[Clamav-users] [sanesecurity] clamd now crashes
Having used clamd for several years without it ever crashing, I am now faced with it crashing quite often. This follows me setting up the new sanesecurity system! I used the old system, before that was stopped, without any problems (I am using 0.94.2). I have written a simple perl script to monitor clamd and re-start it if it crashes because the Sanesecurity signatures are too useful to drop.

The symptoms are quite strange. I am running the fetchsanesigs and freshclam utilities under cron (at different times) and both generally work fine. However, sometimes clamd crashed when freshclam or fetchsanesigs tells clamd to reload. clamd.log shows the 'Reading databases ...' message, but no more. clamd restarts without a problem every time it is restarted. So, it does not look as if there is anything obviously wrong with the Sanesecurity signatures because clamd is happy to load them when it starts.

fetchsanesigs uses the USR2 signal, while freshclam connects to the clamd socket to request the reload. Both can cause the crash.

It would be nice to be able to log each signature file as it is being loaded, but that does not appear to be simple. It did not work when I put a call to logg() in cli_load() (in readdb.c). Can anyone give me a patch so that I can make clamd log each signature file as it loads it? That way I could see if it is always the same file which is being loaded when the crash occurs.

Help in diagnosing this would be much appreciated.

Regards,
Phil.

Phil Chambers
Postmaster
University of Exeter
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [Clamav-users] simplest replacement for ancient amavis-perl
> There are some big names that play badly with greylisting. They play badly with greet-pause, too. A problem I've seen with greylisting is the round-robin MTA pool. Each is told in turn to come back later and if the pool is large it can take a long time to cycle through all of them. You have to be careful how you screen the addresses.
>
> dp

The greylisting scheme I have implemented works at the DATA phase. It uses the sender IP address (top 24 bits only), the sender e-mail address and header date field to form the key for the message. Once a message has passed the greylist test the original sender IP address (full 32 bits) is placed in a whitelist. So, a particular server only needs to demonstrate once that it re-tries and will then be let through in future.

By using the top 24 bits of the IP address in the key I hope to cope with a message being re-tried by a different MTA. I have not encountered such a problem yet.

I have had a couple of instances where there was a problem because people had written their own code on web servers. They did not re-send the same message, but re-generated it when re-trying and so gave it a new date header. In both cases they modified their code when I explained the problem.

Phil.

Phil Chambers
Postmaster
University of Exeter
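Added example, not part of the original message and not the poster's code: a minimal sketch of the keying scheme described above (top 24 bits of the sender address, envelope sender and Date header, with the full address whitelisted after a successful retry). The class name, the `RETRY_MIN` delay, the choice to whitelist the address that delivered the retry, and all addresses and dates are assumptions constructed for illustration.

```python
import ipaddress

RETRY_MIN = 300  # assumed minimum wait (seconds) before a retry counts; not from the post

class Greylist:
    def __init__(self):
        self.pending = {}       # key -> time of first attempt
        self.whitelist = set()  # full 32-bit addresses that have shown they retry

    @staticmethod
    def key(ip, sender, date_hdr):
        # Top 24 bits of the address, so a retry from a pool neighbour still matches.
        net = ipaddress.ip_network(f"{ip}/24", strict=False).network_address
        return (str(net), sender, date_hdr)

    def check(self, ip, sender, date_hdr, now):
        """Decide at the DATA phase: 'accept' or 'tempfail' (a 4xx reply)."""
        if ip in self.whitelist:
            return "accept"
        k = self.key(ip, sender, date_hdr)
        first = self.pending.setdefault(k, now)
        if now - first < RETRY_MIN:
            return "tempfail"
        del self.pending[k]
        self.whitelist.add(ip)  # assumption: the address that delivered the retry
        return "accept"

def demo():
    # Constructed sample traffic (documentation address ranges, invented dates).
    g = Greylist()
    d1 = "Fri, 08 Aug 2008 15:09:00 +0100"
    d2 = "Fri, 08 Aug 2008 15:20:00 +0100"
    return [
        g.check("192.0.2.10", "a@example.org", d1, 0),        # first attempt
        g.check("192.0.2.23", "a@example.org", d1, 600),      # retry from pool neighbour
        g.check("192.0.2.23", "b@example.org", d2, 700),      # now whitelisted
        g.check("198.51.100.5", "web@example.net", d1, 0),    # web form, first attempt
        g.check("198.51.100.5", "web@example.net", d2, 600),  # regenerated: new Date
    ]
```

The last two calls reproduce the web-server case from the message: because the retry carries a new Date header it forms a new key and is deferred again.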
Re: [Clamav-users] Clamav phishing sigs
Take a look at http://iserv.rs-hilter.de/doc/clamav-0.91.2/signatures.pdf

Which I found very useful for exactly this situation.

Phil.

Phil Chambers
Postmaster
University of Exeter
Re: [Clamav-users] Clamav phishing sigs
> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Darren G Pifer
> Sent: Fri 08 August 2008 15:09
> To: ClamAV users ML
> Subject: Re: [Clamav-users] Clamav phishing sigs
>
> Chambers, Phil wrote:
> > Take a look at http://iserv.rs-hilter.de/doc/clamav-0.91.2/signatures.pdf
>
> I have seen this document but it does not show how to add signatures to a database OR for clamd to detect the phishing e-mail. I was able to create the signature (a .hbd file) and clamscan detects the phishing but clamd does not. Maybe I am missing something.
>
> Darren
> ODU

It appears that you need to wait until clamd sees that the signature files in the database directory have changed. I think the default is for clamd to check every 3 hours. It will also check if freshclam downloads updates because freshclam tells clamd to check.

What I have done is to lift the bit of code from freshclam which notifies clamd and put it into a script called clamdreload.pl. If I put a new signature in my local list I then run that script to make clamd read it. You should see the reload in the clamd log.

Phil.

Phil Chambers
Postmaster
University of Exeter
[Clamav-users] Malformed database problem
I have a local ndb file containing signatures of some spear phishing attacks targeted specifically at us. I recently added another signature and it caused clamd to shut down!

Two points:

1) Surely clamd should log the problem but skip the faulty signature and carry on? I am now extremely concerned about creating new signatures because of the risk of taking clamd out, with the serious consequences that that entails.

2) I have gone through my new signature time and time again and compared it with others that are fine and I can't find anything wrong with it!

I have looked at the source code and there are numerous places where it detects problems with a signature, but they all generate the same failure message: Malformed database.

It is going to take me a very long time to patch the code to make it generate different error messages for each case where a signature can be malformed, so that I can diagnose my problem, but I see no alternative. That is, unless there is a tool available to check signatures before they are installed.

Does anyone have any suggestions?

The failing signature is:

Email.Phishing.Exeter.0002:0:0,6:44656172{-18}537562736372696265722c{-4}5765{-4}617265{-4}63757272656e746c79{-4}6361727279696e672d6f7574{-4}61{-4}6d656e7461696e616e6365{-4}70726f63657373{-4}746f{-4}796f7572{-18}6163636f756e742c{-4}746f{-4}636f6d706c657465{-4}74686973

Cheers,
Phil.

Phil Chambers
Postmaster
University of Exeter
Re: [Clamav-users] Malformed database problem
> > The failing signature is:
> >
> > Email.Phishing.Exeter.0002:0:0,6:44656172{-18}537562736372696265722c{-4}5765{-4}617265{-4}63757272656e746c79{-4}6361727279696e672d6f7574{-4}61{-4}6d656e7461696e616e6365{-4}70726f63657373{-4}746f{-4}796f7572{-18}6163636f756e742c{-4}746f{-4}636f6d706c657465{-4}74686973
>
> You might try perhaps placing your new signature into an ndb file and then running something like:
>
> clamscan -d Path-2-NDB-file
>
> That would report if there were a malformed signature in the file.
>
> --
> Gerard

I had tried that and I get the same problem, it just says 'Malformed database', which gives no hint as to what it is about the signature which is the problem! I was looking for something which would point out where the problem is in the signature.

Regards,
Phil.

Phil Chambers
Postmaster
University of Exeter
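Added example, not part of the thread and not ClamAV code: a sketch of the kind of pre-install check asked for above, which splits the hex body of one .ndb line at its `*` and `{...}` wildcards and reports where each problem sits. The function names and the rules are assumptions made for this example, in particular the minimum of two static bytes per fragment, which has not been checked against clamd 0.94.2; parenthesised alternatives and the offset field are not examined.

```python
import re

MIN_STATIC_BYTES = 2  # assumption: shortest literal run accepted between wildcards
WILDCARD = re.compile(r"\*|\{[^}]*\}")
RANGE = re.compile(r"\{(\d+|-\d+|\d+-|\d+-\d+)\}")
LITERAL = re.compile(r"(?:[0-9a-fA-F?]{2})+")  # whole bytes; '?' is a nibble wildcard

# The signature quoted in the thread, joined back onto one line.
SAMPLE = ("Email.Phishing.Exeter.0002:0:0,6:44656172{-18}537562736372696265722c{-4}"
          "5765{-4}617265{-4}63757272656e746c79{-4}6361727279696e672d6f7574{-4}61{-4}"
          "6d656e7461696e616e6365{-4}70726f63657373{-4}746f{-4}796f7572{-18}"
          "6163636f756e742c{-4}746f{-4}636f6d706c657465{-4}74686973")

def longest_static_run(frag):
    """Longest run of consecutive bytes in frag that contain no '?' nibble."""
    best = run = 0
    for i in range(0, len(frag), 2):
        run = run + 1 if "?" not in frag[i:i + 2] else 0
        best = max(best, run)
    return best

def lint_ndb(line, min_static=MIN_STATIC_BYTES):
    """Return [(offset_in_hex_body, message), ...] for one Name:Target:Offset:Hex line."""
    fields = line.rstrip("\r\n").split(":")
    if len(fields) < 4:
        return [(0, f"expected at least 4 ':'-separated fields, got {len(fields)}")]
    target, body = fields[1], fields[3]
    problems = []
    if not target.isdigit():
        problems.append((0, f"target type {target!r} is not a number"))
    pos = 0
    for m in list(WILDCARD.finditer(body)) + [None]:
        end = m.start() if m else len(body)
        frag = body[pos:end]
        if "{" in frag or "}" in frag:
            problems.append((pos, f"unbalanced brace in {frag!r}"))
        elif not LITERAL.fullmatch(frag):
            problems.append((pos, f"{frag!r} is not a whole number of hex bytes"))
        elif longest_static_run(frag) < min_static:
            problems.append((pos, f"fragment {frag!r} has fewer than "
                                  f"{min_static} static bytes"))
        if m and m.group() != "*" and not RANGE.fullmatch(m.group()):
            problems.append((m.start(), f"bad range wildcard {m.group()!r}"))
        pos = m.end() if m else end
    return problems
```

Under these assumed rules, `lint_ndb(SAMPLE)` reports a single item, the one-byte fragment `61`; whether that is what clamd rejected is not established by the thread.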