Re: [Clamav-users] Virus detection notification
[sending notification to receiver]

It's possible to do this with Amavisd-new, but is it wise? It can confuse the receiver, so inform them well about this kind of message (or make the message very clear). Here we just delete the worms; what is the use of a message telling you that you just received the new Sasser virus (or is it just me ;))?

Oh, the option you're looking for in amavisd.conf is:

$warnvirusrecip = 0

Greetings,
Ralf Bosz

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] 0.81 default clamd.conf and clamav-milter
On Wednesday 26 Jan 2005 23:41, Kritof Petr wrote:
> Hi, trying to start clamav-milter from 0.81 I get:
> Starting clamav-milter: /usr/sbin/clamav-milter: ScanMail not defined in /etc/clamd.conf (needed without --external)

What are your clamav-milter options?

> Petr

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] Problem with clamd hanging
Tomasz Kojm [EMAIL PROTECTED]
Date: Tue, 25 Jan 2005 18:09:59 +0100
Subject: Re: [Clamav-users] Problem with clamd hanging

> On Tue, 25 Jan 2005 17:48:08 +0100 [EMAIL PROTECTED] wrote:
>> Trog [EMAIL PROTECTED]
>>> That's normal behaviour. A gdb backtrace of each thread when it is hanging is the most helpful thing at the moment.
>> Ok, so I did not use gdb, as gdb core dumped (maybe because I compiled clamav with Sun cc). I used dbx and here is the backtrace; I can send you the email that was scanned.
>> =[1] __zzip_find_disk_trailer(fd = 12, filesize = 31981, trailer = 0xfeb7b29e, io = 0xff30c2b0), line 289 in zzip-zip.c
> This is a known problem when using Sun's cc. Recompile with gcc.

After 24 hours with 0.81rc1 compiled with gcc I have not seen any hang-up. That's really better.

f.g.
Re: [Clamav-users] 0.81rc1 - html documentation missing, intentional?
On Thu, 27 Jan 2005 02:01:28 +0100 in [EMAIL PROTECTED] Tomasz Kojm [EMAIL PROTECTED] wrote:
> There were problems generating HTML documentation (probably due to a broken TeX installation in Debian). The tarball now includes clamdoc.tex so you can try to generate it yourself with latex2html.

Tried it; lots of HTML output files, but also some other stuff that wasn't there in 0.80/docs/html, and:

[docs]$ more html/WARNINGS
No implementation found for style `pslatex'
No implementation found for style `url'
No implementation found for style `fancyhdr'
No implementation found for style `titlesec'
redefining command \email
previous meaning of \email will be lost
The clamdoc.aux file was not found, so sections will not be numbered and cross-references will be shown as icons.

Is there a correct command for generating the HTML docs or the clamdoc.aux file? I'm not very TeX literate, I'm afraid.

-- 
Brian Morrison
bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
Re: [Clamav-users] Problem with clamd hanging
On Thu, 27 Jan 2005 09:51:48 +0100 in [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> After 24 hours with 0.81rc1 compiled with gcc I have not seen any hang-up.

And 0.81 is now released officially.

-- 
Brian Morrison
bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
Re: [Clamav-users] 0.81rc1 - html documentation missing, intentional?
On Thu, Jan 27, 2005 at 08:10:36AM +, Brian Morrison wrote:
> The clamdoc.aux file was not found, so sections will not be numbered and cross-references will be shown as icons.
> Is there a correct command for generating the html docs or the clamdoc.aux file? I'm not very TeX literate I'm afraid

TeX generates the .aux file itself. Just rerun the command you gave. In pathetic cases, you might have to rerun it a third time if the page numbers changed, due to page numbers being longer than expected and now suddenly wrapping a paragraph, making it appear on a new page and therefore shifting all other pages... etc.

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm [EMAIL PROTECTED] $p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+ $_[2]}-(map{/p|f/i+/f/i}split//,$)+97):qw(m p f)[map{((ord$)%32-1)/$_%3}(9, 3,1)]),5,1)='`'lt$;$f.eig;# Jan-Pieter Cornet
Re: [Clamav-users] Using Clam AV - Perhaps I am not understanding product intent
On Wed, 26 Jan 2005 at 13:17:40 -0600, [EMAIL PROTECTED] wrote:
> [...] Secondly full file system scanning. [...] The second is easy enough, however, when I used clamdscan the file system scan consumes inordinate amount of CPU resources. I've tried starting clamd with a nice value of 17 and running clamdscan with a nice value of 18, in hopes of slowing it down so [...]

I've got no idea whether it has any impact in your environment (a virtual machine), but one needn't run clamd and clamdscan just to scan a file system. In such a situation it gives almost nothing, because you launch the scanner _once_, not every time for every single file (as happens when scanning incoming mail). So you may try to stop clamd and run just clamscan with nice(1).

-- 
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland   | And it's only
[EMAIL PROTECTED] http://www.lodz.tpsa.pl/iso/ | ones and zeros.
[EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner
Re: [Clamav-users] 0.81rc1 - html documentation missing, intentional?
On Thu, 27 Jan 2005 10:35:47 +0100 in [EMAIL PROTECTED] Jan Pieter Cornet [EMAIL PROTECTED] wrote:
> On Thu, Jan 27, 2005 at 08:10:36AM +, Brian Morrison wrote:
>> The clamdoc.aux file was not found, so sections will not be numbered and cross-references will be shown as icons.
>> Is there a correct command for generating the html docs or the clamdoc.aux file? I'm not very TeX literate I'm afraid
> TeX generates the .aux file itself. Just rerun the command you gave. In pathetic cases, you might have to rerun it a third time if the page numbers changed due to page numbers being longer than expected and now suddenly wrapping a paragraph making it appear on a new page, therefore shifting all other pages... etc.

Done that, same result. I ran latex2html; do I need to run another command first?

-- 
Brian Morrison
bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
Re: [Clamav-users] Clamav upgrade 0.80-0.81rc1-1
On Thu, Jan 27, 2005 at 10:08:08AM -, Christopher Roberts wrote:
> I 'had' a beautiful Clamd installation working on a Debian distribution with MIMEDefang.
> Replacing config file /etc/clamav/freshclam.conf with new version
> Starting ClamAV virus database updater: ERROR: Number of checks must be a positive integer.

Check the value of Checks in /etc/clamav/freshclam.conf (defaults to 12, I think).

> subprocess post-installation script returned error exit status 41

Have you tried dpkg-reconfigure clamav?

Bye,
gc :-)
Re: [Clamav-users] 0.81rc1 - html documentation missing, intentional?
On Thu, Jan 27, 2005 at 10:49:57AM +, Brian Morrison wrote:
>> TeX generates the .aux file itself. Just rerun the command you gave.
> Done that, same result. I ran latex2html, do I need to run another command first?

Hm, I'm not very familiar with latex2html. Maybe you should just run latex first? But if nothing is being generated, the tex program aborts due to the missing definitions that you mentioned earlier... those need to be resolved then, somehow.

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm [EMAIL PROTECTED] $p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+ $_[2]}-(map{/p|f/i+/f/i}split//,$)+97):qw(m p f)[map{((ord$)%32-1)/$_%3}(9, 3,1)]),5,1)='`'lt$;$f.eig;# Jan-Pieter Cornet
RE: [Clamav-users] Clamav upgrade 0.80-0.81rc1-1
> Check the value of Checks in /etc/clamav/freshclam.conf (defaults to 12, I think)

Thanks GC, you're a genius. Or perhaps I'm just stupid - I just never thought to read the error message that literally. It was set to zero, and instead I had added freshclam to cron. I have now changed it to 12 and the upgrade has now completed fine, so thanks.

Chris.
[Clamav-users] Re: [Clamav-announce] announcing ClamAV 0.81
Luca Gibelli wrote:
> Dear ClamAV users, release 0.81 is now available for download.

[ NOTHING ABOUT FUNCTIONALITY UPGRADE ]

WARNING: Your ClamAV installation is OUTDATED - please update immediately!
WARNING: Current functionality level = 3, required = 4

This is the second time that this has happened (last time was for 0.80). Could you please *at least* tell users in the announcement what this means, which functionality won't be available if you don't update immediately, and what functionality is gained by level 4?

I know, Open Source and all that - but a virus scanner is a security sensitive piece of software. Just putting that in the logfile of freshclam plainly sucks.

Regards,
Ralph

-- 
Ralph [EMAIL PROTECTED]                  | ..Text processing has made it possible
Bayerischer Rundfunk...HA-Multimedia     | to right-justify any idea, even one
Rundfunkplatz 1 80300 München            | .which cannot be justified on any other
Tel:089.5900.16023..Fax:089.5900.16240   | ..grounds. -- J. Finnegan, USC
Re: [Clamav-users] Re: [Clamav-announce] announcing ClamAV 0.81
On Thu, 27 Jan 2005 13:17:16 +0100 Ralph Angenendt wrote:
> Luca Gibelli wrote:
>> Dear ClamAV users, release 0.81 is now available for download.
> [ NOTHING ABOUT FUNCTIONALITY UPGRADE ]
> WARNING: Your ClamAV installation is OUTDATED - please update immediately!
> WARNING: Current functionality level = 3, required = 4
> This is the second time, that this happened (last time was to 0.80).

And it sounds a bit impolite :-( [at least to me]

I suggest s/please update immediately!/Please update as soon as possible./

--Frank Elsner
Re: [Clamav-users] Re: [Clamav-announce] announcing ClamAV 0.81
On Thu, 27 Jan 2005 13:37:33 +0100 Frank Elsner [EMAIL PROTECTED] wrote:
>> WARNING: Your ClamAV installation is OUTDATED - please update immediately!
>> WARNING: Current functionality level = 3, required = 4
>> This is the second time, that this happened (last time was to 0.80).
> And it sounds a bit impolite :-( [at least to me]
> I suggest s/please update immediately!/Please update as soon as possible./

Will ASCII-art flowers printed by freshclam satisfy you as well?

-- 
   oo.      Tomasz Kojm [EMAIL PROTECTED]
  (\/)\.    http://www.ClamAV.net/gpg/tkojm.gpg
     \..._  0DCA5A08407D5288279DB43454822DC8985A444B
     //\ /\ Thu Jan 27 13:38:12 CET 2005
Re: [Clamav-users] Re: [Clamav-announce] announcing ClamAV 0.81
On Thu, 27 Jan 2005 12:55:33 + Brian Morrison [EMAIL PROTECTED] wrote:
> On Thu, 27 Jan 2005 13:42:12 +0100 in [EMAIL PROTECTED] Tomasz Kojm [EMAIL PROTECTED] wrote:
>> Will ASCII-art flowers printed by freshclam satisfy you as well?
> Won't your sheep(?) eat them?

Actually it's a turtle. I really hate it when people confuse it with a sheep! ;-)

-- 
   oo.      Tomasz Kojm [EMAIL PROTECTED]
  (\/)\.    http://www.ClamAV.net/gpg/tkojm.gpg
     \..._  0DCA5A08407D5288279DB43454822DC8985A444B
     //\ /\ Thu Jan 27 13:55:01 CET 2005
Re: [Clamav-users] Clamav upgrade 0.80-0.81rc1-1
On Thu, Jan 27, 2005 at 12:12:09PM -, Christopher Roberts wrote:
>> Check the value of Checks in /etc/clamav/freshclam.conf (defaults to 12, I think)
> Thanks GC, you're a genius. Or perhaps I'm just stupid - ...

Please don't exaggerate: you're NOT stupid!!! ;-)

bye,
gc :-)
Re: [Clamav-users] Clamav upgrade 0.80-0.81rc1-1
On Thu, 27 Jan 2005 14:03:46 +0100 Gian Carlo [EMAIL PROTECTED] wrote:
> On Thu, Jan 27, 2005 at 12:12:09PM -, Christopher Roberts wrote:
>>> Check the value of Checks in /etc/clamav/freshclam.conf (defaults to 12, I think)
>> Thanks GC, you're a genius. Or perhaps I'm just stupid - ...
> Please don't exaggerate: you're NOT stupid!!! ;-)

Then you're a genius, GC :-)

-- 
   oo.      Tomasz Kojm [EMAIL PROTECTED]
  (\/)\.    http://www.ClamAV.net/gpg/tkojm.gpg
     \..._  0DCA5A08407D5288279DB43454822DC8985A444B
     //\ /\ Thu Jan 27 14:05:24 CET 2005
Re: [Clamav-users] Re: [Clamav-announce] announcing ClamAV 0.81
Tomasz Kojm wrote:
>> Won't your sheep(?) eat them?
> Actually it's a turtle. I really hate when people confuse it with a sheep! ;-)

Ehh? I really thought it was a snail! Those two little dots on top are like snail antennas. Or eyes, whatever. If you've seen Gary, Spongebob Squarepants' snail, especially in the episode where he teaches Spongebob how to tie his shoes, you'll know what I mean.

Okay, back to virus talk, people :))
[Clamav-users] Upgrade doc?
Is there an upgrade doc? I want to update to the latest version. Is it best to install over the top of an old version? Or is there a preferred method of upgrade?

Thanks!
Re: [Clamav-users] Upgrade doc?
On Thu, 27 Jan 2005 07:16:06 -0600 Diane Rolland [EMAIL PROTECTED] wrote:
> Is there an upgrade doc? I want to update to the latest version. Is it best to install over the top of an old version? Or is there a preferred method of upgrade?

http://wiki.clamav.net/index.php/UpgradeInstructions

-- 
   oo.      Tomasz Kojm [EMAIL PROTECTED]
  (\/)\.    http://www.ClamAV.net/gpg/tkojm.gpg
     \..._  0DCA5A08407D5288279DB43454822DC8985A444B
     //\ /\ Thu Jan 27 14:17:12 CET 2005
Re: [Clamav-users] Directory recursion limit exceeded error in clamd.log file (clamav version 0.80)
On Mon, 24 Jan 2005 at 3:04:22 -0700, Hal Goldfarb wrote:
>> [...] Problem: When I run clamdscan (which uses the daemon), it generates zillions of errors in the clamd.log file something like "Directory recursion limit exceeded at /home/hal/.tvtime". However, when I run clamscan (which does not use the daemon, right?), [...] Could this be a memory leak of some kind?
> I doubt it.

Why do you doubt it? Memory leaks are a common problem in C and C++, even if one is an expert coder. Do you doubt it because you are using a standard set of routines? Even so, could it still be the case that the mainline code is corrupting something in those routines? I suppose I could do something courageous ... like, uh ... get the source code and uh ... do some debugging (yeccch).

> I just offered a possible explanation for this behavior. Try to experiment with setting other values of MaxDirectoryRecursion (and don't forget to reload the clamd).

Are there certain values of MaxDirectoryRecursion that work better than others?

> Also, try to reproduce the error in some other, nested directories (e.g. created for testing purposes).

Aha! Sounds like you want me to do some debugging for you. Sounds like maybe you are drafting me for some work here ... :D

-Hal
Re: [Clamav-users] Re: [Clamav-announce] announcing ClamAV 0.81
On Thu, 27 Jan 2005 13:57:30 +0100 in [EMAIL PROTECTED] Tomasz Kojm [EMAIL PROTECTED] wrote:
>> Won't your sheep(?) eat them?
> Actually it's a turtle. I really hate when people confuse it with a sheep! ;-)

OK, but turtles like flowers too, don't they?

-- 
Brian Morrison
bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
[Clamav-users] Upgrade instructions that ~I~ follow(ed)
Here are the upgrade instructions that I follow(ed)! These do work if you follow them to the T!

*Oh yeah ... remember to back up your freshclam.conf and clamd.conf =P~

Unpack the old distribution:
  tar -zxf clamav-0.80.tar.gz

Run configure:
  cd clamav-0.80
  ./configure

Unpack the new distribution:
  cd ..
  tar -zxf clamav-0.81.tar.gz

Run configure:
  cd clamav-0.81
  ./configure

Compile it:
  make

Become root.
Stop qmail.
Stop qmailscan.

Uninstall the existing clamav stuff:
  cd ../clamav-0.80
  make uninstall

Install the new stuff:
  cd ../clamav-0.81
  make install

Restart clamd.
Run freshclam.
Start qmailscan.
Start qmail.

Jeffrey Kroll :: IT Coordinator :: PBOA Risk Services
941.955.0793 :: 1800 Second St. Suite 910 :: Sarasota, FL 34236

( SUN ) o o o-Earth o ( ) -(-)- oo.
[Clamav-users] Are we safe - WORM_BAGLE.AZ
I'm thinking that someone has submitted this, and we already have the update... but does anyone know for sure if we are safe from this? WORM_BAGLE.AZ is what Trend Net is referring to this as; their message to me this morning follows:

As of January 27, 2005 1:42 AM PST (Pacific Standard Time/GMT -8:00), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_BAGLE.AZ. TrendLabs has received several infection reports indicating that this malware is spreading in US, China, and Japan.

This WORM_BAGLE variant arrives on a system as an email attachment. It sends copies of itself to all email addresses it gathers from files with certain extensions but skips those addresses that contain particular strings.

===
Users must be wary of the email it sends that have the following details:

Subject: (any of the following)
  Delivery service mail
  Delivery by mail
  Registration is accepted
  Is delivered mail
  You are made active
  Thanks for use of our software. Before use read the help

Message body: (any of the following)
  Delivery service mail
  Delivery by mail
  Registration is accepted
  Is delivered mail
  You are made active
  Thanks for use of our software. Before use read the help

Attachments: (any of the following file names)
  guupd02.exe
  Jol03.exe
  siupd02.exe
  upd02.exe
  viupd02.exe
  wsd01.exe
  zupd02.exe
(with any of the following extensions)
  COM
  CPL
  EXE
  SCR
===

The email is spoofed and may appear to have come from a familiar email address. As a general rule, users should avoid opening the attachments of unsolicited email.

This worm drops a copy of itself using the following file names into the Windows system folder:
  sysformat.exe
  sysformat.exeopen
  sysformat.exeopenopen

It also looks for folders that have the string "shar", then drops copies of itself using file names with EXE extensions into those folders. In addition, this worm terminates several processes, most of which are related to antivirus and security programs.

-- 
Craig Daters ([EMAIL PROTECTED])
Systems Administrator
West Press Print Communications
1663 West Grant Road
Tucson, Arizona 85705
(520) 624-4939
(520) 624-2715 fax
www.westpress.com
--
Please note: It is the policy of West Press that all e-mail sent to and from any @westpress.com address may be recorded and monitored. Unless it is West Press related business, please do not send any material of a private, personal, or confidential nature to this or any @westpress.com e-mail address.
This message has been scanned for UCE (spam), viruses, and dangerous content, and is believed to be clean.
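The indicator list in the alert above (subject and body strings, attachment base names, and the COM/CPL/EXE/SCR extensions) is what an admin has to work with while waiting for a scanner update. The following is an added example and not code from the post, from Trend, or from ClamAV: a small Python triage check that parses an RFC 822 message and flags it against exactly those indicators, ranking an attachment-name hit above the generic subject/body strings, which can occur in legitimate mail. The three messages it runs on are constructed test data; nothing here reproduces the signature ClamAV uses for this family.

```python
"""Triage filter for the WORM_BAGLE.AZ indicators quoted in the TrendLabs alert.

Added example: the indicator lists are transcribed from the alert text; the
sample messages are constructed here and are not captured worm mail.
"""
import email
from email import policy
from email.message import EmailMessage

# Subject and message-body strings are the same list in the alert.
ALERT_STRINGS = {
    "delivery service mail",
    "delivery by mail",
    "registration is accepted",
    "is delivered mail",
    "you are made active",
    "thanks for use of our software. before use read the help",
}
ATTACH_BASENAMES = {"guupd02", "jol03", "siupd02", "upd02", "viupd02", "wsd01", "zupd02"}
ATTACH_EXTS = {"com", "cpl", "exe", "scr"}


def _norm(text):
    """Lower-case and collapse whitespace so trivial spacing differences do not matter."""
    return " ".join((text or "").lower().split())


def attachment_hits(msg):
    """Return attachment file names whose base name AND extension are both on the alert list."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        base, dot, ext = name.rpartition(".")
        if dot and base.lower() in ATTACH_BASENAMES and ext.lower() in ATTACH_EXTS:
            hits.append(name)
    return hits


def classify(raw):
    """Classify a raw RFC 822 message (bytes) against the alert's indicators.

    'suspect' = a listed attachment name is present; 'weak' = only the generic
    subject/body strings match; 'clean' = nothing matched.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject_hit = _norm(msg["Subject"]) in ALERT_STRINGS
    body_part = msg.get_body(preferencelist=("plain",))
    body = _norm(body_part.get_content()) if body_part is not None else ""
    body_hit = any(s in body for s in ALERT_STRINGS)
    attachments = attachment_hits(msg)
    if attachments:
        verdict = "suspect"
    elif subject_hit or body_hit:
        verdict = "weak"
    else:
        verdict = "clean"
    return {"subject_hit": subject_hit, "body_hit": body_hit,
            "attachments": attachments, "verdict": verdict}


def build_sample(subject, body, attachment=None):
    """Build a sample message; attachment is an optional (filename, bytes) pair."""
    m = EmailMessage()
    m["From"] = "spoofed@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment is not None:
        name, payload = attachment
        m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=name)
    return m.as_bytes()


# Constructed samples: one shaped like the alert, one benign, one with only the subject line.
WORMLIKE = build_sample("Delivery service mail", "Registration is accepted",
                        ("upd02.exe", b"MZ" + b"\x00" * 16))
BENIGN = build_sample("Q1 invoice", "Attached as agreed.", ("invoice.pdf", b"%PDF-1.4"))
SUBJECT_ONLY = build_sample("Delivery by mail", "Your parcel tracking number is 12345.")

if __name__ == "__main__":
    for label, raw in (("wormlike", WORMLIKE), ("benign", BENIGN), ("subject-only", SUBJECT_ONLY)):
        print(label, classify(raw))
```

The attachment check requires both the base name and the extension to match, since a bare "upd02" or a bare ".exe" would generate far too many false positives on a busy gateway; the subject/body strings are deliberately only a "weak" signal for the same reason.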
Re: [Clamav-users] Are we safe - WORM_BAGLE.AZ
On Thu, 2005-01-27 at 07:01 -0700, Craig Daters wrote:
> I'm thinking that someone has submitted this, and we already have the update...but does anyone know for sure if we are safe from this. WORM_BAGLE.AZ is what Trend Net is referring to this as, there message to me this morning follows:

It is detected by Clam as Trojan.Downloader.Small-165, which was added on 8th Nov 2004 by Christoph.

-trog
Re: [Clamav-users] Are we safe - WORM_BAGLE.AZ
Trog wrote:
> It is detected by Clam as Trojan.Downloader.Small-165, which was added on 8th Nov 2004 by Christoph.

Wow, that was some time ago, and TrendNet is only just now putting out an update! That's scary!

Thanks Trog

-- 
Craig Daters ([EMAIL PROTECTED])
Systems Administrator
West Press Print Communications
1663 West Grant Road
Tucson, Arizona 85705
(520) 624-4939
(520) 624-2715 fax
www.westpress.com
[Clamav-users] 0.81 - Question on Upgrade
Hi List!

Please allow me to start by saying I'm relatively new here, having just switched to Clam from RAV. I'm very impressed with the responsiveness of the Clam team, and with the Clam product. You guys do a great job.

I do have a question on the upgrade(s): Is there typically a period of time where the old version will work alongside the new version? (I read the FAQ and saw the mention of missing viruses if one doesn't upgrade.)

The reason I ask is, in my real job as a network engineer at a major corporation, we have gotten burned in the past by applying a new service pack (not talking about Windows... I don't support that POS), or a new version of a product, too soon after its release. As such, I have developed a policy that if the patch is not security-related, we don't install it until it has been released for a month or so. I'd kinda like to apply that same principle to my own business (Loganet) with regards to Clam. However, if in so doing I'd be exposing my customers to viruses that would otherwise be caught using the newer version, I'd reconsider that policy.

Just wondering...

Keep up the great work, and if I can help you guys with anything please ask.

Sam (not a programmer, but willing to help :)

-- 
Sam Morris, Owner
Loganet Internet Service
Logan IA, United States of America
712-644-3578
RE: [Clamav-users] Are we safe - WORM_BAGLE.AZ
[EMAIL PROTECTED] wrote:
> Trog wrote:
>> It is detected by Clam as Trojan.Downloader.Small-165, which was added on 8th Nov 2004 by Christoph.
> Wow, that was some time ago, and TrendNet is only just now putting out an update! That's scary! Thanks Trog

We caught our first copy at 10:20 GMT today. ClamAV, Bitdefender, and McAfee's uvscan (4423 DATs) all detected it.

Cheers,
Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
Re: [Clamav-users] 0.81 - Question on Upgrade
On Thu, 2005-01-27 at 08:25 -0600, Sam wrote:
> I do have a question on the upgrade(s): Is there typically a period of time where the old version will work alongside the new version? (I read the faq and saw the mention of missing viruses if one doesn't upgrade). The reason I ask is, in my real job as a network engineer at a major corporation, we have gotten burned in the past by applying a new service pack (not talking about Windows...I don't support that pos), or a new version of a product too soon after its release. As such, I have developed a policy that if the patch is not security-related, we don't install it until it has been released for a month or so.

I think the best advice I can give you is that you should start testing when a release candidate comes out, running it against real data - you don't have to do that on a production system. Then you build confidence in the software.

-trog
RE: [Clamav-users] Are we safe - WORM_BAGLE.AZ
Craig Daters wrote:
> Wow, that was some time ago, and TrendNet is only just now putting out an update! That's scary! Thanks Trog

What concerns me (if it is true that ClamAV has detected this specific variant since November) is that ClamAV is not performing due diligence and sharing samples to protect users of other products on the Internet. AV teams working together is a good thing, and I personally share all of my samples with over 20+ AV vendors.

sk3tch
[Clamav-users] v0.81 suddenly says ScanStream: accept() failed
Upgraded this morning to 0.81, and suddenly I frequently have the error message "ScanStream: accept() failed" in my logs.

I have enabled verbose logging, and notice that *most of the time* all is OK, but frequently there is an accept error:

Thu Jan 27 16:09:06 2005 - Accepted connection on port 12586, fd 9
Thu Jan 27 16:09:07 2005 - stream: OK
Thu Jan 27 16:09:20 2005 - ERROR: ScanStream: accept() failed.
Thu Jan 27 16:09:42 2005 - Accepted connection on port 26208, fd 9
Thu Jan 27 16:09:43 2005 - stream: OK

Frequently, I mean, 5-10 times per hour there is the error.

I've never seen that error when using 0.80 (as far as my log files go back). Also, downgrading to 0.80 for almost two hours never showed that error.

The setup appears to be working, because if I mail myself a virus, it is detected. I can't reproduce the error on demand either (save some incoming mail in a backup folder and let it scan again -- all works fine then).

Anyone seen something similar?

-- 
Paul Bijnens, Xplanation                            Tel   +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM    Fax   +32 16 397.512
http://www.xplanation.com/          email:  [EMAIL PROTECTED]
***********************************************************************
* I think I've got the hang of it now:  exit, ^D, ^C, ^\, ^Z, ^Q, F6, *
* quit,  ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye,  /bye,   *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt,  abort,  hangup, *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e,  kill -1 $$,  shutdown, *
* kill -9 1,  Alt-F4,  Ctrl-Alt-Del,  AltGr-NumLock,  Stop-A,  ...    *
* ...  "Are you sure?"  ...   YES   ...   Phew ...   I'm out          *
***********************************************************************
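The log lines above are the two halves of the legacy clamd STREAM exchange: the daemon answers the STREAM command with an ephemeral port, accepts a second connection on that port for the file data, and only then writes "stream: OK" (or "... FOUND") back on the control connection. An "accept() failed" between two successful scans therefore means a client asked for a port and no data connection arrived before the daemon gave up. The Python below is an added example, not code from the post or from ClamAV: a mock daemon and a client that speak that exchange on 127.0.0.1 with both sides' messages visible, plus a client that deliberately never delivers the data so the failure mode shows up in the daemon's log. The marker string is a constructed stand-in for a signature, the accept timeout value is this example's own, and the reply text on a failed accept is this toy's choice (only the log wording is copied from the post).

```python
"""Mock of the pre-0.95 clamd STREAM protocol, with the accept-timeout failure mode.

Added example: the port-handshake shape follows the legacy STREAM command; the
marker "signature", timeout value and error reply are this example's own.
"""
import socket
import threading

# Constructed marker, not a real ClamAV signature or test file.
MARKER = b"EXAMPLE-MALWARE-MARKER"


def toy_scan(data):
    """Stand-in for the scanner: reports the marker the way clamd reports a hit."""
    return "stream: Example.Marker FOUND" if MARKER in data else "stream: OK"


class MockClamd:
    """Minimal daemon: 'STREAM\\n' in, 'PORT <n>\\n' out, data on port n, verdict back."""

    def __init__(self, accept_timeout=1.0):
        self.accept_timeout = accept_timeout  # how long to wait for the data connection
        self.log = []                         # what clamd would write to clamd.log
        self.stopped = False
        self.ctrl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.ctrl.bind(("127.0.0.1", 0))
        self.ctrl.listen(5)
        self.ctrl.settimeout(0.2)
        self.port = self.ctrl.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while not self.stopped:
            try:
                conn, _ = self.ctrl.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            conn.settimeout(5)
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        with conn:
            cmd = conn.makefile("rb").readline().strip()
            if cmd != b"STREAM":
                conn.sendall(b"UNKNOWN COMMAND\n")
                return
            # Open an ephemeral data port and tell the client where it is.
            data_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            data_sock.bind(("127.0.0.1", 0))
            data_sock.listen(1)
            data_sock.settimeout(self.accept_timeout)
            dport = data_sock.getsockname()[1]
            conn.sendall(f"PORT {dport}\n".encode())
            try:
                dconn, _ = data_sock.accept()
            except socket.timeout:
                # No data connection arrived in time: the case from the log above.
                self.log.append("ERROR: ScanStream: accept() failed.")
                conn.sendall(b"stream: accept() failed ERROR\n")
                return
            finally:
                data_sock.close()
            self.log.append(f"Accepted connection on port {dport}")
            dconn.settimeout(5)
            with dconn:
                chunks = []
                while True:  # read the "file" until the client closes its write side
                    buf = dconn.recv(65536)
                    if not buf:
                        break
                    chunks.append(buf)
            verdict = toy_scan(b"".join(chunks))
            self.log.append(verdict)
            conn.sendall(verdict.encode() + b"\n")

    def close(self):
        self.stopped = True
        self.ctrl.close()


def stream_scan(port, data, connect_data_port=True):
    """Client side of STREAM; returns the daemon's verdict line.

    connect_data_port=False models a client that asks for a port and then never
    delivers the file, which the daemon sees as a failed accept().
    """
    with socket.create_connection(("127.0.0.1", port), timeout=5) as ctrl:
        reader = ctrl.makefile("rb")  # one buffered reader for both reply lines
        ctrl.sendall(b"STREAM\n")
        reply = reader.readline().decode().strip()
        if not reply.startswith("PORT "):
            return reply
        dport = int(reply.split()[1])
        if connect_data_port:
            with socket.create_connection(("127.0.0.1", dport), timeout=5) as d:
                d.sendall(data)
                d.shutdown(socket.SHUT_WR)  # EOF marks the end of the file
        return reader.readline().decode().strip()


def demo():
    """Run a clean scan, a hit, and a dropped data connection; return results and the log."""
    server = MockClamd(accept_timeout=0.5)
    try:
        clean = stream_scan(server.port, b"just a plain text message\n")
        hit = stream_scan(server.port, b"header\n" + MARKER + b"\ntrailer\n")
        failed = stream_scan(server.port, b"never delivered", connect_data_port=False)
    finally:
        server.close()
    return clean, hit, failed, list(server.log)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The point for troubleshooting is which side owns each step: the daemon can only report that its accept() timed out, so the cause has to be found in whatever opens the control connection (here, the procmail wrapper around clamdscan) and what happens to it between reading the PORT line and connecting to that port.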
RE: [Clamav-users] Are we safe - WORM_BAGLE.AZ
[EMAIL PROTECTED] wrote:
> Craig Daters wrote:
>> Wow, that was some time ago, and TrendNet is only just now putting out an update! That's scary! Thanks Trog
> What concerns me (if it is true that ClamAV has detected this specific variant since November) is that ClamAV is not performing due diligence and sharing samples to protect users of other products on the Internet. AV teams working together is a good thing, and I personally share all of my samples with over 20+ AV vendors.
> sk3tch

Hold on a minute there! ClamAV detects it because it matches an existing ClamAV virus pattern - that is serendipitous rather than malicious.

Cheers,
Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
RE: [Clamav-users] Are we safe - WORM_BAGLE.AZ
On Thu, 2005-01-27 at 09:13 -0600, [EMAIL PROTECTED] wrote:
> Craig Daters wrote:
>> Wow, that was some time ago, and TrendNet is only just now putting out an update! That's scary! Thanks Trog
> What concerns me (if it is true that ClamAV has detected this specific variant since November) is that ClamAV is not performing due diligence and sharing samples to protect users of other products on the Internet. AV teams working together is a good thing, and I personally share all of my samples with over 20+ AV vendors.

That's not what it means. Virus writers like to share code too. It just happens that in this case, the new Bagle variants are similar enough to a previous Trojan that an existing signature caught them.

As for your comments regarding sample sharing, perhaps you should address them to the WildList organisation. We have previously offered samples to other AV vendors, in specific cases.

-trog
Re: [Clamav-users] Phishing Questions
On Thu, 27 Jan 2005, Sam wrote:
> I have yet another question. I have noticed Clam stopping (or at least to me it appears to be stopping) various phishing attempts. Or am I wrong? If this is the case, I will start submitting phishing attempts I see (I probably get 3 - 4 a day).

Please don't. Phishing attempts do not automatically propagate (by infecting a machine and being re-sent) and therefore are generally one-time events. As such, they can be trivially changed to evade any signature-based filter, which must obviously generate a signature _after_ the release of each phishing email. As a result, blocking of phishing schemes is best left to anti-spam tools such as SpamAssassin.

In contrast, once a virus (or other auto-propagating code) is released, the author no longer has control, so signatures can be developed.

There was a discussion about this several months ago. Unfortunately, many people (including part of the signature-generation team) are too dogmatic about their feelings that "phishing is bad, so we should block it" to look at it logically.

Damian Menscher
-- 
-=#| Physics Grad Student SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
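The argument above turns on how much of a message a signature pins down, because that is what decides how small an edit lets the next copy through. As an added example, not code from the post or from ClamAV, the Python below implements a toy matcher for two ClamAV database record formats, the whole-file hash record (.hdb: MD5:FileSize:MalwareName) and the hex pattern record (.ndb: MalwareName:TargetType:Offset:HexSignature, with "??" for any byte and "*" for any run; only those two wildcards are handled here, not the full ClamAV syntax), and runs three signatures over a constructed phishing lure and three equally constructed "next day" edits of it. The signature names and message text are invented for the example.

```python
"""Toy matcher for ClamAV .hdb (MD5) and .ndb (hex pattern) style records.

Added example: record layouts follow the documented database formats, but
only the "??" and "*" wildcards are implemented; samples are constructed.
"""
import hashlib
import re


def make_hdb(data, name):
    """Build an .hdb record: MD5:FileSize:MalwareName."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def make_ndb(name, hexsig, offset="*", target=0):
    """Build an .ndb record: MalwareName:TargetType:Offset:HexSignature."""
    return f"{name}:{target}:{offset}:{hexsig}"


def hdb_match(data, sig):
    """Return the name if data has exactly the recorded size and MD5, else None."""
    digest, size, name = sig.split(":", 2)
    if len(data) == int(size) and hashlib.md5(data).hexdigest() == digest:
        return name
    return None


def _hexsig_to_regex(hexsig):
    """Translate a hex signature with ?? and * wildcards into a compiled bytes regex."""
    parts, i = [], 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            parts.append(b".*?")      # any run of bytes
            i += 1
        elif hexsig[i:i + 2] == "??":
            parts.append(b".")        # any single byte
            i += 2
        else:
            parts.append(re.escape(bytes.fromhex(hexsig[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)


def ndb_match(data, sig):
    """Return the name if the hex pattern matches at the record's offset ('*' = anywhere)."""
    name, _target, offset, hexsig = sig.split(":", 3)
    pattern = _hexsig_to_regex(hexsig)
    hit = pattern.search(data) if offset == "*" else pattern.match(data, int(offset))
    return name if hit else None


def scan(data, signatures):
    """Return the names of all records that match data, in database order."""
    names = []
    for sig in signatures:
        # .hdb records have three colon-separated fields, .ndb records four.
        hit = hdb_match(data, sig) if sig.count(":") == 2 else ndb_match(data, sig)
        if hit:
            names.append(hit)
    return names


# Constructed lure (not a real message) and three small edits a phisher might make.
ORIGINAL = (b"Subject: Account verification required\r\n\r\n"
            b"Dear customer, your account has been suspended. "
            b"Visit http://login.bank.example.invalid/ to restore access.\r\n")
V_GREETING = ORIGINAL.replace(b"Dear customer", b"Dear client")
V_ADVERB = ORIGINAL.replace(b"has been suspended", b"has been temporarily suspended")
V_REWORDED = ORIGINAL.replace(b"has been suspended", b"is locked")

# Signatures "written the day after" the original was seen.
SIGNATURES = [
    make_hdb(ORIGINAL, "Phish.Example.Hash"),
    make_ndb("Phish.Example.Lure", b"account has been suspended".hex()),
    make_ndb("Phish.Example.Wild", b"account has been".hex() + "*" + b"suspended".hex()),
]

if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL), ("greeting changed", V_GREETING),
                          ("adverb inserted", V_ADVERB), ("lure reworded", V_REWORDED)):
        print(f"{label:17s} -> {scan(sample, SIGNATURES)}")
```

Changing one word outside the lure already defeats the hash record, a one-word insertion inside the lure defeats the exact pattern but not the wildcard one, and rewording the lure defeats all three; each step costs the sender seconds and the defender a new signature, which is the asymmetry the message above describes.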
Re: [Clamav-users] Phishing Questions
On Jan 27, 2005, at 10:25 AM, Damian Menscher wrote:
> There was a discussion about this several months ago. Unfortunately, many people (including part of the signature-generation team) are too dogmatic about their feelings that "phishing is bad, so we should block it" to look at it logically.

Can I submit win.com for inclusion as a signature? :-)

/duck

-Bart
Re: [Clamav-users] Phishing Questions
Damian Menscher wrote:
> Please don't. Phishing attempts do not automatically propagate (by infecting a machine and being re-sent) and therefore are generally one-time events. As such, they can be trivially changed to evade any signature-based filter, which must obviously generate a signature _after_ the release of each phishing email. As a result, blocking of phishing schemes is best left to anti-spam tools such as SpamAssassin.
> In contrast, once a virus (or other auto-propagating code) is released, the author no longer has control, so signatures can be developed.

I have a lot of those one-time events that clamav blocks. On my installation, I see about the same number of phishing mails being blocked by clamav as of the somefool virus. It certainly helps my users.

-- 
Paul Bijnens, Xplanation                            Tel   +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM    Fax   +32 16 397.512
http://www.xplanation.com/          email:  [EMAIL PROTECTED]
Re: [Clamav-users] v0.81 suddenly says ScanStream: accept() failed
On Thu, 2005-01-27 at 16:19 +0100, Paul Bijnens wrote: Upgraded this morning to 0.81, and suddenly I frequently have the error message ScanStream: accept() failed in my logs. I have enabled verbose logging, and notice that *most of the time* all is ok, but frequently there is an accept error:
Thu Jan 27 16:09:06 2005 - Accepted connection on port 12586, fd 9
Thu Jan 27 16:09:07 2005 - stream: OK
Thu Jan 27 16:09:20 2005 - ERROR: ScanStream: accept() failed.
Thu Jan 27 16:09:42 2005 - Accepted connection on port 26208, fd 9
Thu Jan 27 16:09:43 2005 - stream: OK
Frequently, I mean, 5-10 times per hour there is the error. What software are you using to pass requests/data to clamd? -trog signature.asc Description: This is a digitally signed message part ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] v0.81 suddenly says ScanStream: accept() failed
Trog wrote: What software are you using to pass requests/data to clamd? clamscan-procfilter.pl, a little perlprog to be used in procmail, essentially boiling down to cat themsg | clamdscan --stdout - $tempfile, and examining $tempfile for results. -- Paul Bijnens, Xplanation Tel +32 16 397.511 Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM Fax +32 16 397.512 http://www.xplanation.com/ email: [EMAIL PROTECTED] *** * I think I've got the hang of it now: exit, ^D, ^C, ^\, ^Z, ^Q, F6, * * quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, * * stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt, abort, hangup, * * PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e, kill -1 $$, shutdown, * * kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ...* * ... Are you sure? ... YES ... Phew ... I'm out * *** ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Phishing Questions
On Thu, 27 Jan 2005, Jim Maul wrote: Is it causing you (or anyone for that matter) a problem by clamav catching some phishing attempts as opposed to spamassassin catching them? What's really the issue here? You just don't believe clamav is the right tool for that job, but is there REALLY a problem? I doubt it. If my car is broken usually I take it to a mechanic. But if a friend of mine who happens to be a plumber can fix it also, does it really matter if I bring it to him instead? No. (This is directed more at Trog than anyone...) So if one were to submit phishing attempts, what do you need? I don't think the virus submission page will allow one to submit something without an attachment? Do you need headers? Do you need the email saved as an attachment and uploaded? Sorry to have so many questions. Also to Damian: I understand what you are saying, but tend to agree more with Jim. What does it matter who catches it as long as it's caught? (Plus I haven't gotten a chance to set up spamassassin yet. :) Sam ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Phishing Questions
On Thu, 2005-01-27 at 09:45 -0600, Sam wrote: (This is directed more at Trog than anyone...) So if one were to submit phishing attempts, what do you need? I don't think the virus submission page will allow one to submit something without an attachment? Do you need headers? Do you need the email saved as an attachment and uploaded? The raw email, with headers please. -trog signature.asc Description: This is a digitally signed message part ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Clamav upgrade 0.80-0.81rc1-1
On Thu, Jan 27, 2005 at 12:12:09PM -, Christopher Roberts said: Check the value of Checks in /etc/clamav/freshclam.conf (defaults to 12, I think) Thanks GC, you're a genius. Or perhaps I'm just stupid - I just never thought to read the error message that literally - it was set to zero and instead I had added freshclam to cron. I have now changed to 12 and the upgrade has now completed fine, so thanks. I'm not sure how that could have happened. Did you choose cron in the debconf setup, or something else? I wouldn't mind getting to the bottom of this. Thanks, -- -- | Stephen Gran | More software projects have gone awry | | [EMAIL PROTECTED] | for lack of calendar time than for all | | http://www.lobefin.net/~steve | other causes combined. -- Fred Brooks, | || Jr., _The Mythical Man Month_ | -- pgpG1GHOvMJ1A.pgp Description: PGP signature ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] v0.81 suddenly says ScanStream: accept() failed
On Thu, 2005-01-27 at 16:44 +0100, Paul Bijnens wrote: Trog wrote: What software are you using to pass requests/data to clamd? clamscan-procfilter.pl, a little perlprog to be used in procmail essential boiling down to cat themsg | clamdscan --stdout - $tempfile, and examining $tempfile for results. My first suggestions would be to make sure that ReadTimeout is set to a sensible value (if not the default). Then set StreamMaxPort and StreamMinPort to conservative values, such as:
StreamMinPort 1024
StreamMaxPort 2048
-trog signature.asc Description: This is a digitally signed message part ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
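The dialogue behind the log lines quoted above, as an added example that is not ClamAV's own code: FakeClamd is a toy stand-in for clamd's STREAM handling (the client sends STREAM, the daemon answers PORT n, the client delivers the message on port n, and the verdict comes back on the command connection), and scan_stream() is the client side that a filter like clamdscan performs on `cat themsg | clamdscan --stdout -`. The marker string the toy "detects", the sample messages and the use of kernel-chosen loopback ports are all constructed; a real clamd picks the data port from the StreamMinPort..StreamMaxPort range, and in this model the data listener expires after the same timeout that ReadTimeout stands for in the reply above, which is exactly what produces the "ScanStream: accept() failed." line when the client is slow to connect. Assumes Python 3 on a host with a loopback interface.

```python
"""Toy model of the clamd STREAM exchange (added example, not ClamAV code)."""
import socket
import threading
import time

# Constructed marker the toy daemon reports as a hit; it knows no real signatures.
MARKER = b"CONSTRUCTED-TEST-MARKER"


def _readline(sock):
    """Read one newline-terminated line byte by byte so nothing past it is buffered."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        byte = sock.recv(1)
        if not byte:
            break                           # peer closed: return what we have (maybe b"")
        buf += byte
    return bytes(buf)


class FakeClamd:
    """Answers STREAM like clamd: reply "PORT <n>", accept the data on n, then send
    "stream: OK" or "stream: <Name> FOUND" on the command connection. If no client
    connects to n within read_timeout seconds, the listener expires and the
    accept() failure is logged (this stands in for clamd's ReadTimeout)."""

    def __init__(self, read_timeout=1.0):
        self.read_timeout = read_timeout
        self.log = []
        self.cmd_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.cmd_sock.bind(("127.0.0.1", 0))
        self.cmd_sock.listen(5)
        self.port = self.cmd_sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.cmd_sock.accept()
            except OSError:
                return                      # listener closed by stop()
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        with conn:
            conn.settimeout(self.read_timeout)
            try:
                command = _readline(conn).strip()
            except OSError:
                return
            if command != b"STREAM":
                conn.sendall(b"UNKNOWN COMMAND\n")
                return
            # Real clamd picks a port between StreamMinPort and StreamMaxPort;
            # the toy lets the kernel choose an ephemeral one.
            data_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            data_sock.bind(("127.0.0.1", 0))
            data_sock.listen(1)
            data_sock.settimeout(self.read_timeout)
            data_port = data_sock.getsockname()[1]
            conn.sendall(b"PORT %d\n" % data_port)
            try:
                client, _ = data_sock.accept()
            except socket.timeout:
                self.log.append("ERROR: ScanStream: accept() failed.")
                data_sock.close()
                return                      # the with-block closes the command connection
            data_sock.close()
            self.log.append("Accepted connection on port %d" % data_port)
            with client:
                client.settimeout(self.read_timeout)
                chunks = []
                while True:
                    chunk = client.recv(65536)
                    if not chunk:
                        break               # client shut down its side: stream complete
                    chunks.append(chunk)
            verdict = (b"stream: Constructed.Test.Marker FOUND\n"
                       if MARKER in b"".join(chunks) else b"stream: OK\n")
            self.log.append(verdict.decode().strip())
            conn.sendall(verdict)

    def stop(self):
        self.cmd_sock.close()


def scan_stream(host, port, data, timeout=5.0, connect_delay=0.0):
    """Client side of STREAM. Returns the verdict line, or "" when the daemon
    dropped the command connection (which is what follows a failed accept())."""
    with socket.create_connection((host, port), timeout=timeout) as cmd:
        cmd.sendall(b"STREAM\n")
        reply = _readline(cmd).strip()
        if not reply.startswith(b"PORT "):
            raise RuntimeError("unexpected reply: %r" % reply)
        data_port = int(reply.split()[1])
        if connect_delay:
            time.sleep(connect_delay)       # a slow client: this is what trips the timeout
        try:
            with socket.create_connection((host, data_port), timeout=timeout) as data_sock:
                data_sock.sendall(data)
                data_sock.shutdown(socket.SHUT_WR)   # EOF marks the end of the stream
        except OSError:
            pass                            # data port already gone: the daemon gave up on us
        return _readline(cmd).decode().strip()


def run_demo():
    """Three exchanges against the toy daemon: clean message, marker hit, slow client."""
    srv = FakeClamd(read_timeout=0.2)
    try:
        clean = scan_stream("127.0.0.1", srv.port, b"Subject: hello\n\nplain text\n")
        hit = scan_stream("127.0.0.1", srv.port, b"Subject: hi\n\n" + MARKER + b"\n")
        slow = scan_stream("127.0.0.1", srv.port, b"late", connect_delay=1.0)
    finally:
        srv.stop()
    return clean, hit, slow, list(srv.log)
```

Running run_demo() yields "stream: OK", "stream: Constructed.Test.Marker FOUND", then "" for the slow client, and the toy's log ends with the same "ERROR: ScanStream: accept() failed." that appears in the real clamd log above; the point for a procmail filter is that a data connection which arrives after the daemon's timeout is not scanned at all, so the filter must treat an empty verdict as a failure rather than as a clean result.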
Re: [Clamav-users] Phishing Questions
On Jan 27, 2005, at 10:33 AM, Tomasz Kojm wrote: No problem. As a bonus we will create a signature for your domain name ;-) Just kidding! Honest! I'd NEVER think of having Windows thought of as a virus... :-) ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Phishing Questions
On Thu, 27 Jan 2005 11:27:00 -0500 Adam Tauno Williams [EMAIL PROTECTED] wrote: Just my two cents - I agree with the other guy. CLAM should block virii and worms, and leave SPAM to something else. Just think of the Phishing IS NOT spam! Is that really so hard to understand? -- oo. Tomasz Kojm [EMAIL PROTECTED] (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg \..._ 0DCA5A08407D5288279DB43454822DC8985A444B //\ /\ Thu Jan 27 17:26:42 CET 2005 pgpDQmyb4Zsa0.pgp Description: PGP signature ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Are we safe - WORM_BAGLE.AZ
On Thu, 27 Jan 2005 11:35:24 -0500 Don Levey [EMAIL PROTECTED] wrote: Hmm... Passed right through my setup, without detection. Database updated as recently as 4:am today. So better update your software ASAP. -- oo. Tomasz Kojm [EMAIL PROTECTED] (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg \..._ 0DCA5A08407D5288279DB43454822DC8985A444B //\ /\ Thu Jan 27 17:37:58 CET 2005 pgpmmiVklHOFH.pgp Description: PGP signature ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Phishing Questions
On Thu, 27 Jan 2005 17:29:05 +0100 Tomasz Kojm [EMAIL PROTECTED] wrote: On Thu, 27 Jan 2005 11:27:00 -0500 Adam Tauno Williams [EMAIL PROTECTED] wrote: Just my two cents - I agree with the other guy. CLAM should block virii and worms, and leave SPAM to something else. Just think of the Phishing IS NOT spam! Is that really so hard to understand? Can you give me a pointer to how Phishing is defined and detected in the context of ClamAV ? I would like to convey the correct notion in my presentation at the Chemnitzer Linuxtag in March :-) Bye Racke -- LinuXia Systems = http://www.linuxia.de/ Expert Interchange Consulting and System Administration ICDEVGROUP = http://www.icdevgroup.org/ Interchange Development Team ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Are we safe - WORM_BAGLE.AZ
On Thu, 27 Jan 2005 11:35:24 -0500 in [EMAIL PROTECTED] Don Levey [EMAIL PROTECTED] wrote: Hmm... Passed right through my setup, without detection. And your setup is? Database updated as recently as 4:am today. That's more than 7 *hours* ago... -- Brian Morrison bdm at fenrir dot org dot uk GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Are we safe - WORM_BAGLE.AZ
On Thu, 27 Jan 2005 at 11:35:24 -0500, Don Levey wrote: [EMAIL PROTECTED] wrote: On Thu, 2005-01-27 at 07:01 -0700, Craig Daters wrote: WORM_BAGLE.AZ is what Trend Net is referring to this as, their message to me this morning follows: It is detected by Clam as Trojan.Downloader.Small-165, which was added on 8th Nov 2004 by Christoph. -trog Hmm... Passed right through my setup, without detection. Database updated as recently as 4:am today. -Don Let me guess... you're using ClamAV 0.75.1, aren't you? A very outdated version. Anyway, have you tried to submit it at http://www.clamav.net/sendvirus.html ? -- Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only [EMAIL PROTECTED] http://www.lodz.tpsa.pl/iso/ | ones and zeros. [EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
RE: [Clamav-users] Clamav upgrade 0.80-0.81rc1-1
I'm not sure how that could have happened. Did you choose cron in the debconf setup, or something else? I wouldn't mind getting to the bottom of this. I really don't recall the setup process. I believe I visited http://sial.org/howto/clamav/freshclam/ and took the following sentence to heart: The freshclam utility can be run as a daemon, or called periodically from a scheduler. Due to the infrequent need for updates, I recommend against running freshclam as a daemon. Perhaps I misunderstood it, but I read that as meaning to use cron instead. I think that there was slightly more to it than that, perhaps I was getting errors running freshclam as defang user? Or perhaps not. Sorry I can't be more informative, but I think relying on computers has fried my memory! ~:-) I was wondering, though, why it was necessary for the configuration to fail simply because the freshclam update frequency (i.e. 'checks') was set to zero. Surely this is a perfectly valid frequency? Perhaps a warning might have been more appropriate - WARNING: You have switched off virus updates (checks = 0) in freshclam.conf. It would have saved me from posting my query - but then again I would have missed all the banter, which would have been a shame! Thanks for all the help! Chris. ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
[Clamav-users] ClamAV 0.81 works great
Hello, I just wanted to give the team a big thank you. All I needed to do was upgrade zlib and compile. Everything is working great. Gord CONFIDENTIALITY WARNING: The information in the e:mail is confidential and privileged. It is intended only for the use of the individual or entity it is addressed to. If the reader of this message is not the intended recipient, or the authorized agent thereof, the reader is hereby notified that the retention, dissemination, distribution or copying of this transmission is strictly prohibited. If you have received this communication in error, please notify me immediately by telephone or fax and delete all copies of the original message. ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Phishing Questions
On Thu, 27 Jan 2005 17:40:25 +0100 Stefan Hornburg [EMAIL PROTECTED] wrote: Can you give me a pointer to how Phishing is defined and detected in the context of ClamAV ? See http://www.antiphishing.org/ What is Phishing? Phishing attacks use 'spoofed' e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc. By hijacking the trusted brands of well-known banks, online retailers and credit card companies, phishers are able to convince up to 5% of recipients to respond to them. ClamAV contains special mechanisms (such as a HTML normalisator) that help to catch them. -- oo. Tomasz Kojm [EMAIL PROTECTED] (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg \..._ 0DCA5A08407D5288279DB43454822DC8985A444B //\ /\ Thu Jan 27 17:53:13 CET 2005 pgpxMZzYkcEbN.pgp Description: PGP signature ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
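What an HTML normaliser buys a plaintext phishing signature, and what it costs, as an added example (not ClamAV's normaliser or its signature format): a toy normaliser that strips comments, scripts and tags, decodes entities, lowercases and collapses whitespace, plus a phrase signature matched against the normalised text. The signature name, its phrase and the three messages are constructed for the example. The obfuscated lure shows why matching raw bytes is hopeless against a one-off message that has been lightly rewritten, and the legitimate welcome mail shows the false-positive risk raised elsewhere in this thread: a phrase-level signature on plain text fires on innocent mail that happens to use the same words, which a signature over a binary attachment rarely does.

```python
"""Toy HTML normaliser plus plaintext phrase signatures (added example, not ClamAV code)."""
import html
import re

# Tags that separate words become spaces; every other tag is inline and is dropped.
_BLOCK = re.compile(r"</?(?:p|div|br|tr|td|th|li|h[1-6]|table|body|html)\b[^>]*>", re.I)
_COMMENT = re.compile(r"<!--.*?-->", re.S)
_SCRIPT = re.compile(r"<(script|style)\b.*?</\1\s*>", re.S | re.I)
_TAG = re.compile(r"<[^>]+>")


def normalise_html(raw):
    """Comments and scripts removed, block tags to spaces, inline tags dropped,
    entities decoded, lowercased, whitespace collapsed to single spaces."""
    text = _COMMENT.sub("", raw)
    text = _SCRIPT.sub("", text)
    text = _BLOCK.sub(" ", text)
    text = _TAG.sub("", text)
    text = html.unescape(text)
    return " ".join(text.lower().split())


# Constructed signatures: name -> phrase that must occur in the normalised text.
SIGNATURES = {
    "Constructed.Phishing.Bank-1": "please verify your account by clicking",
}


def match(raw, signatures=SIGNATURES, normalise=True):
    """Names of the signatures whose phrase occurs in the message (raw or normalised)."""
    haystack = normalise_html(raw) if normalise else raw.lower()
    return [name for name, phrase in signatures.items() if phrase in haystack]


# Constructed messages.
PHISH = ('<html><body><p>Dear customer,</p><p>Please verify your account by clicking '
         '<a href="http://bank.example.test/login">here</a>.</p></body></html>')
# The same lure, split up with a comment, an inline tag and character entities.
PHISH_OBFUSCATED = ('<p>Plea<!-- x -->se&#32;ver<span>ify</span> your acc<b></b>ount '
                    'by click&#105;ng <a href="http://bank.example.test/login">here</a></p>')
# A legitimate welcome mail that happens to use the same phrase.
LEGIT = ('<p>Welcome aboard. Please verify your account by clicking the link '
         'in the letter we mailed you.</p>')


def demo():
    """Raw vs normalised matching on the three constructed messages."""
    return {
        "phish": match(PHISH),
        "obfuscated_raw": match(PHISH_OBFUSCATED, normalise=False),
        "obfuscated_normalised": match(PHISH_OBFUSCATED),
        "legit_false_positive": match(LEGIT),
    }
```

demo() returns a hit for the plain lure, nothing for the obfuscated lure when the raw bytes are searched, a hit for it once normalised, and a hit on the legitimate mail too. A site that rejects mail on any ClamAV match therefore bounces the welcome letter; a site that only tags or quarantines can afford the broader signature.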
Re: [Clamav-users] Phishing Questions
On Thu, 27 Jan 2005, Tomasz Kojm wrote: Phishing IS NOT spam! Is that really so hard to understand? Phishing IS NOT a virus! Is that really so hard to understand? Damian Menscher -- -=#| Physics Grad Student SysAdmin @ U Illinois Urbana-Champaign |#=- -=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=- -=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=- -=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=- -=#| The above opinions are not necessarily those of my employers. |#=- ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Phishing Questions
Tomasz Kojm wrote: On Thu, 27 Jan 2005 11:27:00 -0500 Adam Tauno Williams [EMAIL PROTECTED] wrote: Just my two cents - I agree with the other guy. CLAM should block virii and worms, and leave SPAM to something else. Just think of the Phishing IS NOT spam! Is that really so hard to understand? By definition, both phishing and email viruses are spam... http://www.spamhaus.org/definition.html http://www.monkeys.com/spam-defined/ Internet spam is one or more unsolicited messages, sent or posted as part of a larger collection of messages, all having substantially identical content. Perhaps it might be better to think of phishing and viruses as spam with malicious or evil intent? Regards, Mike Lambert ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
RE: [Clamav-users] ClamAV 0.81 works great
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED] If you have received this communication in error, please notify me immediately by telephone or fax and delete all copies of the original message. How can I do that if you don't quote your phone number. ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Phishing Questions
On Thu, 27 Jan 2005 10:57:27 -0600 (CST) Damian Menscher [EMAIL PROTECTED] wrote: On Thu, 27 Jan 2005, Tomasz Kojm wrote: Phishing IS NOT spam! Is that really so hard to understand? Phishing IS NOT a virus! Is that really so hard to understand? 95% of internet worms are not viruses as well. -- oo. Tomasz Kojm [EMAIL PROTECTED] (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg \..._ 0DCA5A08407D5288279DB43454822DC8985A444B //\ /\ Thu Jan 27 18:00:27 CET 2005 pgpwVy4G3sCxU.pgp Description: PGP signature ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Phishing Questions
On Jan 27, 2005, at 11:29 AM, Tomasz Kojm wrote: On Thu, 27 Jan 2005 11:27:00 -0500 Adam Tauno Williams [EMAIL PROTECTED] wrote: Just my two cents - I agree with the other guy. CLAM should blocks virii and worms, and leave SPAM to something else. Just think of the Phishing IS NOT spam! Is that really so hard to understand? As I understand it it doesn't execute code on the computer or spread to other systems without intervention either. This entire thread is degenerating...it was hashed and rehashed already. The ultimate decision goes to the Clam developers, and I believe they already decided it. Everything that's bad would be blocked, so end users could live with it or use a different product. Our Windows computers are slowly being migrated to static images using Deep Freeze, and if users decide to hand out their bank account info without stopping to think that maybe they shouldn't give out sensitive information we couldn't really stop them. I would have thought it would be more of a burden eventually to keep up with HTML messages going out to people asking for info along with the binary executables containing viruses so the scanner could catch them both, but oh well. Maybe the UNIX-ish philosophy of specialized applications working together to accomplish goals is giving way to the more common Windows throw-everything-together mindset. Maybe it's overlapping jobs. This is certainly the way commercial AV's go about it now. I've seen all sorts of hits on crap from the web cache on Windows machines...why? Because the AV is hitting stuff the latest update to Spybot is hitting now. And Ad-Aware/Spybot/etc. are hitting some mail viruses. But it doesn't matter. The Clam people made their decision, and the end user benefits from it, even if it does overlap with other systems in place for guarding against phishing/spam. If a developer really resents it, they could fork the project. 
Personally, I see having three programs doing the same thing as just bloat; phishing is annoying, hit delete or configure the spam filter to get it. Others see it as having three systems increasing the chances of catching new crap as it comes out. I'm tired of fighting with it and tired of the administrators who never turn off their collateral damage-causing you sent me a virus! notifications. End users don't see any difference though, so companies pander to this mindset of protecting people from all that's potentially bad, period. Regardless, If the developers wish to get input from users on the issue and are considering it one way or the other, then maybe a thread like this would be useful. As it stands, discussing it again accomplishes nothing, and will inevitably lead to flames and arguments that still...accomplish...nothing. Except sarcastic comments like mine about submitting win.com as a signature. If all this crap has evolved to the point where spyware/trojans/phishing/spam are now one thing (magical MalWare! Software that's just *bad!*), then maybe someone should come up with a new email network that can truly work so we don't get this junk anymore, period. Email was never meant for the five meg look at the pictures! attachments. It wasn't meant for emailing programs to one another. Does it really need to be a proxy for web pages by emailing people all this html-formatted crap that makes dancing images appear while compromising Explorer? We can't even get people to stop with top posting or formatting email in a way that makes it easy to read, without twenty embedded sigs or munged headers. We even have these sigs saying that the contents of the message are confidential meant only for the named recipient and if you get it in error...huh? I already read the message! What good is that?! It's not even been tested in the courts as binding! Why are you wasting ten lines of space at the end of every message telling me this?? 
It's the EULA of email...no one even reads them anymore. Start an email network that uses clients with embedded encryption. Voila', no more accidental reading. Even makes it safer in transit. Whew...I'm going to go lay down before I have an aneurism. ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Phishing Questions
Damian Menscher wrote: On Thu, 27 Jan 2005, Tomasz Kojm wrote: Phishing IS NOT spam! Is that really so hard to understand? Phishing IS NOT a virus! Is that really so hard to understand? Ok, so it's not a virus, and it's not spam. So neither product should detect it, you're saying? How about both products detect it, we have overlap, and users are happy 'cause they don't have to deal with this crap in their inbox. -Jim ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Phishing Questions
On Thu, 27 Jan 2005, Tomasz Kojm wrote: On Thu, 27 Jan 2005 Damian Menscher [EMAIL PROTECTED] wrote: On Thu, 27 Jan 2005, Tomasz Kojm wrote: Phishing IS NOT spam! Is that really so hard to understand? Phishing IS NOT a virus! Is that really so hard to understand? 95% of internet worms are not viruses as well. ...which is why, in my original email, I referred to things that propagate automatically without intervention from their author. Damian Menscher -- -=#| Physics Grad Student SysAdmin @ U Illinois Urbana-Champaign |#=- -=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=- -=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=- -=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=- -=#| The above opinions are not necessarily those of my employers. |#=- ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
RE: [Clamav-users] ClamAV 0.81 works great
Nigel, You are far too detailed. Gord CONFIDENTIALITY WARNING: The information in the e:mail is confidential and privileged. It is intended only for the use of the individual or entity it is addressed to. If the reader of this message is not the intended recipient, or the authorized agent thereof, the reader is hereby notified that the retention, dissemination, distribution or copying of this transmission is strictly prohibited. If you have received this communication in error, please notify me immediately by telephone or fax and delete all copies of the original message. Nigel Horne [EMAIL PROTECTED] wrote on 01/27/2005 10:59 AM (Subject: RE: [Clamav-users] ClamAV 0.81 works great): -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED] If you have received this communication in error, please notify me immediately by telephone or fax and delete all copies of the original message. How can I do that if you don't quote your phone number. ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Phishing Questions
Ok, so its not a virus, and its not spam. So neither product should detect it your saying? How about both products detect it, we have overlap, and users are happy cause they dont have to deal with this crap in their inbox. Personally, I'd love to have it as a config option in clamd.conf. Make it catch phishes by default out-of-the-box, but being able to disable that would be nice. I am working on a spam research project and ClamAV skews my results slightly because it nabs the phishes. But I'm absolutely OK with that, because ClamAV works so damned well. Thanks, ClamAV developers. :) Benny -- I'm on the Zoloft to keep from killing y'all. -- Mike Tyson ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Phishing Questions
On Thu, 27 Jan 2005, Jim Maul wrote: Is it causing you (or anyone for that matter) a problem by clamav catching some phishing attempts as opposed to spamassassin catching them? Whats really the issue here? You just dont believe clamav is the right tool for that job, but is there REALLY a problem? I doubt it. Virus signatures typically rely on some binary attachment. Phishing signatures rely on plaintext. Therefore the probability of a false positive goes way up. For those who drop/reject viruses, this is an unacceptable (and unnecessary) risk. If my car is broken usually I take it to a mechanic. But if a friend of mine who happens to be a plumber can fix it also, does it really matter if I bring it to him instead? No. Great analogy. What if you have two friends, one who happens to be a plumber, and one who happens to be a mechanic? If it's free either way, who would you take it to? Me, I'd take it to the mechanic. Sure, the plumber can probably fix it. But what if his solution to that fuel-line clog is a gallon of Drano? Is it really worth the risk? Damian Menscher -- -=#| Physics Grad Student SysAdmin @ U Illinois Urbana-Champaign |#=- -=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=- -=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=- -=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=- -=#| The above opinions are not necessarily those of my employers. |#=- ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
[Clamav-users] Building clamav 0.81 (broken zlib?)
I am building clamav from src rpm from crash-hat. It builds just fine but I get the message:
configure: WARNING: ** This ClamAV installation may be linked against
configure: WARNING: ** a broken zlib version. Please DO NOT report any
configure: WARNING: ** stability problems to the ClamAV developers!
I know there were problems with older versions of zlib. I am using zlib-1.2.2.2-1 which according to gzip.org/zlib/ isn't even out yet. Is there a problem using this version of zlib with clamav 0.81? -Jim ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Phishing Questions
Damian Menscher wrote: On Thu, 27 Jan 2005, Jim Maul wrote: Is it causing you (or anyone for that matter) a problem by clamav catching some phishing attempts as opposed to spamassassin catching them? Whats really the issue here? You just dont believe clamav is the right tool for that job, but is there REALLY a problem? I doubt it. Virus signatures typically rely on some binary attachment. Phishing signatures rely on plaintext. Therefore the probability of a false positive goes way up. For those who drop/reject viruses, this is an unacceptable (and unnecessary) risk. This is probably the best (and possibly only) reason I have heard to not detect them. In a case where some people want the option and others don't, perhaps a way to turn off detection of these messages if you so choose is the best option. If my car is broken usually I take it to a mechanic. But if a friend of mine who happens to be a plumber can fix it also, does it really matter if I bring it to him instead? No. Great analogy. What if you have two friends, one who happens to be a plumber, and one who happens to be a mechanic? If it's free either way, who would you take it to? Me, I'd take it to the mechanic. Sure, the plumber can probably fix it. But what if his solution to that fuel-line clog is a gallon of Drano? Is it really worth the risk? What if the plumber and the mechanic work on it together? ;) -Jim ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Phishing Questions
On Thu, 27 Jan 2005 11:08:12 -0600 (CST) Damian Menscher [EMAIL PROTECTED] wrote: ...which is why, in my original email, I referred to things that propagate automatically without intervention from their author. OK, so what about the trojans? ;-) -- oo. Tomasz Kojm [EMAIL PROTECTED] (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg \..._ 0DCA5A08407D5288279DB43454822DC8985A444B //\ /\ Thu Jan 27 18:21:16 CET 2005 pgpYrTqQzWE14.pgp Description: PGP signature ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Phishing Questions
Sam said: Also to Damian: I understand what you are saying, but tend to agree more with Jim. What does it matter who catches it as long as it's caught? The answer to this is simple: my policy for dealing with spam is quite different than my policy for dealing with viruses. Spam is annoying, phishing is annoying, viruses are a real time danger. We do a lot of on-line commerce. We cannot tolerate many false positives. Phishing exploits are something we deal with through education first, and filtering second. As phishers become more sophisticated and numerous false positives will rise leaving education as the final solution. I prefer using my filter processes for defending against them as I can fine tune them to our needs. dp ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Phishing Questions
On Thu, 27 Jan 2005, Tomasz Kojm wrote: On Thu, 27 Jan 2005 Damian Menscher [EMAIL PROTECTED] wrote: ...which is why, in my original email, I referred to things that propagate automatically without intervention from their author. OK, so what about the trojans? ;-) I take the somewhat-unusual position that trojans which will propagate after infecting a machine should be caught, and those that do NOT propagate should be allowed through (to possibly be caught by anti-spam or anti-spyware software). But I'm fairly certain that's just me... it'd be difficult to find anyone who would agree. Damian Menscher -- -=#| Physics Grad Student SysAdmin @ U Illinois Urbana-Champaign |#=- -=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=- -=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=- -=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=- -=#| The above opinions are not necessarily those of my employers. |#=- ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Phishing Questions
On Thu, 27 Jan 2005 11:27:48 -0600 (CST) Damian Menscher [EMAIL PROTECTED] wrote: On Thu, 27 Jan 2005, Tomasz Kojm wrote: On Thu, 27 Jan 2005 Damian Menscher [EMAIL PROTECTED] wrote: ...which is why, in my original email, I referred to things that propagate automatically without intervention from their author. OK, so what about the trojans? ;-) I take the somewhat-unusual position that trojans which will propagate after infecting a machine should be caught, and those that do NOT Then they're rather worms than trojans. propagate should be allowed through (to possibly be caught by anti-spam or anti-spyware software). But I'm fairly certain that's just me... it'd be difficult to find anyone who would agree. Ouch... -- oo. Tomasz Kojm [EMAIL PROTECTED] (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg \..._ 0DCA5A08407D5288279DB43454822DC8985A444B //\ /\ Thu Jan 27 18:31:39 CET 2005 pgpbZ6FSZODnK.pgp Description: PGP signature ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Phishing Questions
Jim Maul wrote: snip If my car is broken usually I take it to a mechanic. But if a friend of mine who happens to be a plumber can fix it also, does it really matter if I bring it to him instead? No. -Jim Ok, I took part in the previous discussion and I accept the developers decision. But I just. can't. let this. go. If my car is broken and I have a mechanic available, do I have my plumber fix the car while I have water leaking out of my pipes? ;^) The issue I believe was never who the best developers were, it was not that no one had confidence that the Clamav developers are capable mechanics, or whether Clamav would do a good job. The argument was a discussion of efficient resource usage. Clamav catches Phishing content, the developers made the choice, and it is their project. Let's move on. DAve -- Systems Administrator http://www.tls.net Get rid of Unwanted Emails...get TLS Spam Blocker! ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
[Clamav-users] Latest CVS / outdated warning
I've been running clamav for quite some time, generally following CVS. The build and install procedures are well established and have worked for a long time. After the latest CVS upgrade I'm suddenly getting an outdated version warning. I've read the FAQ, and I see nothing in it which explains my situation, as both clamd and freshclam are current and are the same version. The clamd (from the mail log) and freshclam versions are reported below, as well as a verbose freshclam session. Is this an innocuous message, or have I missed something totally obvious? -- Michael

Jan 27 11:38:01 ... clamd[27135]: clamd daemon devel-20050127 (OS: linux-gnu,ARCH: i386, CPU: i686)

# freshclam -V
ClamAV devel-20050127/689/Thu Jan 27 07:33:10 2005

# freshclam -v
Current working dir is /.../
Max retries == 5
ClamAV update process started at Thu Jan 27 11:49:01 2005
Querying current.cvd.clamav.net
TTL: 504
Software version from DNS: 0.81
main.cvd version from DNS: 29
main.cvd is up to date (version: 29, sigs: 29086, f-level: 3, builder: tomek)
daily.cvd version from DNS: 689
daily.cvd is up to date (version: 689, sigs: 775, f-level: 4, builder: diego)
WARNING: Your ClamAV installation is OUTDATED - please update immediately!
WARNING: Current functionality level = 3, required = 4
Freeing option list...done
___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
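Where the "functionality level" in that warning comes from, as an added example that is not freshclam's code: each .cvd carries a header that states, among other fields, the engine functionality level it requires, and freshclam compares the highest level any database demands against the level the engine reports. The header layout used here (512 bytes, nine colon-separated fields: magic, build time, version, signature count, functionality level, MD5, digital signature, builder, build time in seconds) is assumed from ClamAV's CVD documentation; the two headers below are constructed to reproduce the numbers in the session above, with placeholder MD5 and signature fields and a made-up build date for main.cvd.

```python
"""Parse constructed CVD headers and reproduce freshclam's OUTDATED check (added example, not ClamAV code)."""

# Assumed field order of the 512-byte CVD header (see lead-in).
CVD_FIELDS = ("magic", "build_time", "version", "sigs", "flevel", "md5", "dsig", "builder", "stime")
HEADER_SIZE = 512


def make_cvd_header(build_time, version, sigs, flevel, builder, stime=0):
    """Build a constructed header; MD5 and digital signature are placeholders."""
    fields = ("ClamAV-VDB", build_time, str(version), str(sigs), str(flevel),
              "0" * 32, "placeholder-dsig", builder, str(stime))
    return ":".join(fields).encode("ascii").ljust(HEADER_SIZE, b" ")


def parse_cvd_header(blob):
    """Dict of header fields from the first 512 bytes of a .cvd; rejects a bad magic."""
    head = blob[:HEADER_SIZE].rstrip(b" \x00").decode("ascii")
    parts = head.split(":", len(CVD_FIELDS) - 1)
    if len(parts) != len(CVD_FIELDS) or parts[0] != "ClamAV-VDB":
        raise ValueError("not a CVD header")
    rec = dict(zip(CVD_FIELDS, parts))
    for key in ("version", "sigs", "flevel", "stime"):
        rec[key] = int(rec[key])
    return rec


def check_engine_level(engine_flevel, headers):
    """The engine is outdated when any loaded database needs a higher f-level than it has."""
    required = max(h["flevel"] for h in headers)
    return {"current": engine_flevel, "required": required, "outdated": required > engine_flevel}


def describe(name, rec):
    """One line in the style of the freshclam -v output quoted above."""
    return "%s is up to date (version: %d, sigs: %d, f-level: %d, builder: %s)" % (
        name, rec["version"], rec["sigs"], rec["flevel"], rec["builder"])


# Constructed to match the numbers in the freshclam session above.
MAIN_CVD = make_cvd_header("26 Jan 2005 12-00 +0100", 29, 29086, 3, "tomek")
DAILY_CVD = make_cvd_header("27 Jan 2005 07-33 +0100", 689, 775, 4, "diego")


def demo(engine_flevel=3):
    """Parse both headers and report what freshclam would print for this engine level."""
    headers = [parse_cvd_header(MAIN_CVD), parse_cvd_header(DAILY_CVD)]
    lines = [describe("main.cvd", headers[0]), describe("daily.cvd", headers[1])]
    verdict = check_engine_level(engine_flevel, headers)
    if verdict["outdated"]:
        lines.append("WARNING: Your ClamAV installation is OUTDATED - please update immediately!")
        lines.append("WARNING: Current functionality level = %d, required = %d"
                     % (verdict["current"], verdict["required"]))
    return verdict, lines
```

With the engine at level 3, demo() reproduces the two WARNING lines from the session above because daily.cvd 689 asks for level 4; with the engine at level 4 the warning goes away. The databases themselves are "up to date" either way, which is why the version numbers in the session look fine while the engine is flagged.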
Re: [Clamav-users] Phishing Questions
You know, this gets old real quick! Back when this debate first started (around November or so) I never thought it would stop. In November I decided to do 2 things 1 log which viruses were being caught, where they were going, and what virus was detected. Out of 446 detected viruses, 167 were phishing attempts. How can stopping 167 attempts to defraud be looked at as a bad thing regardless of what stopped it. ClamAV detects them, and I for one am very happy that it does. Keep up the great work guys!! ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Phishing Questions
From: http://www.infoworld.com/article/05/01/21/04FEphishing_1.html?source=NLC-WS2005-01-26 Phishers are employing increasingly sophisticated techniques, such as malicious code buried in images, keystroke-logging applications that download as soon as an e-mail is opened, and spoofed Web sites that look totally legitimate right down to the security padlock in the browser. So I think that malicious code or keystroke-logging applications fall into the realm of clamav ... For a good read ... http://www.antiphishing.org/ -- Ken Jones
Re: [Clamav-users] ClamAV 0.81 works great
On Thu, 27 Jan 2005 16:59:57 - in [EMAIL PROTECTED] Nigel Horne [EMAIL PROTECTED] wrote: -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED] If you have received this communication in error, please notify me immediately by telephone or fax and delete all copies of the original message. How can I do that if you don't quote your phone number. Not to mention that dissemination is not allowed, so you can't even tell the author that you have it. -- Brian Morrison bdm at fenrir dot org dot uk GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
Re: [Clamav-users] Phishing Questions
On Thu, 2005-01-27 at 09:25 -0800, Dennis Peterson wrote: We do a lot of on-line commerce. We cannot tolerate many false positives. Phishing exploits are something we deal with through education first, and filtering second. As phishers become more sophisticated and numerous false positives will rise leaving education as the final solution. I prefer using my filter processes for defending against them as I can fine tune them to our needs. And how many Phishing false positives have you had exactly? -trog
Re: [Clamav-users] Phishing Questions
On Thu, 27 Jan 2005, Trog wrote: On Thu, 2005-01-27 at 09:25 -0800, Dennis Peterson wrote: We do a lot of on-line commerce. We cannot tolerate many false positives. Phishing exploits are something we deal with through education first, and filtering second. As phishers become more sophisticated and numerous false positives will rise leaving education as the final solution. I prefer using my filter processes for defending against them as I can fine tune them to our needs. And how many Phishing false positives have you had exactly? All of them. ;) Seriously, that's an unfair question. When you're deleting people's email, how would they find out if there was a false positive? With spam, it's standard practice to review a junk-mail box for false positives regularly. Viruses are treated differently; nobody checks them for false positives. That's why this is such a concern for those of us who depend on email. Damian Menscher -- -=#| Physics Grad Student SysAdmin @ U Illinois Urbana-Champaign |#=- -=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=- -=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=- -=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=- -=#| The above opinions are not necessarily those of my employers. |#=-
Re: [Clamav-users] Phishing Questions
On Thu, 2005-01-27 at 11:14 -0600, Damian Menscher wrote: On Thu, 27 Jan 2005, Jim Maul wrote: Is it causing you (or anyone for that matter) a problem by clamav catching some phishing attempts as opposed to spamassassin catching them? What's really the issue here? You just don't believe clamav is the right tool for that job, but is there REALLY a problem? I doubt it. Virus signatures typically rely on some binary attachment. Phishing signatures rely on plaintext. Therefore the probability of a false positive goes way up. For those who drop/reject viruses, this is an unacceptable (and unnecessary) risk. The opposite is, in fact, true. (your initial assumptions are incorrect, and so are your conclusions) -trog
Re: [Clamav-users] 0.81 default clamd.conf and clamav-milter
trying to start clamav-milter from 0.81 I get: Starting clamav-milter: /usr/sbin/clamav-milter: ScanMail not defined in /etc/clamd.conf (needed without --external) What are your clamav-milter options? Petr Hi Guys, Sorry this thread doesn't follow, I have just subscribed here, and don't have a local copy of the mail to reply to. :( I am having the same problems since my foolish install of 0.81 on a live system :) I can not see what's up with this at present, so will undoubtedly roll back a gen or two very shortly (before the boss spots that I've taken out the primary mailserver :-p) My milter startups are as follows (if this is any help) /usr/local/sbin/clamav-milter --headers --local --postmaster-only \ [EMAIL PROTECTED] \ [EMAIL PROTECTED] \ [EMAIL PROTECTED] \ --pidfile=/var/run/clam/clmilter.pid \ -lo /var/run/clam/clmilter.sock -- Regards, Kul
Re: [Clamav-users] Phishing Questions
On Thu, 2005-01-27 at 12:32 -0600, Damian Menscher wrote: And how many Phishing false positives have you had exactly? All of them. ;) Seriously, that's an unfair question. When you're deleting people's email, how would they find out if there was a false positive? With spam, it's standard practice to review a junk-mail box for false positives regularly. Viruses are treated differently; nobody checks them for false positives. That's why this is such a concern for those of us who depend on email. You describe SPAM, not Phishing. And that's the difference you are missing. I've written a complete SPAM tagging application from scratch, I know the issues involved. Perhaps you should check your viruses for false positives. Ever had a Parite virus deleted? With some commercial scanners, there's probably about a 20% chance it's a false positive. -trog
Re: [Clamav-users] 0.81 default clamd.conf and clamav-milter
On Thu, 2005-01-27 at 18:37 +, Kul wrote: trying to start clamav-milter from 0.81 I get: Starting clamav-milter: /usr/sbin/clamav-milter: ScanMail not defined in /etc/clamd.conf (needed without --external) What are your clamav-milter options? Uncomment the ScanMail option in clamd.conf? -trog
Re: [Clamav-users] Phishing Questions
Damian Menscher wrote: On Thu, 27 Jan 2005, Trog wrote: On Thu, 2005-01-27 at 09:25 -0800, Dennis Peterson wrote: We do a lot of on-line commerce. We cannot tolerate many false positives. Phishing exploits are something we deal with through education first, and filtering second. As phishers become more sophisticated and numerous false positives will rise leaving education as the final solution. I prefer using my filter processes for defending against them as I can fine tune them to our needs. And how many Phishing false positives have you had exactly? All of them. ;) Seriously, that's an unfair question. When you're deleting people's email, how would they find out if there was a false positive? With spam, it's standard practice to review a junk-mail box for false positives regularly. Viruses are treated differently; nobody checks them for false positives. That's why this is such a concern for those of us who depend on email. We quarantine viruses, not delete. Perhaps you should do the same. A false positive on a virus is also likely, but you don't seem to have any problems deleting those. We run NAV corp on about 200 workstations. Just this morning I got a notification that 98 of them were infected with w32.randex.gen. Being that these machines don't have web access (only email) and this virus is not spread through email, I found this highly unlikely. Turns out Symantec's newly distributed virus database had a false positive in it. Long story short, false positives do happen and you probably shouldn't be deleting ANY mail without first looking over it. I realize that for large setups this is not likely possible due to lack of time and a large number of messages to review, but how can you honestly say you're worried about false positives in phishing attempts but delete virus infected mail without even looking back? -Jim
RE: [Clamav-users] Phishing Questions
The more tools that you have, the likelihood of filtering it out increases. Just because I run ClamAv on the mail exchanger does not mean I do not run AV on our Exchange server and all of our desktop machines. Firewalls can do IDS functions, AV applications for the desktop are now including Anti Spam functions, by default Outlook now has Junk Mail options. My point is that most people layer these things together to provide a comprehensive solution. If ClamAv processes the message first and kills it before passing it on to the anti spam application, why would this be a bad thing? John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BitFuzzy Sent: Thursday, January 27, 2005 9:36 AM To: ClamAV users ML Subject: Re: [Clamav-users] Phishing Questions You know, this gets old real quick! Back when this debate first started (around November or so) I never thought it would stop. In November I decided to do 2 things: 1) log what viruses were being caught, where they were going, and what virus was detected. Out of 446 detected viruses, 167 were phishing attempts. How can stopping 167 attempts to defraud be looked at as a bad thing regardless of what stopped it. ClamAV detects them, and I for one am very happy that it does. Keep up the great work guys!!
Re: [Clamav-users] Phishing Questions
On Thu, 27 Jan 2005, Trog wrote: On Thu, 2005-01-27 at 12:32 -0600, Damian Menscher wrote: Seriously, that's an unfair question. When you're deleting people's email, how would they find out if there was a false positive? With spam, it's standard practice to review a junk-mail box for false positives regularly. Viruses are treated differently; nobody checks them for false positives. That's why this is such a concern for those of us who depend on email. You describe SPAM, not Phishing. And thats the difference you are missing. I described the standard practice of how most admins handle spam filtering and virus filtering. I did not mention phishing. It will be difficult to have an intelligent discussion if you insist on making random assertions. Another is your assertion that my initial assumptions were incorrect when I suggested that phishing signatures were more likely to create false positives as a result of being more likely to be matching plaintext. Which initial assumptions were incorrect? Can you back your assertion up with anything? Damian Menscher -- -=#| Physics Grad Student SysAdmin @ U Illinois Urbana-Champaign |#=- -=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=- -=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=- -=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=- -=#| The above opinions are not necessarily those of my employers. |#=-
Re: [Clamav-users] 0.81 default clamd.conf and clamav-milter
On Thu, 2005-01-27 at 18:37, Kul wrote: trying to start clamav-milter from 0.81 I get: Starting clamav-milter: /usr/sbin/clamav-milter: ScanMail not defined in /etc/clamd.conf (needed without --external) What are your clamav-milter options? Petr Hi Guys, Sorry this thread doesn't follow, I have just subscribed here, and don't have a local copy of the mail to reply to. :( I am having the same problems since my foolish install of 0.81 on a live system :) I can not see what's up with this at present, so will undoubtedly roll back a gen or two very shortly (before the boss spots that I've taken out the primary mailserver :-p) My milter startups are as follows (if this is any help) /usr/local/sbin/clamav-milter --headers --local --postmaster-only \ [EMAIL PROTECTED] \ [EMAIL PROTECTED] \ [EMAIL PROTECTED] \ --pidfile=/var/run/clam/clmilter.pid \ -lo /var/run/clam/clmilter.sock Follow the instructions in the error message, either 1) set --external; or 2) define ScanMail in clamd.conf
Re: [Clamav-users] Phishing Questions
On Thu, 27 Jan 2005, Jim Maul wrote: What if the plumber and the mechanic work on it together? ;) What if the electrician goes to night school to learn ornithology?
Re: [Clamav-users] Phishing Questions
On Thu, 2005-01-27 at 12:45 -0600, Damian Menscher wrote: Another is your assertion that my initial assumptions were incorrect when I suggested that phishing signatures were more likely to create false positives as a result of being more likely to be matching plaintext. Which initial assumptions were incorrect? Can you back your assertion up with anything? Yes. Of the 126 Phishing signatures, 120 will only match in HTML documents, and 1 will only match in email messages - they aren't plaintext. -trog
Re: [Clamav-users] Phishing Questions
On Thu, 27 Jan 2005, Trog wrote: On Thu, 2005-01-27 at 12:45 -0600, Damian Menscher wrote: Another is your assertion that my initial assumptions were incorrect when I suggested that phishing signatures were more likely to create false positives as a result of being more likely to be matching plaintext. Which initial assumptions were incorrect? Can you back your assertion up with anything? Yes. Of the 126 Phishing signatures, 120 will only match in HTML documents, and 1 will only match in email messages - they aren't plaintext. Oh, ok. Apparently we have a different definition of plaintext. I generally take anything using only the lower 7 bits (ASCII table) to mean plaintext, and things that use the 8th bit to mean binary. Regardless of your definition of plaintext, it would seem that my conclusion that phishing signatures that rely exclusively on 7-bit ascii are more likely to have a false positive than binary signatures that use the full 8 bits is correct. Damian Menscher -- -=#| Physics Grad Student SysAdmin @ U Illinois Urbana-Champaign |#=- -=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=- -=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=- -=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=- -=#| The above opinions are not necessarily those of my employers. |#=-
[Clamav-users] Re: clamav-users Digest, Vol 5, Issue 70
snip trying to start clamav-milter from 0.81 I get: Starting clamav-milter: /usr/sbin/clamav-milter: ScanMail not defined in /etc/clamd.conf (needed without --external) What are your clamav-milter options? Petr Hi Guys, Sorry this thread doesn't follow, I have just subscribed here, and don't have a local copy of the mail to reply to. :( I am having the same problems since my foolish install of 0.81 on a live system :) I can not see what's up with this at present, so will undoubtedly roll back a gen or two very shortly (before the boss spots that I've taken out the primary mailserver :-p) My milter startups are as follows (if this is any help) /usr/local/sbin/clamav-milter --headers --local --postmaster-only \ [EMAIL PROTECTED] \ [EMAIL PROTECTED] \ [EMAIL PROTECTED] \ --pidfile=/var/run/clam/clmilter.pid \ -lo /var/run/clam/clmilter.sock snip Uncomment the ScanMail option in clamd.conf? -trog snip Hi, I have tried that and then I get a nicer error message: clamd.conf: #ScanMail # kul changed ScanMail Then the restart: Starting clamd: [ OK ] Starting clamav-milter: /usr/local/sbin/clamav-milter: --max-children must be given in internal mode [ ** ] Had to do a roll back to 0.80, but I can install 0.81 on the backup mailserver as nobody will notice, if anybody has any ideas beyond the above message :) -- Regards, Kul
Re: [Clamav-users] Re: clamav-users Digest, Vol 5, Issue 70
On Thu, 2005-01-27 at 19:12, Kul wrote: Then the restart: Starting clamd: [ OK ] Starting clamav-milter: /usr/local/sbin/clamav-milter: --max-children must be given in internal mode [ ** ] Had to do a roll back to 0.80, but I can install 0.81 on the backup mailserver as nobody will notice, if anybody has any ideas beyond the above message :) --external
Re: [Clamav-users] Phishing Questions
On Thu, 2005-01-27 at 13:05 -0600, Damian Menscher wrote: Oh, ok. Apparently we have a different definition of plaintext. I generally take anything using only the lower 7 bits (ASCII table) to mean plaintext, and things that use the 8th bit to mean binary. Regardless of your definition of plaintext, it would seem that my conclusion that phishing signatures that rely exclusively on 7-bit ascii are more likely to have a false positive than binary signatures that use the full 8 bits is correct. Even with your definition of plaintext you are still wrong :-) Why? Because the structure of language in plaintext files is much richer than that used in the binaries of computer programs. An aside: HTML is actually Universal Character Set (UCS), or to quote the standard: The ASCII character set is not sufficient for a global information system such as the Web, so HTML uses the much more complete character set called the Universal Character Set (UCS), defined in [ISO10646]. This standard defines a repertoire of thousands of characters used by communities all over the world. and When HTML text is transmitted in UTF-16 (charset=UTF-16), text data should be transmitted in network byte order (big-endian, high-order byte first) in accordance with [ISO10646], Section 6.3 and [UNICODE], clause C3, page 3-1. Furthermore, to maximize chances of proper interpretation, it is recommended that documents transmitted as UTF-16 always begin with a ZERO-WIDTH NON-BREAKING SPACE character (hexadecimal FEFF, also called Byte Order Mark (BOM)) which, when byte-reversed, becomes hexadecimal FFFE, a character guaranteed never to be assigned. Thus, a user-agent receiving a hexadecimal FFFE as the first bytes of a text would know that bytes have to be reversed for the remainder of the text. -trog
Re: [Clamav-users] Phishing Questions
On Thu, 27 Jan 2005 13:54:22 -0500 (EST) in [EMAIL PROTECTED] jef moskot [EMAIL PROTECTED] wrote: On Thu, 27 Jan 2005, Jim Maul wrote: What if the plumber and the mechanic work on it together? ;) What if the electrician goes to night school to learn ornithology? Electrified owls? -- Brian Morrison bdm at fenrir dot org dot uk GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
[Clamav-users] errors using clamav 0.81 with amavisd-new-2.2.1]
Hi all, When using clamav 0.81rc1 with amavisd-new I get these errors: Jan 22 12:05:22 donkeykong amavis[24030]: (24030-07) Mail::ClamAV av-scanner FAILED: statchkdir() only works if a database directory was specified to new() at (eval 35) line 62. clamav is configured in amavisd-new (amavisd-new-2.2.1, 20041222) as follows: # ### http://www.clamav.net/ and CPAN (Perl modules) ['Mail::ClamAV', \ask_clamav, *, [0], [1], qr/^INFECTED: (.+)/], Any idea why this is happening? With 0.80 I don't get these errors. Thx, Erik PS: I also posted this message to the amavis list but have had no response yet Now with 0.81 I still am seeing these errors. Anybody else seeing them? Erik
[Clamav-users] ScanStream: read poll failed error occurs with 0.81 release
Hello, The latest 0.81 release of clamav now displays ERROR: ScanStream: accept() failed. errors in the logs for some incoming e-mails. For example if I send the Test #6: Eicar virus embedded within another MIME segment test from http://www.webmail.us/testvirus it causes this error, where with the other tests this error does not happen. This did not occur with the clamav 0.80 release. My clamav configuration (clamd.conf) is basically the default that came with 0.81, the only change is to enable ArchiveBlockEncrypted. Do you have any ideas? Thank you!
Re: [Clamav-users] ScanStream: read poll failed error occurs with 0.81 release
On Thu, 2005-01-27 at 11:44 -0800, exo dia wrote: Hello, The latest 0.81 release of clamav now displays ERROR: ScanStream: accept() failed. errors in the logs for some incoming e-mails. For example if I send the Test #6: Eicar virus embedded within another MIME segment test from http://www.webmail.us/testvirus it causes this error, where with the other tests this error does not happen. This did not occur with the clamav 0.80 release. Which of the two errors you've quoted was it? -trog
Re: [Clamav-users] ScanStream: read poll failed error occurs with 0.81 release
On Thu, 2005-01-27 at 11:44 -0800, exo dia wrote: Hello, The latest 0.81 release of clamav now displays ERROR: ScanStream: accept() failed. errors in the logs for some incoming e-mails. For example if I send the Test #6: Eicar virus embedded within another MIME segment test from http://www.webmail.us/testvirus it causes this error, where with the other tests this error does not happen. This did not occur with the clamav 0.80 release. What software are you using to stream data to clamd? -trog
Re: [Clamav-users] Phishing Questions
On Thu, 27 Jan 2005, Trog wrote: On Thu, 2005-01-27 at 13:05 -0600, Damian Menscher wrote: Oh, ok. Apparently we have a different definition of plaintext. I generally take anything using only the lower 7 bits (ASCII table) to mean plaintext, and things that use the 8th bit to mean binary. Regardless of your definition of plaintext, it would seem that my conclusion that phishing signatures that rely exclusively on 7-bit ascii are more likely to have a false positive than binary signatures that use the full 8 bits is correct. Even with your definition of plaintext you are still wrong :-) Why? Because the structure of language in plaintext files is much richer than that used in the binaries of computer programs. I don't believe you, but at least now we're down to something that can be tested. I've heard, for example, that English has about 3 bits of entropy per word. So, assuming a word is 5 characters (typical assumption from speed-typing tests) then a 5-byte signature would provide 3 bits of entropy, if it was matching something designed for humans to read. Anyone care to guess how many bits of entropy are in 5 bytes of machine code? I'm guessing it's larger, but I suppose I could be wrong. The simple test is to assume that bzip2 is an ideal compression program. As such, it will compress data down to a size roughly equal to its level of entropy. So, compress 10K of human-readable text (be it HTML, or whatever) and 10K of a machine-readable binary (say, from a virus). Which compresses down to something smaller? I'll leave this as an exercise to the reader... I'm fairly confident that I already know the answer. Damian Menscher -- -=#| Physics Grad Student SysAdmin @ U Illinois Urbana-Champaign |#=- -=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=- -=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=- -=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=- -=#| The above opinions are not necessarily those of my employers. |#=-
Re: [Clamav-users] Phishing Questions
On Thu, 2005-01-27 at 09:25 -0800, Dennis Peterson wrote: We do a lot of on-line commerce. We cannot tolerate many false positives. Phishing exploits are something we deal with through education first, and filtering second. As phishers become more sophisticated and numerous false positives will rise leaving education as the final solution. I prefer using my filter processes for defending against them as I can fine tune them to our needs. And how many Phishing false positives have you had exactly? -trog Quite a few in my own filtering. I add x-headers rather than block them so it is possible to keep track. If clamav is blocking them then I have no idea as we don't quarantine. How many are needed for it to be a bad idea? Can it even happen with Clamav? I don't know and I can't risk it. dp
Re: [Clamav-users] Phishing Questions
I don't understand what the fuss is. clamAV (like all other AVs) produces a report stating what the malware is. In the case of Phishing, clamAV tags them as *.Phishing.*. So, change your blocking agents to ignore such matches Don't be surprised if they don't have the option, but if you use an Open Source Content Filter like Qmail-Scanner or Amavis, then you can change the code. ClamAV's ability to block Phishing attacks makes it EXTREMELY attractive IMHO. -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Clamav-users] Phishing Questions
On Fri, 28 Jan 2005, Jason Haar wrote: clamAV (like all other AVs) produces a report stating what the malware is. In the case of Phishing, clamAV tags them as *.Phishing.*. So, change your blocking agents to ignore such matches Don't be surprised if they don't have the option, but if you use an Open Source Content Filter like Qmail-Scanner or Amavis, then you can change the code. Easier said than done. First problem is the lack of a consistent naming scheme, making it hard to identify exactly which signatures refer to auto-propagating code, and which don't. More difficult is the problem that ClamAV only reports the *first* match it finds. So a mail that matched both a phishing signature and a virus signature might be reported to be a phishing scheme, and therefore allowed through. The simplest solution seems to be to write a wrapper around freshclam. After downloading the databases, you need to unpack them, grep out the phishing schemes, and then move only the unpacked versions into your signatures directory. If a reliable naming scheme could be agreed upon, I expect there are several of us on this list who would be willing to write/share such a wrapper. Damian Menscher -- -=#| Physics Grad Student SysAdmin @ U Illinois Urbana-Champaign |#=- -=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=- -=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=- -=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=- -=#| The above opinions are not necessarily those of my employers. |#=-
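The two previous messages describe two different places to make the phishing decision: Jason Haar's, in the content filter, keyed on the reported name (`*.Phishing.*`), and Damian Menscher's, before the signatures are ever loaded, because clamd reports only the first signature that matched and a name-based rule can therefore wave through a message that also carries a worm. The Python below is an added example, not code from ClamAV, Amavis or Qmail-Scanner, and it implements both so the difference is concrete. `triage_scan_result` classifies a clamscan/clamd `FOUND` line by name; `drop_phishing_signatures` filters the lines of an unpacked signature file, which is the step Damian's freshclam wrapper would need. The sample scan results and signature lines are constructed. The line layouts assumed for .db (`Name=hex`), .ndb (`Name:target:offset:hex`) and .hdb (`md5:size:Name`) are my assumption about the unpacked formats of that era and should be checked against what your sigtool produces before relying on them.

```python
import re

# Constructed sample signature lines in the three layouts assumed above.
# The names are made up; the hex bodies are arbitrary.
SAMPLE_NDB = [
    "HTML.Phishing.Example-1:3:*:48656c6c6f",
    "Worm.Example.A:1:*:4d5a90",
]
SAMPLE_DB = [
    "Email.Phishing.Example-2=48656c6c6f",
    "Trojan.Example.B=4d5a",
]
SAMPLE_HDB = [
    "d41d8cd98f00b204e9800998ecf8427e:0:Trojan.Example.C",
]


def is_phishing_name(name):
    """The naming convention the thread relies on: a '.Phishing.' component
    somewhere in the reported name (e.g. HTML.Phishing.Example-1)."""
    return ".Phishing." in name


def signature_name(line, ext):
    """Return the malware name from one unpacked signature line, or None for
    blank lines and comments. Layouts (assumed, see lead-in):
      db  -> Name=hex
      ndb -> Name:target:offset:hex
      hdb -> md5:size:Name
    """
    line = line.rstrip("\r\n")
    if not line.strip() or line.startswith("#"):
        return None
    if ext == "db":
        return line.split("=", 1)[0]
    if ext == "ndb":
        return line.split(":", 1)[0]
    if ext == "hdb":
        parts = line.split(":")
        return parts[2] if len(parts) >= 3 else None
    raise ValueError("unknown signature file type: %r" % ext)


def drop_phishing_signatures(lines, ext):
    """Split one unpacked signature file into (kept, dropped) lists, dropping
    every entry whose name is a phishing signature. Non-signature lines
    (comments, blanks) are always kept so the file stays loadable."""
    kept, dropped = [], []
    for line in lines:
        name = signature_name(line, ext)
        if name is not None and is_phishing_name(name):
            dropped.append(line)
        else:
            kept.append(line)
    return kept, dropped


# clamscan prints "<path>: <name> FOUND"; clamd answers "stream: <name> FOUND".
SCAN_RESULT = re.compile(r"^(?P<path>.*?): (?P<name>\S+) FOUND$")


def triage_scan_result(line):
    """Map one scanner result line to an action for the content filter:
    'tag' for a phishing match (deliver with a header, as Dennis Peterson
    does for his own filters), 'block' for any other detection, 'pass' for
    lines that are not a detection at all.

    Limitation, from Damian Menscher's point above: the scanner names only
    the first signature that matched, so a message carrying both a phishing
    page and a worm can come back as the phishing name and be tagged rather
    than blocked. Filtering the signatures out of the database instead
    (drop_phishing_signatures) does not have that problem."""
    m = SCAN_RESULT.match(line)
    if not m:
        return "pass"
    return "tag" if is_phishing_name(m.group("name")) else "block"


if __name__ == "__main__":
    for ext, sample in (("ndb", SAMPLE_NDB), ("db", SAMPLE_DB), ("hdb", SAMPLE_HDB)):
        kept, dropped = drop_phishing_signatures(sample, ext)
        print("%s: kept %d, dropped %d" % (ext, len(kept), len(dropped)))
    for result in ("stream: HTML.Phishing.Example-1 FOUND",
                   "/var/spool/mail/x: Worm.Example.A FOUND",
                   "/var/spool/mail/y: OK"):
        print("%-45s -> %s" % (result, triage_scan_result(result)))
```

In a freshclam wrapper the flow would be: download, unpack the .cvd with sigtool, run `drop_phishing_signatures` over each unpacked file, and install only the filtered, unpacked files into the database directory; write the filtered files to a staging directory first and move them into place atomically so clamd never reloads a half-written set.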
Re: [Clamav-users] Phishing Questions
On Thu, 27 Jan 2005 14:29:06 -0600 (CST) Damian Menscher [EMAIL PROTECTED] wrote: The simplest solution seems to be to write a wrapper around freshclam. You can patch ClamAV to filter out all *Phishing* sigs in libclamav/readdb.c. It should be simpler and more reliable solution. -- oo. Tomasz Kojm [EMAIL PROTECTED] (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg \..._ 0DCA5A08407D5288279DB43454822DC8985A444B //\ /\ Thu Jan 27 21:29:42 CET 2005
Re: [Clamav-users] Phishing Questions
On Thu, 27 Jan 2005 21:30:56 +0100 in [EMAIL PROTECTED] Tomasz Kojm [EMAIL PROTECTED] wrote: On Thu, 27 Jan 2005 14:29:06 -0600 (CST) Damian Menscher [EMAIL PROTECTED] wrote: The simplest solution seems to be to write a wrapper around freshclam. You can patch ClamAV to filter out all *Phishing* sigs in libclamav/readdb.c. It should be simpler and more reliable solution. My goodness, there's something about providing this source code stuff after all isn't there? -- Brian Morrison bdm at fenrir dot org dot uk GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
Re: [Clamav-users] ScanStream: read poll failed error occurs with 0.81 release
I apologize -- bad cut and paste in my first e-mail subject. This is the error from my logs: Thu Jan 27 11:28:12 2005 - SelfCheck: Database status OK. Thu Jan 27 11:50:15 2005 - ERROR: ScanStream: accept() failed. Thu Jan 27 11:57:43 2005 - ERROR: ScanStream: accept() failed. Thu Jan 27 11:58:27 2005 - SelfCheck: Database status OK. -ed On Thu, 27 Jan 2005 19:50:02 +, Trog [EMAIL PROTECTED] wrote: On Thu, 2005-01-27 at 11:44 -0800, exo dia wrote: Hello, The latest 0.81 release of clamav now displays ERROR: ScanStream: accept() failed. errors in the logs for some incoming e-mails. For example if I send the Test #6: Eicar virus embedded within another MIME segment test from http://www.webmail.us/testvirus it causes this error, where with the other tests this error does not happen. This did not occur with the clamav 0.80 release. Which of the two errors you've quoted was it? -trog