than Sophos & McAfee again.

I use ClamAV in addition to commercial scanners for exactly this reason 
- ClamAV does detect new viruses sooner than any other commercial 
scanner.  I was just curious if any of the virus admins wanted a look at 
the message file.  If so, let me know how and where to send.

Vernon





Re: [Clamav-users] Virus Names

2004-04-06 Thread Korchmenuk Nickolay
On Mon, 5 Apr 2004 23:38:08 -0500
Erick Perez - Vision Media [EMAIL PROTECTED] wrote:

 Question:
 If Worm.SomeFool is Netsky, then why is not labeled as netsky?
 Also, is there a way to make an alias in the virus database so my users can
 see netsky instead of Worm.Somefool?
It's time to put the answer to this question into the FAQ.

-- 
 Korchmenuk Nickolay
06 Apr 2004 14:25:24




Re: [Clamav-users] not recognising virus in zip files

2004-04-06 Thread Regan Yelcich
sorry - should have mentioned that!

clam is being called through MIMEDefang 2.36

just re-installed clam to version 0.68-1 to see if that changed 
anything - but it didn't.

Regan







Re: [Clamav-users] clamd exited on signal 6

2004-04-06 Thread Mipam
So this problem is known in 0.70-rc
and should have been fixed?


On Mon, 5 Apr 2004, Tomasz Kojm wrote:

 On Mon, 5 Apr 2004 16:25:57 +0200 (MET DST)
 Mipam [EMAIL PROTECTED] wrote:

  Hi,
 
  I'm facing this problem:
 
  kernel: pid 567 (clamd), uid 1006: exited on signal 6

 Probably some assertion failed and the process received SIGABRT. Try
 update to the latest CVS version.

 --
oo. Tomasz Kojm [EMAIL PROTECTED]
   (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
  \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\   /\  Mon Apr  5 22:06:04 CEST 2004






Re: [Clamav-users] Re: Don't Understand

2004-04-06 Thread Daniel J McDonald
On Tue, 2004-04-06 at 02:45, Rmi Goyard wrote:
 Thanks guys
 Now Clamav seems to work.
 I'm trying now to use it with Amavisd-new 

The easiest thing to do is to run amavis-new and clamd under the same
user.  Since you will upgrade clamav more often than amavis, it's
probably easiest to run the amavis daemon as clamav rather than the
other way around.

 and when I start amavisd in debug
 mode and try to send a test email using telnet on 10024, I get an error
 that tells me it can't access the file in the /var/lib/amavis/tmp directory;
 ownership of this directory is set to user/group amavis.
 Does my clamav user/group have to have read access on this directory? If yes,
 could you tell me how to set it?
 And since I think I have to learn more about how to define rights under a
 Linux system, could you tell me a good tutorial for this?
 Thanks in advance.

-- 
Daniel J McDonald [EMAIL PROTECTED]
Austin Energy





Re: [Clamav-users] Trojan.Dropper.JS.Mimail.B ?

2004-04-06 Thread Keith G. Murphy
Thanks.  I hadn't looked back nearly that far.

Something really odd is going on then.  Is it possible all of these 
folks really are suddenly infected?  Something to research...

Tomasz Papszun wrote:

On Mon, 05 Apr 2004 at  8:54:02 -0500, Keith Murphy wrote:

I'm suddenly seeing a buttload of these.  When was this added?  Can't 
find it in the daily updates.

Most, but not all of these, are in folk's browser caches.  McAfee and 
AVG don't detect them.


There:

From: Denis De Messemacker
To: [EMAIL PROTECTED]
Subject: [Clamav-virusdb] Update (daily: 46)
Date: Sat, 6 Dec 2003 04:57:29 +0100


--
Why waste time learning when ignorance is instantaneous?
-- Hobbes




[Clamav-users] Re: Virus Names

2004-04-06 Thread Jesse Guardiani
Antony Stone wrote:

[...]

 I think the best we'll ever achieve is a cross-reference database.

Yes please.

What needs to be done to get this online? Who needs access to what?
Public reference submissions, or core maintainers?

I think we desperately need this functionality.

-- 
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v)  423-559-5145 (f)
http://www.wingnet.net






Re: [Clamav-users] Virus Names

2004-04-06 Thread Eric Rostetter
Quoting Erick Perez - Vision Media [EMAIL PROTECTED]:

 Question:
 If Worm.SomeFool is Netsky, then why is not labeled as netsky?

Answer:
If netsky is Worm.SomeFool, then why is it not labeled as Worm.SomeFool?

 Basically that's because the users keep complaining about the virus names
 that cannot be found anywhere else (like the virus database from TrendMicro).

If they want to use the name TrendMicro uses, then they should use the
TrendMicro software.

 Thanks,
 Erick

--
Eric Rostetter


[Clamav-users] Re: Virus Names

2004-04-06 Thread Jesse Guardiani
Jesse Guardiani wrote:

 Antony Stone wrote:
 
 [...]
 
 I think the best we'll ever achieve is a cross-reference database.
 
 Yes please.
 
 What needs to be done to get this online? Who needs access to what?
 Public reference submissions, or core maintainers?
 
 I think we desperately need this functionality.

I also think it would be VERY nice to have the date and time the virus
was added included in either the definition database or in this reference
database.

Do any other AV vendors include this info in their sig databases? If they
DO, then we might be able to import that information into our cross references
too.

I think it would also be good to design the database tables (assuming
we end up going with a relational database) in such a way that it is
efficient to query not only for ClamAV viruses to retrieve what the OTHER
guys call it, but also to query the other guys' name and see what ClamAV
calls it.

Hmmm... then again, this is starting to sound like a separate project.

-- 
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v)  423-559-5145 (f)
http://www.wingnet.net
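
A sketch of the two-way cross-reference tables described in the message above, as an added example that is not part of the original post or of ClamAV. The schema, the function names, the vendor labels `vendor-a`/`vendor-b` and the dates are constructed for illustration; the name pairs are the ones mentioned in this thread.

```python
import sqlite3

SCHEMA = """
CREATE TABLE signature (
    id        INTEGER PRIMARY KEY,
    clam_name TEXT NOT NULL UNIQUE COLLATE NOCASE,
    added     TEXT NOT NULL          -- date the signature was published (ISO 8601)
);
CREATE TABLE alias (
    signature_id INTEGER NOT NULL REFERENCES signature(id),
    vendor       TEXT NOT NULL,
    vendor_name  TEXT NOT NULL COLLATE NOCASE,
    UNIQUE (signature_id, vendor, vendor_name)
);
-- Index for the reverse direction: another vendor's name -> ClamAV name.
CREATE INDEX alias_by_vendor_name ON alias (vendor_name);
"""

# Constructed sample rows: (ClamAV name, date added, [(vendor, vendor's name)]).
# Dates and vendor labels are placeholders, not real database contents.
SAMPLE = [
    ("Worm.SomeFool", "2004-01-01",
     [("vendor-a", "W32/Netsky"), ("vendor-b", "Worm-I/Netsky")]),
    ("Worm.NotAGoodGuy", "2004-01-02", [("trend", "WORM.BADGUY")]),
]


def open_db(rows=SAMPLE):
    """Create an in-memory cross-reference database and load the sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    for clam_name, added, aliases in rows:
        cur = db.execute(
            "INSERT INTO signature (clam_name, added) VALUES (?, ?)",
            (clam_name, added))
        db.executemany(
            "INSERT INTO alias VALUES (?, ?, ?)",
            [(cur.lastrowid, vendor, name) for vendor, name in aliases])
    db.commit()
    return db


def aliases_for(db, clam_name):
    """ClamAV name -> [(vendor, vendor_name, date added)], case-insensitive."""
    return db.execute(
        "SELECT a.vendor, a.vendor_name, s.added "
        "FROM signature s JOIN alias a ON a.signature_id = s.id "
        "WHERE s.clam_name = ? ORDER BY a.vendor", (clam_name,)).fetchall()


def clam_names_for(db, term, substring=False):
    """Another vendor's name -> ClamAV names.

    Exact match by default. With substring=True the term may be a family
    fragment such as "netsky"; LIKE wildcards typed by the user are escaped so
    "%" or "_" cannot widen the search.
    """
    if substring:
        escaped = (term.replace("\\", "\\\\")
                       .replace("%", "\\%").replace("_", "\\_"))
        where, arg = "a.vendor_name LIKE ? ESCAPE '\\'", f"%{escaped}%"
    else:
        where, arg = "a.vendor_name = ?", term
    # Only the fixed WHERE fragment is interpolated; user input stays bound.
    sql = ("SELECT DISTINCT s.clam_name "
           "FROM alias a JOIN signature s ON s.id = a.signature_id "
           f"WHERE {where} ORDER BY s.clam_name")
    return [row[0] for row in db.execute(sql, (arg,))]


if __name__ == "__main__":
    db = open_db()
    print(aliases_for(db, "Worm.SomeFool"))
    print(clam_names_for(db, "netsky", substring=True))
```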






Re: [Clamav-users] Virus Names

2004-04-06 Thread Eric Rostetter
Quoting Graham Murray [EMAIL PROTECTED]:

 So maybe, as with celestial objects, there should be agreement that
 the first AV 'vendor' to publish a detection for a virus should be
 given the honour of naming it and the other vendors adopt the same
 name rather than inventing their own (and potentially causing
 confusion). So if Clamav is first, other vendors should adopt its
 name and if some other vendor is first then Clamav should use the name
 that vendor gives it.

This is exactly what ClamAV does.  Now you just need to get the rest
of the AV vendors to follow that rule.  Good luck with that!

--
Eric Rostetter


Re: [Clamav-users] Virus Names

2004-04-06 Thread Antony Stone
On Tuesday 06 April 2004 3:58 pm, Eric Rostetter wrote:

 Quoting Erick Perez - Vision Media [EMAIL PROTECTED]:
  Question:
  If Worm.SomeFool is Netsky, then why is not labeled as netsky?

 Answer:
 If netsky is Worm.SomeFool, then why is it not labeled as Worm.SomeFool?

Do you call people Eskimos or Inuits?   They're still the same people, but 
looking up one or other in some information resource may provide different 
results.

  Basically that's because the users keep complaining about the virus names
  that cannot be found anywhere else (like the virus database from
  TrendMicro).

 If they want to use the name TrendMicro uses, then they should use the
 TrendMicro software.

No, many people are interested to know more about the viruses which are being 
detected.

If you do a Google search for NetSky virus you get 308,000 results.   If you 
do a Google search for SomeFool virus you get 2,080.

Therefore knowing the more common name for a virus is useful to people who use 
ClamAV.

Regards,

Antony.

-- 
90% of networking problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.

 Please reply to the list;
   please don't CC me.





[Clamav-users] Strange syslog messages from clamav-milter

2004-04-06 Thread Orion Poplawski
I'm periodically seeing the following syslogd messages:

Apr  6 09:23:37 earth rvard.edu n_children = 1 Received: PORT 50143 
Connecting to local port 50143 clamfi_abort pthread_cond_broadcast 
n_children = 0 clamfi_close clamfi_connect: connection from 
pc-68-118-183-26.will.ct.charter.com [68.118.183.26] clamfi_envfrom: 
[EMAIL PROTECTED] n_children = 1 Received: PORT 30713 Connecting 
to local port 30713 clamfi_abort pthread_cond_broadcast n_children = 0 
clamfi_close clamfi_connect: connection from sprocket.Colorado.EDU 
[128.138.240.72] clamfi_envfrom: [EMAIL PROTECTED] 
n_children = 1 Received: PORT 1109 Connecting to local port 1109 
clamfi_envrcpt: [EMAIL PROTECTED]  clamfi_header clamfi_header 
clamfi_header clamfi_header clamfi_header clamfi_header clamfi_header 
clamfi_header clamfi_header clamfi_header clamfi_header clamfi_eoh 
clamfi_envbody: 112 bytes clamfi_eom clamfi_eom: read stream: OK 
pthread_cond_broadcast n_children = 0 clamfi_close clamfi_connect: 
connection from mxjab.ysource1.com [64.251.8.12] clamfi_envfrom: 
[EMAIL PROTECTED] n_chi

These were broadcast to all users like this:

Message from [EMAIL PROTECTED] at Mon Apr  5 02:06:31 2004 ...
wind [EMAIL PROTECTED] n_children = 1 clamfi_envfrom: 
[EMAIL PROTECTED] n_children = 1 clamfi_envfrom: 
[EMAIL PROTECTED] n_children = 1 clamfi_envfrom: 
[EMAIL PROTECTED] n_children = 2 clamfi_envfrom: 
[EMAIL PROTECTED] n_children = 1 clamfi_envfrom: 
[EMAIL PROTECTED] n_children = 1 
clamfi_envfrom: [EMAIL PROTECTED] n_children = 1 
clamfi_envfrom: [EMAIL PROTECTED] n_children = 1 clamfi_envfrom: 
[EMAIL PROTECTED] n_children = 1 clamfi_envfrom: [EMAIL PROTECTED] 
n_children = 1 clamfi_envfrom: [EMAIL PROTECTED] n_children = 1 
clamfi_envfrom: [EMAIL PROTECTED] n_children = 1 clamfi_envfrom: 
[EMAIL PROTECTED] n_children = 1 clamfi_envfrom: 
[EMAIL PROTECTED] n_children = 1 clamfi_envfrom: 
[EMAIL PROTECTED] n_children = 1 
clamfi_envfrom: [EMAIL PROTECTED] n_children = 1 
clamfi_envfrom: [EMAIL PROTECTED] n_children = 1 clamfi_envfrom: xsucc

until I commented out the following from syslogd.conf:

#*.emerg*

This happens with versions 0.67 and above.  I think it may have started 
with 0.67, though I'm not sure.

Any help on stopping these would be greatly appreciated.

- Orion

--
Orion Poplawski
System Administrator   303-415-9701 x222
Colorado Research Associates/NWRA  FAX: 303-415-9702
3380 Mitchell Lane, Boulder CO 80301   http://www.co-ra.com


Re: [Clamav-users] Virus Names

2004-04-06 Thread Hanford, Seth
  If netsky is Worm.SomeFool, then why is it not labeled as Worm.SomeFool?

Rhetoric aside, this is obviously an itch that needs scratched.  Clam does a
wonderful job and (as was the case with SomeFool) does it faster than most.
Perhaps we might be able to scratch up support for an alias correlation
database, planting the seed with Clam.

 No, many people are interested to know more about the viruses which are
 being detected.

 If you do a Google search for NetSky virus you get 308,000 results.   If
 you do a Google search for SomeFool virus you get 2,080.

 Therefore knowing the more common name for a virus is useful to people who
 use ClamAV.

I think that, for our purposes, we need only search on the Clam name for a
virus.  All other names are potentially worthless work--AFAIK, the clam DB
contains only (or mostly) viruses in the wild.  If we had as part of the
submission process an additional field noting what name the detecting AV
called it
(For example, worm.notagoodguy passes through clam, but is picked up by
trend as WORM.BADGUY).  Any aliases that we come up with could get submitted
right alongside such a sample.

Our search really only needs to be one-way, to keep it in scope.  There's no
need to support searching everyone else's names, only Clam's.  Everyone's
talking about NetSky?  If you're not receiving SomeFool, then why do you
care?  If you are, look up SomeFool.  If you're getting files and Clam
doesn't detect them, then submit them.  They'll be named, and you'll be able
to search.

--Seth





Re: [Clamav-users] Strange syslog messages from clamav-milter

2004-04-06 Thread Nigel Horne
On Tuesday 06 Apr 2004 4:28 pm, Orion Poplawski wrote:
 I'm periodically seeing the following syslogd messages:

 Any help on stopping these would be greatly appreciated.

Rerun configure without '--enable-debug'.

 - Orion

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk





[Clamav-users] clamd.ctl file not read in FC1

2004-04-06 Thread Karl Hakmiller
 clamav/d (0.68) installed.  When rebooting in FC1 I get FAILED report on read of 
/var/run/clamav/clamd.ctl though the file appears to exist.  Is there some way I can 
modify or fix that file short of re-installing clamav entirely?

Original installation does not seem to be entirely broken as I can run
freshclam and clamscan OK (and do, in a script I put in cron.daily).

Question about clamscan:  I'm using the move= option but when I run it
against an mbox the entire folder is moved when a worm is found (which
makes sense as an mbox is just one long file).  However, I've tried the
--remove option with no success either.  Since clamscan has an --mbox
option I would think there is some provision for extracting just the
wormy email but I haven't found it.  I'd appreciate advice on this.

Thanks.

Karl L
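
One way to get the per-message behaviour asked about above, as an added example that is not part of the original post or of ClamAV: split the mbox with Python's `mailbox` module, scan each message on its own, and move only the flagged ones to a quarantine mbox. `quarantine_infected`, `marker_scan`, `build_sample_mbox` and the sample messages are constructed for illustration; `clamscan_stdin` assumes a `clamscan` binary on PATH.

```python
import mailbox
import subprocess
from email.message import EmailMessage

MARKER = b"CONSTRUCTED-TEST-MARKER"   # stands in for malware; not a real signature


def clamscan_stdin(raw):
    """Scan one message with `clamscan -` (stdin); return signature name or None.

    Assumption: clamscan is on PATH. Exit status 0 = clean, 1 = infected.
    """
    proc = subprocess.run(["clamscan", "--no-summary", "-"],
                          input=raw, capture_output=True, check=False)
    if proc.returncode == 0:
        return None
    if proc.returncode == 1:
        # Report lines have the form "<name>: <signature> FOUND".
        for line in proc.stdout.decode(errors="replace").splitlines():
            if line.endswith(" FOUND"):
                return line.rsplit(": ", 1)[-1][: -len(" FOUND")]
        return "unknown"
    raise RuntimeError("clamscan failed: " + proc.stderr.decode(errors="replace"))


def marker_scan(raw):
    """Stub scanner for the demo: flags any message containing MARKER."""
    return "Constructed.Test.Marker" if MARKER in raw else None


def quarantine_infected(mbox_path, quarantine_path, scan=clamscan_stdin):
    """Move only the flagged messages from mbox_path to quarantine_path.

    Returns [(subject, signature), ...] for the messages that were moved.
    """
    inbox = mailbox.mbox(mbox_path, create=False)
    quarantine = mailbox.mbox(quarantine_path)
    moved = []
    inbox.lock()   # cooperating delivery agents will not append while we rewrite
    try:
        flagged = []
        for key in inbox.keys():
            signature = scan(inbox.get_bytes(key))
            if signature is not None:
                flagged.append((key, signature))
        # Copy and flush first: a crash may duplicate a message, never lose one.
        for key, signature in flagged:
            message = inbox.get_message(key)
            quarantine.add(message)
            moved.append((message["Subject"], signature))
        quarantine.flush()
        for key, _ in flagged:
            inbox.remove(key)
    finally:
        quarantine.close()
        inbox.close()   # writes the rewritten mbox and releases the lock
    return moved


def build_sample_mbox(path):
    """Write three constructed messages; only 'invoice' carries the marker."""
    samples = [
        ("hello", "hi there"),
        ("invoice", "see attachment " + MARKER.decode()),
        ("minutes", "notes from Tuesday"),
    ]
    box = mailbox.mbox(path)
    for subject, body in samples:
        msg = EmailMessage()
        msg["From"] = "sender@example.org"
        msg["To"] = "user@example.org"
        msg["Subject"] = subject
        msg.set_content(body)
        box.add(msg)
    box.close()


if __name__ == "__main__":
    import os
    import tempfile
    tmp = tempfile.mkdtemp()
    inbox_path = os.path.join(tmp, "inbox")
    build_sample_mbox(inbox_path)
    print(quarantine_infected(inbox_path, os.path.join(tmp, "quarantine"),
                              scan=marker_scan))
```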





[Clamav-users] undetected virus by clamav

2004-04-06 Thread Martin Gruss
I have 3 viruses found on my hard drive which are not detected by clamav;
other scanners like fprot or McAfee detect the viruses as

1.ex#   Found the MultiDropper-IY trojan !!!
2.ex#   Found the W32/Spybot.worm.gen.d virus !!!
3.ex#   Found the IRC/Flood.dj trojan !!!

I have scanned the files with the online scanner from clamav. It says

clamav scans the file ...
Clamav-Output:
/tmp/phpeQMyfj: OK
Clamav DID NOT identify your sample as malicious content

I scanned one more time with McAfee and found the 3 viruses.

When I try to submit the virus files with the online submit page I get an error
message like this

This virus is already recognized by ClamAV. Be careful when submitting
samples and remember to run freshclam!

I have run freshclam and the database is up to date,
but the virus has been undetected by clamav for four days.





Re: [Clamav-users] Segmentation fault in clamav-0.70rc-1

2004-04-06 Thread Claudio Alonso
 It's a good idea to disable archive/mail support when using on-access
 scanner.
 
Sorry I didn't answer before, I wasn't available...
I disabled archive/mail support and the problem persists.
In all the cases the problem occurs exactly when the log rotates.
I find the last line of the previous log saying:
SIGHUP caught: re-opening log file.

And the first lines of the new log say:
No stats for Database check - forcing reload
Reading databases from /var/lib/clamav (sometimes this line doesn't appear)
Segmentation fault :-( Bye..

The last time it happened, clamd was up for just 65 minutes. Then the message
appears and some filesystems are locked. After that I have to reboot.
Any ideas or workarounds? I'm not using milter, I'm just using clamd 0.70rc-1
and clamuko (with dazuko 2.0 on /home and /tmp) for a workstation with RH9.0
(kernel 2.4.20-30.9).
Anyone with a similar configuration? Do you have this problem or is it just my
installation? I've installed it several times and the result is always the same.
Can I change something in order to avoid the problem at the moment that the log
rotates?

Thanks again,

--Claudio




Re: [Clamav-users] Trojan.Dropper.JS.Mimail.B ?

2004-04-06 Thread Keith G. Murphy
Keith G. Murphy wrote:

Thanks.  I hadn't looked back nearly that far.

Something really odd is going on then.  Is it possible all of these 
folks really are suddenly infected?  Something to research...

It makes more sense now.  I'm running Debian stable, and had installed 
Luca Gibelli's 0.65-1 backport.

I had ignored his README, which states very clearly that you need to 
remove the old-format virus database files.  I guess freshclam must use 
those in preference to the .cvd's.  (I wonder why).  I found out that a 
couple of signatures had been removed for that trojan between the date 
of my old-format files and the latest .cvd's.

Upon obtaining, building, and installing the Debian source testing 
packages on my system, the problem went away.  Turns out that the 
clamav-freshclam package from them deletes the old-format files upon 
installation.  Kudos to Stephen Gran, the Debian maintainer.

What still doesn't make sense is why I suddenly started seeing the problem.





Re: [Clamav-users] Virus Names

2004-04-06 Thread jef moskot
On Tue, 6 Apr 2004, Eric Rostetter wrote:
 If netsky is Worm.SomeFool, then why is it not labeled as Worm.SomeFool?

While I agree with this in principle, I think for instances where a
question like this pops up at least once a week just on this list, it
might be worth it to just bite the bullet and go along with the herd.

I understand that when the ClamAV (as it often does) discovers a worm
before there's a common name for it, that it's not just inconvenient, it's
impossible to choose the name that everyone else will eventually use.

But when something is this much of a phenomenon, why not just change the
name?  I know it's been done for other worms in the past.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]




Re: [Clamav-users] Virus Names

2004-04-06 Thread Bit Fuzzy
While I can and do understand what Eric was saying, I have to agree with
Erick.

http://www.bitdefender.com/index.php - Bitdefender
http://www.grisoft.com/us/us_index.php - AVG
http://www.pandasoftware.com/home/ - Panda
http://www.symantec.com/ - Norton
http://us.mcafee.com/default.asp - Mcafee
http://www.trendmicro.com - Trendmicro
http://viruslist.com/eng/ -- Virus List

While different, all have 1 thing in common with each other.
CVID's (Common Virus Identifiers), granted some list netsky as
worm-i/netsky, or w32/netsky,
but in the end you (the user/administrator) know what was stopped, and thus
have the ability to see
what's being identified and or do research on what the virus/worm did (the
function)

Not complaining.. just expressing my 2 cents ;)

- Original Message - 
From: Eric Rostetter [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 06, 2004 10:58 AM
Subject: Re: [Clamav-users] Virus Names


 Quoting Erick Perez - Vision Media [EMAIL PROTECTED]:

  Question:
  If Worm.SomeFool is Netsky, then why is not labeled as netsky?

 Answer:
 If netsky is Worm.SomeFool, then why is it not labeled as Worm.SomeFool?

  Basically that's because the users keep complaining about the virus names
  that cannot be found anywhere else (like the virus database from
  TrendMicro).

 If they want to use the name TrendMicro uses, then they should use the
 TrendMicro software.

  Thanks,
  Erick

 --
 Eric Rostetter







[Clamav-users] Freshclam no longer checking in.

2004-04-06 Thread Shaun T. Erickson
On my FreeBSD 5.2.1-RELEASE-p4 system, I upgraded to the latest clamd 
port, when it was released a few days ago.

Now, freshclam doesn't check in to look for updates anymore, and only 
does so if I stop and restart it - at that point it downloads the 
update, successfully notifies clamd, then just goes comatose again. The 
only thing logged to freshclam.log is the signal 15 when I stop it, and 
the db update when I restart it.

Any ideas?

I do run both clamd and freshclam as vscan (what amavisd-new runs as). 
After upgrading clamd, I did make sure (to the best of my knowledge) 
that directory permissions and ownership were correct.

	-ste



Re: [Clamav-users] Virus Names

2004-04-06 Thread Tomasz Papszun
On Tue, 06 Apr 2004 at 12:17:05 -0400, Hanford, Seth wrote:
 
 If we had as part of the submission process an additional field noting
 what name the detecting AV called it

There is such a field! And if it's too short, you can add more
names/details/URLs in the description field (that big area below).

 (For example, worm.notagoodguy passes through clam, but is picked up by
 trend as WORM.BADGUY).  Any aliases that we come up with could get submitted
 right alongside such a sample.

We include aliases in our announcements. Unfortunately, while
submitting, many people fail to write the name (according to the other
scanner), though they select that the sample is detected by another
scanner and sometimes they even write which scanner (but no virus name).

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]  | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner




RE: [Clamav-users] Virus Names

2004-04-06 Thread Diego d'Ambra
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:clamav-users-
 [EMAIL PROTECTED] On Behalf Of jef moskot
 Sent: 6. april 2004 19:08
 To: [EMAIL PROTECTED]
 Subject: Re: [Clamav-users] Virus Names
 
 On Tue, 6 Apr 2004, Eric Rostetter wrote:
  If netsky is Worm.SomeFool, then why is it not labeled as Worm.SomeFool?
 
 But when something is this much of a phenomenon, why not just change the
 name?  I know it's been done for other worms in the past.
 

And that is what we'll (try to) do in the future (if a common name has
been established). 

Best regards,
Diego d'Ambra




[Clamav-users] Supervised Clamd

2004-04-06 Thread Jeff Bilder

Has anyone gotten Clamd to run with daemontools?  I have a clamd running supervised, 
but the log file will not supervise correctly.  I have /service/clamd/log  with:

[EMAIL PROTECTED] spamd]# cd /service/clamd/log/
[EMAIL PROTECTED] log]# ls -l
total 4
-rwxr-xr-x  1 root  qmail  101 Apr  6 14:20 run
drwx--  2 root  qmail  512 Apr  6 14:06 supervise

but when I run clamdctl stat I get:

[EMAIL PROTECTED] log]# clamdctl stat
/service/clamd: up (pid 1526) 658 seconds
/service/clamd/log: supervise not running

Any ideas?  Thanks!

- Jeff




[Clamav-users] compiling clamav 0.68

2004-04-06 Thread Pad Hosmane

Hi,

I am compiling clamav 0.68 on HP-UX 11.00. I am getting the following error
during make.

I am using GCC 3.0.1.

++
gcc -g -O2 -o clamscan clamscan.o options.o getopt.o others.o manager.o treewalk.o -L/usr/local/lib -L/opt/gmp/lib
-L/test/down/clamav-0.68/libclamav /usr/local/lib/libclamav.sl
-lz -lpthread -Wl,+b -Wl,/usr/local/lib
/usr/ccs/bin/ld: Unsatisfied symbols:
 cl_mbox (first referenced in manager.o) (code)
 cl_gentemp (first referenced in manager.o) (code)
 cl_debug (first referenced in clamscan.o) (code)
 cl_strerror (first referenced in manager.o) (code)
 cli_strtok (first referenced in manager.o) (code)
collect2: ld returned 1 exit status
*** Error exit code 1

Stop.
*** Error exit code 1

Stop.
*** Error exit code 1
++

Any input would be a great help.

Thanks in advance.

PAd








Re: [Clamav-users] Virus Names

2004-04-06 Thread Peter Bonivart
Diego d'Ambra wrote:

 And that is what we'll (try to) do in the future (if a common name has
 been established).

But that would break statistics. I don't mind if the name is different 
as long as it can be cross-referenced. Someone was working on a web site 
with just that but I haven't heard of any news for some time.

--
/Peter Bonivart
--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2, MailStats 0.25


Re: [Clamav-users] Virus Names

2004-04-06 Thread jef moskot
On Tue, 6 Apr 2004, Eric Rostetter wrote:
 But changing the name after the fact would just confuse people more.

I completely disagree.  Hardcore Clam users are more likely to understand
the reality of the situation and realize that the ClamAV team has to call
the viruses SOMETHING.  Usually, that's the same name everyone else uses,
but sometimes it isn't.

There's maybe a small amount of confusion for a couple days, and that's
that.

But we are constantly being asked by casual (or new) users why ClamAV
doesn't pick up Netsky, what the heck SomeFool is, etc.  Many of those
Google hits are WTF is SomeFool?.  A lot of work could be saved by being
more user-friendly.

Seriously, what have we to gain from using an obscure name?  OK, so, we
have the moral high ground, but that's not really the focus of the
product.

Other than some kind of issue with logging things by virus name, are there
any sensible reasons to not use the same name everyone else in the
computer community is using?

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]




Re: [Clamav-users] Virus Names

2004-04-06 Thread Eric Rostetter
Quoting jef moskot [EMAIL PROTECTED]:

 On Tue, 6 Apr 2004, Eric Rostetter wrote:
  But changing the name after the fact would just confuse people more.

 I completely disagree.  Hardcore Clam users are more likely to understand
 the reality of the situation and realize that the ClamAV team has to call
 the viruses SOMETHING.  Usually, that's the same name everyone else uses,
 but sometimes it isn't.

Great for netsky since almost everyone uses it.  But what about viruses
that have multiple names from the other vendors and the media?  For the
first week, SCO (clamd) was called novarg by most, until the media took
off with mydoom and that became the new name.  Should clamav have migrated
along from SCO to NOVARG to MYDOOM just because the others came along
later and in that order?

 There's maybe a small amount of confusion for a couple days, and that's
 that.

Most viruses don't last for more than a few days anyway, so this only
applies to the rare cases (like lately with the virus wars over netsky
et al).

 But we are constantly being asked by casual (or new) users why ClamAV
 doesn't pick up Netsky

Yes, but the user is just being stupid.  They are not getting infected
with netsky, so obviously it is picking it up.

 what the heck SomeFool is, etc.  Many of those

You don't think you'll get that question even if you use the more common
name for viruses?

 Google hits are WTF is SomeFool?.  A lot of work could be saved by being
 more user-friendly.

Try looking at them again.

 Seriously, what have we to gain from using an obscure name?  OK, so, we
 have the moral high ground, but that's not really the focus of the
 product.

The focus of the product is to stop viruses, not to name them with a
popular name.

 Other than some kind of issue with logging things by virus name, are there
 any sensible reasons to not use the same name everyone else in the
 computer community is using?

Only when clamav names it before anyone else.  Even then, clamav is willing
to rename it if it can be done quickly, before the current name becomes
established, in my experience.  It is only when there is a large gap between
the clamav name and the popular name that they don't rename it.

Also, as I've pointed out, not all the AV vendors agree on the names.  It
usually isn't clamav against the world (as it appears with netsky).  It is
more normal that there are 2, 3, or 4 other names for the virus.  And you
never know which will become the most popular until days or weeks after
you name it.

 Jeffrey Moskot
 System Administrator
 [EMAIL PROTECTED]

--
Eric Rostetter


Re: [Clamav-users] Virus Names

2004-04-06 Thread jef moskot
On Tue, 6 Apr 2004, Eric Rostetter wrote:
 Great for netsky since almost everyone uses it.

Exactly.

 Should clamav have migrated along from SCO to NOVARG to MYDOOM just
 because the others came along later and in that order?

It could easily be taken on a case-by-case basis.  But, as even you admit,
Netsky/SomeFool is a slam dunk.

 Most viruses don't last for more than a few days anyway, so this only
 applies to the rare cases (like lately with the virus wars over netsky
 et al).

I agree.

 The focus of the product is to stop viruses, not to name them with a
 popular name.

Yes, but this is not best accomplished by calling users stupid (even
when they are).  We don't want to make something available to people and
then insult them when they use it in good faith.  The larger issue is that
the more people who use anti-virus methods and the more well-informed
users we have, the better it is for everyone.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]




[Clamav-users] help configuring 0.70-rc w/gnu mp

2004-04-06 Thread Norman Yee
hi,

i'm trying to get clamav 0.70-rc installed and have gmp installed in a 
directory under my home dir (eg. /home/norm/bin/gmp)

when i run

./configure --prefix=/home/norm/bin/clamav --disable-clamav --enable-milter

one of the messages i see is:
checking for mpz_init in -lgmp... no
WARNING: GNU MP 2 or newer NOT FOUND - digital signature support will be 
disabled !

i'm a configure n00b but I am guessing i need to somehow tell it to look in 
/home/norm/bin/gmp for the GMP libraries? How do I do this? i'm running RH 
(/etc/rehat-release says Red Hat Linux release HAL9000)

thanks in advance,
-norm




Re: [Clamav-users] Virus Names

2004-04-06 Thread Antony Stone
On Tuesday 06 April 2004 9:44 pm, jef moskot wrote:

  The focus of the product is to stop viruses, not to name them with a
  popular name.

 Yes, but this is not best accomplished by calling users stupid (even
 when they are).

That may be true, however it's no excuse for allowing stupid users to continue 
with their misguided notions, without some attempt at education and 
correction.

ClamAV is focused on detecting viruses, sure, and you're right that this is 
not best accomplished by telling stupid users that they're stupid, however it 
doesn't condone pandering to their preconceived misconceptions about viruses 
and worms (such as they should each have only one name) either.

There are many examples of the commercial A-V vendors having different names 
for the same virus, and ClamAV happens to be showing this characteristic 
recently simply because the signature development team is doing such a good 
job (and, it should be noted, without the cooperation of commercial vendors 
providing the ClamAV team with newly discovered virus samples through their 
exclusive partnerships).   I do not agree with criticising the product 
because it is better than its competitors.

It cannot be too hard to explain to a clueless user how viruses get named, and 
hope that at least some proportion of those people might understand that this 
inevitably leads to different names for the same thing found in different 
places at about the same time.

And, if that doesn't work, give them a courgette and ask them whether it's a 
zucchini, give them a football and see if they kick it or carry it, ask them 
how to pronounce tomato, ask them which side of the road it is correct to 
drive on, put them on the pavement and see if they want to walk or drive on 
it, check whether they stop at traffic light or robots, or even ask them to 
do something momentarily.

Regards,

Antony.

-- 
There's no such thing as bad weather - only the wrong clothes.

 - Billy Connolly

 Please reply to the list;
   please don't CC me.





Re: [Clamav-users] help configuring 0.70-rc w/gnu mp

2004-04-06 Thread Stephen Gran
On Tue, Apr 06, 2004 at 01:51:29PM -0700, Norman Yee said:
 hi,
 
 i'm trying to get clamav 0.70-rc installed and have gmp installed in a 
 directory under my home dir (eg. /home/norm/bin/gmp)
 
 when i run
 
 ./configure --prefix=/home/norm/bin/clamav --disable-clamav --enable-milter
 
 one of the messages i see is:
 checking for mpz_init in -lgmp... no
 WARNING: GNU MP 2 or newer NOT FOUND - digital signature support will be 
 disabled !
 
 i'm a configure n00b but I am guessing i need to somehow tell it to look in 
 /home/norm/bin/gmp for the GMP libraries? How do I do this? i'm running RH 
 (/etc/rehat-release says Red Hat Linux release HAL9000)
 
 thanks in advance,
 -norm

[EMAIL PROTECTED]:~/Debian/clamav/0.70/clamav-0.70-rc$ ./configure --help
[...]
Some influential environment variables:
  LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
              nonstandard directory <lib dir>

So try:
LDFLAGS=-L/home/norm/bin/gmp ./configure --prefix=/home/norm/bin/clamav 
--disable-clamav --enable-milter

(all on one line)

HTH,
-- 
 --
|  Stephen Gran  | He who is good for making excuses is|
|  [EMAIL PROTECTED] | seldom good for anything else.  |
|  http://www.lobefin.net/~steve | |
 --




Re: [Clamav-users] Virus Names

2004-04-06 Thread jef moskot
On Tue, 6 Apr 2004, Antony Stone wrote:
 There are many examples of the commercial A-V vendors having different
 names for the same virus...

That's true, but when that's the case for an extremely prevalent virus,
it's usually noted in the media.

Using the well-known naming convention is a much simpler and more logical
response to the real world.  At such time as everyone else in the world
becomes wise to ClamAV's superior ways, then it would make sense to just
use our own word for whatever threat comes along.  But in THIS world, it's
easier for just about everyone involved (including all the admins who keep
dropping in here asking about Netsky and their users) to take the path of
least resistance.

 I do not agree with criticising the product because it is better than
 its competitors.

I'm not criticizing it, I'm just trying to be practical.  If some admin
who has never heard of this mailing list or our political crusade to
educate the world about worms is looking into ClamAV (some free product he
might be suspicious of on principle, but is checking out because the price
is right), checks the database to see if it handles one of his biggest
problems and it turns out it's not in the database...then we've lost one
potential ClamAV user and done a disservice to the open source community.

 It cannot be too hard to explain to a clueless user how viruses get
 named...

It's not too hard to explain to one user, but this situation is repeated
over and over, probably many times a day.  It's not hard, but it's
unnecessary and we don't gain much by making a pointless stand.

Users aren't incapable of understanding the process, but being different
for no purpose doesn't make any sense.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]




Re: [Clamav-users] Virus Names

2004-04-06 Thread B. van Ouwerkerk
At 23:38 05-04-2004 -0500, you wrote:
 Question:
 If Worm.SomeFool is Netsky, then why is it not labeled as netsky?
 Also, is there a way to make an alias in the virus database so my users can
 see netsky instead of Worm.Somefool?
 Basically that's because the users keep complaining about the virus names
 that cannot be found anywhere else (like the virus database from TrendMicro).

It would be good if all AV software would use the same names. Still, most 
commercial AV vendors are using their own naming conventions and so does 
Clamav.

Somefool at least describes the sender of the virus :)



B. 





Re: [Clamav-users] Virus Names

2004-04-06 Thread Fisher


B. van Ouwerkerk wrote:

 At 23:38 05-04-2004 -0500, you wrote:

  Question:
  If Worm.SomeFool is Netsky, then why is it not labeled as netsky?

 It would be good if all AV software would use the same names. Still,
 most commercial AV vendors are using their own naming conventions and
 so does Clamav.

Actually, it usually happens that Clamav recognises the viruses before
the other AV vendors, so no well-known name was available. See the
archive for more detailed answers; this question has already been answered here.



[Clamav-users] Re: Don't Understand

2004-04-06 Thread Rémi Goyard
Thanks guys
Now Clamav seems to work.
I'm now trying to use it with Amavisd-new. When I start amavisd in debug
mode and try to send a test email using telnet on 10024, I get an error
that tells me it can't access the file in the /var/lib/amavis/tmp directory;
ownership of this directory is set to user/group amavis.
Do my clamav user/group have to have read access to this directory? If yes,
could you tell me how to set it?
And as I think I have to learn more about how to define rights under a
Linux system, could you tell me of a good tutorial on this?
thanks before.

Rémi

Rémi Goyard [EMAIL PROTECTED] wrote in message news:
[EMAIL PROTECTED]
 Hi everybody,

 I'm trying to install Clamav for mail virus scanning using Postfix
 and Amavisd-new.
 But when I run clamd, there are no errors, but if just after I want to
 verify the execution of the clamav daemon with clamdscan this returns:
 connect(): Connection refused
 ERROR: Can't connect to clamd.

 It seems to mean that clamd is not running, but I don't understand why.
 Can anyone help me please ?
 Thanks

 Rémi








Re: [Clamav-users] Virus Names

2004-04-06 Thread Graham Murray
Fisher [EMAIL PROTECTED] writes:

 Actually, it usually happens that Clamav recognises the viruses before
 the other AV vendors, so no well-known name was available. See the
 archive for more detailed answers; this question has already been answered
 here.

So maybe, as with celestial objects, there should be agreement that
the first AV 'vendor' to publish a detection for a virus should be
given the honour of naming it and the other vendors adopt the same
name rather than inventing their own (and potentially causing
confusion). So if Clamav is first, other vendors should adopt its
name and if some other vendor is first then Clamav should use the name
that vendor gives it.




Re: [Clamav-users] Virus Names

2004-04-06 Thread Antony Stone
On Tuesday 06 April 2004 9:48 am, Graham Murray wrote:

 Fisher [EMAIL PROTECTED] writes:
  Actually, it usually happens that Clamav recognises the viruses before
  the other AV vendors, so no well-known name was available. See the
  archive for more detailed answers; this question has already been answered
  here.

 So maybe, as with celestial objects, there should be agreement that
 the first AV 'vendor' to publish a detection for a virus should be
 given the honour of naming it and the other vendors adopt the same
 name rather than inventing their own (and potentially causing
 confusion).

Celestial objects do not commonly appear and need an agreed name within the 
urgent timescale of computer viruses :)

Whilst your proposal makes excellent sense, it assumes:
a) cooperation between the commercial A-V vendors and Open Source developers 
(there is often a blockage in one direction here)
b) that it's easy to tell if the virus one person's given a name to is the 
same as the virus someone else has just named
c) that the time taken to cooperate over the name is very short compared to 
the time to get a signature out under the corresponding name

Basically, it comes down to the fact that the commercial A-V vendors don't 
want to share their new virus samples with the Open Source community, so we 
have no way of knowing whether the virus we've just named is the same one 
that they have.

I think the best we'll ever achieve is a cross-reference database.

Regards,

Antony.

-- 
These clients are often infected by viruses or other malware and need to be 
fixed.  If not, the user at that client needs to be fixed...

 - Henrik Nordstrom, on Squid users' mailing list

 Please reply to the list;
   please don't CC me.
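
The cross-reference idea raised in this thread, together with the earlier concern that renaming a signature would break statistics, as an added example that is not part of any poster's message or of ClamAV itself. The alias table, the function names and the sample report lines (including the renamed `Worm.Netsky.P`) are constructed assumptions; only the `<path>: <name> FOUND` report line is the scanner's own format.

```python
import re
from collections import Counter

# Constructed cross-reference table: family token -> common name.
# The pairings are the ones named in the thread
# (SomeFool = Netsky; SCO and Novarg = Mydoom).
ALIASES = {
    "somefool": "Netsky",
    "netsky": "Netsky",
    "sco": "Mydoom",
    "novarg": "Mydoom",
    "mydoom": "Mydoom",
}

# clamscan/clamdscan report an infected file as "<path>: <name> FOUND".
# The greedy path group lets paths that contain ": " still parse.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<name>\S+) FOUND\s*$")

# Scanners separate type, family and variant with different punctuation
# (Worm.SomeFool.P, WORM_NETSKY.P, W32/Netsky-P), so split on all of it.
SPLIT_RE = re.compile(r"[./_\-@:!]+")


def common_name(detection):
    """Return the common family name for a detection name, or None."""
    for token in SPLIT_RE.split(detection.lower()):
        if token in ALIASES:
            return ALIASES[token]
    return None


def tally(log_lines):
    """Count detections per common name; collect names with no alias."""
    by_family = Counter()
    unmapped = Counter()
    for line in log_lines:
        match = FOUND_RE.match(line.strip())
        if not match:
            continue  # "OK" lines, summaries, blank lines
        name = match.group("name")
        family = common_name(name)
        if family is None:
            unmapped[name] += 1  # candidate for a new alias entry
        else:
            by_family[family] += 1
    return by_family, unmapped


# Constructed sample report. The last line uses a hypothetical renamed
# signature and a path containing ": " to exercise both edge cases.
SAMPLE_LOG = """\
/var/spool/scan/msg-0001: Worm.SomeFool.Gen-2 FOUND
/var/spool/scan/msg-0002: OK
/var/spool/scan/msg-0003: Worm.SomeFool.P FOUND
/var/spool/scan/msg-0004: Worm.SCO.A FOUND
/var/spool/scan/msg-0005: worm.notagoodguy FOUND
/var/spool/scan/re: invoice: Worm.Netsky.P FOUND
"""

if __name__ == "__main__":
    families, unknown = tally(SAMPLE_LOG.splitlines())
    for family, count in families.most_common():
        print(f"{family:10s} {count}")
    for name, count in unknown.items():
        print(f"no alias: {name} ({count})")
```

Because the counts are keyed on the common name, a signature rename leaves the totals unchanged, and names without an alias are reported separately instead of being silently dropped.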





[Clamav-users] clamav-0.70-rc make probs

2004-04-06 Thread Schmidt, Patrick

What's up? ./configure is done without errors, but make stops at the
beginning
(SuSE 8.2, kernel 2.4.20,gcc 3.3 20030226)
...
make  all-recursive
make[1]: Entering directory `/src/clamav-0.70-rc'
Making all in libclamav
make[2]: Entering directory `/src/clamav-0.70-rc/libclamav'
source='matcher.c' object='matcher.lo' libtool=yes \
depfile='.deps/matcher.Plo' tmpdepfile='.deps/matcher.TPlo' \
depmode=gcc3 /bin/sh ../depcomp \
/bin/sh ../libtool --mode=compile gcc -DHAVE_CONFIG_H -I. -I. -I.. -I..
-I./zziplib-g -O2 -c -o matcher.lo `test -f 'matcher.c' || echo
'./'`matcher.c
mkdir .libs
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I./zziplib -g -O2 -c matcher.c -MT
matcher.lo -MD -MP -MF .deps/matcher.TPlo  -fPIC -DPIC -o .libs/matcher.lo
In file included from /usr/include/string.h:372,
 from matcher.c:29:
/usr/include/bits/string.h:1826:9: missing terminating  character
make[2]: *** [matcher.lo] Error 1

can anyone help? thanks :) clamav-0.68-1 is installed and works with complete
satisfaction!

Cheers,Patrick 
-- 
- Environmental Agency of North Rhine-Westphalia 
/ Duesseldorf,Germany -
Postfach 11 11 20, 40511 Düsseldorf
http://www.stua-d.nrw.de

Text used in this document is made from 100% recycled electrons and
magnetic particles.




RE: [Clamav-users] Virus Names

2004-04-06 Thread Randal, Phil
Graham Murray wrote:

 So maybe, as with celestial objects, there should be 
 agreement that the first AV 'vendor' to publish a detection 
 for a virus should be given the honour of naming it and the 
 other vendors adopt the same name rather than inventing their 
 own (and potentially causing confusion). So if Clamav is 
 first, other vendors should adopt its name and if some other 
 vendor is first then Clamav should use the name that vendor gives it.

Viruses are discovered a darned sight more rapidly than celestial objects.

Let's not waste the antivirus folks' time by making them jump through hoops
over naming protocols.  I'd rather priorities were given to protecting us
from the darned things instead of worrying about what the vendors call them.

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK




[Clamav-users] Question on SomeFool Virus

2004-04-06 Thread Vernon A. Fort
I have several emails which clamav detects as 'Worm.SomeFool.Gen-2', but 
neither Sophos nor McAfee will detect the virus.  Would this be some new 
variant that clamav found?  From the description, this sig was added to 
detect possible future variants of the NetSky viruses.

Should I submit this? or just be thankful or both?

Vernon





Re: [Clamav-users] Question on SomeFool Virus

2004-04-06 Thread Antony Stone
On Tuesday 06 April 2004 9:57 am, Vernon A. Fort wrote:

 I have several emails which clamav detects as 'Worm.SomeFool.Gen-2', but
 neither Sophos nor McAfee will detect the virus.  Would this be some new
 variant that clamav found?  From the description, this sig was added to
 detect possible future variants of the NetSky viruses.

Sounds like it's working then :)

 Should I submit this? or just be thankful or both?

No point submitting a virus which ClamAV already detects :)   Be thankful the 
team did a better job than Sophos & McAfee again.

Regards,

Antony.

-- 
If you can't find an Open Source solution for it, then it isn't a real 
problem.

 Please reply to the list;
   please don't CC me.


