Re: [clamav-users] clamav stops boot

2014-05-04 Thread Bob Hutchinson
On 04/05/14 18:00, Greg Mueller wrote:
 I just let it run and run and about 24 hours later I got to a debian 5 
 terminal login and logged in.
 I deleted clamav and all its affiliated files and now I can boot to the 
 login in a normal manner.
 
 Now if I can just get a gui running

If the computer has enough oomph why not just install a new OS, Ubuntu
or Linuxmint, Debian 5 is very old and will be a rough ride compared to
later versions. Anyway, this is getting off-topic



 
 
 
 
 
 
 On Sat, 5/3/14, Dennis Peterson denni...@inetnw.com wrote:
 
  Subject: Re: [clamav-users] clamav stops boot
  To: ClamAV users ML clamav-users@lists.clamav.net
  Date: Saturday, May 3, 2014, 8:59 PM
  
  On 5/2/14, 8:34 AM, Greg Mueller wrote:
   Thank you for your response
   I did not install clamav, it came on a used computer. (not the one I'm using to write this email)
   I can't get that computer to boot at all so I can't upgrade.
   
   I just need to get the computer to go past the block in the boot caused by clamav (apparently)
   
   
  The stalled boot may have nothing to do with ClamAV - it
  could very well be the next thing that the init process is
  trying to start. You may find this information helpful: 
 http://www.cyberciti.biz/faq/grub-boot-into-single-user-mode/
  
  You can boot to single user mode and explore the startup
  scripts and logs to see if any clues pop up. If nothing else
  you can attempt to disable the startup script for ClamAV and
  any subsequent suspicious processes.
  
  dp
  ___
  Help us build a comprehensive ClamAV guide:
  https://github.com/vrtadmin/clamav-faq
  http://www.clamav.net/support/ml
  
 
 


-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [clamav-users] clamav stops boot

2014-05-02 Thread Bob Hutchinson
On 02/05/14 16:18, Greg Mueller wrote:
 I just got a new/used computer. It has Debian on it and was booting fine. But 
 now when it starts to boot it gets this message.

If not Ctrl-c try q


 
 *
 This Version of the clamavb engine is outdated
 Don't Panic Read http://www.clamav.nrt/support/faq
 *
 
 I have let it sit there thinking it might be updating or running a check or 
 something, but it will not go past this point.
 
 Is there a combination of keystrokes or some action which will get me past 
 this?
 
 This is my first use of Debian so I am not having easy time as it is.
 
 Thanks
 Greg
 
 


-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [clamav-users] freshclam Verification: Can't verify database integrity

2012-01-23 Thread Bob Hutchinson

On 23/01/12 18:27, Greg Cirino wrote:

Here is the clamd log with no changes except I had lunch

2012-01-23 12:17:59.584529500 Listening daemon: PID: 25777
2012-01-23 12:17:59.584568500 MaxQueue set to: 100
2012-01-23 12:28:00.034109500 No stats for Database check - forcing reload
2012-01-23 12:28:00.318747500 Reading databases from /usr/local/share/clamav
2012-01-23 12:28:04.330376500 LibClamAV Error: cli_tgzload: Invalid checksum for file main.hdb
2012-01-23 12:28:04.330458500 LibClamAV Error: Can't load /usr/local/share/clamav/main.cvd: Malformed database
2012-01-23 12:28:04.330566500 ERROR: reload db failed: Malformed database
2012-01-23 12:28:04.373648500 Terminating because of a fatal error.
2012-01-23 12:28:09.737290500 LibClamAV Error: cli_tgzload: Invalid checksum for file main.mdb
2012-01-23 12:28:09.737333500 LibClamAV Error: Can't load /usr/local/share/clamav/main.cvd: Malformed database
2012-01-23 12:28:09.737403500 ERROR: Malformed database
2012-01-23 12:28:09.737444500 Closing the main socket.
2012-01-23 12:28:16.676138500 Limits: Global size limit set to 104857600 bytes.
2012-01-23 12:28:16.676170500 Limits: File size limit set to 26214400 bytes.
2012-01-23 12:28:16.676207500 Limits: Recursion level limit set to 16.
2012-01-23 12:28:16.676238500 Limits: Files limit set to 1.
2012-01-23 12:28:16.676268500 Limits: Core-dump limit is 0.
2012-01-23 12:28:16.676297500 Archive support enabled.
2012-01-23 12:28:16.676328500 Algorithmic detection enabled.
2012-01-23 12:28:16.676357500 Portable Executable support enabled.
2012-01-23 12:28:16.676391500 ELF support enabled.
2012-01-23 12:28:16.676421500 Mail files support enabled.
2012-01-23 12:28:16.676452500 OLE2 support enabled.
2012-01-23 12:28:16.676482500 PDF support enabled.
2012-01-23 12:28:16.676510500 HTML support enabled.
2012-01-23 12:28:16.676546500 Self checking every 600 seconds.
2012-01-23 12:28:16.676578500 Listening daemon: PID: 32757
2012-01-23 12:28:16.676616500 MaxQueue set to: 100
2012-01-23 12:38:20.307033500 No stats for Database check - forcing reload
2012-01-23 12:38:20.517357500 Reading databases from /usr/local/share/clamav
2012-01-23 12:38:27.147959500 Database correctly reloaded (1119366 signatures)
2012-01-23 12:48:29.232337500 SelfCheck: Database status OK.
2012-01-23 12:58:32.896595500 SelfCheck: Database status OK.
2012-01-23 13:08:32.542060500 SelfCheck: Database status OK.
2012-01-23 13:18:34.916892500 SelfCheck: Database status OK.

This makes little sense to me


I would suggest that this is incipient hardware failure, could be 
memory, hard drive or even nic, if the box is more than 2 or 3 years old 
I would replace it with a new one ASAP.




Best Regards
Greg

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml





--
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] MRTG

2008-03-15 Thread Bob Hutchinson
On Friday 14 March 2008 14:17, Tarak Ranjan wrote:
 Hi,
 I'm trying to configure MRTG for clamd but it's giving me 0 output

 Title[clamd]: clamd - mail.example.com
 MaxBytes[clamd]: 1
 AbsMax[clamd]: 10
 Options[clamd]: gauge
 Target[clamd]: `/usr/local/bin/qmailmrtg7 C /var/log/clamav`
 PageTop[clamd]: <B>mail.example.com ClamAV</B><br>
 ShortLegend[clamd]: Msg
 YLegend[clamd]: viri/hour
 Legend1[clamd]: a&nbsp;
 LegendI[clamd]: found&nbsp;
 LegendO[clamd]: errors:&nbsp;
 WithPeak[clamd]: ymwd
 XSize[clamd]: 350
 YSize[clamd]: 150


 /usr/local/bin/qmailmrtg7 C /var/log/clamav
 0
 0

qmailmrtg7 is designed to work with daemontools multilog logs, not traditional 
syslog type logs. (I'm making an assumption here which might be totally 
wrong)
If you are not using daemontools you should be able to write a perl or bash 
script to pull the relevant bits out of your logs.

The first number is the number of viruses found in the last 5 minutes times 12 
to give you a per hour rate, assuming mrtg is running every five minutes.
The second is an error count handled in the same way

Or perhaps someone else already has ;-)


 any idea ,, anyone


 /
 Tarak



 ___
 Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
 http://lurker.clamav.net/list/clamav-users.html

-- 
-
Bob Hutchinson
Midwales dot com
-
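
A script of the kind suggested in the reply above, as an added example that is not part of the original post and not taken from qmailmrtg7. The function name `clamd_mrtg` and the state file are hypothetical, and it assumes clamd writes `... FOUND` and `ERROR:` lines to a plain log file.

```shell
#!/bin/sh
# Added example, not from the thread. clamd_mrtg and the state file are
# hypothetical; the log path is whatever LogFile points to in clamd.conf.
#
# clamd_mrtg LOG STATE
#   Prints two lines for an MRTG "gauge" target polled every five minutes:
#     1. FOUND lines logged since the previous run, times 12 (per-hour rate)
#     2. ERROR: lines logged since the previous run, times 12
#   STATE remembers how many log lines were already counted.
clamd_mrtg() {
    log=$1
    state=$2
    [ -r "$log" ] || { echo "clamd_mrtg: cannot read $log" >&2; return 1; }

    last=0
    if [ -r "$state" ]; then
        read -r last < "$state" || last=0
    fi
    case $last in
        ''|*[!0-9]*) last=0 ;;      # ignore a damaged state file
    esac

    total=$(wc -l < "$log" | tr -d ' ')
    # A log shorter than last time was rotated or truncated: start over.
    if [ "$total" -lt "$last" ]; then
        last=0
    fi

    # Count only lines last+1 .. total, so nothing is counted twice even if
    # clamd appends to the log while this runs.
    awk -v skip="$last" -v upto="$total" '
        NR <= skip { next }
        NR >  upto { exit }
        / FOUND$/  { found++ }
        /ERROR:/   { errors++ }
        END { print found * 12; print errors * 12 }
    ' "$log"

    echo "$total" > "$state"
}
```

In the MRTG config this would replace the qmailmrtg7 call in the `Target[clamd]` backticks, through a small wrapper that sources the function and calls it with the log and state paths.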


Re: [Clamav-users] Reconfiguring Clam AV

2008-01-08 Thread Bob Hutchinson
On Tuesday 08 January 2008 18:05, Charles Mckee wrote:
 Cool thank you !! I must install a webserver !!

or use rsync


 Respectfully Yours
 Charles McKee




 Török Edwin [EMAIL PROTECTED]
 Sent by: [EMAIL PROTECTED]
 01/08/2008 10:53 AM
 Please respond to
 ClamAV users ML clamav-users@lists.clamav.net


 To
 ClamAV users ML clamav-users@lists.clamav.net
 cc

 Subject
 Re: [Clamav-users] Reconfiguring Clam AV

 Charles Mckee wrote:
  I'm looking at where each machine gets their update from. I want to point to
  an internal machine that will house the update. I will place the updates
  there. I want each machine to look at the NFS share for the update.

 Hi,

 See this FAQ entry "I'm running ClamAV on a lot of clients on my local
 network. Can I serve the cvd files from a local server so that each
 client doesn't have to download them from your servers?"
 http://www.clamav.org/support/faq/

 Best regards,
 --Edwin



-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] Error downloading Malware sigs

2007-09-27 Thread Bob Hutchinson
On Thursday 27 September 2007 13:18, Gerard wrote:
 Has anyone other than me been having problems downloading the Malware
 signature files for the past 24 hours?

 http://www.malware.com.br/cgi/submit?action=list_clamav
a new mbl has just come in

81262 2007-09-27 15:01 mbl.db



 Ciao,

 Gerard

-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] Major Problem with Clamd Startup

2007-09-19 Thread Bob Hutchinson
On Wednesday 19 September 2007 15:28, Roberto Ullfig wrote:
 Rob MacGregor wrote:
  On 9/19/07, Roberto Ullfig [EMAIL PROTECTED] wrote:
  We restart sendmail/clamd every morning. This morning this restart
  failed on several servers. The startup hung when clamd was trying to
  startup. I deleted everything in /var/lib/clamav (database files) and
  everything started up just fine.
 
  That's nice ;)
 
  Maybe you meant to include some actual technical details, like O/S,
  version of clamav installed etc (and possibly why you restart sendmail
  and clamd daily)?

 Redhat Linux
 clamav 0.91.2

 Actually, it doesn't seem related to the clamav restart since some
 servers experienced problems beforehand. We're using sanesecurity sigs
 as well. In several cases, I had to delete all sigs in order to get
 clamd to startup. I then ran freshclam and installed sanesecurity sigs -
 restarted clamd again and had no problem.

Sounds like some sort of file corruption, I run the sanesecurity sigs past 
clamscan (with -d) before making them available. I also download them once 
for all the servers I maintain and distribute them after they have been 
checked by clamscan. This helps reduce the load on sanesecurity whose sigs 
are stopping so much rubbish.


 Since we've never had any problems of this nature with clamav before I
 assumed that this was a signature related issue (especially since
 deleting the sigs allowed clamd to start) that everyone using clamav
 would be experiencing - that's why I didn't think it necessary to
 include OS and version in the original post.

-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] Stats script quit reporting correct number of sigs

2007-05-26 Thread Bob Hutchinson
On Saturday 26 May 2007 11:07 pm, Chris wrote:
 The rest of the line is on 1 May. I run a perl script nightly that
 reports several things including the total number of signatures. On 30
 April it reported there were:

 
 Total viruses detected  9,998
 Total Database Signatures   113,729
 

 On 1 May however it reported:

 
 Total viruses detected  10,021
 Total Database Signatures   9,364

 On 30 April my freshclam log shows:

 --
 Current working dir is /var/lib/clamav
 Max retries == 5
 ClamAV update process started at Mon Apr 30 23:44:42 2007
 Querying current.cvd.clamav.net
 TTL: 900
 Software version from DNS: 0.90.2
 main.cvd version from DNS: 43
 main.inc is up to date (version: 43, sigs: 104500, f-level: 14, builder: sven)
 daily.cvd version from DNS: 3186
 daily.inc is up to date (version: 3186, sigs: 9229, f-level: 15, builder: ccordes)
 --

 On 1 May it shows:

 --
 Current working dir is /var/lib/clamav
 Max retries == 5
 ClamAV update process started at Tue May  1 23:07:52 2007
 Querying current.cvd.clamav.net
 TTL: 900
 Software version from DNS: 0.90.2
 main.cvd version from DNS: 43
 main.inc is up to date (version: 43, sigs: 104500, f-level: 14, builder: sven)
 daily.cvd version from DNS: 3191
 daily.inc is up to date (version: 3191, sigs: 9364, f-level: 15, builder: ccordes)
 --

 I didn't write the script and not much on perl but I see no reason why
 suddenly it would quit reporting the total number of signatures versus just
 reporting the daily.cvd number. The clamstats.pl script is located here:

 http://mediasafe.embarq.com/chris1948/Hosted/clamstats.pl

try replacing (line 76)
if (/main\.cvd.+\(version:\s(\d+),\ssigs:\s(\d+),/) {
with
if (/main\.cvd.+\(version:\s+(\d+),\s+sigs:\s+(\d+),/) {

and
if (/daily\.(?:cvd|inc).+\(version:\s(\d+),\ssigs:\s(\d+),/) {
with
if (/daily\.(?:cvd|inc).+\(version:\s+(\d+),\s+sigs:\s+(\d+),/) {

this will allow one or more whitespace rather than just one, making the 
script a bit more flexible. Whitespace has a way of sneaking in somehow.


 Nothing in the script or as far as I can see in the freshclam log between
 30 April and 1 May. Someone else may see something I've missed.

 Thanks
 Chris

-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] Want to submit 100+ spam images to razor and clam dbs

2006-12-26 Thread Bob Hutchinson
On Tuesday 26 December 2006 19:01, Kelly Jones wrote:
 I've identified 100+ spam images in my INBOX that razor/clam don't
 catch, and want to submit them. The images have been MIME-decoded and
 are in GIF/JPG/etc format. My questions:

 1. For razor, can I just do razor-report *.gif *.jpg or do I need to
 re-MIME-encode the images first? Should I do razor-report -H *.gif
 *.jpg and just report the sigs to save bandwidth?

 2. Does Clam consider image spams to be viruses? If yes, where can I
 upload/report these images en masse?

Perhaps you should get in touch with the folks doing this:

http://www.msrbl.com/site/msrblimagesabout

-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] Unix/Solaris Virus DB List

2006-11-17 Thread Bob Hutchinson
On Friday 17 November 2006 14:40, Stephen Anderson wrote:
 Is there a list on the web of the viruses in the current clamav db by OS?

 I have searched the archives and FAQ and can not find a list of the
 current viruses. This silly question arises from a push or management
 requirement to install clamav on Solaris boxes for the purpose of
 virus scanning to protect the Solaris boxes. So I am curious if there
 is list of viruses that are written against Solaris which clamav
 protects against. The purpose of this install doesn't include email
 filtering or protecting windows clients and so on. The simple purpose
 of the proposed clamav install is scanning local Solaris drives that
 are not shared.

This might be more to the point:
http://www.chkrootkit.org/


 TIA,
 SA
 ___
 http://lurker.clamav.net/list/clamav-users.html

-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] Clamstats

2006-09-26 Thread Bob Hutchinson
On Tuesday 26 September 2006 00:03, Gerard Seibert wrote:
 I installed the clamstats-0.2.pl program because it was listed on this
 forum recently. Prior to actually running it, I cleaned out the
 clamd.log file.

 The program is producing an error message. This is the out put of one
 such incident.

 Script started on Mon Sep 25 18:57:55 2006
 Use of uninitialized value in substitution (s///) at ./clamstats.pl line 133.
 Use of uninitialized value in concatenation (.) or string at ./clamstats.pl line 163.
 Use of uninitialized value in concatenation (.) or string at ./clamstats.pl line 166.
 Script done on Mon Sep 25 18:57:55 2006

These errors will most likely disappear once there is some data passing 
through, but if not comment out the 'use strict' line and remove '-w' from 
the first line in the script, that should stop it. They are more warnings 
than errors, not serious


 I had to change the 'clamd_update.log' to 'freshclam.log' in order to
 get the script to even run.

Generic scripts almost always have to be edited to get them to point to the 
right paths, different installs keep things in different places.


 I know this is not a Perl forum, but I thought that perhaps someone
 might have an idea what is wrong with this script. I downloaded it from:

  http://weblog.infoworld.com/venezia/archives/clamstats.pl

 I have a FreeBSD 6.1 STABLE system with Perl 5.8.8 loaded.

 If anyone can assist me, I would appreciate it.

as you can see in the top 20 lines of code, there are a few things you can 
edit to change the behaviour of the script,

my $logfile = "/var/log/clamav/clamd.log";
my $fclogfile = "/var/log/clamav/clamd_update.log";
my $host = `hostname`;

my $text = 1;
my $html = "";

and you can run it with a parameter
clamstats.pl --html

HTH
-- 
-
Bob Hutchinson
Midwales dot com
-


Re: Re: [Clamav-users] clamav 0.88.4 freshclamd question

2006-09-07 Thread Bob Hutchinson
On Thursday 07 September 2006 15:47, George R. Kasica wrote:
 On Wed, 06 Sep 2006 21:04:16 -0700, you wrote:
 
 Wilson Kwok wrote:
  This problem just fixed, but when I ./freshclam have another problem
  occur:
 
./freshclam
  ClamAV update process started at Thu Sep  7 11:42:45 2006
  SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES
  See the FAQ at http://www.clamav.net/faq.html for an explanation.
  main.cvd is up to date (version: 40, sigs: 64138, f-level: 8, builder: tkojm)
  daily.cvd is up to date (version: 1816, sigs: 3864, f-level: 8, builder: ccordes  )
 
What is NO SUPPORT FOR DIGITAL SIGNATURES??
 
 Your ClamAV installation was built without libgmp support. This library
 can be found here:
 
 http://www.swox.com/gmp/
 
 It needs to be built and installed before building ClamAV so you will
 have support for digital signatures. It is a very nice math library. Be
 sure to check the version requirements so that you don't install the
 wrong version.

 Good note on the version Dennis, it IS version picky as I
 recall...though I don't have the specifics in front of me, I know they
 are in the docs that come with ClamAV. Looking at my box here I've got
 the following installed and running well gmp-4.1.4.tar.gz

 Quick note as well on compile time, it's also a relatively long make
 and compile process at least here, so don't be in a hurry to see it
 finish. I seem to recall mine took near an hour or so but again that
 was on a P-III 933 box so you may likely have a faster box and better
 compile time.

Just for the record, for debian stable users:
package libgmp3-dev version 4.1.4-6


 ===[George R. Kasica]===+1 262 677 0766
 President   +1 206 374 6482 FAX
 Netwrx Consulting Inc.  Jackson, WI USA
 http://www.netwrx1.com
 [EMAIL PROTECTED]
 ICQ #12862186

-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] Malformed files

2006-08-29 Thread Bob Hutchinson
On Tuesday 29 August 2006 15:51, Travis Rabe wrote:
 Starting yesterday my servers are all getting this message.  Since the
 88.4 upgrade it has been messy.  Is there something wrong with clamav?

looks like your .cvd files have got corrupted.

set LogVerbose in clamd.conf and freshclam.conf

stop clamav, move the .cvd files out of the way, restart freshclam, check that 
new .cvd files have been fetched, restart clamav and check your logs.
If the problem persists change your mirror and try again.

might work ;-)


 ERROR: Malformed CVD header detected.
 ERROR: Can't read main.cvd header from database.clamav.net (216.24.174.245)
 ERROR: Malformed CVD header detected.
 ERROR: Can't read main.cvd header from database.clamav.net (216.24.174.245)

-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] freshclam not seeing change of clamav

2006-08-09 Thread Bob Hutchinson
On Wednesday 09 August 2006 12:22, Obantec Support wrote:
 - Original Message -
 From: ClamAV List [EMAIL PROTECTED]
 To: ClamAV users ML clamav-users@lists.clamav.net
 Sent: Wednesday, August 09, 2006 12:05 PM
 Subject: Re: [Clamav-users] freshclam not seeing change of clamav

   clamd.log is showing milter 88.4 running but freshclam is reporting
   88.2 what have i missed?
 
  restart freshclam

 Hi

 first thing i tried but have now found this

 ERROR: Please edit the example config file /usr/local/etc/freshclam.conf.
 ERROR: You must specify at least one database mirror.

 my line in freshclam.conf is

 DatabaseMirror db.gb.clamav.net

try
DatabaseMirror db.uk.clamav.net
DatabaseMirror db.clamav.net

works for me ;-)


 as i am in the UK.

 Mark



-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] Generating specialised reports from ClamAV {Scanned by MyndIT}

2006-04-26 Thread Bob Hutchinson
On Wednesday 26 Apr 2006 06:54, David Garrard wrote:
 Hello;

 I currently use ClamAV with MailScanner on a OpenBSD gateway. I want to
 be able to generate a report detailing the following:

 The total number of Viri found:
 The top 10 most frequent Viri
 The top 10 users who received viri.

 Looking through the appropriate documentation there does not seem to be
 a way to generate a log containing this data that I can parse.

 Any assistance here would be greatly appreciated.

make sure that you have the logging options set in clamd.conf
settings to look for:
LogFile
LogFileMaxSize
LogTime
LogClean
LogSyslog
LogFacility
LogVerbose

read the comments with each section, enabling some of them can result in big 
logs ;-(


These will give you viruses caught

which users is most likely a function of MailScanner

I don't know MailScanner (using simscan with qmail myself) but it may have 
settings too.



 All the best;

 David

-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] OT: Download script

2006-04-25 Thread Bob Hutchinson
On Monday 24 Apr 2006 22:35, Steve Basford wrote:
 Christopher X. Candreva wrote:
  I've atached my updated Perl script. It will now check the compressed
  archive, and if it is updated download and uncompress it.

 Thank you!

 I'll sort out the website tomorrow hopefully, with some of sample
 recommended scripts.

 Cheers,

 Steve

I've been 'messing around' some.
I note that the file inside the .gz is called phishc.ndb
If I unpack it with
gunzip -N phish.ndb.gz
I get phishc.ndb with its timestamp intact, which is what I want, so that the 
various servers fetching from my copy can make decisions about whether or not 
to fetch it.

Steve, is it your intention to name the file inside the .gz phishc.ndb, 
consistently, so I can script on that basis?

using the --stdout method results in a new timestamp. For me that is 
confounding.

using -N saves the original, if I run

# copy the original to .old
cp -fp phish.ndb phish.ndb.old

# put the .gz in a tmp file for restoration later
cp -p phish.ndb.gz phish.ndb.gz.tmp

# unzip, preserving timestamp of the file inside
gunzip -N phish.ndb.gz

# move the new file into place
mv -f phishc.ndb phish.ndb

# restore the .gz so that its presence can be detected next time
mv phish.ndb.gz.tmp phish.ndb.gz

(surrounding the above with checks for existence etc)
then I should be in the same position I was before this .gz idea and I won't 
have to go and change a number of other scripts. ;-)

There must be quite a few people who have multiple servers to stock, this way 
they only fetch it once and can propagate by whichever means they like, while 
minimising the load/bandwidth on sanesecurity.

This works with Chris Candreva's perl script Phish.pl and should work with any 
other method, it's the timestamp preservation that is crucial.

HTH

-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] OT: Download script

2006-04-25 Thread Bob Hutchinson
On Tuesday 25 Apr 2006 11:07, Steve Basford wrote:
  On Monday 24 Apr 2006 22:35, Steve Basford wrote:
 
  Steve, is it your intention to name the file inside the .gz phishc.ndb,
  consistently, so I can script on that basis?

 Arghhh... sorry that really should have been phish.ndb, I've now
 corrected the script

  using -N saves the original, if I run

 Okay, I'll fix it...

 Thanks for pointing this out.

I've just checked that it works, I've edited my script and run it.
works fine, returned 200 first time, 304 thereafter


 Steve



-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] OT: Download script

2006-04-25 Thread Bob Hutchinson
On Tuesday 25 Apr 2006 12:07, Christopher X. Candreva wrote:
 On Tue, 25 Apr 2006, Bob Hutchinson wrote:
  On Monday 24 Apr 2006 22:35, Steve Basford wrote:
 
  using the --stdout method results in a new timestamp. For me that is
  confounding.

 Yes. Unfortunately I didn't see any other way to keep the original .gz file
 intact. The LWP mirror library needs the original .gz file, as that is what
 will be compared to, to decide if an update is needed.

 If you know a gunzip option that will NOT delete the compressed file,
 that would be the preferred method.

<snip>
if ($result == 200) {
    # not required
    if ( -f $dbfile ) {
        system("cp -fp $dbfile $dbfile.old");
    }
    if ( -f $file) {
        system("cp -p $file $file.tmp");
        system("gunzip -Nf $file");
        system("mv $file.tmp $file");
    }
}
</snip>

the -f parameter should stop gunzip from asking you if you want it overwritten

It might be best *not* to do this directly into /usr/local/share/clamav (or 
wherever), then a check can be done to see if the update has
1) made it
2) is newer than the live one

The trouble with perl system() calls is that you don't get any result codes, I 
might experiment with backticks instead.

more later



 ==
 Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
 WestNet Internet Services of Westchester
 http://www.westnet.com/

-- 
-
Bob Hutchinson
Midwales dot com
-
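
The staging step suggested in the message above (unpack somewhere other than the live database directory, then check that the update made it and is newer), combined with the `gunzip -N` timestamp handling from the 2006-04-25 message and the `clamscan -d` pre-check mentioned in the 2007-09-19 post, as an added example that is not code from any poster in the thread. The function names `stage_sigdb` and `check_sigdb` are hypothetical, and the clamscan check is skipped when clamscan is not installed.

```shell
#!/bin/sh
# Added example, not from the thread. stage_sigdb and check_sigdb are
# hypothetical names; the caller supplies the paths.

# check_sigdb FILE
#   Load FILE as clamscan's only database (-d) and scan an empty probe file.
#   clamscan exits 0 or 1 when the database loaded and 2 on an error such as
#   "Malformed database". Assumption: if clamscan is not installed on this
#   host the check is skipped.
check_sigdb() {
    command -v clamscan >/dev/null 2>&1 || return 0
    sig_probe=$(mktemp "${TMPDIR:-/tmp}/sigprobe.XXXXXX") || return 1
    sig_rc=0
    clamscan --no-summary -d "$1" "$sig_probe" >/dev/null 2>&1 || sig_rc=$?
    rm -f "$sig_probe"
    [ "$sig_rc" -lt 2 ]
}

# stage_sigdb GZ LIVE
#   Returns 0 = LIVE replaced, 1 = GZ holds nothing newer, 2 = rejected.
stage_sigdb() {
    gz=$1
    live=$2
    [ -s "$gz" ] || { echo "stage_sigdb: $gz missing or empty" >&2; return 2; }
    stage=$(mktemp -d "${TMPDIR:-/tmp}/sigstage.XXXXXX") || return 2
    status=2

    # Work on a copy, so the downloaded .gz stays in place for the next
    # "has it changed?" comparison by wget -N or the LWP mirror call.
    if cp -p "$gz" "$stage/in.gz" && (cd "$stage" && gunzip -N in.gz); then
        # -N restores the stored name, whatever it is (phishc.ndb at one
        # point in the thread), so take the single file that came out.
        set -- "$stage"/*
        new=$1
        if [ $# -ne 1 ] || [ ! -f "$new" ] || [ ! -s "$new" ]; then
            echo "stage_sigdb: unexpected archive contents" >&2
        elif [ -e "$live" ] && [ -z "$(find "$new" -newer "$live")" ]; then
            status=1                      # not newer than the live copy
        elif ! check_sigdb "$new"; then
            echo "stage_sigdb: clamscan could not load $new" >&2
        else
            if [ -e "$live" ]; then
                cp -fp "$live" "$live.old" || echo "stage_sigdb: no backup" >&2
            fi
            # cp -p keeps the restored mtime; the final mv is a rename inside
            # one directory, so readers never see a half-written database.
            if cp -p "$new" "$live.tmp.$$" && mv -f "$live.tmp.$$" "$live"; then
                status=0
            else
                rm -f "$live.tmp.$$"
            fi
        fi
    else
        echo "stage_sigdb: could not unpack $gz" >&2
    fi

    rm -rf "$stage"
    return "$status"
}
```

A cron job would call `stage_sigdb` only after the download step reports a new file (HTTP 200 rather than 304).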


Re: [Clamav-users] OT: Download script

2006-04-25 Thread Bob Hutchinson
On Tuesday 25 Apr 2006 16:04, Tom Metro wrote:
 Bob Hutchinson wrote:
  The trouble with perl system() calls is that you don't get any result
  codes...

 % perldoc -f system
  system LIST
  system PROGRAM LIST
 ...
  You can check all the failure possibilities by inspecting $?
  like this:

  if ($? == -1) {
      print "failed to execute: $!\n";
  }
  elsif ($? & 127) {
      printf "child died with signal %d, %s coredump\n",
          ($? & 127),  ($? & 128) ? 'with' : 'without';
  }
  else {
      printf "child exited with value %d\n", $? >> 8;
  }


 Or simply put, to get the familiar exit code you'd see from the shell:

 my $exit_code = $? >> 8;

oh good, I'll incorporate that into my script.
Thanks!



   -Tom

-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] OT: Download script

2006-04-24 Thread Bob Hutchinson
On Monday 24 Apr 2006 07:04, Steve Basford wrote:
 Hi All,

 In order to optimize the use of my bandwidth for the unofficial phishing
 signatures, I want to put up a few
 example scripts on the main page of my site that users should use to
 download the phish.ndb file.

 The reason is that I've got quite a few users, downloading every 15
 mins, the same phish.ndb file, whether the
 contents of the phish.ndb file has changed or not :(

 I've just moved server onto a higher bandwidth package but it's not
 unlimited :)

 Could anyone come up with some good wget/curl scripts, with wget, I
 guess it's using the -N option to only download changes and only
 download hourly (eg.  15:00, 16:00, 17:15, 18:15) etc.

 Sorry to be slightly off-topic here...

Here's another example:

cd /home/user/html/downloads/clamav || exit 1
# -N: only fetch when the remote copy is newer than the local one
wget -N -q http://www.sanesecurity.com/clamav/phish.ndb
RET=$?
if [ "$RET" -ne 0 ]; then
    echo "wget phish.db failed"
else
    touch /home/user/phishdb.done
fi

I put that on a (twice daily) cron and point other users/servers to the url 
associated with /home/user/html/downloads/clamav

Takes a load off sanesecurity.com ;-)

If it fails I get an email from cron and I've got a timestamped file telling 
me when it last ran successfully.



 Cheers,

 Steve




-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] OT: Download script

2006-04-24 Thread Bob Hutchinson
On Monday 24 Apr 2006 13:26, Leonardo Rodrigues Magalhães wrote:
 Steve Basford escreveu:
  In order to optimize the use of my bandwidth for the unofficial
  phishing signatures, I want to put up a few
  example scripts on the main page of my site that users should use to
  download the phish.ndb file.

 I know this is a silly suggestion, but why not gzip/bzip2 the
 signatures file ??? That would, for sure, save a LOT of bandwidth usage
 from your servers !!!

 I have downloaded phish.ndb now and it has 256735 bytes. bzip2ing it
 took the file to 35111 bytes. gzipping with --best option took it to
 46424. In the worst case (gzip), you would be saving more than 210k per
 download !

 Maybe you can keep both versions (compressed and uncompressed) for
 some time and decide a final date for stop keeping the uncompressed one.

 How about that ?

or rsync?
compression as part of the protocol, and only transfers the diffs ;-)

sanesecurity.com would need rsync daemon running.


-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] Unofficial Phishing Signatures: 369 sigs: 26th February 2006

2006-02-27 Thread Bob Hutchinson
On Sunday 26 Feb 2006 14:01, Steve Basford wrote:
 Hi,

 You'll all be glad to hear I don't intend to post here every time I do
 an update of the sigs,
 but as I've added a few sigs today and updated the main website a
 little, I thought post to the list:

 http://www.sanesecurity.com/clamav/

 For those interested, here are some stats from a couple of sites, using
 the sigs:

 http://www.efe.me.uk/vstat/

he, I forgot that was there, I apologise for the awful graph ;-(

 http://www.marietta.edu/%7Erobinsom/virus.html

 In order to help prevent false positives, I've now got a folder of over
 1500 *genuine* ebay/paypal/amazon emails,
 which I now scan against before I make the signatures live.

I'm very happy with the phish.ndb, several customers have commented, 'have you 
done something? I'm getting far less junk'.

I commend it to anyone, keep up the good work Steve.


 Cheers,

 Steve


-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] some trouble using clamscan options...

2006-02-06 Thread Bob Hutchinson
On Monday 06 Feb 2006 14:04, Marco Gaiarin wrote:
 I'm trying to build up some sort of ``system scan'' script that,
 nightly, scan all my debian/samba servers and report infections.

 Script works, but i've some strange result, or at least probably i've
 not understood well the clamscan command line options.


 I start clamscan with a cmdline like:

   clamscan --quiet --stdout --recursive --infected --no-mail \
   --exclude-dir=/srv/quarantena --move=/srv/quarantena \
   --log=/var/log/sysscan.log /home /srv

 and AFAI've understood well, the --exclude-dir excludes directory
 patterns from the scanning process. But i find in log:

try
--exclude-dir=quarantena

as it is a pattern, not a path, might work ;-)



  /home/user/.profile9x/Application Data/sgrunt/IE4321.exe: Dialer-319 FOUND
  /home/user/.profile9x/Application Data/sgrunt/IE4321.exe: moved to
 '/srv/quarantena//IE4321.exe.000' [...]
  /srv/quarantena/IE4321.exe.000: Dialer-319 FOUND
  File excluded '/srv/quarantena/IE4321.exe.000'

 So seems that --exclude-dir apply not to scanning, but to moving...
 Can i tackle log the report sum script to ignore row like these, but
 i'd prefer not to scan --exclude-dir ... clamav is a powerful tool, a
 wonderful antivirus, but a bit slow...


 Also, i've noted that even if i've put --no-mail, this script quarantine
 a Thunderbird mailbox, that is in unix mailbox format.
 What i'm missing here?


   trinity:~# clamscan --version
   ClamAV 0.88/1278/Mon Feb  6 12:05:04 2006

 debian sarge, taken from volatile, daily upgrade.

-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] Not sure if configured correctly

2006-01-20 Thread Bob Hutchinson
On Thursday 19 Jan 2006 21:14, Gerard Seibert wrote:
 I recently installed ClamAV on my FreeBSD 5.4 system. I am running
 Sendmail as my MTA.

 Clam seems to be working fine except for one small thing.

 First, this is the entry I have in my /etc/rc.conf file for Clam.

 clamav_clamd_enable="YES"   # Enable ClamAV
 clamav_freshclam_enable="YES"   # Enable auto updater for AV
 clamav_milter_enable="YES"  # Enable the mail AV scanner
 clamav_milter_socket="/var/run/clamav/clmilter.sock"   # Clam Milter socket
 clamav_milter_flags="--postmaster-only --local --outgoing --max-children=50 --quarantine dir=/var/mail/quarantine --timeout=0"   # Clam milter settings

 Each directive is on one separate line although it might not look like
 it here.

 This is a sample of the notices I receive when a virus is detected.

 The message k0JAB7nO094434 sent from
 [EMAIL PROTECTED] to [EMAIL PROTECTED]
 contained HTML.Phishing.Pay-6 and has not been delivered.

 The message in question has been quarantined as
 /var/tmp//clamav-48b75ba8e9a0d2da/msg.8LUShP


 First, you will notice that there are two // in the path. I do not
 understand why. Second, although the directory entry does exist, it is
 empty. The file mentioned is present in the
 /var/mail/quarantine/060119/k0JAB7nO094434.HTML.Phishing.Pay-6 directory.
 However, there does not appear to be anything attached to the file. It
 is very simple HTML code.

Not sure if this will work, but
have a look in your clamd.conf and look for the TemporaryDirectory directive 
and set it without the trailing /
Unix filesystems are mostly tolerant of double slashes, so it's unlikely to 
cause a problem.

phishing emails are not strictly speaking viruses, just a pain, only dangerous 
to those who believe them. Hence no attachments.


 My question is why is the /var/tmp/* directory being created if it is
 empty? Why the double '//' in the path? Also, shouldn't the file with
 the virus actually have something attached to it. Most of the time on
 WinXP machines anyway, there is a file attachment of some kind, although
 I guess that is not a requirement.

The file most probably was there but only for a few milliseconds, when it got 
moved to its final location in your quarantine.

Remember to delete them from time to time ;-)


 I am just curious as to whether I have this whole thing configured
 correctly.

run
man clamd.conf
from the command line and you will learn more about the configuration of 
clamav. Also man freshclam.conf

HTH
-- 
-
Bob Hutchinson
Midwales dot com
-


[Clamav-users] minor bug in manager.c

2006-01-20 Thread Bob Hutchinson
There is a thread going on in the logwatch ML, pertaining to a bug found in 
the freshclam logging. It would appear to occur when syslog is used rather 
than freshclam's own log in Fedora.

Looking at
clamav-devel/freshclam/manager.c
Line 67
logg("ClamAV update process started at %s", ctime(&currtime));

other uses of the logg function in manager.c *do* have a linefeed (\n)


-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] minor bug in manager.c

2006-01-20 Thread Bob Hutchinson
On Friday 20 Jan 2006 18:01, Jim Maul wrote:
 Bob Hutchinson wrote:
  There is a thread going on in the logwatch ML, pertaining to a bug found
  in the freshclam logging. It would appear to occur when syslog is used
  rather than freshclam's own log in Fedora.
 
  Looking at
  clamav-devel/freshclam/manager.c
  Line 67
  logg("ClamAV update process started at %s", ctime(&currtime));
 
  other uses of the logg function in manager.c *do* have a linefeed (\n)

 Are you implying that there *should* be a linefeed?  A post earlier this
 morning seems to say that there *shouldn't* be any linefeeds.  I'm
 confused...

To be honest, so am I.
It would appear that the 'ClamAV update process started at...' line puts a 
trailing space on the line when used in syslog under some version of Fedora.
This has caused a glitch in Logwatch's parsing of freshclam entries in 
maillog.

The easiest solution is to make Logwatch tolerant of trailing spaces in this 
instance, as has been discussed on the Logwatch ML.

If Tomasz Kojm and the other coders feel that there shouldn't be a linefeed at 
this point I'm sure they are right, I'm just trying to establish whether the 
problem lies with Clamav, Fedora's rendition of syslog or Logwatch. As I 
don't use Fedora or freshclam - syslog I can't really test it out myself.

I suspect that the problem is buried somewhere in Fedora, but log parsers 
generally should be tolerant of trailing spaces. They happen.


-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] Re: getting nag screen about old installation even after installing 0.87.1

2005-12-22 Thread Bob Hutchinson
On Thursday 22 Dec 2005 14:14, Dennis Skinner wrote:
 C. Andrews Lavarre wrote:
  thanks, now I know why freshclam runs.
 
 
  I don't mind it running, I just mind it complaining about an old
  version when I know I've installed the new version.

 You want it running.  Either that or make cron run it (non-daemonized)
 every hour or so.  Otherwise you won't get new virus sigs.  Having it
 running is a good thing.  I think the prev poster may have been thinking
 that an old version may still have been running in memory even though
 you updated.

Correct. ;-)

A common problem reported on this mailing list occurs when someone installs 
from an rpm or whatever, finds in due course that they are out of date and 
the new rpm is not immediately forthcoming, so they have a go and install 
from source, which installs itself in /usr/local/* leaving the existing 
version running under /usr/*. Ugh. Then a chase around to find the old one 
and remove it, but not killing it in the process, which stops the new version 
from operating correctly.
The cure for this confounding situation is to use the right tools:
man ps
man netstat
man kill
man rpm
man freshclam.conf
man clamd.conf
etcetc

Installing Clamav from source is very easy, the only complication I have run 
across is a need for the errno patch with later versions of gcc.


HTH
-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] Re: getting nag screen about old installation even after installing 0.87.1

2005-12-21 Thread Bob Hutchinson
On Wednesday 21 Dec 2005 01:24, C. Andrews Lavarre wrote:

snip
 I just ran freshclam:

   [EMAIL PROTECTED] services]# freshclam
   ClamAV update process started at Tue Dec 20 20:19:28 2005
   main.cvd is up to date (version: 34, sigs: 39625, f-level: 5, builder: tkojm)
   daily.cvd is up to date (version: 1213, sigs: 1844, f-level: 6, builder: diego)

 and then checked freshclam.log. IT IS EMPTY!

 So it looks like clam-update is simply checking the freshclam log
 and echoing any complaints found there.

 FWIW, running clam-update in the foreground just hangs... Maybe it's
 waiting for a server. So I've just kicked it off in the background,
 we'll see if the same nag appears. What's frustrating here is that
 cron.daily has no reference to clam-update, but as the above shows,
 something is triggering it besides me (I'm asleep at 4AM) and it
 ain't cron doing it either.

 Very interesting problem...

try
ps ax | grep freshclam

and look for something like
3073 ?Ss 0:00 /usr/local/bin/freshclam -d

if it's there, try and figure out what is starting it (if you haven't removed 
it already), look in /etc/init.d or possibly even /etc/inetd or /etc/xinetd


snip

-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] WARNING: Invalid DNS reply. Falling back to HTTP mode.

2005-12-14 Thread Bob Hutchinson
On Wednesday 14 Dec 2005 18:50, [EMAIL PROTECTED] wrote:
 FC3, installed clamav-0.87.1 and trying to get it working.

 DNS problem with freshclam.
 I've read all the posts I can find to fix this, but nothing works.

 I normally run DNS on my box, so I thought that was the problem.
 I disabled it and set resolv.conf to look at external DNS, with same
 results.

 I can host and dig the mirrors.

 Here is the error output:

 [EMAIL PROTECTED] freshclam]# ./freshclam
 ClamAV update process started at Wed Dec 14 11:41:40 2005
 ERROR: Not a TXT record
 WARNING: Invalid DNS reply. Falling back to HTTP mode.
 Reading CVD header (main.cvd): OK (IMS)
 main.cvd is up to date (version: 34, sigs: 39625, f-level: 5, builder: tkojm)
 Reading CVD header (daily.cvd): OK (IMS)
 daily.cvd is up to date (version: 1162, sigs: 1306, f-level: 6, builder: tomek)
 [EMAIL PROTECTED] freshclam]#

 Thanks in advance for any helpful suggestions.

install dnscache from djbdns. Your mailer software will appreciate it too
 
There is also info in the FAQ on clamav.net


 Ron

-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] what is the default port that clamav (clamd) runs on

2005-11-28 Thread Bob Hutchinson
On Monday 28 Nov 2005 11:08, Grant Basson wrote:
 Should you ever come back to visit this list you'll learn that everything
 you need to know about this can be found in your clamd.conf file. That
 leaves for you the challenge of finding that clamd.conf file.
 
 dp

 MM all.

 I feel like a twit, but here goes anyway.



 How the heck do you run clamd?

 Man pages suggest that I just type clamd, I get the following response:

 [EMAIL PROTECTED] ~]$ clamd

 -bash: clamd: command not found

you need the full path probably

find it with
which clamd

to see if it's running
ps ax | grep clamd
netstat -ap |  grep clamd

if you installed from the tarball, clamav will most likely be installed 
under /usr/local




 I honestly can't think of where else to turn, before I get asked the obvious
 clam is installed, when I type clamscan I get the following:

 [EMAIL PROTECTED] ~]$clamscan

 --- SCAN SUMMARY ---
 Known viruses: 40192
 Engine version: 0.87
 Scanned directories: 1
 Scanned files: 13
 Infected files: 0
 Data scanned: 0.05 MB
 Time: 1.004 sec (0 m 1 s)
 [EMAIL PROTECTED] ~]$



 When I try clamdscan it does this:

 [EMAIL PROTECTED] ~]$ clamdscan
 ERROR: Clamd is not configured properly.

 --- SCAN SUMMARY ---
 Infected files: 0
 Time: 0.000 sec (0 m 0 s)
 [EMAIL PROTECTED] ~]$



 Does this mean clamd is running?



 I had to copy the man page for clamd, from the clamav website, but the
 others, (clamscan, clamdscan, clamd.conf.) but no clamd

 This is extremely confusing, any assistance would be GREATLY appreciated.

 By the way, I'm replying to this message, because clamd.conf man page, said
 clamd.conf was in /etc in my case I had to create it


 Many thanks in advance,

 God Bless,

 Grant.



-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] freshclam daemon dying

2005-11-16 Thread Bob Hutchinson
On Wednesday 16 Nov 2005 14:54, Dale Blount wrote:
 On Wed, 2005-11-16 at 09:27 -0500, Dale Blount wrote:
  Hi List,
 
  Every few months or so when a new clamav comes out, I go to update all
  of my servers to the latest version.  The last few updates have caused
  me a little grief because on restarting of clamd/freshclam, it reports
  that freshclam wasn't running.  This time I remembered to check before
  upgrading.  This is on one host (of about 10) running Linux 2.6 and
  0.87.  Most upgrades anywhere from 2-4 of the 10 hosts have a dead
  freshclam.

 On closer review, there are 4 more hosts with out of date cvd files but
 freshclam is still running (but braindead).

 3 of the hosts had the exact same size/date output:
 -rw-r--r--  1 clamav clamav  149286 2005-11-04 08:50 daily.cvd
 -rw-r--r--  1 clamav clamav 2560365 2005-11-04 08:50 main.cvd

 the 4th host had this:
 -rw-r--r--  1 clamav clamav  102909 2005-10-14 04:02 daily.cvd
 -rw-r--r--  1 clamav clamav 2560365 2005-09-16 11:34 main.cvd


 This makes 5 of 8 systems where freshclam stopped being functional.  2
 of the 4 above needed kill -9 to die, the other 2 died on a normal kill
 signal.

 Is the general consensus to follow Dennis Peterson's suggestion and run
 freshclam from crond?  That seems more like a work around than a fix,
 but I appreciate the option.

This is a bit of a long shot, but try renaming /etc/init.d/freshclam 
to /etc/init.d/freshclamd, and remember to update the start/kill symlinks

I'm not sure if this explanation makes sense, but kill -TERM freshclam 
appeared to be operating on the init.d file rather than the executable 
itself, changing the name solved the problem. This occurred some time ago and 
my recollection of the incident is a bit hazy. OS distro is Debian.


 Dale


-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] RE: Worm/Virus related to SID 3813: WEB-CGI awstats.pl configdir command execution attempt and other SIDs ?

2005-11-06 Thread Bob Hutchinson
On Saturday 05 Nov 2005 14:42, [EMAIL PROTECTED] wrote:
 Hi again everyone,

 Got the same thing few minutes ago, coming from China this time, pointing
 to the same address for the download  Seems to be spreading ? The
 downloaded file is definitely for Linux.

I got caught out by a vulnerability in awstats a few months back, used the 
same kind of method, put an executable in /tmp and ran it (somehow). It was 
being used to run a ddos attack, controlled by irc. Once I found it I removed 
it from /tmp and set the /tmp partition to noexec, upgraded awstats and added 
a search for 'wget' to my logwatch. Phew!


 Tudor

 __

 Hi everyone,

 Last night I caught an attack to my web servers here, the attack consisted
 in command execution attempts using various CGI vulnerabilities. The fact
 is that after looking at the payload of all connection attempts, they all
 had a wget IP Address/lupii, same IP address, I can send it to the
 list if anybody needs it. I downloaded the file from that site, it is an
 elf executable and it seems to be a backdoor of some sort reporting back
 to the site. The attack was coming from Taiwan and the download site was
 in Norway.

 I am not good at looking at elf format programs, is anybody willing to
 take a look ? I can send the file on demand. Does anybody know what is
 this all about ?

 Thanks,
 Tudor


-- 
-
Bob Hutchinson
Midwales dot com
-
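
The two measures described in the reply above (a log search for 'wget' and a noexec /tmp), sketched as an added example that is not part of the original post. The log format (common/combined), the function names, and every sample line, address and mount entry are constructed assumptions.

```python
"""Added example: find 'wget' in decoded web-server query strings and check
that /tmp is mounted noexec. All sample data below is constructed."""
import re
from urllib.parse import unquote_plus, urlsplit

# Common/combined log format: client, timestamp, request line, status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# 'wget' as a standalone token, not part of a longer word such as 'wget-manual'.
WGET_TOKEN = re.compile(r"(?<![a-z0-9_-])wget(?![a-z0-9_-])")


def fully_decode(text, rounds=3):
    """Undo percent/plus encoding repeatedly so %2520 is also seen as a space."""
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_wget_requests(lines):
    """Return (client, status, decoded_query) for requests whose query mentions wget."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, _when, _method, target, status = m.groups()
        # Only the query string is inspected; a page named wget-manual.html is not a hit.
        query = fully_decode(urlsplit(target).query)
        if WGET_TOKEN.search(query.lower()):
            hits.append((client, int(status), query))
    return hits


def tmp_mount_options(mounts_text, mountpoint="/tmp"):
    """Return the option set of the last mount on mountpoint, or None if absent."""
    options = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            options = set(fields[3].split(","))  # later mounts override earlier ones
    return options


# Constructed access-log lines (documentation address ranges, placeholder URL).
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Nov/2005:14:02:11 +0000] "GET /cgi-bin/awstats.pl?configdir=x%20wget%20http://192.0.2.10/placeholder HTTP/1.0" 200 512',
    '198.51.100.8 - - [05/Nov/2005:14:03:40 +0000] "GET /cgi-bin/awstats.pl?configdir=x%2520wget%2520http://192.0.2.10/placeholder HTTP/1.0" 200 512',
    '198.51.100.9 - - [05/Nov/2005:14:05:02 +0000] "GET /cgi-bin/awstats.pl?configdir=x+WGET+http://192.0.2.10/placeholder HTTP/1.0" 404 210',
    '203.0.113.5 - - [05/Nov/2005:14:06:00 +0000] "GET /docs/wget-manual.html HTTP/1.1" 200 9000',
    '203.0.113.6 - - [05/Nov/2005:14:07:00 +0000] "GET /cgi-bin/awstats.pl?config=example.org HTTP/1.1" 200 4000',
]

# Constructed /proc/mounts content.
SAMPLE_MOUNTS = (
    "/dev/sda1 / ext3 rw,errors=remount-ro 0 0\n"
    "/dev/sda3 /tmp ext3 rw,nosuid,nodev,noexec 0 0\n"
)

if __name__ == "__main__":
    for client, status, query in find_wget_requests(SAMPLE_LOG):
        print(f"{client} status={status} query={query!r}")
    opts = tmp_mount_options(SAMPLE_MOUNTS)
    print("/tmp noexec:", opts is not None and "noexec" in opts)
```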


Re: [Clamav-users] Can not find clamd file

2005-10-28 Thread Bob Hutchinson
On Friday 28 Oct 2005 05:01, Donny Christiaan wrote:
 Dear Expert,

 I've downloaded clamav-0.87-1.i386.rpm and installed
 it on my Fedora Core 4.

look for clamav-server-0.87-1.fc4.x86_64 RPM



 I can not find clamd file? Is it wrong or not?
 There are only:
 /etc/freshclam.conf
 /usr/bin/clamav-config
 /usr/bin/clamdscan
 /usr/bin/clamscan
 /usr/bin/freshclam
 /usr/bin/sigtool

 I'm using Postfix on my system, how can I use ClamAV
 with Postfix?
 Should I use ClamSMTP ?

 Best Regards,
 Donny Christiaan.

-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] Can not find clamd file

2005-10-28 Thread Bob Hutchinson
On Friday 28 Oct 2005 10:21, Bob Hutchinson wrote:
 On Friday 28 Oct 2005 05:01, Donny Christiaan wrote:
  Dear Expert,
 
  I've downloaded clamav-0.87-1.i386.rpm and installed
  it on my Fedora Core 4.

 look for clamav-server-0.87-1.fc4.x86_64 RPM
or something similar, I googled for 'clamav-server'


  I can not find clamd file? Is it wrong or not?
  There are only:
  /etc/freshclam.conf
  /usr/bin/clamav-config
  /usr/bin/clamdscan
  /usr/bin/clamscan
  /usr/bin/freshclam
  /usr/bin/sigtool
 
  I'm using Postfix on my system, how can I use ClamAV
  with Postfix?
  Should I use ClamSMTP ?
 
  Best Regards,
  Donny Christiaan.

-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] Getting rid of an old install

2005-10-27 Thread Bob Hutchinson
On Thursday 27 Oct 2005 16:17, Dave Filchak wrote:
 Hi,

 Just want to verify that this is the correct way to do this: (Yes I know
 this has been discussed before but I can't find the exact info in the
 archives so was hoping someone would take pity on me;-)

 I seem to have an old install of ClamAV somewhere because I have
 installed the latest version but I am still receiving a warning from
 LogWatch in my morning email. It is:

WARNING: Local version: 0.86.2 Recommended version: 0.87: 2 Time(s)
WARNING: Your ClamAV installation is OUTDATED!: 4 Time(s)
DON'T PANIC! Read http://www.clamav.net/faq.html: 4 Time(s)
WARNING: Current functionality level = 5, recommended = 6: 2 Time(s)

 I have run the command locate clamav and have come up with the following:

 /usr/local/bin/clamav-config
 /usr/local/etc/clamav.conf
 /usr/local/etc/clamav.conf.101704
 /usr/local/include/clamav.h
 /usr/local/lib/libclamav.so.1.0.4
 /usr/local/lib/libclamav.so.1
 /usr/local/lib/libclamav.so
 /usr/local/lib/libclamav.la
 /usr/local/lib/libclamav.a
 /usr/local/lib/pkgconfig/libclamav.pc
 /usr/local/lib/libclamav.so.1.0.8
 /usr/local/lib/libclamav.so.1.0.12
 /usr/local/lib/libclamav.so.1.0.16
 /usr/local/share/clamav
 /usr/local/share/clamav/main.cvd
 /usr/local/share/clamav/daily.cvd
 /usr/local/share/clamav/clamav-adab5a7718754b5e
 /usr/local/share/clamav/clamav-e0c80242c1c5f276
 /usr/local/share/clamav/clamav-3a11f4732d664a86
 /usr/local/share/clamav/clamav-515588a02c94d8dc
 /usr/local/share/clamav/clamav-ccb9d4e36ec6a807
 /usr/local/share/clamav/clamav-c09bb90eb4c15d89
 /usr/local/share/clamav/clamav-27c109e8578c2b63
 /usr/local/man/man5/clamav.conf.5
 /usr/local/man/man8/clamav-milter.8
 /etc/log.d/conf/services/clamav-milter.conf
 /etc/log.d/conf/services/clamav.conf
 /etc/log.d/scripts/services/clamav-milter
 /etc/log.d/scripts/services/clamav

 I want to clean out any of the old stuff and re-install the latest version
 so I know what I have and get rid of the error. Should I just delete
 anything from /usr/local/lib to do with clamav? Any other suggestions?

This looks like a stock compile to me, backup the stuff in /usr/local/etc, 
unpack the tarball in /usr/local/src, cd into the clamav source tree, run
./configure
make
stop clamav and freshclam
make install
start clamav and freshclam

Check your logs for any problems. Shovel EICAR through it.
stuff gets installed in /usr/local/bin etc include share man lib, so check the 
datestamps to see what got upgraded, which should be everything except 
the .conf file in etc and the old .so files in lib. There should be a symlink 
to the latest .so, I just leave the old ones there.

You will probably find that you are still running on the old config files, so 
compare them with the new ones, there are some new config items in 0.87 
freshclam.conf

cd /usr/local
diff -u etc/clamav.conf src/clamav-0.87/etc/clamav.conf
diff -u etc/freshclam.conf src/clamav-0.87/etc/freshclam.conf

Then when you have the install sussed, script it so that next time you only 
need to change the version number in the script, upload the new tarball, run 
the script and your upgrade is done, 5 minutes max. 

HTH
-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] Version 0.87 installed, outdated message claims 0.86.2

2005-09-29 Thread Bob Hutchinson
On Thursday 29 Sep 2005 12:08, Don Levey wrote:
 [EMAIL PROTECTED] wrote:
  On 9/28/05, Don Levey [EMAIL PROTECTED] wrote:
  [EMAIL PROTECTED] wrote:
  And clamd -V reports what?
 
  That gives me 0.87, just like the others.
  I didn't kill (or restart) any of the clam processes when I
  upgraded, but previous upgrades stopped/started the processes as
  part of the installation (I install from RPM).  I only see freshclam
  as a running process; I run clamav-milter and sendmail, which
  otherwise has worked well for me.
 
  It is a bug in logwatch. If you do not logrotate daily then the
  logwatch scriptlet for clamav will flag that no matter how long in the
  past. I havent had time to try and find a fix.

 Ah, I see - so it's not really a problem with the versions per se.  When
 the logs rotate again, will it clear up?

have a look in /var/log/freshclam.log and see what it says there. If it is 
reporting 0.87 then all is well

The current version of logwatch (6.1.2) picks up freshclam fine, if you want 
to rotate freshclam.log try adding something like this to /etc/logrotate.d

# cat freshclam
/var/log/freshclam.log {
    daily
    missingok
    rotate 30
    compress
    delaycompress
    notifempty
    create 600 clamav root
    sharedscripts
    postrotate
        /etc/init.d/freshclamd restart
    endscript
}

also have a look in /var/log/messages, which is most likely where clamav is 
logging.

you could also set LogVerbose in clamd.conf and freshclam.conf and restart 
them both. Have a look at the logs afterwards, that should help you find out 
which version you are *really* running, or whether you have got a mixup in 
your install, which seems quite common when RPMs are used to install, if that 
is how you did it ;-|

Remember to switch off LogVerbose afterwards!

HTH
-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] pandasoftware distributing Sirius.Annihilator.272?

2005-09-10 Thread Bob Hutchinson
On Saturday 10 Sep 2005 19:47, Pablo Chamorro C. wrote:
 I managed to deploy squid + havp + clamav for antivirus control of web
 pages/files, and to my surprise this morning I found:

 10/09/2005 13:08:36 http://www.pandasoftware.com/activescan/as5free/motor.cab Virus: Sirius.Annihilator.272
 10/09/2005 13:09:22 http://www.pandasoftware.com/activescan/as5free/motor.cab Virus: Sirius.Annihilator.272
 10/09/2005 13:10:09 http://www.pandasoftware.com/activescan/as5free/motor.cab Virus: Sirius.Annihilator.272
 10/09/2005 13:15:06 http://www.pandasoftware.com/activescan/as5free/motor.cab Virus: Sirius.Annihilator.272

 Some comment?

It's clamav.

clamscan motor.cab
motor.cab: Sirius.Annihilator.272 FOUND

--- SCAN SUMMARY ---
Known viruses: 40177
Engine version: 0.86.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 2.41 MB
Time: 1.104 sec (0 m 1 s)

you might be able to get around this fp with --exclude='motor.cab' somewhere 
in your config


 Thanks,

 Pablo

-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] Help On 'notifyempty' -- ignoring line

2005-09-04 Thread Bob Hutchinson
On Sunday 04 Sep 2005 11:54, [EMAIL PROTECTED] wrote:
 Hi,

 I'm not an experienced linux user, and I have now installed clamav with
 mailscanner on a CC Gateway server v.3.1

 Every day i get the following error from cron

 'notifyempty' -- ignoring line

This is OT, but

probably from /etc/logrotate.d
should be 'notifempty'

grep  'notifyempty' /etc/logrotate.d/*
should tell you which file

man logrotate
for more info on how to set up logrotate

HTH
-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] Re: clamav-users Digest, Vol 10, Issue 26

2005-07-29 Thread Bob Hutchinson
On Friday 29 Jul 2005 21:29, Dawson wrote:
 My problem is probably very simple for all the
 experts out there but has stumped me

 my freshclam.log is in /var/log

 I set the ownership to clamav

 It gets reset to root and then prevents the
 program from running.  You can see what happens:

is logrotate changing it?

this is the script I use, in /etc/logrotate.d

/var/log/freshclam.log {
    weekly
    rotate 4
    compress
    delaycompress
    create 0600 clamav root
    postrotate
        /etc/init.d/freshclamd restart
    endscript
}

make sure that the restart is stop then start, -HUP causes the old, now 
rotated log to continue to be written to, at least it does on my system 8-|



-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] v0.86.2 'OUTDATED' version check INCORRECT ... reports as OLDER than v0.86.1

2005-07-26 Thread Bob Hutchinson
On Monday 25 Jul 2005 04:38, OpenMacNews wrote:
 hi luca,

 per your a0.86.2 announcement, i just ul'd  installed v0.86.2 on OSX
 10.4.2; i had previously been running v0.86.1.

 after install, a 'freshclam' results in:

 ClamAV update process started at Sun Jul 24 19:38:48 2005
 WARNING: Your ClamAV installation is OUTDATED!
 WARNING: Local version: 0.86.2 Recommended version: 0.86.1
 DON'T PANIC! Read http://www.clamav.net/faq.html

 which, of course, is 'backwards' ...

I have found that stopping freshclam and then starting it picks up the new 
version. -HUPing does not appear to do the trick, same goes for log rotation.

I have also renamed /etc/init.d/freshclam to /etc/init.d/freshclamd, as 
killall was also trying to kill the  /etc/init.d/freshclam. Weird but 
understandable.

Here is a modified version of the freshclam control script:
(restartquiet is for logrotation, stops spurious cron emails)

#!/bin/sh

# /etc/init.d/freshclamd
# Control script for the freshclam daemon installed under /usr/local.

COMMAND="$1"

if [ "$COMMAND" = "start" ] ; then
    echo -n "Starting freshclam daemon ... "
    /usr/local/bin/freshclam -d
    echo " done."
    exit
elif [ "$COMMAND" = "stop" ] ; then
    echo -n "Stopping freshclam daemon ... "
    killall -TERM freshclam
    echo " done."
    exit
elif [ "$COMMAND" = "reload" ] ; then
    # -HUP only; does not pick up a newly installed binary
    echo -n "Restarting freshclam daemon ... "
    killall -HUP freshclam
    echo " done"
elif [ "$COMMAND" = "restart" ] ; then
    # full stop, pause, then start
    echo -n "Stopping freshclam daemon ... "
    killall -TERM freshclam
    echo " done."
    sleep 5
    echo -n "Starting freshclam daemon ... "
    /usr/local/bin/freshclam -d
    echo " done."
elif [ "$COMMAND" = "restartquiet" ] ; then
    # same as restart but silent, for use from logrotate
    killall -TERM freshclam
    sleep 5
    /usr/local/bin/freshclam -d
else
    echo "usage: $0 start|stop|restart|reload"
    exit
fi


HTH
-- 
-
Bob Hutchinson
Midwales dot com
-
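
Two points from the posts above, the trailing space that upset a log parser and the warning that reported 0.86.2 as older than 0.86.1, shown together in an added example that is not part of the original posts or of Logwatch. It assumes syslog-style lines; the syslog prefix, host name and function names are constructed.

```python
"""Added example: parse freshclam syslog lines, tolerating trailing whitespace,
and classify the version warning. Sample lines are constructed."""
import re

# Optional syslog prefix, e.g. "Jul 24 19:38:48 mail freshclam[2041]: "
SYSLOG_PREFIX = re.compile(
    r"^[A-Z][a-z]{2}\s+\d+\s[\d:]{8}\s\S+\sfreshclam(?:\[\d+\])?:\s")
STARTED = re.compile(r"^ClamAV update process started at (.+)$")
VERSIONS = re.compile(r"^WARNING: Local version: (\S+) Recommended version: (\S+)$")
UP_TO_DATE = re.compile(r"^(\w+\.cvd) is up to date \(version: (\d+),")


def version_key(text):
    """'0.86.2' -> (0, 86, 2) so versions compare numerically, not as strings."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def parse_line(line):
    """Return (kind, data) for a recognised freshclam message, else None."""
    # strip() drops the trailing space or newline that breaks anchored patterns.
    msg = SYSLOG_PREFIX.sub("", line, count=1).strip()
    m = STARTED.match(msg)
    if m:
        return ("started", m.group(1))
    m = VERSIONS.match(msg)
    if m:
        return ("versions", (m.group(1), m.group(2)))
    m = UP_TO_DATE.match(msg)
    if m:
        return ("db", (m.group(1), int(m.group(2))))
    return None


def summarize(lines):
    """Count update runs, record database versions, classify the version warning."""
    summary = {"runs": 0, "databases": {}, "version_state": None}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, data = parsed
        if kind == "started":
            summary["runs"] += 1
        elif kind == "db":
            summary["databases"][data[0]] = data[1]
        else:
            local, recommended = (version_key(v) for v in data)
            # A warning where local >= recommended contradicts itself.
            summary["version_state"] = (
                "outdated" if local < recommended else "warning-contradicts-versions")
    return summary


# Constructed syslog lines; the first ends in a space, the third in a newline.
SAMPLE = [
    "Jul 24 19:38:48 mail freshclam[2041]: ClamAV update process started at Sun Jul 24 19:38:48 2005 ",
    "Jul 24 19:38:48 mail freshclam[2041]: WARNING: Your ClamAV installation is OUTDATED!",
    "Jul 24 19:38:48 mail freshclam[2041]: WARNING: Local version: 0.86.2 Recommended version: 0.86.1\n",
    "Jul 24 19:38:49 mail freshclam[2041]: main.cvd is up to date (version: 34, sigs: 39625, f-level: 5, builder: tkojm)",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```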


Re: [Clamav-users] protection

2005-07-26 Thread Bob Hutchinson
On Tuesday 26 Jul 2005 16:43, Ken Jones wrote:
 On Tue, July 26, 2005 10:35, Bob Hutchinson wrote:
  On Tuesday 26 Jul 2005 13:03, Daniel J McDonald wrote:
  On Tue, 2005-07-26 at 15:55 +0400, Mad Unix wrote:
  How can I make sure that my clamav protection working correctly ?
 
  http://www.webmail.us/testvirus
 
 
  That sends 30 or so variations on the eicar virus to your mail system.
  There are two or three that should pass (I think it's 17 and 18, but it
  has been a while).  If any others make it through, you've done something
  wrong.
 
  Just tried this, using clamav v 0.86.2, daily cvd v 993
  It let test No 27 through, but nothing else

 I just went to the site (Tuesday morning, 11:30am eastern) and there are
 tests 1-26, but NO 27 .. What is test 27 that it let through ?

hmmm how odd, they sent me 3 emails for each test I did, one for clamav and 
one for Kaspersky

Here is the body of the first one:

begin 600 eicar.com
<snip>removed this, my virus scanner stops it</snip>
end

This message was sent to you because you or someone you know is testing your 
mail server's virus scanner at:  http://www.webmail.us/testvirus

This test message contains:

Test #27: Eicar virus within a ZIP file that has been manipulated to evade 
detection by some anti-virus software by changing the uncompressed size to 
zero within the ZIP file headers.

If your mail server's virus scanner did not detect this email, it allows some 
viruses through!  Please note: This test message uses the EICAR test virus, 
which is completely benign and contains no viral code.  For more information 
see:  http://www.eicar.org


This free test has been provided to you by Webmail.us.



  While I was at it, I tested Kaspersky AV against the same tests and it let
  No 27 through too.
 
 
  GPL is doing just fine here :-)
 
 
  --
  -
  Bob Hutchinson
  Midwales dot com
  -

-- 
-
Bob Hutchinson
Midwales dot com
-
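
The header manipulation named in Test #27 above (uncompressed size set to zero) can be checked for on the receiving side by comparing each declared size with what the member actually inflates to. The following is an added example, not part of the original post or of ClamAV; the function names, the inflate cap and the benign sample archive are constructed assumptions.

```python
"""Added example: flag ZIP members whose declared uncompressed size disagrees
with what the data really inflates to. The sample archive is constructed."""
import io
import struct
import zipfile
import zlib

EOCD_SIG = b"PK\x05\x06"          # end-of-central-directory record
MAX_INFLATE = 16 * 1024 * 1024    # cap on bytes inflated per member (assumed limit)


def _actual_size(raw, method):
    """Return the real uncompressed length, or None if the method is unsupported."""
    if method == 0:               # stored
        return len(raw)
    if method == 8:               # raw deflate stream, no zlib header
        return len(zlib.decompressobj(-15).decompress(raw, MAX_INFLATE))
    return None


def audit_zip(data):
    """Return (name, header, declared, actual) for every size field that is wrong."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    total, _cd_size, pos = struct.unpack_from("<H2L", data, eocd + 10)
    findings = []
    for _ in range(total):
        (sig, _, _, _, method, _, _, _, csize, c_usize,
         fnlen, xlen, clen, _, _, _, loc_off) = struct.unpack_from(
            "<4s6H3L5H2L", data, pos)
        if sig != b"PK\x01\x02":
            raise ValueError("bad central directory entry")
        name = data[pos + 46:pos + 46 + fnlen].decode("cp437", "replace")
        pos += 46 + fnlen + xlen + clen

        (lsig, _, lflags, _, _, _, _, _, l_usize,
         lfnlen, lxlen) = struct.unpack_from("<4s5H3L2H", data, loc_off)
        if lsig != b"PK\x03\x04":
            raise ValueError("bad local file header")
        start = loc_off + 30 + lfnlen + lxlen
        actual = _actual_size(data[start:start + csize], method)
        if actual is None:
            continue
        if c_usize != actual:
            findings.append((name, "central", c_usize, actual))
        # Flag bit 3 means the sizes legitimately live in a trailing data descriptor.
        if not lflags & 0x08 and l_usize != actual:
            findings.append((name, "local", l_usize, actual))
    return findings


def constructed_samples():
    """Build a clean archive and a copy with both size fields zeroed (benign text)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("note.txt", b"benign constructed payload\n" * 8)
    clean = buf.getvalue()
    altered = bytearray(clean)
    cd_off = struct.unpack_from("<L", clean, clean.rfind(EOCD_SIG) + 16)[0]
    struct.pack_into("<L", altered, 22, 0)           # local header size field
    struct.pack_into("<L", altered, cd_off + 24, 0)  # central directory size field
    return clean, bytes(altered)


if __name__ == "__main__":
    clean, altered = constructed_samples()
    print("clean:  ", audit_zip(clean))
    print("altered:", audit_zip(altered))
```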


Re: [Clamav-users] Re: javascript virus

2005-05-31 Thread Bob Hutchinson
On Tuesday 31 May 2005 15:46, Jim Popovitch wrote:
 On Tue, 2005-05-31 at 09:08 -0500, René Berber wrote:
  Don't do this!  Any wannabe-virus-builder-kid will want to get a hand on
  samples like this.

 Well, if they don't have it by now then they aren't educated enough to
 get it now.  It doesn't make it truly newsworthy just because this is
 the first time that you have seen it.  Besides, how do you know what I
 am doing with the access_log data?

  Submit your sample to:
 
 http://cgi.clamav.net/sendvirus.cgi

 I did.  Never heard a thing... .thus my post here.

I downloaded your zip file, neither clamscan nor clamdscan found anything, 
either before or after I unzipped it
I set it up on a linux devbox and pointed firefox running under debian at it 
and the javascript console told me it had failed to run, nor were there any 
files created. Perhaps MSIE will let the jscript run, I cannot test that, no 
winboxes here, and I'm not about to try either.


HTH

-- 
-
Bob Hutchinson
Midwales dot com
-


Re: [Clamav-users] Re: Freshclam and Cron

2005-02-23 Thread Bob Hutchinson
On Wednesday 23 Feb 2005 06:49, Rob MacGregor wrote:
 On Wed, 23 Feb 2005 00:49:20 +, Bob Hutchinson

 [EMAIL PROTECTED] wrote:
  That is a good reason, and true too, I have found the freshclam daemon
  not functioning on one occasion, so now I cron it. Another reason is to
  spread the load by setting it to cron at odd times, it must help the
  clamav server.

 However, with freshclam's DNS support, you're not gaining much as
 it'll only connect to the server when either the DNS record is
 horribly out of date, or it indicates a new update is available.

Ah, so that's what that is about, good scheme ;-)


-- 
-
Bob Hutchinson
Midwales dot com
-
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Re: Freshclam and Cron

2005-02-22 Thread Bob Hutchinson
On Tuesday 22 Feb 2005 23:14, René Berber wrote:
 Dale Walsh wrote:
 [snip]

  I can't understand why everyone runs this through cron when it doesn't
  eat much memory or cpu cycles when run as a daemon?

 If freshclam fails as a daemon you would not know it.  If it fails as a
 cron job, then cron will let you know something is wrong.

That is a good reason, and true too, I have found the freshclam daemon not 
functioning on one occasion, so now I cron it. Another reason is to spread 
the load by setting it to cron at odd times, it must help the clamav server.


 Of course freshclam doesn't fail so this is only useful for user errors
 (like a bad path or permissions, etc.)

 Besides, setting it up as a daemon needs more work, I would add it to
 the init.d/clamd script but that's my choice and is not there to make it
 easy.  Yes, sometimes I'm lazy, adding it to cron takes 10 sec, adding
 it to the script probably takes 30 sec.

 Just my opinion.

-- 
-
Bob Hutchinson
Midwales dot com
-
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Unable to install clamav from source or ports on openBSD 3.6

2005-02-16 Thread Bob Hutchinson
On Wednesday 16 Feb 2005 06:07, Joseph Filla wrote:
 I'm running openBSD 3.6 and cannot for the life of me
 install clamav. I've tried the ports (via cvsup) but
 run into gmp install errors (I can't figure that out)
 so I've moved to compiling from source. I've tried to
 compile .82 and .83 and after running 'configure' I
 try running make.

Check the output of ./configure, look for 'error'

I just tried running ./configure on an openbsd box:
configure: error: The installed zlib version may contain a security bug. 
Please upgrade to 1.2.2 or later: http://www.zlib.net. You can omit this 
check with --disable-zlib-vcheck but DO NOT REPORT any stablility issues 
then!

wget http://www.zlib.net/zlib-1.2.2.tar.gz

find out where the existing zlib stuff is installed before installing the 
above and make sure it is removed or overwritten by the new one

locate zlib


 However I get a make: no target to make.

./configure did not finish, so no makefile

keep trying ;-)

-- 
-
Bob Hutchinson
Midwales dot com
-
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: AW: [Clamav-users] Re: not updating clam

2005-02-15 Thread Bob Hutchinson
On Tuesday 15 Feb 2005 13:54, akshat wrote:
 Why not possible, earlier it was updated
 automatically. An entry is made in
 crontab.

Only the virus definitions are updated, not the program itself
e.g. from freshclam.log

Received signal 14, wake up
ClamAV update process started at Tue Feb 15 09:19:14 2005
WARNING: Your ClamAV installation is OUTDATED - please update immediately!
WARNING: Local version: 0.82 Recommended version: 0.83
main.cvd is up to date (version: 29, sigs: 29086, f-level: 3, builder: tomek)
daily.cvd is up to date (version: 706, sigs: 1767, f-level: 4, builder: ccordes)
--
Received signal 15, terminating 
#(this is me shutting down clamd and freshclam, compile new clamav, restart)
--
freshclam daemon 0.83 (OS: linux-gnu, ARCH: i386, CPU: i686)
ClamAV update process started at Tue Feb 15 12:08:06 2005
main.cvd is up to date (version: 29, sigs: 29086, f-level: 3, builder: tomek)
daily.cvd is up to date (version: 706, sigs: 1767, f-level: 4, builder: ccordes)
--

done.
If you stick to the same method, e.g. compile from source, then it will just 
replace old binaries with new ones. No need to uninstall first, this is only 
necessary if you are messing with different sources, precompiled RPM etc.

Your .conf files will remain untouched

write a script install_clamav and put your commands in there, then next time 
you only have to edit the version number.


-- 
-
Bob Hutchinson
Midwales dot com
-
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Re: not updating clam

2005-02-15 Thread Bob Hutchinson
On Tuesday 15 Feb 2005 14:29, Brian Morrison wrote:
 On Tue, 15 Feb 2005 14:20:11 + in
 [EMAIL PROTECTED] Bob Hutchinson [EMAIL PROTECTED] wrote:
  if you stick to the same method eg compile from source then it will
  just replace old binaries with new ones. No need to uninstall first,
  this is only necessary if you are messing with different sources,
  precompiled RPM etc
 
  Your .conf files will remain untouched

 Well of course if you use rpm spec files that are properly written then
 the same is true of rpm updates. Never had any trouble with the Crash
 Hat rpms that Petr Kristof makes available

Good to hear it ;-)


-- 
-
Bob Hutchinson
Midwales dot com
-
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


[Clamav-users] pop toaster update

2005-02-03 Thread Bob Hutchinson
The pop toaster at http://shupp.org/toaster/ now supports clamav-0.81
This includes patches for daemontools multilog support.
This implementation uses simscan from inter7.com

Enjoy
-- 
-
Bob Hutchinson
Midwales dot com
-
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Sending mail when virus is found

2005-02-03 Thread Bob Hutchinson
On Thursday 03 Feb 2005 22:24, Olaf wrote:
 Rob MacGregor schrieb:
  Well, first off, given that most email borne viruses forge the sender
  address, sending a "we blocked a virus from you" email is antisocial.

 This is true, no question about it. But I am also interested in a how
 to write email notification scripts. At my site, I would like to inform
 the recipient that a virus had been blocked, including sender address,
 date, time and the name of the virus.

We stopped notifying customers some time ago, they get confused, hassle you 
because they think that you have infected their machine, and once you explain 
to them, sometimes repeatedly that it was information only they get bored and 
complain some more. We now do a monthly report, pulled from the logs for 
those who ask for it, mostly IT admins.
IMHO of course

The likelihood of the dirty email coming from someone they know is virtually 
nil, unlike 3-4 years ago when most infected mail came from a known user. No 
more. This is organized crime creating a web of zombies, and they are getting 
smarter, bulk emailing in small batches to different servers so as not to 
disturb firewall triggers or tarpits, using dictionaries, and not always 
American ones either. RBL percentages are dropping, even though known zombies 
are now being listed, it's a constant battle.

My two bits worth

-- 
-
Bob Hutchinson
Midwales dot com
-
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] ERROR: Can't query current.cvd.clamav.net

2005-01-31 Thread Bob Hutchinson
On Saturday 29 Jan 2005 16:34, aikempshall wrote:
 Hi

 Got problems with freshclam since upgrading to 0.81. This is the before
 and after of my /var/log/clamav-update

 --
 ClamAV update process started at Fri Jan 28 19:53:36 2005
 main.cvd is up to date (version: 29, sigs: 29086, f-level: 3, builder: tomek)
 daily.cvd is up to date (version: 690, sigs: 802, f-level: 4, builder: trog)
 WARNING: Your ClamAV installation is OUTDATED - please update immediately!
 WARNING: Current functionality level = 3, required = 4
 --
 ClamAV update process started at Sat Jan 29 09:57:35 2005
 ERROR: Can't query current.cvd.clamav.net
 WARNING: Invalid DNS reply. Falling back to HTTP mode.
 main.cvd is up to date (version: 29, sigs: 29086, f-level: 3, builder: tomek)
 daily.cvd is up to date (version: 685, sigs: 727, f-level: 3, builder: diego)
 --

 I'm getting ERROR: Can't query current.cvd.clamav.net. I suspect it's my
 SpeedTouch Alcatel 510 Modem DNS Server that's causing the problems as
 when I tried through a dialup modem I didn't get the problem. Just need
 some pointers.

 I've looked in FAQ at the closest approximate solution/suggestion which was

 FAQ 6

 *I can't resolve current.cvd.clamav.net! Is there a problem with your/my
 DNS servers?*


 [EMAIL PROTECTED]:/var/log# host -t txt current.cvd.clamav.net
 Host current.cvd.clamav.net not found: 4(NOTIMP)

Install djbdns, read up on dnscache
http://cr.yp.to/djbdns.html

-- 
-
Bob Hutchinson
Midwales dot com
-
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
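
The freshclam log lines quoted in the two messages above ("not updating clam" and "Can't query current.cvd.clamav.net") can be checked mechanically. This is an added example, not code from the list or from the ClamAV project: the sample merges and unwraps the quoted lines into one constructed log, and `parse_runs`, `report` and the 24-hour threshold are assumptions. It reports warnings and errors per run, a database version lower than one seen earlier, and a log with no recent run (the silent daemon failure discussed in the "Freshclam and Cron" thread).

```python
import re
from datetime import datetime, timedelta

# Constructed sample: log lines quoted in the two messages, unwrapped and merged.
SAMPLE = """\
ClamAV update process started at Fri Jan 28 19:53:36 2005
daily.cvd is up to date (version: 690, sigs: 802, f-level: 4, builder: trog)
WARNING: Your ClamAV installation is OUTDATED - please update immediately!
WARNING: Current functionality level = 3, required = 4
ClamAV update process started at Sat Jan 29 09:57:35 2005
ERROR: Can't query current.cvd.clamav.net
WARNING: Invalid DNS reply. Falling back to HTTP mode.
daily.cvd is up to date (version: 685, sigs: 727, f-level: 3, builder: diego)
ClamAV update process started at Tue Feb 15 09:19:14 2005
WARNING: Your ClamAV installation is OUTDATED - please update immediately!
WARNING: Local version: 0.82 Recommended version: 0.83
daily.cvd is up to date (version: 706, sigs: 1767, f-level: 4, builder: ccordes)
"""

START = re.compile(r"^ClamAV update process started at (.+)$")
DB = re.compile(r"^(\w+)\.cvd .*\(version: (\d+),")

def parse_runs(text):
    """Split a freshclam log into update runs with their db versions and issues."""
    runs = []
    for line in text.splitlines():
        if m := START.match(line):
            when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            runs.append({"started": when, "db": {}, "issues": []})
        elif runs and (m := DB.match(line)):
            runs[-1]["db"][m.group(1)] = int(m.group(2))
        elif runs and line.startswith(("ERROR:", "WARNING:")):
            runs[-1]["issues"].append(line)
    return runs

def report(runs, now, max_age=timedelta(hours=24)):
    """Findings: per-run issues, database version regressions, stale updates."""
    out, prev = [], {}
    for r in runs:
        day = r["started"].strftime("%Y-%m-%d")
        out += [f"{day}: {issue}" for issue in r["issues"]]
        for name, v in r["db"].items():
            if v < prev.get(name, 0):
                out.append(f"{day}: {name}.cvd went back {prev[name]} -> {v}")
            prev[name] = v
    if not runs or now - runs[-1]["started"] > max_age:
        out.append("no update run within max_age: is freshclam still running?")
    return out
```

Run from cron against the real log path, a non-empty `report(...)` result is what gets mailed to the administrator.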


Re: [Clamav-users] libclamav problems

2005-01-25 Thread Bob Hutchinson
On Tuesday 25 Jan 2005 14:21, [EMAIL PROTECTED] wrote:
 I am running Debian woody and had clam-0.80 working fine. I tried
 installing SquidClamAV_Redirector which required libclamav.

 I downloaded libclamav1 from Debian, installed it and now I get this:

 /usr/bin/freshclam: error while loading shared libraries: libgmp.so.3:
 cannot open shared object file: No such file or directory

 libgmp.so.3 is on my system, any help is greatly appreciated.

ensure that the path to it is in /etc/ld.so.conf, if it is not, add it and run 
ldconfig


-- 
-
Bob Hutchinson
Midwales dot com
-
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] ClamAV Install

2005-01-24 Thread Bob Hutchinson
On Monday 24 Jan 2005 16:49, Mal Herring wrote:
  You also need to remove the old library files that were
  installed with the older version of ClamAV before you do a
  'fresh' install. This is why your freshclam shows that it is outdated.
 
  I had the same problem and it took me several install and
  un-installs before I figured it out. I had initially just
  installed the new version without first un-installing the
  old. I'll never do that again :)

 Being a little unsure - could you tell me the steps I need to take to
 remove the libs ?

try

locate libclamav.

or if you don't have that

find / -name 'libclamav.*'

likely in /usr/lib or /usr/local/lib


 Thanks muchly.

-- 
-
Bob Hutchinson
Midwales dot com
-
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users]

2005-01-19 Thread Bob Hutchinson
On Wednesday 19 Jan 2005 10:27, Shaun Bugler wrote:
 We had a problem a while back of certain zip files failing to be scanned by
 clam. This was apparently fixed (zzip-file.c) but now we want to test this
 on our machines.

http://www.eicar.org/anti_virus_test_file.htm


 We unfortunately don't have a zip file that caused the problems anymore. I
 am unable to generate such a file with winrar,winzip,pkzip etc so I was
 wondering if anyone could point me to an application that can make these
 zip files or how to create one with the zip program above.

 Thanks,
 Shaun Bugler


-- 
-
Bob Hutchinson
Midwales dot com
-
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] clamd - simscan -qmail-ldap nothing happeing

2005-01-19 Thread Bob Hutchinson
On Tuesday 18 Jan 2005 01:49, Stewart Walker wrote:
 /var/src/clamav-0.80_done/contrib/init/RedHat/clamd

This is a script used to set up autostart. How it is implemented depends on 
which distro, any good book on linux will tell you how to do that, but to get 
you started try putting it in /etc/init.d or /etc/rc.d/init.d and make it 
executable and run it. If you are on redhat,

man chkconfig


 Is this something that needs to be run?

 I'm running qmail-ldap and expected simscan to call
 clamd for each email msg received..

 Nothing is happening as far as I can see in the log files
 and email headers.

 Thought I'd seen all of the doc's but maybe I'm missing
 something..

 wouldn't be the first time.

 Any help is greatly appreciated.



-- 
-
Bob Hutchinson
Midwales dot com
-
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] zip 2.1 example needed

2005-01-19 Thread Bob Hutchinson
On Wednesday 19 Jan 2005 13:18, Shaun Bugler wrote:
 - Original Message -
 From: Bob Hutchinson [EMAIL PROTECTED]
 To: clamav-users@lists.clamav.net
 Sent: Wednesday, January 19, 2005 2:53 PM
 Subject: Re: [Clamav-users]

  On Wednesday 19 Jan 2005 10:27, Shaun Bugler wrote:
   We had a problem a while back of certain zip files failing to be
   scanned by clam. This was apparently fixed (zzip-file.c) but now we
   want to test this on our machines.
 
  http://www.eicar.org/anti_virus_test_file.htm

 These files use zip version 1.0. The problem zip file used zip version 2.1.
 I have been able to make version 1.0, 2.0 etc just not 2.1 and this version
 doesn't seem to be used anymore... (only extract, not create).

Oh dear, I don't know much about winzip, you might have to buy it ;-(


   We unfortunately don't have a zip file that caused the problems
   anymore. I am unable to generate such a file with winrar,winzip,pkzip
   etc so I was wondering if anyone could point me to an application that
   can make these zip files or how to create one with the zip program above.
  
   Thanks,
   Shaun Bugler
  

-- 
-
Bob Hutchinson
Midwales dot com
-
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
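
The thread above turns on which zip version a test archive declares (1.0, 2.0 or 2.1). As an added example, not part of the original posts, this reads the "version needed to extract" field from each entry's local header and from the central directory, so a test corpus can be checked before it is fed to the scanner. The function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"  # local file header signature

def fmt(raw):
    """Version fields hold major*10 + minor in the low byte: 21 -> '2.1'."""
    return f"{(raw & 0xFF) // 10}.{(raw & 0xFF) % 10}"

def declared_versions(data):
    """Per entry: (name, local 'needed', central 'needed', central 'made by')."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # The local header sits at header_offset: 4-byte signature, then
            # the 2-byte little-endian "version needed to extract" field.
            sig, needed = struct.unpack_from("<4sH", data, info.header_offset)
            if sig != LOCAL_SIG:
                raise ValueError(f"no local header for {info.filename!r}")
            rows.append((info.filename, fmt(needed),
                         fmt(info.extract_version), fmt(info.create_version)))
    return rows

def entries_declaring(data, version):
    """Names of entries whose local or central header declares `version`."""
    return [n for n, loc, cen, _ in declared_versions(data) if version in (loc, cen)]

def build_sample():
    """Constructed sample archive with one harmless text entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.txt", "constructed test content")
    return buf.getvalue()

if __name__ == "__main__":
    for row in declared_versions(build_sample()):
        print(row)
```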