[Clamav-users] [sanesecurity] clamd now crashes

2009-03-02 Thread Chambers, Phil
Having used clamd for several years without it ever crashing, I am now faced 
with it crashing quite often.  This follows me setting up the new sanesecurity 
system!

I used the old system, before that was stopped, without any problems (I am 
using 0.94.2).

I have written a simple perl script to monitor clamd and re-start it if it 
crashes because the Sanesecurity signatures are too useful to drop.

The symptoms are quite strange.  I am running the fetchsanesigs and freshclam 
utilities under cron (at different times) and both generally work fine.  
However, sometimes clamd crashes when freshclam or fetchsanesigs tells clamd to 
reload.  clamd.log shows the 'Reading databases ...' message, but no more.  
clamd restarts without a problem every time it is restarted.

So, it does not look as if there is anything obviously wrong with the 
Sanesecurity signatures because clamd is happy to load them when it starts.  
fetchsanesigs uses the USR2 signal, while freshclam connects to the clamd 
socket to request the reload.  Both can cause the crash.

It would be nice to be able to log each signature file as it is being loaded, 
but that does not appear to be simple.  It did not work when I put a call to 
logg() in cli_load() (in readdb.c).

Can anyone give me a patch so that I can make clamd log each signature file as 
it loads it?  That way I could see if it is always the same file which is being 
loaded when the crash occurs.

Help in diagnosing this would be much appreciated.

Regards,

Phil.

Phil Chambers
Postmaster
University of Exeter
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-11 Thread Chambers, Phil
 
 -Original Message-
 
 There are some big names that play badly with greylisting. They play
 badly with greet-pause, too. A problem I've seen with greylisting is the
 round-robin MTA pool. Each is told in turn to come back later and if the
 pool is large it can take a long time to cycle through all of them. You
 have to be careful how you screen the addresses.
 
 dp

The greylisting scheme I have implemented works at the DATA phase.  It
uses the sender IP address (top 24 bits only), the sender e-mail address
and header date field to form the key for the message.  Once a message
has passed the greylist test the original sender IP address (full 32
bits) is placed in a whitelist.

So, a particular server only needs to demonstrate once that it re-tries
and will then be let through in future.  By using the top 24 bits of the
IP address in the key I hope to cope with a message being re-tried by a
different MTA.  I have not encountered such a problem yet.

I have had a couple of instances where there was a problem because
people had written their own code on web servers.  They did not re-send
the same message, but re-generated it when re-trying and so gave it a
new date header.  In both cases they modified their code when I
explained the problem.

Phil.

Phil Chambers
Postmaster
University of Exeter

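The greylist Phil describes above, written out as an added example (this is not his code, which he does not post): the key is the sender's /24, the envelope sender and the Date: header, and once a retry is seen the full 32-bit address of the retrying host is whitelisted. The minimum retry delay, the injectable clock and the choice of whitelisting the retrying host's address (rather than the first attempt's) are assumptions of this example; the sample addresses and senders are constructed.

```python
import ipaddress
import time

class Greylist:
    """DATA-phase greylist keyed on (sender /24, envelope sender, Date: header).

    Added example, not the poster's implementation.  A host that is seen to
    retry the same key after min_delay seconds is whitelisted by its full
    address (assumption: the retrying host, not the first one) and is never
    greylisted again.
    """

    def __init__(self, min_delay=300, clock=None):
        self.min_delay = min_delay      # seconds a sender must wait before a retry counts
        self.clock = clock              # injectable time source; None means time.time()
        self.pending = {}               # key -> timestamp of the first attempt
        self.whitelist = set()          # full IPv4 addresses that have proved they retry

    def _now(self):
        return self.clock() if self.clock else time.time()

    @staticmethod
    def make_key(ip, sender, date_header):
        # Only the top 24 bits of the IP, so a retry from a sibling MTA in the
        # same /24 (a round-robin pool) still hits the same key.
        net = ipaddress.IPv4Network("%s/24" % ipaddress.IPv4Address(ip), strict=False)
        return (str(net), sender.strip().lower(), " ".join(date_header.split()))

    def check(self, ip, sender, date_header):
        """Return 'accept' or 'defer' (the MTA would answer 451 on 'defer')."""
        ip = str(ipaddress.IPv4Address(ip))
        if ip in self.whitelist:
            return "accept"
        key = self.make_key(ip, sender, date_header)
        now = self._now()
        first_seen = self.pending.get(key)
        if first_seen is None:
            self.pending[key] = now     # first sight of this message: ask for a retry
            return "defer"
        if now - first_seen < self.min_delay:
            return "defer"              # retried too soon, keep waiting
        self.whitelist.add(ip)          # this host retries properly: let it through from now on
        del self.pending[key]
        return "accept"

def demo():
    """Walk through the cases the post mentions with a constructed clock."""
    t = [1000.0]
    gl = Greylist(min_delay=300, clock=lambda: t[0])
    date1 = "Mon, 11 Aug 2008 10:00:00 +0100"
    out = []
    out.append(gl.check("192.0.2.10", "bob@example.org", date1))      # first attempt: defer
    t[0] += 400
    # Retry from a sibling MTA in the same /24: same key, so it is accepted
    # and 192.0.2.11 goes on the whitelist.
    out.append(gl.check("192.0.2.11", "bob@example.org", date1))
    # Anything later from 192.0.2.11 passes on the whitelist alone.
    out.append(gl.check("192.0.2.11", "alice@example.org", "Mon, 11 Aug 2008 11:00:00 +0100"))
    # The home-grown web-server case: the "retry" is a regenerated message
    # with a fresh Date: header, so the key never repeats and it stays deferred.
    out.append(gl.check("198.51.100.5", "web@example.net", "Mon, 11 Aug 2008 12:00:00 +0100"))
    t[0] += 400
    out.append(gl.check("198.51.100.5", "web@example.net", "Mon, 11 Aug 2008 12:06:40 +0100"))
    return out

if __name__ == "__main__":
    print(demo())
```

The last two calls show why the regenerated-message senders never got through: each attempt carries a different Date: header, so each one is a new key with its own waiting period.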


Re: [Clamav-users] Clamav phishing sigs

2008-08-08 Thread Chambers, Phil
Take a look at

  http://iserv.rs-hilter.de/doc/clamav-0.91.2/signatures.pdf

Which I found very useful for exactly this situation.

Phil.

Phil Chambers
Postmaster
University of Exeter


Re: [Clamav-users] Clamav phishing sigs

2008-08-08 Thread Chambers, Phil

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Darren G Pifer
 Sent: Fri 08 August 2008 15:09
 To: ClamAV users ML
 Subject: Re: [Clamav-users] Clamav phishing sigs
 
 Chambers, Phil wrote:
  Take a look at
 
http://iserv.rs-hilter.de/doc/clamav-0.91.2/signatures.pdf

 I have seen this document but it does not show how to add 
 signatures to a database OR for clamd to detect the phishing 
 e-mail.  I was able to create the signature (a .hbd file) and 
 clamscan detects the phishing but clamd does not.  Maybe I am 
 missing something.
 
 Darren
 ODU

It appears that you need to wait until clamd sees that the signature
files in the database directory have changed.  I think the default is
for clamd to check every 3 hours.  It will also check if freshclam
downloads updates because freshclam tells clamd to check.

What I have done is to lift the bit of code from freshclam which
notifies clamd and put it into a script called clamdreload.pl.  If I put
a new signature in my local list I then run that script to make clamd
read it.

You should see the reload in the clamd log.

Phil.

Phil Chambers
Postmaster
University of Exeter
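Phil does not post his clamdreload.pl, so here is an added example of the same idea in Python (not his script, and not freshclam's own code): read LocalSocket, TCPSocket and TCPAddr from clamd.conf, connect to clamd, send the RELOAD command and check that clamd answers RELOADING. Preferring the local socket when both are configured, and the sample clamd.conf text, are this example's own choices.

```python
import socket

# Constructed clamd.conf fragment, not taken from the post.
SAMPLE_CONF = """\
# clamd.conf
LogFile /var/log/clamav/clamd.log
LocalSocket /var/run/clamav/clamd.sock
#TCPSocket 3310
TCPAddr 127.0.0.1
"""

def parse_clamd_conf(text):
    """Return ('unix', path) if LocalSocket is set, else ('tcp', (addr, port)).

    Comments (#...) and blank lines are skipped.  Preferring the local socket
    over TCP when both appear is an assumption of this example.
    """
    local = port = None
    addr = "127.0.0.1"                      # clamd's TCPAddr default
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0], parts[1].strip().strip('"')
        if key == "LocalSocket":
            local = value
        elif key == "TCPSocket":
            port = int(value)
        elif key == "TCPAddr":
            addr = value
    if local:
        return ("unix", local)
    if port:
        return ("tcp", (addr, port))
    raise ValueError("no LocalSocket or TCPSocket in clamd.conf")

def reply_ok(reply):
    """clamd acknowledges RELOAD with the single word RELOADING."""
    return reply.strip().startswith(b"RELOADING")

def send_reload(endpoint, timeout=10.0):
    """Send RELOAD to clamd and return True if it acknowledged."""
    kind, addr = endpoint
    family = socket.AF_UNIX if kind == "unix" else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(addr)
        s.sendall(b"RELOAD\n")
        reply = s.recv(64)
    return reply_ok(reply)

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/clamav/clamd.conf"
    with open(path) as f:
        endpoint = parse_clamd_conf(f.read())
    if send_reload(endpoint):
        print("reload acknowledged; watch clamd.log for 'Reading databases'")
    else:
        print("clamd did not answer RELOADING")
```

Run it after dropping a new .ndb into the database directory and the "Reading databases ..." line should appear in clamd.log straight away rather than at the next self-check.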


[Clamav-users] Malformed database problem

2008-08-07 Thread Chambers, Phil
I have a local ndb file containing signatures of some spear phishing
attacks targeted specifically at us.

I recently added another signature and it caused clamd to shut down!

Two points:

1) Surely clamd should log the problem but skip the faulty signature and
carry on?

I am now extremely concerned about creating new signatures because of
the risk of taking clamd out, with the serious consequences that that
entails.

2)  I have gone through my new signature time and time again and
compared it with others that are fine and I can't find anything wrong
with it!

I have looked at the source code and there are numerous places where it
detects problems with a signature, but they all generate the same failure
message: Malformed database.

It is going to take me a very long time to patch the code to make it
generate different error messages for each case where a signature can be
malformed, so that I can diagnose my problem, but I see no alternative.

That is, unless there is a tool available to check signatures before
they are installed. Does anyone have any suggestions?

The failing signature is:

Email.Phishing.Exeter.0002:0:0,6:44656172{-18}537562736372696265722c{-4}5765{-4}617265{-4}63757272656e746c79{-4}6361727279696e672d6f7574{-4}61{-4}6d656e7461696e616e6365{-4}70726f63657373{-4}746f{-4}796f7572{-18}6163636f756e742c{-4}746f{-4}636f6d706c657465{-4}74686973

Cheers,

Phil.

Phil Chambers
Postmaster
University of Exeter


Re: [Clamav-users] Malformed database problem

2008-08-07 Thread Chambers, Phil

 -Original Message-
 The failing signature is:
 
 Email.Phishing.Exeter.0002:0:0,6:44656172{-18}537562736372696265722c{-4}5765{-4}617265{-4}63757272656e746c79{-4}6361727279696e672d6f7574{-4}61{-4}6d656e7461696e616e6365{-4}70726f63657373{-4}746f{-4}796f7572{-18}6163636f756e742c{-4}746f{-4}636f6d706c657465{-4}74686973
 
 You might try perhaps placing your new signature into an 
 ndb file and then running something like:
 
   clamscan -d Path-2-NDB-file
 
 That would report if there were a malformed signature in the file.
 
 --
 Gerard

I had tried that and I get the same problem: it just says 'Malformed
database', which gives no hint as to what it is about the signature
which is the problem!  I was looking for something which would point out
where the problem is in the signature.

Regards,

Phil.

Phil Chambers
Postmaster
University of Exeter