RE: [Clamav-users] mail to recipient

2004-05-13 Thread Jerome Loyet
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Valerii Valeev
 Sent: Thursday, 13 May 2004 17:10
 To: [EMAIL PROTECTED]
 Subject: [Clamav-users] mail to recipient
 
 Hi all,
 
 is it possible to mail a failure message to the recipient, 
 not only to postmaster?

man clamav-milter :-)


 
 Valerii Valeev.
 
 
 ---
 This SF.Net email is sponsored by: SourceForge.net Broadband 
 Sign-up now for SourceForge Broadband and get the fastest
 6.0/768 connection for only $19.95/mo for the first 3 months!
 http://ads.osdn.com/?ad_id=2562alloc_id=6184op=click
 ___
 Clamav-users mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/clamav-users
 





[Clamav-users] Clam virus scanning through procmail

2004-05-13 Thread Kenneth Andresen
Hello all,

I am in a position where I can't add a milter to sendmail, because this is a
Red Hat Enterprise ES2.1 server and I would lose support on sendmail by
recompiling it...

I do believe, however, that it should be possible to avoid a milter by
means of a procmail recipe.

Does anyone have a tried and tested recipe, or suggestions for how
to accomplish this?


In advance thanks!





RE: [Clamav-users] sendmail-milter-clamav

2004-05-13 Thread Samuel Benzaquen
First, when you show a config file, please omit the comment lines... It
makes the mail big and doesn't give any extra info.

Answering your problem, I think you are lacking one option in the
sendmail.cf file.
We have sendmail (8.12.11) + clamav + clamav-milter, and the options we have
in the sendmail.cf are:

O InputMailFilters=clmilter
Xclmilter, S=local:/var/run/clamav/clmilter.sock,F=, T=C:5s;S:10s;R:30s

I saw that you only included the second one.

Regards,

Samsam

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Iulian
Sent: Thursday, 13 May 2004 06:01 a.m.
To: [EMAIL PROTECTED]
Subject: [Clamav-users] sendmail-milter-clamav


  I am trying to install ClamAV on Slack 9.1 with sendmail and
milter.
My installation:
1.

sendmail -d0 | grep MILTER
on my PC: Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS
MILTER MIME7TO8 MIME8TO7

2. User clamav, ...:
group clamav
useradd -g clamav -d /dev/null clamav
mkdir /var/clamav
chown clamav:clamav /var/clamav

3 Install...

./configure \
--prefix=/usr --sysconfdir=/etc --datadir=/var/clamav \
--enable-milter
make
make install

4. Config /etc/clamav.conf


...


5. Update Virus Database
freshclam --quiet --stdout --datadir /var/clamav --log
/var/clamav/clamav.log

6. Test

cd /usr/src/clamav/test
clamscan test1
-the test is OK

7. Sendmail

In sendmail.cf, in section Mail Filters

Xclmilter, S=local:/var/clamav/clmilter.sock,F=, T=S:4m;R:4m

8. Start daemon

clamd
clamav-milter -blo /var/clamav/clmilter.sock
/etc/rc.d/rc.sendmail restart

-my test
ls -l /var/clamav/*sock
srwxrwxrwx  1 clamav clamav 0 May 13 09:17 /var/clamav/clamd.sock
srwx--  1 clamav clamav 0 May 13 09:17 /var/clamav/clmilter.sock


ps -aux|grep cla
clamav 920  0.0 10.2 14300 13020 ?   S09:17   0:00 clamd
clamav 924  0.0  0.6  4368  860 ?S09:17   0:00
clamav-milter -blo /var/clamav/clmilter.sock


9. Mail test (with file test1, the same as in point 6.)

cat test1 | mail -s Vir root
and the test mail arrives in my mailbox without any problems!
In my logs, no errors, warnings, ... What is wrong?!

Thanks!





Re: [Clamav-users] What is this Exploit.JUnksurf.A ? (Off topic)

2004-05-13 Thread bergman


In the message dated: Thu, 13 May 2004 14:21:55 +0200,
The pithy ruminations from Flynn on 
Re: [Clamav-users] What is this Exploit.JUnksurf.A ? were:
=  
=  If your md5sum does NOT match, then reinstalling is probably your best
=  option.
=  
= 
= I would suggest to run this :
= 
=   for i in $(rpm -qa);do rpm -V $i | grep bin;done
= 
= before taking the decision of reinstalling everything...

If you're concerned about file corruption, maybe. If you're concerned that 
you've been hacked, neither of those techniques is very useful, unless the 
md5sum executable, the rpm executable, and the rpm database are located on 
known-good, read-only media, such as the distribution CD.

Mark

= 
= Flynn
= 
= 


Mark Bergman
http://wwwkeys.pgp.net:11371/pks/lookup?op=get&search=bergman%40merctech.com
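
As an added example (not from Mark's post or from the ClamAV project), the following POSIX sh function verifies files against a baseline manifest in md5sum's output format, with the hashing binary passed in by the caller. That is the practical form of Mark's point: run the check with a manifest and an md5sum copied from known-good read-only media, so a tampered md5sum or rpm database on the host cannot vouch for itself. The manifest and hasher paths in the usage comment are hypothetical.

```sh
#!/bin/sh
# Added example, not from the post: verify files against a baseline manifest
# using a hashing binary chosen by the caller. Keep the manifest and run the
# hasher from known-good read-only media so the check does not depend on the
# host's own md5sum binary or rpm database.
#
# Manifest format is md5sum's own output:  <hash>  <path>
# Prints one line per MISSING or MISMATCH entry; returns 1 if any were seen.
verify_manifest() {
    manifest=$1
    hasher=${2:-md5sum}          # e.g. /mnt/cdrom/bin/md5sum (hypothetical path)
    bad=0
    while read -r expected path; do
        [ -n "$path" ] || continue            # skip blank lines
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            bad=1
            continue
        fi
        # the hasher prints "<hash>  <path>"; keep only the hash
        actual=$("$hasher" "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $path expected=$expected actual=$actual"
            bad=1
        fi
    done < "$manifest"
    return "$bad"
}

# Usage (paths are hypothetical):
#   verify_manifest /mnt/cdrom/baseline.md5 /mnt/cdrom/bin/md5sum
```

A missing or unreadable hasher yields an empty hash, which is reported as a mismatch rather than silently passing, so a wrong path to the trusted media fails loudly.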





Re: [Clamav-users] softlimit+clamav

2004-05-13 Thread Joe Maimon


Rich wrote:

Jason,

I Googled my clamav problem (memory usage grows!) and found this thread.
I've had numerous OOMs on my production box, so I thought running
Softlimit+Clamd would be a good idea. The problem is I get a segmentation
fault error and all the clamd processes seem to hang.
You mentioned that you figured out the problem; can you please provide
details on this?
Thanks!
-Richie


 


 

How about trying to get a core file for the seg faults and stracing the 
hanging clamd processes?

Joe



[Clamav-users] sendmail-milter-clamav

2004-05-13 Thread Iulian
 I am trying to install ClamAV on Slack 9.1 with sendmail and
milter.
My installation:
1.
sendmail -d0 | grep MILTER
on my PC: Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS 
MILTER MIME7TO8 MIME8TO7

2. User clamav, ...:
group clamav
useradd -g clamav -d /dev/null clamav
mkdir /var/clamav
chown clamav:clamav /var/clamav
3 Install...

./configure \
--prefix=/usr --sysconfdir=/etc --datadir=/var/clamav \
--enable-milter
make
make install
4. Config /etc/clamav.conf

# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option). That's why you shouldn't uncomment
# this option.
LogFileUnlock
# Maximal size of the log file. Default is 1 Mb.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers.
LogFileMaxSize 2M
# Log time with an each message.
LogTime
# Log also clean files. May be useful in debugging but will drastically
# increase the log size.
LogClean
# Use system logger (can work together with LogFile).
LogSyslog
# Enable verbose logging.
LogVerbose
# This option allows you to save the process identifier of the listening
# daemon (main thread).
PidFile /var/clamav/clamd.pid
# Optional path to the global temporary directory.
# Default is system specific - usually /var/tmp or /tmp.
TemporaryDirectory /var/tmp
# Path to the database directory.
# Default is the hardcoded directory (mostly /usr/local/share/clamav,
# but it depends on installation options).
DatabaseDirectory /var/clamav
# The daemon works in local or network mode. Currently the local mode is
# recommended for security reasons.
# Path to the local socket. The daemon doesn't change the mode of the
# created file (portability reasons). You may want to create it in a directory
# which is only accessible for a user running daemon.
LocalSocket /var/clamav/clamd.sock
# Remove stale socket after unclean shutdown.
FixStaleSocket
# TCP port address.
#TCPSocket 3310
# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
#TCPAddr 127.0.0.1
# Maximum length the queue of pending connections may grow to.
# Default is 15.
MaxConnectionQueueLength 90
# When activated, input stream (see STREAM command) will be saved to disk before
# scanning - this allows scanning within archives.
StreamSaveToDisk
# Close the connection if this limit is exceeded.
StreamMaxLength 10M
# Maximal number of a threads running at the same time.
# Default is 5, and it should be sufficient for a typical workstation.
# You may need to increase threads number for a server machine.
MaxThreads 100
# Waiting for data from a client socket will timeout after this time (seconds).
# Default is 120. Value of 0 disables the timeout.
ReadTimeout 300
# Maximal depth the directories are scanned at.
MaxDirectoryRecursion 25
# Follow a directory symlinks.
# SECURITY HINT: You should have enabled directory recursion limit to
# avoid potential problems.
#FollowDirectorySymlinks
# Follow regular file symlinks.
#FollowFileSymlinks
# Do internal checks (eg. check the integrity of the database structures)
# By default clamd checks itself every 3600 seconds (1 hour).
SelfCheck 600
# Execute a command when a virus is found. In the command string %v will
# be replaced by the virus name.
#
VirusEvent /bin/mail -s VIRUS ALERT: %v root
# Run as selected user (clamd must be started by root).
# By default it doesn't drop privileges.
User clamav
# Initialize the supplementary group access (for all groups in /etc/group
# user is added in. clamd must be started by root).
#AllowSupplementaryGroups
# Don't fork into background. Useful in debugging.
#Foreground
# Enable debug messages in libclamav.
#Debug
##
## Document scanning
##
# This option enables scanning of Microsoft Office document macros.
ScanOLE2
##
## Mail support
##
# Uncomment this option if you are planning to scan mail files.
ScanMail
##
## Archive support
##
# Comment this line to disable scanning of the archives.
ScanArchive
# By default the built-in RAR unpacker is disabled by default because the code
# terribly leaks, however it's probably a good idea to enable it.
ScanRAR
# Options below protect your system against Denial of Service attacks
# with archive bombs.
# Files in archives larger than this limit won't be scanned.
# Value of 0 disables the limit.
# WARNING: Due to the unrarlib implementation, whole files (one by one) in RAR
#  archives are decompressed to the memory. That's why never disable
#  this limit (but you may increase it of course!)
ArchiveMaxFileSize 10M
# Archives are scanned recursively - e.g. if Zip archive contains RAR file,
# the RAR file will be decompressed, too (but only 

Re: [Clamav-users] sendmail-milter-clamav

2004-05-13 Thread Alex V. Kovirshin
On Thu, May 13, 2004 at 01:00:39PM +0300, Iulian wrote:
  I am trying to install ClamAV on Slack 9.1 with sendmail and
 milter.
 My installation:
 1.
 
 sendmail -d0 | grep MILTER
 on my PC: Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS 
 MILTER MIME7TO8 MIME8TO7
 
 2. User clamav, ...:
 group clamav
 useradd -g clamav -d /dev/null clamav
 mkdir /var/clamav
 chown clamav:clamav /var/clamav
 
 3 Install...
 
 ./configure \
 --prefix=/usr --sysconfdir=/etc --datadir=/var/clamav \
 --enable-milter
 make
 make install
 
 4. Config /etc/clamav.conf
 
 
 # By default the log file is locked for writing - the lock protects against
 # running clamd multiple times (if want to run another clamd, please
 # copy the configuration file, change the LogFile variable, and run
 # the daemon with --config-file option). That's why you shouldn't uncomment
 # this option.
 LogFileUnlock
 
 # Maximal size of the log file. Default is 1 Mb.
 # Value of 0 disables the limit.
 # You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
 # and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
 # in bytes just don't use modifiers.
 LogFileMaxSize 2M
 
 # Log time with an each message.
 LogTime
 
 # Log also clean files. May be useful in debugging but will drastically
 # increase the log size.
 LogClean
 
 # Use system logger (can work together with LogFile).
 LogSyslog
 
 # Enable verbose logging.
 LogVerbose
 
 # This option allows you to save the process identifier of the listening
 # daemon (main thread).
 PidFile /var/clamav/clamd.pid
 
 # Optional path to the global temporary directory.
 # Default is system specific - usually /var/tmp or /tmp.
 TemporaryDirectory /var/tmp
 
 # Path to the database directory.
 # Default is the hardcoded directory (mostly /usr/local/share/clamav,
 # but it depends on installation options).
 DatabaseDirectory /var/clamav
 
 # The daemon works in local or network mode. Currently the local mode is
 # recommended for security reasons.
 
 # Path to the local socket. The daemon doesn't change the mode of the
 # created file (portability reasons). You may want to create it in a 
 directory
 # which is only accessible for a user running daemon.
 LocalSocket /var/clamav/clamd.sock
 
 # Remove stale socket after unclean shutdown.
 FixStaleSocket
 
 # TCP port address.
 #TCPSocket 3310
 
 # TCP address.
 # By default we bind to INADDR_ANY, probably not wise.
 # Enable the following to provide some degree of protection
 # from the outside world.
 #TCPAddr 127.0.0.1
 
 # Maximum length the queue of pending connections may grow to.
 # Default is 15.
 MaxConnectionQueueLength 90
 
 # When activated, input stream (see STREAM command) will be saved to disk 
 before
 # scanning - this allows scanning within archives.
 StreamSaveToDisk
 
 # Close the connection if this limit is exceeded.
 StreamMaxLength 10M
 
 # Maximal number of a threads running at the same time.
 # Default is 5, and it should be sufficient for a typical workstation.
 # You may need to increase threads number for a server machine.
 MaxThreads 100
 
 # Waiting for data from a client socket will timeout after this time 
 (seconds).
 # Default is 120. Value of 0 disables the timeout.
 ReadTimeout 300
 
 # Maximal depth the directories are scanned at.
 MaxDirectoryRecursion 25
 
 # Follow a directory symlinks.
 # SECURITY HINT: You should have enabled directory recursion limit to
 # avoid potential problems.
 #FollowDirectorySymlinks
 
 # Follow regular file symlinks.
 #FollowFileSymlinks
 
 # Do internal checks (eg. check the integrity of the database structures)
 # By default clamd checks itself every 3600 seconds (1 hour).
 SelfCheck 600
 
 # Execute a command when a virus is found. In the command string %v will
 # be replaced by the virus name.
 #
 VirusEvent /bin/mail -s VIRUS ALERT: %v root
 
 # Run as selected user (clamd must be started by root).
 # By default it doesn't drop privileges.
 User clamav
 
 # Initialize the supplementary group access (for all groups in /etc/group
 # user is added in. clamd must be started by root).
 #AllowSupplementaryGroups
 
 # Don't fork into background. Useful in debugging.
 #Foreground
 
 # Enable debug messages in libclamav.
 #Debug
 
 ##
 ## Document scanning
 ##
 
 # This option enables scanning of Microsoft Office document macros.
 ScanOLE2
 
 ##
 ## Mail support
 ##
 
 # Uncomment this option if you are planning to scan mail files.
 ScanMail
 
 ##
 ## Archive support
 ##
 
 
 # Comment this line to disable scanning of the archives.
 ScanArchive
 
 
 # By default the built-in RAR unpacker is disabled by default because the 
 code
 # terribly leaks, however it's probably a good idea to enable it.
 ScanRAR
 
 
 # Options below protect your system against Denial of Service attacks
 # with archive bombs.
 
 # Files in archives larger than this limit won't be scanned.
 # Value of 0 disables the limit.
 # WARNING: Due to the unrarlib implementation, whole files (one by one) in 
 RAR
 # 

Re: [Clamav-users] sendmail-milter-clamav

2004-05-13 Thread Nigel Horne
Iulian [EMAIL PROTECTED] Wrote:

 clamav-milter -blo /var/clamav/clmilter.sock

Except for specific situations please don't use the -b option.

 srwxrwxrwx  1 clamav clamav 0 May 13 09:17 /var/clamav/clamd.sock

Publicly writable named pipes could be a security risk. Please look into
your umask settings.

-Nigel

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
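
As an added example (not from Nigel's post or from ClamAV), here is a POSIX sh function that reads an ls -l listing on stdin, in the format of the listing Nigel quotes, and flags Unix sockets whose mode grants write access to the group or to everyone. The sample listing in the usage comment is constructed.

```sh
#!/bin/sh
# Added example, not from the post: flag Unix sockets that are writable by
# group or by everyone, reading "ls -l" lines on stdin. Prints one line per
# offending entry and returns 1 if any were found; a clean listing prints
# nothing and returns 0.
find_writable_sockets() {
    found=0
    while IFS= read -r line; do
        mode=${line%%" "*}               # first field, e.g. srwxrwxrwx
        case "$mode" in
            # leading 's' = socket; position 6 is the group w bit, position 9
            # the other w bit. Trailing '*' tolerates the '+' or '.' some ls
            # versions append for ACLs or security labels.
            s????w*|s???????w*)
                echo "${line##*" "} mode $mode is writable by group or others"
                found=1 ;;
        esac
    done
    return "$found"
}

# Usage (constructed sample; the second line is what a 0700 socket looks like):
#   printf '%s\n' \
#     'srwxrwxrwx  1 clamav clamav 0 May 13 09:17 /var/clamav/clamd.sock' \
#     'srwx------  1 clamav clamav 0 May 13 09:17 /var/clamav/clmilter.sock' \
#     | find_writable_sockets
# Live:  ls -l /var/clamav/*sock | find_writable_sockets
```

The clamav.conf comment quoted earlier in this thread says clamd does not change the mode of the socket it creates, so the mode you see is whatever the umask of the process that started clamd allowed; that is why Nigel points at umask rather than at a clamd option.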





Re: [Clamav-users] What is this Exploit.JUnksurf.A ?

2004-05-13 Thread Flynn
 
 If your md5sum does NOT match, then reinstalling is probably your best
 option.
 

I would suggest to run this :

  for i in $(rpm -qa);do rpm -V $i | grep bin;done

before taking the decision of reinstalling everything...

Flynn





[Clamav-users] softlimit+clamav

2004-05-13 Thread Rich
Jason,

I Googled my clamav problem (memory usage grows!) and found this thread.
I've had numerous OOMs on my production box, so I thought running
Softlimit+Clamd would be a good idea. The problem is I get a segmentation
fault error and all the clamd processes seem to hang.

You mentioned that you figured out the problem, can you please provide
details on this?

Thanks!
-Richie



Re: [Clamav-users] clamd still hangs with 0.70
---
-

From: Jason Haar
Subject: Re: [Clamav-users] clamd still hangs with 0.70
Date: Tue, 20 Apr 2004 19:44:54 -0700

---
-
On Tue, Apr 20, 2004 at 01:11:40PM -0400, Mike Cathey wrote:
 ...lsof the pid and see what files it has open...then copy the files to
 somewhere else and fire them off to the developers. :)

Nope - that won't help. I just did that - twice within 10 minutes on my
(currently) hung mail server. The first shows clamd (running just below the
softlimit memory setting - again it ran out of memory) having bunches of
library files, logfiles,etc open - plus one eml file. 10 minutes later it
hasn't got that file open but has others open...

i.e. it hasn't hung - it's now just going E.X.T.R.E.M.E.L.Y slowly...

OK, I think I can trigger this at will at the moment. If I let clamdscan run
over my SPAM Maildir folder (32,580 msgs) - which will be full of
atrociously written MIME mail messages (if that matters), then over a few
minutes clamd climbs up to the softlimit RAM limit and then clamd hangs (or
goes slow - take your pick). Then all further clamdscan processes hang. If I
then kill the clamdscan -r SPAM/ process, then almost immediately all the
other clamdscan processes finish (not crash!), and clamd memory usage drops
back down to around 16M.

Gah. I think I've figured out the problem. I'm running clamd under
daemontools - which means I've set Foreground in clamav.conf... How does
that affect the running of clamd? Does it force clamd to serialize requests
by any chance...?


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1





Re: [Clamav-users] Clam virus scanning through procmail

2004-05-13 Thread Brian J. France
This is what I am using:

--- clamav.rc ---
:0
CLAMAV=|/usr/bin/clamdscan --mbox --disable-summary --stdout  -
:0
* CLAMAV ?? .*: \/.* FOUND
{
  :0 fhw
  | /usr/bin/formail -a "X-ClamAV: ${MATCH}"
}
#:0E fhw
#| /usr/bin/formail -a "X-ClamAV: clean"

I didn't want to add a header to clean messages so I commented out the 
else case.

Linux 2.4
procmail v3.22
ClamAV 0.70
Brian

On May 13, 2004, at 10:50 AM, Kenneth Andresen wrote:

Hello all,

I am in a position where I can't add a milter to sendmail, because this is a
Red Hat Enterprise ES2.1 server and I would lose support on sendmail by
recompiling it...
I do believe, however, that it should be possible to avoid a milter by
means of a procmail recipe.
Does anyone have a tried and tested recipe, or suggestions for how
to accomplish this?
In advance thanks!





Re: [Clamav-users] Clam virus scanning through procmail

2004-05-13 Thread Christopher X. Candreva
On Thu, 13 May 2004, Kenneth Andresen wrote:

 Does anyone have a tried and tested recipe, or suggestions for how
 to accomplish this?

This has been posted several times, but:

# Change path to suit:
VIRUS=`/usr/local/bin/clamdscan --mbox --disable-summary --stdout  -`

:0 Di
* VIRUS ?? FOUND
/dev/null

# Or whatever you want to do



==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
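
Both recipes in this thread (Brian's header-adding one and Chris's /dev/null one) decide on the single test "does the clamdscan output contain FOUND". Anything else counts as clean, including the case where clamd is down and clamdscan prints only an ERROR line, so a scanner outage delivers mail unscanned. The following is an added example, not from either post or from ClamAV: a POSIX sh function that turns clamdscan output into a three-way verdict so a recipe can defer or quarantine on error instead of delivering. The sample scanner lines in the test and comments are constructed; the script name in the usage comment is hypothetical.

```sh
#!/bin/sh
# Added example, not from either recipe above: classify clamdscan output
# (read on stdin) into a verdict a procmail recipe can act on. Unlike a plain
# FOUND match, "no verdict" (empty output, ERROR lines, no OK line) is
# reported as an error rather than silently treated as clean.
#
# Prints:  infected <signature name> | clean | error
# Returns: 1 infected, 0 clean, 2 error
classify_scan() {
    found= ok= err=
    while IFS= read -r line; do
        case "$line" in
            *": "*" FOUND")                     # e.g. "stream: Eicar-Test-Signature FOUND"
                found=${line%" FOUND"}          # drop the trailing " FOUND"
                found=${found##*": "} ;;        # keep the text after the last ": "
            *": OK")  ok=1 ;;                   # e.g. "stream: OK"
            *ERROR*)  err=1 ;;                  # e.g. "ERROR: cannot connect to clamd"
        esac
    done
    if [ -n "$found" ]; then
        echo "infected $found"
        return 1
    elif [ -n "$err" ] || [ -z "$ok" ]; then
        echo "error"
        return 2
    fi
    echo "clean"
    return 0
}

# Usage from a recipe, with this function saved as a script on PATH under the
# hypothetical name classify_scan:
#   VERDICT=`/usr/bin/clamdscan --mbox --disable-summary --stdout - | classify_scan`
# then test "* VERDICT ?? ^infected" and "* VERDICT ?? ^error" as separate
# recipes, e.g. adding "X-ClamAV: $VERDICT" with formail -a in both cases.
```

The infected verdict wins over everything else, so a multi-part scan that reports OK for one part and FOUND for another is still infected; an ERROR line next to an OK line is reported as error, because a partial scan is not a clean scan.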




[Clamav-users] Re: What is this Exploit.Junksurf.A?

2004-05-13 Thread N S Srikanth

astro: [20:31] [10] ~md5sum /usr/bin/kmail
df82e822af0ecb12a2e04f832144a87d  /usr/bin/kmail

If your md5sum matches mine, then your box is safe and it's clamav
that's screwy.  You should update to 0.70 and run freshclam to update
your database, then try again.

=

[EMAIL PROTECTED] srikanth]$ md5sum /usr/bin/kmail
df82e822af0ecb12a2e04f832144a87d  /usr/bin/kmail


Yes, I think it is the clamscan that is screwy!


Cheeka
-- 
Learn From others' mistakes! Your lifetime is not enough to
commit all of them yourself and learn from them!




Re: [Clamav-users] What is this Exploit.JUnksurf.A ? (Off topic)

2004-05-13 Thread Damian Menscher
On Thu, 13 May 2004 [EMAIL PROTECTED] wrote:
 In the message dated: Thu, 13 May 2004 14:21:55 +0200,
 The pithy ruminations from Flynn on
 Re: [Clamav-users] What is this Exploit.JUnksurf.A ? were:
 = 
 =  If your md5sum does NOT match, then reinstalling is probably your best
 =  option.
 = 
 =
 = I would suggest to run this :
 =
 =   for i in $(rpm -qa);do rpm -V $i | grep bin;done
 =
 = before taking the decision of reinstalling everything...

 If you're concerned about file corruption, maybe. If you're concerned that
 you've been hacked, neither of those techniques is very useful, unless the
 md5sum executable, the rpm executable, and the rpm database are located on
 known-good, read-only media, such as a the distribution CD.

You are obviously correct in the case of an intrusion.  But I don't know
many 1337 h4x0rs that would mess with:
//usr/share/doc/libxml2-devel-2.5.4/example.html: Exploit.Junksurf.A FOUND
which is why I recommended updating clamav before reinstalling.

Taking things in context helps.

Damian Menscher
-- 
-=#| Physics Grad Student  SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers: |#=-
-=#| UIUC CITES Security Group || Beckman Imaging Technology Group |#=-




Re: [Clamav-users] sendmail-milter-clamav

2004-05-13 Thread Per-Olov Sjöholm
--
I will do a top post here, as it is too much to scroll and therefore not
readable enough...
(no comments on top postings please)
--

The sendmail config (your section 7) is not OK. Two things here.

1.
You should consider using the macro configuration (the .mc file) and
building a sendmail.cf from that. Editing sendmail.cf directly is not
recommended. The row to use is something like:
INPUT_MAIL_FILTER(`clamav', `S=inet:[EMAIL PROTECTED], F=T,
T=S:4m;R:4m;E:5m')dnl
(Or you can use a file socket if you want...)
The steps for macro config: a) edit sendmail.mc, b) type make sendmail.cf,
c) copy the new sendmail.cf to /etc/mail, d) restart sendmail.

2.
(Your config will however work without this change)
You should not (in my opinion) use F=. You should use F=T. F= will
allow the mail through if the clamav-milter connector or clamd is down. Is that
what you want? You probably want F=T, which means sendmail will give a
4.7.1 "Try again later" back to the sender if the clamav-milter connector
or clamd is down and won't answer. Otherwise viruses can go through...
Also... Make sure you have timeouts in the milter connection (both ends)
that are high enough to scan a huge mail over a slow connection that will
take time. Otherwise you will see aborts.


/Per-Olov





Iulian said:
   I am trying to install ClamAV on Slack 9.1 with sendmail and
 milter.
 My installation:
 1.

 sendmail -d0 | grep MILTER
 on my PC: Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS
 MILTER MIME7TO8 MIME8TO7

 2. User clamav, ...:
 group clamav
 useradd -g clamav -d /dev/null clamav
 mkdir /var/clamav
 chown clamav:clamav /var/clamav

 3 Install...

 ./configure \
 --prefix=/usr --sysconfdir=/etc --datadir=/var/clamav \
 --enable-milter
 make
 make install

 4. Config /etc/clamav.conf


 # By default the log file is locked for writing - the lock protects
 against
 # running clamd multiple times (if want to run another clamd, please
 # copy the configuration file, change the LogFile variable, and run
 # the daemon with --config-file option). That's why you shouldn't
 uncomment
 # this option.
 LogFileUnlock

 # Maximal size of the log file. Default is 1 Mb.
 # Value of 0 disables the limit.
 # You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
 # and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
 # in bytes just don't use modifiers.
 LogFileMaxSize 2M

 # Log time with an each message.
 LogTime

 # Log also clean files. May be useful in debugging but will drastically
 # increase the log size.
 LogClean

 # Use system logger (can work together with LogFile).
 LogSyslog

 # Enable verbose logging.
 LogVerbose

 # This option allows you to save the process identifier of the listening
 # daemon (main thread).
 PidFile /var/clamav/clamd.pid

 # Optional path to the global temporary directory.
 # Default is system specific - usually /var/tmp or /tmp.
 TemporaryDirectory /var/tmp

 # Path to the database directory.
 # Default is the hardcoded directory (mostly /usr/local/share/clamav,
 # but it depends on installation options).
 DatabaseDirectory /var/clamav

 # The daemon works in local or network mode. Currently the local mode is
 # recommended for security reasons.

 # Path to the local socket. The daemon doesn't change the mode of the
 # created file (portability reasons). You may want to create it in a
 directory
 # which is only accessible for a user running daemon.
 LocalSocket /var/clamav/clamd.sock

 # Remove stale socket after unclean shutdown.
 FixStaleSocket

 # TCP port address.
 #TCPSocket 3310

 # TCP address.
 # By default we bind to INADDR_ANY, probably not wise.
 # Enable the following to provide some degree of protection
 # from the outside world.
 #TCPAddr 127.0.0.1

 # Maximum length the queue of pending connections may grow to.
 # Default is 15.
 MaxConnectionQueueLength 90

 # When activated, input stream (see STREAM command) will be saved to disk
 before
 # scanning - this allows scanning within archives.
 StreamSaveToDisk

 # Close the connection if this limit is exceeded.
 StreamMaxLength 10M

 # Maximal number of a threads running at the same time.
 # Default is 5, and it should be sufficient for a typical workstation.
 # You may need to increase threads number for a server machine.
 MaxThreads 100

 # Waiting for data from a client socket will timeout after this time
 (seconds).
 # Default is 120. Value of 0 disables the timeout.
 ReadTimeout 300

 # Maximal depth the directories are scanned at.
 MaxDirectoryRecursion 25

 # Follow a directory symlinks.
 # SECURITY HINT: You should have enabled directory recursion limit to
 # avoid potential problems.
 #FollowDirectorySymlinks

 # Follow regular file symlinks.
 #FollowFileSymlinks

 # Do internal checks (eg. check the integrity of the database structures)
 # By default clamd checks itself every 3600 seconds (1 hour).
 SelfCheck 600

 # Execute a command when a virus is found. In the command string %v will
 # be replaced by the virus 
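
Two of the replies in this thread point at the same two lines of sendmail.cf: Samuel notes that Iulian's config has the Xclmilter definition but no "O InputMailFilters=clmilter" line to activate it, and Per-Olov notes that F= (empty) lets mail through unscanned when clamav-milter or clamd is down, whereas F=T tempfails it. The following is an added example, not from either post or from the sendmail or ClamAV projects: a POSIX sh function that reads a sendmail.cf on stdin and reports both conditions. The sample cf lines in the test are constructed from the ones quoted in the thread.

```sh
#!/bin/sh
# Added example, not from the thread: audit the milter wiring in a
# sendmail.cf read on stdin. Two findings are reported:
#   (a) an "Xname, S=..." filter definition that is not listed in
#       "O InputMailFilters=..." (sendmail never calls it), and
#   (b) a filter whose F= flag is empty, i.e. fail-open: mail is accepted
#       unscanned whenever the filter is unreachable. F=T (tempfail) and
#       F=R (reject) both fail closed.
# One finding per output line; no output means no findings.
audit_milter_cf() {
    cf=$(cat)
    # names listed on the InputMailFilters option, one per line
    active=$(printf '%s\n' "$cf" | sed -n 's/^O[ ]*InputMailFilters=//p' | tr ',' '\n' | tr -d ' ')
    printf '%s\n' "$cf" | grep '^X[A-Za-z0-9_]*,' | while IFS= read -r line; do
        name=${line#X}
        name=${name%%,*}
        if ! printf '%s\n' "$active" | grep -qx "$name"; then
            echo "(a) filter $name is defined but missing from O InputMailFilters"
        fi
        case "$line" in
            *"F=T"*|*"F=R"*) ;;
            *) echo "(b) filter $name has no F=T/F=R flag: mail is accepted unscanned when the filter is down" ;;
        esac
    done
}

# Usage:  audit_milter_cf < /etc/mail/sendmail.cf
```

Run it against the generated sendmail.cf rather than the .mc file, since it is the .cf sendmail actually reads; after Per-Olov's "make sendmail.cf" step this is a cheap check that the F=T from the INPUT_MAIL_FILTER macro really landed in the file that got copied to /etc/mail.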

RE: [Clamav-users] clamav-milter[xxx]: ClamAv: thread_create() failed: 11, try again

2004-05-13 Thread Samuel Benzaquen
Hi,

As a matter of fact, the configuration I wrote about was correct.
Setting the thread stack to 2Mb solved the problem and let the system create
more than 256 threads of clamav-milter (till the hard limit of glibc).

Regards,

Samuel Benzaquen

Hi,

I have to say that the answer to this problem was easier than we thought.
Just by adding the lines:
---
ulimit -s 2048
ulimit -n 10240
---

I'll post a reply with our experience of these changes after running a couple of
days in a production environment.

Regards,

Samuel Benzaquen





Re: [Clamav-users] What is this Exploit.JUnksurf.A ? (Off topic)

2004-05-13 Thread Kevin Spicer
On Thu, 2004-05-13 at 20:53, Damian Menscher wrote:
 You are obviously correct in the case of an intrusion.  But I don't know
 many 1337 h4x0rs that would mess with:
 //usr/share/doc/libxml2-devel-2.5.4/example.html: Exploit.Junksurf.A FOUND
 which is why I recommended updating clamav before reinstalling.
 
 Taking things in context helps.

It's also worth noting that where the type of infection doesn't match the
type of file it's likely to be a false positive.  For example, if you find
Linux binaries 'infected' with a Word macro virus.

In this particular case (from its name, and the description of a
similarly named virus on Trend's site
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=HTML_JUNKSURF.A ) I
would guess this is an HTML exploit; therefore finding it in all manner of files, both
binary and text, would seem to suggest an error on the part of the scanner.





BMRB International 
http://www.bmrb.co.uk
+44 (0)20 8566 5000




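A triage pass that implements the heuristic above, added here as an example and not code from the thread: it parses clamscan "FOUND" lines, sniffs each file's real type from its leading bytes rather than its name, and marks hits whose signature family does not fit the file (a Word macro signature on an ELF binary) as suspected false positives. The prefix-to-type table, the signature names and the sample report and file contents are all constructed for the demo; prefixes that the table does not know, such as the thread's "Exploit.", get an "unknown" verdict rather than a guess.

```python
import re

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# Constructed heuristic table: the file type a signature-name prefix targets.
FAMILY_TYPE = {"HTML": "html", "W97M": "ole2", "X97M": "ole2", "Win32": "pe", "Linux": "elf"}

def sniff_type(head: bytes) -> str:
    """Classify a file by its leading bytes (magic numbers), never by its extension."""
    if head.startswith(b"\x7fELF"):
        return "elf"
    if head.startswith(b"MZ"):
        return "pe"
    if head.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole2"            # legacy Word/Excel container, home of macro viruses
    if re.search(rb"<\s*(!doctype|html|script)", head, re.I):
        return "html"
    return "unknown"

def triage(report: str, read_head) -> list:
    """Map each 'FOUND' line to (path, signature, verdict): plausible, suspect-fp or unknown."""
    out = []
    for line in report.splitlines():
        m = FOUND_RE.match(line)
        if not m:
            continue             # 'OK' lines and the summary block carry no hit
        path, sig = m.group("path"), m.group("sig")
        expected = FAMILY_TYPE.get(sig.split(".")[0])
        actual = sniff_type(read_head(path))
        if expected is None or actual == "unknown":
            verdict = "unknown"
        elif expected == actual:
            verdict = "plausible"
        else:
            verdict = "suspect-fp"   # e.g. a Linux binary 'infected' with a Word macro virus
        out.append((path, sig, verdict))
    return out

# Constructed sample: a clamscan report plus the first bytes of each listed file.
SAMPLE_REPORT = """\
/usr/bin/ls: W97M.Example.A FOUND
/usr/share/doc/foo/example.html: HTML.Example.B FOUND
/usr/bin/cat: OK
/tmp/unknown.bin: Exploit.Example.C FOUND
"""
SAMPLE_HEADS = {
    "/usr/bin/ls": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
    "/usr/share/doc/foo/example.html": b"<!DOCTYPE html><html><body>...</body></html>",
    "/tmp/unknown.bin": b"\x00\x01\x02\x03",
}
```

On a real system `read_head` would be a function that opens the path and returns its first few hundred bytes.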


Re: [Clamav-users] Clamd Leaking?

2004-05-13 Thread Fajar A. Nugraha
Lucas Albers wrote:

 Fajar A. Nugraha said:
  Did you add the script to kill clamd and start it when clamdwatch says
  clamd dead/hung?

 What is clamdwatch, I have never heard of it?
 Where do you get it?

It's a simple perl script to determine whether
clamd is dead, hung, or alive. http://mikecathey.com/code/clamdwatch/
It is also included under the contrib directory of the clamav source tarball.
Regards,

Fajar
--
Please avoid sending me Microsoft Office attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html
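A minimal version of the dead/hung/alive distinction that clamdwatch draws, added here as an example (this is not clamdwatch and not code from the thread): connect to clamd's LocalSocket, send PING, and classify the daemon from what happens next. PING/PONG is clamd's own command protocol; the socket paths, the timeouts and the fake daemon used to exercise the three outcomes are constructed for the demo.

```python
import socket
import tempfile
import threading
import time

def check_clamd(path: str, timeout: float = 5.0) -> str:
    """Return 'dead' (cannot connect), 'hung' (connected but no PONG in time) or 'alive'."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(path)              # the LocalSocket path from clamd.conf
    except OSError:
        return "dead"                # socket file missing or nobody listening
    try:
        s.sendall(b"PING\n")         # clamd's own protocol: PING is answered with PONG
        reply = s.recv(16)
    except socket.timeout:
        return "hung"                # accepted the connection but never answered
    except OSError:
        return "dead"                # connection dropped mid-probe
    finally:
        s.close()
    return "alive" if reply.strip() == b"PONG" else "hung"

def fake_clamd(path: str, respond: bool) -> None:
    """Constructed stand-in for clamd: answers PONG, or accepts and stays silent to mimic a hang."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            if respond:
                conn.recv(16)        # the PING
                conn.sendall(b"PONG\n")
            else:
                time.sleep(3)        # outlives the probe's timeout
        srv.close()
    threading.Thread(target=serve, daemon=True).start()

def demo() -> dict:
    """Probe three constructed scenarios: an answering daemon, a silent one, and none at all."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        fake_clamd(f"{d}/alive.sock", respond=True)
        results["alive"] = check_clamd(f"{d}/alive.sock", timeout=2.0)
        fake_clamd(f"{d}/hung.sock", respond=False)
        results["hung"] = check_clamd(f"{d}/hung.sock", timeout=0.5)
        results["dead"] = check_clamd(f"{d}/missing.sock", timeout=0.5)
    return results
```

A supervisor built on this would restart clamd on "dead" and kill then restart it on "hung", which is the script Fajar refers to above.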


Re: [Clamav-users] Clamd Leaking?

2004-05-13 Thread Fajar A. Nugraha
Rich wrote:

 Found this Googling, good tool too to monitor clamd ;-)
 http://www.tildeslash.com/monit/

Yes, it's good indeed. So is daemontools.
But when it comes to simplicity, clamdwatch is the simplest one.
Which is (I think) why clamdwatch is included in the default clamav
tarball package, replacing clamd-supervised.
It's up to you to choose the most suitable one.

Regards,

Fajar
--
Please avoid sending me Microsoft Office attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html


[Clamav-users] Re: Clam virus scanning through procmail

2004-05-13 Thread Kalin Wilson

Check out clamassassin at http://drivel.com/clamassassin. It is a shell
script which uses clamscan and formail to scan for viruses and modify the
email header aka spamassassin. The README explains how to use procmail to
invoke clamassassin and filter based on the header.

Good luck.



