Re: [clamav-users] New Version of ClamAV
On Thu, 2013-03-21 at 13:45 +1300, Spiro Harvey wrote:
> > We're currently scoping out the next version of ClamAV. We have a number of ideas in house, but I wanted to solicit some feedback from our users about what you might be interested in seeing.
>
> Timely release announcement on the mailing list.
>
> /ducks ;)

OHHH! SO NAUGHTY! Go to your room... no electronics!

--
greg folkert - systems administration and support
web:donor.com email: g...@donor.com phone: 877-751-3300 x416 direct: 616-328-6449 (direct dial and fax)

Be faithful to that which exists within yourself. -- Andre Gide
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [clamav-users] New Version of ClamAV
Spiro, a messenger has just arrived by horse. Apparently we have released ClamAV 0.97.7 :)

We'll do better next time :)

Matt

On Wed, Mar 20, 2013 at 8:45 PM, Spiro Harvey sp...@knossos.net.nz wrote:
> > We're currently scoping out the next version of ClamAV. We have a number of ideas in house, but I wanted to solicit some feedback from our users about what you might be interested in seeing.
>
> Timely release announcement on the mailing list.
>
> /ducks ;)
Re: [clamav-users] New Version of ClamAV
That it will simply work on all platforms and if not, a more efficient way to debug what is going on. I have a win xp sp3 machine and all versions higher than 0.95 do not run on this box.

Thx
Konrad

On 20.03.2013 15:35, Matt Olney wrote:
> Hey all,
>
> We're currently scoping out the next version of ClamAV. We have a number of ideas in house, but I wanted to solicit some feedback from our users about what you might be interested in seeing.
>
> Before you ask, we don't have a lot of information that we're ready to share on our end about what we're planning, so I don't want to promise anything yet. In general we're looking to expand the detection capability, the engine's stability and make the system a little more usable. As we firm things up, we'll let you guys know more about what we're working on.
>
> We will also be interested, as we get further down the road, in beta testers. I think you'll see a lot of new functionality in ClamAV and we'd appreciate as many eyes as possible on it once we're ready to show it off.
>
> And no, we don't have an estimated release date :)
>
> Thanks in advance for your ideas! Please send your ideas to this list so we can track them.
>
> Matt
Re: [clamav-users] New Version of ClamAV
On 20 Mar 2013, at 14:35, Matt Olney mol...@sourcefire.com wrote:
> Before you ask, we don't have a lot of information that we're ready to share on our end about what we're planning, so I don't want to promise anything yet. In general we're looking to expand the detection capability, the engine's stability and make the system a little more usable. As we firm things up, we'll let you guys know more about what we're working on.
> ….
> Thanks in advance for your ideas! Please send your ideas to this list so we can track them.

Focus on stability and usability.

I use Exim, Clam, and Spamassassin (in order of descending importance). I regard Exim as essential for continuity of service. Clam, when available, is trusted absolutely to reject emails that are a security threat to my network - so it's important to me that it's as available as possible. Unfortunately, it occasionally hangs leaving zombie processes that require a reboot to fix.

When it's available, I want it to block malware attachments, but I also want it to block emails with links to malware, and links to phishing sites.

BTW, I use Clam to scan outbound email, as well as inbound, in order to improve herd immunity to infections. One thing that I'd like to do with outbound email is to prevent people from emailing their own passwords. Something along these lines: https://grepular.com/Defending_Against_Spear_Phishing_with_Exim

That's a useful tool, but it's Exim specific, and it would be neat to have clam deal with this.

--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148
[clamav-users] Strange error with freshclam
Hi,

For some reason one of our mail servers is being denied access to download the latest cvd file because it is too out of date.

Current version is the latest 97.7 and before that it was 97.6.

Current working dir is /usr/local/share/clamav
Max retries == 3
ClamAV update process started at Thu Mar 21 12:02:36 2013
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 900
Software version from DNS: 0.97.7
main.cvd version from DNS: 54
main.cld is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
daily.cvd version from DNS: 16879
Retrieving http://database.clamav.net/daily-16682.cdiff
Ignoring mirror 208.70.244.158 (has connected too many times with an outdated version)
Ignoring mirror 24.215.0.24 (has connected too many times with an outdated version)
Ignoring mirror 200.236.31.1 (has connected too many times with an outdated version)
Ignoring mirror 128.177.8.248 (has connected too many times with an outdated version)
Ignoring mirror 208.70.244.158 (has connected too many times with an outdated version)
...

Regards,
Rick
Re: [clamav-users] New Version of ClamAV
On Mar 20, 2013, at 8:45 PM, Spiro Harvey sp...@knossos.net.nz wrote:
> > We're currently scoping out the next version of ClamAV. We have a number of ideas in house, but I wanted to solicit some feedback from our users about what you might be interested in seeing.
>
> Timely release announcement on the mailing list.

97.7's release announcement was my fault. Olney is talking about future future features.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
[clamav-users] PUA types
What PUA category does PUA.OLE.EmbeddedPDF come under? (Triggered by a Word document).

paul
[clamav-users] Strange error with freshclam
Hi,

Re-post since I didn't see it hit the list.

For some reason one of our mail servers is being denied access to download the latest cvd file because it is too out of date.

Current version is the latest 97.7 and before that it was 97.6.

Current working dir is /usr/local/share/clamav
Max retries == 3
ClamAV update process started at Thu Mar 21 12:02:36 2013
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 900
Software version from DNS: 0.97.7
main.cvd version from DNS: 54
main.cld is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
daily.cvd version from DNS: 16879
Retrieving http://database.clamav.net/daily-16682.cdiff
Ignoring mirror 208.70.244.158 (has connected too many times with an outdated version)
Ignoring mirror 24.215.0.24 (has connected too many times with an outdated version)
Ignoring mirror 200.236.31.1 (has connected too many times with an outdated version)
Ignoring mirror 128.177.8.248 (has connected too many times with an outdated version)
Ignoring mirror 208.70.244.158 (has connected too many times with an outdated version)
...

Regards,
Rick
Re: [clamav-users] Strange error with freshclam
On Mar 21, 2013, at 12:05 PM, Rick Macdougall ri...@ummm-beer.com wrote:
> Hi,
>
> For some reason one of our mail servers is being denied access to download the latest cvd file because it is too out of date.
>
> Current version is the latest 97.7 and before that it was 97.6.
>
> Current working dir is /usr/local/share/clamav
> Max retries == 3
> ClamAV update process started at Thu Mar 21 12:02:36 2013
> Using IPv6 aware code
> Querying current.cvd.clamav.net
> TTL: 900
> Software version from DNS: 0.97.7
> main.cvd version from DNS: 54
> main.cld is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
> daily.cvd version from DNS: 16879
> Retrieving http://database.clamav.net/daily-16682.cdiff
> Ignoring mirror 208.70.244.158 (has connected too many times with an outdated version)
> Ignoring mirror 24.215.0.24 (has connected too many times with an outdated version)
> Ignoring mirror 200.236.31.1 (has connected too many times with an outdated version)
> Ignoring mirror 128.177.8.248 (has connected too many times with an outdated version)
> Ignoring mirror 208.70.244.158 (has connected too many times with an outdated version)

Dear Rick,

Thanks for your email. I believe you will find what you are looking for here: http://blog.clamav.net/2013/02/resolving-issues-with-freshclam.html

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
Re: [clamav-users] Strange error with freshclam
On 2013-03-22 10:55 AM, Joel Esler wrote:
> On Mar 21, 2013, at 12:05 PM, Rick Macdougall ri...@ummm-beer.com wrote:
> > Hi,
> >
> > For some reason one of our mail servers is being denied access to download the latest cvd file because it is too out of date.
> >
> > Current version is the latest 97.7 and before that it was 97.6.
>
> Dear Rick,
>
> Thanks for your email. I believe you will find what you are looking for here: http://blog.clamav.net/2013/02/resolving-issues-with-freshclam.html
>
> --
> Joel Esler

That did it, thanks Joel.

Regards,
Rick
Re: [clamav-users] New Version of ClamAV
Ian, if you can put more detail about your zombie issue into a bug, it would be easier for us to deal with it.

Thanks,
Matt

On Thu, Mar 21, 2013 at 7:57 AM, Ian Eiloart i...@sussex.ac.uk wrote:
> On 20 Mar 2013, at 14:35, Matt Olney mol...@sourcefire.com wrote:
> > Before you ask, we don't have a lot of information that we're ready to share on our end about what we're planning, so I don't want to promise anything yet. In general we're looking to expand the detection capability, the engine's stability and make the system a little more usable. As we firm things up, we'll let you guys know more about what we're working on.
> > ….
> > Thanks in advance for your ideas! Please send your ideas to this list so we can track them.
>
> Focus on stability and usability.
>
> I use Exim, Clam, and Spamassassin (in order of descending importance). I regard Exim as essential for continuity of service. Clam, when available, is trusted absolutely to reject emails that are a security threat to my network - so it's important to me that it's as available as possible. Unfortunately, it occasionally hangs leaving zombie processes that require a reboot to fix.
>
> When it's available, I want it to block malware attachments, but I also want it to block emails with links to malware, and links to phishing sites.
>
> BTW, I use Clam to scan outbound email, as well as inbound, in order to improve herd immunity to infections. One thing that I'd like to do with outbound email is to prevent people from emailing their own passwords. Something along these lines: https://grepular.com/Defending_Against_Spear_Phishing_with_Exim
>
> That's a useful tool, but it's Exim specific, and it would be neat to have clam deal with this.
>
> --
> Ian Eiloart
> Postmaster, University of Sussex
> +44 (0) 1273 87-3148
Re: [clamav-users] PUA types
Paul,

That alert is to indicate that the file it alerted on is likely an MS Office document that has a PDF embedded within it. You may want to take a closer look at it as we have observed malicious payloads being distributed this way in the past.

As for what PUA category it comes under, I suppose you are referring to the old PUA categories we used to have. We are in the process of streamlining our signature names (we will have an announcement soon). This PUA alert doesn't fall under any of the old PUA categories.

Hope this answers your questions.

Thanks,
- Alain
Re: [clamav-users] New Version of ClamAV
On Friday 22 March 2013 11:16:26 Matt Olney did opine:
> Spiro, a messenger has just arrived by horse. Apparently we have released ClamAV 0.97.7 :)
>
> We'll do better next time :)
>
> Matt

URL? Those are generally nice. ducks

> On Wed, Mar 20, 2013 at 8:45 PM, Spiro Harvey sp...@knossos.net.nz wrote:
> > > We're currently scoping out the next version of ClamAV. We have a number of ideas in house, but I wanted to solicit some feedback from our users about what you might be interested in seeing.
> >
> > Timely release announcement on the mailing list.
> >
> > /ducks ;)

Cheers, Gene
--
There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author)
My web page: http://coyoteden.dyndns-free.com:85/gene is up!
My views http://www.armchairpatriot.com/What%20Has%20America%20Become.shtml
Diplomacy is the art of saying nice doggy until you can find a rock.
I was taught to respect my elders, but it's getting harder and harder to find any...
Re: [clamav-users] Strange error with freshclam
On Friday 22 March 2013 11:19:25 Rick Macdougall did opine:
> Hi,
>
> Re-post since I didn't see it hit the list.

It did.

> For some reason one of our mail servers is being denied access to download the latest cvd file because it is too out of date.
>
> Current version is the latest 97.7 and before that it was 97.6.
>
> Current working dir is /usr/local/share/clamav
> Max retries == 3
> ClamAV update process started at Thu Mar 21 12:02:36 2013
> Using IPv6 aware code
> Querying current.cvd.clamav.net
> TTL: 900
> Software version from DNS: 0.97.7
> main.cvd version from DNS: 54
> main.cld is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
> daily.cvd version from DNS: 16879
> Retrieving http://database.clamav.net/daily-16682.cdiff
> Ignoring mirror 208.70.244.158 (has connected too many times with an outdated version)
> Ignoring mirror 24.215.0.24 (has connected too many times with an outdated version)
> Ignoring mirror 200.236.31.1 (has connected too many times with an outdated version)
> Ignoring mirror 128.177.8.248 (has connected too many times with an outdated version)
> Ignoring mirror 208.70.244.158 (has connected too many times with an outdated version)
> ...
>
> Regards,
> Rick

Cheers, Gene
--
There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author)
My web page: http://coyoteden.dyndns-free.com:85/gene is up!
My views http://www.armchairpatriot.com/What%20Has%20America%20Become.shtml
Diplomacy is the art of saying nice doggy until you can find a rock.
I was taught to respect my elders, but it's getting harder and harder to find any...
Re: [clamav-users] Strange error with freshclam
On 2013-03-22 11:19 AM, Gene Heskett wrote:
> On Friday 22 March 2013 11:19:25 Rick Macdougall did opine:
> > Hi,
> >
> > Re-post since I didn't see it hit the list.
>
> It did.

Yah, I saw that. Took over 24 hours though.

Regards,
Rick
Re: [clamav-users] PUA types
On 22 Mar 2013 at 11:12, Alain Zidouemba wrote:
> Paul,
>
> That alert is to indicate that the file it alerted on is likely an MS Office document that has a PDF embedded within it. You may want to take a closer look at it as we have observed malicious payloads being distributed this way in the past.

Thanks Alan - this was a large document which did not trigger any other alerts.

> As for what PUA category it comes under, I suppose you are referring to the old PUA categories we used to have. We are in the process of streamlining our signature names (we will have an announcement soon). This PUA alert doesn't fall under any of the old PUA categories.

OK, but the categories are still listed in your website and clamd still has IncludePUA and ExcludePUA config items. Do they still function? Let us know what you are planning there.

paul
[clamav-users] Memory level
In your new version, can you please consider how to run it on low memory systems (512MB) for spamassassin other than direct from the command line which takes time to load each time it's called.

Our basic internet servers we roll out to dedicated clients run on the Amazon EC2 micro servers and consist of mysql, postfix, dovecot, apache, spamassassin and clamd (disabled). Disabled because it consumes too much RAM and deemed the least required because antivirus is readily available on desktops, tablets and phones and most clients would prefer to deal with one or two virus' messages than 100's of spam messages.

At the moment, on the Amazon EC2 micro servers, there is 512Mb RAM available, of which, clamd consumes 30% if enabled, taking the RAM load from 165/512MB to 337/512MB, and that's before the server has started processing anything.

Kind regards,
Christian
[clamav-users] Client disconnected while scanjob was active
Hi,

I was using clamscan for daily scanning of our users' home directories, but it was getting too slow with scan times of up to 6 hours. Therefore I'm testing clamdscan and using multiple threads to scan. (cmd line is /usr/local/bin/clamdscan -m --fdpass /home)

I am getting the following error messages from clamd while scanning, and it's missing a lot of files. I've put the Eicar test file at various spots and it's being missed by the scan.

Thu Mar 21 22:00:01 2013 - SelfCheck: Database status OK.
Thu Mar 21 22:10:01 2013 - SelfCheck: Database status OK.
Thu Mar 21 22:13:48 2013 - Client disconnected while scanjob was active
Thu Mar 21 22:13:48 2013 - Client disconnected while scanjob was active
(repeat...)
Thu Mar 21 22:14:06 2013 - Client disconnected while scanjob was active
Thu Mar 21 22:17:29 2013 - Reading databases from /var/db/clamav
Thu Mar 21 22:17:36 2013 - Database correctly reloaded (2019434 signatures)

Output from clamdscan, no errors:

--- SCAN SUMMARY ---
Infected files: 0
Time: 3846.032 sec (64 m 6 s)

This is on FreeBSD 7.4-stable, clamav-0.97.7 (clamav-0.97.6 had the same problem). The home directories are all zfs based. clamd runs as user clamav, clamdscan as user root.

What could be causing this?

Kind regards,
Ben
Re: [clamav-users] Client disconnected while scanjob was active
On Fri, Mar 22, 2013 at 1:11 PM, Ben Stuyts b...@altesco.nl wrote:
> Hi,
>
> I was using clamscan for daily scanning of our users' home directories, but it was getting too slow with scan times of up to 6 hours. Therefore I'm testing clamdscan and using multiple threads to scan. (cmd line is /usr/local/bin/clamdscan -m --fdpass /home)
>
> I am getting the following error messages from clamd while scanning, and it's missing a lot of files. I've put the Eicar test file at various spots and it's being missed by the scan.
>
> Thu Mar 21 22:00:01 2013 - SelfCheck: Database status OK.
> Thu Mar 21 22:10:01 2013 - SelfCheck: Database status OK.
> Thu Mar 21 22:13:48 2013 - Client disconnected while scanjob was active
> Thu Mar 21 22:13:48 2013 - Client disconnected while scanjob was active
> (repeat...)
> Thu Mar 21 22:14:06 2013 - Client disconnected while scanjob was active
> Thu Mar 21 22:17:29 2013 - Reading databases from /var/db/clamav
> Thu Mar 21 22:17:36 2013 - Database correctly reloaded (2019434 signatures)
>
> Output from clamdscan, no errors:
>
> --- SCAN SUMMARY ---
> Infected files: 0
> Time: 3846.032 sec (64 m 6 s)
>
> This is on FreeBSD 7.4-stable, clamav-0.97.7 (clamav-0.97.6 had the same problem). The home directories are all zfs based. clamd runs as user clamav, clamdscan as user root.
>
> What could be causing this?
>
> Kind regards,
> Ben

Ben,

The "Client disconnected while scanjob was active" lines can also show up when the scanning threads are being told to shut down. Did freshclam run and update your signatures during this scan?

Dave R.

--
---
Dave Raynor
Sourcefire Vulnerability Research Team
dray...@sourcefire.com
Re: [clamav-users] Client disconnected while scanjob was active
On 22 Mar 2013, at 18:29, David Raynor dray...@sourcefire.com wrote:
> On Fri, Mar 22, 2013 at 1:11 PM, Ben Stuyts b...@altesco.nl wrote:
> > Hi,
> >
> > I was using clamscan for daily scanning of our users' home directories, but it was getting too slow with scan times of up to 6 hours. Therefore I'm testing clamdscan and using multiple threads to scan. (cmd line is /usr/local/bin/clamdscan -m --fdpass /home)
> >
> > I am getting the following error messages from clamd while scanning, and it's missing a lot of files. I've put the Eicar test file at various spots and it's being missed by the scan.
> >
> > Thu Mar 21 22:00:01 2013 - SelfCheck: Database status OK.
> > Thu Mar 21 22:10:01 2013 - SelfCheck: Database status OK.
> > Thu Mar 21 22:13:48 2013 - Client disconnected while scanjob was active
> > Thu Mar 21 22:13:48 2013 - Client disconnected while scanjob was active
> > (repeat...)
> > Thu Mar 21 22:14:06 2013 - Client disconnected while scanjob was active
> > Thu Mar 21 22:17:29 2013 - Reading databases from /var/db/clamav
> > Thu Mar 21 22:17:36 2013 - Database correctly reloaded (2019434 signatures)
> >
> > Output from clamdscan, no errors:
> >
> > --- SCAN SUMMARY ---
> > Infected files: 0
> > Time: 3846.032 sec (64 m 6 s)
> >
> > This is on FreeBSD 7.4-stable, clamav-0.97.7 (clamav-0.97.6 had the same problem). The home directories are all zfs based. clamd runs as user clamav, clamdscan as user root.
> >
> > What could be causing this?
> >
> > Kind regards,
> > Ben
>
> Ben,
>
> The "Client disconnected while scanjob was active" lines can also show up when the scanning threads are being told to shut down. Did freshclam run and update your signatures during this scan?
>
> Dave R.
>
> --
> ---
> Dave Raynor
> Sourcefire Vulnerability Research Team
> dray...@sourcefire.com

Yes it ran, but at the end at 22:17, not at 22:13 when the first errors appeared.

From freshclam.log:

--
Received signal: wake up
ClamAV update process started at Thu Mar 21 20:17:17 2013
...

and then the next entry:

--
Received signal: wake up
ClamAV update process started at Thu Mar 21 22:17:23 2013
main.cld is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
WARNING: getfile: daily-16881.cdiff not found on remote server (IP: 217.19.16.188)
WARNING: getpatch: Can't download daily-16881.cdiff from database.clamav.net
Downloading daily-16881.cdiff [100%]
daily.cld updated (version: 16881, sigs: 980411, f-level: 63, builder: guitar)
bytecode.cld is up to date (version: 214, sigs: 41, f-level: 63, builder: neo)
Database updated (2024839 signatures) from database.clamav.net (IP: 145.58.29.83)
Clamd successfully notified about the update.
...

and the next:

--
Received signal: wake up
ClamAV update process started at Fri Mar 22 00:17:29 2013

There were also a few incoming e-mails during that time which were scanned via clamav-milter and clamd. Could that have an effect?

Ben
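
The timestamp comparison made in the message above, written out as an added example (not part of the original thread and not ClamAV code): it pairs each "Client disconnected while scanjob was active" line in a clamd log with the nearest freshclam run or database reload and flags the ones that fall outside a window. The function names and the 60-second window are assumptions; the sample lines are copied from the log excerpts quoted in this thread.

```python
import re
from datetime import datetime, timedelta

# Timestamp layout used by both logs in the thread, e.g. "Thu Mar 21 22:13:48 2013".
TS = r"(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})"
# clamd writes "<timestamp> -> <message>"; the list archive shows the arrow as " - ".
CLAMD_LINE = re.compile(TS + r" -+>? (.*)")
FRESHCLAM_START = re.compile(r"ClamAV update process started at " + TS)

# Excerpts copied from the messages in this thread.
CLAMD_SAMPLE = """\
Thu Mar 21 22:00:01 2013 - SelfCheck: Database status OK.
Thu Mar 21 22:10:01 2013 - SelfCheck: Database status OK.
Thu Mar 21 22:13:48 2013 - Client disconnected while scanjob was active
Thu Mar 21 22:13:48 2013 - Client disconnected while scanjob was active
Thu Mar 21 22:14:06 2013 - Client disconnected while scanjob was active
Thu Mar 21 22:17:29 2013 - Reading databases from /var/db/clamav
Thu Mar 21 22:17:36 2013 - Database correctly reloaded (2019434 signatures)
"""
FRESHCLAM_SAMPLE = """\
ClamAV update process started at Thu Mar 21 20:17:17 2013
ClamAV update process started at Thu Mar 21 22:17:23 2013
Clamd successfully notified about the update.
ClamAV update process started at Fri Mar 22 00:17:29 2013
"""


def parse_ts(text):
    # %a and %b are locale dependent; this assumes the English (C) locale.
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")


def clamd_events(log_text):
    """Return (disconnect_times, reload_times) found in a clamd log."""
    disconnects, reloads = [], []
    for line in log_text.splitlines():
        m = CLAMD_LINE.match(line.strip())
        if not m:
            continue
        when, msg = parse_ts(m.group(1)), m.group(2)
        if msg.startswith("Client disconnected while scanjob was active"):
            disconnects.append(when)
        elif msg.startswith("Reading databases from"):
            reloads.append(when)
    return disconnects, reloads


def freshclam_starts(log_text):
    """Return the start time of every freshclam run in a freshclam log."""
    return [parse_ts(m.group(1)) for m in FRESHCLAM_START.finditer(log_text)]


def correlate(clamd_log, freshclam_log, window_s=60):
    """Pair each disconnect with the nearest update or reload; flag the rest."""
    disconnects, reloads = clamd_events(clamd_log)
    triggers = reloads + freshclam_starts(freshclam_log)
    window = timedelta(seconds=window_s)
    results = []
    for when in disconnects:
        nearest = min(triggers, key=lambda t: abs(t - when), default=None)
        gap = abs(nearest - when) if nearest is not None else None
        results.append({
            "time": when,
            "nearest_trigger": nearest,
            "gap_s": None if gap is None else int(gap.total_seconds()),
            "explained": gap is not None and gap <= window,
        })
    return results


if __name__ == "__main__":
    for r in correlate(CLAMD_SAMPLE, FRESHCLAM_SAMPLE):
        verdict = "near a reload" if r["explained"] else "NOT near any reload"
        print(f'{r["time"]}  gap={r["gap_s"]}s  {verdict}')
```

On the thread's own excerpts every disconnect is more than three minutes away from the 22:17 update, so the dropped scan jobs are not accounted for by the signature reload alone.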
Re: [clamav-users] Memory level
Hi Christian,

Yep, we've heard that a couple of times. We'll do our best to address it.

Matt

On Fri, Mar 22, 2013 at 12:40 PM, Christian Salway ccsal...@itmanx.com wrote:
> In your new version, can you please consider how to run it on low memory systems (512MB) for spamassassin other than direct from the command line which takes time to load each time it's called.
>
> Our basic internet servers we roll out to dedicated clients run on the Amazon EC2 micro servers and consist of mysql, postfix, dovecot, apache, spamassassin and clamd (disabled). Disabled because it consumes too much RAM and deemed the least required because antivirus is readily available on desktops, tablets and phones and most clients would prefer to deal with one or two virus' messages than 100's of spam messages.
>
> At the moment, on the Amazon EC2 micro servers, there is 512Mb RAM available, of which, clamd consumes 30% if enabled, taking the RAM load from 165/512MB to 337/512MB, and that's before the server has started processing anything.
>
> Kind regards,
> Christian