Re: [Clamav-users] cpu utilization suddenly over 90% all the time

2006-01-10 Thread Trog
On Mon, 2006-01-09 at 15:37 -0800, Bill Shupp wrote:
> Bill Shupp wrote:
>
> > I see that 0.88 just came out.  I'll probably grab that soon.
> >
> > Can anyone verify whether linking statically to libclamav would make any
> > difference in cpu utilization?
>
> To follow up, I have gotten 0.88 installed on the main system, yet the
> clamd process still crawls up to 80-90%, and stays there.  There are
> only about 40 concurrent incoming smtp connections.  Message size is
> still limited to 1MB.

First, I would check the filesystem type of /tmp (or whatever you are
using). Make sure it is not sync'ed or journalling.

Next, I would investigate the pthreads libraries. If your system has
more than one to choose from, try the other one. Failing that, disable
thread support at compile time.

If that doesn't help, you'll need to do some profiling to find out where
all the time is being spent.

-trog



___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] RE: Report infected mail to the user

2006-01-10 Thread Jan Pieter Cornet
On Fri, Jan 06, 2006 at 12:37:02PM -0500, Chuck Swiger wrote:
> Anyway, amavisd-new lists a dozen or so examples:
>
> # Treat envelope sender address as unreliable and don't send sender
> # notification / bounces if name(s) of detected virus(es) match the list.
> # Note that virus names are supplied by external virus scanner(s) and are
> # not standardized, so virus names may need to be adjusted.
> # See README.lookups for syntax.
> #
> $viruses_that_fake_sender_re = new_RE(
>   qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
>   qr'tanatos|lentin|bridex|mimail|trojan\.dropper'i,
> );

This list is pretty much incomplete (at least sober, somefool and mydoom
are missing, to name a few). And having this makes you follow the latest
virus definitions scanning for possible new virus strands that fake their
sender.

I believe it's way easier to do the opposite: list only viruses that do
NOT fake the sender. The only ones you'd expect to find in email are
things like eicar, joke and macro viruses.

This is probably a better regex:

$viruses_that_dont_fake_sender_re =
    qr{ ^( Joke
         | Eicar
         | OF97
         | WM(97)?
         | W(97)?M
         | (Word)?Macro
         )(\b|_)
      }xi;

Anyone got any comment or suggestions about this list? (You can of course
include all old-fashioned .com and .exe infectors, and it would be wise to
do so for any still in the wild, but I don't know if there are any.)

Unfortunately the information available from various virus scanners never
includes a field "virus has its own SMTP engine and fakes sender addresses",
or this would be a lot easier.

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm [EMAIL PROTECTED]
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}-(map{/p|f/i+/f/i}split//,$)+97):qw(m p f)[map{((ord$)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$;$f.eig;# Jan-Pieter Cornet


Re: [Clamav-users] Squirriel Mail clamav scanner

2006-01-10 Thread Joe Polk

Paul Matthews wrote:

> I seem to have started a rather in-depth argument, so from all that i guess
> i just have this to say.
>
> 1. Stephen Gran, you mention a 'php library with clamav bindings' how does
> that help me? is that something i should be looking into in relation to a
> SquirrelMail plugin?
>
> 2. James Kosin, you've said 'be sure to get clamdscan to scan for viruses or
> get a script to scan when checking email. There are plenty of choices out
> there.' Can you point me in the direction of a few of those scripts?
>
> 3. Joe Polk, you said 'OpenWebMail has a hook into clamav and it looks
> better than Squirrelmail'. I know this, that's where i got the idea, but i'm
> using SquirrelMail on my server at the moment with a lot of SquirrelMail
> plugins, so i would like to stay with it. But both are webmail clients, i
> would imagine if one could do it so could the other ...

I don't serve my own mail much anymore but when I did I milted sendmail
through clamd and just left my users out of it. Not elegant and certainly
it takes some of the control away from users, but sometimes you have to.

JP


Re: [Clamav-users] Squirriel Mail clamav scanner

2006-01-10 Thread Dennis Peterson
Joe Polk said:
> Paul Matthews wrote:
>
> > I seem to have started a rather in-depth argument, so from all that i guess
> > i just have this to say.
> >
> > 1. Stephen Gran, you mention a 'php library with clamav bindings' how does
> > that help me? is that something i should be looking into in relation to a
> > SquirrelMail plugin?
> >
> > 2. James Kosin, you've said 'be sure to get clamdscan to scan for viruses or
> > get a script to scan when checking email. There are plenty of choices out
> > there.' Can you point me in the direction of a few of those scripts?
> >
> > 3. Joe Polk, you said 'OpenWebMail has a hook into clamav and it looks
> > better than Squirrelmail'. I know this, that's where i got the idea, but i'm
> > using SquirrelMail on my server at the moment with a lot of SquirrelMail
> > plugins, so i would like to stay with it. But both are webmail clients, i
> > would imagine if one could do it so could the other ...
>
> I don't serve my own mail much anymore but when I did I milted sendmail
> through clamd and just left my users out of it. Not elegant and certainly
> it takes some of the control away from users, but sometimes you have to.


The milter I use, J-Chkmail, allows users to choose if they wish to have
any or all of content, virus, xfiles enabled for inbound mail. All mail is
scanned outbound for viruses and spam, but not xfiles. There is no interface
to configure this and I have to do it manually until I complete a
web-based tool. This process is also integrated into Sendmail to allow
them to declare in the access table if they are a spam friend or not.

dp


Re: [Clamav-users] RE: Report infected mail to the user

2006-01-10 Thread Kelson Vibber

Jan Pieter Cornet wrote:

> I believe it's way easier to do the opposite: list only viruses that do
> NOT fake the sender. The only ones you'd expect to find in email are
> things like eicar, joke and macro viruses.

I just check for a small list (Mimail, Sober, etc.), plus anything that
starts with "Worm." or contains "@mm".  @MM is used by Norton, McAfee
and others to indicate a worm that does its own mass mailing.  Yeah, the
criteria are slightly different -- it's looking for self-mailers and
worms rather than specifically self-mailers that forge the sender -- but
it does the job here.



--
Kelson Vibber
SpeedGate Communications, www.speed.net
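
The three policies discussed in this thread (the old amavisd-new denylist, Jan Pieter Cornet's allowlist, and Kelson Vibber's self-mailer heuristic) compared on the same names, as an added example that is not part of the original posts or of amavisd-new. The regexes are transliterated from the Perl quoted above into Python; the sample names and the `notify_sender` / `notified` helpers are constructed for illustration.

```python
import re

# Old amavisd-new default quoted in the thread: names assumed to forge the sender.
FAKE_SENDER_RE = re.compile(
    r"nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar"
    r"|tanatos|lentin|bridex|mimail|trojan\.dropper", re.I)

# Jan Pieter Cornet's inverse list: names assumed NOT to forge the sender.
DONT_FAKE_SENDER_RE = re.compile(
    r"^(Joke|Eicar|OF97|WM(97)?|W(97)?M|(Word)?Macro)(\b|_)", re.I)

# Kelson Vibber's heuristic. Only the two families he names are listed;
# case-insensitive matching is an assumption.
SELF_MAILER_RE = re.compile(r"mimail|sober|^Worm\.|@mm", re.I)

POLICIES = ("denylist", "allowlist", "self_mailer")

def notify_sender(virus_name, policy):
    """Return True if the envelope sender would get a notification or bounce."""
    if policy == "denylist":     # fails open: unlisted names are notified
        return FAKE_SENDER_RE.search(virus_name) is None
    if policy == "allowlist":    # fails closed: unlisted names are not notified
        return DONT_FAKE_SENDER_RE.search(virus_name) is not None
    if policy == "self_mailer":  # fails open for anything that is not a worm
        return SELF_MAILER_RE.search(virus_name) is None
    raise ValueError(f"unknown policy: {policy}")

# Constructed scanner-style names for illustration, not taken from a real log.
SAMPLES = [
    "Worm.Sober.U", "Worm.SomeFool.P", "W32.Mydoom.A@mm", "Worm.Klez.H",
    "Trojan.Dropper-12", "Eicar-Test-Signature", "W97M.Sample.A", "Joke.Sample",
]

def notified(policy, names=SAMPLES):
    """Names from `names` for which `policy` would notify the sender."""
    return [n for n in names if notify_sender(n, policy)]

if __name__ == "__main__":
    for name in SAMPLES:
        row = "  ".join(f"{p}={notify_sender(name, p)!s:<5}" for p in POLICIES)
        print(f"{name:<22} {row}")
```

On these samples the denylist still notifies the sender for the Sober, SomeFool and Mydoom names, the families reported as missing from it, while the allowlist notifies only for the Eicar, macro and joke names.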


[Clamav-users] sourceforge fubar?

2006-01-10 Thread clamav
i'm trying to download .88, and each time i try, sourceforge takes me 
to an incredibly lame full screen ad for star wars light sabers or 
some such crap. won't let me download. anyone else experiencing this?



Paul Theodoropoulos
http://www.anastrophe.com
http://www.smileglobal.com
http://www.forumgarden.com






Re: [Clamav-users] sourceforge fubar?

2006-01-10 Thread clamav

At 10:56 AM 1/10/2006, you wrote:
> i'm trying to download .88, and each time i try, sourceforge takes
> me to an incredibly lame full screen ad for star wars light sabers
> or some such crap. won't let me download. anyone else experiencing this?


scratch that. bypassed the idiocy using lynx on the shell. sheesh.



Paul Theodoropoulos
http://www.anastrophe.com
http://www.smileglobal.com
http://www.forumgarden.com






Re: [Clamav-users] sourceforge fubar?

2006-01-10 Thread Brian Morrison
On Tue, 10 Jan 2006 10:56:52 -0800 in
[EMAIL PROTECTED] [EMAIL PROTECTED]
wrote:

> i'm trying to download .88, and each time i try, sourceforge takes me
> to an incredibly lame full screen ad for star wars light sabers or
> some such crap. won't let me download. anyone else experiencing this?

I had some problems with some mirrors, I forget which ones though, and
I forget which one eventually worked.

Would you like me to mail the tarball to you?

-- 

Brian Morrison

bdm at fenrir dot org dot uk

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html


Re: [Clamav-users] RE: Report infected mail to the user

2006-01-10 Thread Noel Jones

At 06:51 AM 1/10/2006, Jan Pieter Cornet wrote:

> On Fri, Jan 06, 2006 at 12:37:02PM -0500, Chuck Swiger wrote:
> > Anyway, amavisd-new lists a dozen or so examples:
> >
> > # Treat envelope sender address as unreliable and don't send sender
> > # notification / bounces if name(s) of detected virus(es) match the list.
> > # Note that virus names are supplied by external virus scanner(s) and are
> > # not standardized, so virus names may need to be adjusted.
> > # See README.lookups for syntax.
> > #
> > $viruses_that_fake_sender_re = new_RE(
> >   qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
> >   qr'tanatos|lentin|bridex|mimail|trojan\.dropper'i,
> > );
>
> This list is pretty much incomplete (at least sober, somefool and mydoom
> are missing, to name a few). And having this makes you follow the latest
> virus definitions scanning for possible new virus strands that fake their
> sender.
>
> I believe it's way easier to do the opposite: list only viruses that do
> NOT fake the sender. The only ones you'd expect to find in email are
> things like eicar, joke and macro viruses.


For the last couple years amavisd-new assumes the sender is 
fake but for a few exceptions by default.  The above list 
is from a much older version which required manual updating.


--
Noel Jones 




[Clamav-users] anti-virus imap scanner

2006-01-10 Thread Paul Matthews
hi there,

i'm looking for a way to scan e-mails that arrive on my imap server.

i'm looking for a way to scan incoming mail on an imap server before it
gets to the user?

is there a program out there that does this?




Re: [Clamav-users] anti-virus imap scanner

2006-01-10 Thread Dennis Peterson
Paul Matthews said:
> hi there,
>
> i'm looking for a way to scan e-mails that arrive on my imap server.
>
> i'm looking for a way to scan incoming mail on an imap server before it
> gets to the user?
>
> is there a program out there that does this?

How are they getting onto your imap server?

dp


RE: [Clamav-users] anti-virus imap scanner

2006-01-10 Thread Paul Matthews
> How are they getting onto your imap server?
>
> dp

either via squirrelmail web client or thunderbird.



RE: [Clamav-users] anti-virus imap scanner

2006-01-10 Thread Paul Matthews
i'm sorry i think i read your last e-mail wrong, are you asking how my
users check their mail or how viruses are getting in? i just want to scan
e-mails before they get to my clients.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Paul Matthews
Sent: Wednesday, 11 January 2006 2:57
To: ClamAV users ML
Subject: RE: [Clamav-users] anti-virus imap scanner


How are they getting onto your imap server?

dp

either via squirrelmail web client or thunderbird.



RE: [Clamav-users] anti-virus imap scanner

2006-01-10 Thread Dennis Peterson
Paul Matthews said:
> i'm sorry i think i read your last e-mail wrong, are you asking how my
> users check their mail or how viruses are getting in? i just want to scan
> e-mails before they get to my clients.


Please resist the urge to top post.

So then is there an smtp server that is receiving these messages and
storing them locally for pickup via imap, and if so, what is the name of
that smtp server?

dp