Re: [Clamav-users] Resources for integrating with spamassassin+amavisd

2010-04-29 Thread Steve Basford
> I meant that the other day there was a URL in the body of an email
> that passed through as ham when in fact it ended in 'ecard.exe' and,
> should the recipient download it, would be shown to be a trojan.
> Doesn't clamav block stuff like this, I thought?

Hi Alex,

If you still have a copy of the headers & body, could you send me a sample:

samples AT sanesecurity DOT me DOT uk

I'll run it against the dbs I've got here.

Cheers,

Steve
Sanesecurity

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


[Clamav-users] Update problem on daily.cld

2010-04-29 Thread Test Andrea

Dear List,

This is my configuration:

CentOS 4.8

# clamdscan -V
ClamAV 0.95.3/10861/Thu Apr 29 04:16:19 2010

# sigtool --info=/home/amavisd/clamav/main.cld
File: /home/amavisd/clamav/main.cld
Build time: 15 Feb 2010 09:54 -0500
Version: 52
Signatures: 704727
Functionality level: 44
Builder: sven

# sigtool --info=/home/amavisd/clamav/daily.cld
File: /home/amavisd/clamav/daily.cld
Build time: 28 Apr 2010 22:16 -0400
Version: 10861
Signatures: 54573
Functionality level: 51
Builder: guitar

Since a few days ago I have had these errors in freshclam.log:

http://nopaste.info/6ce68caae7.html

Freshclam is running with the -d (daemon) option, started at boot of the server.

I have this problem only for the incremental update of daily.cld.
Yesterday I tried stopping freshclam and removing daily.cld, and after the
restart the first update of daily.cld worked without errors.

I have the same problem on another server with ClamAV 0.95.2 on CentOS 5.4.

Any Ideas?

Best Regards

Andrea


Re: [Clamav-users] Update problem on daily.cld

2010-04-29 Thread aCaB
Test Andrea wrote:
> http://nopaste.info/6ce68caae7.html

Ciao Andrea,

I assume from your address that you are based in Italy. The problem is
very likely related to db.it.clamav.net failing to properly sync the
database files.

These kinds of issues are generally only temporary and are fixed within a
few days.

In the meantime you can either ignore the error or temporarily add
another DatabaseMirror directive in freshclam.conf (specify another
European mirror like db.de.clamav.net).
If you choose to add a mirror make sure that you also remove mirrors.dat
as by now freshclam has probably blacklisted all the servers.

HtH,
-acab


Re: [Clamav-users] Update problem on daily.cld

2010-04-29 Thread Adam Stephens

Test Andrea wrote:

> Dear List,
>
> This is my configuration:
>
> CentOS 4.8
>
> # clamdscan -V
> ClamAV 0.95.3/10861/Thu Apr 29 04:16:19 2010
>
> # sigtool --info=/home/amavisd/clamav/main.cld
> File: /home/amavisd/clamav/main.cld
> Build time: 15 Feb 2010 09:54 -0500
> Version: 52
> Signatures: 704727
> Functionality level: 44
> Builder: sven
>
> # sigtool --info=/home/amavisd/clamav/daily.cld
> File: /home/amavisd/clamav/daily.cld
> Build time: 28 Apr 2010 22:16 -0400
> Version: 10861
> Signatures: 54573
> Functionality level: 51
> Builder: guitar
>
> Since a few days ago I have had these errors in freshclam.log:
>
> http://nopaste.info/6ce68caae7.html
>
> Freshclam is running with the -d (daemon) option, started at boot of the server.
>
> I have this problem only for the incremental update of daily.cld.
> Yesterday I tried stopping freshclam and removing daily.cld, and after the
> restart the first update of daily.cld worked without errors.
>
> I have the same problem on another server with ClamAV 0.95.2 on CentOS 5.4.


I'm seeing a similar problem, and I believe it's another issue caused by 
ClamAV's aggressive policy of disabling older software versions. If I 
run freshclam with debug options I see errors like this:


Ignoring mirror 217.135.32.99 (has connected too many times with an outdated version)
Ignoring mirror 81.91.100.173 (has connected too many times with an outdated version)
Ignoring mirror 163.1.3.8 (has connected too many times with an outdated version)


...and so on for the other mirrors I'm using.

I have two scanning boxes running ClamAV built from source, which I've 
updated to 0.96, and two boxes running Debian Lenny, with ClamAV 
installed from the packages in the volatile repository. The Debian boxes 
are running Debian's most recent package, 0.95.3; I only see this 
problem on those boxes.


The 'outdated version' error appears to be the handling they added to 
stop older versions (which couldn't do incremental updates) from 
hammering the mirrors. I guess they're now applying it to all versions 
except for the most recent, even if they do incremental updates.


If you're running an OS that hasn't packaged 0.96 yet, I think you now 
need to build ClamAV from source if you want timely signature updates. 
The odd thing is the ClamAV website still recommends using the Debian 
Volatile packages.


regards,
Adam

--

Adam Stephens
Network Specialist - Email & DNS
adam.steph...@bristol.ac.uk



Re: [Clamav-users] Resources for integrating with spamassassin+amavisd

2010-04-29 Thread Alex
>> I meant that the other day there was a URL in the body of an email
>> that passed through as ham when in fact it ended in 'ecard.exe' and,
>> should the recipient download it, would be shown to be a trojan.
>> Doesn't clamav block stuff like this, I thought?
>
> If you still have a copy of the headers & body, could you send me a sample:

Attachment sent.

Thanks,
Alex


Re: [Clamav-users] Resources for integrating with spamassassin+amavisd

2010-04-29 Thread Steve Basford
>> If you still have a copy of the headers & body, could you send me a
>> sample:
>
> Attachment sent.

Thanks for the sample Alex.

It's already being detected as:

Sanesecurity.Malware.8830.UNOFFICIAL

So, you should already be covered :)

Cheers,

Steve
Sanesecurity



Re: [Clamav-users] Update problem on daily.cld

2010-04-29 Thread aCaB
Adam Stephens wrote:
> I'm seeing a similar problem, and I believe it's another issue caused by
> ClamAV's aggressive policy of disabling older software versions. If I
> run freshclam with debug options I see errors like this:

As stated multiple times ClamAV's aggressive policy of disabling older
software versions has got nothing to do with what mirrors do. In fact,
as stated multiple times, the clamav project has got no control over the
mirrors nor their admins which are left completely free to make use of
THEIR bandwidth as THEY prefer. Banning old versions is THEIR option as is
THEIR choice to serve older clients.

> If you're running an OS that hasn't packaged 0.96 yet, I think you now
> need to build ClamAV from source if you want timely signature updates.
> The odd thing is the ClamAV website still recommends using the Debian
> Volatile packages.

Right. Because, as everybody knows, the clamav guys maintain Debian and
have control over volatile...
...and world hunger must be the clamav folks' fault as well.


Anyway, that being said (for the millionth time), feel free to keep
complaining about free services and people behind them as much as you
like. This thread is dead for me.

--aCaB


Re: [Clamav-users] Update problem on daily.cld

2010-04-29 Thread Adam Stephens

aCaB wrote:

> Adam Stephens wrote:
>
>> I'm seeing a similar problem, and I believe it's another issue caused by
>> ClamAV's aggressive policy of disabling older software versions. If I
>> run freshclam with debug options I see errors like this:
>
> As stated multiple times ClamAV's aggressive policy of disabling older
> software versions has got nothing to do with what mirrors do. In fact,
> as stated multiple times, the clamav project has got no control over the
> mirrors nor their admins which are left completely free to make use of
> THEIR bandwidth as THEY prefer. Banning old versions is THEIR option as is
> THEIR choice to serve older clients.

That error doesn't come from the mirrors; it comes from freshclam - the
message is in manager.c, and it's triggered by this check in mirman.c:

    if(mdat->dbflevel && (mdat->dbflevel > flevel) && (mdat->dbflevel - flevel > 3))
        if(time(NULL) - mdat->mirtab[i].atime < (mdat->dbflevel - flevel) * 3600)
            return 2;

ClamAV's website says:

Starting from ClamAV 0.9x, whenever your ClamAV engine becomes outdated 
and the difference between the functionality level required by the CVD 
and the functionality level supported by your ClamAV engine is more than 
3, freshclam refuses to check for updates more often than 6 times per day


The recommended functionality level is 51, and the functionality level 
of 0.95.3 is 44 - so I think that code restricts 0.95.3 users to 
checking a mirror once every 7 hours.


  

>> If you're running an OS that hasn't packaged 0.96 yet, I think you now
>> need to build ClamAV from source if you want timely signature updates.
>> The odd thing is the ClamAV website still recommends using the Debian
>> Volatile packages.
>
> Right. Because, as everybody knows, the clamav guys maintain Debian and
> have control over volatile...
> ...and world hunger must be the clamav folks' fault as well.

That's not what I said, is it? I said if your OS hasn't packaged 0.96
yet, you need to compile from source to get timely updates. And I
mentioned that the ClamAV site tells people to install the package from
Debian volatile (although that page also mentions sarge & etch, so it
clearly hasn't been updated in a while).

> Anyway, that being said (for the millionth time), feel free to keep
> complaining about free services and people behind them as much as you
> like.

I appreciate that some people are a bit twitchy after the furore
disabling 0.94 caused, but I've not complained about ClamAV or the
developers. All I've done is told a user requesting help what I believe
their problem is and how to fix it.

> This thread is dead for me.

I'm delighted to hear it. Your contribution to date has been
ill-informed, rude, and completely unhelpful.


regards,
Adam Stephens.

--

Adam Stephens
Network Specialist - Email & DNS
adam.steph...@bristol.ac.uk



[Clamav-users] Jochen Haaf JOHA/NSU/DE/TDS is out of the office.

2010-04-29 Thread Jochen Haaf

I will be out of the office from 28.04.2010. I will return on
03.05.2010.

I will reply to your message after my return.
For urgent requests, please send your mail to nwsproje...@tds.de



Re: [Clamav-users] Update problem on daily.cld

2010-04-29 Thread aCaB
Adam Stephens wrote:
>> This thread is dead for me.
>
> I'm delighted to hear it. Your contribution to date has been
> ill-informed, rude, and completely unhelpful.

I apologize for being dense and overreacting. The echoes of the recent
flames are still in my mind...

Back to topic: 0.96+dfsg-4~volatile1 was accepted a couple of days ago
and it's digging its way to the mirrors. It shouldn't take long till all
archs are built and the debs are available.

--acab


Re: [Clamav-users] clamd DLP(Data Loss Prevention) w/Postfix

2010-04-29 Thread Ralf Hildebrandt
* W S whatis...@yahoo.com:
> Folks,
>
> I have a simple relayer running Postfix and would like to enable ClamAV's
> portion of DLP.
> Does anyone know what I have to modify within mail.cf and master.cf ??
> I would like to quarantine emails with SSN and CC numbers (just basic ascii
> digits in Subject or Body)

You'd probably need to use amavisd-new

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de


Re: [Clamav-users] Large File problems

2010-04-29 Thread rickeng
Thanks for the info. I've been fighting with compiling this, with not much
luck. It's been a while since I've had to compile, mostly network lately.
I'm trying to compile on an x86 32bit box; can I compile base config on a
64bit os and get the Large file support?

Any tutorials or tips on the compiling? Also, I cannot find any reference
to the FILE_OFFSET options.

> On 04/28/2010 06:40 PM, rick...@mm.com wrote:
>> WARNING: Can't access file /app/ndm/misc/RT_Confirms.01122006.04222010194815.zip
>> /app/ndm/misc/RT_Confirms.01122006.04222010194815.zip: Value too large for defined data type
>> WARNING: Can't access file /app/ndm/misc/RT_Confirms.01122006.04222010194815.zip.gpg
>> /app/ndm/misc/RT_Confirms.01122006.04222010194815.zip.gpg: Value too large for defined data type
>
> Looks like you are running on a 32-bit system, and you didn't compile
> ClamAV with -D_FILE_OFFSET_BITS=64, hence the stat() system call fails
> on files whose size/inode exceeds 32-bits.
>
> Best regards,
> --Edwin


Re: [Clamav-users] Update problem on daily.cld

2010-04-29 Thread Dennis Peterson

On 4/29/10 7:06 AM, Adam Stephens wrote:

> That error doesn't come from the mirrors; it comes from freshclam - the
> message is in manager.c, and it's triggered by this check in mirman.c:
>
>     if(mdat->dbflevel && (mdat->dbflevel > flevel) && (mdat->dbflevel - flevel > 3))
>         if(time(NULL) - mdat->mirtab[i].atime < (mdat->dbflevel - flevel) * 3600)
>             return 2;
>
> ClamAV's website says:
>
> Starting from ClamAV 0.9x, whenever your ClamAV engine becomes outdated
> and the difference between the functionality level required by the CVD
> and the functionality level supported by your ClamAV engine is more than
> 3, freshclam refuses to check for updates more often than 6 times per day



Freshclam is not necessary to use ClamAV. It is a convenience but only a minor 
one. Perhaps you should decouple your system from the freshclam method and use 
http. Here are the links:


http://db.local.clamav.net/main.cvd
http://db.local.clamav.net/daily.cvd

Here's a way to test signature versions:
dig TXT current.cvd.clamav.net

;; ANSWER SECTION:
current.cvd.clamav.net. 900 IN  TXT 0.96:52:10878:1272589985:1:51:19931:12


The first three : separated numbers are the current clamav version, the 
current version of the daily.cvd file, and the current version of the main.cvd 
file. The fourth field is a Unix time number (Unix epoch time).


Now write a very simple script that gets the current version with dig, use curl
to download the new signatures, use clamscan to test the new signatures, and
drop them into the working directory.


This is maybe 20 lines of shell script. Take the challenge.

dp
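
The script outlined in the message above, written out as an added example that is not part of the original post. Assumptions: the `DBDIR` default, the function names, the `--run` argument, and the field order of the TXT record (field 2 = main, field 3 = daily), taken from the sample record, where 52 matches the main.cld version reported earlier in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): manual daily.cvd update with dig, curl, clamscan.
DBDIR=${DBDIR:-/var/lib/clamav}               # assumption: local database directory
MIRROR=${MIRROR:-http://db.local.clamav.net}  # download host quoted in the message

# Print field $2 of the colon-separated TXT record; dig +short wraps it in quotes.
txt_field() { printf '%s\n' "$1" | tr -d '"' | cut -d: -f"$2"; }

# Read `sigtool --info` output on stdin and print its "Version:" value.
info_version() { awk '$1 == "Version:" { print $2; exit }'; }

# Succeed only if both arguments are integers and $2 (offered) is newer than $1 (local).
needs_update() {
    case "$1$2" in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$1" ] && [ -n "$2" ] && [ "$2" -gt "$1" ]
}

update_daily() {
    record=$(dig +short TXT current.cvd.clamav.net) || return 2
    remote=$(txt_field "$record" 3)   # assumption: field 2 = main, field 3 = daily
    case "$remote" in ''|*[!0-9]*) echo "unusable TXT record" >&2; return 2 ;; esac
    current=0
    for f in "$DBDIR/daily.cld" "$DBDIR/daily.cvd"; do
        [ -f "$f" ] && current=$(sigtool --info="$f" | info_version)
    done
    if ! needs_update "${current:=0}" "$remote"; then
        echo "no update (local $current, DNS $remote)"
        return 0
    fi
    tmp=$(mktemp -d) || return 2
    new="$tmp/daily.cvd"              # keep the .cvd suffix so the tools recognise it
    if curl -fsS -o "$new" "$MIRROR/daily.cvd" &&
       needs_update "$current" "$(sigtool --info="$new" | info_version)"; then
        # Load only the candidate database and scan this script with it:
        # 0 = clean, 1 = detection, anything higher means clamscan failed.
        clamscan --database="$new" "$0" >/dev/null
        if [ $? -le 1 ]; then
            # Copy next to the target, then rename so scanners never see a partial file.
            cp "$new" "$DBDIR/daily.cvd.new" && mv "$DBDIR/daily.cvd.new" "$DBDIR/daily.cvd"
            status=$?; rm -rf "$tmp"; return "$status"
        fi
    fi
    rm -rf "$tmp"
    echo "rejected downloaded daily.cvd; keeping the existing database" >&2
    return 2
}

# Nothing touches the network unless asked to: sh update-daily.sh --run
if [ "${1:-}" = "--run" ]; then update_daily; fi
```

A download that is not newer than the local copy, or that clamscan cannot load, is discarded and the existing database stays in place.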