Re: [Clamav-users] JPEG vulnerability

2004-09-17 Thread Kevin Spicer
On Fri, 2004-09-17 at 03:02, Tomasz Kojm wrote:
  Okay, well I've found an easier to understand source...
  http://www.funducode.com/freec/Fileformats/format3/format3b.htm
  and it seems that the particular exploit byte sequence would be unique
  within jpeg files.  I've also tracked down docs on how to make a
  signature for clam, but it doesn't appear that it's possible to form a
 
 A new signature format that will be included in 0.80rc will allow
 advanced offset and target type specification, including JPEG images.

Cool, as ever you're one step ahead!

  signature by detecting two distinct patterns in a file, or anchoring
 
 With older clamav versions you can use HEX1*HEX2*...*HEXn

That doesn't anchor to the start of the file though (I guess I'd need to
anchor the magic number to minimise false positives). I had just about
guessed, by looking at the sig files after I posted, that the * was a
wildcard (matching many bytes) and the ? a single unknown byte
(correct?).  Perhaps this information could be added to signatures.pdf? 
Is there a limit (and if so what is it) to how many bytes a * will
match?  




BMRB International 
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_
This message (and any attachment) is intended only for the 
recipient and may contain confidential and/or privileged 
material.  If you have received this in error, please contact the 
sender and delete this message immediately.  Disclosure, copying 
or other action taken in respect of this email or in 
reliance on it is prohibited.  BMRB International Limited 
accepts no liability in relation to any personal emails, or 
content of any email which does not directly relate to our 
business.




---
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] How to use clamav-milter with sendmail???

2004-09-17 Thread Nigel Horne
On Thursday 16 Sep 2004 20:47, Ken Morley wrote:
 I have a mail server that I've equipped with ClamAV 0.751, sendmail and RH
 Linux 7.  I would like to get sendmail to discard any messages/attachments
 that ClamAV determines are infected.
snip 
 As mentioned on page 24, I modified /etc/mail/sendmail.mc:
 INPUT_MAIL_FILTER(`clmilter', `S=local:/var/run/clmilter.sock, F=, T=S:4m;R:4m')dnl
 define(`confINPUT_MAIL_FILTERS', `clmilter')dnl
 
 And I recompiled /etc/sendmail.cf:
 m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
 
 I started clamd and clamav-milter, then restarted sendmail.
 
 Clamscan will detect infected files, but sendmail either doesn't detect
 infected emails or is not taking any action.  Is there something left out of
 the documentation?

Do you have LogSyslog set in clamav.conf? If not, set it.
Then look in /var/log/maillog for clues.

 Thanks!
 
 Ken Morley

-Nigel

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk




Re: [Clamav-users] Re: kernel: Out of Memory:Killed process xxxxx (clamd).

2004-09-17 Thread Trog
On Thu, 2004-09-16 at 04:58, Fajar A. Nugraha wrote:
 Trog wrote:
 
 Apache has been moving away from the prefork-kind of daemon towards
 threads for a number of years.
   
 
 Yes, but in case you didn't notice prefork is STILL the default MPM if 
 no specific one
 is chosen. It's for compatibility purposes mostly, for modules that 
 are not thread-safe yet.
 So it's still pretty much alive.

Sure, and I still use it extensively. But, the point is that you were
using the fact that Apache uses fork()ing as an argument for not using
threads, when in fact they are moving towards threads away from
fork()ing.

 
 The lifetime of threads in clamd is limited by the workload. If they
 don't have any work to do for a period of time, then they exit.
   
 
 What if they have lots of things to do all the time? (e.g. busy 
 mailservers).

Then they will keep processing work requests.

 The 3G memory usage that I talk about happens on the busiest server.
 The not-so-busy only uses hundreds of MB max.
 It might be a good idea to force-limit thread lifetime to a number of scans
 if it indeed helps return memory back to the OS (not sure about this one
 though; logically it should work).

Won't make any difference. The thread manager is completely separate
from the scanning engine. A memory leak in the scanning engine won't get
magically recovered by thread termination.

You can limit the number of concurrent threads, and hence memory by
using the MaxThreads directive. That also limits the number of
concurrent scans.



 Have you tried the current CVS version?? If not, do.
 
   
 
 I did. Upgraded daily, in fact. I build (and use) daily CVS snapshot for 
 many
 platforms, including Solaris (available on clamav.or.id).
 
 Most recent CVS snapshot still have this problem (e.g memory not 
 returned to the OS).
 This clamd has been running for 7 hours, on a not-so-busy mailserver.
 
   PID USERNAME LWP PRI NICE  SIZE   RES STATETIMECPU COMMAND
   1706 exim   9  580   41M 8064K sleep   16:43  4.30% clamd
 

It's using only 8M of memory. Nothing wrong with that.

-trog





Re: [Clamav-users] Re: kernel: Out of Memory:Killed process xxxxx

2004-09-17 Thread Trog
On Thu, 2004-09-16 at 06:28, Mar Matthias Darin wrote:
 Fajar A. Nugraha writes: 
 
  Do you have any suggestion as to how to get back the free()d memory?
  Will (borrowing Apache's way) using a prefork-kind of daemon, with limited 
  lifetime
  for each child, be better (in sense of memory management) than the current
  thread implementation? Or perhaps limiting the lifetime of each thread 
  sufficient?
 
  From experience with pthreads and Linux v2.4, pthreads was a royal pain.  I 
 initially used threads as a method of a limited lifetime model for my 
 firewall design...  I kept getting unusual and unpredictable segfaults.  The 
 process would run anywhere from 2 days to several months, then for no 
 apparent reason, segfault in a routine that had been tested a thousand times 
 under high stress conditions and not failed. 

Such things are generally due to memory usage bugs in the code, they
just don't trigger very often.

My pthread'ed web proxy has been running very stably on RH 6.2 (kernel
2.2.19) for a very long time; current stats:

connections(24104670) requests(54869840) threads(4/24)

[The threads stat means there are 24 worker threads started, and 4 of
them are currently actively doing something useful at this moment in
time - in this model, all networking is non-blocking, so threads don't
wait for network I/O - this means that the churn rate for threads is
very high, while the actual number of threads remains relatively low.]

 
 After moving to fork() and named pipes, the same code hasn't broken once in 
 nearly a year of hard testing.  My tests often included 10 or more icmp 
 floods of at least 65535 packets.  I drove my load to 240 during the test... 
 
 Now the forked process uses and frees memory thousands of times per second 
 with no issue... 
 
 Pthreads work well for light duty non-daemon processes...  If it's heavy duty 

It depends how good your model and implementation are in my experience.

-trog





Re: [Clamav-users] illegal instruction (NEW)

2004-09-17 Thread Marek Florianczyk
On Friday 17 September 2004 01:27, Tomasz Kojm wrote:
 On Thu, 16 Sep 2004 16:13:18 +0200

 Marek Florianczyk [EMAIL PROTECTED] wrote:
  Any advice, maybe recompile some system  libraries, but which one?
  And maybe some signatures in main.cvd is fatal for old libraries (
  freshclam crash when downloading main.cvd and clamd crash when reading
  main.cvd )

 Most likely something is wrong with digital signature verification.
 Please configure ClamAV with --disable-dsig and recompile. Does it help?

I did it, no change, but I had made a mistake: I had used --disable-sig, not
--disable-dsig, so I recompiled libgmp as James Lick said and configured
clamav again, this time with --disable-dsig, and now everything works great ;)
Thanks people.

One more question. Is there a chance that some new version of clamd will
support rar 3.0? I know that clamscan can use an external unpacker, but when I
use clamscan I can't use clamav-milter; I have to use amavis-milter and
amavisd, but then MIME extraction and attachment unpacking is done by amavis,
and clamscan only scans the unpacked content delivered by amavis. I think the
faster solution is clamav-milter with clamd. Maybe, if there is a licence
problem with rar 3.0, clamd should have the ability to run an external
unpacker for the rar format? Can it be done? Now rar 3.0 is everywhere (WinRAR)
and it's a little shame to have a scanner that doesn't read that...

thanks for help.

Marek




Re: [Clamav-users] JPEG vulnerability

2004-09-17 Thread Tomasz Kojm
On Fri, 17 Sep 2004 07:59:51 +0100
Kevin Spicer [EMAIL PROTECTED] wrote:

 (correct?).  Perhaps this information could be added to
 signatures.pdf? Is there a limit (and if so what is it) to how many

All signature formats will be described in detail in the new
documentation.

 bytes a * will match?  

Yes, there is (but only supported by the development versions). The
format is HEX1{limit}HEX2, and possible limits are:

exact: {n} - exactly n characters between HEX1 and HEX2
variable: {n-} - n or more
  {-n} - n or less
  {n1-n2} - n1, n2 or between them

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Fri Sep 17 12:59:37 CEST 2004




Re: [Clamav-users] JPEG vulnerability

2004-09-17 Thread Daniel Lord
Hi Kevin,

On Fri, Sep 17, 2004 at 07:59:51AM +0100, Kevin Spicer wrote:
 On Fri, 2004-09-17 at 03:02, Tomasz Kojm wrote:
   Okay, well I've found an easier to understand source...
   http://www.funducode.com/freec/Fileformats/format3/format3b.htm
   and it seems that the particular exploit byte sequence would be unique
   within jpeg files.  I've also tracked down docs on how to make a
   signature for clam, but it doesn't appear that it's possible to form a
  
  A new signature format that will be included in 0.80rc will allow
  advanced offset and target type specification, including JPEG images.
 
 Cool, as ever you're one step ahead!
 
   signature by detecting two distinct patterns in a file, or anchoring
  
  With older clamav versions you can use HEX1*HEX2*...*HEXn
 
 That doesn't anchor to the start of the file though (I guess I'd need to
 anchor the magic number to minimise false positives). I had just about
 guessed, by looking at the sig files after I posted, that the * was a
 wildcard (matching many bytes) and the ? a single unknown byte
 (correct?).  Perhaps this information could be added to signatures.pdf? 
 Is there a limit (and if so what is it) to how many bytes a * will
 match?  

0xFFFE is the comment marker in a JPEG. So it's not that bad to
detect. It is followed by the length field, which is where the
problem occurs. So you have to detect the following sequence from
the beginning of the JPEG.

ffd8 - SoI marker
ffe0 - APP0 marker
0010 - length of APP0 including those 2 Bytes.
4a46 4946 00 - string JFIF terminated with 0x00
010[012] - common Version number. (May differ) - 0?0?
0[012] - NA; p/ ; p/cm   - 0?
0010 - vertical resolution  - 
0010 - horizontal resolution - 
 - preview resolution - 
fffe - comment marker
000[01] - bad comment length - 000?

So assuming the ? character stands for 4 bits, a signature would look
something like this.

Xploit.Name (Clam)=ffd8ffe000104a46494600?fffe
Xploit.Name (Clam)=ffd8ffe000104a46494600?fffe0001 

That's straight from the beginning but isn't long enough. And ClamAV
may produce false positives. Btw. the signatures don't work.

There should be a SoS Marker somewhere in the Image. 0xFFDA.
At the end of the Image there should be a EoI Marker 0xFFD9.

0xffc4 Huffman table, 0xffdb quantization table, 0xffc0 start of frame:
maybe also a good idea to check.

Xploit.Name.better (Clam)=ffd8ffe000104a464946000?0?0?fffe*ffdb*ffc0*ffc4*ffda*ffd9
Xploit.Name.better (Clam)=ffd8ffe000104a464946000?0?0?fffe0001*ffdb*ffc0*ffc4*ffda*ffd9

That would be the signature for a plain JFIF file, no EXIF tags. But
due to the many ??? it is also not a valid signature.

Xploit.Jpeg.Comment.2.FalsePositiv (Clam)=ffd8ffe000104a46494600*fffe0001*ffdb*ffc0*ffda*ffd9
Xploit.Jpeg.Comment.1.FalsePositiv (Clam)=ffd8ffe000104a46494600*fffe*ffdb*ffc0*ffda*ffd9

those two are valid and (IMHO) catch the xploit in JFIF and EXIF but may also 
produce false positives. Just test them.

Greetings Daniel
-- 
Just because you're paranoid doesn't mean
they aren't after you ;)




Re: [Clamav-users] JPEG vulnerability

2004-09-17 Thread Daniel Lord
On Fri, Sep 17, 2004 at 01:07:25PM +0200, Tomasz Kojm wrote:
 On Fri, 17 Sep 2004 07:59:51 +0100
 Kevin Spicer [EMAIL PROTECTED] wrote:
  bytes a * will match?  
 
 Yes, there is (but only supported by the development versions). The
 format is HEX1{limit}HEX2, and possible limits are:
 
 exact: {n} - exactly n characters between HEX1 and HEX2
 variable: {n-} - n or more
 {-n} - n or less
 {n1-n2} - n1, n2 or between them

So there are no absolute offsets? Like this string has to be at the
beginning. This one at the end etc.

Maybe file and some shell/perl would be a workaround for the JPEG
problem. But I don't think that's useful for two reasons. First
it's just an xploit and not malware. And second this produces higher
load on the server.

Greetings Daniel
-- 
There are 10 types of people in this world. Those who
understand binary and those who don't.




Re: [Clamav-users] JPEG vulnerability

2004-09-17 Thread Matt
Daniel Lord wrote:

 0xFFFE is the comment marker in a JPEG. So it's not that bad to
 detect. It is followed by the length field, which is where the
 problem occurs. So you have to detect the following sequence from
 the beginning of the JPEG.
 
 ffd8 - SoI marker
 ffe0 - APP0 marker
 0010 - length of APP0 including those 2 Bytes.
 4a46 4946 00 - string JFIF terminated with 0x00
 010[012] - common Version number. (May differ) - 0?0?
 0[012] - NA; p/ ; p/cm   - 0?
 0010 - vertical resolution  - 
 0010 - horizontal resolution - 
  - preview resolution - 
 fffe - comment marker
 000[01] - bad comment length - 000?

 I'm going to have to ask, what base system util will extract the info
from a jpeg to allow you to examine for these strings?

Matt





Re: [Clamav-users] JPEG vulnerability

2004-09-17 Thread Daniel Lord
Hi List,

On Fri, Sep 17, 2004 at 03:31:25PM +0200, Daniel Lord wrote:
 those two are valid and (IMHO) catch the xploit in JFIF and EXIF but may also 
 produce false positives. Just test them.

Those signatures don't catch the poc xploit found at
http://www.gulftech.org/?node=downloads. But maybe it's better to
leave this alone till there are real worms etc. to produce good
signatures. At the moment clamav sigs don't seem good enough to
catch this. (No support for absolute offsets)

Greetings Daniel
-- 
All mushrooms are edible. Some even more than once.




[Clamav-users] amavis+clamd+postfix question

2004-09-17 Thread Crucificator
I have an install as posted in the subject. The problem is that although the
BANNED response finds the sender:

Subject: BANNED IN MAIL TO YOU (from [EMAIL PROTECTED])
Our content checker found
  banned name: P=p002,M=application/x-msdownload,T=dat,N=KaHT.exe
in an email to you from:
[EMAIL PROTECTED]
the VIRUS response doesn't find the sender:
Subject: VIRUS (Trojan.Prorat.O) FROM [EMAIL PROTECTED]
The mail originated from: [EMAIL PROTECTED]
According to the 'Received:' trace, the message originated at:
...
(notice - if not already :) - the ? mark instead of the address).
Can anyone help me on this matter?
10ks in advance



Re: [Clamav-users] JPEG vulnerability

2004-09-17 Thread Daniel Lord
Hi Matt,

On Fri, Sep 17, 2004 at 03:43:34PM +0100, Matt wrote:
 Daniel Lord wrote:
  0xFFFE is the comment marker in a JPEG. So it's not that bad to
  detect. It is followed by the length field, which is where the
  problem occurs. So you have to detect the following sequence from
  the beginning of the JPEG.
  
  ffd8 - SoI marker
  ffe0 - APP0 marker
  0010 - length of APP0 including those 2 Bytes.
  4a46 4946 00 - string JFIF terminated with 0x00
  010[012] - common Version number. (May differ) - 0?0?
  0[012] - NA; p/ ; p/cm   - 0?
  0010 - vertical resolution  - 
  0010 - horizontal resolution - 
   - preview resolution - 
  fffe - comment marker
  000[01] - bad comment length - 000?
 
  I'm going to have to ask, what base system util will extract the info
 from a jpeg to allow you to examine for these strings?

Not sure if I got your question right. Hexedit is the tool to get
the bytes (not strings). The rest is knowledge of the JFIF
file format. And some (2) samples to prove that the format is
implemented widely this way. :)

Greetings Daniel
-- 
Golden rule of Sourcecode: 50% are comments, and the other 50% bugs!




Re: [Clamav-users] JPEG vulnerability

2004-09-17 Thread Matt
Daniel Lord wrote:

   I'm going to have to ask, what base system util will extract the info
  from a jpeg to allow you to examine for these strings?
 
 Not sure if I got your question right. Hexedit is the tool to get
 the bytes (not strings). The rest is knowledge of the JFIF
 file format. And some (2) samples to prove that the format is
 implemented widely this way. :)

 Sorry if my question was a bit vague :) That was indeed the type of
answer I was after. The reason that I asked is because neither od nor
hexdump output contains the strings listed, and I was just wondering if
they can, or if I'm barking up the wrong tree trying to extract the info
from a jpeg with those utils.

Cheers,

Matt





Re: [Clamav-users] JPEG vulnerability

2004-09-17 Thread Kevin Spicer
On Fri, 2004-09-17 at 16:21, Daniel Lord wrote:
 Those signatures don't catch the poc xploit found at
 http://www.gulftech.org/?node=downloads. But maybe it's better to
 leave this alone till there are real worms etc. to produce good
 signatures. At the moment clamav sigs don't seem good enought to
 catch this. (No support for absolute offsets)

Yes, looking at the file there is more than one comment section, and it
is the second that uses the exploit.  It stands to reason that since
there is some flexibility in the file format, a signature that
doesn't account for that flexibility (by looking for the comment at a
certain offset, e.g.) could be easily avoided by the exploit writers.  I
wouldn't rely on finding very much at all, only the ffd8 at the start of
the file and the ffe0 000[01] exploit (the poc doesn't even have the
APP0 marker until some way in).  Clearly without the ability to anchor
the ffd8 to the start of the file a useful signature is impossible.
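Daniel's marker listing earlier in the thread and Kevin's observation that the PoC carries several comment segments, with the malformed one second and APP0 not at the start, both argue for walking the segment chain rather than matching a fixed byte prefix. The following is an added Python example, not code from this thread or from ClamAV: it walks a JPEG header segment by segment, stops at SOS, and reports every segment whose declared length is below 2 (the 000[01] comment length discussed here), generalised from COM to all length-bearing markers. The two sample files, the helper `segment()` and the function names are constructed for the demonstration.

```python
"""Walk the marker segments of a JPEG/JFIF header and report any segment whose
declared length is smaller than the two bytes of the length field itself.
Added example for this thread, not ClamAV code; the samples are constructed."""
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# markers that are not followed by a length field
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def walk_segments(data: bytes):
    """Yield (offset, marker, declared_length) for every header segment.

    The walk stops at SOS because entropy-coded data follows it without
    segment structure.  declared_length is None for standalone markers.
    Raises ValueError on truncation or a missing marker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("no SOI marker at offset 0")
    yield 0, SOI, None
    pos, n = 2, len(data)
    while pos < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        # a marker code may be preceded by any number of 0xFF fill bytes
        while pos < n and data[pos] == 0xFF:
            pos += 1
        if pos >= n:
            raise ValueError("truncated marker at end of data")
        marker, start = data[pos], pos - 1
        pos += 1
        if marker in STANDALONE:
            yield start, marker, None
            if marker == EOI:
                return
            continue
        if pos + 2 > n:
            raise ValueError(f"truncated length field at offset {pos}")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        yield start, marker, length
        if marker == SOS:
            return
        if length < 2:
            # A decoder that computes length - 2 for the payload size
            # underflows here; we simply step over the two length bytes.
            pos += 2
            continue
        pos += length          # length counts its own two bytes


def find_bad_lengths(data: bytes):
    """Return [(offset, marker, length)] for segments declaring length < 2."""
    return [(off, m, ln) for off, m, ln in walk_segments(data)
            if ln is not None and ln < 2]


def segment(marker: int, payload: bytes = b"") -> bytes:
    """Build a marker segment with a correct length field (sample helper)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples.  The APP0 payload follows the JFIF layout listed in
# the thread: "JFIF\0", version 1.1, units 0, 16x16 density, no thumbnail.
JFIF_APP0 = segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x10\x00\x10\x00\x00")
SOS_HEADER = segment(SOS, b"\x01\x01\x00\x00\x3f\x00")

GOOD_SAMPLE = (b"\xff\xd8" + JFIF_APP0 + segment(COM, b"made by hand")
               + segment(0xDB, b"\x00" * 65) + segment(0xC0, b"\x08" + b"\x00" * 8)
               + segment(0xC4, b"\x00" * 17) + SOS_HEADER + b"\x12\x34" + b"\xff\xd9")

# Second COM carries the bad length and APP0 is not the first segment,
# mirroring the two observations made about the PoC file.
BAD_SAMPLE = (b"\xff\xd8" + segment(COM, b"first comment is fine") + JFIF_APP0
              + b"\xff\xfe\x00\x01"          # COM declaring length 1
              + segment(0xDB, b"\x00" * 65) + SOS_HEADER + b"\xff\xd9")

if __name__ == "__main__":
    for name, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(name, [(off, f"ff{m:02x}", ln) for off, m, ln in walk_segments(sample)])
        print("  bad lengths:", find_bad_lengths(sample))
```

Because the walker follows each segment's own length field, a comment placed after other segments or after a second APP0 is found just as readily as one at a fixed offset, which is the flexibility a prefix-only signature cannot cover.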










[Clamav-users] How to troubleshoot clamav-milter ???

2004-09-17 Thread Ken Morley
I've downloaded Sendmail 8.13.1 source and installed from scratch.  I have
verified that Sendmail compiled with milter support.  In sendmail.cf, I see
the following lines relating to clmilter:

##
##
#
#   MAIL FILTER DEFINITIONS
#
##
##

Xclmilter, S=local:/var/clamav/clmilter.sock, F=, T=S:4m;R:4m
#^L

Clamscan and clamdscan work fine.  Clamd and clamav-milter start and run
without error.  Clamd.sock and clmilter.sock are found in the /var/clamav
directory.

The problem is that clamav-milter is not virus-scanning incoming e-mail or,
if it is, it's not taking any action.  I've even set the LogClean variable
and scanned a test directory with clamscan and clamdscan.  Both show all of
the files in the log.  Yet there is nothing in the log indicating that
clamav-milter is requesting clamd to scan anything, even though tons of mail
are coming through the server.

I'm stumped.  How can I troubleshoot this further?  Where in sendmail.cf
does e-mail get sent to clamav-milter?

Thanks very much for your assistance.

Ken Morley







[Clamav-users] Re: How to troubleshoot clamav-milter ???

2004-09-17 Thread David Champion
* On 2004.09.17, in [EMAIL PROTECTED],
*   Ken Morley [EMAIL PROTECTED] wrote:
 Xclmilter, S=local:/var/clamav/clmilter.sock, F=, T=S:4m;R:4m

You'll also need O InputMailFilters=clamav and something like this:

# Milter options
#O Milter.LogLevel
O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr}
O Milter.macros.helo={tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}
O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}
O Milter.macros.envrcpt={rcpt_mailer}, {rcpt_host}, {rcpt_addr}


If you generate the sendmail.cf from m4 (*.mc) source as directed in the
sendmail documentation, these will be produced for you.

-- 
 -D.[EMAIL PROTECTED]  NSIT::ENSS




RE: [Clamav-users] amavis+clamd+postfix question

2004-09-17 Thread D.J. Fan
From: Crucificator [EMAIL PROTECTED]
I have an install as posted in the subject. The problem is that although the BANNED 
response finds the sender:

Subject: BANNED IN MAIL TO YOU (from [EMAIL PROTECTED])
Our content checker found
  banned name: P=p002,M=application/x-msdownload,T=dat,N=KaHT.exe
in an email to you from:
[EMAIL PROTECTED]
the VIRUS response doesn't find the sender:
Subject: VIRUS (Trojan.Prorat.O) FROM [EMAIL PROTECTED]
The mail originated from: [EMAIL PROTECTED]
According to the 'Received:' trace, the message originated at:
...
(notice - if not already :) - the ? mark instead of the address).
Can anyone help me on this matter?
10ks in advance
This is an amavisd-new issue, you need to ask on that list.
I can tell you however, that the [EMAIL PROTECTED] is an attempt
to provide you with the IP address of the sender as opposed
to the sender's email address which is usually faked. It is
therefore more useful if you wanted to know where the mail
actually came from.




[Clamav-users] RE: How to troubleshoot clamav-milter ???

2004-09-17 Thread Ken Morley
OK, I got clamav-milter running!

The problem was that I was starting it using the instructions in the ClamAV
documentation on page 25:
/usr/local/sbin/clamav-milter -lo /var/clamav/clmilter.sock
That does start clamav-milter as shown by ps, but it doesn't seem to work on
my system.

I found the clamav-milter start script and copied it to /etc/init.d.  I can
then do:
/etc/init.d/clamav-milter -lo /var/clamav/clmilter.sock
That starts something called t-clamav-milte as shown by ps and then the
milter appears to work correctly:
infected mail is returned to the sender.

One question remaining is:  there is a provision for a clamav-milter.conf
configuration file and
I've been advised to place it in /etc/conf.d.  Since I'm on a RedHat 7
system, I don't have a /etc/conf.d directory.
Where should I put this file?  How does clamav-milter know to look for this
file in that location?

The suggested contents for clamav-milter.conf are:

START_CLAMAVMILTER=yes
CLAMAVMILTER_OPTS=
--config-file=/etc/clamav.conf
--max-children=20
--quiet
-ol local:/var/lib/clamav/clamav-milter.socket

CLAMAVMILTER_LOG=/var/log/clamav/clamav-milter.log

Also, is there a method for shutting down clamav-milter other than using
kill?

Thanks very much!

Ken Morley






Re: [Clamav-users] How to troubleshoot clamav-milter ???

2004-09-17 Thread Nigel Horne
On Friday 17 Sep 2004 8:32 pm, Ken Morley wrote:
 I've downloaded Sendmail 8.13.1 source and installed from scratch.  I have
 verified that Sendmail compiled with milter support.  In sendmail.cf, I see
 the following lines relating to clmilter:

 ##
 ##
 #
 #   MAIL FILTER DEFINITIONS
 #
 ##
 ##

 Xclmilter, S=local:/var/clamav/clmilter.sock, F=, T=S:4m;R:4m
 #^L

 Clamscan and clamdscan work fine.  Clamd and clamav-milter start and run
 without error.  Clamd.sock and clmilter.sock are found in the /var/clamav
 directory.

 The problem is that clamav-milter is not virus-scanning incoming e-mail or,
 if it is, it's not taking any action.  I've even set the LogClean variable
 and scanned a test directory with clamscan and clamdscan.  Both show all of
 the files in the log.  Yet there is nothing in the log indicating that
 clamav-milter is requesting clamd to scan anything, even though tons of
 mail are coming through the server.

 I'm stumped.  How can I troubleshoot this further?  Where in sendmail.cf
 does e-mail get sent to clamav-milter?

Have you set LogSyslog in clamav.conf? If not, set it.
Now look in /var/log/maillog (that's probably where it is - you haven't
told us the operating system you're using so I'm having to guess here), that
should give you some clues.

 Thanks very much for your assistance.

 Ken Morley

-Nigel





Re: [Clamav-users] JPEG vulnerability

2004-09-17 Thread Tomasz Kojm
On Fri, 17 Sep 2004 17:21:26 +0200
Daniel Lord [EMAIL PROTECTED] wrote:

 Hi List,
 
 On Fri, Sep 17, 2004 at 03:31:25PM +0200, Daniel Lord wrote:
  those two are valid and (IMHO) catch the xploit in JFIF and EXIF but
  may also produce false positives. Just test them.
 
 Those signatures don't catch the poc xploit found at
 http://www.gulftech.org/?node=downloads. But maybe it's better to
 leave this alone till there are real worms etc. to produce good
 signatures. At the moment clamav sigs don't seem good enought to
 catch this. (No support for absolute offsets)

The current CVS version (Sat Sep 18 01:13:21 CEST 2004 (tk)) supports
offset and type specification. The new signature format is:

VirusName:TargetType:Offset:HexSignature

where

TargetType is a decimal number:

0 = any file
1 = EXE
2 = OLE2
3 = HTML (normalised)
4 = Mail file
5 = Graphics (to help catch exploits in JPEG files)

Offset is an asterisk or a decimal number n eventually combined with a
special string:

* = any
n
EOF-n = End of file - n bytes

Executables only:
EP+n = Entry point + n bytes (EP+0 if you want to anchor to EP)
Sx+n = Start of section's x (counted from 0) data + n bytes

All signatures in the above format must be placed in *.ndb files.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Sat Sep 18 01:17:08 CEST 2004


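As an added illustration of the .ndb format described in the post above (this is example code, not ClamAV's own matcher): it parses VirusName:TargetType:Offset:HexSignature lines and applies the *, n and EOF-n offsets to a constructed JPEG-like byte string. Assumed here, following the HEX1*HEX2 form mentioned earlier in the thread, is that * inside the hex part is a multi-byte wildcard and ?? a single-byte wildcard; EP+n and Sx+n offsets need a PE parser and are rejected rather than guessed at.

```python
# Added example, not ClamAV code. Assumed: '*' in the hex part is a
# multi-byte wildcard (HEX1*HEX2), '??' a single-byte wildcard.

def parse_ndb(line):
    """Split one .ndb line into (name, target_type, offset, hex_sig)."""
    name, ttype, offset, hexsig = line.strip().split(":", 3)
    return name, int(ttype), offset, hexsig.lower()

def _chunk_matches(chunk, data, pos):
    """Match one hex chunk at exactly data[pos:], honouring '??' wildcards."""
    nbytes = len(chunk) // 2
    if pos < 0 or pos + nbytes > len(data):
        return False
    for i in range(nbytes):
        h = chunk[2 * i:2 * i + 2]
        if h != "??" and data[pos + i] != int(h, 16):
            return False
    return True

def _match_at(chunks, data, pos):
    """chunks[0] must sit exactly at pos; each later chunk anywhere after it."""
    for i, chunk in enumerate(chunks):
        limit = pos if i == 0 else len(data)   # exact for the anchor, scan after
        pos = next((p for p in range(pos, limit + 1)
                    if _chunk_matches(chunk, data, p)), -1)
        if pos < 0:
            return False
        pos += len(chunk) // 2
    return True

def ndb_match(sig, data, target_type=0):
    """True if the .ndb signature hits data, which the scanner typed as target_type."""
    _name, ttype, offset, hexsig = parse_ndb(sig)
    if ttype != 0 and ttype != target_type:     # 0 = any file type
        return False
    chunks = hexsig.split("*")
    if offset == "*":
        return any(_match_at(chunks, data, p) for p in range(len(data)))
    if offset.startswith("EOF-"):
        return _match_at(chunks, data, len(data) - int(offset[4:]))
    if offset.isdigit():
        return _match_at(chunks, data, int(offset))
    raise NotImplementedError("EP+n and Sx+n offsets need a PE parser")

# Constructed sample: JFIF header (APP0 length 0x0010) followed by an EOI marker.
SAMPLE_JPEG = bytes.fromhex("ffd8ffe000104a46494600") + bytes.fromhex("ffd9")
```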


[Clamav-users] Re: Thanks for the ClamAV info...

2004-09-17 Thread Todd Lyons
Ken Morley wanted us to know:

Digging around a little, I found the script for starting clamav-milter and
put it in my /etc/init.d directory.  I'm now trying to use that to start the
milter.
You referenced a clamav-milter configuration file.  I would like to try
using that, but can't seem to figure out where to put it.  I'm running
RedHat 7 and I don't have an /etc/conf.d directory.  Any ideas where the
configuration script should go?

That config file that I posted was from a Gentoo box.

Attached you'll find the clamav-milter init script and sysconfig
configuration file that I use on my production servers.  Hope they help
for you.  Note that you will need to adjust the path and/or socket name
to match what you're using on your system.  Set it to whatever you're
telling sendmail to use in the sendmail.mc.

-- 
Regards...  Todd
  We should not be building surveillance technology into standards.
  Law enforcement was not supposed to be easy.  Where it is easy, 
  it's called a police state. -- Jeff Schiller on NANOG
Linux kernel 2.6.3-16mdkenterprise   load average: 1.24, 1.36, 0.87




[Clamav-users] Re: Thanks for the ClamAV info...RESEND

2004-09-17 Thread Todd Lyons
Todd Lyons wanted us to know:

Attached you'll find the clamav-milter init script and sysconfig
configuration file that I use on my production servers.  Hope they help

Ugh, sorry, forgot to attach the files.
-- 
Regards...  Todd
They that can give up essential liberty to obtain a little temporary 
safety deserve neither liberty nor safety.   --Benjamin Franklin
Linux kernel 2.6.3-16mdkenterprise   load average: 1.58, 1.40, 1.00

#!/bin/sh
#
# Startup script for the Clamav Milter Daemon
#
# chkconfig: 2345 78 32
# description: clamav-milter is a daemon which hooks into sendmail \
#  and routes email messages to clamav.
# processname: clamav-milter
# pidfile: /var/run/clamav/clamav-milter.pid
# config: /etc/sysconfig/clamav-milter

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

[ -x /usr/sbin/clamav-milter ] || exit 0

# Local clamav-milter config (flags come from /etc/sysconfig/clamav-milter)
CLAMAV_FLAGS=""
test -f /etc/sysconfig/clamav-milter && . /etc/sysconfig/clamav-milter

# See how we were called.
case "$1" in
  start)
    echo -n "Starting Clamav Milter Daemon: "
    daemon clamav-milter ${CLAMAV_FLAGS}
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/clamav-milter
    ;;
  stop)
    echo -n "Stopping Clamav Milter Daemon: "
    killproc clamav-milter
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/clamav-milter
    ;;
  status)
    status clamav-milter
    RETVAL=$?
    ;;
  restart|reload)
    $0 stop
    $0 start
    RETVAL=$?
    ;;
  *)
    echo "Usage: clamav-milter {start|stop|status|restart|reload}"
    exit 1
esac

exit $RETVAL

### Simple config file for clamav-milter, you should
### read the documentation and tweak it as you wish.

# Flags the init script passes to clamav-milter; adjust the config path
# and the socket name to match what sendmail.mc is told to use.
CLAMAV_FLAGS="
--config-file=/etc/clamav.conf
--max-children=20
--quiet
-ol local:/var/clamav/clmilter.socket
"



Re: [Clamav-users] JPEG vulnerability

2004-09-17 Thread Matt

 Daniel Lord wrote:
 
  
  Not sure if I got your question right. Hexedit is the tool to get
  the bytes (not strings). The rest is knowledge of the JFIF
  fileformat. And some (2) samples to prove that the format is
  implemented widely this way. :)
 
  Sorry if my question was a bit vague :) That was indeed the type of
 answer I was after. The reason that I asked is because neither od nor
 hexdump output contains the strings listed, and I was just wondering if
 they can, or if I'm barking up the wrong tree trying to extract the info
 from a jpeg with those utils.
 

 Found out why I couldn't find them with hexdump. Its standard output type
makes ffd8 into d8ff. (Sorry for referring to them as strings again
instead of bytes, Daniel). One last question, do the fffe 000(0|1) bytes
always have to follow each other for this exploit, or is this just a pure
example of the possibility of this exploit?

Matt


