Re: [Clamav-users] clam fails to detect this virus (W32.Netsky.Z@mm)
On Tue, 28 Dec 2004 at 12:11:16 +0600, Kev wrote:
> I have my system running fine with clamav and Clamfilter
> (http://www.ensita.net/products/clamfilter/) that checks for viruses in SMTP traffic
> on a ClarkConnect 2.2 box (RedHat 9 kernel) [...]
>
> I send a test virus via clam
> File Attachment: Textfile.zip [EMAIL PROTECTED]
>
> clam fails to detect this virus but my Norton Gateway detected it as
>
> --- Scan information follows ---
> Result: Virus Detected
> Virus Name: [EMAIL PROTECTED]
> File Attachment: Textfile.zip
> Attachment Status: deleted
>
> why is that?

Is ClamAV detecting the virus in the attachment itself (not in the mail message, but in the naked Textfile.zip)?
If yes, there is some problem in your setup (Clamfilter?).
If not, submit the file at http://www.clamav.net/sendvirus.html .

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
[EMAIL PROTECTED] http://www.lodz.tpsa.pl/iso/ | ones and zeros.
[EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
[Clamav-users] clamav-milter man page description of --noreject
I have a question regarding the --noreject man page entry, specifically the last line:

    -N, --noreject
        When clamav-milter processes an e-mail which contains a virus it rejects the
        e-mail by using the SMTP code 550 or 554 depending on the state machine. This
        option causes clamav-milter to silently discard such messages. It is
        recommended that system administrators use this option when NOT using the
        --bounce option.

It is not immediately obvious why, if you are NOT generating new bounce e-mails (which no one should be doing), you should also be silently discarding viruses instead of returning a 550/554 error code.

It would seem to me that if you aren't generating bounces, you would WANT to return a 550/554 in the SMTP transaction, so any valid senders would know that their mail was not accepted.

Am I missing something, or is this an error in the man page?

-Chris

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Clamav-milter not loading?
----- Original Message -----
From: Nigel Horne [EMAIL PROTECTED]
To: ClamAV users ML clamav-users@lists.clamav.net
Sent: Tuesday, December 28, 2004 12:47 AM
Subject: Re: [Clamav-users] Clamav-milter not loading?

> What operating system? Look for clues in the syslog (you have LogSyslog and LogVerbose enabled).
>
> > # ls -l /var/milter/
> > total 4
> > -rw-rw---- 1 clamav clamav 5 Dec 27 15:09 clamd.pid
> > srwxrwxrwx 1 clamav clamav 0 Dec 27 15:09 clmilter.sock
>
> That is suspicious - I don't like the idea of a 777 clmilter.sock - that could be the reason it fails, since the permission is wide open - check for that error in /var/log/messages and/or maillog depending on your OS and configuration.
>
> > /usr/local/sbin/clamav-milter -l -o -b -P -H /var/milter/clmilter.sock
>
> Please don't use -b unless you don't talk to the Internet.
>
> > Josh
>
> -Nigel

Sorry about the HTML, I thought it was set to plain text. I agree that HTML is a pain to use when reading mail and not using an HTML reader.

The OS is Suse 9.1.

I also figured out what my problem was. I was launching the clamd under the same socket name as the clamav-milter. This of course will not work. Also, per your suggestions, I changed the permissions on the sockets and took out the bounce as well.

Thanks for your help.

Josh
Re: [Clamav-users] Clamav-milter not loading?
On Tue, 2004-12-28 at 16:41, Josh Malinski wrote:
> I also figured out what my problem was. I was launching the clamd under the same socket name as the clamav-milter. This of course will not work. Also, per your suggestions, I changed the permissions on the sockets and took out the bounce as well.
>
> Thanks for your help.

The next version of clamAV (0.81) has a specific check for this and issues an error when it happens, to aid with debugging, since it seems a common mistake amongst users.

Happy clamav-miltering!

> Josh

-Nigel
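As an added example (not ClamAV's code, and not what the 0.81 check does internally), a small pre-flight check for the two things fixed in this thread: a clamd `LocalSocket` that collides with the path handed to clamav-milter, and a socket left world-writable. `LocalSocket` is a real clamd.conf directive; the milter socket path is assumed to be whatever you pass on its command line, and the config and socket stand-in in `demo()` are constructed.

```python
import os
import stat
import tempfile

def clamd_local_socket(conf_path):
    """Return the LocalSocket path from a clamd.conf, or None if it is not set."""
    with open(conf_path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)          # clamd.conf is "Directive value"
            if parts[0] == "LocalSocket" and len(parts) == 2:
                return parts[1].strip()
    return None

def check_milter_sockets(conf_path, milter_socket):
    """Return a list of findings; an empty list means the layout looks sane."""
    findings = []
    clamd_socket = clamd_local_socket(conf_path)
    if clamd_socket and os.path.realpath(clamd_socket) == os.path.realpath(milter_socket):
        # Josh's mistake: clamd and clamav-milter fighting over one socket path.
        findings.append("clamd LocalSocket and clamav-milter socket are the same path: %s" % milter_socket)
    for path in filter(None, {clamd_socket, milter_socket}):
        if os.path.exists(path):
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & stat.S_IWOTH:
                # Nigel's objection: a world-writable socket lets any local user connect to it.
                findings.append("%s is world-writable (mode %o)" % (path, mode))
    return findings

def demo():
    """Constructed layout: one directory, a clamd.conf, and a 777 file standing in
    for the socket. Returns (findings for Josh's layout, findings after the fix)."""
    with tempfile.TemporaryDirectory() as tmp:
        sock = os.path.join(tmp, "clmilter.sock")
        conf = os.path.join(tmp, "clamd.conf")
        with open(conf, "w") as fh:
            fh.write("# constructed clamd.conf\nLogSyslog\nLocalSocket %s\n" % sock)
        open(sock, "w").close()
        os.chmod(sock, 0o777)
        bad = check_milter_sockets(conf, sock)        # same path + world-writable
        # The fix from the thread: a separate clamd socket and a tighter mode.
        with open(conf, "w") as fh:
            fh.write("LocalSocket %s\n" % os.path.join(tmp, "clamd.sock"))
        os.chmod(sock, 0o660)
        good = check_milter_sockets(conf, sock)
    return bad, good
```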
Re: [Clamav-users] clamav-milter man page description of --noreject
On Tue, 2004-12-28 at 11:32 -0500, Christopher X. Candreva wrote:
> It is not immediately obvious why, if you are NOT generating new bounce e-mails (which no one should be doing), you should also be silently discarding viruses instead of returning a 550/554 error code.
>
> It would seem to me that if you aren't generating bounces, you would WANT to return a 550/554 in the SMTP transaction, so any valid senders would know that their mail was not accepted.

That's still back-scatter, just one relay removed. If Lucy is infected, and sends mail with Mary's return address through Lucy's usual mail relay, then when the relay gets a 554 it will send the DSN back to Mary, often including the virus. Mary then gets infected and starts sending mail with Joe's return address.

Best to just smile and say thanks while you drop it all in the memory hole.

--
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy
[EMAIL PROTECTED]
Re: [Clamav-users] clamav-milter man page description of --noreject
On Tue, 28 Dec 2004, Daniel J McDonald wrote:
> That's still back-scatter, just one relay removed. If Lucy is infected, and sends mail with Mary's return address through Lucy's usual mail relay, then when the relay gets a 554 it will send the DSN back to Mary, often including the virus. Mary then gets infected and starts sending mail with Joe's return address.

That's back-scatter on the part of Lucy's mail server, which should either have a virus scanner, not be accepting mail with forged return addresses, or both.

Frankly, I've not heard anyone define back-scatter this way - that the scatter is MY fault if I return a 550 at my gateway.

Pardon me if I'm confusing a discussion here with something from either the spamassassin or SPAM-l lists, but every discussion I've read says that returning a 550 at your gateway is the preferred method, as it blocks actual bad stuff, while returning an error to the actual sender of a false positive. And while few and far between, clam does get some FPs.

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] clamav-milter man page description of --noreject
Christopher X. Candreva wrote:
> On Tue, 28 Dec 2004, Daniel J McDonald wrote:
> > That's still back-scatter, just one relay removed. If Lucy is infected, and sends mail with Mary's return address through Lucy's usual mail relay, then when the relay gets a 554 it will send the DSN back to Mary, often including the virus. Mary then gets infected and starts sending mail with Joe's return address.
>
> That's back-scatter on the part of Lucy's mail server, which should either have a virus scanner, not be accepting mail with forged return addresses, or both.
>
> Frankly, I've not heard anyone define back-scatter this way - that the scatter is MY fault if I return a 550 at my gateway.
>
> Pardon me if I'm confusing a discussion here with something from either the spamassassin or SPAM-l lists, but every discussion I've read says that returning a 550 at your gateway is the preferred method, as it blocks actual bad stuff, while returning an error to the actual sender of a false positive. And while few and far between, clam does get some FPs.

It is one of those "how long is a piece of string?" type debates. There are arguments for and against. It is personal preference, generally. As long as it is not allowed into your system and then bounced, that's the main thing.

I, personally, agree with Daniel. Crap is crap. No use leaving it out in the wild and letting some unfortunate bugger get saddled with it. You may as well just bin it.

Matt
Re: [Clamav-users] clamav-milter man page description of --noreject
On Tue, 28 Dec 2004, Christopher X. Candreva wrote:
> Pardon me if I'm confusing a discussion here with something from either the spamassassin or SPAM-l lists, but every discussion I've read says that returning a 550 at your gateway is the preferred method, as it blocks actual bad stuff, while returning an error to the actual sender of a false positive.

I think the 550 is appropriate for spam, only because it is more likely that any given message identified as spam is actually a real message. No spam-blockers advertise over 99% accuracy, for example. On the other hand, virus false positives are so rare that I don't personally think it is beneficial in the big picture to 550 them.

I have the idea in my head that this is the most common way of looking at things, but I could be completely wrong. Just wanted to mention that the 550 thing is typically brought up in terms of spam, so it's likely that's where you heard that kind of talk.

Given that the 550 goes back to the actual mail server that delivers the nasty payload (not a forged one), I can see the value of 550ing viruses too (I just don't do it). I do monitor the quarantine stats, however, just in case I see something strange.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
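The exchange Daniel describes (Lucy's relay, Mary's forged return address) and the false-positive trade-off Chris and Jeff raise, as an added toy model that is not part of the thread and not ClamAV code. It assumes the submitting relay turns any 5xx reply into a DSN addressed to MAIL FROM and returns the original message inside it; all addresses are constructed.

```python
# Toy model of the two clamav-milter policies argued over in this thread. It speaks
# no SMTP; it only tracks which mailbox ends up holding what after one delivery.

REJECT = "reject"    # clamav-milter default: answer 550/554 in the SMTP transaction
DISCARD = "discard"  # --noreject: answer 250, then drop the message on the floor

def gateway_reply(policy, scanner_says_virus):
    """The SMTP reply your gateway gives the relay that is delivering to you."""
    if not scanner_says_virus:
        return "250 OK"
    return "554 5.7.1 virus detected" if policy == REJECT else "250 OK"

def relay_reaction(reply, msg):
    """Lucy's relay cannot tell a true detection from a false positive: on any 5xx
    it owes a DSN to MAIL FROM, which a worm fills in with someone else's address.
    Assumption: the DSN carries the original message (so the payload, if any)."""
    if not reply.startswith("5"):
        return None
    return {"to": msg["mail_from"], "payload": msg["infected"]}

def simulate(policy, msg, scanner_says_virus):
    """Return {mailbox: what landed there} after one delivery attempt."""
    inboxes = {}
    reply = gateway_reply(policy, scanner_says_virus)
    if reply.startswith("250") and not scanner_says_virus:
        inboxes[msg["rcpt_to"]] = "original"
    dsn = relay_reaction(reply, msg)
    if dsn:
        inboxes[dsn["to"]] = "dsn+payload" if dsn["payload"] else "dsn"
    return inboxes

# Constructed messages. Netsky-style worm sent from Lucy's box with Mary's forged MAIL FROM.
WORM = {"mail_from": "mary@example.org", "rcpt_to": "joe@yourdomain.example", "infected": True}
# A clean message the scanner wrongly flags (the FP case Chris and Jeff discuss).
LEGIT = {"mail_from": "alice@example.net", "rcpt_to": "joe@yourdomain.example", "infected": False}

def compare():
    """Who gets what under each policy, for a real worm and for a false positive."""
    return {
        ("worm", REJECT): simulate(REJECT, WORM, True),     # Mary gets a DSN carrying the worm
        ("worm", DISCARD): simulate(DISCARD, WORM, True),   # nobody gets anything
        ("fp", REJECT): simulate(REJECT, LEGIT, True),      # Alice learns her mail was refused
        ("fp", DISCARD): simulate(DISCARD, LEGIT, True),    # Alice's mail silently vanishes
    }
```

Daniel's argument is the first row (back-scatter one relay removed); Chris's and Jeff's is the third versus the fourth (a rejected false positive at least tells the real sender).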