Re: [Clamav-users] clamAV 0.83 milter discard infected message...

2005-03-17 Thread Nigel Horne
On Thursday 17 Mar 2005 02:54, Daniel Suen wrote:
 Dear All,
 
 Is there any way of discarding infected message with clamav-milter in 
 version 0.83?

What options are you currently giving? What do you mean by discarding?
Do you mean stop quarantining, stop forwarding to someone?

 
 Best,
 
 Daniel.


-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
___
http://lurker.clamav.net/list/clamav-users.html


[Clamav-users] Re: How to Filter Spam Mails

2005-03-17 Thread Jijos
hai

Does anyone know how to filter mails using clamAV milter with sendmail?
I don't want to use spamassassin; it will only mark as junk. I don't want to send
it to users, I want to move it to a particular mail box.

thanks


On Wed, 16 Mar 2005 22:12:57 -0800, Ed Kasky [EMAIL PROTECTED] wrote:
 http://www.spamassassin.org
 
 At 09:55 PM Wednesday, 3/16/2005, you wrote -=
 I am using Sendmail with clamav Milter I want to know how can I filter
 spam
 Mails coming and I want to forward  it to one user account  Like email
 Admin
 how can I add more domains name to filter mails
 thanks in advance
 
 . . . . . . . . . . . . . . . . . .
 Randomly Generated Quote (179 of 476):
 The problem of power is how to achieve its responsible use rather
 than its irresponsible and indulgent use--of how to get men of
 power to live for the public rather than off the public.
 --Robert Fitzgerald Kennedy
 
 

-- 

Jijo's


Re: [Clamav-users] Re: How to Filter Spam Mails

2005-03-17 Thread Nigel Horne
On Thursday 17 Mar 2005 09:06, Jijos wrote:

 Does any one know how to filter mails using clamAV milter using with sendmail
 I don't want to use spamassassin it will only mark as junk I don't want to 
 send
 it to users i want to move it to a particular mail box

spamass-milter

 thanks

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk


Re: [Clamav-users] Re: How to Filter Spam Mails

2005-03-17 Thread Guillaume Arcas
Jijos wrote:
 hai
 
 Does any one know how to filter mails using clamAV milter using with sendmail
 I don't want to use spamassassin it will only mark as junk I don't want to 
 send
 it to users i want to move it to a particular mail box

Hi.

ClamAV is not an antispam solution but an antivirus.
If I can give you some advice, you should do both: filter spam, then
filter viruses for incoming (and outgoing as well) mail traffic.

If you just want to filter virus with clamav-milter and sendmail, this
page :
http://www.clamav.net/doc/0.83/html/node19.html
is all you need to read ! :-)

Regards,

-- 
Guillaume Arcas


I personally knew a duck that had genius.
Alphonse Allais



[Clamav-users] clamav installation with milter support.

2005-03-17 Thread Nabin Limbu
Hi,

I am trying to use clamav with sendmail in FC-3. I heard that sendmail in FC-3 is
precompiled with milter. Using the command: sendmail -d0.1 bv root also confirms that
sendmail is compiled with milter support.

Also, while installing clamav-0.83.tar.gz with the following option:

./configure --disable-clamuko --enable-milter

I got an error saying cannot find libmilter.

While searching, I am not getting library file libmilter anywhere in the system.

Don't I require, the option --enable-milter to use clamav for milter support?

And will the installation of clamav---tar.gz without --enable-milter be equivalent to
installing rpms of both the below ones ?
clamav---.rpm
clamav-milter---rpm

Hoping for your support.

Regards
Nabin Limbu



RE: [Clamav-users] clamav installation with milter support.

2005-03-17 Thread Nigel Horne
This is all covered in .../clamav-milter/INSTALL.
You have not installed sendmail-devel.rpm as instructed
in that document.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Nabin Limbu
 Sent: 17 March 2005 10:54
 To: clamav-users@lists.clamav.net
 Subject: [Clamav-users] clamav installation with milter support.
 
 
 Hi,
 
 I am trying to use clamav with sendmail in FC-3. I heard that 
 sendmail in FC-3 is 
 precompiled with milter. Using the command: sendmail -d0.1 bv 
 root also confirms that 
 sendmail is compiled with milter support.
 
 Also, while installing clamav-0.83.tar.gz with the following option:
 
 ./configure --disable-clamuko --enable-milter
 
 I got an error saying cannot find libmilter.
 
 While searching,  I am not getting library file libmilter 
 anywhere in the system.
 
 Don't I require, the option --enable-milter to use clamav for 
 milter support?
 
 And will the installation of clamav---tar.gz without 
 --enable-milter will be equivalent as 
 installing rpms of both the below ones ?
 clamav---.rpm
 clamav-milter---rpm
 
 Hoping for your support.
 
 Regards
 Nabin Limbu
 


Re: [Clamav-users] clamav installation with milter support.

2005-03-17 Thread Krištof Petr
Nabin Limbu wrote:
Hi,
I am trying to use clamav with sendmail in FC-3. I heard that sendmail in FC-3 is 
precompiled with milter. Using the command: sendmail -d0.1 bv root also confirms that 
sendmail is compiled with milter support.

Also, while installing clamav-0.83.tar.gz with the following option:
./configure --disable-clamuko --enable-milter
I got an error saying cannot find libmilter.
 

Do you have the sendmail-devel package installed?
pk


RE: [Clamav-users] clamAV 0.83 milter discard infected message...

2005-03-17 Thread Mark

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Nigel Horne
 Sent: donderdag 17 maart 2005 9:51
 To: ClamAV users ML
 Subject: Re: [Clamav-users] clamAV 0.83 milter discard 
 infected message...
 
 
 On Thursday 17 Mar 2005 02:54, Daniel Suen wrote:
  Dear All,
  
  Is there any way of discarding infected message with 
  clamav-milter in version 0.83?
 
 What options are you currently giving? What do you mean by 
 discarding? Do you mean stop quarantining, stop forwarding
 to someone?

I think he means SMFIS_DISCARD, as defined in the Milter protocol.
Simply put: accepting the message (250 2.0.0), but silently
throwing it away anyway.

- Mark 
 
System Administrator Asarian-host.org
 
---
If you were supposed to understand it,
we wouldn't call it code. - FedEx



[Clamav-users] Attachment not identified as attachment/bad jpeg

2005-03-17 Thread clam
Hello,

this is my first post here so be gentle...

Clamscan does not find some attachments in some types of mail.
Most attachments are, but not all. This has me somewhat concerned,
since the receiving email client will not be as ignorant :(

Seems like it is related to how a buggy(?), attached jpeg picture is
scanned. Complete debug output is attached, a brief version regarding the
interesting part is below. After the bad jpeg has been scanned, the next
attachment is not scanned nor identified at all. Problem is that this is
the virus/trojan...

I cannot find any references to this when searching the mailing list
archives...

In short: 1) virus attachment IS NOT identified when the jpeg attachment
             is present
          2) virus attachment IS identified if same mail w/o jpeg is
             scanned

The actual JPEG is available if anyone wants to take a closer look.

Thanks in advance,
//Daniel


Version: 0.83

with latest virus definitions:

ClamAV update process started at Thu Mar 17 11:04:40 2005
main.cvd is up to date (version: 30, sigs: 31086, f-level: 4, builder: tkojm)
daily.cvd is up to date (version: 765, sigs: 550, f-level: 4, builder: diego)


Debug output when virus attachment IS NOT identified below.

LibClamAV debug: Loading databases from /usr/local/share/clamav
LibClamAV debug: Loading /usr/local/share/clamav/main.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 486d65d0e35f87e7bca148052cdc6e67
LibClamAV debug: Decoded signature: 486d65d0e35f87e7bca148052cdc6e67
LibClamAV debug: Digital signature is correct.
[...snip...]
LibClamAV debug: Recognized Raw mail file
LibClamAV debug: Starting cli_scanmail(), mrec == 1, arec == 0
[...snip...]
LibClamAV debug: messageSetMimeType: 'application'
LibClamAV debug: parseEmailFile: check 'Content-ID: me2.jpeg' contMarker 0
[...snip...]
LibClamAV debug: blobSetFilename: me2.jpeg
[...snip...]
LibClamAV debug: Saving attachment as /tmp/clamav-7f65e4c3ef347566/me2.jpegMXVP6t
LibClamAV debug: Exported 45597 bytes using enctype 2
LibClamAV debug: 1 trailing bytes to export
LibClamAV debug: base64chars = 1 (? @ @)
LibClamAV debug: Saving main message as attachment
LibClamAV debug: 0 multiparts found
LibClamAV debug: Not found uuencoded file
LibClamAV debug: Saving text part to scan
LibClamAV debug: Force mime encoding to application
LibClamAV debug: messageSetMimeType: 'application'
LibClamAV debug: messageToFileblob
LibClamAV debug: parseEmailBody() returning 1
LibClamAV debug: cli_mbox returning 0
LibClamAV debug: Recognized JPEG file
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated false positive match of Exploit.JPEG.Comment
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Eliminated 

Re: [Clamav-users] LibClamAV ERROR with tar archives

2005-03-17 Thread Dale Walsh
On Mar 17, 2005, at 05:48, Administrator wrote:
hi,
Version of Clamav 0.83/764 with HP-UX 11.11.
PROBLEM
When i try to scan tar archives this is the message:
hpux11# /opt/clamav/bin/clamscan -r -v --debug --leave-temps aa.tar
LibClamAV debug: Loading databases from /opt/clamav/share/clamav
LibClamAV debug: Loading /opt/clamav/share/clamav/main.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 486d65d0e35f87e7bca148052cdc6e67
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /var/tmp//clamav-193666ae0ccf7750/COPYING
LibClamAV debug: Unpacking /var/tmp//clamav-193666ae0ccf7750/main.db
LibClamAV debug: Unpacking /var/tmp//clamav-193666ae0ccf7750/main.hdb
LibClamAV debug: Unpacking /var/tmp//clamav-193666ae0ccf7750/main.ndb
LibClamAV debug: Loading databases from /var/tmp//clamav-193666ae0ccf7750
LibClamAV debug: Loading /var/tmp//clamav-193666ae0ccf7750/main.db
LibClamAV debug: Initializing main node
LibClamAV debug: Initializing trie
LibClamAV debug: Initializing BM tables
LibClamAV debug: in cli_bm_init()
LibClamAV debug: BM: Number of indexes = 63744
LibClamAV debug: Loading /var/tmp//clamav-193666ae0ccf7750/main.hdb
LibClamAV debug: Initializing md5 list structure
LibClamAV debug: Loading /var/tmp//clamav-193666ae0ccf7750/main.ndb
LibClamAV debug: Loading /opt/clamav/share/clamav/daily.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 3f5036d5adb949238c34b50c9ae6e2c6
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /var/tmp//clamav-d5a45cd07e2ee865/COPYING
LibClamAV debug: Unpacking /var/tmp//clamav-d5a45cd07e2ee865/daily.db
LibClamAV debug: Unpacking /var/tmp//clamav-d5a45cd07e2ee865/daily.hdb
LibClamAV debug: Unpacking /var/tmp//clamav-d5a45cd07e2ee865/daily.ndb
LibClamAV debug: Unpacking /var/tmp//clamav-d5a45cd07e2ee865/daily.zmd
LibClamAV debug: Loading databases from /var/tmp//clamav-d5a45cd07e2ee865
LibClamAV debug: Loading /var/tmp//clamav-d5a45cd07e2ee865/daily.db
LibClamAV debug: Loading /var/tmp//clamav-d5a45cd07e2ee865/daily.hdb
LibClamAV debug: Loading /var/tmp//clamav-d5a45cd07e2ee865/daily.ndb
Scanning aa.tar
LibClamAV debug: Recognized POSIX tar file
LibClamAV debug: in cli_scantar()
LibClamAV debug: In untar(/var/tmp//clamav-60a3f46bcf4ced06, 4)
LibClamAV Error: Can't create temporary file : No such file or directory
LibClamAV debug: 4 15 0
LibClamAV debug: Tar: Unable to create temporary file
LibClamAV debug: Virus offset: 1024, expected: 0 (Eicar-Test-Signature)
LibClamAV debug: Virus offset: 2087, expected: 0 (Eicar-Test-Signature)
LibClamAV debug: Calculated MD5 checksum: bd469cc4164007dac9ea45b14b479089
aa.tar: Unable to create temporary file
--- SCAN SUMMARY ---
Known viruses: 31633
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.01 MB
I/O buffer size: 131072 bytes
Time: 1.895 sec (0 m 1 s)

Temporary directory /var/tmp//clamav-60a3f46bcf4ced06 created by clamscan
has permission rwx-- and is owned by root:root but /var/tmp is
rwxrwxrwx.

Please help me.
Looks like the wrong user/group is working this file.
-- Dale


Re: [Clamav-users] LibClamAV ERROR with tar archives

2005-03-17 Thread clam
 LibClamAV Error: Can't create temporary file : No such file or directory

Define NAME_MAX, since it is not in sys/param.h.

I.e.
#define NAME_MAX 255

//Daniel



[Clamav-users] use of clamav-milter

2005-03-17 Thread Nabin Limbu
Hi,

What is the difference between using clamd only and clamd + clamav-milter with 
mailserver. What additional benefits do we get while using clamav-milter.

Regards
Nabin Limbu



R: [Clamav-users] LibClamAV ERROR with tar archives

2005-03-17 Thread Administrator
Hi,
Before running ./configure and make I tested the parameter with getconf
NAME_MAX /var and the result was 255.
Now, with the new define in sys/param.h, the clamscan command functions
correctly and libclamav does not return any error.
Thanks for your help.

//Alberto

--
From:  [EMAIL PROTECTED] on behalf of
[EMAIL PROTECTED]:[EMAIL PROTECTED]
Sent:  Thursday, March 17, 2005 12:08:08 PM
To:'clamav-users@lists.clamav.net'
Subject:   Re: [Clamav-users] LibClamAV ERROR with tar archives
Auto forwarded by a Rule

 LibClamAV Error: Can't create temporary file : No such file or 
 directory

Define NAME_MAX, since it is not in sys/param.h.

I.e.
#define NAME_MAX 255

//Daniel



[Clamav-users] LibClamAV Warning: Ignoring empty field in charset=

2005-03-17 Thread Nett Lynch
LibClamAV Warning: Ignoring empty field in  charset=

  When trying to scan some messages in my quarantine directory, i
 am getting
  the following output:
 
  LibClamAV Warning: Ignoring empty field in  charset=

  Anyone have any ideas what might be causing this?

 Virus writers don't honour RFCs (what a surprise!)


Hehe, I thought this was the cause (malformed messages) but I wasn't sure.
Thanks for clarifying.

Jim

I read this in the archives, but am unsure of the steps necessary to
resolve this issue.
Thanks,
Nett


Re: [Clamav-users] use of clamav-milter

2005-03-17 Thread Ken Jones

 Hi,

 What is the difference between using clamd only and clamd + clamav-milter
 with
 mailserver. What additional benefits do we get while using clamav-milter.


Clamav-milter is a milter interface for sendmail. Although not the only
way to interface clam with a host running sendmail, it is probably the
most common. Read the documentation for a further description.

 Regards
 Nabin Limbu




-- 
Ken Jones




Re: [Clamav-users] Re: How to Filter Spam Mails

2005-03-17 Thread Dennis Peterson
Jijos said:
 hai

 Does any one know how to filter mails using clamAV milter using with
 sendmail
 I don't want to use spamassassin it will only mark as junk I don't want to
 send
 it to users i want to move it to a particular mail box

 thanks

J-chkmail and probably spamassassin will do this. On a busy system you can
fill a drive quickly with quarantined messages. I've never found any of
them to have any value and so delete them immediately.

dp


Re: [Clamav-users] Re: How to Filter Spam Mails

2005-03-17 Thread BitFuzzy

hai
Does any one know how to filter mails using clamAV milter using with
sendmail
I don't want to use spamassassin it will only mark as junk I don't want to
send
it to users i want to move it to a particular mail box
thanks
   

This is rather simple with spamassassin err I should say spamassassin w/ procmail

simply add:

    :0:
    * ^X-Spam-Status: Yes
    /directory/path/to/filename

to a procmail profile. (either global /etc/procmailrc, or per user /home/user_name/.procmailrc)

Hope this helps


Re: [Clamav-users] use of clamav-milter

2005-03-17 Thread Dennis Peterson
Nabin Limbu said:
 Hi,

 What is the difference between using clamd only and clamd + clamav-milter
 with
 mailserver. What additional benefits do we get while using clamav-milter.

 Regards
 Nabin Limbu

The milter is the component that communicates with both the smtp server
and the clamav scanner. To handle mail scanning in real time this
component has to exist in some form. Milters are closely associated with
SendMail and the libmilter library they provide.

There are several products that can run in place of the clamav-milter
code, so you have choices. Some of those choices include spam content and
spammer behavior filters in addition to invoking ClamAv. It is frequently
most efficient to test for spam content prior to scanning for viruses -
there is no point in virus scanning a file if it has failed a spam content
test. That's more than you asked but not bad to know.

dp


RE: [Clamav-users] use of clamav-milter

2005-03-17 Thread Matthew.van.Eerde
Dennis Peterson wrote:
 It is frequently most efficient to test for spam content prior to scanning
 for viruses - there is no point in virus scanning a file if it has
 failed a spam content test. That's more than you asked but not bad to
 know. 

The reverse is also true.  There is no point in spam scanning a file if it has 
been identified as a virus.

Of the two processes (spam scanning and virus scanning), spam scanning is more 
resource-intensive (at least the way I do it) - so I virus scan first, and 
spam-scan second.

Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -emap{y/a-z/l-za-k/;print}shift Jjhi pcdiwtg Ptga wprztg, 


Re: [Clamav-users] use of clamav-milter

2005-03-17 Thread Todd Lyons
[EMAIL PROTECTED] wanted us to know:

Dennis Peterson wrote:
 It is frequently most efficient to test for spam content prior to scanning
 for viruses - there is no point in virus scanning a file if it has
 failed a spam content test. That's more than you asked but not bad to
 know. 
The reverse is also true.  There is no point in spam scanning a file if
it has been identified as a virus.  Of the two processes (spam scanning
and virus scanning), spam scanning is more resource-intensive (at least
the way I do it) - so I virus scan first, and spam-scan second.

I second that.   When I changed my system to av scan before spam, my
load dropped by about 40%.
-- 
Regards...  Todd
There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo.  Please use in that order. --Ed Howdershelt
Linux kernel 2.6.8.1-12mdkenterprise   1 user,  load average: 0.00, 0.00, 0.00


RE: [Clamav-users] Re: How to Filter Spam Mails

2005-03-17 Thread John Gallagher

hai

Does any one know how to filter mails using clamAV milter using with
sendmail
I don't want to use spamassassin it will only mark as junk I don't want to
send
it to users i want to move it to a particular mail box

thanks



Look at the following document on integrating amavis-new.  Amavis-new gives you
control of how the mail is processed and what to do with it after spam,
viruses are detected.

http://www.ijs.si/software/amavisd/README.milter.txt






RE: [Clamav-users] Virus not identified in /var/spool/mqueue

2005-03-17 Thread Mark

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Administrator
 Sent: donderdag 17 maart 2005 17:31
 To: 'clamav-users@lists.clamav.net'
 Subject: [Clamav-users] Virus not identified in /var/spool/mqueue
 
 
 hi,
 Version of Clamav 0.83/764 with HP-UX 11.11.
 
 when i try to scan a sendmail spool directory /var/spool/mqueue
 that contains mail infected by EICAR test virus and other viruses
 Clamscan does not find any attachments and viruses.

Since files in /var/spool/mqueue commonly consist of two separate
parts, a 'q' and a 'd' file, one holding the headers (with extra info),
the other the data, it does not surprise me that you cannot find
viruses in them. I mean, in that shape they are not exactly
in mbox mail format (or concatenated header + body format).

You should scan in /var/mail/ or something. But better, of course,
to scan prior to delivery (scanning in /var/mail/ could create a
race condition, where a pop client reads from the mbox file before
you could scan it).

- Mark 
 
System Administrator Asarian-host.org
 
---
If you were supposed to understand it,
we wouldn't call it code. - FedEx
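
The split described in the reply above, as an added example that is not part of the original post or of the ClamAV or sendmail code: rejoining each queue entry's header file and data file into one header + body message, so a scanner's mail parser can see the MIME structure. It assumes the sendmail 8.x control-file layout (header records start with `H`, optionally followed by `?flags?`, and folded lines start with whitespace) and `qf<id>`/`df<id>` files in the same directory; the function names and the sample data are constructed for illustration.

```python
import email
import re
from pathlib import Path

# Optional "?flags?" prefix that sendmail stores in front of a queued header.
_FLAGS = re.compile(rb"^\?[^?]*\?")

# Constructed sample queue entry (not taken from a real queue).
SAMPLE_QF = (b"V8\nT1111057860\nP30345\nS<alice@example.org>\n"
             b"RPFD:<bob@example.com>\n"
             b"H??Received: from localhost (localhost [127.0.0.1])\n"
             b"\tby mail.example.com with ESMTP id j2HGV0aa012345\n"
             b"H??From: alice@example.org\n"
             b"H??Subject: constructed sample\n"
             b"H??MIME-Version: 1.0\n"
             b'H??Content-Type: multipart/mixed; boundary="b1"\n'
             b".\n")
SAMPLE_DF = (b"--b1\nContent-Type: text/plain\n\nhello\n"
             b"--b1\nContent-Type: application/octet-stream\n"
             b'Content-Disposition: attachment; filename="sample.bin"\n'
             b"Content-Transfer-Encoding: base64\n\nAAECAw==\n--b1--\n")


def headers_from_qf(qf: bytes) -> list[bytes]:
    """Return the header lines stored in a qf control file, in order."""
    headers: list[bytes] = []
    in_header = False
    for line in qf.splitlines():
        if line[:1] == b"H":
            headers.append(_FLAGS.sub(b"", line[1:]))
            in_header = True
        elif in_header and line[:1] in (b" ", b"\t"):
            headers[-1] += b"\r\n" + line      # folded continuation line
        else:
            in_header = False                  # envelope or control record
    return headers


def reassemble(qf: bytes, df: bytes) -> bytes:
    """Join the qf headers and the df body into one header + body message."""
    body = df.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    return b"\r\n".join(headers_from_qf(qf)) + b"\r\n\r\n" + body


def queued_messages(queue_dir: str):
    """Yield (queue_id, message_bytes) for every complete qf/df pair."""
    root = Path(queue_dir)
    for qf_path in sorted(root.glob("qf*")):
        df_path = root / ("df" + qf_path.name[2:])
        if df_path.is_file():                  # skip entries with no data file yet
            yield qf_path.name[2:], reassemble(qf_path.read_bytes(),
                                               df_path.read_bytes())


def attachment_names(raw: bytes) -> list[str]:
    """Attachment file names a MIME parser can find in the given bytes."""
    msg = email.message_from_bytes(raw)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


if __name__ == "__main__":
    # The data file alone carries no Content-Type header, so nothing is found.
    print("df only:     ", attachment_names(SAMPLE_DF))
    print("reassembled: ", attachment_names(reassemble(SAMPLE_QF, SAMPLE_DF)))
```

The reassembled bytes can be written to a file or piped to `clamscan -`; as the reply says, scanning before delivery remains the better place to do this.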



RE: [Clamav-users] use of clamav-milter

2005-03-17 Thread Dennis Peterson
[EMAIL PROTECTED] said:
 Dennis Peterson wrote:
 It is frequently most efficient to test for spam content prior to
 scanning
 for viruses - there is no point in virus scanning a file if it has
 failed a spam content test. That's more than you asked but not bad to
 know.

 The reverse is also true.  There is no point in spam scanning a file if it
 has been identified as a virus.

 Of the two processes (spam scanning and virus scanning), spam scanning is
 more resource-intensive (at least the way I do it) - so I virus scan
 first, and spam-scan second.

Interesting - that is exactly the opposite of my experiences so I'm
interested in knowing more about your content scanning tool. I don't use
Perl for this (or anything else) so I'm wondering if that may be a factor.
But yes, no point in double-damning a message when once will do, and I
guess that was my point, and clearly the most efficient method should be
first.

dp


Re: [Clamav-users] clamd on Solaris ceases functioning after a while (FIXED)

2005-03-17 Thread David Blank-Edelman
Howdy-
   Now that  a week has gone by with absolutely no problems with our 
clamd hanging, I thought I would write in to provide the good news that 
I think we have this problem licked. Though we also rev'd exim on Wed, 
I think it was the upgrade for 0.83 to devel-20050308 that solved our 
problems. Many thanks to all the people who helped out with our issues.

 -- dNb
P.S. If this message doesn't tempt fate enough to cause our entire mail 
server to burst into flames, I don't know what will.



[Clamav-users] Latest virusdb update - mismatched signature count?

2005-03-17 Thread Brian Morrison
Received signal 14, wake up 
ClamAV update process started at Thu Mar 17 17:44:40 2005
main.cvd is up to date (version: 30, sigs: 31086, f-level: 4,
builder: tkojm)
daily.cvd updated (version: 767, sigs: 562, f-level: 4, builder: diego)
Database updated (31648 signatures) from
db.gb.clamav.net(IP:68.142.86.21)
Clamd successfully notified about the update.
--
Reading databases from /var/lib/clamav
Database correctly reloaded (31647 viruses) 

So, why the difference between what freshclam thinks the number of
signatures is, and what clamd thinks?

-- 

Brian Morrison

bdm at fenrir dot org dot uk

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html


Re: [Clamav-users] clamav-devel (20050316) and zlib-1.2.2

2005-03-17 Thread Dennis Peterson
Dale Walsh said:

 On Mar 17, 2005, at 00:03, Dennis Peterson wrote:

 Dale Walsh said:

 On Mar 16, 2005, at 19:33, Dennis Peterson wrote:

 Dale Walsh said:



 Where are the archives of this list, like for last week? I remember
 someone mentioned how to do what I want to do and I think I am almost
 right in how I was doing it... I don't intend to install zlib-1.2.2
 over my system's zlib!



 -Wash

 I guess you didn't understand my response.

 Doing this upgrade is safe and won't break anything and is
 recommended.

 Installing it in a secondary location is not recommended and the
 reasons should be obvious!!!

 This upgrade is recommended because it fixes some bugs, improves
 performance and fixes some vulnerabilities.

 If you don't want to install it for any reason then just give up
 on building anything that depends on it because without it they won't
 build.

 Is that any clearer for you?

 -- Dale

 It's clear to me, Dale, and it's wrong. I wouldn't do it either. I get
 my system libs from Sun, for example, because they are guaranteed to work
 with my OS. Anything else goes into /usr/local where my compiled sources
 are told to look for it. Generalizations are usually a bad idea -
 including mine. It is best to leave it to each admin to manage the
 configuration of their OS's.

 In this instance the OP can put the path to his libs in his clamav
 configure. If that doesn't work (as revealed by ldd, for example) then he
 can hack the Makefile.

 dp

 Yes, you can hack the Makefile, but Sun doesn't do anything special to
 the zlib installation so upgrading this app/library won't have any ill
 effects.

 Rot. They give it a part number, they track dependencies, it becomes part
 of the total configuration management system, they upgrade it in a
 coordinated fashion and in concert with other dependent packages. Man
 pages are replaced, for example, and are placed where pkgadd/pkgrm expects
 to see them. pkginfo will give you accurate information about the running
 product. This is in no way limited to zlib.


 If you do a ./configure && make && make install, it will install in
 /usr/local and you can point ClamAV to this library and it will work
 as you expect however, you may experience other side effects by having
 two versions of zlib installed when library loading/linking occurs by
 different applications.

 User error.


 If you're doing this for test purposes, go ahead and do it this way but
 if you're wishing to use it in deployment, this is not recommended
 based on the problems that it causes unless soft-linking is employed
 and very few applications use this linking method.

 I'd imagine that if you have 40 different systems to manage with your
 methodology you'd truly have 40 very different systems.


 Considering the problems that occur with loading several different
 versions of the same application library, it should not pose any
 serious problem and System Engineers may consider this approach to
 determine compatibility on a test platform before deploying the
 application.

 Thanks, no. The OP has it right.

 dp

 Unfortunately you have misunderstood the scope of this topic and the
 information I have offered as something I recommend as a way of life..

 I do have 14 systems to manage and I don't play games with any of them.

 Fortunately, the methodology isn't mine, it is the original poster who
 wishes to install different version of ClamAV and by adding the latest,
 a version requirement for zlib is being encountered that he doesn't
 want to install.

 All I did was mention the potential problems, suggest that a temporary
 install for testing purposes as described to me is about his only
 possible option if he still wishes to test-install the latest ClamAV
 without overwriting the current system installed zlib.

 In your case, you are saying you're basically stuck with the whatever
 version is available based on your configuration system management
 provides for you, hopefully they have the latest versions available.

Not at all. You can install libraries in non-standard locations all you
like. That is yet another reason why it is not necessary to over-write
your system libs with rpm's from God knows where, or compiled code that
may or may not have the proper switches set (32 vs 64 bit, for example) as
the OS vendor expects. The best advice for the OP is to learn more about
his development environment and in particular, his linker. Done right
there is absolutely no reason why his original configure setting wouldn't
work provided he understands that it is a strict environment.


dp


[Clamav-users] ClamAV-milter sending delays

2005-03-17 Thread Dan Bongert
So, I've been using ClamAV quite successfully since the days of .66,
and I've got a new problem. A user of mine is sending out a large (but
not humongous - ~500kb) that is filled with lots of equations and other
complicated stuff from Outlook (though there are problems with other
mailers too).

What's happening is this: user sends email, and while the connection is 
still open, sendmail passes the message via milter to Clam, which scans 
it for viruses. A minute and a half later, Clam has decided that the 
email is virus-free,  sendmail sends a 250 Message accepted for 
delivery, and the message is sent.

However, the problem comes in because Outlook (and Squirrelmail, our 
web-based email) has timed out the SMTP connection in that minute and a 
half. This is particularly annoying with Outlook because Outlook will 
attempt to resend the already-sent email over and over.

Does this sound like my sendmail/milter setup is broken? Or is this the 
way things are supposed to work? I'm planning a transition to Postfix 
for this summer (since I'm not a Sendmail expert by any means), but if 
there's a change I can make now, that'd be even better.

Thanks!

-- 
Dan Bongert [EMAIL PROTECTED]
SSCC Unix System Administrator


Re: [Clamav-users] Latest virusdb update - mismatched signature count?

2005-03-17 Thread Tomasz Kojm
On Thu, 17 Mar 2005 18:06:00 +
Brian Morrison [EMAIL PROTECTED] wrote:

 Received signal 14, wake up 
 ClamAV update process started at Thu Mar 17 17:44:40 2005
 main.cvd is up to date (version: 30, sigs: 31086, f-level: 4,
 builder: tkojm)
 daily.cvd updated (version: 767, sigs: 562, f-level: 4, builder:
 diego) Database updated (31648 signatures) from
 db.gb.clamav.net(IP:68.142.86.21)
 Clamd successfully notified about the update.
 --
 Reading databases from /var/lib/clamav
 Database correctly reloaded (31647 viruses) 
 
 So, why the difference between what freshclam thinks the number of
 signatures is, and what clamd thinks?

Your clamd doesn't support meta-data signatures.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Mar 17 19:15:18 CET 2005




Re: [Clamav-users] Latest virusdb update - mismatched signature count?

2005-03-17 Thread Ken Jones

 Received signal 14, wake up
 ClamAV update process started at Thu Mar 17 17:44:40 2005
 main.cvd is up to date (version: 30, sigs: 31086, f-level: 4,
 builder: tkojm)
 daily.cvd updated (version: 767, sigs: 562, f-level: 4, builder: diego)
 Database updated (31648 signatures) from
 db.gb.clamav.net(IP:68.142.86.21)
 Clamd successfully notified about the update.
 --
 Reading databases from /var/lib/clamav
 Database correctly reloaded (31647 viruses)

 So, why the difference between what freshclam thinks the number of
 signatures is, and what clamd thinks?

One started counting at 0 and the other at 1 ??

Main.cvd  - 31086
Daily.cvd -   562
   --
31648 Total

Just a guess

 --

 Brian Morrison

 bdm at fenrir dot org dot uk

 GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
 ___
 http://lurker.clamav.net/list/clamav-users.html



-- 
Ken Jones



Re: [Clamav-users] Latest virusdb update - mismatched signature count?

2005-03-17 Thread Brian Morrison
On Thu, 17 Mar 2005 19:15:44 +0100 in
[EMAIL PROTECTED] Tomasz Kojm [EMAIL PROTECTED]
wrote:

   So, why the difference between what freshclam thinks the number of
   signatures is, and what clamd thinks?
 
  Your clamd doesn't support meta-data signatures.

So that will be a feature of 0.84 then?

-- 

Brian Morrison

bdm at fenrir dot org dot uk

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html


Re: [Clamav-users] Latest virusdb update - mismatched signature count?

2005-03-17 Thread Tomasz Kojm
On Thu, 17 Mar 2005 18:21:04 +
Brian Morrison [EMAIL PROTECTED] wrote:

 On Thu, 17 Mar 2005 19:15:44 +0100 in
 [EMAIL PROTECTED] Tomasz Kojm [EMAIL PROTECTED]
 wrote:
 
So, why the difference between what freshclam thinks the number
of signatures is, and what clamd thinks?
  
   Your clamd doesn't support meta-data signatures.
 
 So that will be a feature of 0.84 then?

Yes, it will (already supported in CVS).

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Mar 17 19:23:10 CET 2005




Re: [Clamav-users] use of clamav-milter

2005-03-17 Thread Todd Lyons
Dennis Peterson wanted us to know:

 Of the two processes (spam scanning and virus scanning), spam scanning is
 more resource-intensive (at least the way I do it) - so I virus scan
 first, and spam-scan second.
Interesting - that is exactly the opposite of my experiences so I'm
interested in knowing more about your content scanning tool. I don't use
Perl for this (or anything else) so I'm wondering if that may be a factor.

Possibly.  Using spamassassin in daemon mode with spamass-milter.

But yes, no point in double-damning a message when once will do, and I
guess that was my point, and clearly the most efficient method should be
first.

When a milter is configured to reject at the SMTP level, it never gets
to the second milter in the chain.  So if clamav-milter detects a virus,
the CPU intensive content scanning process never sees the message (hence
much lower load).

The amount of time that clamav spends chomping on an email is typically
less than 1 second.  The amount of time that spamassassin spends
chomping on an email is typically about 2 seconds.  So ~33% time (or
less) for clamav and ~66% time (or more) for spamassassin.  This
information gleaned from averages in my maillogs.
-- 
Regards...  Todd
They that can give up essential liberty to obtain a little temporary 
safety deserve neither liberty nor safety.   --Benjamin Franklin
Linux kernel 2.6.8.1-12mdkenterprise   1 user,  load average: 0.08, 0.09, 0.02


Re: [Clamav-users] Latest virusdb update - mismatched signature count?

2005-03-17 Thread Brian Morrison
On Thu, 17 Mar 2005 19:15:44 +0100 in
[EMAIL PROTECTED] Tomasz Kojm [EMAIL PROTECTED]
wrote:

  Your clamd doesn't support meta-data signatures.

Should the daily.cvd not be showing as f-level: 5 if a new format has
been added?

-- 

Brian Morrison

bdm at fenrir dot org dot uk

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html


Re: [Clamav-users] Latest virusdb update - mismatched signature count?

2005-03-17 Thread Guillaume Arcas
Tomasz Kojm wrote:

 Your clamd doesn't support meta-data signatures.

What is a meta-data signature?

BTW, what's in the .zmd file ? Patterns for password-protected zip file
detection ?

Regards,

-- 
Guillaume Arcas


I personally knew a duck that had genius.
Alphonse Allais



[Clamav-users] ClamAV -- Squid Cache Integration

2005-03-17 Thread Jon R. Kibler
Hello,

Looking for a way to scan all incoming web content using ClamAV. Is anyone 
aware of any integration of ClamAV into the Squid Cache proxy server? Similar 
open-source solutions?

THANKS!
Jon Kibler
-- 
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214






Re: [Clamav-users] Virus not identified in /var/spool/mqueue

2005-03-17 Thread Rob MacGregor
On Thu, 17 Mar 2005 17:29:57 +0100, Administrator
[EMAIL PROTECTED] wrote:
 hi,
 Version of Clamav 0.83/764 with HP-UX 11.11.
 
 when i try to scan a sendmail spool directory /var/spool/mqueue that
 contains mail infected by EICAR test virus and others virus Clamscan does
 not find any attachments and viruses.
 Virus attachments is identified with another virus-scanner like eTrust
 Antivirus.

Simple answer - use one of the many milter options available to scan
the mail within sendmail.

-- 
 Please keep list traffic on the list.
Rob MacGregor
  Whoever fights monsters should see to it that in the process he 
doesn't become a monster.  Friedrich Nietzsche


RE: [Clamav-users] use of clamav-milter

2005-03-17 Thread Matthew.van.Eerde
Todd Lyons wrote:
 Dennis Peterson wanted us to know:
 But yes, no point in double-damning a message when once will do, and
 I guess that was my point, and clearly the most efficient method
 should be first.
 
 When a milter is configured to reject at the SMTP level, it never gets
 to the second milter in the chain.  So if clamav-milter detects a
 virus, the CPU intensive content scanning process never sees the
 message (hence much lower load).

Your site policies and your data patterns also come into play.  If you get 
lotsa spam and hardly any viruses it may make sense to spam-scan first anyway.  
We reject viruses but accept spam (tagged so users can have a junk email 
folder) so - for us - data patterns don't enter into it.

For the record, we use MIMEDefang + SpamAssassin to spam-scan.  Each MIMEDefang 
thread has its own SpamAssassin object which is quite big.  I've been toying 
with the idea of writing a SpamAssassin::Client module to emulate spamc, but 
haven't done anything serious with it.  I know someone else got a working 
prototype together.

Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -emap{y/a-z/l-za-k/;print}shift Jjhi pcdiwtg Ptga wprztg, 


Re: [Clamav-users] ClamAV-milter sending delays

2005-03-17 Thread Rob MacGregor
On Thu, 17 Mar 2005 12:10:28 -0600, Dan Bongert [EMAIL PROTECTED] wrote:
 So, I've been using ClamAV quite successfully since the days of .66,
 and I've got a new problem. A user of mine is sending out a large (but
 not humongous - ~500kb) that is filled with lots of equations and other 
 complicated stuff from Outlook (though
 there are problems with other mailers too).
 
 What's happening is this: user sends email, and while the connection is
 still open, sendmail passes the message via milter to Clam, which scans
 it for viruses. A minute and a half later, Clam has decided that the
 email is virus-free,  sendmail sends a 250 Message accepted for
 delivery, and the message is sent.

What sort of hardware have you got and what sort of load is it under?

On my largely idle 1 GHz box with 512 MB of RAM I see a ~550 KB PDF
file scanned (through MIMEDefang) by both ClamAV and F-Prot in about 2
seconds.  I haven't seen anything take longer than 10 seconds, even
with SpamAssassin.

-- 
 Please keep list traffic on the list.
Rob MacGregor
  Whoever fights monsters should see to it that in the process he 
doesn't become a monster.  Friedrich Nietzsche


Re: [Clamav-users] use of clamav-milter

2005-03-17 Thread Todd Lyons
[EMAIL PROTECTED] wanted us to know:

 When a milter is configured to reject at the SMTP level, it never gets
 to the second milter in the chain.  So if clamav-milter detects a
 virus, the CPU intensive content scanning process never sees the
 message (hence much lower load).
Your site policies and your data patterns also come into play.  If you
get lotsa spam and hardly any viruses it may make sense to spam-scan
first anyway.  We reject viruses but accept spam (tagged so users can
have a junk email folder) so - for us - data patterns don't enter
into it.

Yes, we're writing a quarantine program and will require spamassassin to
allow the emails through as well.  Good to see that this is a standard
way of doing things.

-- 
Regards...  Todd
They that can give up essential liberty to obtain a little temporary 
safety deserve neither liberty nor safety.   --Benjamin Franklin
Linux kernel 2.6.8.1-12mdkenterprise   1 user,  load average: 0.00, 0.01, 0.00


Re: [Clamav-users] ClamAV -- Squid Cache Integration

2005-03-17 Thread Rob MacGregor
On Thu, 17 Mar 2005 13:43:11 -0500, Jon R. Kibler [EMAIL PROTECTED] wrote:
 Hello,
 
 Looking for a way to scan all incoming web content using ClamAV. Is anyone 
 aware of any integration of ClamAV into the Squid Cache proxy server? Similar 
 open-source solutions?

Well, there are a number documented on the ClamAV site:

http://www.clamav.net/3rdparty.html#proxy

But, of course, you've already looked there :-)

-- 
 Please keep list traffic on the list.
Rob MacGregor
  Whoever fights monsters should see to it that in the process he 
doesn't become a monster.  Friedrich Nietzsche


Re: [Clamav-users] use of clamav-milter

2005-03-17 Thread Dennis Peterson
Todd Lyons said:
 Dennis Peterson wanted us to know:

 Of the two processes (spam scanning and virus scanning), spam scanning
 is
 more resource-intensive (at least the way I do it) - so I virus scan
 first, and spam-scan second.
Interesting - that is exactly the opposite of my experiences so I'm
interested in knowing more about your content scanning tool. I don't use
Perl for this (or anything else) so I'm wondering if that may be a
 factor.

 Possibly.  Using spamassassin in daemon mode with spamass-milter.

But yes, no point in double-damning a message when once will do, and I
guess that was my point, and clearly the most efficient method should be
first.

 When a milter is configured to reject at the SMTP level, it never gets
 to the second milter in the chain.  So if clamav-milter detects a virus,
 the CPU intensive content scanning process never sees the message (hence
 much lower load).

In the case of my systems I have but one milter that handles both spam and
AV, and it's optimized to least-load priorities. It's also worth observing
that as a consequence I have but one milter entry in sendmail.cf and one
set of timeouts to fuss over, and I only mention it for any interested
parties who are pondering over such things.


 The amount of time that clamav spends chomping on an email is typically
 less than 1 second.  The amount of time that spamassassin spends
 chomping on an email is typically about 2 seconds.  So ~33% time (or
 less) for clamav and ~66% time (or more) for spamassassin.  This
 information gleaned from averages in my maillogs.

A bit of background is helpful - in my environment we deal with huge image
files as that is what we sell and receive, so we possibly are more
large-attachment oriented than some businesses. I test both incoming and
outgoing messages and attachments because I believe it is the most
internet friendly policy, and that also runs up our server loads. I avoid
some of that by scanning the content first. So as always, ymmv, batteries
not included, cake will not be served, defend yourself at all times,
yaddah yaddah.

dp
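
An added example, not part of any post in this thread: the milter-ordering argument above as an expected-cost calculation. The 1 s and 2 s scan times are Todd Lyons's averages from the thread; the reject rates, the third filter and the function names are constructed for illustration, and rejections are assumed to be independent of each other.

```python
from itertools import permutations


def expected_cost(chain):
    """Mean scanner seconds per message for filters run in the given order.

    chain is a list of (name, seconds, reject_rate). A reject at SMTP time
    stops the chain, so later filters only see the surviving fraction.
    """
    total, surviving = 0.0, 1.0
    for _name, seconds, reject_rate in chain:
        total += surviving * seconds
        surviving *= 1.0 - reject_rate
    return total


def best_order(filters):
    """Cheapest order under independence: fewest seconds spent per rejected
    message goes first; a filter that never rejects (tag-only) goes last."""
    def rank(f):
        _name, seconds, reject_rate = f
        return seconds / reject_rate if reject_rate > 0 else float("inf")
    return sorted(filters, key=rank)


def all_orders(filters):
    """Every ordering with its expected cost, cheapest first (brute force)."""
    return sorted((expected_cost(list(p)), [f[0] for f in p])
                  for p in permutations(filters))


# Scan times from the thread; reject rates are constructed sample values.
REJECT_BOTH = [("clamav-milter", 1.0, 0.02), ("spamass-milter", 2.0, 0.60)]
# Site that rejects viruses but only tags spam: the spam filter never rejects.
TAG_SPAM = [("clamav-milter", 1.0, 0.02), ("spamass-milter", 2.0, 0.0)]
# Constructed third filter (hypothetical cheap header check) to show N > 2.
THREE = REJECT_BOTH + [("header-check", 0.2, 0.10)]

if __name__ == "__main__":
    for label, filters in (("reject both", REJECT_BOTH),
                           ("tag spam", TAG_SPAM),
                           ("three filters", THREE)):
        print(label)
        for cost, names in all_orders(filters):
            print("  %.3f s  %s" % (cost, " -> ".join(names)))
        print("  rule picks:", " -> ".join(f[0] for f in best_order(filters)))
```

With spam only tagged, virus scanning first always wins; with both filters rejecting and spam far more common than viruses, the slower spam filter belongs first.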



Re: [Clamav-users] Latest virusdb update - mismatched signature count?

2005-03-17 Thread Dennis Peterson
Tomasz Kojm said:
 On Thu, 17 Mar 2005 18:21:04 +
 Brian Morrison [EMAIL PROTECTED] wrote:

 On Thu, 17 Mar 2005 19:15:44 +0100 in
 [EMAIL PROTECTED] Tomasz Kojm [EMAIL PROTECTED]
 wrote:

So, why the difference between what freshclam thinks the number
of signatures is, and what clamd thinks?
 
   Your clamd doesn't support meta-data signatures.

 So that will be a feature of 0.84 then?

 Yes, it will (already supported in CVS).

It appears that quite a lot is happening in the CVS now - is .84 near? I'm
uncomfortable dropping CVS code into production as many are.

dp


Re: [Clamav-users] Latest virusdb update - mismatched signature count?

2005-03-17 Thread Tomasz Kojm
On Thu, 17 Mar 2005 11:29:31 -0800 (PST)
Dennis Peterson [EMAIL PROTECTED] wrote:

 It appears that quite a lot is happening in the CVS now - is .84 near?
 I'm uncomfortable dropping CVS code into production as many are.

Yes, 0.84rc1 is relatively near.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Mar 17 20:41:44 CET 2005




[Clamav-users] Re: ClamAV -- Squid Cache Integration

2005-03-17 Thread Sven Strickroth
Jon R. Kibler [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]
 Hello,

 Looking for a way to scan all incoming web content using ClamAV. Is anyone 
 aware of any integration of ClamAV into the Squid Cache proxy server? 
 Similar open-source solutions?

I prefer/use Dansguardian: http://www.dansguardian.org 





Re: [Clamav-users] Latest virusdb update - mismatched signature count?

2005-03-17 Thread clamav

At 10:24 AM 3/17/2005, Tomasz Kojm wrote:
 Yes, it will (already supported in CVS).

this is ridiculous. my clamd system is now broken due to these changes that
are being propagated. i'm running the current .83 release. you should at
least support your current RELEASE version for all clients out there before
propagating changes to the db that are incompatible with it!!

S60clamd start
LibClamAV Error: Wrote 0 instead of 512
(/var/tmp//clamav-d8cafc6d942bbe89/main.db).
LibClamAV Error: cli_cvdload(): Can't unpack CVD file.
LibClamAV Error: Can't load /usr/local/share/clamav/main.cvd: CVD
extraction failure
ERROR: CVD extraction failure
Mar 17 12:25:32 klaatu clamd[9258]: [ID 495146 local6.error] CVD extraction
failure

Paul Theodoropoulos
http://www.anastrophe.com
http://www.smileglobal.com


Re: [Clamav-users] Latest virusdb update - mismatched signature count?

2005-03-17 Thread Tomasz Kojm
On Thu, 17 Mar 2005 12:33:42 -0800
[EMAIL PROTECTED] wrote:

 At 10:24 AM 3/17/2005, Tomasz Kojm wrote:
  Yes, it will (already supported in CVS).
 
 this is ridiculous. my clamd system is now broken due to these changes
 that are being propogated. i'm running the current .83 release. you
 should at least support your current RELEASE version for all clients
 out there before propogating changes to the db that are incompatible
 with it!!

Buy a book on UNIX administering, kiddy.

 LibClamAV Error: Wrote 0 instead of 512
 (/var/tmp//clamav-d8cafc6d942bbe89/main.db).
 LibClamAV Error: cli_cvdload(): Can't unpack CVD file.
 LibClamAV Error: Can't load /usr/local/share/clamav/main.cvd: CVD
 extraction failure
 ERROR: CVD extraction failure
 Mar 17 12:25:32 klaatu clamd[9258]: [ID 495146 local6.error] CVD
 extraction failure

...and start from a chapter on /tmp cleaning.

 Paul Theodoropoulos
 http://www.anastrophe.com
 http://www.smileglobal.com

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Mar 17 21:35:48 CET 2005




RES: [Clamav-users] timeout before data read

2005-03-17 Thread Junior
Thanks, Todd

I used --max-children=20 and the system is running 24 hours without errors.

Junior


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Todd Lyons
Sent: Wednesday, 16 March 2005 17:28
To: clamav-users@lists.clamav.net
Subject: Re: [Clamav-users] timeout before data read

Junior wanted us to know:

/usr/local/sbin/clamav-milter -dlDo --max-children=2

Try setting --max-children to something like 20 or 40.

-- 
Regards...  Todd
  We should not be building surveillance technology into standards.
  Law enforcement was not supposed to be easy.  Where it is easy, 
  it's called a police state. -- Jeff Schiller on NANOG
Linux kernel 2.6.8.1-12mdkenterprise   1 user,  load average: 0.01, 0.11,
0.17


Re: [Clamav-users] Latest virusdb update - mismatched signature count?

2005-03-17 Thread Todd Lyons
[EMAIL PROTECTED] wanted us to know:

Yes, it will (already supported in CVS).
this is ridiculous. my clamd system is now broken due to these changes that
are being propogated. i'm running the current .83 release. you should at
S60clamd start
LibClamAV Error: Wrote 0 instead of 512
(/var/tmp//clamav-d8cafc6d942bbe89/main.db).
LibClamAV Error: cli_cvdload(): Can't unpack CVD file.
LibClamAV Error: Can't load /usr/local/share/clamav/main.cvd: CVD
extraction failure
ERROR: CVD extraction failure
Mar 17 12:25:32 klaatu clamd[9258]: [ID 495146 local6.error] CVD extraction
failure

I get no errors on my system running a duplicate configuration.  Figure
out why clam cannot write to /var/tmp and you'll most likely solve your
problem.  See if df -i and df -h return anything useful.
-- 
Regards...  Todd
They that can give up essential liberty to obtain a little temporary 
safety deserve neither liberty nor safety.   --Benjamin Franklin
Linux kernel 2.6.8.1-12mdkenterprise   1 user,  load average: 0.24, 0.07, 0.02
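
The check suggested above (find out why clamd cannot write to /var/tmp; look at df -h and df -i), written as an added example that is not part of the original post and not ClamAV code. The function name, the 32 MiB size and the 64-block probe are assumptions; run it as the account clamd runs under, since permissions and quotas are per-user.

```python
import errno
import os
import shutil
import tempfile

BLOCK = 512  # block size named in the "Wrote 0 instead of 512" error


def probe_tempdir(path, need_bytes, probe_blocks=64):
    """Check whether the current user can unpack need_bytes under path.

    Returns a dict with free space, free inodes, a list of problems and an
    overall "ok" flag. Nothing is left behind in path afterwards.
    """
    report = {"path": path, "free_bytes": None, "free_inodes": None,
              "problems": []}
    try:
        vfs = os.statvfs(path)
    except OSError as exc:
        report["problems"].append("cannot stat %s: %s" % (path, exc.strerror))
        report["ok"] = False
        return report

    # Same figures as `df -h` (space) and `df -i` (inodes), counted for an
    # unprivileged user, i.e. without the blocks reserved for root.
    report["free_bytes"] = vfs.f_bavail * vfs.f_frsize
    if report["free_bytes"] < need_bytes:
        report["problems"].append("free space %d < needed %d bytes"
                                  % (report["free_bytes"], need_bytes))
    if vfs.f_files:  # some filesystems report 0 total inodes: nothing to check
        report["free_inodes"] = vfs.f_favail
        if vfs.f_favail < 2:  # one scratch directory plus one file
            report["problems"].append("only %d free inodes" % vfs.f_favail)

    # Real write test: create a scratch directory named like the one in the
    # error message and write 512-byte blocks, checking each short write.
    # This catches what df cannot: permissions, quotas, read-only mounts.
    workdir = None
    try:
        workdir = tempfile.mkdtemp(prefix="clamav-", dir=path)
        fd = os.open(os.path.join(workdir, "main.db"),
                     os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        try:
            for index in range(probe_blocks):
                written = os.write(fd, b"\0" * BLOCK)
                if written != BLOCK:
                    report["problems"].append(
                        "wrote %d instead of %d at block %d"
                        % (written, BLOCK, index))
                    break
            os.fsync(fd)  # force delayed allocation errors to surface now
        finally:
            os.close(fd)
    except OSError as exc:
        name = errno.errorcode.get(exc.errno, str(exc.errno))
        report["problems"].append("write test failed: %s (%s)"
                                  % (exc.strerror, name))
    finally:
        if workdir:
            shutil.rmtree(workdir, ignore_errors=True)

    report["ok"] = not report["problems"]
    return report


if __name__ == "__main__":
    # /var/tmp is the directory in the posted error; 32 MiB is a constructed
    # figure, not the real unpacked size of main.cvd.
    result = probe_tempdir("/var/tmp", 32 * 1024 * 1024)
    print("free bytes :", result["free_bytes"])
    print("free inodes:", result["free_inodes"])
    for problem in result["problems"]:
        print("PROBLEM    :", problem)
    print("ok" if result["ok"] else "NOT ok")
```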


Re: [Clamav-users] Latest virusdb update - mismatched signature count?

2005-03-17 Thread clamav
 At 10:24 AM 3/17/2005, Tomasz Kojm wrote:
  Yes, it will (already supported in CVS).

 this is ridiculous. my clamd system is now broken due to these changes
 that are being propogated. i'm running the current .83 release. you
 should at least support your current RELEASE version for all clients
 out there before propogating changes to the db that are incompatible
 with it!!
 Buy a book on UNIX administering, kiddy.

wow, aren't we the pompous one.

 LibClamAV Error: Wrote 0 instead of 512
 (/var/tmp//clamav-d8cafc6d942bbe89/main.db).
 LibClamAV Error: cli_cvdload(): Can't unpack CVD file.
 LibClamAV Error: Can't load /usr/local/share/clamav/main.cvd: CVD
 extraction failure
 ERROR: CVD extraction failure
 Mar 17 12:25:32 klaatu clamd[9258]: [ID 495146 local6.error] CVD
 extraction failure
 ...and start from a chapter on /tmp cleaning.

you've broken something in the distributed CVD's. i've seen other reports 
of this problem today. my clamd was working just fine, and i've plenty of 
disk space, swap space, and actual ram.

got any other brilliant suggestions, einstein?

Paul Theodoropoulos
http://www.anastrophe.com
http://www.smileglobal.com


Re: [Clamav-users] Latest virusdb update - mismatched signature count?

2005-03-17 Thread Tomasz Kojm
On Thu, 17 Mar 2005 12:48:10 -0800
[EMAIL PROTECTED] wrote:

 got any other brilliant suggestions, einstein?

I commiserate with your users.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Mar 17 21:49:19 CET 2005




Re: [Clamav-users] Latest virusdb update - mismatched signature count?

2005-03-17 Thread clamav
At 12:48 PM 3/17/2005, [EMAIL PROTECTED] wrote:
 you've broken something in the distributed CVD's. i've seen other reports 
 of this problem today.

correction, the other reports are regarding changes to the CVD format 
apparently, but don't match what i'm experiencing. as i said, plenty of 
disk, plenty of inodes, no memory shortage. that's why this suggested to me 
a problem with the CVD's.


Paul Theodoropoulos
http://www.anastrophe.com
http://www.smileglobal.com


RE: [Clamav-users] Latest virusdb update - mismatched signature count?

2005-03-17 Thread McDonald, Dan
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
At 12:48 PM 3/17/2005, [EMAIL PROTECTED] wrote:
you've broken something in the distributed CVD's. i've seen other reports 
of this problem today.

correction, the other reports are regarding changes to the CVD format 
apparently, but don't match what i'm experiencing. as i said, plenty of 
disk, plenty of inodes, no memory shortage. that's why this suggested to me

a problem with the CVD's.

Permissions perhaps?


Re: [Clamav-users] Latest virusdb update - mismatched signature count?

2005-03-17 Thread Matt Fretwell
[EMAIL PROTECTED] wrote:

 that's why this suggested to me a problem with the CVD's.

 Might one enquire then as to why no one else, up to just, are experiencing
this problem? Double check your system before blaming the software.


Matt


Re: [Clamav-users] Latest virusdb update - mismatched signature count?

2005-03-17 Thread clamav
At 01:05 PM 3/17/2005, Matt Fretwell wrote:
[EMAIL PROTECTED] wrote:
 that's why this suggested to me a problem with the CVD's.
 Might one enquire then as to why no one else, upto just, are experiencing
 this problem? Double check your system before blaming the software.

uh, that's essentially what i just said in that post. it *suggested* a 
problem with the software, and i misinterpreted the other problem reports 
in haste. since nothing's changed on my system, and my disk space, inodes, 
ram, permissions, etc are all okay, i jumped to a conclusion. i'm 
investigating further. i flew off the handle, which i don't usually do. 
i've apologized to Tomasz in private email. I apologize here now as well. i 
suggested to him in private email that maybe he got up on the wrong side of 
the bed with his personal attacks. clearly, i was projecting!

Paul Theodoropoulos
http://www.anastrophe.com
http://www.smileglobal.com


Re: [Clamav-users] Latest virusdb update - mismatched signature count?

2005-03-17 Thread Tomasz Kojm
On Thu, 17 Mar 2005 13:10:57 -0800
[EMAIL PROTECTED] wrote:

 At 01:05 PM 3/17/2005, Matt Fretwell wrote:
 
 [EMAIL PROTECTED] wrote:
 
   that's why this suggested to me a problem with the CVD's.
 
   Might one enquire then as to why no one else, upto just, are
   experiencing
 this problem? Double check your system before blaming the software.
 
 uh, that's essentially what i just said in that post. it *suggested* a
 problem with the software, and i misinterpreted the other problem
 reports  in haste. since nothing's changed on my system, and my disk
 space, inodes,  ram, permissions, etc are all okay, i jumped to a
 conclusion. i'm  investigating further. i flew off the handle, which i
 don't usually do.  i've apologized to Tomas in private email. I
 apologize here now as well. i  suggested to him in private email that
 maybe he got up on the wrong side of  the bed with his personal
 attacks. clearly, i was projecting!

Because our competences are often unfairly questioned on this list, my
reactions may be found somewhat ironic. I apologize.

Attached you can find a patch that (hopefully) will display some useful
information on the problem.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Mar 17 22:25:10 CET 2005




Re: [Clamav-users] Latest virusdb update - mismatched signature count?

2005-03-17 Thread Tomasz Kojm
On Thu, 17 Mar 2005 22:25:44 +0100
Tomasz Kojm [EMAIL PROTECTED] wrote:

 On Thu, 17 Mar 2005 13:10:57 -0800
 [EMAIL PROTECTED] wrote:
 
  At 01:05 PM 3/17/2005, Matt Fretwell wrote:
  
  [EMAIL PROTECTED] wrote:
  
that's why this suggested to me a problem with the CVD's.
  
Might one enquire then as to why no one else, upto just, are
experiencing
  this problem? Double check your system before blaming the software.
  
  uh, that's essentially what i just said in that post. it *suggested*
  a problem with the software, and i misinterpreted the other problem
  reports  in haste. since nothing's changed on my system, and my disk
  space, inodes,  ram, permissions, etc are all okay, i jumped to a
  conclusion. i'm  investigating further. i flew off the handle, which
  i don't usually do.  i've apologized to Tomas in private email. I
  apologize here now as well. i  suggested to him in private email
  that maybe he got up on the wrong side of  the bed with his personal
  attacks. clearly, i was projecting!
 
 Because our competences are often unfairly questioned on this list, my
 reactions may be find somewhat ironic. I apologize.
 
 Attached you can find a patch that (hopefully) will display some
 useful information on the problem.

Don't worry about the invalid signature in my last post. It's
probably a bug in Mailman which breaks signatures in PGP/MIME emails
with attachments.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Mar 17 22:26:58 CET 2005




Re: [Clamav-users] Re: How to Filter Spam Mails

2005-03-17 Thread .rp
I would recommend Bogofilter.


Re: [Clamav-users] Latest virusdb update - mismatched signature count?

2005-03-17 Thread Jan Pieter Cornet
On Thu, Mar 17, 2005 at 07:24:15PM +0100, Tomasz Kojm wrote:
Your clamd doesn't support meta-data signatures.
  So that will be a feature of 0.84 then?
 Yes, it will (already supported in CVS).

Great! I've been using meta-data signatures, via procmail, probably since
sircam came out in 2001, and it works very well. I'm still catching
mydoom variants using a procmail recipe I wrote in 2003 (much to my
surprise, I might add). (See http://www.xs4all.nl/~johnpc/procmailrc.txt
if you're interested).

But it's also bad, since if a high-profile virus scanner like ClamAV is
going to start matching meta-data, then virus writers are more likely to
notice and start changing it with each virus release, making my procmail
hackery less effective ;)

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm [EMAIL PROTECTED]
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}-(map{/p|f/i+/f/i}split//,$)+97):qw(m p f)[map{((ord$)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$;$f.eig;# Jan-Pieter Cornet


[Clamav-users] CPU dogging in 0.83 and current CVS

2005-03-17 Thread email builder
Hi,

  I recently upgraded from 0.80 to 0.83.  I have seen a dramatic increase in
CPU usage.  Running inside of amavisd-new, my five amavis servers hog the CPU
with around 20% each and up to 50% or more for one server process when the
others are idling.  Word had it that there was a Digest bug in 0.83 on the
amavis list, and that current CVS had a fix.  I just tried installing the
newest snapshot, and there was no change, so I rolled back to 0.80 and things
are back to normal.

  I looked over the clamav list archives for the last two months, but must
have missed relevant threads...?

  Fedora Core 2, amavisd-new 2.2.1, avg 45msg/min, spikes to 250msg/min, 0.80
CPU usage averages no more than 10% (often half that) per amavis server
process.  This is a production environment, but I can steal a minute to grab
debug output if needed (if I can figure out how...:))

TIA!





Re: [Clamav-users] ClamAV-milter sending delays

2005-03-17 Thread Dan Bongert

On Thu, 17 Mar 2005 18:58:46 +
Rob MacGregor [EMAIL PROTECTED] wrote:

 On Thu, 17 Mar 2005 12:10:28 -0600, Dan Bongert 
 [EMAIL PROTECTED] wrote:
  So, I've been using ClamAV quite successfully since the days of .66,
  and I've got a new problem. A user of mine is sending out a large 
  (but not humongous - ~500kb) that is filled with lots of equations 
  and other complicated stuff from Outlook (though there are problems 
  with other mailers too).
  
  What's happening is this: user sends email, and while the 
  connection is still open, sendmail passes the message via milter to 
  Clam, which scans it for viruses. A minute and a half later, Clam 
  has decided that the email is virus-free,  sendmail sends a 250 
  Message accepted for delivery, and the message is sent.
 
 What sort of hardware have you got and what sort of load is it under?
 
 On my largely idle 1 GHz box with 512 MB of RAM I see a ~550 KB PDF
 file scanned (through MIMEDefang) by both ClamAV and F-Prot in about 2
 seconds.  I haven't seen anything take longer than 10 seconds, even
 with SpamAssassin.

It's a pretty beefy box (though not even close to cutting-edge): dual 
PIII 1.13GHz processors, 1GB of RAM, FreeBSD 4.8. It's not 
particularly processor-bound--the load average is usually less than 
1, and top only reports 162MB of active RAM. I'm wondering if there 
might be something weird with .doc scanning (for macro viruses)? That 
wouldn't be a problem with PDFs...

-- 
Dan Bongert [EMAIL PROTECTED]
SSCC Unix System Administrator
___
http://lurker.clamav.net/list/clamav-users.html


[Clamav-users] Feature Request

2005-03-17 Thread karlp
Has anyone considered or requested that the URL for upgrading Clamav might
be put in the notice the admin receives when the following message is
sent:

WARNING: Your ClamAV installation is OUTDATED - please update immediately!

I may just poke through the source code, but my time can be better spent
elsewhere...

This is NOT meant to be taken as a high priority. Keeping my servers clean
from viruses is significantly more important than worrying about whether I
have to type clamav.net in the URL field.

Thanks for not flaming me.

___
http://lurker.clamav.net/list/clamav-users.html


[Clamav-users] GTK gui for Clamav

2005-03-17 Thread Michael
Does anyone know of a gtk gui frontend to clamav? I have looked around 
and haven't found one yet.

M
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] GTK gui for Clamav

2005-03-17 Thread Tomasz Kojm
On Thu, 17 Mar 2005 17:55:16 -0500
Michael [EMAIL PROTECTED] wrote:

 Does anyone know of a gtk gui frontend to clamav? I have looked around 
 and haven't found one yet.

This one looks nice but it depends on an additional library:

http://wolfpack.twu.net/Endeavour2/contrib/index.html#avscan

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Mar 17 23:57:42 CET 2005


___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] clamAV 0.83 milter discard infected message...

2005-03-17 Thread Daniel Suen
Yes, I mean the DISCARD in the milter; does anyone know how to do it? As far as 
I know, there are connection-oriented and message-oriented kinds of things 
in milters, and I do not know where to modify the code to do what I want.

Best,
Daniel.
___
http://lurker.clamav.net/list/clamav-users.html


[Clamav-users] Segmentation fault (0.83)

2005-03-17 Thread Alexander
Greetings,
Clamd works correctly in foreground.
/var/log/clamd.log
...
+++ Started at Thu Mar 17 22:56:17 2005
clamd daemon 0.83 (OS: linux-gnu, ARCH: i386, CPU: i686)
Log file size limited to 10485760 bytes.
Verbose logging activated.
Reading databases from /var/lib/clamav
Protecting against 31635 viruses.
Unix socket file /var/run/clamav/clamd
Setting connection queue length to 30
Listening daemon: PID: 8378
Archive: Archived file size limit set to 10485760 bytes.
Archive: Recursion level limit set to 8.
Archive: Files limit set to 1000.
Archive: Compression ratio limit set to 250.
Archive support enabled.
Archive: RAR support disabled.
Portable Executable support enabled.
Mail files support enabled.
OLE2 support enabled.
HTML support enabled.
Self checking every 1800 seconds.
No stats for Database check - forcing reload
Reading databases from /var/lib/clamav
Database correctly reloaded (31635 viruses)
/var/spool/exim/scan/1DCA1i-0006yG-Fh/1DCA1i-0006yG-Fh.eml: Worm.SomeFool.P FOUND

But in background mode:
/var/log/clamd.log
...
Archive: Recursion level limit set to 8.
Archive: Files limit set to 1000.
Archive: Compression ratio limit set to 250.
Archive support enabled.
Archive: RAR support disabled.
Portable Executable support enabled.
Mail files support enabled.
OLE2 support enabled.
HTML support enabled.
Self checking every 1800 seconds.
Segmentation fault :-( Bye..
Segmentation fault :-( Bye..
Segmentation fault :-( Bye..
Segmentation fault :-( Bye..
Segmentation fault :-( Bye..
Segmentation fault :-( Bye..
Segmentation fault :-( Bye..
Segmentation fault :-( Bye..
Segmentation fault :-( Bye..
Segmentation fault :-( Bye..
Which stops exim4 from receiving mail :-(
Any idea?
___
http://lurker.clamav.net/list/clamav-users.html
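
A way to narrow down a report like the one above, as an added example that is not part of the original post or of ClamAV: it compares the working and the crashing log to find the last message both runs share and the message the working run logged next. The two log strings are constructed from the excerpts in the post (abridged to three crash lines); the function name triage is hypothetical.

```python
# Constructed from the two clamd.log excerpts in the post (abridged).
FOREGROUND_LOG = """\
OLE2 support enabled.
HTML support enabled.
Self checking every 1800 seconds.
No stats for Database check - forcing reload
Reading databases from /var/lib/clamav
Database correctly reloaded (31635 viruses)
"""

BACKGROUND_LOG = """\
OLE2 support enabled.
HTML support enabled.
Self checking every 1800 seconds.
Segmentation fault :-( Bye..
Segmentation fault :-( Bye..
Segmentation fault :-( Bye..
"""

CRASH_MARKER = "Segmentation fault"


def triage(good_log, bad_log):
    """Compare a working run with a crashing run of the same daemon."""
    good = [line.strip() for line in good_log.splitlines() if line.strip()]
    bad = [line.strip() for line in bad_log.splitlines() if line.strip()]
    crash_count = sum(1 for line in bad if CRASH_MARKER in line)
    # Messages the crashing run managed to log before its first crash line.
    before_crash = []
    for line in bad:
        if CRASH_MARKER in line:
            break
        before_crash.append(line)
    last_ok = before_crash[-1] if before_crash else None
    # The step the working run logged right after that message is the
    # first thing the crashing run never reported: a place to start looking.
    next_expected = None
    if last_ok in good:
        idx = good.index(last_ok)
        if idx + 1 < len(good):
            next_expected = good[idx + 1]
    return {"crash_count": crash_count, "last_ok": last_ok,
            "next_expected": next_expected}


if __name__ == "__main__":
    for key, value in triage(FOREGROUND_LOG, BACKGROUND_LOG).items():
        print(f"{key}: {value}")
```

The result is a triage hint, not a diagnosis: it only shows which logged step separates the two runs.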


Re: [Clamav-users] ClamAV-milter sending delays

2005-03-17 Thread Rob MacGregor
On Thu, 17 Mar 2005 16:39:40 -0600, Dan Bongert [EMAIL PROTECTED] wrote:
 
 
 It's a pretty beefy box (though not even close to cutting-edge): dual
 PIII 1.13GHz processors, 1GB of RAM, FreeBSD 4.8. It's not
 particularly processor-bound--the load average is usually less than
 1, and top only reports 162MB of active RAM. I'm wondering if there
 might be something weird with .doc scanning (for macro viruses)? That
 wouldn't be a problem with PDFs...

Well, I just turned one of the RTF documents I've got kicking around
into a DOC, coming out at 480 KB.  That went through in ~3 seconds.

I suspect the possibility of a config problem on your box?

Worth checking - which milter are you using and are you using the
clamav from the ports?

-- 
 Please keep list traffic on the list.
Rob MacGregor
  Whoever fights monsters should see to it that in the process he 
doesn't become a monster.  Friedrich Nietzsche
___
http://lurker.clamav.net/list/clamav-users.html


R: [Clamav-users] Virus not identified in /var/spool/mqueue

2005-03-17 Thread Administrator
Hi,
I will use MailScanner from http://www.sng.ecs.soton.ac.uk/mailscanner/.
Alberto


--
From:  [EMAIL PROTECTED] on behalf of Rob
MacGregor[SMTP:[EMAIL PROTECTED]
Sent:  Thursday, March 17, 2005 7:52:46 PM
To:    ClamAV users ML
Subject:   Re: [Clamav-users] Virus not identified in /var/spool/mqueue
Auto forwarded by a Rule

On Thu, 17 Mar 2005 17:29:57 +0100, Administrator
[EMAIL PROTECTED] wrote:
 Hi,
 Version of Clamav 0.83/764 with HP-UX 11.11.
 
 When I try to scan a sendmail spool directory /var/spool/mqueue that 
 contains mail infected by the EICAR test virus and other viruses, Clamscan 
 does not find any attachments or viruses.
 Virus attachments are identified with another virus scanner like eTrust 
 Antivirus.

Simple answer - use one of the many milter options available to scan the
mail within sendmail.

-- 
 Please keep list traffic on the list.
Rob MacGregor
  Whoever fights monsters should see to it that in the process he 
doesn't become a monster.  Friedrich Nietzsche
___
http://lurker.clamav.net/list/clamav-users.html