[Clamav-users] Worm.Sober.U not being recognized
I'm running clamav-milter 0.87 from ClamAV 0.87.1 with sendmail 8.13.5, with a database that is fully up-to-date (main.cvd version 34, daily.cvd version 1182), but for some reason this setup is not catching Worm.Sober.U, and we're getting slammed pretty hard with it.

I've tried submitting the offending message on the virus submission page, but am told that:

    This virus is *already recognized* by ClamAV 0.87.1/1182/Mon Nov 21 20:43:47 2005 (timezone: +0100) as Worm.Sober.U. Be careful when submitting samples and remember to run freshclam!

Running clamscan --detect-broken finds the message, and generates no errors, but clamav-milter does not find the message when it comes in. clamd.log shows:

    Nov 21 14:08:18 paz clamav-milter[26450]: [ID 788897 local7.notice] jALM6n0R027652: clean message from [EMAIL PROTECTED]

for the scanned message.

-- 
Pete Hanson
http://www.well.com/user/wolfy
http://www.fotolog.net/wolfy
___
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Worm.Sober.U not being recognized
Pete 'Wolfy' Hanson wrote:
> Running clamscan --detect-broken finds the message, and generates no errors, but clamav-milter does not find the message when it comes in. clamd.log shows:
>
>     Nov 21 14:08:18 paz clamav-milter[26450]: [ID 788897 local7.notice] jALM6n0R027652: clean message from [EMAIL PROTECTED]

We've been detecting Worm.Sober.U here for a little over 2 hours (with daily.cvd 1182). If clamscan finds it, but clamav-milter doesn't, maybe for some reason clamd didn't load the updated database? Try restarting clamd and/or clamav-milter (I've never used the milter, so I'm not sure what's necessary) and see if that does it.

-- 
Kelson Vibber
SpeedGate Communications
www.speed.net
Re: [Clamav-users] Worm.Sober.U not being recognized
On 11/21/05, Kelson [EMAIL PROTECTED] wrote:
> We've been detecting Worm.Sober.U here for a little over 2 hours (with daily.cvd 1182). If clamscan finds it, but clamav-milter doesn't, maybe for some reason clamd didn't load the updated database? Try restarting clamd and/or clamav-milter (I've never used the milter, so I'm not sure what's necessary) and see if that does it.

I've already tried a couple of restarts to no avail.

-- 
Pete Hanson
http://www.well.com/user/wolfy
http://www.fotolog.net/wolfy
Re: [Clamav-users] Worm.Sober.U not being recognized
Pete 'Wolfy' Hanson wrote:
> On 11/21/05, Kelson [EMAIL PROTECTED] wrote:
>> We've been detecting Worm.Sober.U here for a little over 2 hours (with daily.cvd 1182). If clamscan finds it, but clamav-milter doesn't, maybe for some reason clamd didn't load the updated database? Try restarting clamd and/or clamav-milter (I've never used the milter, so I'm not sure what's necessary) and see if that does it.
>
> I've already tried a couple of restarts to no avail.

We are seeing the same issue here. We picked it up a little over 3 hours ago. clamd just seems not to detect it. I have tested using clamscan and it does find it, but if I switch our filter to use clamscan the load is outrageous. We have been able to add rawbody rules to our spam filters that score them high enough to stop them at the filter, but clamd does not seem to be detecting it.
RE: [Clamav-users] Worm.Sober.U not being recognized
Pete wrote:
> On 11/21/05, Kelson [EMAIL PROTECTED] wrote:
>> We've been detecting Worm.Sober.U here for a little over 2 hours (with daily.cvd 1182). If clamscan finds it, but clamav-milter doesn't, maybe for some reason clamd didn't load the updated database? Try restarting clamd and/or clamav-milter (I've never used the milter, so I'm not sure what's necessary) and see if that does it.
>
> I've already tried a couple of restarts to no avail.

What are your clamd and clamav-milter options?

-- 
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
Re: [Clamav-users] Worm.Sober.U not being recognized
On 11/21/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> What are your clamd and clamav-milter options?

    /usr/local/sbin/clamav-milter --headers --pidfile=/var/clamav/clamav-milter.pid --quiet /var/clamav/clamav-milter.sock

No clamd, since we aren't running with --external, which has worked well for a long time.

-- 
Pete Hanson
http://www.well.com/user/wolfy
http://www.fotolog.net/wolfy
Re: [Clamav-users] Worm.Sober.U not being recognized
Pete 'Wolfy' Hanson wrote:
> On 11/21/05, Kelson [EMAIL PROTECTED] wrote:
>> We've been detecting Worm.Sober.U here for a little over 2 hours (with daily.cvd 1182). If clamscan finds it, but clamav-milter doesn't, maybe for some reason clamd didn't load the updated database? Try restarting clamd and/or clamav-milter (I've never used the milter, so I'm not sure what's necessary) and see if that does it.

Does your freshclam send a signal to clamd to reload the new patterns? If not, you'll have to do that yourself.

Also note that although wonderful ClamAV is one of the few AVs that are currently detecting Sober.U, there are already some variants that even it can't catch. Looks like the prats are having a "let's release 100 different variants today" party :-(

-- 
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Clamav-users] Worm.Sober.U not being recognized
On Mon, 21 Nov 2005 14:04:43 -0900 Pete 'Wolfy' Hanson [EMAIL PROTECTED] wrote:
> On 11/21/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>> What are your clamd and clamav-milter options?
>
>     /usr/local/sbin/clamav-milter --headers --pidfile=/var/clamav/clamav-milter.pid --quiet /var/clamav/clamav-milter.sock
>
> No clamd, since we aren't running with --external, which has worked well for a long time.

Please post your clamd.conf file.

-- 
Tomasz Kojm [EMAIL PROTECTED]
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Tue Nov 22 00:07:53 CET 2005
Re: [Clamav-users] Worm.Sober.U not being recognized
On 11/21/05, Tomasz Kojm [EMAIL PROTECTED] wrote:
> Please post your clamd.conf file.

    LogFileMaxSize 0
    LogTime
    LogClean
    LogSyslog
    LogFacility LOG_LOCAL7
    PidFile /var/clamav/clamd.pid
    TemporaryDirectory /tmp
    FixStaleSocket
    TCPSocket 3310
    TCPAddr 127.0.0.1
    MaxConnectionQueueLength 20
    StreamMaxLength 2M
    MaxThreads 151
    ReadTimeout 60
    MaxDirectoryRecursion 1
    SelfCheck 1800
    User clamav
    ScanOLE2
    ScanMail
    ScanHTML
    ScanArchive
    ArchiveMaxFileSize 1M
    ArchiveMaxRecursion 1
    ArchiveMaxFiles 25
    ArchiveMaxCompressionRatio 200

-- 
Pete Hanson
http://www.well.com/user/wolfy
http://www.fotolog.net/wolfy
[Clamav-users] Re: Worm.Sober.U not being recognized
Pete 'Wolfy' Hanson wrote:
[snip]
> Running clamscan --detect-broken finds the message, and generates no errors, but clamav-milter does not find the message when it comes in. clamd.log shows:

The key is that clamscan --detect-broken is not the default clamd operation, and probably the same goes for the milter. Fix it by editing /etc/clamd.conf; make sure that the following are set:

    DisableDefaultScanOptions
    DetectBrokenExecutables

HTH
-- 
René Berber
Re: [Clamav-users] Worm.Sober.U not being recognized
On Mon, 21 Nov 2005 14:10:07 -0900 Pete 'Wolfy' Hanson [EMAIL PROTECTED] wrote:
>     MaxDirectoryRecursion 1

You should be more careful when changing the config options. With the current MaxDirectoryRecursion setting in your setup clamd/clamav-milter will fail to detect a lot of malware.

-- 
Tomasz Kojm [EMAIL PROTECTED]
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Tue Nov 22 00:19:16 CET 2005
Re: [Clamav-users] Re: Worm.Sober.U not being recognized
On Mon, 21 Nov 2005 17:11:25 -0600 René Berber [EMAIL PROTECTED] wrote:
> Fix it by editing /etc/clamd.conf; make sure that the following are set:
>
>     DisableDefaultScanOptions

Oh, no. Please do not enable this directive.

-- 
Tomasz Kojm [EMAIL PROTECTED]
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Tue Nov 22 00:21:18 CET 2005
Re: [Clamav-users] Worm.Sober.U not being recognized
Pete 'Wolfy' Hanson wrote:
> On 11/21/05, Kelson [EMAIL PROTECTED] wrote:
>> We've been detecting Worm.Sober.U here for a little over 2 hours (with daily.cvd 1182). If clamscan finds it, but clamav-milter doesn't, maybe for some reason clamd didn't load the updated database? Try restarting clamd and/or clamav-milter (I've never used the milter, so I'm not sure what's necessary) and see if that does it.
>
> I've already tried a couple of restarts to no avail.

I'm seeing the same thing here. My uvscan sees Sober, but since I restarted the server this morning at 10am there have been zero detections of anything from clamd at all. Only seven detections from uvscan over the same time period.

=
Kevin W. Gagel
Network Administrator
Information Technology Services
(250) 562-2131 local 448
My Blog: http://mail.cnc.bc.ca/blogs/gagel
---
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
Anti-spam information for CNC can be found at http://avas.cnc.bc.ca
---
Re: [Clamav-users] Re: Worm.Sober.U not being recognized
>     DisableDefaultScanOptions
>     DetectBrokenExecutables

No change in behavior with those opts.

-- 
Pete Hanson
http://www.well.com/user/wolfy
http://www.fotolog.net/wolfy
Re: [Clamav-users] Worm.Sober.U not being recognized
On 11/21/05, Tomasz Kojm [EMAIL PROTECTED] wrote:
>>     MaxDirectoryRecursion 1
>
> You should be more careful when changing the config options. With the current MaxDirectoryRecursion setting in your setup clamd/clamav-milter will fail to detect a lot of malware.

Maybe, but it doesn't seem to have anything to do with the problem at hand.

-- 
Pete Hanson
http://www.well.com/user/wolfy
http://www.fotolog.net/wolfy
Re: [Clamav-users] Worm.Sober.U not being recognized
> I'm seeing the same thing here. My uvscan sees Sober, but since I restarted the server this morning at 10am there have been zero detections of anything from clamd at all. Only seven detections from uvscan over the same time period.

FWIW, we're detecting other viruses and worms, but Worm.Sober.U is slipping through in large quantities. I can stop it elsewhere, but would rather have ClamAV handle it like it should.

-- 
Pete Hanson
http://www.well.com/user/wolfy
http://www.fotolog.net/wolfy
Re: [Clamav-users] Worm.Sober.U not being recognized
>> I'm seeing the same thing here. My uvscan sees Sober, but since I restarted the server this morning at 10am there have been zero detections of anything from clamd at all. Only seven detections from uvscan over the same time period.
>
> FWIW, we're detecting other viruses and worms, but Worm.Sober.U is slipping through in large quantities. I can stop it elsewhere, but would rather have ClamAV handle it like it should.

Same here, Pete. I'm just confirming what you're seeing...

=
Kevin W. Gagel
Network Administrator
Information Technology Services
(250) 562-2131 local 448
My Blog: http://mail.cnc.bc.ca/blogs/gagel
---
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
Anti-spam information for CNC can be found at http://avas.cnc.bc.ca
---
Re: [Clamav-users] Worm.Sober.U not being recognized
Kevin W. Gagel wrote:
> Pete 'Wolfy' Hanson wrote:
>> On 11/21/05, Kelson [EMAIL PROTECTED] wrote:
>>> We've been detecting Worm.Sober.U here for a little over 2 hours (with daily.cvd 1182). If clamscan finds it, but clamav-milter doesn't, maybe for some reason clamd didn't load the updated database? Try restarting clamd and/or clamav-milter (I've never used the milter, so I'm not sure what's necessary) and see if that does it.
>>
>> I've already tried a couple of restarts to no avail.
>
> I'm seeing the same thing here. My uvscan sees Sober, but since I restarted the server this morning at 10am there have been zero detections of anything from clamd at all. Only seven detections from uvscan over the same time period.

I'm using qmail-scanner / clamdscan. Since updating to daily.cvd 1182, Sober.U is being detected effectively. Before, they were getting through (and also through outdated ClamWin clients).

JT
Re: [Clamav-users] Worm.Sober.U not being recognized
On Mon, 21 Nov 2005 14:39:58 -0900 Pete 'Wolfy' Hanson [EMAIL PROTECTED] wrote:
> On 11/21/05, Tomasz Kojm [EMAIL PROTECTED] wrote:
>>>     MaxDirectoryRecursion 1
>>
>> You should be more careful when changing the config options. With the current MaxDirectoryRecursion setting in your setup clamd/clamav-milter will fail to detect a lot of malware.
>
> Maybe, but it doesn't seem to have anything to do with the problem at hand.

Not true. Anyway, I suspect your situation is now even worse. If you have enabled DisableDefaultScanOptions (a nasty option that will be removed in the next major release) as suggested in another post, your clamd/clamav-milter will fail to detect all malware in compressed executables because your config file misses the ScanPE option.

I would suggest using the following config in your case (it's based on the one you have sent here):

    LogFileMaxSize 0
    LogTime
    LogClean
    LogSyslog
    LogFacility LOG_LOCAL7
    PidFile /var/clamav/clamd.pid
    TemporaryDirectory /tmp
    FixStaleSocket
    TCPSocket 3310
    TCPAddr 127.0.0.1
    MaxConnectionQueueLength 20
    StreamMaxLength 2M
    MaxThreads 30
    ReadTimeout 60
    MaxDirectoryRecursion 10
    SelfCheck 1800
    User clamav
    ArchiveMaxFileSize 1M
    ArchiveMaxRecursion 8
    ArchiveMaxFiles 1000
    ArchiveMaxCompressionRatio 250

-- 
Tomasz Kojm [EMAIL PROTECTED]
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Tue Nov 22 00:41:58 CET 2005
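The thread ends up naming three ways a hand-edited clamd.conf silently weakens scanning: a very low MaxDirectoryRecursion, a very low ArchiveMaxRecursion, and DisableDefaultScanOptions set without re-enabling ScanPE. The following linter is an added example for this page, not ClamAV project code: it parses clamd.conf syntax (one directive per line, bare directive = switch on, '#' comments), reports those three conditions, and checks the posted config against the changes in the recommended one. The minimums of 10 and 8 are this example's choice, copied from Tomasz's recommended config above, not ClamAV defaults.

```python
"""Lint a clamd.conf for the mis-settings discussed in this thread.

Added example for this page, not ClamAV project code.  The parser follows
the clamd.conf format (one "Directive [value]" per line, '#' starts a
comment, a directive with no value is a boolean switch).  The thresholds
are this example's choice, copied from the recommended config in the thread.
"""
from typing import Dict, List, Optional, Tuple

# Scan switches that ClamAV 0.87 enables by default.  Listing them is
# redundant unless DisableDefaultScanOptions is set, in which case every
# one that is *not* listed stays off (the ScanPE pitfall from the thread).
DEFAULT_SCAN_OPTIONS = ("ScanPE", "ScanOLE2", "ScanMail", "ScanHTML", "ScanArchive")

# Minimums taken from the recommended config (assumption, not a ClamAV default).
MIN_DIRECTORY_RECURSION = 10
MIN_ARCHIVE_RECURSION = 8

Finding = Tuple[str, str]  # (directive, explanation)


def parse_clamd_conf(text: str) -> Dict[str, str]:
    """Map each directive to its value; a bare switch maps to 'yes'."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else "yes"
    return conf


def lint(conf: Dict[str, str]) -> List[Finding]:
    """Report the three weakening settings the thread identifies."""
    findings: List[Finding] = []
    for directive, minimum in (("MaxDirectoryRecursion", MIN_DIRECTORY_RECURSION),
                               ("ArchiveMaxRecursion", MIN_ARCHIVE_RECURSION)):
        value = conf.get(directive)
        if value is not None and int(value) < minimum:
            findings.append((directive, f"{value} is below {minimum}; nested content will go unscanned"))
    # DisableDefaultScanOptions turns off every default switch not re-listed.
    if conf.get("DisableDefaultScanOptions", "no").lower() in ("yes", "true", "1"):
        for opt in DEFAULT_SCAN_OPTIONS:
            if opt not in conf:
                findings.append((opt, "disabled by DisableDefaultScanOptions and not re-enabled"))
    return findings


def apply_changes(conf: Dict[str, str], changes: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Return a copy of conf with directives changed, or dropped when value is None."""
    out = dict(conf)
    for key, value in changes.items():
        if value is None:
            out.pop(key, None)
        else:
            out[key] = value
    return out


# The clamd.conf posted in the thread, reproduced as test input.
POSTED_CONF = """\
LogFileMaxSize 0
LogTime
LogClean
LogSyslog
LogFacility LOG_LOCAL7
PidFile /var/clamav/clamd.pid
TemporaryDirectory /tmp
FixStaleSocket
TCPSocket 3310
TCPAddr 127.0.0.1
MaxConnectionQueueLength 20
StreamMaxLength 2M
MaxThreads 151
ReadTimeout 60
MaxDirectoryRecursion 1
SelfCheck 1800
User clamav
ScanOLE2
ScanMail
ScanHTML
ScanArchive
ArchiveMaxFileSize 1M
ArchiveMaxRecursion 1
ArchiveMaxFiles 25
ArchiveMaxCompressionRatio 200
"""

# How the recommended config in the thread differs from the posted one
# (None = directive dropped because it is already on by default).
RECOMMENDED_CHANGES: Dict[str, Optional[str]] = {
    "MaxThreads": "30", "MaxDirectoryRecursion": "10", "ArchiveMaxRecursion": "8",
    "ArchiveMaxFiles": "1000", "ArchiveMaxCompressionRatio": "250",
    "ScanOLE2": None, "ScanMail": None, "ScanHTML": None, "ScanArchive": None,
}

if __name__ == "__main__":
    posted = parse_clamd_conf(POSTED_CONF)
    for directive, why in lint(posted):
        print(f"posted config: {directive}: {why}")
    print("recommended config findings:", lint(apply_changes(posted, RECOMMENDED_CHANGES)))
    # The DisableDefaultScanOptions suggestion applied to the posted config loses ScanPE too.
    patched = parse_clamd_conf(POSTED_CONF + "DisableDefaultScanOptions\nDetectBrokenExecutables\n")
    print("with DisableDefaultScanOptions:", [d for d, _ in lint(patched)])
```

Run against the posted config the linter flags MaxDirectoryRecursion and ArchiveMaxRecursion; after adding the two directives suggested earlier in the thread it additionally flags ScanPE as disabled, which is the extra breakage Tomasz describes; the recommended config produces no findings.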