Re: [Clamav-users] clamav-daemon didn't recognise attached virus
Rob MacGregor wrote:
> On Wed, Apr 21, 2010 at 16:02, Thomas Herzog thomas.her...@leoni.com wrote:
>> Hello,
>> We're running clamav 0.95.3 with amavisd-new-2.6.1 and postfix 2.5.5. Sending a message with a virus attached clamav-daemon didn't find it.
>
> - http://www.clamav.net/lang/en/sendvirus/
>
> --
> Please keep list traffic on the list.
>
> Rob MacGregor
> Whoever fights monsters should see to it that in the process he doesn't become a monster. Friedrich Nietzsche
> ___
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml

Thanks for your reply, just to get this right. The virus is detected by the binaries clamdscan or clamscan, but not by the daemon called through amavis - see the attachment of my first post. I've uploaded the virus anyway as requested.

Thanks
Thomas H.

WARNING: Ignoring deprecated option ArchiveLimitMemoryUsage at line 12
WARNING: Ignoring deprecated option ArchiveLimitMemoryUsage at line 12
/tmp/UPS_invoice_4557.zip: Suspect.Bredozip-zippwd-5 FOUND

--- SCAN SUMMARY ---
Infected files: 1
Time: 0.004 sec (0 m 0 s)

LibClamAV Warning: ***
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***
/tmp/UPS_invoice_4557.zip: Suspect.Bredozip-zippwd-5 FOUND

--- SCAN SUMMARY ---
Known viruses: 757667
Engine version: 0.95.3
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.04 MB (ratio 0.00:1)
Time: 5.698 sec (0 m 5 s)
Re: [Clamav-users] clamav-daemon didn't recognise attached virus
Thomas Herzog wrote:
> Rob MacGregor wrote:
>> On Wed, Apr 21, 2010 at 16:02, Thomas Herzog thomas.her...@leoni.com wrote:
>>> Hello,
>>> We're running clamav 0.95.3 with amavisd-new-2.6.1 and postfix 2.5.5. Sending a message with a virus attached clamav-daemon didn't find it.
>>
>> - http://www.clamav.net/lang/en/sendvirus/
>>
>> --
>> Please keep list traffic on the list.
>>
>> Rob MacGregor
>> Whoever fights monsters should see to it that in the process he doesn't become a monster. Friedrich Nietzsche
>
> Thanks for your reply, just to get this right. The virus is detected by the binaries clamdscan or clamscan, but not by the daemon called through amavis - see the attachment of my first post. I've uploaded the virus anyway as requested.
>
> Thanks
> Thomas H.
>
> WARNING: Ignoring deprecated option ArchiveLimitMemoryUsage at line 12
> WARNING: Ignoring deprecated option ArchiveLimitMemoryUsage at line 12
> /tmp/UPS_invoice_4557.zip: Suspect.Bredozip-zippwd-5 FOUND
>
> --- SCAN SUMMARY ---
> Infected files: 1
> Time: 0.004 sec (0 m 0 s)
>
> LibClamAV Warning: ***
> LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
> LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
> LibClamAV Warning: ***
> /tmp/UPS_invoice_4557.zip: Suspect.Bredozip-zippwd-5 FOUND
>
> --- SCAN SUMMARY ---
> Known viruses: 757667
> Engine version: 0.95.3
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> Data read: 0.04 MB (ratio 0.00:1)
> Time: 5.698 sec (0 m 5 s)

Result: This virus is already recognized by ClamAV 0.96/10781/Thu Apr 22 04:55:30 2010 (timezone: ) as Suspect.Bredozip-zippwd-5. Be careful when submitting samples and remember to run freshclam! Check the FAQ now
Re: [Clamav-users] clamav-daemon didn't recognise attached virus
On Thu, Apr 22, 2010 at 07:16, Thomas Herzog thomas.her...@leoni.com wrote:
> Thanks for your reply, just to get this right. The virus is detected by the binaries clamdscan or clamscan, but not by the daemon called through amavis - see the attachment of my first post.

Then you have a problem with the way Amavis is calling ClamAV. The few lines in that log file aren't sufficient to identify the cause of the problem. Amongst other things, check that you don't have multiple copies of ClamAV installed and that Amavis isn't running one while you're manually running a different one.

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he doesn't become a monster. Friedrich Nietzsche
Re: [Clamav-users] Way, way, way OT: Re: (no subject)
On 4/21/10 11:08 PM, Steve Holdoway wrote:
> Alienating those 'asshat whiners' will revert them to being windows admins, and our career prospects dwindle ever further. I'm over that, too.

It means I'll always have a job if there is no competition. I don't have any notion of ever being a Windows admin (else why all the study of computer science?) so can't relate to your concern. Fact is I'm old and tired and long for the promise of retirement. I'm 64 now but if I were 20 and just getting into this business I'd listen to me. I know many immutable things about data centers. It's a vanishing art.

dp
Re: [Clamav-users] Clubbing a deceased equine
On 22.04.2010 06:20, Dennis Peterson wrote:
> Suggest at least one way to inform all the users successfully that obsolete software is going to die soon - and don't let it slip past you in your solution that the ClamAV people have no way of knowing who they need to inform. And recall too, this: Filling their logs with warnings didn't work. Posting the notice on the front page of their website didn't work. Running commentary in this list didn't work. Announcing it in their Announcements list didn't work.

Every major software project hits this road block sooner or later and solves it in an acceptable way. This is not rocket science. I am pretty sure some way of versioning support was on the table during the decision making process and was rejected. Knowing the rationale behind it would be nice. I think it was a bad decision but knowing how the decision was made (the other side of the argument so to speak) would help.

[...]

> We're left with this: The problem affected only those that did not pay adequate attention. There is no cure for that.

Our problem statements differ. I am against clamav's right to turn off services on other people's computers which does not say anything on sysadmins who may or may not be paying attention.

> So here's a message to everyone that was surprised: PAY ATTENTION because there's going to be a next time!

I hope not.

--
Eray
Re: [Clamav-users] clamav-daemon didn't recognise attached virus
Rob MacGregor wrote:
> On Thu, Apr 22, 2010 at 07:16, Thomas Herzog thomas.her...@leoni.com wrote:
>> Thanks for your reply, just to get this right. The virus is detected by the binaries clamdscan or clamscan, but not by the daemon called through amavis - see the attachment of my first post.
>
> Then you have a problem with the way Amavis is calling ClamAV. The few lines in that log file aren't sufficient to identify the cause of the problem. Amongst other things, check that you don't have multiple copies of ClamAV installed and that Amavis isn't running one while you're manually running a different one.
>
> --
> Please keep list traffic on the list.
>
> Rob MacGregor
> Whoever fights monsters should see to it that in the process he doesn't become a monster. Friedrich Nietzsche

Amavis seems to be calling the clam daemon, it finds also some other exploits, viruses...

/var/log/clamav/clamav.log:
Thu Apr 22 08:15:07 2010 -> /tmp/UPS_invoice_4557.zip: Suspect.Bredozip-zippwd-5 FOUND
Thu Apr 22 08:23:53 2010 -> /var/lib/amavis/tmp/amavis-20100422T082307-19639/parts/p002: Exploit.HTML.IFrame-8 FOUND
Thu Apr 22 08:23:53 2010 -> /var/lib/amavis/tmp/amavis-20100422T082307-19639/parts/p003: Worm.NetSky-14 FOUND

Here you can see (UPS_invoice_4557.zip) was recognized with manually scanning.

lxhv1m02:~# dpkg -l | grep clam
ii  clamav            0.95.3+dfsg-1~volatile1  anti-virus utility for Unix - command-line i
ii  clamav-base       0.95.3+dfsg-1~volatile1  anti-virus utility for Unix - base package
ii  clamav-daemon     0.95.3+dfsg-1~volatile1  anti-virus utility for Unix - scanner daemon
ii  clamav-freshclam  0.95.3+dfsg-1~volatile1  anti-virus utility for Unix - virus database
ii  libclamav6        0.95.3+dfsg-1~volatile1  anti-virus utility for Unix - library

lxhv1m02:~# ps -eaf | grep clam
clamav    2926      1  0  2009 ?        00:01:49 /usr/bin/freshclam -d --quiet
clamav   16517      1  1 Apr21 ?        00:12:39 /usr/sbin/clamd
root     25902  23655  0 08:58 pts/1    00:00:00 grep clam

lxhv1m02:~# grep ctl /etc/amavis/conf.d/15-av_scanners
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],

lxhv1m02:~# grep ctl /etc/clamav/clamd.conf
LocalSocket /var/run/clamav/clamd.ctl

Looks good to me...any ideas left?

/Thomas
Re: [Clamav-users] Clubbing a deceased equine
Dennis Peterson wrote:
>> I believe that best practice with this sort of thing is to only issue warnings and not to actually force a potentially harmful change without *express* consent of the user.
>
> Suggest at least one way to inform all the users successfully that obsolete software is going to die soon - and don't let it slip past you in your solution that the ClamAV people have no way of knowing who they need to inform. And recall too, this: Filling their logs with warnings didn't work. Posting the notice on the front page of their website didn't work. Running commentary in this list didn't work. Announcing it in their Announcements list didn't work. You don't know a way, they don't know a way, and I know for a fact it cannot be done

If you start with the pre-requisite that you must stop old versions working then you are correct. Remove that pre-requisite and you are not. More than one suggestion has been made of how the team could have just moved on and left the old versions behind - without having to kill them. These suggestions have been rubbished for various (mostly false) reasons.

People keep saying it's the user/admin's fault, that the user/admin should take all the blame, and that the user/admin should suffer the consequences. Fair enough - how about this for a really odd idea - why not just stop providing AV updates to the older versions, and let the users/admins take the responsibility and consequences if they continue to ignore the warnings that updates have stopped working.

If they ignore "things aren't working" errors then I'd agree with you - let them deal with it. I don't agree with the argument that "things are not optimal" is a warning to upgrade before things go bang.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
Re: [Clamav-users] clamav-daemon didn't recognise attached virus
On 04/22/2010 10:24 AM, Török Edwin wrote:
> lxhv1m02:~# grep ctl /etc/amavis/conf.d/15-av_scanners
>   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],

You need to tell amavis to pass the entire message to ClamAV, try:

$bypass_decode_parts = 1;

I think your amavis tried to decode the message, and pass only parts of it to ClamAV.

Best regards,
--Edwin
[Clamav-users] clamscan fails from mimedefang with large third-party databases
This might be a question for the mimedefang list, but I thought I'd try here first in case I'm missing something obviously related to clam.

I've had 0.95.3 running since it came out with no problems, but 0.96 returns an error of 2 (which the man explains as "Some error(s) occured.") when mimedefang tries to run it with my default config. It's using clamscan, which works fine from the command line.

If I go into my signature directory and move the largest of the databases away (SaneSecurity's jurlbl.ndb, for example), it works fine. When I move them back, I get the error code 2 again. I didn't notice if specific databases were causing the problem, or if it was only when the total size topped a certain number. (I've rolled back for the moment and am not in a good position to experiment right now, but I can test that later if necessary.)

I tried to add a --debug, but I don't know where those messages go (yes, I know a question for the mimedefang guys) in that context. But, anyway, do you guys have any clever suggestions?

Before you ask, I don't use clamdscan because I've never needed to, and it's been one less thing to go wrong, up until now anyway.

I suppose I should note that I got a number of compiler warnings during the make (see thread: "0.96 compile warnings on FreeBSD 7.1"). Things ran smoothly for a little while without the larger databases, but I'd rather not leave the system up without the phish database and such.

Jeffrey Moskot
System Administrator
j...@math.miami.edu
Re: [Clamav-users] clamav-daemon didn't recognise attached virus
Török Edwin wrote:
> On 04/22/2010 10:01 AM, Thomas Herzog wrote:
>> Amavis seems to be calling the clam daemon, it finds also some other exploits, viruses...
>>
>> /var/log/clamav/clamav.log:
>> Thu Apr 22 08:15:07 2010 -> /tmp/UPS_invoice_4557.zip: Suspect.Bredozip-zippwd-5 FOUND
>
> BTW attachments are automatically removed on this mailing list.
>
>> Thu Apr 22 08:23:53 2010 -> /var/lib/amavis/tmp/amavis-20100422T082307-19639/parts/p002: Exploit.HTML.IFrame-8 FOUND
>> Thu Apr 22 08:23:53 2010 -> /var/lib/amavis/tmp/amavis-20100422T082307-19639/parts/p003: Worm.NetSky-14 FOUND
>>
>> Here you can see (UPS_invoice_4557.zip) was recognized with manually scanning.
>
> Is that the email, or the attachment? I guess it is the attachment. Try scanning the email containing that attachment with clamscan/clamdscan, and see if it is detected.
>
>> lxhv1m02:~# dpkg -l | grep clam
>> ii  clamav            0.95.3+dfsg-1~volatile1  anti-virus utility for Unix - command-line i
>> ii  clamav-base       0.95.3+dfsg-1~volatile1  anti-virus utility for Unix - base package
>> ii  clamav-daemon     0.95.3+dfsg-1~volatile1  anti-virus utility for Unix - scanner daemon
>> ii  clamav-freshclam  0.95.3+dfsg-1~volatile1  anti-virus utility for Unix - virus database
>> ii  libclamav6        0.95.3+dfsg-1~volatile1  anti-virus utility for Unix - library
>>
>> lxhv1m02:~# ps -eaf | grep clam
>> clamav    2926      1  0  2009 ?        00:01:49 /usr/bin/freshclam -d --quiet
>> clamav   16517      1  1 Apr21 ?        00:12:39 /usr/sbin/clamd
>> root     25902  23655  0 08:58 pts/1    00:00:00 grep clam
>>
>> lxhv1m02:~# grep ctl /etc/amavis/conf.d/15-av_scanners
>>   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
>>
>> lxhv1m02:~# grep ctl /etc/clamav/clamd.conf
>> LocalSocket /var/run/clamav/clamd.ctl
>>
>> Looks good to me...any ideas left?
>>
>> /Thomas

Hi,

The attachment should be listed as logging.TXT under following link:
http://old.nabble.com/clamav-daemon-didn%27t-recognise-attached-virus-to28288042.html#a28288042
direct link: http://old.nabble.com/file/p28288042/logging.TXT

Scanning the msg gives me the same output:

lxhv1m02:~# clamdscan /tmp/UPS Delivery Problem NR 09045..msg
WARNING: Ignoring deprecated option ArchiveLimitMemoryUsage at line 12
WARNING: Ignoring deprecated option ArchiveLimitMemoryUsage at line 12
/tmp/UPS Delivery Problem NR 09045..msg: Suspect.Bredozip-zippwd-5 FOUND

--- SCAN SUMMARY ---
Infected files: 1
Time: 0.102 sec (0 m 0 s)

lxhv1m02:~# clamscan /tmp/UPS Delivery Problem NR 09045..msg
LibClamAV Warning: ***
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***
/tmp/UPS Delivery Problem NR 09045..msg: Suspect.Bredozip-zippwd-5 FOUND

--- SCAN SUMMARY ---
Known viruses: 757668
Engine version: 0.95.3
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.06 MB (ratio 0.00:1)
Time: 2.137 sec (0 m 2 s)

lxhv1m02:~# tail /var/log/clamav/clamav.log
Thu Apr 22 08:15:07 2010 -> /tmp/UPS_invoice_4557.zip: Suspect.Bredozip-zippwd-5 FOUND
Thu Apr 22 08:23:53 2010 -> /var/lib/amavis/tmp/amavis-20100422T082307-19639/parts/p002: Exploit.HTML.IFrame-8 FOUND
Thu Apr 22 08:23:53 2010 -> /var/lib/amavis/tmp/amavis-20100422T082307-19639/parts/p003: Worm.NetSky-14 FOUND
Thu Apr 22 09:13:35 2010 -> SelfCheck: Database status OK.
Thu Apr 22 10:13:35 2010 -> SelfCheck: Database status OK.
Thu Apr 22 10:48:33 2010 -> Reading databases from /var/lib/clamav
Thu Apr 22 10:48:34 2010 -> Database correctly reloaded (757668 signatures)
Thu Apr 22 11:04:45 2010 -> /var/lib/amavis/tmp/amavis-20100422T110144-19947/parts/p001: HTML.Phishing.Bank-1272 FOUND
Thu Apr 22 11:13:35 2010 -> SelfCheck: Database status OK.
Thu Apr 22 11:45:19 2010 -> /tmp/UPS Delivery Problem NR 09045..msg: Suspect.Bredozip-zippwd-5 FOUND

Thanks
Thomas
Re: [Clamav-users] clamscan fails from mimedefang with large third-party databases
On Thu, 22 Apr 2010, jef moskot wrote:
> Things ran smoothly for a little while without the larger databases...

Hmm, looks like I spoke too soon. While it did catch bad messages, it barfed a little while doing so. A couple of examples...

===
libclamav JIT: Allocation failed when allocating new memory in the JIT
^[[0;1;31mlibclamav JIT: *** FATAL error encountered during bytecode generation
^[[0m./Work/INPUTMBOX: Sanesecurity.Junk.9210.UNOFFICIAL FOUND
===
libclamav JIT: Allocation failed when allocating new memory in the JIT
^[[0;1;31mlibclamav JIT: *** FATAL error encountered during bytecode generation
^[[0mLibClamAV Warning: fmap: map allocation failed
LibClamAV Warning: fmap: map allocation failed
LibClamAV Error: CRITICAL: fmap() failed
LibClamAV Warning: fmap: map allocation failed
LibClamAV Error: CRITICAL: fmap() failed
LibClamAV Warning: fmap: map allocation failed
LibClamAV Error: CRITICAL: fmap() failed
./Work/INPUTMBOX: local.sig.939.UNOFFICIAL FOUND
===

clamscanning from the command line doesn't seem to cause this problem. Maybe because it's doing something funky decoding mail messages when launched from mimedefang, as opposed to regular files sitting in a directory? Scanning mbox files from the command line doesn't seem to cause these errors.

Jeffrey Moskot
System Administrator
j...@math.miami.edu
Re: [Clamav-users] clamscan fails from mimedefang with large third-party databases
On 04/22/2010 12:47 PM, jef moskot wrote:
> This might be a question for the mimedefang list, but I thought I'd try here first in case I'm missing something obviously related to clam.
>
> I've had 0.95.3 running since it came out with no problems, but 0.96 returns an error of 2 (which the man explains as "Some error(s) occured.") when mimedefang tries to run it with my default config. It's using clamscan, which works fine from the command line.
>
> If I go into my signature directory and move the largest of the databases away (SaneSecurity's jurlbl.ndb, for example), it works fine. When I move them back, I get the error code 2 again. I didn't notice if specific databases were causing the problem, or if it was only when the total size topped a certain number. (I've rolled back for the moment and am not in a good position to experiment right now, but I can test that later if necessary.)
>
> I tried to add a --debug, but I don't know where those messages go (yes, I know a question for the mimedefang guys) in that context.

Well you can add --debug 2>/tmp/clamscan-debug. That way it'll always go to a place you know (assuming mimedefangs allow the redirection).

--Edwin
Re: [Clamav-users] clamscan fails from mimedefang with large third-party databases
On 04/22/2010 01:02 PM, jef moskot wrote:
> On Thu, 22 Apr 2010, jef moskot wrote:
>> Things ran smoothly for a little while without the larger databases...
>
> Hmm, looks like I spoke too soon. While it did catch bad messages, it barfed a little while doing so. A couple of examples...
>
> ===
> libclamav JIT: Allocation failed when allocating new memory in the JIT
> ^[[0;1;31mlibclamav JIT: *** FATAL error encountered during bytecode generation
> ^[[0m./Work/INPUTMBOX: Sanesecurity.Junk.9210.UNOFFICIAL FOUND
> ===
> libclamav JIT: Allocation failed when allocating new memory in the JIT
> ^[[0;1;31mlibclamav JIT: *** FATAL error encountered during bytecode generation
> ^[[0mLibClamAV Warning: fmap: map allocation failed
> LibClamAV Warning: fmap: map allocation failed

You are running out of memory (or rather mmap()s). We have a bugreport about this, but we haven't figured how to fix it. Increasing the max number of mmaps FreeBSD allows won't fix it :(

> LibClamAV Error: CRITICAL: fmap() failed
> LibClamAV Warning: fmap: map allocation failed
> LibClamAV Error: CRITICAL: fmap() failed
> LibClamAV Warning: fmap: map allocation failed
> LibClamAV Error: CRITICAL: fmap() failed
> ./Work/INPUTMBOX: local.sig.939.UNOFFICIAL FOUND
> ===
>
> clamscanning from the command line doesn't seem to cause this problem.

Try scanning the same file mimedefang scans.

Best regards,
--Edwin
Re: [Clamav-users] clamscan fails from mimedefang with large third-party databases
On Thu, 22 Apr 2010, Török Edwin wrote:
> You are running out of memory (or rather mmap()s). We have a bugreport about this, but we haven't figured how to fix it. Increasing the max number of mmaps FreeBSD allows won't fix it :(

Yikes. Well, at least there's already an open report.

> Try scanning the same file mimedefang scans.

It cleans up after itself, so I'm not sure exactly what's in the working directory that causes the trouble. We quarantine messages, however, and command-line scanning all the parts left in the quarantine doesn't produce any complaints, other than the infection detection message.

Jeffrey Moskot
System Administrator
j...@math.miami.edu
Re: [Clamav-users] clamd memory usage (Solved)
Chris wrote:
> I've misplaced the original post I made so I can't reply to it, however I'd like to make a note for the archives what the problem is and to thank Steve Basford and Edwin for their help in finding it. Seems like I had both a main.cvd and main.cld. I removed the main.cld file and all is back to the way it should be.
>
> Chris

I was interested in this thread and so checked my clam folder on seeing this. I've got a main.cld file and no main.cvd - have I got a problem (everything seems to be working correctly)?

FAS
Re: [Clamav-users] clamd memory usage (Solved)
Francis Stevens wrote:
> Chris wrote:
>> I've misplaced the original post I made so I can't reply to it, however I'd like to make a note for the archives what the problem is and to thank Steve Basford and Edwin for their help in finding it. Seems like I had both a main.cvd and main.cld. I removed the main.cld file and all is back to the way it should be.
>>
>> Chris
>
> I was interested in this thread and so checked my clam folder on seeing this. I've got a main.cld file and no main.cvd - have I got a problem (everything seems to be working correctly)?
>
> FAS

Having one of main.cld or main.cvd is fine, having both is the problem. Same's true of daily.cld and daily.cvd. If you have both, delete the .cld file and then run freshclam to make sure you're up to date.

Cheers,
Phil

--
Phil Randal | Networks Engineer
NHS Herefordshire Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: pran...@herefordshire.gov.uk

Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. You should be aware that Herefordshire Council monitors its email service. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it.
Re: [Clamav-users] clamav-daemon didn't recognise attached virus
Török Edwin wrote:
> On 04/22/2010 10:24 AM, Török Edwin wrote:
>> lxhv1m02:~# grep ctl /etc/amavis/conf.d/15-av_scanners
>>   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
>
> You need to tell amavis to pass the entire message to ClamAV, try:
>
> $bypass_decode_parts = 1;
>
> I think your amavis tried to decode the message, and pass only parts of it to ClamAV.
>
> Best regards,
> --Edwin

BINGO! After setting $bypass_decode_parts = 1; the virus was found:

lxhv1m02:/etc/amavis/conf.d# tail -n 2 /var/log/clamav/clamav.log
Thu Apr 22 13:39:02 2010 -> /var/lib/amavis/tmp/amavis-20100422T133603-19502/parts/p001: Suspect.Bredozip-zippwd-5 FOUND
Thu Apr 22 13:40:56 2010 -> /var/lib/amavis/tmp/amavis-20100422T134024-20718/parts/p001: Suspect.Bredozip-zippwd-5 FOUND

Thank You very much Edwin,

Regards
Thomas
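As an added example (not code from this thread, amavis or ClamAV), the following Python client issues the same CONTSCAN request that amavis' ask_daemon entry sends to /var/run/clamav/clamd.ctl, parses clamd's OK/FOUND/ERROR replies, and reports signatures that fire on the complete message but on none of its decoded parts, which is exactly the mismatch diagnosed above. The socket path and the reply formats come from the thread; the function names, the ScanResult type and the sample paths are my own.

```python
"""Talk to clamd the way amavis' ask_daemon does (CONTSCAN over the Unix
socket) and compare a whole-message scan with per-part scans.

Added example; not code from the thread, amavis or ClamAV.  The socket path
and the reply formats come from the thread; the function names are mine.
"""
import socket
from dataclasses import dataclass
from typing import List, Optional, Set

# From the thread's configuration:
#   clamd.conf:      LocalSocket /var/run/clamav/clamd.ctl
#   15-av_scanners:  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"


@dataclass
class ScanResult:
    path: str
    status: str                   # "OK", "FOUND" or "ERROR"
    detail: Optional[str] = None  # signature name for FOUND, message for ERROR


def parse_clamd_response(text: str) -> List[ScanResult]:
    """Parse clamd's newline-separated CONTSCAN reply.

    Reply lines look like
        <path>: OK
        <path>: <signature> FOUND
        <path>: <message> ERROR
    A path may contain spaces or ": " (the thread scans
    "/tmp/UPS Delivery Problem NR 09045..msg"), so FOUND lines are split on
    the *last* ": " (signature names never contain it), while ERROR lines are
    split on the *first* ": " because clamd's error texts usually do
    ("lstat() failed: No such file or directory.").
    """
    results: List[ScanResult] = []
    for raw in text.splitlines():
        line = raw.rstrip("\x00").strip()  # NUL terminators appear with the z-prefixed commands
        if not line:
            continue
        if line.endswith(" OK"):
            results.append(ScanResult(line[:-3].rstrip(":"), "OK"))
        elif line.endswith(" FOUND"):
            path, sep, sig = line[:-6].rpartition(": ")
            results.append(ScanResult(path if sep else line[:-6], "FOUND", sig if sep else None))
        elif line.endswith(" ERROR"):
            path, sep, msg = line[:-6].partition(": ")
            results.append(ScanResult(path, "ERROR", msg if sep else None))
        else:
            # Anything else (e.g. "UNKNOWN COMMAND") is recorded as an error so
            # a caller never mistakes it for a clean result.
            results.append(ScanResult("", "ERROR", line))
    return results


def contscan(path: str, socket_path: str = CLAMD_SOCKET, timeout: float = 60.0) -> List[ScanResult]:
    """Send "CONTSCAN <path>\\n" over clamd's Unix socket and parse the reply.

    clamd opens <path> itself, so the clamd user needs read access to it
    (for amavis' tmp tree this is usually arranged by putting the clamav user
    in the amavis group); without that, lines come back as ERROR, not FOUND/OK.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(socket_path)
        sock.sendall(("CONTSCAN %s\n" % path).encode("utf-8"))
        chunks = []
        while True:  # clamd closes the connection when the scan is complete
            chunk = sock.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_clamd_response(b"".join(chunks).decode("utf-8", "replace"))


def found_signatures(results: List[ScanResult]) -> Set[str]:
    return {r.detail for r in results if r.status == "FOUND" and r.detail}


def missed_by_parts(whole: List[ScanResult], parts: List[ScanResult]) -> Set[str]:
    """Signatures that fire on the complete message but on none of its MIME
    parts: the symptom in this thread, where amavis decoded the message and
    handed clamd only the parts.  $bypass_decode_parts = 1 makes amavis hand
    over the whole message instead (at the cost of banned_filename_re, as the
    last post in the thread notes)."""
    return found_signatures(whole) - found_signatures(parts)


if __name__ == "__main__":
    # Live use against a local clamd; the paths are constructed stand-ins.
    whole = contscan("/tmp/UPS Delivery Problem NR 09045..msg")
    parts = contscan("/var/lib/amavis/tmp/amavis-EXAMPLE/parts")
    for r in whole + parts:
        print(r.path, r.status, r.detail or "")
    print("missed when scanning parts only:", sorted(missed_by_parts(whole, parts)))
```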
Re: [Clamav-users] clamscan fails from mimedefang with large third-party databases
On 2010/04/22 6:23 AM, jef moskot wrote:
>> Try scanning the same file mimedefang scans.
>
> It cleans up after itself, so I'm not sure exactly what's in the working directory that causes the trouble.

Try mimedefang's -d switch:

-d   The -d switch causes mimedefang not to delete the temporary spool files it creates for incoming messages.

--
/Jason
Re: [Clamav-users] Way, way, way OT: Re: (no subject)
Steve Holdoway wrote:
> On Wed, 2010-04-21 at 22:08 -0700, Dennis Peterson wrote:
>> On 4/21/10 10:06 PM, Eric Rostetter wrote:
>>> Quoting Jim Preston jimli...@commspeed.net:
>>>> Read what I said. *functional* not security. Like, for example, php is at 5.2.6 on lenny, unless you configure it differently. That's the whole point of releases.
>>>
>>> There are distros that release functional (feature) upgrades as well as security/bug upgrades... Just as there are ones that don't. Most distros will provide:
>>
>> Show me the contract.
>>
>> dp
>
> This is just going round in circles. The vast majority ( I'm sure! ) of non-hobbyist linux users will install debian lenny or ubuntu LTS or CentOS 5 on their VPS using a single click ( for example ) for whatever reason. It'll be a default install, probably with apt / yum running automagically to install security upgrades... minimal maintenance effort. Who's the sysadmin? The one who drew the short straw, usually by asking 'who does the backups?' or something similar, and also usually have about -10 hours a week available to perform this function. These are the people who need looking after, not a career sysadmin like me ( and you IIRC Dennis? ) who do keep up to date. We've heard of debian volatile, and building from scratch isn't scary at all, but that sort of thing is way beyond this majority.
>
> This is what I'm saying. It's a practical appraisal - how it's been working for the last 5-10 years - not a legal or academic one. I reckon that - another example - a patch to freshclam to convert new to old database format would have kept everyone happy ( no functional change there: it's just acquiring new sigs ), keeps the effort on the client servers, and lenny, etc would have kept on running until end of life.
>
> There will always be edge conditions if you want the exception to prove the rule. Personally I'd like to see the masses catered for. And sure, maybe I'm being clever after the fact, and should have joined in. However, after 4 years fighting spam I am just so over it. Sorry ):
>
> Steve

Well Steve, I have to disagree with you. In the case of the VPS users (and in reality any remote system where the only human interaction is the service provider) I feel it is the responsibility of the provider to help their customers. They are providing a service and if they do not provide good service users should switch. I ended up doing that with a very notorious provider of PS and VPS (was with the company before VPS was invented). I will not post the company name as that would be Way, way, way OT.

Jim
Re: [Clamav-users] Clubbing a deceased equine
Eray Aslan wrote:
> On 22.04.2010 06:20, Dennis Peterson wrote:
>> Suggest at least one way to inform all the users successfully that obsolete software is going to die soon - and don't let it slip past you in your solution that the ClamAV people have no way of knowing who they need to inform. And recall too, this: Filling their logs with warnings didn't work. Posting the notice on the front page of their website didn't work. Running commentary in this list didn't work. Announcing it in their Announcements list didn't work.
>
> Every major software project hits this road block sooner or later and solves it in an acceptable way. This is not rocket science. I am pretty sure some way of versioning support was on the table during the decision making process and was rejected. Knowing the rationale behind it would be nice. I think it was a bad decision but knowing how the decision was made (the other side of the argument so to speak) would help.
>
> [...]
>
>> We're left with this: The problem affected only those that did not pay adequate attention. There is no cure for that.
>
> Our problem statements differ. I am against clamav's right to turn off services on other people's computers which does not say anything on sysadmins who may or may not be paying attention.
>
>> So here's a message to everyone that was surprised: PAY ATTENTION because there's going to be a next time!
>
> I hope not.

If you bothered to read this entire thread you would understand that ClamAV did no such thing. In a couple of weeks these very same systems would have failed when the new signature format went into effect. The issue is that without code changes to 0.95 installations the new signatures will crash Clamd by design of 0.95 versions. This was built into the versions NOT as a method of breaking clamd but as preventing loading of what this version considers malformed databases. They are not guilty of intentionally turning off services but of not WASTING their money to protect users who want to continue to use EOL software.

Jim
[Clamav-users] PhishingScanURLs FPing too often
I've had reports of several FPs due to PhishingScanURLs recently - is there any way it can be made less aggressive rather than just turning it off outright? The messages triggering it so far have been both outgoing and incoming mail from our customers: forwarded copies of legitimate Amazon.ca mail and eBay replies on the outgoing side; a newsletter linking to a bank website for a contest of some kind on the incoming side. Some customers may not want to send the message in question to our reporting address due (quite reasonably) to privacy concerns, and it's a bit hard to create a .wdb entry when a) I don't have an example URL that triggers the test and b) I'm groping in the dark on exactly how to correctly format an entry.

-kgd
Re: [Clamav-users] clamav-daemon didn't recognise attached virus
Török Edwin wrote:

On 04/22/2010 10:24 AM, Török Edwin wrote:

lxhv1m02:~# grep ctl /etc/amavis/conf.d/15-av_scanners
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],

You need to tell amavis to pass the entire message to ClamAV, try:

$bypass_decode_parts = 1;

I think your amavis tried to decode the message, and pass only parts of it to ClamAV.

Best regards,
--Edwin

Hello, this solution seems to lever my banned_filename_re filter out. Perhaps there's another solution?

Thanks
Thomas
Re: [Clamav-users] clamav-daemon didn't recognise attached virus
On 04/22/2010 06:51 PM, Thomas Herzog wrote:

Török Edwin wrote:

On 04/22/2010 10:24 AM, Török Edwin wrote:

lxhv1m02:~# grep ctl /etc/amavis/conf.d/15-av_scanners
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],

You need to tell amavis to pass the entire message to ClamAV, try:

$bypass_decode_parts = 1;

I think your amavis tried to decode the message, and pass only parts of it to ClamAV.

Best regards,
--Edwin

Hello, this solution seems to lever my banned_filename_re filter out. Perhaps there's another solution?

I don't know, try asking on the Amavis list.

Best regards,
--Edwin
Re: [Clamav-users] clamav-daemon didn't recognise attached virus
On 4/22/2010 10:51 AM, Thomas Herzog wrote:

Török Edwin wrote:

On 04/22/2010 10:24 AM, Török Edwin wrote:

lxhv1m02:~# grep ctl /etc/amavis/conf.d/15-av_scanners
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],

You need to tell amavis to pass the entire message to ClamAV, try:

$bypass_decode_parts = 1;

I think your amavis tried to decode the message, and pass only parts of it to ClamAV.

Best regards,
--Edwin

Hello, this solution seems to lever my banned_filename_re filter out. Perhaps there's another solution?

Find the @keep_decoded_original_maps section and uncomment the line with:

# qr'^MAIL$', # retain full original message

The side effect of this is that the mail will be virus scanned twice; once for the whole message, and again for each decoded part. On my machine clam is fast enough that this doesn't make a significant difference in processing time.

-- 
Noel Jones
Re: [Clamav-users] clamav-daemon didn't recognise attached virus
Paul Whelan wrote:

I think your amavis tried to decode the message, and pass only parts of it to ClamAV.

In general then, clamav may only recognise some malware when it is still attached to a mail message and not after it has been separately stored. Is that correct?

It may or may not, depending on the message and the signature that catches it. Since clamav internally processes the mail message and all its attachments anyway, having this done twice (by amavis and by clamav) is probably pointless...

---acab
Re: [Clamav-users] Can't map file into memory - mostly PDFs
Hi--

[ CC:ing Jason as the domain expert. :-) ]

On Apr 22, 2010, at 10:01 AM, Royce Williams wrote:

2010/4/8 Török Edwin edwinto...@gmail.com:

On 04/08/2010 11:03 PM, Chuck Swiger wrote:

[ ... ]

# sysctl vm.max_proc_mmap
vm.max_proc_mmap: 78951

It's the number of mmap() entries which the kernel is willing to make available per process; what you display should be plenty, unless there is some kind of problem where mmap()ed files never get munmap()ed.

Actually that's a pretty low number if FreeBSD is using mmap() for malloc() and it is not merging adjacent maps when counting this limit.

78951 (maps) * 4KB (pagesize) = 308 MB

308 MB is a pretty low limit for clamd, especially since the database alone is ~100MB. The maximum maps count on Linux is even lower, and yet everything works:

vm.max_map_count = 65530

I guess Linux merges adjacent mmap()s into a single map, and only counts those. I don't know what FreeBSD does, but if it doesn't merge the maps then that max_proc_mmap limit doesn't make sense.

For anyone who picks up this thread, it's in Bugzilla here: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1941

There may be some confusion with regard to this matter. FreeBSD's JE malloc() which landed with 7.x doesn't call mmap() for every call to malloc(), or even for every page allocated by malloc(), but I believe will call mmap() once per run for sizes up to a megabyte at a time:

http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libc/stdlib/malloc.c?rev=1.193

I believe it will also try to fall back to using sbrk() to get DSS memory if it needs to. It might be interesting for Royce to try:

ln -s 'DmP' /etc/malloc.conf

...(or set $MALLOC_OPTIONS in clamd's environment) and see whether disabling mmap() allocations entirely in favor of sbrk() helps. The P flag will also cause malloc statistics to be generated to stderr, which might also be helpful for debugging the issue.

Regards,
-- 
-Chuck
Re: [Clamav-users] clamav-daemon didn't recognise attached virus
On 4/22/2010 12:30 PM, aCaB wrote:

Paul Whelan wrote:

I think your amavis tried to decode the message, and pass only parts of it to ClamAV.

In general then, clamav may only recognise some malware when it is still attached to a mail message and not after it has been separately stored. Is that correct?

It may or may not, depending on the message and the signature that catches it. Since clamav internally processes the mail message and all its attachments anyway, having this done twice (by amavis and by clamav) is probably pointless...

---acab

For amavisd-new to block attachments by file(1) type, it must unpack the mail. Clam must scan the whole email message because (as you know) some signatures only trigger on files that look like a mail message. To have both attachment blocking and full email scanning, the mail ends up being scanned twice.

Maybe I'll put in a request for a "don't scan decoded parts" feature ...

-- 
Noel Jones
Re: [Clamav-users] Can't map file into memory - mostly PDFs
Hi, Jason--

On Apr 22, 2010, at 12:33 PM, Jason Evans wrote:

The failure mode was trimmed before I was CC'ed, so I'm missing background information.

Thanks for the response. The bug report here:

https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1941

...contains the useful details, but the ktrace of the point of failure is:

61805 clamd CALL  mmap(0,0x9d55d6,PROT_READ,MAP_PRIVATE,0xb,0,0)
61805 clamd RET   mmap -1 errno 12 Cannot allocate memory
61805 clamd CALL  write(0x2,0xbf5c850c,0x28)
61805 clamd GIO   fd 2 wrote 40 bytes
      "LibClamAV Error: cli_pdf: mmap() failed"

...which led to mmap()'s documentation:

[ENOMEM] MAP_FIXED was specified and the addr argument was not available. MAP_ANON was specified and insufficient memory was available. The system has reached the per-process mmap limit specified in the vm.max_proc_mmap sysctl.

However, I doubt the number of map entries is the problem. See procfs(5) on how to mount the proc filesystem, then look at /proc/pid/maps to see the VM map. My observation has been that the total number of entries is quite small, even for large applications (shared libraries tend to contribute more entries than malloc does). As an aside, jemalloc maps at least 1 MiB at a time, so it doesn't substantially contribute to the number of map entries even if the application somehow causes bad map fragmentation.

Acknowledged. Hopefully Royce can use this feedback to gather better information.

Regards,
-- 
-Chuck
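The check Jason suggests above (count the entries in the process VM map before blaming the per-process mmap limit) and Edwin's earlier question of whether adjacent mappings get merged before they are counted can both be tried on a map dump. The script below is an added illustration, not code from the thread or from ClamAV or FreeBSD: it parses a map listing, reports the raw entry count, the count after collapsing contiguous anonymous mappings with identical permissions, the total mapped size, and the headroom left under a limit that defaults to the 78951 shown in the thread. The sample lines are constructed in Linux /proc/PID/maps layout (addresses, inodes and paths are made up); FreeBSD's procfs map file uses a different column layout, so the parser regex would need adjusting there while the counting idea carries over.

```python
import re

# One Linux /proc/PID/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$")

# Constructed sample: a binary, three contiguous anonymous heap pages, a large
# file mapping (stand-in for a database or PDF), a guard page and two contiguous
# anonymous arenas, then the stack. Not taken from a real clamd process.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 131 /usr/sbin/clamd
00651000-00652000 rw-p 00051000 08:01 131 /usr/sbin/clamd
00652000-00653000 rw-p 00000000 00:00 0
00653000-00655000 rw-p 00000000 00:00 0
00655000-0065f000 rw-p 00000000 00:00 0
7f1a00000000-7f1a06400000 r--p 00000000 08:01 262 /var/lib/clamav/main.cvd
7f1a06400000-7f1a06401000 ---p 00000000 00:00 0
7f1a06401000-7f1a06c01000 rw-p 00000000 00:00 0
7f1a06c01000-7f1a07c01000 rw-p 00000000 00:00 0
7ffd4c7e0000-7ffd4c801000 rw-p 00000000 00:00 0 [stack]
"""


def parse_maps(text):
    """Parse maps-style lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        entries.append({
            "start": int(m["start"], 16), "end": int(m["end"], 16),
            "perms": m["perms"], "path": m["path"].strip(),
        })
    return entries


def merge_adjacent(entries):
    """Collapse runs of contiguous anonymous mappings that share permissions,
    which is the merging Edwin suspects Linux performs before counting maps.
    File-backed mappings are never merged here."""
    merged = []
    for e in entries:
        if merged:
            prev = merged[-1]
            if (prev["end"] == e["start"] and prev["perms"] == e["perms"]
                    and not prev["path"] and not e["path"]):
                merged[-1] = dict(prev, end=e["end"])
                continue
        merged.append(dict(e))
    return merged


def summarize(text, max_entries=78951):
    """Numbers to compare against vm.max_proc_mmap (default: the value in the thread).
    If 'entries' is nowhere near the limit, ENOMEM from mmap() has another cause."""
    entries = parse_maps(text)
    total = sum(e["end"] - e["start"] for e in entries)
    return {
        "entries": len(entries),
        "merged": len(merge_adjacent(entries)),
        "total_bytes": total,
        "remaining_entries": max_entries - len(entries),
    }


if __name__ == "__main__":
    # On a live system: summarize(open("/proc/%d/maps" % pid).read())
    for key, value in summarize(SAMPLE_MAPS).items():
        print("%-18s %s" % (key, value))
```

Running it against a real dump of the failing clamd (the `/proc/pid/maps` path Jason names, or the equivalent procfs map file on FreeBSD) tells you at once whether the entry count is anywhere near the sysctl value; with the constructed sample it is ten entries, seven after merging, against a limit of 78951.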
Re: [Clamav-users] clamav-daemon didn't recognise attached virus
Noel Jones wrote:

Clam must scan the whole email message because (as you know) some signatures only trigger on files that look like a mail message. To have both attachment blocking and full email scanning, the mail ends up being scanned twice.

Maybe I'll put in a request for a "don't scan decoded parts" feature ...

I've updated the page here with the new info:

http://www.sanesecurity.com/clamav/problems.htm

In order to get the best out of the Sanesecurity signatures the FULL message must be passed to ClamAV, as a lot of the signatures use the From header/Subject/other headers and combinations of header/body.

As for performance, I'd agree that not double-scanning would be a good idea.

Cheers,

Steve
Sanesecurity
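The point made in aCaB's reply, Noel's follow-up and Steve's note above (a signature that keys on headers plus an attachment can only fire when clamd sees the whole message, while a plain content signature fires either way) can be shown with a toy scanner. This is an added illustration, not code from ClamAV, amavisd-new or Sanesecurity: both rules, the rule names, the addresses and the attachment bytes are constructed for the example and are not real signatures or malware. The same `scan()` function is applied first to the complete message (what clamd receives when amavis keeps the `MAIL` original) and then to the decoded attachment alone (what amavis hands over by default), and only the second run loses the header-dependent hit.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Rule 1 (needs mail context): Subject mentions an invoice AND a .zip attachment
# is present. Modelled on the header+attachment combinations Sanesecurity
# describes; constructed for this example.
CONTEXT_RULE = "Toy.MailContext.InvoiceZip"
SUBJECT_RE = re.compile(r"\binvoice\b", re.I)
ATTACH_NAME_RE = re.compile(r"\.zip$", re.I)

# Rule 2 (content only): a byte pattern inside the attachment itself; constructed.
CONTENT_RULE = "Toy.Marker"
MARKER_RE = re.compile(rb"CONSTRUCTED-MARKER")


def build_sample_message():
    """Constructed message: harmless filler bytes under a .zip filename, not malware."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your invoice 4557"
    msg.set_content("Please see the attached invoice.")
    payload = b"PK\x03\x04" + b"\x00" * 8 + b"CONSTRUCTED-MARKER" + b"\x00" * 8
    msg.add_attachment(payload, maintype="application", subtype="zip",
                       filename="invoice_4557.zip")
    return msg.as_bytes()


def decoded_attachments(raw):
    """What amavis does before calling clamd: decode each MIME part to its own blob."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.iter_attachments():
        yield part.get_filename() or "", part.get_payload(decode=True)


def scan(data):
    """Toy engine applied to whatever bytes it is handed, as clamd is.
    Returns the names of the rules that matched, in a fixed order."""
    hits = []
    msg = BytesParser(policy=policy.default).parsebytes(data)
    attachments = list(msg.iter_attachments())  # empty unless data is a multipart mail
    subject = msg.get("Subject")                # None when the input is not a message

    # Rule 1 needs the headers: a bare decoded attachment has none, so it cannot fire.
    if subject is not None and SUBJECT_RE.search(subject) and any(
            ATTACH_NAME_RE.search(p.get_filename() or "") for p in attachments):
        hits.append(CONTEXT_RULE)

    # Rule 2 checks the raw input and every decoded part. Inside the full message
    # the attachment is base64-encoded, which is why the engine must decode MIME.
    blobs = [data] + [p.get_payload(decode=True) for p in attachments]
    if any(MARKER_RE.search(b) for b in blobs):
        hits.append(CONTENT_RULE)
    return hits


if __name__ == "__main__":
    raw = build_sample_message()
    print("full message        :", scan(raw))
    for name, blob in decoded_attachments(raw):
        print("decoded part %-8s:" % name, scan(blob))
```

The two runs differ exactly as the thread describes: the full message yields both rule names, the decoded part only the content rule. Keeping the `MAIL` original in `@keep_decoded_original_maps` restores the first hit at the cost Noel mentions, a second scan of the same bytes.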
[Clamav-users] Make check for 0.96 fails on PPC Macintosh running 10.5.8 client
I have 0.96 running just fine (I think) on my PPC Macintosh running Leopard (10.5.8) (after applying the patch for bug 1921 (https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1921)). But then after reading various notes here, I realized I should run make check. But it fails making 'CXXLD not' with an undefined symbol error. I am way out of my league in understanding what this is trying to tell me. Make check runs fine for 0.95.3 on the same system and 0.96 make check runs fine on an Intel Macintosh running Snow Leopard 10.6.3.

From the second run of make check:

Making check in libltdl
make check-am
make[2]: Nothing to be done for `check-am'.
Making check in libclamav
make check-recursive
Making check in c++
make check-am
make libllvmbitreader.la libllvmsupport_nodups.la libllvmsupport.la libllvmfullcodegen.la libllvmasmprinter.la libllvmbitwriter.la libllvmasmparser.la libgoogletest.la libllvminterpreter.la count not lli llc llvm-as llvm-dis llvmunittest_ADT llvmunittest_Support llvmunittest_VMCore llvmunittest_ExecutionEngine llvmunittest_JIT FileCheck \
llvmcheck.sh
make[5]: `libllvmbitreader.la' is up to date.
make[5]: `libllvmsupport_nodups.la' is up to date.
make[5]: `libllvmsupport.la' is up to date.
make[5]: `libllvmfullcodegen.la' is up to date.
make[5]: `libllvmasmprinter.la' is up to date.
make[5]: `libllvmbitwriter.la' is up to date.
make[5]: `libllvmasmparser.la' is up to date.
make[5]: `libgoogletest.la' is up to date.
make[5]: `libllvminterpreter.la' is up to date.
make[5]: `count' is up to date.
  CXXLD  not
Undefined symbols:
  operator delete(void*), referenced from:
      llvm::sys::Path::FindLibrary(std::basic_string<char, std::char_traits<char>, std::allocator<char> >&) in libllvmsystem.a(Path.o)
      llvm::sys::Path::getDirectoryContents(std::set<llvm::sys::Path, std::less<llvm::sys::Path>, std::allocator<llvm::sys::Path> >&, std::basic_string<char, std::char_traits<char>, std::allocator<char> >*) const in libllvmsystem.a(Path.o)
      (... Many, many lines deleted...)
      llvm::sys::Program::FindProgramByName(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) in libllvmsystem.a(Program.o)
ld: symbol(s) not found
collect2: ld returned 1 exit status
make[5]: *** [not] Error 1
make[4]: *** [check-am] Error 2
make[3]: *** [check] Error 2
make[2]: *** [check-recursive] Error 1
make[1]: *** [check] Error 2
make: *** [check-recursive] Error 1

-- 
Larry Stone
lston...@stonejongleux.com
http://www.stonejongleux.com/