Re: [Clamav-users] 0.95 rc1 in Solaris 9
Bill Landry wrote:
> Török Edwin wrote:
>> There is something wrong with the background color, this is how it should look (screenshot from an earlier version): https://wwws.clamav.net/bugzilla/attachment.cgi?id=769
> On Fedora 10, mine looks the same as Dennis' - oh, and the F1 - help key appears to do nothing, and I'm not sure if the R - reset maximums does anything either. But at least Q - quit works.
> Bill
> ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml

It didn't work here either until I started a new ssh session. That one worked. It may be a problem with my Xterm. The problem has not repeated.

F1 produces this screen:

NO               Unique clamd number
CONNTIME         How long it is connected
LIV              Total number of live threads
IDL              Total number of idle threads
QUEUE            Number of items in queue
MAXQ             Maximum number of items observed in queue
MEM              Total memory usage (if available)
HOST             Which clamd, local means unix socket
ENGINE           Engine version
DBVER            Database version
DBTIME           Database publish time
Primary threads  Threadpool used to receive commands
Multiscan pool   Threadpool used for multiscan
live             Executing commands, or scanning
idle             Waiting for commands, will exit after idle_timeout
max              Maximum number of threads configured for this pool
Queue            Tasks queued for processing, but not yet picked up by a thread
COMMAND          Command this thread is executing
QUEUEDSINCE      How long this task is executing
FILE             Which file it is processing (if applicable)
Mem              Memory usage reported by libc
Libc             Used/free memory reported by libc
Pool             Memory usage reported by libclamav's pool

dp
Re: [Clamav-users] 0.95 rc1 in Solaris 9
Dennis Peterson wrote:
> Bill Landry wrote:
>> Török Edwin wrote:
>>> There is something wrong with the background color, this is how it should look (screenshot from an earlier version): https://wwws.clamav.net/bugzilla/attachment.cgi?id=769
>> On Fedora 10, mine looks the same as Dennis' - oh, and the F1 - help key appears to do nothing, and I'm not sure if the R - reset maximums does anything either. But at least Q - quit works.
> It didn't work here either until I started a new ssh session. That one worked. It may be a problem with my Xterm. The problem has not repeated.

On second thought it may have been the version I built in Sol 10 with gcc (vs Studio 12) that had the failed F1 function... Too many plates spinning :)

dp
Re: [Clamav-users] 0.95 rc1 in Solaris 9
Nathan Brink wrote:
> Gary L Burnore wrote:
>> That is correct, no X. Get yourself a copy of Xming (free) and set it up. You'll have X. Make sure some sort of display variable is set. (The ssh -X merely enables X connections if it's not already part of your shell). If xclock or xterm aren't in your path, find where they exist and add that dir. Then
>> xterm
>> To start a copy of an X terminal.
> I'm pretty sure the point is to get the F1 key and ncurses working over virtual terminal+ssh. I'm sure that the user is able to use X if he needed to.
> I'd be interested in having the clamdtop program work without X as well - especially since it's designed to be run from the terminal.

It would be nice too if it wrote to a socket - not snmp, but just to poll it from time to time (from Big (Brother|Sister), for example), could be useful.

dp
Re: [Clamav-users] 0.95 rc1 in Solaris 9
Bill Landry wrote:
> Nathan Brink wrote:
>> Gary L Burnore wrote:
>>> That is correct, no X. Get yourself a copy of Xming (free) and set it up. You'll have X. Make sure some sort of display variable is set. (The ssh -X merely enables X connections if it's not already part of your shell). If xclock or xterm aren't in your path, find where they exist and add that dir. Then
>>> xterm
>>> To start a copy of an X terminal.
>> I'm pretty sure the point is to get the F1 key and ncurses working over virtual terminal+ssh. I'm sure that the user is able to use X if he needed to.
>> I'd be interested in having the clamdtop program work without X as well - especially since it's designed to be run from the terminal.
> That's correct, I'm not even remotely interested in running X, I'm perfectly happy with a plain old virtual terminal via ssh.
> Bill

When I use the OEM console terminal on my Mac it sends \033OP when pressing F1. It doesn't do anything in clamdtop. It does work when using Mac's X11 Xterm app but I haven't looked up what is sent with it. Perhaps the clamdtop author knows what it is expecting to receive from F1.

dp
[Clamav-users] 0.95 rc1 in Solaris 9
There is no stdinit.h in my system so clamdtop failed. I disabled the #include in the clamdtop.c code and it built and linked. Not sure what it might fail to do later.

$ gcc --version
gcc (GCC) 3.3.2

It built fine in RedHat Linux 2.6.9-67.0.15.EL, 32-bit Intel.

dp
Re: [Clamav-users] 0.95 rc1 in Solaris 9
Dennis Peterson wrote:
> There is no stdinit.h in my system so clamdtop failed. I disabled the #include in the clamdtop.c code and it built and linked. Not sure what it might fail to do later.
> $ gcc --version
> gcc (GCC) 3.3.2
> It built fine in RedHat Linux 2.6.9-67.0.15.EL, 32-bit Intel.
> dp

Fat fingers - that should be stdint.h. Sorry.

dp
Re: [Clamav-users] 0.95 rc1 in Solaris 9
Gary L Burnore wrote:
> You can use inttypes.h instead, but you'd do well to just upgrade to Solaris 10 as there are MANY good reasons to do so. Look up ZFS.
> Gary L. Burnore gburn...@databasix.com

There are not enough reasons to do so - it's a very big job to drag a lot of user-level application support forward. I have Sol 10 installed on several other systems including the data store running ZFS. It is very nice!

Regarding stdint.h, I'm surprised the code linked without it. I can't expect this to be the only surprise.

dp
Re: [Clamav-users] please remove
Jerry wrote:
> It might help though if the program used to manage the forum, when adding its usually superfluous nonsense at the end of a post, would at least prefix it properly with a sig delimiter. I am sick of receiving messages with the following type of message appended to every new post.
> since example
> ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml

The Mailman software is at least aware of its own footers and is designed to not repeat them but it doesn't always work. It's worse in the digest form.

dp
Re: [Clamav-users] Injury
Kurt Buff wrote:
> Well, I hope you were having fun! Best wishes for the knitting...

Pruned and bottom posted dittos. I broke the same bone once - it hurts to sleep :)

dp
Re: [Clamav-users] please remove - 27 emails and counting
jef moskot wrote:
> On Sat, 21 Feb 2009, Matus UHLAR - fantomas wrote:
>> Did you find the unsubscribe link?
> Neither the URL nor the mail reply work if you don't remember what email address you signed up with. I suppose it could be added to the message somewhere. A lot of lists will do that for you.

It would be the email address he uses to complain to the list with, no?

dp
Re: [Clamav-users] please remove
jim.me...@co.hennepin.mn.us wrote:
> And some people's email systems, which are moronically locked down by management and admins do NOT let you do anything other than top post. Even though they can. So sometimes it's not anyone's fault.

In nearly 30 years of running mail systems I have never seen nor heard of such a thing. Color me lucky, I guess.

dp
Re: [Clamav-users] please remove
Tomasz Papszun wrote:
> On Fri, 20 Feb 2009 at 13:55:30 -0600, jim.me...@co.hennepin.mn.us wrote:
>> And some people's email systems, which are moronically locked down by management and admins do NOT let you do anything other than top post. Even though they can.
> You mean one can't move down the cursor with arrows and use the Delete key? The worst MUA I was made to use was MS Outlook and even there I could trim messages, automatically mark quoted lines with characters and bottom-post.

Lotus Notes puts the original text you are replying to at the bottom if one chooses to include it. But there is nothing to keep one from copy/pasting in the appropriate amount of original text and replying below that. It does two things - prunes the original text which folks should be doing anyway, and defeats an annoying mailer issue. LN mail between LN users begins to look like a mail archiver as it grows and grows with each reply. It's ridiculous but not a hard requirement to allow it.

dp
Re: [Clamav-users] please remove - 27 emails and counting
Andy wrote:
> I believe (and this email is probably no exception) but Gmail and others default to top posting. This mail is me just hitting reply, and typing where the cursor defaults to. Won't happen again, but just FYI.

Your mailer has no brain - you must use your own :), and yes, I know, it's hard to put that cursor at the bottom, but since you're going to prune the thread anyway to remove unneeded footers and content... And no, I didn't miss your point and example, so "you" above isn't you that I am writing of, here.

dp
Re: [Clamav-users] OT: Re: please remove
Laurens wrote:
> I have been wanting to unsubscribe from this fucking thing for over a year can not remember log in details etc and as a result I keep getting this shit. I have written, mailed and asked politely all to no avail it is now called spam. STOP THIS SHIT PLEASE

The instructions to unsubscribe are in the headers of each post sent from this list server. If you follow them you should be able to remove yourself from the list.

dp
Re: [Clamav-users] ClamAV Webinar on 4th March
chen wrote:
> Why doesn't this list's webmaster install a simple forum? Yes, a link to unsubscribe from this list would be welcome.

The link is in the headers of the messages. There's no need to put multiple links that I can think of since you can use the ones that are already in the message you receive.

dp
Re: [Clamav-users] please remove
Francesco Peeters wrote:
> Gary L Burnore wrote:
>> Stuart Rowan wrote:
>>> Alpine and afaicr pine expose this information. Each ML mail has a link at the bottom in the mail viewer which gives you a list of all the things you can do e.g. unsubscribe.
>>> Stu.
>>> On Thu, 19 Feb 2009, Ian Eiloart wrote:
>>>> --On 18 February 2009 14:26:11 -0800 Dennis Peterson denni...@inetnw.com
>>>> As long as most MTAs don't expose the List-Unsubscribe: header (none do by default, as far as I'm aware), it can't be described as easy to use. Some MTAs even make it really hard to find the full message headers.
>>> Thunderbird doesn't by default, but has a plugin that *does*...
>> Alpine and Pine are not MTAs. Thunderbird is not an MTA. Alpine, Pine, Thunderbird, Outlook, Eudora etc are MUAs.
> You are correct, but given the context, I assumed that that was what Dennis Peterson meant...

We, many of us, are messaging professionals. If any of us are confused or unable to read our email headers then we have larger problems. The list here works pretty much like lists have since the earliest days of list-serve. There should be no surprises. If the occasional user doesn't know how it works a gentle nudge should be adequate. I run a lot of mail lists and I do it all the time. As professionals we should not require our hands be held and a label put on all we touch. This thread is getting a bit silly.

dp
Re: [Clamav-users] Blog about the Active Malware Report System
Nigel Horne wrote:
> Folks, We've just added an entry to the blog at clam-av.blogspot.com which covers the new statistics system. The article gives some background information, what we've published to date and what we hope to do in the future. It also covers why you should consider submitting data and how to do so. All suggestions for future blog entries are welcome - please let me know any ideas you have.
> -Nigel

Maybe some stats on all the spam coming from various blogspot blogs would be helpful to the hosts to review. It's gotten so bad I've put blogspot.com in my urlbl list and it's blocked thousands of posts in just a matter of days. But back to your topic - good information, first, but with this blog and the ClamAV wiki and the mail lists, is information becoming too scattered?

dp
Re: [Clamav-users] please remove
Jim Potter wrote:
> please remove me from your mailing list. thank you.

The instructions for you to follow to get this done are in the headers of every post from this list server. It's pretty much self-service.

dp
Re: [Clamav-users] Trying out the subversion milter
Steve wrote:
> On Sat, 14 Feb 2009 23:21:16 +0100 aCaB aca...@digitalfuture.it wrote:
>> Steve wrote:
>>> Unfortunately, no change.
>> That's likely because you didn't update the svn checkout or recompiled, or reinstalled, or restarted the daemons.

Did you not check the version number in the clamd log, or the timestamps? Are all vestiges of previous versions of ClamAV gone? Specifically, libraries. What do you get when running ldd against the ClamAV binaries? I suggest this only to eliminate a common and recurring problem with ClamAV installations and that is left-overs from earlier versions.

dp
Re: [Clamav-users] Trying out the subversion milter
Steve wrote:
> On Sat, 14 Feb 2009 16:50:44 -0800 Dennis Peterson denni...@inetnw.com wrote:
>> Steve wrote:
>>> On Sat, 14 Feb 2009 23:21:16 +0100 aCaB aca...@digitalfuture.it wrote:
>>>> Steve wrote:
>>>>> Unfortunately, no change.
>>>> That's likely because you didn't update the svn checkout or recompiled, or reinstalled, or restarted the daemons.
>> Did you not check the version number in the clamd log, or the timestamps? Are all vestiges of previous versions of ClamAV gone? Specifically, libraries. What do you get when running ldd against the ClamAV binaries? I suggest this only to eliminate a common and recurring problem with ClamAV installations and that is left-overs from earlier versions.
>> dp
> I shut everything down, ran the uninstall for 0.94.2, then the install from svn, with no change ):

Ok -- looks good so far. But...

One thing I forgot to mention in the earlier note is to never ever trust the uninstall tool nor the rpm tool de jure to actually completely uninstall anything. They can fail with mysterious results.

The other issue is any tests you do with ldd can be account-sensitive. Some accounts for example may have LD_LIBRARY_PATH defined, others not. Some systems admins set that as a global, some don't. Some systems (Solaris, for example) have global library paths set using crle, others use ldconfig. It's a crazy world. Then there are the hard-coded path dependencies built into the build process of specific applications.

You absolutely cannot depend on version x.xx.x to uninstall version x.xx, so if you no longer have the earlier version source to do the uninstall you should expect to manually review the debris left behind. This is especially true of rpm's that come from different sources - the builders don't connect with each other to ensure one builder's package is compatible in any way with that of another builder.

What this means is don't trust anything, scan your environment to see if there are legacy bits laying about and get rid of them. You may not find them but if you do you certainly would not be the first.

dp
Re: [Clamav-users] Trying out the subversion milter
Steve wrote:
> On Sat, 14 Feb 2009 20:57:52 -0800 Dennis Peterson denni...@inetnw.com wrote:
>> Steve wrote:
>>> On Sat, 14 Feb 2009 16:50:44 -0800 Dennis Peterson denni...@inetnw.com wrote:
>>>> Steve wrote:
>>>>> On Sat, 14 Feb 2009 23:21:16 +0100 aCaB aca...@digitalfuture.it wrote:
>>>>>> Steve wrote:
>>>>>>> Unfortunately, no change.
>>>>>> That's likely because you didn't update the svn checkout or recompiled, or reinstalled, or restarted the daemons.
>>>> Did you not check the version number in the clamd log, or the timestamps? Are all vestiges of previous versions of ClamAV gone? Specifically, libraries. What do you get when running ldd against the ClamAV binaries? I suggest this only to eliminate a common and recurring problem with ClamAV installations and that is left-overs from earlier versions.
>>>> dp
>>> I shut everything down, ran the uninstall for 0.94.2, then the install from svn, with no change ):
>> Ok -- looks good so far. But...
>> One thing I forgot to mention in the earlier note is to never ever trust the uninstall tool nor the rpm tool de jure to actually completely uninstall anything. They can fail with mysterious results.
> I've had no problems with the uninstall/install method when building clamav from source so far... and debian doesn't use rpm (:
>> The other issue is any tests you do with ldd can be account-sensitive. Some accounts for example may have LD_LIBRARY_PATH defined, others not. Some systems admins set that as a global, some don't. Some systems (Solaris, for example) have global library paths set using crle, others use ldconfig. It's a crazy world. Then there are the hard-coded path dependencies built into the build process of specific applications.
>> You absolutely cannot depend on version x.xx.x to uninstall version x.xx, so if you no longer have the earlier version source to do the uninstall you should expect to manually review the debris left behind. This is especially true of rpm's that come from different sources - the builders don't connect with each other to ensure one builder's package is compatible in any way with that of another builder.
> I am the sysadm, installs/startups/tests are all run as root. I never use LD_LIBRARY_PATH unless absolutely necessary, it's too much of a security liability. This is all running on a 32 bit debian stable VPS. As I said before, I uninstalled using 0.94.2 and installed the current subversion install. I can find no fault with this, the developers of clamav have been exemplary in this. All of this is built from source, I have never, ever mentioned rpms.
>> What this means is don't trust anything, scan your environment to see if there are legacy bits laying about and get rid of them. You may not find them but if you do you certainly would not be the first.
> Look, I'm a systems administrator, so I'm paid to be a pessimist (:
>> dp
> My main frustration is that the only way I can get more information from the applications is to rewrite the code itself... at least it's written in a real language (runs for cover!), but it would be great to be able to change the log level to get more detailed info out. Then I would be able to take a more proactive approach in debugging this problem.
> Cheers, Steve

Ok - I'm just a guy sitting here in Bellevue, Washington sharing experiences while having no specific information about your environment. Not everything (and often nothing) will apply. But you and I agree about LD_LIBRARY_PATH and other things. But I've been doing this for 30 years so when we get to this point and it still doesn't work I fall back on my favorite piece of advice.

If you have a problem that is uncommon then very often something you are sure of is wrong. Best of luck getting it sorted out - pessimism is your friend :)

dp
Re: [Clamav-users] what about sanesecurity phising database
Steve Basford wrote:
>> Hello, Anyone know when sanesecurity phishing databases will be online?
> They are online... but the old scripts will not work
> See: http://sanesecurity.co.uk/news.htm
> Cheers, Steve
> Sanesecurity

Sure glad you're back Steve - a quick look at my server logs pretty much pinpoints your time off! :)

dp
Re: [Clamav-users] WARNING: DNS record is older than 3hours. (freshclam.log)
da...@davidwbrown.name wrote:
> Hello aCaB, thanks for the informative and speedy reply. The command returns the expected TXT string. My clam updates 17 minutes after the hour every 2 hours. In about 40 minutes or so I will recheck the log and report back upon getting this error again unless you can suggest how-to proceed. Please advise, David.

You might consider randomizing the times at which you check for signatures so you don't dogpile on with everyone else who has hard-coded 17 minutes past the hour.

dp
Re: [Clamav-users] WARNING: DNS record is older than 3hours.(freshclam.log)
da...@davidwbrown.name wrote:
> Hello Dennis, thanks for the reply. Though I am far from being a ClamAV expert I was not aware the default config leads to 17 minutes after the hour(+2) for the DB update. All I can see possible is to edit freshclam.conf for:
>
> # Run command when database update process fails.
> # Default: disabled
> #OnErrorExecute command
>
> # Number of database checks per day.
> # Default: 12 (every two hours)
> #Checks 24
> #

If you run it as a daemon then it lights off each 2 hours starting from when you started it - which for all users is likely a random time, of course, else it would truly be a dogpile at 17 minutes past. I presumed when you nailed it at 17 minutes past that you were not running it as a daemon but through a script. I run it in a script via cron, and the script does randomize the actual connect time. There may be some discussion on the ClamAV wiki regarding this. I found the randomization improved the connection success when I first installed it - there are more clients out there now so that may no longer be true. I haven't checked in the past year.

dp
Re: [Clamav-users] WARNING: DNS record is olderthan 3hours.(freshclam.log)
da...@davidwbrown.name wrote:
> Hello Dennis, in any case I have it backwards: the freshclam is running as a daemon and the clamscan is running as a script (cron). How to reverse this? Thanks, David.

I checked the wiki and there's nothing there. I found this link on Google: http://www.gossamer-threads.com/lists/clamav/users/30708

The options you have available to you depend on your cron tool. Some have a random feature built in. If that is the case then you can use it to directly launch freshclam. If that is not the case then a short bash script as suggested in the above link can be used. I use Solaris which does not have the more versatile version of cron so I wrote this script and call it from cron. There's many ways to do it, though.

#!/bin/bash
# Refuse to stack up: if a freshclam is still running from a previous
# run, report it and kill it before starting a fresh one.
if /usr/bin/pgrep -x freshclam > /dev/null 2>&1; then
    echo 'Killing an instance of freshclam that is already running!' |\
        /usr/bin/mailx -s '[example.com] freshclam error' myn...@example.com
    pkill freshclam
fi
# Spread the mirror load: sleep up to 15 minutes unless any argument
# was given (a manual run skips the delay).
if [ -z "$1" ]; then
    sleep $(( RANDOM % 900 ))
fi
/usr/local/bin/freshclam --quiet \
    --daemon-notify=/usr/local/etc/clamd.conf #> /dev/null 2>&1
#echo Return code: $?

dp
Re: [Clamav-users] How to test ClamAV
Andy wrote:
> You'll need to find a nastie that your local/server AV don't detect, but ClamAV does. Or make an exception for a file extension... rename eicar.txt to eicar.z43 (something random) and make sure your server and local av will ignore that file extension.

It's not that difficult if you've properly set up the system to check for outgoing viruses as well as incoming viruses. You need only send a sample virus to a friend or test address. ClamAV doesn't care which way the bug is going - it should reject it before it leaves the building. Checking for outgoing viruses does seem to be an alien concept for some mail admins, though.

dp
Re: [Clamav-users] Using clamav on internet gateway
Sunny K wrote:
> Hi, Is there any way to use clamav on an internet gateway (linux based) to protect connected hosts from virus/malicious content?
> (Internet)-| Internet Gateway (linux on x86) | Host-1 | | Host-2

ClamAV is used successfully in gateway systems for web proxy (squid, for example), email, and ftp traffic, all in real time. This requires some horsepower to keep from introducing lag into the system.

dp
Re: [Clamav-users] How to test ClamAV
Alex Davidson wrote:
> I am running ClamAV tying into ASSP on Debian 4. To test ClamAV I have tried using http://www.aleph-tec.com/eicar/index.php to send myself EICAR test virus strings but firstly only 3 of the 7 tests hit my mail server, and secondly ClamAV doesn't detect anything, yet the next-level AV detects it just fine.

What is being logged by the ClamAV software?

dp
Re: [Clamav-users] differences between clamscan, clamd and realtime scanning with dazuko
ist...@stong.org wrote:
> Hi, I'm setting up a file transfer server and as people send files to it I want to scan them and either move to a clean file directory or to an infected directory. Looking at the various options available and need some advice on what course to take. Also I don't understand what clamd does for you versus clamscan. I was thinking I could create a cronjob that calls a script that runs clamscan and then when it's finished it copies the scanned files to a safe folder. If any viruses found then clamscan moves the files to a quarantine directory. Another option might be to somehow use clamd but not sure how that would work. The third option looks to incorporate dazuko and do real time scanning somehow. Hope someone has already solved this and can shed some light on the various options and which works best.

Here's an example of how to do this using ProFTPd: http://www.thanosk.net/node/6

Clamd is a persistent process and does not need to load all the signatures each time it is called. You simply tell it where to find the file to scan and assuming it has permissions to do so, it scans the file(s). You connect to it via Unix or TCP sockets. Clamscan has to load the signatures each time it is run so on a busy system this can be a burden. If you wish to do this in real time then the clamd method is faster and less load on your system. I don't use Linux so don't know what the Dazuko issues or advantages are.

dp
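Dennis's description of clamd (a persistent daemon reached over a Unix or TCP socket, told what to scan) maps onto a very short client. The following is an added example written for this archive, not code from the thread or from the ClamAV project: it streams an uploaded file to clamd with the INSTREAM command (part of clamd's own protocol from 0.95 on, so the daemon never needs file-system access to the upload directory), reads the verdict, and moves the file into a clean or quarantine directory as the original poster wanted. The socket address, the directory names and the fail-closed rule for non-OK replies are assumptions.

```python
"""Minimal clamd client for the file-drop workflow discussed above: stream a
file to clamd with INSTREAM, read the verdict, move the file to a clean or
quarantine directory.  Added example for this archive, not code from the
thread or from ClamAV.  The wire format (NUL-terminated zINSTREAM command,
4-byte big-endian length-prefixed chunks, a zero-length chunk to finish,
replies ending in OK, FOUND or ERROR) is clamd's documented protocol; the
address and directories below are assumptions."""
import os
import shutil
import socket
import struct

CHUNK = 8192                                  # well under clamd's StreamMaxLength
CLAMD_ADDR = "/var/run/clamav/clamd.sock"     # assumed; or ("127.0.0.1", 3310)


def instream_frames(data, chunk=CHUNK):
    """Encode data as one INSTREAM request: command, length-prefixed chunks,
    terminating zero-length chunk."""
    frames = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        frames.append(struct.pack(">I", len(part)) + part)
    frames.append(struct.pack(">I", 0))
    return b"".join(frames)


def parse_reply(reply):
    """Map a clamd reply to (status, detail): ("OK", None),
    ("FOUND", signature name) or ("ERROR", clamd's message)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    head, sep, tail = text.partition(": ")
    verdict = tail if sep else head
    if verdict == "OK":
        return "OK", None
    if verdict.endswith(" FOUND"):
        return "FOUND", verdict[:-len(" FOUND")]
    return "ERROR", verdict


def connect(addr):
    """addr is a Unix socket path (LocalSocket) or a (host, port) tuple
    (TCPSocket/TCPAddr)."""
    if isinstance(addr, tuple):
        return socket.create_connection(addr, timeout=60)
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.settimeout(60)
    s.connect(addr)
    return s


def scan_bytes(data, addr=CLAMD_ADDR):
    """Send data to clamd and return parse_reply() of its answer."""
    with connect(addr) as s:
        s.sendall(instream_frames(data))
        reply = b""
        while not reply.endswith(b"\0"):   # z-commands get a NUL-terminated reply
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


def sort_file(path, clean_dir, quarantine_dir, addr=CLAMD_ADDR):
    """Scan one uploaded file and move it.  Anything that is not a clean OK
    (a FOUND, but also an ERROR such as a size-limit hit) goes to quarantine
    so an upload that could not be scanned is never treated as clean."""
    with open(path, "rb") as fh:
        status, detail = scan_bytes(fh.read(), addr)
    dest = clean_dir if status == "OK" else quarantine_dir
    os.makedirs(dest, exist_ok=True)
    shutil.move(path, os.path.join(dest, os.path.basename(path)))
    return status, detail
```

Because the bytes travel over the socket, clamd does not need read permission on the upload directory, which sidesteps the "assuming it has permissions" caveat in the reply; the price is that each file is copied through the socket, so keep StreamMaxLength in clamd.conf at least as large as the biggest upload you accept, or those uploads will land in quarantine as ERRORs.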
[Clamav-users] Mac virus question
Anyone have any comments on the iServices.a virus found in illegal distributions of iLife '09?

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126609&intsrc=hm_list

dp
Re: [Clamav-users] clamd not creating socket or pid file
Tom H wrote:
> Hi, I have the 0.90.3 rpm from the fedora core 6 repos running on my fedora 6 box. It is running as the defang user, and has been running fine for a long while, however the clamd was restarted last night and mimedefang is complaining that there is no /var/run/clamav/clamd.sock file, and sure enough there is not. There is also no pid file also; It looks like the /etc/clamd.conf parses ok;
>
> [r...@vs802 MIMEDefang]# clamconf -n
> /etc/clamd.conf: clamd directives
> -
> LogFile = /var/log/clamav/clamd.log
> LogFileMaxSize = 0
> LogTime = yes
> LogVerbose = yes
> LogSyslog = yes
> PidFile = /var/run/clamav/clamd.pid
> TemporaryDirectory = /tmp
> ArchiveMaxCompressionRatio = 300
> LocalSocket = /var/run/clamav/clamd.sock
> MaxConnectionQueueLength = 30
> MaxThreads = 50
> ReadTimeout = 300
> FixStaleSocket = yes
> User = defang
>
> /etc/freshclam.conf: freshclam directives
> -
> PidFile = /var/run/clamav/freshclam.pid
> DatabaseOwner = defang
> Checks = 24
> UpdateLogFile = /var/log/clamav/freshclam.log
> DatabaseMirror = db.gb.clamav.net
> NotifyClamd = /etc/clamd.conf
>
> Any ideas on what has happened and how to fix it? (I am going to update the server fedora core 10 soon, which should give me the new clamav packages - but for the moment I would just like to get this working again)

Does user defang have read/write permissions in the /var/run/clamav directory (and does that directory exist?).

dp
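The two questions Dennis ends on (does the directory exist, and can the clamd user write there) are exactly what a missing clamd.sock and clamd.pid usually come down to, and they can be checked mechanically before clamd is restarted. The following is an added example, not code from the thread or from ClamAV: it resolves the configured User, applies the directory's owner/group/other bits the way the kernel would, and lists what is wrong. /var/run/clamav and defang come from the post; everything else is an assumption.

```python
"""Check that the directory clamd writes its socket and pid file into exists
and is writable by the configured User.  Added example for this archive, not
code from the thread or from ClamAV; the path and user below come from the
post (PidFile/LocalSocket and User = defang), the rest is assumed."""
import grp
import os
import pwd
import stat

SOCKET_DIR = "/var/run/clamav"   # from PidFile / LocalSocket in the post
CLAMD_USER = "defang"            # from User = defang in the post


def user_ids(user):
    """uid plus the set of gids (primary and supplementary) for user."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if user in g.gr_mem)
    return pw.pw_uid, gids


def has_bit(st, uid, gids, owner_bit, group_bit, other_bit):
    """Classic Unix rule: owner bits if you own it, else group bits if you
    are in the group, else other bits.  There is no falling through."""
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def socket_dir_problems(path=SOCKET_DIR, user=CLAMD_USER):
    """Return a list of human-readable problems; an empty list means user
    should be able to create clamd.sock and clamd.pid inside path."""
    try:
        uid, gids = user_ids(user)
    except KeyError:
        return ["user %s does not exist" % user]
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s does not exist" % path]
    if not stat.S_ISDIR(st.st_mode):
        return ["%s is not a directory" % path]
    if uid == 0:
        return []          # root ignores mode bits (MAC policies aside)
    problems = []
    # creating a file needs write *and* search (execute) permission on the dir
    if not has_bit(st, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH):
        problems.append("%s cannot write to %s (mode %o, owner uid %d)"
                        % (user, path, stat.S_IMODE(st.st_mode), st.st_uid))
    if not has_bit(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
        problems.append("%s cannot search %s" % (user, path))
    return problems


if __name__ == "__main__":
    report = socket_dir_problems() or ["%s looks usable by %s" % (SOCKET_DIR, CLAMD_USER)]
    for line in report:
        print(line)
```

Run it as root before starting clamd. A missing directory is the usual outcome after a reboot on systems where /var/run is a tmpfs and nothing recreates the subdirectory; a mode or ownership problem is the usual outcome after a package update or a manual chown elsewhere. In both cases the fix is to create or re-own the directory for the configured User rather than to run clamd as root.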
Re: [Clamav-users] Clamav and MRTG
Gary L Burnore wrote:
> Andrew McGlashan wrote:
>> Tarak Ranjan wrote:
>>> I'm trying to configure MRTG for clamd but it's giving me 0 output
>> That is probably because MRTG is a Multi-Router Traffic Grapher and all your clamav traffic is local, ie not routing anywhere.
> Sorry Andrew, but MRTG really does do more than just monitor routers. I was searching for the same solution as Tarak as I just managed to get SpamAssassin to graph. SpamAssassin attaches via a socket or a local tcp connection. One can also use mrtg to monitor things such as CPU, Memory and the like. See http://www.inter7.com/qmailmrtg/ for an example. Within that example is a listing for Clamav so SOMEONE's done it. Once I dig through it all and figure it out, I'll post it here. For now, the answer to his 0/0 question is simple: It's looking for a line starting with @nnn from multilog and clamd.log isn't in multilog format.

rrd-tools may be easier to set up and use.

dp
Re: [Clamav-users] Mandriva 2009 and ClamAv
Chris wrote:
> I'm working on updating my old Mandrake 10.1 system to Mandriva 2009, what a pain, anyway, using urpmi I installed 94.2. When trying to start it I got a 'command not found' and noticed that in /usr/bin there is no clamd file. There is a clamdscan and a freshclam which in fact is getting updates. Is there any reason why there would be no clamd executable included with a Mandriva package? There was always one when I rolled my own for 10.1.
> Thanks
> Chris

Does that package come as separate client and server distributions? I've lost track of all the ways all the different Linuxes deal with services vs client installations, but I have a recollection that some Linuxes need more than one RPM installed to get it all. You have all the client software, for example, but not the server software (clamd, and probably clamav-milter).

dp ... just thinking out loud
Re: [Clamav-users] Can I force ClamAV to scan a data file?
Aleksey Tsalolikhin wrote: Hi. I just created a 250 MB file, using dd if=/dev/zero of=file.dat When I tried to run clamscan on it, I got Scanned Files: 1 Data Scanned: 0.00 MB So clamscan didn't actually scan it... Is there any way to force clamscan to scan the file, please? Best, -at There is a configurable max filesize you can set. Read the man page or run clamscan --help for details. The default max size is 100 MB. There is also a setting for archive sizes and other archive parameters to adjust. dp
Re: [Clamav-users] Non-Windows Malware
Derek Currie wrote: Greetings folks, This is a reply to a thread started way back in April of 2008 (when it used to have the unfortunate subject line Non-Windoze Viruses). Concerning the controversy about whether Clamav has definitions for Mac OS X malware, I managed to find the answer is YES, but only sort of. It has been remarkably hard to find what malware are in Clamav's Definitions List. Persistent pounding of the net provided me with the answer, which was embedded in the earlier thread. You can do a search for what you want here: I'm not sure I follow any of what you're saying. It makes no sense. It is and has always been trivial to know what the virus names are in ClamAV. But knowing that is nearly worthless just as knowing what the names of viruses are in Symantec's product. The names you see are guaranteed to apply only within the product they are found in. There is no naming standard. The only way to know if an actual virus signature is in a product is to submit that virus to the product you are curious about. And even then there's no guarantee because there are variants of viruses that may or may not have multiple identities as when a single signature is found in multiple variants. If an AV product discovers several variants with a single signature there will be only one named signature where another product may have 5 different signatures that find only a single variant each. There are a number of virus signatures in ClamAV that, because they were found first by the ClamAV people, were named by those same ClamAV people. It's not like there has always been a virus name clearing house for day 0 threats. There is no reason Symantec, TrendMicro, et al, are going to use that same name. In fact there is very little chance of it. They don't have a good history of sharing names among themselves. And how can that even work?
All companies that share a common virus name must develop signatures from the same exact virus in order to ensure they are all talking about the same virus. What are the chances that's always going to happen? There is a competitive advantage in not doing it, in fact. If you're first to market with a new signature you put that on your front page because you have an exclusive signature. That's free advertising when all the pundits and news rooms start spreading it around. There has been no successful attempt to standardize on names for viruses for which signatures have been found that I am aware of. I don't care because names are meaningless except to the press. There have been efforts at creating cross-reference tables for virus names but lordy what a waste of time. If you have actual OS X viruses that can be submitted to ClamAV's signature team then provide them. I run only Mac desktops but run ClamAV on my Unix MTAs because it's the right thing to do. I've never seen a virus that targets Mac systems specifically so have no possibility to contribute to the effort. It would be very useful to know not what the virus names are, but what if any resources are committed to locating and identifying Mac malware. Does the ClamAV group have OS X spam traps running anywhere? Maybe so, maybe not. If not then you have a legitimate gripe. Do they have Mac systems to evaluate viruses? Maybe so, maybe not. Again, if not then there's reason to gripe. If a Mac malware submission comes in on their web page do they have the capability to evaluate it? I don't know. Do you? dp
Re: [Clamav-users] Non-Windows Malware
Derek Currie wrote: On Dec 6, 2008, at 12/06, 7:26 PM, Dennis Peterson wrote: There is no naming standard. Again with the misinformation. There is, in fact, a naming standard, and an organization designated to provide those names. Whether an anti-malware provider chooses to use the official name is up to them. I'll let you find that standardized naming organization on your own. Homework. Sheesh. Must be a low pressure day... I have a bad feeling you're referring to CME. dp
Re: [Clamav-users] Non-Windows Malware
[EMAIL PROTECTED] wrote: In any case, I believe, Mac users should come out of their self-imposed complacence and should be encouraged to upload the threats that they find to the ClamAV database, and for that to happen Macintosh ClamAV users should spread the word on all Macintosh forums that they have access to. I'll do that just as soon as I see one. I can do nothing to rush that along. That may be a common problem. What is the name of the group of commercial Mac anti-malware providers that ClamAV is not a member of? What does it mean to share definitions? Why not share the virus itself? Of the members of this group which has the best product for Mac and why? Since they are sharing definitions how are they even different? Why is this entire discussion cloaked in such secrecy? This seems a little silly. dp
Re: [Clamav-users] Non-Windows Malware
Spiro Harvey wrote: No doubt some people run mail servers on OS-X that are delivering mail to windows users, so it is possible for those people to run clam. I used to build very nice headless Mac Mini mail MTAs for rapid deployment at corporate acquisitions. They work very well running Postfix though I prefer Sendmail, and so too does ClamAV run well on the Mac. Hard to beat the price and footprint. They don't have enough disk IO for large sites, but a refrigerator full of them stuffed in a closet running XGrid should do the job nicely. dp
Re: [Clamav-users] freshclam version logic
Jason Bertoch wrote: I understand this is harmless, but shouldn't there be some logic in freshclam to avoid this error? freshclam[29375]: Your ClamAV installation is OUTDATED! freshclam[29375]: Local version: 0.94.2 Recommended version: 0.94.1 It's not an error, it is an advisory to let you know there is a newer version and that you should take the time to discover the importance of the new version. If you decide the new version is not critical then you can ignore the advisory. If you use syslog-ng for clamav logging you can map out those messages. dp
Re: [Clamav-users] freshclam version logic
Rick Macdougall wrote: Dennis Peterson wrote: Jason Bertoch wrote: I understand this is harmless, but shouldn't there be some logic in freshclam to avoid this error? freshclam[29375]: Your ClamAV installation is OUTDATED! freshclam[29375]: Local version: 0.94.2 Recommended version: 0.94.1 It's not an error, it is an advisory to let you know there is a newer version and that you should take the time to discover the importance of the new version. If you decide the new version is not critical then you can ignore the advisory. If you use syslog-ng for clamav logging you can map out those messages. Errr, he's running 94.2 and freshclam is telling him that 94.1 is newer. I don't think that 94.1 > 94.2. I took that to be a typo - you're right that it may not be the case. dp
Re: [Clamav-users] freshclam version logic
Brandon Perry wrote: His definition mirrors just haven't caught up with the main mirror yet, it happens. Just wait a day or so. It is even more confused - this is what is in my log: Local version: 0.94.1 Recommended version: 0.94.2 And this is what is on the clamav home page: Latest ClamAV™ stable release is: 0.94.1 Total number of signatures: 469148 ClamAV Virus Databases: main.cvd ver. 49 released on 22 Oct 2008 22:03 + daily.cvd ver. 8684 released on 26 Nov 2008 15:37 + and this is what is on the linked page for stable releases: Production quality releases Latest stable release: ClamAV 0.94.2 (signature) dp
Re: [Clamav-users] Clean up of clamav directories
Steve Douville wrote: Hi All, I searched in vain for this on Google, so thought I'd put it to the list... In my /usr/local/share/clamav directory, I have quite a large number of clamav-# directories. My /usr partition is getting quite full because of these. There are some pretty old directories so I'm wondering if they have to be there or if clamav maybe isn't cleaning up after itself. Can I delete any of these? Thanks in advance, Steve Yes - they should never be around more than a few hours on a slow day. ClamAV is doing a better job of cleaning up temporary files now and I've not seen any temp files for quite a long time. dp
Re: [Clamav-users] 550 This message was detected as possible malware (Zip.ExceededFileSize).
Robert Steinmetz AIA wrote: The best I can figure this is an issue with either ArchiveMaxFileSize or ArchiveBlockMax, which I understand were discontinued in 0.93. I'd like to understand what the issue is. I am unlikely to upgrade just clamav, unless there is some really major issue because such upgrades have a tendency to break other things and make general administration too time consuming. I also don't like blindly following advice. Tomasz has some pretty good credentials. I've never gone wrong following his advice: From ClamAV Team Members page: Tomasz Kojm * Role: project leader * Email: tkojm at*clamav*net * Country: Poland dp
Re: [Clamav-users] clamav-milter installation question
martinnitram wrote: if you used /etc/rc.d/init.d/clamav-milter to start the milter, at around line 20, you can see ...

# Local clamav-milter config
CLAMAV_FLAGS=
test -f /etc/sysconfig/clamav-milter && . /etc/sysconfig/clamav-milter

... so the milter config file should be /etc/sysconfig/clamav-milter hope helpful. Nope - you don't source the config file. That is a parameter file for the rc startup process. See the httpd file in that same directory (if installed) - no way is that a conf file for Apache. dp
Re: [Clamav-users] FW: How to Uninstall ClamAV?
Mac Carter wrote: Recently, I attempted to un-install ClamXav as part of an effort to diagnose some kernel panics that have been happening on my MacBook Pro (OS 10.5.5). A search shows there are NO files on my computer with the name "clam" (partial or whole). However, I still get regular Console log alerts saying: Did you kill the freshclam process? dp
Re: [Clamav-users] Twitter
ANANT S ATHAVALE wrote: Dear Developers, When we run clamscan, it gives output similar to the one below. Apart from the information shown below, I would like to have one more field that indicates the date/time of the last update of signatures. What I mean is, it should be easy for me to know whether I have the latest updates. I have not checked whether some optional option of clamscan can show it or not. Sorry if it is already there. Let me know if that feature is already there. Regards, ANANT. Run freshclam -v dp
Re: [Clamav-users] Twitter
ANANT S ATHAVALE wrote: Quoting Dennis Peterson [EMAIL PROTECTED]: ANANT S ATHAVALE wrote: Dear Developers, When we run clamscan, it gives output similar to the one below. Apart from the information shown below, I would like to have one more field that indicates the date/time of the last update of signatures. What I mean is, it should be easy for me to know whether I have the latest updates. I have not checked whether some optional option of clamscan can show it or not. Sorry if it is already there. Let me know if that feature is already there. Regards, ANANT. Run freshclam -v Thanks, My freshclam runs on a system which is connected to the internet. Later we transfer the signature files to a system connected to the Intranet only by a continuously defined procedure at definite intervals. I would like to check the status of those signatures on the Intranet.

ssh hostname.intranet sigtool -i daily.cld
ssh hostname.intranet sigtool -i main.cld

dp
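An added example for the intranet-host check above; it is not code from the thread or from the ClamAV project. Both .cvd and .cld files start with a 512-byte, space-padded, colon-separated header of the form ClamAV-VDB:build time:version:signatures:functionality level:md5:digital signature:builder:build time in epoch seconds, which is what sigtool -i prints. The script reads that header directly, so it needs no ClamAV binaries on the receiving host and can tell you how old daily.cld is and exit non-zero when it is stale. The sample header is constructed (its hashes, signature and builder are placeholders; only the version and date match the daily.cvd 8684 release quoted on the list), the database paths in the comments are assumptions, and the 48-hour cutoff is a policy assumption.

```python
#!/usr/bin/env python3
"""Report version and age of a ClamAV .cvd/.cld file from its 512-byte header.

Added example, not from the list thread or the ClamAV project: an offline
stand-in for 'sigtool -i daily.cld' on a host without sigtool.
"""
import sys
import time

HEADER_LEN = 512

# Constructed header; version/date match daily.cvd 8684 (26 Nov 2008 15:37 UTC,
# epoch 1227713820). md5, dsig and builder are placeholders.
SAMPLE_HEADER = (
    "ClamAV-VDB:26 Nov 2008 15-37 +0000:8684:469148:40:"
    "0123456789abcdef0123456789abcdef:dummy-dsig:example-builder:1227713820"
).ljust(HEADER_LEN).encode("ascii")


def parse_header(raw):
    """Parse the header bytes into a dict; raise ValueError if it is not one."""
    if len(raw) < HEADER_LEN:
        raise ValueError("file shorter than the %d-byte header" % HEADER_LEN)
    text = raw[:HEADER_LEN].decode("ascii", errors="replace").rstrip(" \0")
    fields = text.split(":")      # the build-time string uses '-' between
    if len(fields) != 9 or fields[0] != "ClamAV-VDB":   # hh and mm, not ':'
        raise ValueError("not a ClamAV-VDB header: %r" % text[:32])
    return {
        "build_time_str": fields[1],
        "version": int(fields[2]),
        "signatures": int(fields[3]),
        "flevel": int(fields[4]),
        "md5": fields[5],
        "dsig": fields[6],
        "builder": fields[7],
        "build_epoch": int(fields[8]),
    }


def age_hours(header, now_epoch=None):
    """Hours since the database was built, from the header's epoch field."""
    now = time.time() if now_epoch is None else now_epoch
    return (now - header["build_epoch"]) / 3600.0


def check_header(header, max_age_hours=48.0, now_epoch=None):
    """Return (ok, one-line report); ok is False when the file is stale."""
    age = age_hours(header, now_epoch)
    ok = age <= max_age_hours
    report = "version %d, %d signatures, built %s, %.1f h old%s" % (
        header["version"], header["signatures"], header["build_time_str"],
        age, "" if ok else " [STALE]")
    return ok, report


def check_file(path, max_age_hours=48.0):
    """Read one .cvd/.cld file and report on it."""
    with open(path, "rb") as fh:
        header = parse_header(fh.read(HEADER_LEN))
    ok, report = check_header(header, max_age_hours)
    return ok, "%s: %s" % (path, report)


if __name__ == "__main__":
    # Usage on the intranet host (paths are assumptions):
    #   cvdage.py /var/lib/clamav/daily.cld
    # Exit status 1 if any file is stale, so cron or a monitor can act on it.
    if len(sys.argv) > 1:
        results = [check_file(p) for p in sys.argv[1:]]
    else:
        results = [check_header(parse_header(SAMPLE_HEADER),
                                now_epoch=1227713820 + 3600)]
    for ok, report in results:
        print(report)
    sys.exit(0 if all(ok for ok, _ in results) else 1)
```

Apply the age cutoff to daily only; main.cvd is released rarely, so for main.cld just compare the reported version with the one on the internet-facing host. Verifying that the copy is intact is a separate question: the header's md5 and digital signature cover the compressed .cvd, so a .cld that freshclam rebuilt locally cannot be checked against them by this script.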
Re: [Clamav-users] Announcing ClamAV 0.94.1 RC1
Tomasz Kojm wrote: On Thu, 16 Oct 2008 13:43:12 +0100 Randal, Phil [EMAIL PROTECTED] wrote: I haven't had the time to check the source code. How does it send it? What protocol and port, to which servers? Anything that firewall admins will need to be aware of? It sends information about a file name, malware name and time to stats.clamav.net using HTTP (POST) port 80. HTH, That is just one host. Does the connection die gracefully if that host is unavailable? dp
Re: [Clamav-users] Announcing ClamAV 0.94.1 RC1
Nigel Horne wrote: Folks, 0.94.1 RC1 was published on schedule yesterday. Built fine but installed with errors on Solaris 9. Solaris has obsoleted ranlib but has a stub file, /usr/ccs/bin/ranlib. Configure found it and of course it failed. I renamed it and clamav built and installed fine. Running diff on the new config files and old config files did not reveal any new options. dp
Re: [Clamav-users] Announcing ClamAV 0.94.1 RC1
Stephen Gran wrote: On Thu, Oct 16, 2008 at 03:51:32PM -0700, Dennis Peterson said: Running diff on the new config files and old config files did not reveal any new options. Freshclam has one new option, disabled by default - fairly harmless for upgrades, but useful for redistributors to note if they handle that sort of thing in maintainer scripts. I failed to indicate no new options turned on by default - those are the ones that seem to create problems for some folks. The new stats option actually requires a bit of effort to get going if one is logging to syslog. dp
Re: [Clamav-users] Stop it!
Bowie Bailey wrote: Jerry wrote: From my experience, if an end user refuses to RTFM, adding additional reading material is not going to solve the problem. The needed documentation is already readily available. The motivation to fetch and read it is what is sorely lacking. I disagree. I think this would be VERY useful. Not for the people who don't want to RTFM, but for the people who would rather not have to wade through the docs and changelog to figure out if there are config changes. Let me help prevent wading: diff new-config old-config There - now you know what changed, no wading. Happy to help with this very serious source of arduous effort. dp ... who has no doubt this is still too much work for some people who think of themselves as admins
Re: [Clamav-users] Stop it!
John Smith wrote: On 2008/10/7 Charles Gregory wrote: We only 'demand' the right to have our suggestions heard in their proper context, and not held up against the idealistic standards of the lucky few. I must say that for the disadvantaged, this has been a great debate. However, it has missed the basic premise. The Question and Issue is that ClamAV is failing without warning. So does Oracle, Apache, Python, Perl, MySQL, and a zillion other products. Dead processes are widely accepted to not be chatty. Pardon my Dennis Miller moment here, but I'm going to go ahead and blame the admin if a critical process dies and they don't know about it. dp
Re: [Clamav-users] Stop it!
David F. Skoll wrote: Dennis Peterson wrote: So does Oracle, Apache, Python, Perl, MySQL, and a zillion other products. Dead processes are widely accepted to not be chatty. Pardon my Dennis Miller moment here, but I'm going to go ahead and blame the admin if a critical process dies and they don't know about it. You are (as usual) utterly missing the point. The ClamAV developers have asked to make a policy change that makes upgrading easier. And you've missed the point that some people here have claimed that their clamd process has silently failed and was off line for days, and other such claims. No amount of hand holding for creating config files is going to make that problem better. That requires an interested admin. They politely asked to have a bug report opened. They seem willing to make the change. It's little effort for them, will make many users happier, and will have absolutely no effect on you. And I've offered earlier an excellent example of a product that goes down that path to help create a new config or to integrate an existing config file with a newer release. Nothing wrong with that - it's a great idea. But in the absence of that, to complain that one's processes have died and mail was tempfailed because of it and that it is the vendor's problem to fix is a freaking stretch. Yet you, as a non-ClamAV-developer, are ranting about sysadmin incompetence and completely ignoring the real issue. The change DOES NOT AFFECT YOU in the slightest. So what the HECK is your problem? I have no problem, David - I simply offered a means to help empower the interested admin to avoid wading through the docs to see what has changed. I snarkily noted it would probably be too much work for some and damn if the next post didn't validate that. The gentleman truly believes it is necessary to install ClamAV in order to preview the config files. Where do ideas like that spring from? 
Here's my concern - I'm sharing port 25 with a lot of these people's systems as we all are, and so there is a need and I think expectation that people who have systems that connect to other's systems have a responsibility to keep their systems running properly even when a vendor is not helpful. If they are lax in such a simple thing as configuring this product what other shortcomings do their systems have? I don't run AV tools because I have a problem - I run them because others have a problem. If everyone knew what they were doing and did a good job there'd be no need for any of this. That is an impossible expectation as evidenced by comments in this thread. dp
Re: [Clamav-users] Stop it!
John Smith wrote: Dennis Peterson wrote: And you've missed the point that some people here have claimed that their clamd process has silently failed and was off line for days, and other such claims. No amount of hand holding for creating config files is going to make that problem better. That requires an interested admin. Maybe this will shine a different light on the issue. I personally have ClamAV running as both a service on my firewall and as a desktop application (ClamWinAV). For my desktop, I have watched the update logs and seen issues. My firewall is IPCOP and it has ClamAV as part of the system. It updates and does not display errors through an automated process. I admit that I am still learning to control this beast, but having it fail with no notification is scary (at best) and dangerous (at worst). As I've pointed out many processes die quietly. ClamAV is not unique in any way in this regard. My response to that for the last 30 years is to write or implement existing tools that monitor critical processes and notify if there are failures. Those same monitors attempt to restart the process and oft times this is successful. In any event, in my business I am finally responsible for the safety of my customers and that is something I take very seriously - even on weekends. With the tools we have available to us today there is no reason a failed process should remain a secret. dp
Re: [Clamav-users] Stop it!
John Rudd wrote: Dennis Peterson wrote: With the tools we have available to us today there is no reason a failed process should remain a secret. Which does not explain the push-back on having the applications/services/daemons provide better documentation and triggers for helping that effort, instead of immediately attacking the OP as though they're an inadequate sysadmin for having requested that higher level of participation from the application/service/daemon authors. For my part I'm only kvetching about admins who become helpless when these services are not included in the box. dp
Re: [Clamav-users] [0.0] Re: Handling of unknown configuration lines (was Re: Stop it!)
Charles Gregory wrote: On Sat, 4 Oct 2008, Eric Rostetter wrote: The principle of least surprise says But it is a big surprise when the action that old line was supposed to take is no longer taken... But NOT as big a surprise as NO FILTERING AT ALL. That's the sticking point here. Unless we are all expected to tempfail mail when ClamAV aborts, and then deal with irate users who have been waiting all weekend to get their critical mail, then ClamAV should NOT abort unless it very literally cannot figure out what to do. And honestly, is it really that hard to have it interpret the *old* config items for a release or two? ClamAV can fail for a number of reasons having nothing to do with configuration changes. What is your default policy for mail processing in the event of a ClamAV failure (Tempfail or at-risk delivery)? What have you put in place for notification and recovery in the event of a ClamAV failure? If this is done right you should have no problems recovering from config file changes. dp
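An added example of the "monitor, notify, restart" approach argued for in the two replies above (the one about tools that watch critical processes and the one asking what you have in place for notification and recovery); it is not code from the thread or from the ClamAV project. clamd answers the PING command with PONG on its LocalSocket or TCP socket, so a monitor does not need to guess from the process table whether the daemon is usable. The socket path, the restart command and the notify command are assumptions to adapt; the self-test uses a throwaway TCP listener that answers PING the way clamd does, then closes it to exercise the failure path without touching a real clamd.

```python
#!/usr/bin/env python3
"""Minimal clamd liveness probe with notify-and-restart hooks.

Added example, not from the list thread or the ClamAV project. A daemon
that is alive but wedged should look the same to a monitor as a dead one,
so the probe speaks the protocol instead of checking for a PID.
"""
import socket
import subprocess
import threading
import time

# clamd(8) documents NUL-terminated "zCOMMAND\0" commands; for 0.94 and
# older use b"PING\n" instead. The reply is PONG either way.
PING_CMD = b"zPING\0"
PING_TIMEOUT = 5.0


def clamd_ping(address, timeout=PING_TIMEOUT, command=PING_CMD):
    """True if clamd answers PING with PONG at address (path or (host, port))."""
    family = socket.AF_UNIX if isinstance(address, str) else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(address)
            s.sendall(command)
            reply = s.recv(64)
    except OSError:            # refused, timed out, missing socket file ...
        return False
    return reply.strip(b"\0\r\n") == b"PONG"


def watchdog_once(address, restart_cmd=None, notify_cmd=None, run=subprocess.call):
    """One pass: probe, and on failure restart, re-probe and notify.

    Returns "ok", "restarted" or "down". notify_cmd gets the message appended
    as its last argument (logger(1) style). 'run' is injectable for testing.
    """
    if clamd_ping(address):
        return "ok"
    if restart_cmd:
        run(restart_cmd)
        time.sleep(0.2)        # settle time; tune for a real database load
        if clamd_ping(address):
            if notify_cmd:
                run(notify_cmd + ["clamd was down and has been restarted"])
            return "restarted"
    if notify_cmd:
        run(notify_cmd + ["clamd is down and could not be restarted"])
    return "down"


class _FakeClamd(threading.Thread):
    """Throwaway TCP listener that answers PING like clamd (self-test aid)."""

    def __init__(self):
        super().__init__(daemon=True)
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.srv.bind(("127.0.0.1", 0))
        self.srv.listen(1)
        self.address = self.srv.getsockname()

    def run(self):
        while True:
            try:
                conn, _ = self.srv.accept()
            except OSError:
                return
            with conn:
                if b"PING" in conn.recv(64):
                    conn.sendall(b"PONG\0")

    def stop(self):
        try:
            self.srv.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        self.srv.close()


def selftest():
    """Exercise the up and down paths; returns (up_status, down_status, ran)."""
    ran = []
    record = lambda cmd: ran.append(cmd) or 0
    fake = _FakeClamd()
    fake.start()
    up = watchdog_once(fake.address, ["restart"], ["notify"], run=record)
    fake.stop()                                    # nothing listens there now
    down = watchdog_once(fake.address, ["restart"], ["notify"], run=record)
    return up, down, ran


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # e.g. clamd_watchdog.py /var/run/clamav/clamd.sock (assumed path);
        # run it from cron every few minutes and let syslog route local6.crit.
        print(watchdog_once(sys.argv[1],
                            restart_cmd=["/etc/init.d/clamd", "restart"],
                            notify_cmd=["logger", "-p", "local6.crit",
                                        "-t", "clamd-watchdog"]))
    else:
        print(selftest())
```

The probe is deliberately strict: anything other than a PONG within the timeout counts as down, which is what you want when the alternative is mail being tempfailed or delivered unscanned all weekend. Pair it with a deliberate decision in the milter or MTA about which of those two happens while clamd is down; the watchdog only shortens that window.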
Re: [Clamav-users] Stop it!
Charles Gregory wrote: On Sat, 4 Oct 2008, Dennis Peterson wrote: Hopefully they're not running mail servers on the Internet elsewise they could easily be considered derelict in their responsibilities. Ah. Yes, I must be 'derelict' because there is only ONE sysadmin (me) and I go home on weekends? I'm only one Sysadmin and I go home weekends, too. That does not mean the systems are unattended. Unmonitored failures that are potentially harmful are not acceptable and if the systems cannot recover by reasonable self-help scripting then I will be notified and will correct the problem. It's part of the job. I know it's part of the job because I own the business and I have customers to protect. dp
Re: [Clamav-users] Stop it!
Colin Alston wrote: On 2008/10/04 12:50 PM Jerry wrote: From my experience, if an end user refuses to RTFM, adding additional reading material is not going to solve the problem. The needed documentation is already readily available. The motivation to fetch and read it is what is sorely lacking. You're confusing RTFM with Being required to RTFM all over again with every single new release just to get the daemon to run all over again. I'm not all that interested if you have time for that. I don't, and neither do most end users regardless of your opinion about their intellect or ability. Hopefully they're not running mail servers on the Internet elsewise they could easily be considered derelict in their responsibilities. If they do run mail servers on the Internet I'd be interested in some domain names for my filters. dp
Re: [Clamav-users] Handling of unknown configuration lines (was Re: Stop it!)
Eric Rostetter wrote: Quoting Aecio F. Neto [EMAIL PROTECTED]: I don't agree with that, but let me put another option: 1) Break on unknown options 2) Ignore obsolete options and warn OP Valid in many cases... If any Op (or poor user) adds an option like PleaseClamAVCleanInfectedFilesForMe yes and expects it to work, are you really sure that the software should not ignore this? Yes. What happens if he means to type ScanRAR but makes a typo and enters ScnaRAR. If it ignores the entry, then the RAR isn't scanned according to their wishes/desires. That is, the software acts in a way that isn't expected. I see no difference from my example to yours, because one should understand at minimum which options are available before adding one he *thinks* exists. What about a simple typo? Jose-Marcio's elegant J-Chkmail milter has a beautiful option. It will create a new config file using to the extent possible all your existing options. (That same tool can generate a clean config file that has all defaults filled in, too.) If earlier options have changed or have been disabled the tool will flag them with comments and place them at the top of the config file where they are clear and obvious. It is still very important to pause in the installation to read and understand new options and to determine if the defaults are appropriate for your environment. It is the responsibility of each installer to fulfill a few simple tasks that are required for an implementation to work correctly. People who claim to not have time really need to defer to others that do. dp
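An added example that does for clamd.conf what the reply above describes J-Chkmail doing: it is neither the J-Chkmail tool nor anything from the ClamAV project. Given the config you are running and the sample config shipped with the new release, it carries your settings into the new file, lists at the top every option the new release no longer documents (so a typo like ScnaRAR or a discontinued option like ArchiveMaxFileSize is visible instead of silently ignored), drops the Example line that makes clamd refuse to start, and reports documented options you have never set so you can pause and read about them. It assumes the shipped sample's convention that defaults are written as "#Option value" with no space after the hash and prose comments as "# ..."; the two config texts below are constructed, trimmed samples.

```python
#!/usr/bin/env python3
"""Carry an existing clamd.conf into a new release's sample config.

Added example, not the J-Chkmail tool and not from the ClamAV project.
Option names are CamelCase and values are whatever follows the name, which
is how ClamAV's own config files are laid out. Options the new sample does
not mention are flagged at the top rather than dropped.
"""
import re
import sys

# "Name value", or the sample's "#Name default" template form (no space
# after '#'). Prose comments ("# text", "## text") do not match.
OPTION_RE = re.compile(
    r"^(?P<commented>#)?(?P<name>[A-Z][A-Za-z0-9]*)(?:\s+(?P<value>.*\S))?\s*$")

# Constructed: the config an admin carried over from an older release.
OLD_CONF = """\
# clamd.conf carried over from the previous release
LogFile /var/log/clamd.log
LogSyslog yes
LocalSocket /var/run/clamav/clamd.sock
ArchiveMaxFileSize 10M
ArchiveBlockMax yes
ExcludePath ^/proc/
ExcludePath ^/sys/
"""

# Constructed, trimmed stand-in for the sample clamd.conf of a new release.
NEW_SAMPLE = """\
##
## Example config file for clamd
##

# Comment or remove the line below.
Example

#LogFile /tmp/clamd.log
#LogSyslog yes
#LocalSocket /tmp/clamd.socket
#LocalSocketMode 660
#ExcludePath ^/proc/
#MaxScanSize 100M
#MaxFileSize 25M
"""


def parse_config(text):
    """Return {option: [values]} for active (uncommented) lines, in order."""
    opts = {}
    for line in text.splitlines():
        m = OPTION_RE.match(line.strip())
        if m and not m.group("commented"):
            opts.setdefault(m.group("name"), []).append(m.group("value") or "")
    return opts


def known_options(sample_text):
    """Every option the sample documents, active or in '#Name default' form."""
    names = set()
    for line in sample_text.splitlines():
        m = OPTION_RE.match(line.strip())
        if m:
            names.add(m.group("name"))
    return names


def merge(old_text, sample_text):
    """Return (merged_text, obsolete {name: [values]}, documented-but-unset names)."""
    old = parse_config(old_text)
    known = known_options(sample_text)
    obsolete = {k: v for k, v in old.items() if k not in known}
    out = []
    if obsolete:
        out.append("# === Options from the old config this release does not document ===")
        for name in sorted(obsolete):
            for value in obsolete[name]:
                out.append(("# OBSOLETE: %s %s" % (name, value)).rstrip())
        out.append("")
    carried, unset = set(), set()
    for line in sample_text.splitlines():
        m = OPTION_RE.match(line.strip())
        if m and m.group("name") == "Example" and not m.group("commented"):
            continue        # leaving 'Example' in makes clamd refuse to start
        if m and m.group("name") in old:
            if m.group("name") not in carried:   # emit all values once, in place
                for value in old[m.group("name")]:
                    out.append(("%s %s" % (m.group("name"), value)).rstrip())
                carried.add(m.group("name"))
            continue
        if m and m.group("commented"):
            unset.add(m.group("name"))
        out.append(line)
    return "\n".join(out) + "\n", obsolete, sorted(unset)


if __name__ == "__main__":
    # Usage (paths are assumptions): clamconf_merge.py /etc/clamd.conf \
    #     /usr/local/etc/clamd.conf.sample > /etc/clamd.conf.new
    if len(sys.argv) == 3:
        old_text = open(sys.argv[1], encoding="utf-8").read()
        sample_text = open(sys.argv[2], encoding="utf-8").read()
    else:
        old_text, sample_text = OLD_CONF, NEW_SAMPLE
    merged, obsolete, unset = merge(old_text, sample_text)
    sys.stdout.write(merged)
    sys.stderr.write("obsolete: %s\nnot set (review defaults): %s\n"
                     % (", ".join(sorted(obsolete)) or "none", ", ".join(unset)))
```

Read the OBSOLETE block before installing the result: it is the one place where a renamed option (ArchiveMaxFileSize becoming MaxFileSize, say) needs a human to carry the intent across, which is exactly the pause the reply above asks for.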
Re: [Clamav-users] Stop it!
Tonix (Antonio Nati) wrote: Strange... A boring thread whose subject is stop it, does not stop! Tonino Thanks for playing! dp
Re: [Clamav-users] Stop it!
Aecio F. Neto wrote: On Sat, Oct 4, 2008 at 5:15 PM, Bernd Petrovitsch [EMAIL PROTECTED] wrote: users could take the appropriate action ASAP instead of finding out or having to check the logs on an hourly basis for problems. You're (by you I mean everyone agreeing here with how ClamAV fails) assuming users install packages. That's old fashioned. Most people distribute updates with Puppet and such tools automatically. With a largely complex system (which a good mail system And it was *their* decision to do so. And it was *their* decision to actually use the free as in beer ClamAV in the first place. Perhaps these people should move to a commercial virus-scanner where such problems probably do not happen. That's one kind of argument I cannot stand for. Because one decides to use free-as-in-free-beer software one must suffer due to this decision. This seems a bit dramatic. Nobody is suffering. It takes but 10 minutes 3 or 4 times each year to visit and modify the ClamAV config files, if at all. Somebody's inner drama queen is getting the best of them here. dp
Re: [Clamav-users] Stop it!
David F. Skoll wrote: Dennis Peterson wrote: This seems a bit dramatic. Nobody is suffering. It takes but 10 minutes 3 or 4 times each year to visit and modify the ClamAV config files, if at all. Somebody's inner drama queen is getting the best of them here. If you are managing one machine or a few identically-configured machines, that's true. If you are managing 500+ customer machines, each of which may have had local modifications, Clam's policy is *really* annoying. I don't understand the resistance to a proposal that will make ClamAV much better software, with very little developer effort and no impact on users who don't care about the change. Annoying is not the same as suffering. Oracle is annoying - perl is insufferable. Java is even worse. And 500 machines that are different enough to affect ClamAV configurations probably have other more serious configuration problems. You need to classify those machines and knock off some class-based templates and be done with it. I don't see that as a vendor problem. dp
Re: [Clamav-users] Stop it!
Colin Alston wrote: On 2008/10/04 10:55 PM Dennis Peterson wrote: configuration problems. You need to classify those machines and knock off some class-based templates and be done with it. I don't see that as a vendor problem. Of course it's a vendor problem! :) You even just said why. We'd have to keep continuously adjusting those class-based templates. It's a matter of trends too. If people don't care about the effects of their changes then there's a deep problem. If you don't feel like you're getting your money's worth then the thing to do is spend it somewhere else. Vote with your pocket book. That of course begs the question: Are you getting your money's worth? dp
Re: [Clamav-users] Stop it!
Colin Alston wrote: On 2008/10/03 05:57 PM James Kosin wrote: Colin Alston wrote: I've had enough now, and I want all you ClamAV people to listen up. Hey, maybe the packagers could write a script or something to indicate a problem with the current configuration when it is being installed. Then users could take the appropriate action ASAP instead of finding out or having to check the logs on an hourly basis for problems. You're (by you I mean everyone agreeing here with how ClamAV fails) assuming users install packages. That's old fashioned. Most people distribute updates with Puppet and such tools automatically. I've never heard of puppet but suspect this conversation is Linux/BSD centric. I install from source, I read the change log, and I compare the config files. When I have a golden installation it is turned over to Cfengine for distribution. I never have the OP's problems. dp
Re: [Clamav-users] Lame mirror at [67.15.61.160]
Paul Griffith wrote: On Thu, 25 Sep 2008 16:39:30 -0400, Michael Deutschmann [EMAIL PROTECTED] wrote: Lately I've noticed that freshclam is always running slowly for me. The problem appears to be that it is always first trying to use a mirror at [67.15.61.160], and there seems to be a blackhole between myself (at a static IP of [208.181.210.223]) and that mirror. Freshclam always pauses for a while and then reports a timeout. (Afterwards it moves on to a working mirror, so I do get my updates eventually.) I'm in Canada and have set freshclam.conf appropriately, so this problem mirror is under the db.ca.clamav.net name. Could someone look into this? Is anyone else getting actual service from that IP? Michael Deutschmann [EMAIL PROTECTED] ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml I have nothing but problems with (67.15.61.160). Same here - it's never worked, in fact:

$ grep 67.15.61.160 /var/log/clamd.log*
/var/log/clamd.log:Sep 29 03:43:51 rainier freshclam[22471]: [ID 702911 local6.info] Can't connect to port 80 of host db.ca.clamav.net (IP: 67.15.61.160)
/var/log/clamd.log.0:Sep 21 07:43:03 rainier freshclam[27336]: [ID 702911 local6.info] Can't connect to port 80 of host db.ca.clamav.net (IP: 67.15.61.160)
/var/log/clamd.log.0:Sep 21 09:41:40 rainier freshclam[1118]: [ID 702911 local6.info] Can't connect to port 80 of host db.ca.clamav.net (IP: 67.15.61.160)
/var/log/clamd.log.0:Sep 21 15:35:15 rainier freshclam[12584]: [ID 702911 local6.info] Can't connect to port 80 of host db.ca.clamav.net (IP: 67.15.61.160)
/var/log/clamd.log.0:Sep 21 21:31:02 rainier freshclam[24090]: [ID 702911 local6.info] Can't connect to port 80 of host db.ca.clamav.net (IP: 67.15.61.160)
/var/log/clamd.log.0:Sep 22 07:43:07 rainier freshclam[12803]: [ID 702911 local6.info] Can't connect to port 80 of host db.ca.clamav.net (IP: 67.15.61.160)
/var/log/clamd.log.0:Sep 24 01:39:07 rainier freshclam[10336]: [ID 702911 local6.info] Can't connect to port 80 of host db.ca.clamav.net (IP: 67.15.61.160)
/var/log/clamd.log.0:Sep 25 03:33:25 rainier freshclam[1245]: [ID 702911 local6.info] Can't connect to port 80 of host db.ca.clamav.net (IP: 67.15.61.160)
/var/log/clamd.log.0:Sep 25 07:33:01 rainier freshclam[8444]: [ID 702911 local6.info] Can't connect to port 80 of host db.ca.clamav.net (IP: 67.15.61.160)
/var/log/clamd.log.0:Sep 25 13:31:53 rainier freshclam[21344]: [ID 702911 local6.info] Can't connect to port 80 of host db.ca.clamav.net (IP: 67.15.61.160)
/var/log/clamd.log.0:Sep 27 01:33:49 rainier freshclam[13752]: [ID 702911 local6.info] Can't connect to port 80 of host db.ca.clamav.net (IP: 67.15.61.160)
/var/log/clamd.log.1:Sep 14 13:38:11 rainier freshclam[16270]: [ID 702911 local6.info] Can't connect to port 80 of host db.ca.clamav.net (IP: 67.15.61.160)
/var/log/clamd.log.1:Sep 14 15:45:18 rainier freshclam[20331]: [ID 702911 local6.info] Can't connect to port 80 of host db.ca.clamav.net (IP: 67.15.61.160)
/var/log/clamd.log.1:Sep 14 21:45:09 rainier freshclam[1372]: [ID 702911 local6.info] Can't connect to port 80 of host db.ca.clamav.net (IP: 67.15.61.160)
/var/log/clamd.log.1:Sep 15 13:31:06 rainier freshclam[1707]: [ID 702911 local6.info] Can't connect to port 80 of host db.ca.clamav.net (IP: 67.15.61.160)
/var/log/clamd.log.1:Sep 15 17:33:37 rainier freshclam[10034]: [ID 702911 local6.info] Can't connect to port 80 of host db.ca.clamav.net (IP: 67.15.61.160)
/var/log/clamd.log.1:Sep 16 03:43:46 rainier freshclam[28958]: [ID 702911 local6.info] Can't connect to port 80 of host db.ca.clamav.net (IP: 67.15.61.160)
/var/log/clamd.log.1:Sep 16 07:42:04 rainier freshclam[6699]: [ID 702911 local6.info] Can't connect to port 80 of host db.ca.clamav.net (IP: 67.15.61.160)
/var/log/clamd.log.1:Sep 16 17:41:32 rainier freshclam[27104]: [ID 702911 local6.info] Can't connect to port 80 of host db.ca.clamav.net (IP: 67.15.61.160)
/var/log/clamd.log.1:Sep 17 17:36:50 rainier freshclam[13920]: [ID 702911 local6.info] Can't connect to port 80 of host db.ca.clamav.net (IP: 67.15.61.160)
/var/log/clamd.log.1:Sep 18 05:31:13 rainier freshclam[5750]: [ID 702911 local6.info] Can't connect to port 80 of host db.ca.clamav.net (IP: 67.15.61.160)
/var/log/clamd.log.1:Sep 18 07:39:16 rainier freshclam[9576]: [ID 702911 local6.info] Can't connect to port 80 of host db.ca.clamav.net (IP: 67.15.61.160)
/var/log/clamd.log.1:Sep 18 11:42:04 rainier freshclam[17976]: [ID 702911 local6.info] Can't connect to port 80 of host db.ca.clamav.net (IP: 67.15.61.160)
/var/log/clamd.log.1:Sep 18 15:40:21 rainier freshclam[26339]: [ID 702911 local6.info] Can't connect to port 80 of host db.ca.clamav.net (IP: 67.15.61.160)
/var/log/clamd.log.1:Sep 18 19:38:04 rainier freshclam[4067]: [ID 702911 local6.info] Can't connect to port 80 of host db.ca.clamav.net (IP:
Re: [Clamav-users] Updating OS X Server version of clamav
Rob Lewis wrote: Is there an explanation anywhere of how to update the version that's included with OS X Server (Tiger)? In my case I downloaded the source, ran configure, make, and make install. Naturally it's necessary to uninstall any existing versions. The above instructions install clamav in /usr/local but that is configurable. It took about 10 minutes total time. I already have the requisite support libraries installed (gmp, for example). dp
Re: [Clamav-users] Virus not detected on Linux/MacOSX
fchan wrote: I read your links and I understand possible DoS and other issues but to repeat Alexandre's idea, why is there no error message for files that are too large to notify the admin so they can adjust clamd.conf or take other action. Right now this infected file passes through as if it were not infected, which would be dangerous under certain conditions. IMHO this file shouldn't pass through clamav without any error message. Frank What would the error message say? There was no error in my view. The file was larger than what the OP was willing to test so it was not tested (if I understand it correctly). As such it is accepted at risk. It is the OP's job to decide what else to do with files that are accepted at risk. That may require yet another milter or other process spawned by procmail, for example. dp
Re: [Clamav-users] Virus not detected on Linux/MacOSX
Alexandre Biancalana wrote: On 9/19/08, Dennis Peterson [EMAIL PROTECTED] wrote: fchan wrote: I read your links and I understand possible DoS and other issues but to repeat Alexandre's idea, why is there no error message for files that are too large to notify the admin so they can adjust clamd.conf or take other action. Right now this infected file passes through as if it were not infected, which would be dangerous under certain conditions. IMHO this file shouldn't pass through clamav without any error message. Frank What would the error message say? There was no error in my view. The file was larger than what the OP was willing to test so it was not tested (if I understand it correctly). As such it is accepted at risk. It is the OP's job to decide what else to do with files that are accepted at risk. That may require yet another milter or other process spawned by procmail, for example. Could not be an error message, just a warning, an informative message, saying that the file was not scanned and not that the file is clean In this case I'm using clamav on a file server to scan user files not emails... Doesn't matter - if you tell clamav to ignore certain files you are then obliged to use another method to test those files or ignore them. It would be rather trivial to write a script that finds large files and takes an action on them, but if you're going to scan them, then why prevent clamav from scanning them in the first place? dp
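Dennis's point is that a file clamd skips for size is accepted at risk, and that a second process has to find it. The script below is an added example, not code from this thread or from the ClamAV project: it reads MaxFileSize from a clamd.conf excerpt, walks a directory and reports every file the scanner would have skipped, so the silent "passed as clean" that fchan describes becomes an explicit report. It assumes the clamd.conf size syntax of plain bytes or a K/M suffix (25M, 100K) and that a value of 0 means no limit; the conf excerpt, the 4K limit and the two fixture files are constructed for the demonstration.

```python
"""Report files that clamd would skip because they exceed MaxFileSize."""
import os
import re
import tempfile

# clamd.conf size syntax assumed here: plain bytes or a K/M suffix (e.g. "25M").
_SIZE_RE = re.compile(r"^(\d+)([KkMm]?)$")
_MULT = {"": 1, "K": 1024, "k": 1024, "M": 1024 * 1024, "m": 1024 * 1024}


def parse_size(text):
    """Turn a clamd.conf size such as '25M' or '131072' into bytes."""
    m = _SIZE_RE.match(text.strip())
    if not m:
        raise ValueError("bad size: %r" % text)
    return int(m.group(1)) * _MULT[m.group(2)]


def max_file_size(conf_text, default="25M"):
    """Find MaxFileSize in clamd.conf text, falling back to the assumed default.

    A value of 0 is taken to mean 'no limit' (assumption) and reported as None.
    """
    limit = default
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "MaxFileSize":
            limit = parts[1]
    size = parse_size(limit)
    return None if size == 0 else size


def find_unscanned(root, limit):
    """Walk root; return (path, size) for files over limit, i.e. accepted at risk."""
    over = []
    if limit is None:
        return over
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # vanished or unreadable; the scanner would have failed on it too
            if size > limit:
                over.append((path, size))
    return sorted(over)


def demo():
    """Constructed fixture: a 4K limit with one file below it and one above it."""
    conf = "# constructed clamd.conf excerpt\nMaxScanSize 100M\nMaxFileSize 4K\n"
    limit = max_file_size(conf)
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "small.bin"), "wb") as f:
            f.write(b"A" * 1024)
        with open(os.path.join(root, "big.bin"), "wb") as f:
            f.write(b"B" * 8192)
        over = find_unscanned(root, limit)
        names = [os.path.basename(p) for p, _ in over]
        for path, size in over:
            print("%s: %d bytes > MaxFileSize %d: NOT SCANNED" % (path, size, limit))
    return limit, names


if __name__ == "__main__":
    demo()
```

Point it at the same tree you hand to clamscan or clamdscan and feed the output to whatever "other action" you choose (quarantine, a second scanner, or a ticket); the scanner's own OK lines will never tell you which files it skipped.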
Re: [Clamav-users] Weird Freshclam behaviour
Brandon Perry wrote: What do you make of this? With --enable-experimental: [EMAIL PROTECTED]:~/tmp/clamav-0.94/freshclam$ ./freshclam -V ClamAV 0.94-exp/8190/Mon Sep 8 08:45:44 2008 [EMAIL PROTECTED]:~/tmp/clamav-0.94/freshclam$ Without: [EMAIL PROTECTED]:~/tmp/clamav-0.94/freshclam$ ./freshclam -V ClamAV 0.94/8190/Mon Sep 8 08:45:44 2008 [EMAIL PROTECTED]:~/tmp/clamav-0.94/freshclam$ Is this intentional? The reason I ask is I usually compile with the --enable-experimental flag for the ClamAV Live CD, but now it complains that the engine is out of date if I do... Check the archives - this was addressed some days ago. There is no longer any experimental code and the error you see will be removed in 0.94.1. In the meantime you can recompile it with that flag removed as it now seems to do nothing but cause that alert to be generated. dp
Re: [Clamav-users] Can't search wiki
Ian Eiloart wrote: Hi, Why is it necessary to log in to the wiki in order to use the search function? http://wiki.clamav.net/Main/WebSearch?search=pua This works very well for me: Google.com pattern site:wiki.clamav.net/ dp
Re: [Clamav-users] Webinar Recording
Bill Maidment wrote: On Mon, 08 Sep 2008 12:53:48 +0100, Nigel Horne wrote Folks, Edwin's Webinar given last week on the topic of 0.94 is now available for download from https://sourcefire.webex.com/sourcefire/lsr.php?AT=pbSP=ECrID=12075182rKey=51C99713B66EECED So how do I play the .arf in Fedora 9 ? Use VMPlayer to run a Windows virtual machine in Fedora. dp
Re: [Clamav-users] Webinar Recording
Bill Maidment wrote: On Mon, 08 Sep 2008 17:39:16 -0700, Dennis Peterson wrote Bill Maidment wrote: On Mon, 08 Sep 2008 12:53:48 +0100, Nigel Horne wrote Folks, Edwin's Webinar given last week on the topic of 0.94 is now available for download from https://sourcefire.webex.com/sourcefire/lsr.php?AT=pbSP=ECrID=12075182rKey=51C99713B66EECED So how do I play the .arf in Fedora 9 ? Use VMPlayer to run a Windows virtual machine in Fedora. I'm not buying Windoze just to watch the webinar. Think again. It was humor. I think Windows-centric presentations are kinda sucky. I use a Mac so had no problems but would not have been able, so far as I know, to see it from the office where I have only Unix. dp
[Clamav-users] strcat(newname, .UNOFFICIAL);
This little tidbit has really screwed up a lot of reporting code for me. Thanks but no thanks, I'll be taking it out. You might want to make this a configure switch for your users who know the difference between official and not official signatures. dp
[Clamav-users] Abnormal end
What might have happened here:

clamdscan test
/test/.split/split.clam.arjaa: Input/Output error ERROR
...
$ clamscan test/.split
test/.split/split.clam-upack.exeaa: OK
test/.split/split.clam-upack.exeab: OK
test/.split/split.clam.ole.docaa: OK
test/.split/split.clam.ole.docab: OK
test/.split/split.clam.arjaa: Input/Output error
test/.split/split.clam.arjab: OK
test/.split/split.clam.cabaa: OK
test/.split/split.clam.cabab: OK
test/.split/split.clam.chmaa: OK
test/.split/split.clam.chmab: OK
test/.split/split.clam.exeaa: OK
test/.split/split.clam.exeab: OK
test/.split/split.clam.pdfaa: OK
test/.split/split.clam.pdfab: OK
test/.split/split.clam.pptaa: OK
test/.split/split.clam.pptab: OK
test/.split/split.clam.sisaa: OK
test/.split/split.clam.sisab: OK
test/.split/split.clam-mew.exeaa: OK
test/.split/split.clam-mew.exeab: OK
test/.split/split.clam.zipaa: OK
test/.split/split.clam.zipab: OK
test/.split/split.clam-petite.exeaa: OK
test/.split/split.clam-petite.exeab: OK
test/.split/split.clam.d64.zipaa: OK
test/.split/split.clam.d64.zipab: OK
test/.split/split.clam-wwpack.exeaa: OK
test/.split/split.clam-wwpack.exeab: OK
test/.split/split.clam-aspack.exeaa: OK
test/.split/split.clam-aspack.exeab: OK
test/.split/split.clam-fsg.exeaa: OK
test/.split/split.clam-fsg.exeab: OK
test/.split/split.clam.mailaa: OK
test/.split/split.clam.mailab: OK
test/.split/split.clam.exe.mbox.uuaa: OK
test/.split/split.clam.exe.mbox.uuab: OK
test/.split/split.clam.exe.mbox.base64aa: OK
test/.split/split.clam.exe.mbox.base64ab: OK
test/.split/split.clam.ea05.exeaa: OK
test/.split/split.clam.ea05.exeab: OK
LibClamAV Error: TNEF: Incorrect length field in tnef_attachment
LibClamAV Error: Error reading TNEF attachment
test/.split/split.clam.tnefaa: OK
test/.split/split.clam.tnefab: OK
test/.split/split.clam.exe.szddaa: OK
test/.split/split.clam.exe.szddab: OK
test/.split/split.clam.exe.binhexaa: OK
test/.split/split.clam.exe.binhexab: OK
test/.split/split.clam.ea06.exeaa: OK
test/.split/split.clam.ea06.exeab: OK
test/.split/split.clam-upx.exeaa: OK
test/.split/split.clam-upx.exeab: OK
test/.split/split.clam-nsis.exeaa: OK
test/.split/split.clam-nsis.exeab: OK
test/.split/split.clam-pespin.exeaa: OK
test/.split/split.clam-pespin.exeab: OK
test/.split/split.clam.exe.bz2aa: OK
test/.split/split.clam.exe.bz2ab: OK
test/.split/split.clam.exe.rtfaa: OK
test/.split/split.clam.exe.rtfab: OK
test/.split/split.clam-v2.raraa: OK
test/.split/split.clam-v2.rarab: OK
test/.split/split.clam.tar.gzaa: OK
test/.split/split.clam.tar.gzab: OK
test/.split/split.clam-v3.raraa: OK
test/.split/split.clam-v3.rarab: OK
test/.split/split.clam.impl.zipaa: OK
test/.split/split.clam.impl.zipab: OK

--- SCAN SUMMARY ---
Known viruses: 446156
Engine version: 0.94-exp
Scanned directories: 1
Scanned files: 66
Infected files: 0
Data scanned: 0.59 MB
Time: 21.529 sec (0 m 21 s)
Re: [Clamav-users] Abnormal end
Dennis Peterson wrote: What might have happened here: Should have added: Solaris 9, gcc 3.3.2. Also seeing the duplicate uniq_get in libclamav.map on one but not both sol 9 systems. dp
Re: [Clamav-users] No viruses detected since 1711GMT August 29, 2008?
fchan wrote: Hello, Maybe it is just my mail server, but I noticed that I haven't detected any virus infected email message since 1711 GMT August 29, 2008 Send yourself a test file. There are several in the ClamAV distribution. dp
Re: [Clamav-users] announcing ClamAV 0.94rc1
Charles Gregory wrote: On Wed, 20 Aug 2008, Spiro Harvey, Knossos Networks Ltd wrote: Bandwidth costs money. How big will the database have to grow before the ClamAV team starts to take notice? Fifty megabytes? A hundred? Americans don't understand this dilemma. To them traffic is free... Minor correction: RICH Americans (and Canadians) don't appreciate this dilemma. All the POOR people still using dial-up internet are the victims of ever-increasing software/download size. I am routinely helping our (community NFP internet) members clear out their mailboxes when some ignorant friend on high speed keeps sending 5-10MB worth of photos. :( I recently *stopped* advising our members to use AVG Free edition because the latest download had bloated to nearly 40MB. That's roughly SEVEN hours on a dial-up connection. I've started to recommend ClamWin, but that package is also slowly increasing in size. It's up to 21MB. Still, ClamAV has the most efficient updates I've seen (smile) It will be a bad day for all when poor people set the standards of quality and functionality for the rest of the world. It will happen only at the point of a gun. Get over it. Meanwhile, I believe you can pick and choose what you need from the cvs server, no? dp
Re: [Clamav-users] announcing ClamAV 0.94rc1
reiner otto wrote: It will be a bad day for all when poor people set the standards of quality and functionality for the rest of the world. It will happen only at the point of a gun. Get over it. Meanwhile, I believe you can pick and choose what you need from the cvs server, no? dp That is really arrogant, typically American style. I'm Danish. dp
Re: [Clamav-users] announcing ClamAV 0.94rc1
G.W. Haywood wrote: Hi there, On Tue, 19 Aug 2008 Brian Morrison wrote: On Mon, 18 Aug 2008 10:59:29 +0100 G.W. Haywood wrote: On Mon, 18 Aug 2008, Luca Gibelli wrote: ... release candidate for 0.94. I started to download it, but when I saw that it was going to be just under 20 megabytes I cancelled it. Well it's not *that* big! My point was that it's ten times as big as it should be Which begs the question: How big should it be, and why is that size better than the one it is? It's not like we're all downloading this thing several times a day. dp
Re: [Clamav-users] Sanesecurity: new database
Tomasz Kojm wrote: libclamav is right, the entry at the line 53 in rogue.hdb is incorrect (double colon before the virus name) Interesting that clamscan -d rogue.hdb didn't catch that, but the error also didn't cause clamd to die nor even fail to find viruses. dp
Re: [Clamav-users] Sanesecurity: new database
Tomasz Kojm wrote: On Mon, 18 Aug 2008 08:09:18 -0700 Dennis Peterson [EMAIL PROTECTED] wrote: Tomasz Kojm wrote: libclamav is right, the entry at the line 53 in rogue.hdb is incorrect (double colon before the virus name) Interesting that clamscan -d rogue.hdb didn't catch that, but the error also didn't cause clamd to die nor even fail to find viruses. As mentioned by the OP, only 0.94rc1 was able to detect this problem. The previous versions would load the entry but in the worst case scenario could crash while reporting this particular malware. Ok - I'm running 0.94rc1 on my dev system and it appears to be doing the right thing. dp
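The rogue.hdb defect Tomasz describes (an empty size field, which shows up as a double colon before the name) is cheap to catch before a third-party file is dropped into the database directory, and worth catching given that older engines loaded the entry and could crash on it. The checker below is an added example, not ClamAV's own loader and not part of the thread: it applies the MD5:Size:MalwareName layout of .hdb files line by line and reports the line number of anything malformed. The sample entries are constructed test data with deliberately broken third and fourth entries, not the real Sanesecurity signatures; treating "*" as a valid size is an assumption about newer engines, and trailing optional fields are left unchecked.

```python
"""Sanity-check a ClamAV .hdb (MD5 hash signature) file before loading it."""
import re

_HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def check_hdb_line(line):
    """Return a list of problems with one hdb entry (empty list means OK).

    The .hdb layout is MD5:Size:MalwareName; only those three fields are
    checked, so optional trailing fields of later formats pass through.
    """
    problems = []
    if line.startswith("#") or not line.strip():
        return problems  # comments and blank lines carry no signature
    fields = line.rstrip("\n").split(":")
    if len(fields) < 3:
        return ["expected MD5:Size:MalwareName, got %d field(s)" % len(fields)]
    md5, size, name = fields[0], fields[1], fields[2]
    if not _HEX32.match(md5):
        problems.append("hash is not 32 hex digits: %r" % md5)
    # "*" as a wildcard size is assumed acceptable for newer engines
    if not (size.isdigit() or size == "*"):
        problems.append("size field is not a number: %r" % size)
    if not name:
        problems.append("empty malware name")
    return problems


def check_hdb(text):
    """Check every line of an hdb file; return [(line_no, problem), ...]."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for problem in check_hdb_line(line):
            findings.append((no, problem))
    return findings


# Constructed sample: line 4 has the double-colon defect (empty size field),
# line 5 has a hash that is not hex. Hashes on lines 2-3 are MD5("") and MD5("a").
SAMPLE_HDB = """\
# constructed test data, not a real signature set
d41d8cd98f00b204e9800998ecf8427e:0:Test.Empty.File
0cc175b9c0f1b6a831c399e269772661:1:Test.Single.A
900150983cd24fb0d6963f7d28e17f72::Test.Bad.Entry
zz0150983cd24fb0d6963f7d28e17f72:3:Test.Bad.Hash
"""


if __name__ == "__main__":
    for no, problem in check_hdb(SAMPLE_HDB):
        print("line %d: %s" % (no, problem))
```

Run it over a freshly downloaded unofficial database and refuse to install the file if it returns any findings; clamscan -d on the file, as Dennis found, is not a substitute on pre-0.94 engines.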
Re: [Clamav-users] simplest replacement for ancient amavis-perl
Charles Gregory wrote: On Mon, 11 Aug 2008, rick pim wrote: prime advantages of greylisting -- the fact that it will never block 'real' mail -- turns out, um, not to be true. there are so many standards-noncompliant MTAs out there .. some of the offenders are high profile, fortune-500 companies. Could I just clarify this discussion? It started out with a specific comment about greylisting, which I am preparing to implement. So naturally it concerns me as to whether these remarks about 'big name' non-compliant MTAs still apply specifically to greylisting. I mean, I can't really imagine a 'big' (fortune 500?) company having an MTA that does not attempt to resend mail if it gets a 400 response from another MTA. I realize they break all sorts of other stuff. Non-compliant 'helo's and all that, but at least please tell me there isn't a 'big' company out there that is failing to handle 4xx codes properly (holding breath) There are some big names that play badly with greylisting. They play badly with greet-pause, too. A problem I've seen with greylisting is the round-robin MTA pool. Each is told in turn to come back later and if the pool is large it can take a long time to cycle through all of them. You have to be careful how you screen the addresses. dp
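The round-robin pool problem Dennis mentions is easiest to see with a small model. The code below is an added example, not part of the thread or of any greylisting package: a greylist keyed on the (client, sender, recipient) triplet, where the client is keyed either on its exact IP or on the /24 it sits in, driven by a constructed four-host sender pool that rotates hosts on every retry. Exact-IP keying makes the pool cycle through every host before a message gets in; /24 keying accepts on the first retry. The addresses, pool size, retry interval and minimum delay are assumptions chosen for the demonstration, and /24 keying only helps when the pool's hosts actually share that block.

```python
"""Greylisting model: exact-IP keying versus /24 keying against a round-robin MTA pool."""
import ipaddress


class Greylist:
    """Minimal greylist: first sight of a key gets a 4xx; a retry after min_delay passes.

    key_prefix=32 keys on the exact client IP; key_prefix=24 keys on the client's /24,
    so any host of a pool sharing that /24 can complete the retry.
    """

    def __init__(self, key_prefix=32, min_delay=300):
        self.key_prefix = key_prefix
        self.min_delay = min_delay
        self.seen = {}  # key -> time first seen

    def _key(self, client_ip, sender, rcpt):
        net = ipaddress.ip_network("%s/%d" % (client_ip, self.key_prefix), strict=False)
        return (str(net), sender.lower(), rcpt.lower())

    def decide(self, client_ip, sender, rcpt, now):
        """Return the SMTP reply for this attempt at time 'now' (seconds)."""
        key = self._key(client_ip, sender, rcpt)
        first = self.seen.get(key)
        if first is None:
            self.seen[key] = now
            return "451 4.7.1 Greylisted, please try again later"
        if now - first < self.min_delay:
            return "451 4.7.1 Greylisted, please try again later"
        return "250 2.1.5 OK"


POOL = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]  # constructed /24 pool


def attempts_until_accepted(greylist, pool, retry_interval=600, max_attempts=20):
    """Constructed sender: retries every retry_interval seconds, rotating through pool."""
    sender, rcpt = "news@example.org", "alice@example.net"
    for n in range(max_attempts):
        ip = pool[n % len(pool)]
        if greylist.decide(ip, sender, rcpt, now=n * retry_interval).startswith("250"):
            return n + 1
    return None  # never got through within max_attempts


def compare():
    """Attempts needed with exact-IP keying versus /24 keying."""
    exact = attempts_until_accepted(Greylist(key_prefix=32), POOL)
    by_net = attempts_until_accepted(Greylist(key_prefix=24), POOL)
    return exact, by_net


def one_shot_bot():
    """A bot that never retries only ever sees the 4xx."""
    return Greylist(key_prefix=24).decide("198.51.100.7", "x@bad.example", "alice@example.net", 0)


if __name__ == "__main__":
    exact, by_net = compare()
    print("exact-IP keying: accepted on attempt", exact)
    print("/24 keying:      accepted on attempt", by_net)
    print("one-shot bot:", one_shot_bot())
```

Widening the key is a trade-off: a /24 that mixes a legitimate pool with compromised hosts lets the latter ride on the former's retry, which is what "be careful how you screen the addresses" amounts to in practice.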
Re: [Clamav-users] Using ClamAV with Dspam - how do I verify it's working?
Jeff Weinberger wrote: Thanks Dennis - much appreciated!! I've looked at the log files and all they are recording is the virus-update-induced reloads. So I'm not sure what's happening. I assume ClamAV would only report anything at all (even to log files) if it was handed a message and found it to have a virus. If it had no virus, I assume ClamAV would deliver it as clean. The question is: if I were to look at the log file, what would/should I see there if: 1) ClamAV found something to be a virus? or 2) Clam AV processed a message that had no virus in it In my configuration I have clamd and freshclam logging to syslog using local6. This way all logging shows up in a common file. Here is a section of today's log and includes some FOUND viruses, attempts by freshclam to download new signatures, and a notification to clamd that it successfully downloaded signatures. The lines are long and will linewrap - all lines begin with Aug 10. I don't have LogClean enabled so only found signatures are reported.

Aug 10 04:51:29 rainier clamd[7572]: [ID 702911 local6.info] SelfCheck: Database status OK.
Aug 10 05:23:17 rainier last message repeated 1 time
Aug 10 05:43:17 rainier freshclam[21878]: [ID 702911 local6.info] ClamAV update process started at Sun Aug 10 05:43:17 2008
Aug 10 05:43:17 rainier freshclam[21878]: [ID 702911 local6.info] main.cvd is up to date (version: 47, sigs: 312304, f-level: 31, builder: sven)
Aug 10 05:43:39 rainier clamd[7572]: [ID 702911 local6.info] /var/spool/jchkmail/489EE272.000.: Email.Malware.Sanesecurity.08062502 FOUND
Aug 10 05:43:51 rainier freshclam[21878]: [ID 702911 local6.info] nonblock_connect: connect timing out (30 secs)
Aug 10 05:43:51 rainier freshclam[21878]: [ID 702911 local6.info] Can't connect to port 80 of host db.ca.clamav.net (IP: 67.15.61.160)
Aug 10 05:43:51 rainier freshclam[21878]: [ID 702911 local6.info] Trying host db.ca.clamav.net (208.70.244.158)...
Aug 10 05:43:51 rainier freshclam[21878]: [ID 702911 local6.info] Downloading daily-7999.cdiff [100%]
Aug 10 05:43:52 rainier freshclam[21878]: [ID 702911 local6.info] daily.cld updated (version: 7999, sigs: 82973, f-level: 33, builder: ccordes)
Aug 10 05:43:52 rainier freshclam[21878]: [ID 702911 local6.info] Database updated (395277 signatures) from db.ca.clamav.net (IP: 208.70.244.158)
Aug 10 05:43:52 rainier freshclam[21878]: [ID 702911 local6.info] Clamd successfully notified about the update.
Aug 10 06:22:15 rainier clamd[7572]: [ID 702911 local6.info] SelfCheck: Database modification detected. Forcing reload.
Aug 10 06:22:15 rainier clamd[7572]: [ID 702911 local6.info] Reading databases from /usr/local/share/clamav
Aug 10 06:22:42 rainier clamd[7572]: [ID 702911 local6.info] Database correctly reloaded (433857 signatures)
Aug 10 06:39:20 rainier clamd[7572]: [ID 702911 local6.info] /var/spool/jchkmail/489EEF7B.000.: Email.Hdr.Sanesecurity.08022900 FOUND
Aug 10 07:05:49 rainier clamd[7572]: [ID 702911 local6.info] SelfCheck: Database status OK.
Aug 10 07:34:42 rainier freshclam[25217]: [ID 702911 local6.info] ClamAV update process started at Sun Aug 10 07:34:42 2008
Aug 10 07:34:42 rainier freshclam[25217]: [ID 702911 local6.info] main.cvd is up to date (version: 47, sigs: 312304, f-level: 31, builder: sven)
Aug 10 07:34:42 rainier freshclam[25217]: [ID 702911 local6.info] daily.cld is up to date (version: 7999, sigs: 82973, f-level: 33, builder: ccordes)
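Reading these lines by eye answers Jeff's question for one day; over weeks (compare the grep for the unreachable db.ca.clamav.net mirror earlier on this page) a summary is more useful. The parser below is an added example, not part of ClamAV or of either post: it handles the Solaris syslog prefix shown above, collects FOUND detections, counts "Can't connect" failures per mirror IP, records "Database updated" and "Database correctly reloaded" signature counts, and raises an alert when a reload reports fewer signatures than expected, which is the "reloaded (0 signatures)" failure reported elsewhere in this thread. The sample lines are constructed in the same format as the excerpt above, not a real capture; the 100000-signature alert threshold is an assumption to be set from your own normal counts.

```python
"""Summarise ClamAV syslog output: detections, mirror failures, database reloads."""
import re
from collections import Counter

# Solaris syslog prefix as shown in the post: "Aug 10 05:43:39 host prog[pid]: [ID n fac.lvl] msg"
_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>clamd|freshclam)\[(?P<pid>\d+)\]: "
    r"(?:\[ID \d+ [\w.]+\] )?(?P<msg>.*)$"
)
_FOUND = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
_NOCONNECT = re.compile(r"Can't connect to port \d+ of host (?P<name>\S+) \(IP: (?P<ip>[\d.]+)\)")
_RELOAD = re.compile(r"Database correctly reloaded \((?P<n>\d+) signatures\)")
_UPDATED = re.compile(
    r"Database updated \((?P<n>\d+) signatures\) from (?P<name>\S+) \(IP: (?P<ip>[\d.]+)\)"
)


def summarise(lines, min_signatures=100000):
    """Return what an admin wants from these lines; min_signatures is an assumed floor."""
    found, mirror_fail, reloads, updates, alerts = [], Counter(), [], [], []
    for raw in lines:
        m = _LINE.match(raw.strip())
        if not m:
            continue  # other syslog traffic, or "last message repeated" lines
        ts, msg = m.group("ts"), m.group("msg")
        f = _FOUND.match(msg)
        if f:
            found.append((ts, f.group("path"), f.group("sig")))
            continue
        n = _NOCONNECT.search(msg)
        if n:
            mirror_fail[n.group("ip")] += 1
            continue
        r = _RELOAD.search(msg)
        if r:
            count = int(r.group("n"))
            reloads.append((ts, count))
            if count < min_signatures:  # e.g. "(0 signatures)": clamd is scanning blind
                alerts.append("%s: clamd reloaded only %d signatures" % (ts, count))
            continue
        u = _UPDATED.search(msg)
        if u:
            updates.append((ts, int(u.group("n")), u.group("ip")))
    return {"found": found, "mirror_fail": mirror_fail, "reloads": reloads,
            "updates": updates, "alerts": alerts}


# Constructed sample in the format of the post's excerpt (not a real capture).
SAMPLE = """\
Aug 10 04:51:29 rainier clamd[7572]: [ID 702911 local6.info] SelfCheck: Database status OK.
Aug 10 05:43:39 rainier clamd[7572]: [ID 702911 local6.info] /var/spool/jchkmail/489EE272.000.: Email.Malware.Sanesecurity.08062502 FOUND
Aug 10 05:43:51 rainier freshclam[21878]: [ID 702911 local6.info] Can't connect to port 80 of host db.ca.clamav.net (IP: 67.15.61.160)
Aug 10 05:43:52 rainier freshclam[21878]: [ID 702911 local6.info] Database updated (395277 signatures) from db.ca.clamav.net (IP: 208.70.244.158)
Aug 10 06:22:42 rainier clamd[7572]: [ID 702911 local6.info] Database correctly reloaded (433857 signatures)
Aug 11 05:43:51 rainier freshclam[3011]: [ID 702911 local6.info] Can't connect to port 80 of host db.ca.clamav.net (IP: 67.15.61.160)
Aug 11 06:20:01 rainier clamd[7572]: [ID 702911 local6.info] Database correctly reloaded (0 signatures)
""".splitlines()


if __name__ == "__main__":
    s = summarise(SAMPLE)
    for ts, path, sig in s["found"]:
        print("FOUND   %s %s %s" % (ts, sig, path))
    for ip, n in s["mirror_fail"].most_common():
        print("MIRROR  %s failed %d time(s)" % (ip, n))
    for ts, n in s["reloads"]:
        print("RELOAD  %s %d signatures" % (ts, n))
    for a in s["alerts"]:
        print("ALERT   " + a)
```

Clean messages will not appear at all unless LogClean is on, so "nothing in the log" is the expected state for a mail server that is only seeing clean mail; the reload and update lines are the evidence that the daemon is alive and current.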
Re: [Clamav-users] simplest replacement for ancient amavis-perl
G.W. Haywood wrote: On the point about accepting and then rejecting, no, you misunderstand the SMTP conversation. It is perfectly possible to read an entire mail message and yet still reject it. Presuming you mean the message is read up to the final cr.cr, this is true. It is the last decision point for accepting or rejecting the message. That is the point at which delivery responsibility changes from the sending MTA to the recipient MTA. It is also possible the sending system will send the final cr.cr and drop the connection before receiving the status - spammers have no use for the status. But it's worth knowing what happens with the message and your MTA when the connection is dropped at that instant. Beyond that, some MTAs will accept responsibility for message handling and then later discover it is not deliverable. They then send an NDR to the From: address which can be any random string that looks like an email address. Often it is a real address with an active mail box and so that is where the NDR goes. This is allowed by the RFCs but is incredibly stupid to allow. The problem is often a matter of the secondary not having a current (or any) list of valid users. This even happens when the primary is not privy to the valid user base but simply throws incoming mail to an Exchange server inside the firewall. It can also happen when multiple MX servers for a domain have dissimilar filtering, for example. The secondary with weaker filtering accepts the message and delivers it to the primary which rejects it. The secondary still has the delivery responsibility and is compelled to send an NDR to the original sender so somebody's granny gets spammed. Back to the original discussion - nothing I've read has convinced me that using 5xx codes is anything but a good idea, and it allows me to focus on problems in my own part of the net and more importantly to ignore problems others are having because they are too altruistic, or too misconfigured.
dp
Re: [Clamav-users] simplest replacement for ancient amavis-perl
David F. Skoll wrote: [EMAIL PROTECTED] wrote: [...] What backscatter? If done at SMTP the only person that should be notified is the sender. I see. And it's impossible for a virus to forge MAIL FROM:, is it? That is the concern of the connecting system - they will suffer any consequences of accepting the responsibility of forwarding bad mail and I really don't care if that happens. dp
Re: [Clamav-users] simplest replacement for ancient amavis-perl
David F. Skoll wrote: [EMAIL PROTECTED] wrote: No need to be condescending about it. I have no problem taking it off list and explaining how you are mistaken. OK, look. I guess I need to spell it out for you. End-user PC has virus. Virus does this:

telnet isps-smtp-server 25
HELO bogus
MAIL FROM:[EMAIL PROTECTED]
RCPT TO:[EMAIL PROTECTED]
DATA
.

Then ISP's mail server does this:

telnet victims-smtp-server 25
HELO isps-smtp-server
MAIL FROM:[EMAIL PROTECTED]
RCPT TO:[EMAIL PROTECTED]
DATA
.

If victim's SMTP server fails the DATA with a 5xx code, then backscatter goes to [EMAIL PROTECTED] Understand now? Sounds like the isps-smtp-server operator has a problem of accepting responsibility to forward mail that may be undeliverable. dp
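The two hops David spells out, and the accept-then-NDR behaviour Dennis describes earlier in the thread, can be modelled directly. The code below is an added example, not from the thread or from any MTA: two toy servers named after the post's isps-smtp-server and victims-smtp-server, each with an end-of-DATA policy for infected mail (reject with 5xx, accept, or accept-and-discard), and a relay step that generates an NDR to MAIL FROM when the next hop answers 5xx. With the ISP accepting blindly and the victim rejecting, the bounce lands on the forged MAIL FROM; with the ISP rejecting at its own DATA, nothing is ever queued and no NDR exists, which is the position the reply above takes. The addresses, reply texts and the "infected" flag standing in for a scanner verdict are constructed.

```python
"""Toy model of the two-hop relay in the post: where a 5xx turns into backscatter."""


class Envelope:
    """One SMTP transaction; 'infected' stands in for a real scanner verdict."""

    def __init__(self, mail_from, rcpt_to, infected):
        self.mail_from = mail_from
        self.rcpt_to = rcpt_to
        self.infected = infected


class Server:
    """One MTA with an end-of-DATA policy for infected mail:
    'reject'  -> 5xx; the client keeps responsibility for the message
    'accept'  -> 250 and queue it (no scan, or scan result ignored)
    'discard' -> 250, then silently drop it; nobody is told anything
    """

    def __init__(self, name, policy="accept"):
        self.name = name
        self.policy = policy
        self.queue = []  # messages this server has taken responsibility for

    def data(self, env):
        """Reply sent at end-of-DATA, the last point at which a message can be refused."""
        if env.infected and self.policy == "reject":
            return "550 5.7.1 Message content rejected (virus found)"
        if not (env.infected and self.policy == "discard"):
            self.queue.append(env)
        return "250 2.0.0 Queued"

    def relay_to(self, downstream, ndr_sink):
        """Deliver queued mail onward; a 5xx from the next hop obliges an NDR to MAIL FROM."""
        while self.queue:
            env = self.queue.pop(0)
            reply = downstream.data(env)
            if reply.startswith("5") and env.mail_from != "<>":  # never bounce a bounce
                ndr_sink.append((env.mail_from, "%s said: %s" % (downstream.name, reply)))


def run(isp_policy, victim_policy):
    """Infected PC -> ISP relay -> victim, with MAIL FROM forged to a third party.

    Returns (reply the PC saw, NDR recipients, messages accepted into the victim's queue).
    """
    env = Envelope(mail_from="innocent@example.org",  # constructed; forged by the bot
                   rcpt_to="user@victim.example", infected=True)
    isp = Server("isps-smtp-server", policy=isp_policy)
    victim = Server("victims-smtp-server", policy=victim_policy)
    ndrs = []
    pc_reply = isp.data(env)    # hop 1: the bot ignores this reply whatever it is
    isp.relay_to(victim, ndrs)  # hop 2: the ISP now owns the message
    return pc_reply, [to for to, _ in ndrs], len(victim.queue)


if __name__ == "__main__":
    for policies in [("accept", "reject"), ("reject", "reject"), ("accept", "discard")]:
        pc_reply, bounced_to, delivered = run(*policies)
        print("ISP=%-7s victim=%-7s: PC saw %s, NDR to %s, delivered=%d"
              % (policies[0], policies[1], pc_reply[:3], bounced_to or "nobody", delivered))
```

The model makes the disagreement concrete: the victim's 5xx is correct SMTP either way, and the backscatter only exists because the hop before it accepted responsibility for a message it had not checked.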
Re: [Clamav-users] Clamav phishing sigs
Noel Jones wrote: Darren G Pifer wrote: Chambers, Phil wrote: Take a look at http://iserv.rs-hilter.de/doc/clamav-0.91.2/signatures.pdf I have seen this document but it does not show how to add signatures to a database OR for clamd to detect the phishing e-mail. I was able to create the signature (a .hdb file) and clamscan detects the phishing but clamd does not. Maybe I am missing something. If the sig works with clamscan, it will also work with clamdscan. Clamd must be stopped and restarted to recognize new signature files. Make sure you have the latest version of clamav. I think there are times when a milter might pull an incoming message apart and submit it in pieces to clamd that creates a different situation than scanning a message that is whole, and stored as a disk file. In this case two entirely different objects are being scanned, and depending on the way the signature was defined, there can be differences in the results. dp
Re: [Clamav-users] simplest replacement for ancient amavis-perl
rick pim wrote: On Fri, 8 Aug 2008, Charles Gregory wrote: Well, first of all, yes it IS. It's *everyone's* problem. That forged address could be on *your* server, and *you* get the backscatter from some other victim system that also doesn't care what the ISP does with it... what he said: we have two accounts/addresses that get, between them, about 200,000 bounces a day; this has been going on for something more than 8 months. If the bulk of those are coming from infected PCs there is no harm in rejecting them with a 5xx - the PC is going to ignore that anyway - it is certainly not going to bounce the message back to the sender. If it is coming from a legitimate system it would be useful to provide feedback to that system's operator that they are handling dirty mail. In that case a 5xx error is appropriate. If they then bounce the message to some unsuspecting victim then they will get additional feedback. I don't see where dropping those messages is helpful but do see all manner of advantages of rejecting with 5xx. My 5xx rejects, which are in the thousands, are 10 to one generated by DNSBL or dictionary attempts (user unknown), not ClamAV hits. (that said, there's something to be said for bouncing mail: one of our vendors is occasionally silently blocking my email to them. clearly SOMETHING about my messages is triggering their spam filters. it sure would be nice if i got the bounces for those) Can't have it both ways - although you could ask to be whitelisted. I do that for all our regular customers and contacts, and also whitelist any mail lists our users are on. I'm very happy to expect connecting systems to be well run or to suffer the consequences. In fact I feel that way about my systems. If I make a mistake I expect to pay for it. dp
Re: [Clamav-users] simplest replacement for ancient amavis-perl
[EMAIL PROTECTED] wrote: I meant to imply that when the ISP does not virus filter and the recipient silently drops the message the problem never gets resolved because nobody is made aware of it. The ISP customer will continue to be infected and continue to send out garbage. I suppose this is all based on the assumption that the ISP even cares. Cause as everyone knows *all* ISPs care. Right? ;) http://www.spam-site.com/isp-doing-business-with-spammers.shtml Oh, sure :) dp
Re: [Clamav-users] simplest replacement for ancient amavis-perl
Gerard wrote: On Thu, 7 Aug 2008 11:36:32 -0400 (EDT) jef moskot [EMAIL PROTECTED] wrote: You did not mention your MTA. Oops, sorry. We're married to sendmail at this point. Would you entertain a divorce? IMHO, switching to Postfix might very well make your life easier. The configuration is far simpler It has been a long time since Postfix was simpler than Sendmail in any important way. They are now nearly equally complex as Postfix has become nearly as capable as Sendmail. When they are equally capable they will be equally complex. There's no free lunch. dp
Re: [Clamav-users] on-error-execute=COMMAND
Albert E. Whale wrote: I am trying to get freshclam to execute a COMMAND whenever it encounters an error. I have tested the /dir/ReportClamAv.sh script, and it works as expected. However the command is not getting launched from the command line. Any Suggestions? Sounds like it might be an environment problem. Is the script in the path of the clamav user or are you declaring a fully qualified pathname in the freshclam arguments string? Are all needed libraries seen by the clamav user? This is where dependency on LD_LIBRARY_PATH can be a nuisance. When you test your scripts you should probably su - to the clamav user first if you're not already doing that. dp
Re: [Clamav-users] Database correctly reloaded (0 signatures)
Oscar Usifer wrote: Folks, On Monday, 12:49 Pacific Time, June 23, 2008 freshclam on my production system updated the virus signatures and notified clamd. During that time, clam did not properly reload the previously cited 231780 plus signatures and as a result began marking all checked files as 'safe', including possible virus candidate files. Did it subsequently recover on its own or did you have to intervene? dp
Re: [Clamav-users] UNDETECTED EXECUTABLE
jean-paul wrote: Not sure if it is a virus, but it sailed right through clam/symantec/and avg naturally not from where it claims From: United Parcel Service [mailto:[EMAIL PROTECTED] file name is ups_invoice.exe Jean-Paul Natola Did you submit it to the clamav virus upload page? dp
Re: [Clamav-users] Database correctly reloaded (0 signatures)
Oscar Usifer wrote: It did *not* recover on its own. I had to intervene. Unfortunately not discovering that this occurred two weeks later, causing me to have to go through 7K plus files to verify they are not virus files. We could become legally liable as a result, but I doubt this is a likely scenario. Thanks There is a clamav monitoring script in the contrib area of the source distribution that would likely have caught this and alerted you. It's saved my butt a few times. dp
Re: [Clamav-users] 0.93.3 memory doubling problem
Tomasz Kojm wrote:
> On Fri, 11 Jul 2008 09:48:01 -0500 Russell Jones [EMAIL PROTECTED] wrote:
>> .. the memory usage jumps to 131 megs and stays there. What is causing this, and how can I fix it?
> Please have a look at https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1028

Is this not a problem with Sparc processors, then? I've not witnessed it at all on my systems.

dp
Re: [Clamav-users] 0.93.3 memory doubling problem
Stephen Gran wrote:
> On Fri, Jul 11, 2008 at 09:52:43AM -0700, Dennis Peterson said:
>> Tomasz Kojm wrote:
>>> On Fri, 11 Jul 2008 09:48:01 -0500 Russell Jones [EMAIL PROTECTED] wrote:
>>>> .. the memory usage jumps to 131 megs and stays there. What is causing this, and how can I fix it?
>>> Please have a look at https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1028
>> Is this not a problem with Sparc processors, then? I've not witnessed it at all on my systems.
> I can't remember - are you a solaris shop? A different c library could certainly explain it, although I suspect a different cpu wouldn't make much of a difference. It has to do with how memory is allocated and garbage collected, and a different malloc/free/realloc/etc implementation might make a difference there.

I'm all Solaris. It runs at around 73M all the time on all systems (Sol9). It has been running constantly since the day 9.3.3 came out.

dp
[Clamav-users] cld vs cvd - (forked thread)
Noel Jones wrote:
>> Where is daily.cvd ?
> When incremental updates (the *.cdiff files) are applied, the *.cvd file is replaced with a *.cld file. This replaces some previous methods used for managing updates.

I'm finding I end up with both a main.cld and a main.cvd file, and clamd dutifully loads double the number of signatures. What am I doing wrong?

dp
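A check for the situation dp describes, added here as an illustration and not from the thread: clamd loads every database file in its directory, so a NAME.cvd left beside a NAME.cld is loaded twice. The function below lists such pairs for any directory passed to it; the sample directory is built from constructed empty files purely to demonstrate it, and the real database location (commonly /var/lib/clamav, but install-dependent) is an assumption to be substituted.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Report database names that
# are present as both .cvd and .cld in a ClamAV database directory.

# Print each base name (e.g. "main") for which both NAME.cvd and NAME.cld exist in DIR.
find_duplicate_dbs() {
    dir=$1
    for cld in "$dir"/*.cld; do
        [ -f "$cld" ] || continue      # no .cld files at all: the glob stays literal
        base=${cld%.cld}
        if [ -f "$base.cvd" ]; then
            printf '%s\n' "${base##*/}"
        fi
    done
}

# Create a throwaway directory of constructed, empty database files mirroring the
# message above (main present as both .cvd and .cld, daily only as .cld) and print its path.
make_sample_dbdir() {
    d=$(mktemp -d)
    : > "$d/main.cvd"
    : > "$d/main.cld"
    : > "$d/daily.cld"
    printf '%s\n' "$d"
}

# Monitor-style entry point: non-zero exit and a message on stderr when duplicates exist.
check_dbdir() {
    dups=$(find_duplicate_dbs "$1")
    if [ -n "$dups" ]; then
        printf 'duplicate database files in %s (loaded twice by clamd):\n%s\n' "$1" "$dups" >&2
        return 1
    fi
    return 0
}

# Stand-alone demonstration against the constructed directory.
sample=$(make_sample_dbdir)
check_dbdir "$sample" || printf 'demo: duplicates detected as expected\n'
rm -rf "$sample"
```

Run against the live directory as `check_dbdir /var/lib/clamav` (path assumed) from the same cron that drives freshclam, and the doubled signature count clamd reports on reload becomes an explained, actionable alert rather than a puzzle.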
Re: [Clamav-users] Clamav know virus count reduced.
G.W. Haywood wrote:
> But it seems to me that there's hardly a week goes by without someone posting to the list a new and interesting way in which his freshclam-driven update has failed. Take today, for example.

I haven't had a freshclam failure yet but I've had errors reported. Freshclam doesn't give up on error, it goes to plan B which for a very long time has been working fine. It is just less efficient. Perhaps the solution is to report only true failures and not intermediate failures while on the path to success.

dp
Re: [Clamav-users] Clamav know virus count reduced.
Tomasz Kojm wrote:
> On Wed, 02 Jul 2008 08:46:28 -0700 Dennis Peterson [EMAIL PROTECTED] wrote:
>> Perhaps the solution is to report only true failures and not intermediate failures while on the path to success.
> the latest version of freshclam with --no-warnings should do it

That's going to be a freshclam.conf option, too, I hope!

dp
Re: [Clamav-users] freshclam (0.93.1) error
Frank Elsner wrote:
> Hello ALL, today my freshclam (0.93.1) showed the error
>   ERROR: cdiff_cmd_close: Can't apply XCHG at line 1 of daily.ign
>   ERROR: cdiff_apply: Can't execute command CLOSE
>   ERROR: cdiff_apply: Error executing command at line 4
>   ERROR: getpatch: Can't apply patch
> What's behind? Should I worry about this?

Same error showed up here a few minutes ago.

dp