Re: [Clamav-users] Problem with clamav on Linux
Török Edwin wrote:
> Quỳnh H Nguyễn wrote:
> > After remove it manual. There is still error when clamd start, it will create /tmp/clamd.socket And this is the next error. If solve this problem, I think you fixed my error. I'm so sorry because I can not understand to config and fix it by myself! I'm newbie.
>
> The policy file says the socket should be created here. Edit clamd.conf and move the socket here:
>
> /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)

And as such has absolutely nothing to do with clamav and everything to do with selinux and understanding log files. Edwin - you have been extremely kind and helpful to this clueless noob who continues to post in the wrong mailing list. Perhaps he should gain a better understanding of his system before trying to incorporate things like clamav - especially with selinux involved!

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] RPM 0.90.2 FC4
Steven Stern wrote:
> Dennis Peterson wrote:
> > Steven Stern wrote:
> > > Robert Niepel wrote:
> > > > Hello, can anyone tell me where I can get RPM's for Fedora Core 4? Or does anyone have a howto to build those rpm from tar.gz?
> > >
> > > download the unpack the tar.gz file
> > > In the directory,
> > >
> > > ./configure
> > > make
> > > make install
> > >
> > > Here's how I invoke configure:
> > >
> > > ./configure --enable-milter --prefix=/usr --exec-prefix=/usr \
> > >   --sysconfdir=/etc --with-dbdir=/var/lib/clamav --disable-zlib-vcheck
> >
> > I think this will not create an rpm.
>
> An RPM isn't needed. This will install the current version of Clam.

You are correct. However the OP asked for an RPM. You provided him with an irrelevant response which I'm sure was DP's point.

-Jim
Re: [Clamav-users] Install clamav on CentOS 4.4
Rob MacGregor wrote:
> On 4/18/07, Gustavo Gouvea [EMAIL PROTECTED] wrote:
> > Hi there, has anyone installed clamav on CentOS 4.4 before?? Any tips??? Which version of Openssl do I need to use? Will I have to do it from the source code? By now, I've been using the rpm packages from Petr Kristof.
> >
> > [EMAIL PROTECTED] yum.repos.d]# yum install clamav
> > Setting up Install Process
> > Setting up repositories
> > Reading repository metadata in from local files
> > Parsing package install arguments
> > Resolving Dependencies
> > -- Populating transaction set with selected packages. Please wait.
> > --- Package clamav.i386 110:0.90.1-1 set to be updated
> > -- Running transaction check
> > -- Processing Dependency: libssl.so.5 for package: clamav
> > -- Processing Dependency: libcrypto.so.5 for package: clamav
> > -- Processing Dependency: libkrb5support.so.0 for package: clamav
> > -- Finished Dependency Resolution
> > Error: Missing Dependency: libssl.so.5 is needed by package clamav
> > Error: Missing Dependency: libcrypto.so.5 is needed by package clamav
> > Error: Missing Dependency: libkrb5support.so.0 is needed by package clamav
> >
> > [EMAIL PROTECTED] yum.repos.d]# find / -name libssl*
> > /lib/libssl.so.4
> > /lib/libssl.so.0.9.7a
> > /usr/lib/libssl.a
> > /usr/lib/thunderbird-1.5.0.5/libssl3.so
> > /usr/lib/libssl.so
> > /usr/lib/firefox-1.5.0.5/libssl3.so
> > /usr/lib/libssl3.so
> >
> > [EMAIL PROTECTED] yum.repos.d]# rpm -qa |grep openssl
> > openssl-devel-0.9.7a-43.14
> > xmlsec1-openssl-1.2.6-3
> > openssl-0.9.7a-43.14
>
> Well, the most likely response is that you should install from source :) Others have already talked about this on the CentOS forums, though the general flavour was very hostile. I suspect you just need to upgrade your other packages, particularly openssl and openssl-devel.

I'm surprised that no one mentioned the real easy way to solve all this. Download the SRC rpm, then rebuild for your specific environment and install built rpms. Quick and easy. I grab the src rpm from dag or kristof or wherever then do rpmbuild --rebuild whatever.src.rpm and you're all set. Since I don't use milter I specify -without-milter as well. This allows you to keep the system updated with rpm without having to wait for someone to build it for you for your specific arch.

-Jim
Re: [Clamav-users] error stops clamd
Jason Frisvold wrote:
> On 4/11/07, John Rudd [EMAIL PROTECTED] wrote:
> > Depends on what your goals are. For me, a reliable email system does not just mean mail gets delivered. It also means that we reliably reject detectable viruses. If we're letting viruses through because our pants are down (because our AV tool has failed), then that's not a reliable email system. That's a dysfunctional email system.
>
> Agreed...
>
> > better monitoring and notification: yes, good.
>
> Check out argus (http://argus.tcp4me.com) .. Works wonderfully for me.
>
> > It's like using condoms. Just because you run out of condoms doesn't make unprotected sex suddenly safe. Accepting email from the world without your AV tool processing it is as irresponsible as having unprotected sex with the entire world.
>
> Ugh.. Thanks.. I'm gonna have nightmares for weeks now..

nightmares? hah to some that is their dream! ;)

-Jim
Re: [Clamav-users] problem with clamav and cpu
[EMAIL PROTECTED] wrote:
> On Thu, 29 Mar 2007 11:54:18 +0200 (CEST) [EMAIL PROTECTED] wrote:
> > > Hi, usually clamav uses 100% of my cpu making the load average very high, lately I have had even a big error in the log:
> > >
> > > clamscan: corrupt or unknown ClamAV scanner error or memory/resource/perms problem - exit status 40
> > >
> > > I use qmail with qmail-scanner, is there a way to make clamav use less cpu?
> >
> > yes, stop using clamscan and replace it with clamdscan/clamd
> >
> > --
> > oo. Tomasz Kojm [EMAIL PROTECTED]
> > (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
> > \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
> > //\ /\ Thu Mar 29 12:34:59 CEST 2007
>
> I will try thanks, which is better clamdscan or clamd or is it the same?

You obviously do not understand anything relating to clamav. clamscan is a standalone application. It scans files for viruses. Clamd is a virus scanning daemon. You use clamDscan to pass files to clamd for scanning. Perhaps some documentation reading is in order.

Jim
Re: [Clamav-users] clamscan-procfilter.pl stops working after upgrade to 0.9X clamav
Michael Brown wrote:
> Hi Everyone,
>
> I'm new to this list, but a long time user of ClamAV. For years I've been using this simple procmail (clamscan-procfilter.pl) script from http://www.virtualblueness.net/~blueness/clamscan-procfilter/
>
> It's worked great, until I upgraded to the 0.9X ClamAV and it no longer is able to pass e-mails to the clamav daemon. I'm not sure why, but as far as I can tell everything is peachy with clamav, freshclam runs just fine, the clamd process is running. The configuration file is correct. The only thing I can guess (and after searching the mail list since no one else has reported this yet) is maybe some scanning parameters for the new clamav have changed and that's why this script is not working.
>
> The script has a section where it passes the e-mail to the clamdscan script to scan and then later in the file does other things to redirect virus infected e-mails, etc. As far as I can tell, the files are being sent over to scan, but they remain (never removed after a successful scan). I thought maybe this is not using the right command to scan the file (updated version has new parameters) and thus that's why e-mails are not getting a proper clamav scan. If anyone has experience with this procmail script, any information would be greatly appreciated.
>
> # Where are your binaries?
> #
> $MKTEMP='/bin/mktemp' ;
> $CLAMSCAN='/usr/bin/clamdscan' ;
> $FORMAIL='/usr/bin/formail' ;
> #
> # Read in the email from stdin
> #
> @file = <STDIN> ;
> #
> # Create/open a temp file for the output of clamscan
> #
> $TMPFILE=`$MKTEMP /tmp/clamtemp.XX` ;
> chomp $TMPFILE ;
> open CLAM, "|$CLAMSCAN --stdout --mbox - > $TMPFILE" ;

I'm not running 0.9X but I'm pretty sure --mbox isn't valid anymore. And why is the variable CLAMSCAN when it's calling clamDscan? It's just a little confusing...

> print CLAM @file ;
> close CLAM ;
>
> Thanks,
> Michael
Re: [Clamav-users] Re: 0.90.1 freshclam error
Daniel T. Staal wrote:
> On Wed, March 14, 2007 10:08 am, Robert Isaac said:
> > > > Thanks. This gave
> > > >
> > > > [EMAIL PROTECTED] etc]# grep LocalSocket clamd.conf
> > > > # LocalSocket /tmp/clamd
> > > > LocalSocket /usr/sbin
> > >
> > > Ouch, pointing LocalSocket to /usr/sbin is not a good idea.
> > >
> > > --
> > > oo. Tomasz Kojm [EMAIL PROTECTED]
> > > (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
> >
> > I have removed all of clamav/clamd and reinstalled the rpms and clamd was put in /usr/bin, but /etc/clamd.conf shows
> >
> > LocalSocket /tmp/clamd
> >
> > Is this correct?
>
> Yes. The socket is not the program, it is a connector, _created by_ the program. /tmp or /var/run are common places for it.

Yes, you seem to be confusing the binary program /usr/bin/clamd with the socket file which is created by clamd when it starts up. With the clamd.conf setting you had originally:

LocalSocket /usr/sbin

You are attempting to overwrite the clamd executable with the socket. I can't even imagine what results this would produce.

-Jim
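Added example (not part of the original thread, and not ClamAV project code): a pre-start check that reads the active LocalSocket line from clamd.conf and reports when it names a directory or an existing non-socket file, the mistake discussed above. The function names and result strings are assumptions made for this example.

```shell
#!/bin/sh
# Sanity check for the LocalSocket setting in clamd.conf.
# Function names and result strings are made up for this example.

# local_socket_path CONF
# Print the path from the first active LocalSocket line. Commented lines such
# as "# LocalSocket /tmp/clamd" are skipped because their first field is "#".
local_socket_path() {
    awk '$1 == "LocalSocket" { print $2; exit }' "$1"
}

# check_local_socket CONF
# Print one word describing the configured path and return non-zero when the
# path cannot work as a socket location:
#   unset          no active LocalSocket line (clamd may use TCPSocket instead)
#   directory      the path is a directory such as /usr/sbin
#   not-a-socket   the path exists but is a regular file, device, etc.
#   missing-parent the directory that should hold the socket does not exist
#   ok             the path is free, or is a socket left by a previous run
check_local_socket() {
    sock_path=$(local_socket_path "$1")
    if [ -z "$sock_path" ]; then
        echo "unset"
        return 0
    fi
    if [ -d "$sock_path" ]; then
        echo "directory"
        return 1
    fi
    if [ -e "$sock_path" ] && [ ! -S "$sock_path" ]; then
        echo "not-a-socket"
        return 1
    fi
    if [ ! -d "$(dirname "$sock_path")" ]; then
        echo "missing-parent"
        return 1
    fi
    echo "ok"
}

# Stand-alone use: sh check-socket.sh check /etc/clamd.conf
if [ "${1:-}" = "check" ]; then
    check_local_socket "${2:-/etc/clamd.conf}"
fi
```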
Re: [Clamav-users] Problem after upgrade
Awie wrote:
> Hi all,
>
> After upgrading to ClamAV 0.90.1, I got problem with message below:
>
> clamdscan: corrupt or unknown clamd scanner error or memory/resource/perms problem - exit status 512/2
>
> Would you tell me the source of such problem? Your answer is very appreciated and waited for.

This is not a clamav issue. You are probably running clamd as a different user or maybe your install configured things as a different user than you had in the past. Check to see what user clamd is running as and make sure all clamav directories are accessible by that user. Also, is clamd running?

-Jim
Re: [Clamav-users] clamav vs norton
Sean Pinegar wrote:
> I trusted clamav for a long time but ran across an interesting problem today. I received an e-mail from a friend that included a powerpoint. I opened the powerpoint in linux and wine flagged it as a virus (not sure how wine knew there was a virus...can anyone enlighten me on that?). I scanned it with clamav and it said the file was ok. I scanned it with norton and it came up as being infected. I updated clamAV and tried again, same results..the file was ok. I was just curious if anyone else has run into this type of problem? I don't want to ditch clamAV but I have to do what's best for the business.
>
> -Sean-

Things like this occur frequently, and not just with clamav. If you have a file that is not detected, you should submit it so that a signature can be included in future updates. Also, what's best for the business is to run multiple virus scanners and not rely on a single one.

-Jim
Re: [Clamav-users] Local mirror with .90
Shawn Badger wrote:
> I'm sure this has been asked already, but I haven't been able to find it. How do I get the .cdiff files? I had a local mirror set up, but since .90 was installed they are looking for the .cdiff files. Before I was just doing a symbolic link on my server to .cvd files it was using and having the clients download those. That doesn't work with the new format. Sorry for the rambling, but if anyone knows how to do a local mirror using the new format please let me know!!

There's a setting something about incremental updates which you should turn off. This will allow you to use the old .cvd style. I haven't looked at 0.90 yet so I'm not 100% sure of the actual setting.

-Jim
Re: [Clamav-users] Auto scan problems
carren stuart wrote:
> carren stuart wrote:
> A while back, I wrote:
>
> I'm running Clamav on DesktopBSD, with Klamav as the front end. Clamav is working fine and has detected the eicar test files as expected but I cannot get auto-scanning to work. Whenever I enable auto-scan I get the following error:
>
> The auto-scan process died unexpectedly
>
> I have dazuko installed and loaded, and as far as I know it's working OK. What causes this error and what should I do to fix it?
>
> Then I wrote again:
>
> But I haven't had any replies as yet. Can somebody please help me with this as I really want to get auto scanning working.
>
> Is there some reason why my posts aren't even being acknowledged? I can't believe that nobody knows the answer to my question. This IS the users list and I'm a user, so could somebody PLEASE help me with this.

ack.

Would you rather someone reply and say wow, that sucks, but I can't help you? How many people here are even using dazuko? or the KlamAV frontend for that matter. This is the ClamAV users list, if you have a problem running ClamAV, feel free to ASK your question here. Demanding help will get you nowhere.

You provided no useful information either. Saying:

Whenever I enable auto-scan I get the following error: The auto-scan process died unexpectedly

is not helpful at all. I would imagine any number of things could cause that message to be displayed. Asking what causes that error is like asking what causes my car not to start when I turn the key? Also, you mention that as far as you know dazuko is working. You expect someone to take time to help you when you aren't even sure if a base component in your setup is working properly? Why not actually verify that it's working before even asking this question here?

With that said, I have never used on access scanning myself so I can not offer any help in that area.

-Jim
Re: [Clamav-users] Re: ClamAV version mismatch
Mathias wrote:
> > What mail server do you run? And how does the mailserver determine the clamdscan header?
>
> I'm running qmail with qmailscan 1.25. I guess something has got to be compiled in there although I thought that qmailscan was just a perlscript (qmail-scanner-queue.pl). I'll dig into it unless you know right away where the problem lies?

The problem is with qmail-scanner. You must run qmail-scanner-queue.pl -z to get it to re-read the version information from your installed scanners. This is all on the qmail-scanner website somewhere. FWIW, this is purely aesthetic, the old version info is stored in qmail-scanner-queue-version.txt but it is actually using the newer version of clamav you have installed.

-Jim
Re: [Clamav-users] Update / upgrade questions
Vanco, Don wrote:
> Hello all - New user here, couple quick questions.
>
> Background: I am trying to support a customer under a bit of duress. I know Linux, but have not worked with ClamAV directly myself, so am a bit hesitant because this is an env. that processes 250k emails a day. I've read over the FAQ, and things seem fairly clear, but I wanted to ask a couple quick questions to bolster my confidence before I proceed. Upgrade will be done via remote access.
>
> System: RHEL 3 Update 8, AS, on 32-bit Intel 2-way server
> Running QMail (netqmail 1.05)
> (I have seen a post in the archives about running a QMail script to update the scan headers after install/upgrade)

Yes, you should run qmail-scanner-queue.pl -z after you have the new version of clamav installed to pull the new version information and update the .txt file that holds this info. Everything will work fine even if you don't do this, but the headers will have the old version info.

-Jim
Re: [Clamav-users] Why does clam die on a malformed database ?
Chuck Swiger wrote:
> Bill Landry wrote:
> [ ... ]
> > You are preaching to the choir here, as you have no argument from me. I raised the same issue the last time this happened to me a few weeks ago and clamd died twice on me in one day. The script work-around to check the databases before implementing them has saved my bacon with this last string of corrupted databases from MSRBL. However, I still agree that clamd should be able to handle these kinds of issues gracefully, and in the alternative, should not simply die silently.
>
> Agreed-- it would be nice if clamd was more robust, either by continuing to run with the other DBs (as available) and either drop the bad line or the entire bad DB file, until a new update comes along which is OK.
>
> However, improving how clamd responds to a bad DB is solving a consequence or symptom rather than the original problem. Maybe we should try to persuade the MSRBL site (and others) to use a similar checking script when pushing new versions of the DB's out, rather than checking upon receipt after people have used bandwidth to download and then have to discard a bad update...?

Not really. It's about the same as going to a doctor and saying hey doc, it hurts when I go like this and he responds with well, don't do that. Just as this is not a real solution, telling all DB creators to make sure their files are ok or clamd will die is not a solution. This isn't to say that these maintainers should not check the integrity of the files they produce - they indeed should - but the real solution is that clamd should not fail when it encounters a bad database file. This is the only true way to avoid problems in this case.

-Jim
Re: [Clamav-users] Freshclam stability as a daemon [was: DB Update email before actual update available?]
Dennis Peterson wrote:
> G.W. Haywood wrote:
> > Hi there,
> >
> > Some time ago somebody wrote, and somebody else replied:
> >
> > > > Why not just run freshclam as a daemon?
> > >
> > > Then you really need to have a daemon watcher to keep it going.
> >
> > Talk of freshclam dying gives me some discomfort, yet in almost two years running freshclam as a daemon on two - not particularly busy - servers I've never seen it fail. It uses around a megabyte of memory on a machine with 2G of RAM and, doing hourly updates, it takes maybe three seconds of CPU per month on a 1GHz twin-processor Pentium box.
> >
> > Naturally if freshclam dies we can expect people to mention it. I'm calling for those who run freshclam as a daemon and who don't see any problems with it to chip into this thread. How many of us are there?
> >
> > Here are the non-comment lines in my config in case it has a bearing:
> >
> > DatabaseDirectory /var/lib/clamav
> > UpdateLogFile /tmp/.clam/freshclam.log
> > LogVerbose
> > LogSyslog
> > PidFile /var/run/clam/freshclam.pid
> > DNSDatabaseInfo current.cvd.clamav.net
> > DatabaseMirror db.uk.clamav.net
> > DatabaseMirror database.clamav.net
> > MaxAttempts 5
> > Checks 24
> >
> > Here's how I start it:
> >
> > /usr/local/bin/freshclam -d --daemon-notify=/etc/mail/clamav/clamd.conf
> >
> > Does anyone have any clues to the reasons behind freshclam's apparent unreliability under some circumstances? Bad DB servers? Mail load? Swap? Locking? Conflict with other processes? OS? Libraries? ...
> >
> > --
> > 73,
> > Ged.
>
> The operation of freshclam is unrelated to the traffic volume of the site so that is unimportant. It does only one job and it does it well. A busy site only means it is a greater liability if it should fail or if it should copy or produce flawed files, or fail to download new files. But if you run it as a daemon in a production environment then it is a simple best practice next step to monitor it and restart it should it fail.
>
> You may have a different view of what is a best practice in this regard (and it may even extend beyond freshclam) that leads you to choose to run freshclam as a daemon without monitoring and watchdog restart capability. I can only tell you from my experience with several years and many versions of ClamAV that I have found no advantage in any category to running freshclam as a daemon, and running it in cron gives me many options not otherwise available - not the least of which is I can run it at random intervals to help break up lockstep assaults on the servers it polls.
>
> And as an old school Unix admin who still believes in the mentoring responsibility of my position, I will make recommendations from time to time regarding best practices and I recommend if you run freshclam as a daemon that you monitor it and restart it if needed. Sun's SMF and other methodologies (cfengine, watchdog) can do this trivially but fail to do other checks of data integrity which must be scripted.
>
> So long as clamd can be killed and left unable to restart because of the presence of a corrupt or badly formatted ndb file and since the db update process requires scripting anyway it makes sense to me to wrap the freshclam process and fetching other db's in cron driven scripts that:
>
> - Run at random intervals
> - Validate the databases that are downloaded including those that are not collected by freshclam (Sane Security, MSRBL, for examples)
> - Move the validated files to the working directory
> - Test the new files against known samples
> - Retry on error or server failures
> - Notify the admin chain and log the error
>
> This is not rocket science.

Who said it was? The OP clearly asked for people who run freshclam as a daemon who have NOT had problems with it in the setup. You are not one of those people so I'm still trying to figure out why you felt the need to post. C'mon, this is not rocket science.

> dp
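Added example (not part of the original thread, and not Dennis Peterson's actual scripts): one way to write the cron-driven wrapper outlined above, covering the random start delay, validation of each downloaded database, installation of validated files only, and logging of rejects. The directory layout, function names and the rule that a clamscan exit status of 0 or 1 means the database loaded are assumptions made for this example; fetching the files into the staging directory is left to freshclam or a download job.

```shell
#!/bin/sh
# Staged signature update: a downloaded database reaches the directory clamd
# reads only after clamscan has loaded it successfully.
# All paths below are example values; override them through the environment.
CLAMSCAN="${CLAMSCAN:-clamscan}"                        # scanner binary
STAGING_DIR="${STAGING_DIR:-/var/tmp/clamav-staging}"   # downloads land here
DB_DIR="${DB_DIR:-/var/lib/clamav}"                     # live database directory
SAMPLE="${SAMPLE:-/etc/hostname}"                       # any small readable file
LOG_FILE="${LOG_FILE:-/var/log/clamav-staged-update.log}"

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >> "$LOG_FILE"
}

# random_delay MAX: print a number of seconds in [0, MAX). Reads /dev/urandom
# so that hosts whose cron jobs fire in the same second still pick different
# delays and do not poll the mirrors in lockstep.
random_delay() {
    n=$(od -An -N2 -tu2 /dev/urandom | tr -d ' \n')
    echo $(( n % $1 ))
}

# validate_db FILE SAMPLE: load FILE as the only signature database and scan
# SAMPLE with it. clamscan exits 0 (clean) or 1 (match) once the database has
# loaded; any other status is treated here as a broken database.
validate_db() {
    db=$1
    [ -s "$db" ] || return 2          # empty or missing download
    rc=0
    "$CLAMSCAN" --quiet --no-summary --database="$db" "$2" >/dev/null 2>&1 || rc=$?
    [ "$rc" -eq 0 ] || [ "$rc" -eq 1 ]
}

# install_db FILE: copy under a temporary name inside DB_DIR, then rename, so
# clamd never opens a half-written file.
install_db() {
    base=$(basename "$1")
    tmp="$DB_DIR/.$base.$$"
    cp "$1" "$tmp" && mv -f "$tmp" "$DB_DIR/$base"
}

# update_from_staging: process every file in STAGING_DIR. Prints
# "<installed> <rejected>" and returns non-zero if anything was rejected
# (a failed copy into DB_DIR is counted as a reject as well).
update_from_staging() {
    installed=0
    rejected=0
    for f in "$STAGING_DIR"/*; do
        [ -f "$f" ] || continue
        if validate_db "$f" "$SAMPLE" && install_db "$f"; then
            rm -f "$f"
            installed=$((installed + 1))
            log "installed $(basename "$f")"
        else
            mkdir -p "$STAGING_DIR/rejected"
            mv -f "$f" "$STAGING_DIR/rejected/"
            rejected=$((rejected + 1))
            log "REJECTED $(basename "$f"): failed to load or install"
        fi
    done
    echo "$installed $rejected"
    [ "$rejected" -eq 0 ]
}

# Cron entry point: sh staged-update.sh run
if [ "${1:-}" = "run" ]; then
    sleep "$(random_delay 1800)"
    update_from_staging >/dev/null || log "rejected databases kept in $STAGING_DIR/rejected"
fi
```

The live directory keeps its previous copy of any database whose replacement was rejected, so clamd can always be restarted against files that are known to load.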
Re: [Clamav-users] Freshclam stability as a daemon [was: DB Update email before actual update available?]
Dennis Peterson wrote:
> Jim Maul wrote:
> > Dennis Peterson wrote:
> > > This is not rocket science.
> >
> > Who said it was? The OP clearly asked for people who run freshclam as a daemon who have NOT had problems with it in the setup. You are not one of those people so I'm still trying to figure out why you felt the need to post. C'mon, this is not rocket science.
>
> As one of those who talked of freshclam dying I was offering background on why I did so and the disciplines that cause me to configure systems as I do. What was the purpose of your post?
>
> dp

The purpose of my post was to point out that you did not even remotely provide what the OP was asking for. He was asking to hear from those of us who DO use freshclam as a daemon and what OUR experiences were. Instead, you chose to give a detailed explanation on why you DON'T use freshclam in daemon mode and what you do instead. Then you chose to throw in a little condescending this is not rocket science comment at the end. Classy really.

Happy holidays.

-Jim
Re: [Clamav-users] 0.88.7 possible error
Robert Isaac wrote:
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: 13 December 2006 21:13
> To: ClamAV users ML
> Subject: Re: [Clamav-users] 0.88.7 possible error
>
> > Robert Isaac wrote:
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> > > Sent: 13 December 2006 18:55
> > > To: ClamAV users ML
> > > Subject: Re: [Clamav-users] 0.88.7 possible error
> > >
> > > > Robert Isaac wrote:
> > > > > Yesterday I installed 0.88.7 on our server running RHESL-4 using the rpms from DAG, previously using 0.88.6. Our LogWatch file this morning shows:
> > > > >
> > > > > **Unmatched Entries**
> > > > > clamd shutdown succeeded
> > > > > clamd shutdown failed
> > > > > clamd daemon 0.88.7 (OS: linux-gnu, ARCH: i386, CPU: i386)
> > > > > Bound to address 127.0.0.1 on port 3310
> > > > > Portable Executable support enabled.
> > > > > Detection of broken executables enabled.
> > > > > clamd startup succeeded
> > > > > Mail: Recursion level limit set to 64.
> > > > > HTML support enabled.
> > > > > clamd daemon 0.88.7 (OS: linux-gnu, ARCH: i386, CPU: i386)
> > > > > bind() error: Address already in use
> > > > >
> > > > > Is there a problem here somewhere?
> > > > > Thanks
> > > >
> > > > Did you stop the old clamd server before starting the new one?
> > > > Steve
> > >
> > > No I didn't. Ooops. What should I do now?
> > > Bob
> >
> > Just kill all instances of clamd and then start up clamd again.
> > Steve
>
> There was only one instance running. Killed it and restarted it. Then in today's LogWatch:
>
> **Unmatched Entries**
> clamd shutdown failed

I already pointed this out, but perhaps it's worth repeating. Whatever script is trying to shutdown clamd is failing. You need to figure out why this is happening. If clamd does not shut down correctly, it will ALWAYS fail when trying to start it back up. Killing it manually is not a fix, it's a workaround.

> clamd daemon 0.88.7 (OS: linux-gnu, ARCH: i386, CPU: i386)
> Bound to address 127.0.0.1 on port 3310
> clamd startup succeeded
> Portable Executable support enabled.
> Detection of broken executables enabled.
> Mail: Recursion level limit set to 64.
> HTML support enabled.
>
> Bob
Re: [Clamav-users] 0.88.7 possible error
[EMAIL PROTECTED] wrote:
> Robert Isaac wrote:
> > Yesterday I installed 0.88.7 on our server running RHESL-4 using the rpms from DAG, previously using 0.88.6. Our LogWatch file this morning shows:
> >
> > **Unmatched Entries**
> > clamd shutdown succeeded
> > clamd shutdown failed

Oops, look at that, it didn't shutdown.

> > clamd daemon 0.88.7 (OS: linux-gnu, ARCH: i386, CPU: i386)
> > Bound to address 127.0.0.1 on port 3310
> > Portable Executable support enabled.
> > Detection of broken executables enabled.
> > clamd startup succeeded
> > Mail: Recursion level limit set to 64.
> > HTML support enabled.
> > clamd daemon 0.88.7 (OS: linux-gnu, ARCH: i386, CPU: i386)
> > bind() error: Address already in use

Of course the address is already in use. Clamd is still running.

-Jim
Re: [Clamav-users] clamscan sped
Erez Epstein wrote:
> well, I'm not sure if that's the right solution, as smart virus or old file with new virus definition will not be found. also I know all other virus scanners do scan all files.

Then perhaps you should be using other virus scanners. Use the tool that best fits the job. If you find that clamav takes a long time to scan a large drive, that may be because this was not the primary purpose of the product.

Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose of this software is the integration with mail servers (attachment scanning).

While I'm sure the number of uses for clamav is growing all the time, if you try to use a product for a task that it was not designed for and it does that task poorly, why continue to try to make it work? Find a product that works for you in this particular situation and use that instead.

-Jim

> On 11/26/06, Dennis Peterson [EMAIL PROTECTED] wrote:
> > Erez Epstein wrote:
> > > and how can I shorten it while still scanning all files every night.
> >
> > Don't scan all of them every night. There is no need to scan a file that has not been modified since the last scan. There is probably no need to scan your logs, /var, /usr, /opt, /proc, /dev, /bin, /sbin, or /devices (or any root owned directory) unless you think you have been hacked and had your root account compromised. You probably don't want to scan NFS mounts or Samba mounts as it is rather expensive in terms of network traffic and speed, and introduces all kinds of interesting permissions and connection reliability issues.
> >
> > Clam is not a good intrusion detection tool so you might want to run TripWire or some similar tool that will tell you which files have been modified so you can limit your scan to those few files that require scanning.
> >
> > dp
Re: FW: [Clamav-users] clamscan sped
Arthur Sherman wrote:
> Hi Jim,
>
> What AV would you suggest for SAMBA?

Sorry, I have no suggestions as I have never tried to do this. We have symantec AV on all our windows workstations and I use only clamav on our mail server. I'm sure others will have many suggestions.

-Jim

> Best,
> --
> Arthur Sherman
> +972-52-4878851
> CPTeam
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Maul
> Sent: Monday, November 27, 2006 3:18 PM
> To: ClamAV users ML
> Subject: Re: [Clamav-users] clamscan sped
>
> > Erez Epstein wrote:
> > > well, I'm not sure if that's the right solution, as smart virus or old file with new virus definition will not be found. also I know all other virus scanners do scan all files.
> >
> > Then perhaps you should be using other virus scanners. Use the tool that best fits the job. If you find that clamav takes a long time to scan a large drive, that may be because this was not the primary purpose of the product.
> >
> > Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose of this software is the integration with mail servers (attachment scanning).
> >
> > While I'm sure the number of uses for clamav is growing all the time, if you try to use a product for a task that it was not designed for and it does that task poorly, why continue to try to make it work? Find a product that works for you in this particular situation and use that instead.
> >
> > -Jim
> >
> > > On 11/26/06, Dennis Peterson [EMAIL PROTECTED] wrote:
> > > > Erez Epstein wrote:
> > > > > and how can I shorten it while still scanning all files every night.
> > > >
> > > > Don't scan all of them every night. There is no need to scan a file that has not been modified since the last scan. There is probably no need to scan your logs, /var, /usr, /opt, /proc, /dev, /bin, /sbin, or /devices (or any root owned directory) unless you think you have been hacked and had your root account compromised. You probably don't want to scan NFS mounts or Samba mounts as it is rather expensive in terms of network traffic and speed, and introduces all kinds of interesting permissions and connection reliability issues.
> > > >
> > > > Clam is not a good intrusion detection tool so you might want to run TripWire or some similar tool that will tell you which files have been modified so you can limit your scan to those few files that require scanning.
> > > >
> > > > dp
Re: [Clamav-users] Cherishing my ignorance - An appeal to package rs
Bart Silverstrim wrote:
> On Nov 9, 2006, at 2:09 PM, Jim Redman wrote:
> > Folks,
> >
> > I have to say, of all the lists I subscribe to, the vocal members of this list are the most arrogant and insulting. However, I consider comments such as Luca Gibelli's, bandwidth wasting, We are happy to suffer this loss. and Dennis Peterson's His specific problem is he lacks the skill to install and manage the product reflect more about the person making the comment, rather than the target.
>
> You're forgetting one detail that probably was the most provoking, though. He started right off saying he cherishes his ignorance. How many of our problems as sysadmins come from user ignorance? How much worse is it when you have to deal with another peer's ignorance, and worse yet, WILLFUL ignorance? Hi, I'm hired to do a complicated and skillful job as a sysadmin, but want to know nothing about how or why this software stuff works...can you help me? By, like, doing it for me?

Maybe I missed it, but where in his original email did he ask anyone to help him by doing something for him? From what I can see, he didn't even ask for help at all. The way I took it was:

Gee, I downloaded this package for clamav and installed it and now there are all sorts of other things that still need to be done to get it working correctly. Maybe clamav developers could work with the package maintainers to make this process go more smoothly?

To which he received responses like:

You're an idiot. We don't care. Shut up and stop posting crap like this to the list.

To me it seems like everyone missed the point and made their own assumptions as to what he *really* meant. Maybe the title was worded poorly, or his post looked too similar to others that people have seen in the past and it triggered an immediate negative response from them, or maybe it's just that some people on this list haven't gotten any lately and are grumpy - who knows.

But to berate someone like this over a post they made which I believe was interpreted incorrectly to begin with is completely wrong. I mean c'mon, the subject clearly states it's directed at packagers. Give the guy a flippin break.

-Jim
Re: [Clamav-users] Cherishing my ignorance - An appeal to package rs
James Kosin wrote: Jim Maul wrote:
Maybe I missed it, but where in his original email did he ask anyone to help him by doing something for him? From what I can see, he didn't even ask for help at all. The way I took it was: Gee, I downloaded this package for clamav and installed it and now there are all sorts of other things that still need to be done to get it working correctly. Maybe clamav developers could work with the package maintainers to make this process go more smoothly? To which he received responses like: You're an idiot. We don't care. Shut up and stop posting crap like this to the list. To me it seems like everyone missed the point and made their own assumptions as to what he *really* meant. Maybe the title was worded poorly, or his post looked too similar to others that people have seen in the past and it triggered an immediate negative response from them, or maybe it's just that some people on this list haven't gotten any lately and are grumpy - who knows. But to berate someone like this over a post they made which I believe was interpreted incorrectly to begin with is completely wrong. I mean c'mon, the subject clearly states it's directed at packagers. Give the guy a flippin' break. -Jim
Ok, I'm usually very patient when it comes to responses to emails like this. But, I believe he is really asking the wrong people. He should be going to the package maintainers. This group is usually content with compiling and installing directly from source.
Are there really no package maintainers on this list? I find that hard to believe. Is it really necessary to punish someone for thinking that maybe, just maybe, a message about clamav packages on the clamav-users list might actually get seen by some packagers themselves?
Like Dennis said, "Bringing it all together is what the admin is for." ClamAV is a powerful tool; but, would you give a chainsaw to your 2-year old to use? I think not. Everyone has to learn. There are no shortcuts when it comes to being a sysadmin, no matter what level you are. You can make things easier; but, usually at a cost. No one here is willing to make ClamAV a butter knife when it is already a chainsaw.
Of course. I'm not saying I completely agree with everything the OP wrote. I'm simply saying that I believe people misinterpreted what he was ultimately trying to say, and then insulted him because of it. -Jim
Re: [Clamav-users] Cherishing my ignorance - An appeal to package rs
Dennis Peterson wrote: Jim Maul wrote: Bart Silverstrim wrote: On Nov 9, 2006, at 2:09 PM, Jim Redman wrote:
Folks, I have to say, of all the lists I subscribe to, the vocal members of this list are the most arrogant and insulting. However, I consider comments such as Luca Gibelli's, bandwidth wasting, We are happy to suffer this loss. and Dennis Peterson's His specific problem is he lacks the skill to install and manage the product reflect more about the person making the comment, rather than the target.
You're forgetting one detail that probably was the most provoking, though. He started right off saying he cherishes his ignorance. How many of our problems as sysadmins come from user ignorance? How much worse is it when you have to deal with another peer's ignorance, and worse yet, WILLFUL ignorance? Hi, I'm hired to do a complicated and skillful job as a sysadmin, but want to know nothing about how or why this software stuff works...can you help me? By, like, doing it for me?
Maybe I missed it, but where in his original email did he ask anyone to help him by doing something for him? From what I can see, he didn't even ask for help at all. The way I took it was: Gee, I downloaded this package for clamav and installed it and now there are all sorts of other things that still need to be done to get it working correctly. Maybe clamav developers could work with the package maintainers to make this process go more smoothly?
This is precisely a request for help and for someone, anyone but him, to build a product to his specification. Your statement is made illogical by your example.
Says who, you? Sorry, but I really couldn't care less about what you have to say. By the way, it was a SUGGESTION, not precisely a request for help as you seem to think.
In fact he went on to write several screens of rant about why he doesn't like the services of the ClamAV packagers. Had he written code instead of smearing their efforts he'd have a working installer now.
Sorry, everyone isn't as smart as you think you are.
In fact, apache, a far more common application than ClamAV, requires vastly more after-install configuration and management effort than does ClamAV, so his premise is farcical.
Yes, but will it WORK without this after-install configuration and management? Yes, it will.
There are no well-known IP ports for clamd and no well-known locations for Unix sockets. There is no master plan to tie various milter/filter programs together to use ClamAV. I use a milter and Sendmail. Others may prefer to use procmail. SpamAssassin is popular. Bringing it all together is what the admin is for. Continued user intervention is extremely necessary - this product has no brain - come prepared to use your own.
Of course. This job is not for the braindead or those who would rather not exercise their mind. That is in no way a reason for a product not to be improved if there is room for improvement.
Finally, it is a service not offered by the ClamAV team and personally I'd prefer they focus on getting 0.90 released than hand-holding slacker admins. My, aren't I being judgmental! Hell yes. I'm tired of sharing critical Internet services with admins who are not committed to their responsibilities.
And the OP may very well not be one of those committed admins. Who cares? He is still human and may actually have a valid suggestion - imagine that?! You seem to have completely ignored the real reason for the post and instead focused on the negatives as you seem to have some personal vendetta against anyone that isn't as smart as you. I bet it's lonely on top your little pedestal, no?
The binaries page has several links to packagers who are in a position to help. One of them supports his package. Those two should get together and solve this hellish problem. And he should quit laying blame on everyone else for his dire condition.
To think that there *might* actually be some packagers who are listening. Blasphemous!
Re: [Clamav-users] Cherishing my ignorance - An appeal to package rs
Bart Silverstrim wrote: On Nov 9, 2006, at 2:40 PM, Daniel J McDonald wrote: On Thu, 2006-11-09 at 10:24 -0500, Bart Silverstrim wrote: On Nov 7, 2006, at 6:48 PM, Jim Redman wrote: Chris, Christopher X. Candreva wrote: On Tue, 7 Nov 2006, Jim Redman wrote:
My observation is that of all the modern packages ClamAV fails to install and run successfully and securely without operator intervention.
I think that this should be refined to reference Fedora packages and perhaps not all of them. I don't use Fedora - I use Mandriva. And my experience has been that the RPMS provided by Mandriva do allow you to run out of the box with very little tweaking. That is important to me - I manage about 20 linux servers, but my primary responsibility is 196 routers and firewalls. I'm not ignorant of the build process - I learned how to build SRPM's working with this package - I merely don't have the time to mess with it. So, I understand the sentiment.
There are a number of reasons why I consider this a bad thing (other opinions have been expressed by others on the list). 4) (Altruism) It limits the adoption of ClamAV which in turn increase the number/penetration of viruses.
Maybe the project doesn't WANT people who have problems with their installs caused by willful ignorance...just a thought.
I personally think that's a poor attitude. Clueless newbies are important too. I personally will dump a project that takes too long to get working at all. As long as I can see progress it will keep my interest.
Cluelessness is one thing. Willful cluelessness is another. There is a difference. What you're talking about is hassle...if it's too much hassle, you move on to something else. That's fine and dandy. But there are many many many people who are using, for example, ClamAV without throwing a fit because there's too much in the conf file to set up. The distinction is you can get frustrated and ask for help, or you can get frustrated and bitch about it rather than read the comments in the conf file. There's a lot, it can be tedious to a degree, but you're not having to go through source code to figure out how to get it to work. I have found that *overall*, with all the different distros out there, it is impossible to come up with a one-size-fits-all solution but the config files and guides for installation and configuration on the Internet are enough that you need not invest a lifetime to getting this one project working. As I've said in other posts, the problem (as I see it) isn't necessarily that he's clueless, or a newbie. It's the attitude he approached the group with, the attitude of I don't know anything and want to stay ignorant. You should make it so I can stay ignorant but get this to work. This is something that can easily ruffle some feathers, especially when so many in the group have started in that position but learned how to get it to work. It's also shocking for a sysadmin to declare that they want to stay ignorant of the equipment they're using...I want to be a rocket scientist, but don't want to take that nasty physics stuff...you should make it easier!
I understand completely what you are saying and also agree with it. However, regardless of how clueless the rocket scientist wants to remain (which, yes, is a poor attitude), IF there is room for improvement or IF some part of the process CAN be made easier, shouldn't it? This has nothing to do with the fact that he wants to remain ignorant. It really seems as if everyone read that part and COMPLETELY missed what he was really trying to say and instead focused on blasting the guy because of his willingness to remain ignorant.
For example, the Hobbitmonitor project is buried deep on my todo list - There are about 15 post release patches that have to be individually applied in a certain order, and I have yet to get it right and have it compile. So I ignore it, and think If I ever get about 4 hours of un-interrupted time, I'm going to tackle that beast. Of course, I don't have 4 hours, so it just gets deeper on the pile, and I never get my monitoring server built, and I never am able to contribute back to the project by helping other clueless newbies...
Then cut it loose. This seems to be a hard concept...similar problems crop up, and my response is something along the lines of, Well, your company isn't hiring enough to properly staff your department or manage the staff properly...if it were truly important, you'd get the time. So either suffer with the lack of XYZ, or have them hire more people, or move to another company that does respect their IT department's role more. Well, that's not realistic... Well, then it sounds like you are going with A, suffer the lack of XYZ. Accept it, quit complaining. crickets... I'm not saying every project requires you to cut off fingers and chant voodoo incantations to work. I'm just saying that ClamAV isn't rocket
Re: [Clamav-users] Cherishing my ignorance - An appeal to package rs
Dennis Peterson wrote: Dennis Peterson wrote: Jim Maul wrote: somebody else wrote:
Gee, I downloaded this package for clamav and installed it and now there are all sorts of other things that still need to be done to get it working correctly. Maybe clamav developers could work with the package maintainers to make this process go more smoothly?
This is precisely a request for help and for someone, anyone but him, to build a product to his specification. Your statement is made illogical by your example.
Says who, you? Sorry, but I really couldn't care less about what you have to say. By the way, it was a SUGGESTION, not precisely a request for help as you seem to think.
It was the ? at the end of your statement that gave it away. That forced it away from a suggestion to an actual beseeching.
Thank you for your overly literal take on my post. Is this a question?: Hi? Adding a ? to the end of a sentence does not magically turn the sentence into a question. At least not one that's meant to be responded to as one. One can make a suggestion in a questioning manner in such a way that they are not actually looking for an answer to the question. Take this brief conversation for example:
Customer: When I'm driving and my car reaches 50mph, my steering wheel shakes badly.
Mechanic: Well there could be a couple things wrong that would cause that.
Customer: Maybe it's my new tires I just had installed?
Would you take this to mean that the customer is actually asking if the new tires are at fault? It makes more sense to take this as the customer is SUGGESTING to the mechanic that MAYBE the tires are at fault and that it would be a good starting point to begin troubleshooting the problem. Just like the OP was suggesting that maybe the clamav team could work with package maintainers to make the process of installing clamav from packages more consistent/user friendly. If the clamav team does not like this suggestion, they are free to ignore it and if they do like it, then maybe something will be done with it some day. Either way, the OP in no way deserved the insults and harassment he received.
From Webster's beseech One entry found for beseech. Main Entry: beseech Pronunciation: bi-'sEch, bE- Function: verb Inflected Form(s): -seeched or besought /-'sot/; -seeching Etymology: Middle English besechen, from be- + sechen to seek transitive verb 1 : to beg for urgently or anxiously 2 : to request earnestly : IMPLORE intransitive verb : to make supplication synonym see BEG - beseechingly /-'sE-chi[ng]-lE/ adverb I like the synonym offered.
That's nice. I like pizza.
Nothing to see here, people, let's get back to work.
I've been working all day, but thanks for the permission. -Jim
Re: [Clamav-users] let's all make a regular domation to ClamAV
Sergei Lavrov wrote: --- Jim Maul [EMAIL PROTECTED] wrote: Per Jessen wrote: Sergei Lavrov wrote:
Dear ClamAV users, If you are using ClamAV in your business and you are happy about it, I would like to call upon you to make a regular donation to the ClamAV project. Those folks have spent a great deal of time to provide us with timely virus updates and I hate to see they have to pay out of their own pockets for this great project. If all the users make a regular donation of as little as USD$60 a month (That's only $2 a day) to ClamAV, it will make a great difference. Of course, you can give more if you are able to. Don't just be a freeloader.
I think it is entirely reasonable, but for a business to make donations, I think the ClamAV project needs to be able to 1) issue invoices and 2) accept payment via non-paypal channels. Maybe even in EUR.
Exactly. I use clamav on our mail gateway at a non profit 80 bed hospital. We are a tiny little thing and have a very limited budget as is. $2/day may not sound like much, but when our whole budget for the year is only $5000, there is just no way we can shell out that kind of cash. Factor in the necessary paperwork for a corporate environment and it really becomes a no-go.
Then how about just donating $20 ??
Personally? Sure - I have made past personal donations to various groups. I was speaking about a commercial donation which is difficult when there is no paperwork submitted. Jim
Re: [Clamav-users] let's all make a regular domation to ClamAV
Per Jessen wrote: Sergei Lavrov wrote:
Dear ClamAV users, If you are using ClamAV in your business and you are happy about it, I would like to call upon you to make a regular donation to the ClamAV project. Those folks have spent a great deal of time to provide us with timely virus updates and I hate to see they have to pay out of their own pockets for this great project. If all the users make a regular donation of as little as USD$60 a month (That's only $2 a day) to ClamAV, it will make a great difference. Of course, you can give more if you are able to. Don't just be a freeloader.
I think it is entirely reasonable, but for a business to make donations, I think the ClamAV project needs to be able to 1) issue invoices and 2) accept payment via non-paypal channels. Maybe even in EUR.
Exactly. I use clamav on our mail gateway at a non profit 80 bed hospital. We are a tiny little thing and have a very limited budget as is. $2/day may not sound like much, but when our whole budget for the year is only $5000, there is just no way we can shell out that kind of cash. Factor in the necessary paperwork for a corporate environment and it really becomes a no-go.
Re: [Clamav-users] Freshclam says 0.90RC1.1 is outdated
Eric Peabody wrote: Installed an update of clamav using the only download available from the 'stable' link on the website, which is 0.90RC1.1. Am now getting a message that says that the installation is 'OUTDATED'. Should I be using a different entry for /DNSDatabaseInfo/? Here is the output:
    # freshclam -v
    Current working dir is /usr/local/share/clamav
    Max retries == 3
    ClamAV update process started at Thu Oct 26 10:51:34 2006
    Querying current.cvd.clamav.net
    TTL: 900
    Software version from DNS: 0.88.5
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.90RC1.1 Recommended version: 0.88.5
Of course it says it's outdated, 0.90RC1.1 != 0.88.5. If you are going to run anything but the current stable version, you shouldn't be surprised to see messages like this. There is no problem here, move along.. -Jim
Re: [Clamav-users] how to decern what to scan?
Jim Shupert, Jr. wrote: I have clam av on a redhat ES3 linux machine. I do not see where I can declare what directory it is to scan?
pass it on the command line?
what do I config to make that happen?
your brain?
like if I wanted to scan mnt/data ( where data is a mounted 2nd drive ) or mnt/data/dog( where dog is a dir on the drive data )
clamscan /mnt/data/dog/ ?
and if I wanted to scan this once a day?
cron?
thanks!
welcome?
Re: [Clamav-users] clamav scan crashes server
David Woolley wrote: Hi Dennis, Have I done something to offend you?
Perhaps asking a question which is easily answered with a command you have already run?
I have posted to this list to ask for help with an issue that the developers of the Linux distro I use have marked as WONTFIX because they identify it to be a bug in ClamAV.
That may be, but if you would like to submit a bug report, you should use https://bugs.clamav.net/ rather than arguing with someone on this list.
You are not obliged to answer, yet you have done so twice with rather cryptic replies that don't really move the discussion forward. I am a newbie to the cli of the clam family, but I am not an idiot.
Did someone call you one? I think I missed that post.
I have previously run clamscan --help and man clamscan. I haven't found my answer there.
Yes, you have found the answer. Do you see an option to limit the maxfilesize? No, because there isn't one. Question answered. This is exactly what Dennis was trying to show you. Why would you assume there must be some option for this when it clearly doesn't mention anything about it in the man pages or with --help? Do you think there is some secret option to limit the filesize that is undocumented and no one wants to tell you about? -Jim
Re: [Clamav-users] bash script to split mbox file and scan individual messages
[EMAIL PROTECTED] wrote: jef moskot wrote:
I have a small script I modify to do the job of lifting the offending messages out of the mbox files. On a large scale, there's the obvious problem of modifying files that could be in use or files that the user could be modifying during the stripping process. I can monitor these fairly easily in my environment, but on a larger scale, this would certainly be a much nastier problem. As to the question of whether or not the files have been accessed already, in the general case, I can get to the mailboxes before they are accessed by a majority of the users. Certainly a high enough percentage to make the task worth it. Again, though, this is due to our environment.
I can see this working in a smaller environment although I still think it is less than ideal because you have the potential to scan email that has already been scanned and dubbed clean, especially using mbox. It seems to me that in a larger environment scanning at the SMTP level is ideal. Steve
You seem to be missing the point here. Nowhere that I saw did anyone say that they are scanning the mailboxes INSTEAD of at smtp time. This mailbox scanning is in addition to smtp scanning. I think anyone could agree that additional scanning is beneficial (although not always necessary). Therefore, I don't see the point of your argument. -Jim
Re: [Clamav-users] bash script to split mbox file and scan individual messages
[EMAIL PROTECTED] wrote: Jim Maul wrote:
You seem to be missing the point here. Nowhere that I saw did anyone say that they are scanning the mailboxes INSTEAD of at smtp time. This mailbox scanning is in addition to smtp scanning. I think anyone could agree that additional scanning is beneficial (although not always necessary). Therefore, I don't see the point of your argument. -Jim
A quote from a previous email (not from me): It would be theoretically possible to do all the above on line, but the chances of dying from a DOS attack would be very high. So off-line scanning for malware and spam seems to me to be the best way to go unless you have unlimited horsepower. To me this implies that they want offline scanning instead. I could be wrong in the interpretation. It is just my counterpoint that this is not always the case.
Perhaps, but I read it differently.
But anyway, why would you want to perform additional virus scanning of mailboxes if it is all scanned upon arrival anyway? The only reason I could think is if virus definitions were updated after some malware had already been accepted and you want to go back and look for it.
Exactly. And to me, this is a very good reason to do so. Many people also scan incoming messages (during smtp) with multiple virus scanners. Do you also ask the question, Why scan the same message twice with 2 virus scanners? The same principle applies here - redundant scanning is a good idea.
I don't see this happening in large environments though.
Actually, I would expect this more in large environments. The more email a particular site receives, the greater the chance of missed viruses. It's simply a matter of volume. -Jim
Re: [Clamav-users] Rewrite subject and remove virus questions
Alejandro wrote: Nigel Horne wrote:
Finally I could install my first mail server with sendmail+clamav+clamav-milter among others packages. Because I'm a newbie I have these two short questions: 1) Does clamav remove virus from mail messages or it just scan and warn about virus ???
You can have clamav-milter block the message or scan and warn (see below). The phrase remove virus from mail messages has no meaning.
2) How can I rewrite the subject of infected mails with a **VIRUS** banner in order to process them with Procmail ???
Look for the X-Virus-Status header; it isn't what you asked for, but it may produce the same effect for you.
Really thanks !!! Alejandro
-Nigel
Ok...with remove I mean disinfect... so does ClamAV disinfect virus from mail messages ???
ClamAV disinfects nothing. -Jim
Re: [Clamav-users] (no subject)
Tim Jordan wrote: Is this really a virus?
No, but that's debatable.
HTML.Phishing.Pay-157 I think it's junk mail but CLAMAV reports it as a virus.
What else would clamav report it as? It's a virus scanner. Call it junk mail, spam, just plain garbage, etc. The point is, it's potentially harmful and as such, clamav detects it.
Thank you, Tim
-Jim
Re: [Clamav-users] Small number of ClamAV known viruses ?
Daniel J McDonald wrote: On Tue, 2006-07-18 at 17:11 +0200, Zvi Kave wrote:
Why ClamAV has significantly small number of known viruses in comparison to other AV software ?
I don't think that's true. 62 thousand signatures is a healthy amount.
    main.cvd is up to date (version: 39, sigs: 58116, f-level: 8, builder: tkojm)
    daily.cvd is up to date (version: 1601, sigs: 3715, f-level: 8, builder: ccordes)
But if you have samples that clamav is not finding, you are welcome to submit them.
Not to mention that clamav was designed to be an email virus scanner. Including signatures of viruses that are not transported through email would be a waste of time and resources for the scope of this project. If you enjoy the warm cozy feeling of your scanner being able to detect 10 year old dos viruses or some such thing, then perhaps you should choose a different scanner. -Jim
Re: [Clamav-users] Virus Definitions on a Private Network
Kathy Rossi wrote: Greetings, I am a new CLAMAV user. Is there any documentation anywhere that describes how to load new Virus definitions onto a system (and network) that is not attached to the internet?
http://www.clamav.net/faq.html#pagestart #26 -Jim
Re: [Clamav-users] Bug with --remove??
Daniel T. Staal wrote: On Thu, June 15, 2006 11:13 am, Kevin Lowe said:
Hi, I accidentally issued the following command where I mis-spelled remove:
    $ ./clamscan --remov /usr/home/projects/virus/
And it actually removed the file. I would expect either an error or the flag to be ignored. Is this a (minor) bug I should report? ClamAV 0.88.2 running on FreeBSD
Many Unix tools will allow you to abbreviate the flags to the shortest non-ambiguous string. I'd consider that normal behavior.
This appears to be the case:
    [EMAIL PROTECTED] jmaul]$ clamscan --r
    clamscan: option `--r' is ambiguous
    ERROR: Unknown option passed.
    [EMAIL PROTECTED] jmaul]$ clamscan --re
    clamscan: option `--re' is ambiguous
    ERROR: Unknown option passed.
    [EMAIL PROTECTED] jmaul]$ clamscan --rem
    [EMAIL PROTECTED] jmaul]$ clamscan --remo
    [EMAIL PROTECTED] jmaul]$ clamscan --remov
    [EMAIL PROTECTED] jmaul]$ clamscan --remove
    [EMAIL PROTECTED] jmaul]$ clamscan --remhjhj
    clamscan: unrecognized option `--remhjhj'
    ERROR: Unknown option passed.
-Jim
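The prefix matching shown in the session above, as an added example (not clamscan's code and not from the thread): Python's standard `getopt` module applies the same unique-prefix rule to long options, so it can resolve a command line the way the transcript shows and report a destructive option that was typed in abbreviated form. `LONGOPTS` is a constructed subset of clamscan's options, and `DESTRUCTIVE` and `audit()` are hypothetical names.

```python
import getopt

# Constructed subset of clamscan's long options (assumption for this demo; the
# real table is longer). A trailing "=" marks an option that takes a value.
LONGOPTS = ["recursive", "remove", "quiet", "infected", "move=", "log="]

# Options that delete or relocate files: require these to be spelled in full.
DESTRUCTIVE = {"--remove", "--move"}


def audit(argv):
    """Resolve argv with the unique-prefix rule and report destructive options
    that were abbreviated. Long options only (hypothetical helper)."""
    result = {"ok": False, "error": None, "options": [],
              "abbreviated": [], "paths": []}
    try:
        opts, paths = getopt.gnu_getopt(argv, "", LONGOPTS)
    except getopt.GetoptError as exc:
        # Ambiguous prefix or unknown option: the parser itself refuses.
        result["error"] = exc.msg
        return result

    pos = 0
    for canonical, _value in opts:
        # Find the raw token this resolved option came from.
        while not argv[pos].startswith("--"):
            pos += 1
        typed = argv[pos].split("=", 1)[0]
        takes_value = canonical[2:] + "=" in LONGOPTS
        # "--move DIR" consumes the next token as its value; "--move=DIR" does not.
        pos += 2 if takes_value and "=" not in argv[pos] else 1
        if canonical in DESTRUCTIVE and typed != canonical:
            result["abbreviated"].append((typed, canonical))

    result["options"] = [name for name, _ in opts]
    result["paths"] = paths
    result["ok"] = not result["abbreviated"]
    return result


if __name__ == "__main__":
    # Constructed command lines mirroring the spellings tried in the thread.
    for args in (["--r", "/srv/scan"], ["--re", "/srv/scan"],
                 ["--rem", "/srv/scan"], ["--remov", "/srv/scan"],
                 ["--remove", "/srv/scan"], ["--remhjhj", "/srv/scan"],
                 ["--mov", "/srv/quarantine", "/srv/scan"]):
        print(args, "->", audit(args))
```

A wrapper around scheduled scans can run a check like this first and refuse to start when `ok` is false, so a mistyped flag never silently becomes `--remove`.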
Re: Out of Office AutoReply: [Clamav-users] Question About Quarantine
Dennis Peterson wrote: Wiltshire, Michael wrote:
I am currently out of office and will return on Wednesday 31st May 2006 . Please report any urgent matters to the help desk at 4008, or the computer room at 6013.
People - please think long and hard before enabling broken auto-responders.
Like users of the autoresponder know if it is broken or not.
If you are on a mail list such as this, think longer and harder than usual. Then don't do it.
Right. That seems like an acceptable solution. Hell, why even have autoresponders at all then?
What ever you do, don't put useless internal phone numbers in a message that is going to be sent to the world at large unless you want to look like an idiot.
This I actually agree with. -Jim
Re: Out of Office AutoReply: [Clamav-users] Question About Quarantine
Daniel T. Staal wrote: On Wed, May 17, 2006 12:12 pm, Jim Maul said:
If you are on a mail list such as this, think longer and harder than usual. Then don't do it.
Right. That seems like an acceptable solution. Hell, why even have autoresponders at all then?
I figure autoresponders are relics of the way email worked in the 80's. Back before spam, and email viri, and big mailing lists, and web-accessible email. These days, being out of the office, or town, or country, is no reason for you to not be able to get your email, if you felt you needed to. So, the only reason you aren't responding is that you don't want to.
Yes, I certainly don't want to check my work email when I am on vacation. Apparently you feel otherwise.
The fact that some email packages still have autoresponders is a misfeature, in my eyes.
Perhaps we should eliminate answering machines then too? I mean hell, if they don't answer the phone, they must not be home.
Luckily, my spam filter catches them. That's all they are, anyway. More spam.
Spam is unsolicited. If you send a message to a mailing list and don't expect a reply, why even bother sending your message? -Jim
Re: Clam is run or not ?? was:[Re: [Clamav-users] Can't initializethe virus database]
Rob MacGregor wrote: On 5/15/06, Salvatore Basso [EMAIL PROTECTED] wrote:
..I do not know like executing freshclam !!, with the previous clamav version I executed: #/usr/local/bin/freshclam - d ...but after the installation of the new clamav version I don't have nothing in '/usr/local/bin/' and I don't have nothing also in other directories.
Then you have a problem with the package you're installing. You need to contact the person who created it. Either that or learn how to install from source and read the documentation...
Sounds like you didn't install the clamav-server package or whatever it happens to be called for your distro. Seems that maintainers are breaking these out into separate rpms now and it's causing a lot of confusion when people don't realize it. -Jim
Re: [Clamav-users] aucun objet
larondedesarts wrote: What can I do when I've done a scan and this appears. See the attachment Please help
umm...what attachment? -Jim
Re: [Clamav-users] Clam-AV Corrupt
Fahmi (JN) wrote: Dear All. I had problem with Clam-AV, see the error below:
    Apr 21 09:52:18 mx1a X-Qmail-Scanner-1.25: [mx1a.ha.jetcoms.net114558793049323571] clamscan: corrupt or unknown ClamAV scanner error or memory/resource/perms problem - exit status 64
Question: What does cause this error ... ???
I'd guess memory/resource/permissions, but that's just me. It could be anything. Softlimit too low? permissions of /var/spool/qmailscan incorrect? permissions of clamav related directories not correct? The list goes on and on..you're going to have to track this one down yourself. -Jim
Re: [Clamav-users] clamscan error and requirements
roger martinez wrote: I saw your message and I tried So , no success ! I just modify clamd.conf in TemporaryDirectory uncomment line and put /usr/local/tmp clamav continue to work with /tmp I don't know what to do Best regards Roger Martinez
Did you kill clamd and restart it? dp
clamscan command still follow to work with /tmp If I modify the 2 clamd.conf (I have sources ) to /usr/local/tmp , it's the same the error is the same as highly. can somebody try to change TemporaryDirectory /tmp to /usr/local/tmp and before shutting down pc control with ls -a new tmp directory please About clamd of course it's not in use then nothing to kill
clamscan doesn't listen to clamd.conf! -Jim
Re: [Clamav-users] hostnames and aliases reported incorrectly on inux
Blackburn, Marvin wrote: I am running cfg2html-linux 1.14-3 for rhel 3.0 up5 I cloned this system from another and the report is generating the wrong hostname and alias information. I've checked /etc/hosts and /etc/sysconfig/network and /etc/sysconfig/network-scripts and all the information seems correct. In addition hostname and uname report the correct information. Where/howdoes cfg2html determine this? u and this has what to do with clamav? -Jim ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] clamscan delete the entire mailbox
Jason Haar wrote: Richard Feldmann wrote: It might be best to find a scanning system that checks at the smtp level, rather than scanning the mailbox of the user manually. This would delete the virus as it's being transferred while preserving the message, and you wouldn't have the same issue of having the entire mailbox being deleted. That's not standard practice. Most sites not only scan as mail comes in via SMTP, but they also scan *nightly* the end mailstores to pick up viruses missed at the SMTP level (e.g. Day-Zero viruses) Just because a message got delivered doesn't mean it doesn't have a virus... Then use maildirs rather than mbox format. It eliminates the problem you are having. And hey, it might even give your machine a performance boost.. -Jim ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Clamav and qmail-scanner problem?
Sam DeForest wrote: Does this look right? I have been watching the full header information lately to see if mails are being scanned with purpose. Im noticing that (or what seems like) Clamav is using an older database. Here is a snippet of the header of one message.. [EMAIL PROTECTED], uid 508) with qmail-scanner-1.25-st-qms (clamdscan: 0.88/1235. spamassassin: 3.0.0. perlscan: 1.25-st-qms. Clear:RC:0(220.175.180.80):SA:0(-1.2/5.0): Now what concerns me is the 0.88/1235 I have ran freshclam, as I do every evening to update with the latest database. According to Clamav's website the latest daily.cvd is 1288 and main.cvd is 35. 1235 is the (starter) daily.cvd that comes with the source package for ClamAV version 0.88 I have stopped and started clamd manually, and made sure that notify is uncommented in the freshclam.conf file. And the clamd.conf file was configured properly. So, in my estimation, it looks to be that clamdscan is not using the latest database release when qmail-scanner is invoked. Anyone have an idea on this? If you need to see snippets of log files just let me know what you need. run qmail-scanner-queue.pl -z in a cronjob every day or hour or whatever you like. [EMAIL PROTECTED] qscan]# cat qmail-scanner-queue-version.txt clamdscan: 0.88/1284. spamassassin: 3.1.0. [EMAIL PROTECTED] qscan]# /var/qmail/bin/qmail-scanner-queue.pl -z [EMAIL PROTECTED] qscan]# cat qmail-scanner-queue-version.txt clamdscan: 0.88/1287. spamassassin: 3.1.0. [EMAIL PROTECTED] qscan]# -Jim ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] minor bug in manager.c
Bob Hutchinson wrote: There is a thread going on in the logwatch ML, pertaining to a bug found in the freshclam logging. It would appear to occur when syslog is used rather than freshclam's own log in Fedora. Looking at clamav-devel/freshclam/manager.c Line 67 logg(ClamAV update process started at %s, ctime(currtime)); other uses of the logg function in manager.c *do* have a linefeed (\n) Are you implying that there *should* be a linefeed? A post earlier this morning seems to say that there *shouldnt* be any linefeeds. Im confused... Hello, First time posting to the list here. Perhaps this should have gone to the developers list though - not sure. Some of us over at the logwatch list have noticed that freshclam syslog entries were not being detected by the logwatch filters. The cause of this turned out to be that entries to syslog are being terminated with newlines, which syslog happily turns into trailing spaces. For example (output using vim's :set list command to end of line with a $): Jan 15 05:01:34 glacier freshclam[30051]: Daemon started. $ Jan 15 05:01:34 glacier freshclam[30051]: ClamAV update process started at Sun Jan 15 05:01:34 2006 $ Clamav is the only service that seems to include a newline in its syslog entries. This should probably be stripped before being sent to syslog. Thanks, MrC -Jim ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] minor bug in manager.c
Bob Hutchinson wrote: On Friday 20 Jan 2006 18:01, Jim Maul wrote: Bob Hutchinson wrote: There is a thread going on in the logwatch ML, pertaining to a bug found in the freshclam logging. It would appear to occur when syslog is used rather than freshclam's own log in Fedora. Looking at clamav-devel/freshclam/manager.c Line 67 logg(ClamAV update process started at %s, ctime(currtime)); other uses of the logg function in manager.c *do* have a linefeed (\n) Are you implying that there *should* be a linefeed? A post earlier this morning seems to say that there *shouldnt* be any linefeeds. Im confused... To be honest, so am I. It would appear that the 'ClamAV update process started at...' line puts a trailing space on the line when used in syslog under some version of Fedora. This has caused a glitch in Logwatch's parsing of freshclam entries in maillog. The linefeed (\n) is automatically inserted by ctime, not by anything in the code. Check man ctime as suggested by Tomasz earlier. The easiest solution is to make Logwatch tolerant of trailing spaces in this instance, as has been discussed on the Logwatch ML. This would seem to be the better solution as lots of things log to syslog and its easier to change logwatch than to make sure everything that logs to it either does or doesnt include a trailing space. If Tomasz Kojm and the other coders feel that there shouldn't be a linefeed at this point I'm sure they are right, I'm just trying to establish wether the problem lies with Clamav, Fedora's rendition of syslog or Logwatch. As I don't use Fedora or freshclam - syslog I can't really test it out myself. I suspect that the problem is buried somewhere in Fedora, but log parsers generally should be tolerant of trailing spaces. They happen. I agree. -Jim ___ http://lurker.clamav.net/list/clamav-users.html
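The behaviour discussed in this thread, as an added example that is not taken from the ClamAV or Logwatch sources: ctime() ends its result with a newline, so a message built from it reaches syslog with trailing whitespace, and a parser that compares whole messages then misses the entry. The function names are hypothetical and the sample lines are constructed after the ones quoted in the thread.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed sample syslog lines; the first carries the trailing space. */
static const char *SAMPLE_LINES[] = {
    "Jan 15 05:01:34 glacier freshclam[30051]: Daemon started. ",
    "Jan 15 05:01:34 glacier freshclam[30051]: Daemon started.",
};

/* 1 if ctime()'s result for t ends in '\n' (the C standard format does). */
int ctime_ends_with_newline(time_t t)
{
    const char *s = ctime(&t);
    size_t n = s ? strlen(s) : 0;
    return n > 0 && s[n - 1] == '\n';
}

/* Sender side: build the start-up message with the newline removed
 * before it is handed to the logger. Hypothetical helper, not the
 * code in freshclam/manager.c.
 * Returns 0 on success, -1 if ctime() fails or out is too small. */
int format_update_started(time_t now, char *out, size_t outlen)
{
    char stamp[64];
    const char *s = ctime(&now);      /* static buffer: copy it first */
    size_t n;
    int w;

    if (s == NULL || strlen(s) >= sizeof stamp)
        return -1;
    strcpy(stamp, s);
    n = strlen(stamp);
    while (n > 0 && isspace((unsigned char)stamp[n - 1]))
        stamp[--n] = '\0';
    w = snprintf(out, outlen, "ClamAV update process started at %s", stamp);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

/* Parser side: compare the message part of a freshclam syslog line with
 * an expected string. With tolerant != 0, trailing whitespace in the
 * logged message is ignored, which is the fix proposed for the parser. */
int message_equals(const char *line, const char *expected, int tolerant)
{
    const char *tag = strstr(line, "freshclam[");
    const char *msg;
    size_t len;

    if (tag == NULL)
        return 0;
    msg = strstr(tag, "]: ");
    if (msg == NULL)
        return 0;
    msg += 3;
    len = strlen(msg);
    if (tolerant)
        while (len > 0 && isspace((unsigned char)msg[len - 1]))
            len--;
    return len == strlen(expected) && memcmp(msg, expected, len) == 0;
}

int main(void)
{
    char buf[128];
    time_t now = time(NULL);

    printf("ctime() ends with newline: %d\n", ctime_ends_with_newline(now));
    if (format_update_started(now, buf, sizeof buf) == 0)
        printf("[%s]\n", buf);
    printf("strict match:   %d\n",
           message_equals(SAMPLE_LINES[0], "Daemon started.", 0));
    printf("tolerant match: %d\n",
           message_equals(SAMPLE_LINES[0], "Daemon started.", 1));
    return 0;
}
```

Either side alone removes the mismatch: the sender can strip the newline, or the parser can ignore trailing whitespace.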
Re: [Clamav-users] Report infected mail to the user
[EMAIL PROTECTED] wrote: Hi, I'm using Exim4, Courier and clamav. Clamav works fine on my server. When an infected message is detected, clamav removes it and sends a report to the sender. Is it possible to inform the recipient about the rejected mail? Yes, it is possible, but clamav doesn't handle this. This is done by whatever program calls clamav. Not to mention, why would you want to inform the recipient of every virus that was addressed to them but caught? -Jim
Re: [Clamav-users] what is the default port that clamav (clamd) runs on
Todd Lyons wrote: Grant Basson wanted us to know: Should you ever come back to visit this list you'll learn that everything you need to know about this can be found in your clamd.conf file. That leaves for you the challenge of finding that clamd.conf file. I feel like a twit, but here goes anyway. How the heck do you run clamd? Man pages suggest that I just type clamd, I get the following response: [EMAIL PROTECTED] ~]$ clamd -bash: clamd: command not found Its also very possible that the package you installed is broken out into multiple rpm's and you didnt install the 'server' rpm so your clamd binary is missing. It's not in the path for user grant. There should be a super user on your system that will have that binary in the path. [EMAIL PROTECTED] ~]$ clamdscan ERROR: Clamd is not configured properly. Does this mean clamd is running? No. It probably also means that it is definitely not running. This is extremely confusing, any assistance would be GREATLY appreciated. By the way, I'm replying to this message, because clamd.conf man page, said clamd.conf was in /etc in my case I had to create it the rpm should create the clamd.conf so if you dont have one, it seems to verify what i said above. Check to make sure you have a clamd binary on your system. If its not there at all, check to make sure the package you installed doesnt have a server rpm which was missed during installation. -Jim ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] clamdscan doesn't recognize virus
Marco Berizzi wrote: AAAHH!!! Find! ;-) Here is the option: ArchiveMaxFileSize 500k Commenting this option has solved the problem. I really don't understand. Umm.. I wouldn't comment it. You might want to just consider raising the limit. It's there for a reason. -Jim
Re: [Clamav-users] handle_user: unable to find user
Fast Johnny wrote: I keep seeing these messages in my mail.info: Aug 31 10:46:40 localhost spamd[19280]: connection from localhost.localdomain [127.0.0.1] at port 60582 Aug 31 10:46:40 localhost spamd[19280]: handle_user: unable to find user '[EMAIL PROTECTED]'! Aug 31 10:46:40 localhost spamd[19280]: checking message (unknown) for [EMAIL PROTECTED]:8. Aug 31 10:46:44 localhost spamd[19280]: identified spam (6.2/5.0) for [EMAIL PROTECTED]:8 in 3.8 seconds, 3646 bytes. There is a vpopmail user named: bob (bob is a fake name I used as an example) Yet, bob does get the email. I'm wondering what is causing this error. I search this mail list and can't seem to find anything. Thanks, Eric Umm..this is clamav, not spamassassin ML. -Jim ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] viruses database is not updating
Lingeshwar Pothani wrote: Dear All, We have installed and configured Clamscan in 2004. when i run /usr/local/bin/freshclam --quiet -l /var/log/clam-update.log it gives the following error in above log file ERROR: md5 sum not found on remote server ERROR: Can't get viruses.md5 sum from clamav.elektrapro.comhttp://clamav.elektrapro.com Can you explain why this error message is appearing in log and give us the remedy for this. Thanks Regards Lingesh ___ Why? Cause youre probably still running the version of clamav that you installed in 2004. Remedy? Upgrade. -Jim ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] uncompressed zip size of Zero
q# wrote: On Wed, Jul 27, 2005 at 10:46:42AM -0700, [EMAIL PROTECTED] wrote: Is there currently a work around to avoid this situation? Is anyone just rejecting messages with a zip that has a zip header that says the file size is Zero when uncompressed? Could you be more specific, I don't understand what you mean. You want reject zip files with empty files inside, yes? Like this: $ unzip -vl /tmp/empty.zip Archive: /tmp/empty.zip Length MethodSize Ratio Date Time CRC-32Name -- --- - -- 0 Stored0 0% 07-27-05 19:58 empty.txt --- ------ 00 0%1 file I believe the OP is referring to a new technique being used by virus writers where the email has a zip attachment which APPEARS to be 0 bytes (in the zip header) but when uncompressed, the file is in fact not 0 bytes. There was a recent article about this somewhere but i am unable to find the link ATM. -Jim ___ http://lurker.clamav.net/list/clamav-users.html
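A defensive check for the mismatch described in the reply above, as an added example that is not ClamAV code: it reads the size fields of a ZIP local file header and flags an entry that declares an uncompressed size of 0 while carrying a non-trivial amount of compressed data. The function names, the 16-byte allowance for an empty compressed stream and the sample headers are assumptions made for this example; the samples are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum zip_verdict { ZIP_OK, ZIP_SUSPICIOUS, ZIP_DEFERRED, ZIP_MALFORMED };

#define ZIP_LOCAL_SIG    0x04034b50u  /* "PK\3\4" read as little-endian */
#define ZIP_FLAG_DESCR   0x0008u      /* sizes follow the data instead */
#define ZIP_HDR_LEN      30u          /* fixed part of the local header */
#define EMPTY_STREAM_MAX 16u          /* assumed allowance: a compressed
                                         empty file is only a few bytes */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Judge one local file header. A caller should treat ZIP_SUSPICIOUS as
 * "do not trust the declared size; scan the payload anyway". */
enum zip_verdict check_local_header(const uint8_t *buf, size_t len)
{
    uint16_t flags, method;
    uint32_t csize, usize;

    if (len < ZIP_HDR_LEN || rd32(buf) != ZIP_LOCAL_SIG)
        return ZIP_MALFORMED;
    flags  = rd16(buf + 6);
    method = rd16(buf + 8);
    csize  = rd32(buf + 18);
    usize  = rd32(buf + 22);
    /* file name and extra field must fit in what we were given */
    if ((size_t)ZIP_HDR_LEN + rd16(buf + 26) + rd16(buf + 28) > len)
        return ZIP_MALFORMED;
    /* Edge case: with bit 3 set the header sizes are legitimately 0
     * and the real values are in the data descriptor / central directory. */
    if (flags & ZIP_FLAG_DESCR)
        return ZIP_DEFERRED;
    if (method == 0 && csize != usize)      /* stored: sizes must agree */
        return ZIP_SUSPICIOUS;
    if (usize == 0 && csize > EMPTY_STREAM_MAX)
        return ZIP_SUSPICIOUS;
    return ZIP_OK;
}

/* Build a constructed sample header (no payload) for the checks below.
 * Returns the number of bytes written, or 0 if cap is too small. */
size_t make_sample(uint8_t *out, size_t cap, uint16_t flags, uint16_t method,
                   uint32_t csize, uint32_t usize, const char *name)
{
    size_t nlen = strlen(name);

    if (nlen > 0xffff || cap < ZIP_HDR_LEN + nlen)
        return 0;
    memset(out, 0, ZIP_HDR_LEN);
    wr32(out, ZIP_LOCAL_SIG);
    wr16(out + 4, 20);                      /* version needed to extract */
    wr16(out + 6, flags);
    wr16(out + 8, method);
    wr32(out + 18, csize);
    wr32(out + 22, usize);
    wr16(out + 26, (uint16_t)nlen);
    memcpy(out + ZIP_HDR_LEN, name, nlen);
    return ZIP_HDR_LEN + nlen;
}

int main(void)
{
    static const char *names[] = { "ok", "suspicious", "deferred", "malformed" };
    uint8_t b[64];
    size_t n;

    n = make_sample(b, sizeof b, 0, 0, 0, 0, "empty.txt");
    printf("really empty, stored:     %s\n", names[check_local_header(b, n)]);
    n = make_sample(b, sizeof b, 0, 8, 20480, 0, "a.bin");
    printf("declares 0, carries 20 KB: %s\n", names[check_local_header(b, n)]);
    n = make_sample(b, sizeof b, ZIP_FLAG_DESCR, 8, 0, 0, "a.bin");
    printf("sizes in data descriptor: %s\n", names[check_local_header(b, n)]);
    return 0;
}
```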
Re: [Clamav-users] Wrong version info in header after upgrade
Thomas Booms wrote: Hello all, I've just upgraded from 0.86.1 to 0.86.2. The test tells me this: freshclam -v Current working dir is /usr/local/share/clamav Max retries == 3 ClamAV update process started at Tue Jul 26 13:17:22 2005 Querying current.cvd.clamav.net TTL: 900 Software version from DNS: 0.86.2 main.cvd version from DNS: 33 main.cvd is up to date (version: 33, sigs: 36102, f-level: 5, builder: tkojm) daily.cvd version from DNS: 993 daily.cvd is up to date (version: 993, sigs: 1040, f-level: 5, builder: arnaud) Freeing option list...done And in the latest emails i got I see this: Received: (qmail 13171 invoked by uid 567); 26 Jul 2005 11:13:53 - Received: from 83.195.210.114 by host1 (envelope-from [EMAIL PROTECTED], uid 502) with qmail-scanner-1.25 (clamdscan: 0.86.1/993. spamassassin: 3.0.4. Clear:RC:0(83.195.210.114):SA:0(1.5/5.0):. Processed in 0.788787 secs); 26 Jul 2005 11:13:53 - I've expected to see clamdscan: 0.86.2/993. Is there something wrong? Thomas Yes, you forgot to run qmail-scanner-queue.pl -z This has nothing to do with clamav btw. -Jim ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Wrong version info in header after upgrade
Steven Spence wrote: Jim Maul wrote: And in the latest emails i got I see this: Received: (qmail 13171 invoked by uid 567); 26 Jul 2005 11:13:53 - Received: from 83.195.210.114 by host1 (envelope-from [EMAIL PROTECTED], uid 502) with qmail-scanner-1.25 (clamdscan: 0.86.1/993. spamassassin: 3.0.4. Clear:RC:0(83.195.210.114):SA:0(1.5/5.0):. Processed in 0.788787 secs); 26 Jul 2005 11:13:53 - I've expected to see clamdscan: 0.86.2/993. Is there something wrong? Thomas Yes, you forgot to run qmail-scanner-queue.pl -z This has nothing to do with clamav btw. Or you can just edit /var/spool/qmailscan/qmail-scanner-queue-version.txt with the correct version. While this is true, qmail-scanner-queue.pl -z also does some quick cleanup which is also a good idea. FWIW, http://qmail-scanner.sf.net states that this could/should be run daily from cron or some such thing. I am not quite sure why qmail-scanner just doesn't pull the version from the clamd binary instead of a text file. I never really understood this either.. -Jim ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Wrong version info in header after upgrade
Steven Spence wrote: Diego d'Ambra wrote: Steven Spence wrote: Or you can just edit /var/spool/qmailscan/qmail-scanner-queue-version.txt with the correct version. I am not quite sure why qmail-scanner just doesn't pull the version from the clamd binary instead of a text file. Performance? Qmail-scanner probably shouldn't have been written in perl if performance was a major factor. I would love to see a C version of qmail-scanner. Simscan has been the closest thing i've seen to a C version of qmail-scanner. http://www.inter7.com/?page=simscan -Jim ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Libclamav and zip files
Eric Scopinho wrote: But if I do that, some side effects could happen like: - I'll need free space to store the file. - The infected packets may get in while I store the next packets to scan. - I have to download the whole file before send it to the end-user. I'm trying to develop some sort of firewall+anti-virus using an embedded Linux with solid-state board, so space would be a problem. I saw one solution like that from Sonicwall's guys, but I don't know how they do that. I've hearded that Fortinet has it's own network-based anti-virus solution too (as an appliance). I was wondering how this guys handle the zip problem, since their hardware just have 128 of RAM and 16 of ROM. :-( I have a sonicwall pro 4060 which indeed does malware detection. I was curious how it could do this considering the data is passing through packet by packet. According to sonicwall, they have signatures developed which match viruses and malware on a packet level. Now this doesnt really make any sense to me because if a virus spans 20 packets or so, how can the device know this? Maybe the sonicwall tech support guy was talking out his ass..i dunno. But yes, there are devices that do this sort of thing. They cost $3,000+ though and i have no idea how they work. -Jim ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] virusDB update issue
Dawson wrote: I upgraded from an earlier version of clamav due to outdated db and had problems. The only one I will mention at the moment is that the freshclam.log keeps being overwritten by root and rendering it unable to be opened. I change the ownership to clamav (which is running clamav on the box) and before long the problem reoccurs. How do I fix this? ___ You tell logrotate(?) to use clamav user instead of root. There is indication of what os you are running but on rh9, its /etc/logrotate.d/freshclam and maybe also /etc/logrotate.d/clamd -Jim ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Problem with zip password
Marcos Dutra wrote: Hi guys, I use actually clamav 0.86.1 version in my e-mail server, but I have problems with zip files protected by password. I made a test with clamdscan -v *.zip and the result is: clamdscan -v *.zip /home/ricardo/Cpa.zip: Zip module failure ERROR /home/ricardo/Dbf.zip: Zip module failure ERROR I posted the zip file in this url: http://200.161.4.170/zip Thanks for advice. Marcos Dutra Your probably going to get a ton of replies that ask which version of zlib you are running. Might want to post that now. -Jim ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Clamav + Exim on FreeBSD
Odhiambo Washington wrote: * Christopher X. Candreva [EMAIL PROTECTED] [20050707 17:10]: wrote: On Thu, 7 Jul 2005, Trog wrote: What I wrote and what you wrote are different, hence different results. You are correct. You wrote: http://www.gzip.org/ However, The last modified date of the www.gzip.org page is July 27, 2003. There is no mention of a new version 'yesterday' (July 6 2005). At the bottom, there is a link to http://www.gzip.org/zlib/ for zlib . Given that page, I would think that would be the place to look for updates to zlib. Which brings us back to -- if a new version of zlib was released yesterday, where is it ? And, incidently, www.info-zip.org says that the only official site for zlib is now www.zlib.net : http://www.info-zip.org/pub/infozip/zlib/ Of course that page also says 1.2.2 was release in Feb 2005, while the other sites it was released in October of last year, which also matches the file dates on the source I have. What a mess. You are right Chris. I am with you on this one ;) I ran into this EXACT same problem a couple months back. A google search for zlib shows http://www.zlib.net A google search for libz shows http://www.info-zip.org/pub/infozip/zlib/ which states that the ONLY current site for libz or zlib or whatever the hell its called is http://www.zlib.net Going to www.zlib.net shows 1.2.2 as current. There is a ton of misinformation and redirection going on with regards to this issue. Everything seems to point back to 1.2.2 and www.zlib.net . However its been stated here that this is not the correct site or the most current version. No wonder there is mass confusion. I gave up after 5 or 6 circles. -Jim ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Clamav 0.86 for REDHAT 9
Eric Rostetter wrote: Quoting Scott Woodford [EMAIL PROTECTED]: No, unfortunately I don't know of any site that has the 86 rpm packages. Sorry about that. Is there some particular reason you can't use 0.85.1 for now? Scott crash-hat always gets the newest releases out asap for FC1, which run fine on RH 9. My yum url for crash-hat is: http://crash.fce.vutbr.cz/crash-hat/1/ Yes, technically he is FC1, but they work fine on RHL 9 also. I second that one. I've been using the crash-hat rpms for clamav for many releases now. They work just great on RH9 and CentOS4. Even if there are dependency issues, you can easily rebuild the .src.rpm and install away. Really is a breeze.. -Jim ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Clamav 0.86 for REDHAT 9
Damian Mantelli (AUTORED) wrote: Thanks Eric and Jim for your help, this site seems very good but they don´t have the DB file, and Clamd file :( And I don´t know how make the rpm file since the SRC.RPM file :( I really appreciate all your help. best regards Damian Im not sure what you mean by DB file and Clamd file. If you would like to try building the rpm from the source rpm, download http://crash.fce.vutbr.cz/crash-hat/1/clamav/clamav-0.86.1-1.src.rpm and then run: rpmbuild --rebuild -without milter clamav-0.86.1-1.src.rpm NOTE: if you are using sendmail w/milter, omit the -without milter part. This will build rpms which you can then install normally. However, have you tried just downloading http://crash.fce.vutbr.cz/crash-hat/1/clamav/clamav-0.86.1-1.i386.rpm and installing that? What is the problem really? -Jim ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Why no actual data in mail header?
Jim Maul schrieb: Thomas Booms wrote: Thanks, this works. I didnt understood the text passage above before. My next question is about the option --on-update-execute= in freshclam: is it possible to call qmail-scanner-queue.pl -z with || after reload or on which way could I run both executes? My goal is to start qmail-scanner on that time point when I get the newest signatures. I dont want to run it via cron if possible. You can put this in the on-update-execute and in fact many people already do this. There is no harm in running this multiple times a day. -Jim ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] clamav updates - freshclam versus recompiling
Casey Allen Shobe wrote: Why do we have to recompile clamav all the time to get updates? I thought that's what freshclam was for. Because something is broken? I've never had to do that. We were running clamav 0.86 with freshclam, and Worm.Mytob.FM was making it past the filter. Compiling 0.86.1 fixed things, but I don't really understand why. I don't know if this is the case for this particular virus, but sometimes older versions of clam cannot detect some of the newer variants of viruses regardless of what version of the definitions you have. We generally like to test new releases of software on a test server for several days before upgrading production machines. Good idea. -Jim
Re: [Clamav-users] 99% CPU load during boot, server freezing
Emanuel Nacht wrote: Okay, I think I found the evil-doer, and it's, gladly, not related to clamav. It appears there was an attack running towards one virtual host, which made the load skyrocket of the server - giving clamav only so much cpu time. It's still interesting that clamav showed up in top with 99% cpu: PID USER PR NI VIRT RES SHR S %CPU %MEMTIME+ COMMAND 806 clamav25 0 16560 16m 692 R 96.7 1.6 0:04.05 ls I will keep an eye on this, and post a follow-up if this problem persists. Why would clamav ever run the 'ls' command? Something doesnt seem right.. -Jim ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Question about clamd commands
Robert Hogan wrote: I don't think it's possible to telnet to a unix socket from the command line... Actually, I believe that with the telnet that comes with freebsd, this is entirely possible. However I've never used any bsd so I'm really just going on what someone else said. I imagine it's available for other systems as well but I never tried.. -Jim
Re: [Clamav-users] Clamscan slow on large attachments
Fajar A. Nugraha wrote: Jan Alphenaar wrote: open. The problem is now that attachements 4Mb are taking ages to scan. The CPU is now busy for 100% running clamscan. Because the users connect with Outlook Express this application will now say to the user that the mailserver is not responding (since the smtp session is still open) and asks the user what to do, wait or stop ? With this in mind I have the following questions: 1) Can I configure clamscan so it will operate faster ? clamdscan should be faster than clamscan. This is true. 2) Can I configure qmail-scanner to disconnect the smtp session and starts clamav in the background (probably a qmail-scanner question) ? I don't think any MTA is able to do that. I believe qmail does this by default. It does not keep the smtp session open during scanning. There are patches that allow it to keep the session open..i imagine you are using one of these. Perhaps you want to remove them? A workaround is to tell your MTA/wrapper to scan small files only (1MB). Configuring Exim is easy, but I don't know how to configure qmail-scanner to do that. Regards, Fajar ___ -Jim ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Clamscan slow on large attachments
Fajar A. Nugraha wrote: Jim Maul wrote: 2) Can I configure qmail-scanner to disconnect the smtp session and starts clamav in the background (probably a qmail-scanner question) ? I don't think any MTA is able to do that. I believe qmail does this by default. It does not keep the smtp session open during scanning. There are patches that allow it to keep the session open..i imagine you are using one of these. Perhaps you want to remove them? Aah ... you mean the accept-first, scan-and-always-generate-bounces-later method? Not exactly. Somehow I was imagining something like accept-mail-but-don't-generate-bounces-when-virus-found method. Qmail-scanner can do this. I send no bounces/notifications back to the 'sender'. -Jim ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Bug
Dennis Peterson wrote: Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem said: Looks like since Clamav 0.84, clamav-milter is crashing every time freshclam gets new definitions. I am running clamav on BSD/OS 4.3.1 It's probably trying to tell you your From: address is too long, eh. dp I had actually typed up Maybe it's because your from name is too long but decided not to send the message at the end. Strange ;) -Jim
Re: [Clamav-users] option -V reports wrong database
didier.georgieff wrote: On 18 May 2005 09:53:28 +0200 Tomasz Kojm wrote: I just noticed that clamav freshclam 0.85.1 seems to report wrong informations about the virus database There's a bug in your configuration then... == OK, I can imagine that, but unfortunatelly it seems that's this is not the point. /var/lib/clamav is setup in my clamav.conf freshclam.conf. are you really using clamav.conf?? how about clamd.conf? == freshclam also gets the right updates/ == This is a proof that the database USED (886) is not the same than REPORTED (507) # clamscan --debug -v LibClamAV debug: Loading databases from /var/lib/clamav LibClamAV debug: Loading /var/lib/clamav/main.cvd #freshclam --debug --no-dns -v Current working dir is /var/lib/clamav Max retries == 3 ClamAV update process started at Thu May 19 16:15:27 2005 Connecting via proxy Connected to db.fr.clamav.net (IP: 10.202.240.108). Trying to retrieve http://db.fr.clamav.net/main.cvd If-Modified-Since: Tue, 26 Apr 2005 10:00:18 GMT Reading CVD header (main.cvd): OK (IMS) main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder: tkojm) Connecting via proxy Connected to db.fr.clamav.net (IP: 10.202.240.108). Trying to retrieve http://db.fr.clamav.net/daily.cvd If-Modified-Since: Wed, 18 May 2005 22:00:02 GMT Reading CVD header (daily.cvd): OK (IMS) daily.cvd is up to date (version: 886, sigs: 1438, f-level: 5, builder: trog) Freeing option list...done #freshclam -V ClamAV 0.85.1/507/Mon Sep 27 12:53:21 2004 Regards. ___ http://lurker.clamav.net/list/clamav-users.html ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] 0.85 0.81.1 the same troubles with milter
Sergey wrote: Hello Dennis, Tuesday, May 17, 2005, 5:11:43 PM, you wrote: DP Sergey said: Hello Andrzej, Tuesday, May 17, 2005, 3:52:31 PM, you wrote: AZ Sergey wrote: AZ [...] -rw-r- 1 rootclamav 1265 May 17 15:40 clamd.log AZ ^^ AZ How clamd (in reality user clamav.clamav) can write to this file?? AZ [...] i've no idea, but 0.84 does. i've just found a solution. if clamd makes clamd.log it's useless to change the permissions. so before running clamd and so on i made touch clamd.log and then set all the permissions that are needed. now it works. DP We have a winner! Now if you put that in your startup script and log DP rotation tool you'll have the job finished. why is that? if i restart clamd it isn't going to change the permissions of clamd.log. and by the way i don't need any log rotation because my clamd.log doesn't ever become big or something like that. Maybe that's because clamav couldn't write to it ;) Regardless, this is a workaround not a solution. The logfile should not be created with root owner to begin with. -Jim
Re: [Clamav-users] 0.85 0.81.1 the same troubles with milter
Dennis Peterson wrote: Jim Maul said: DP We have a winner! Now if you put that in your startup script and log DP rotation tool you'll have the job finished. why is that? if i restart clamd it isn't going to change the permissions of clamd.log. and by the way i don't need any log rotation because my clamd.log doesn't ever become big or something like that. Maybe that's because clamav couldn't write to it ;) Regardless, this is a workaround not a solution. The logfile should not be created with root owner to begin with. -Jim That would be a good trick if the directory it is found in is owned ro by root. I suppose it could be created by root then chowned to clam_user, but that too presumes much. To make it entirely turnkey the process should see if the user-selected log directory is readable by clam_user first, then it should see if the file already exists (or if a directory of the same name exists), and if it is writable by clam_user. If everything isn't perfect it could fail with a warning to the console. Now what to do about your log rotator? How should clam predict a misconfigured rotator? That seems like a lot of hand holding. Call me old fashioned, but this is something I like to deal with myself. There's still a roll for the thinking admin. No, don't get me wrong here, I'm not saying clamav should predict anything. Nor should it have to deal with misconfigured software. This is of course left up to the admin. However, it seems that it *creates* the logfile owned by root. And that..well..just isn't right. -Jim
Re: [Clamav-users] 0.85 0.81.1 the same troubles with milter
Dennis Peterson wrote: Jim Maul said: Dennis Peterson wrote: That would be a good trick if the directory it is found in is owned ro by root. I suppose it could be created by root then chowned to clam_user, but that too presumes much. To make it entirely turnkey the process should see if the user-selected log directory is readable by clam_user first, then it should see if the file already exists (or if a directory of the same name exists), and if it is writable by clam_user. If everything isn't perfect it could fail with a warning to the console. Now what to do about your log rotator? How should clam predict a misconfigured rotator? That seems like a lot of hand holding. Call me old fashioned, but this is something I like to deal with myself. There's still a roll for the thinking admin. No, dont get me wrong here, im not saying clamav should predict anything. Nor should it have to deal with misconfigured software. This is of course left up to the admin. However, it seems that it *creates* the logfile owned by root. And that..well..just isnt right. Maybe I should have said doughnut :-) I meant role. I use syslog for the log files here because I want them available to a common remote logger server for processing. Ownership is not a problem, and it's one less issue the deal with. My underlying point is that a take-charge admin would have no problem dealing with this bug. Indeed. I was merely trying to clarify the exact issue that other admins were having. I am not experiencing this problem myself. Mainly because im still using 0.84 but thats another story ;) -Jim ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] 0.85 0.81.1 the same troubles with milter
Matt Fretwell wrote: Jim Maul wrote: Call me old fashioned, but this is something I like to deal with myself. There's still a roll for the thinking admin. No, dont get me wrong here, im not saying clamav should predict anything. Nor should it have to deal with misconfigured software. This is of course left up to the admin. However, it seems that it *creates* the logfile owned by root. And that..well..just isnt right. Just to test, as an ordinary user, run: touch /var/log/test.log Now why does it create the logfile as root? While i get your point, it is irrelevant because it should not log in /var/log/ directly. It should log in /var/log/clamav/ -Jim ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
Matt Fretwell wrote: Jim Maul wrote: touch /var/log/test.log Now why does it create the logfile as root? While I get your point, it is irrelevant because it should not log in /var/log/ directly. It should log in /var/log/clamav/ The main point of my point, (I know that sounds weird), is that an admin who relies upon any piece of software to correctly create and set permissions on the logfile is asking for trouble. Clam is not alone in this. This is not a bug in Clam, it is poor admin technique on the part of the admin. Your logs are vital for a smoothly running system. The admin should take full control of their logs. And the main point of my point (again with the weirdness) is that yes this should be handled by the admin, however it is indeed a (small) bug. While the situation SHOULD never come up, clamav should not attempt to create a log file which it can never write to. -Jim
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
Matt Fretwell wrote: Jim Maul wrote: The main point of my point, (I know that sounds weird), is that an admin who relies upon any piece of software to correctly create and set permissions on the logfile is asking for trouble. Clam is not alone in this. This is not a bug in Clam, it is poor admin technique on the part of the admin. Your logs are vital for a smoothly running system. The admin should take full control of their logs. And the main point of my point (again with the weirdness) is that yes this should be handled by the admin, however it is indeed a (small) bug. While the situation SHOULD never come up, clamav should not attempt to create a log file which it can never write to. I think we have reached stalemate on this one :) Agreed. ;) -Jim
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
Dennis Peterson wrote: Jim Maul said: Matt Fretwell wrote: Jim Maul wrote: Call me old fashioned, but this is something I like to deal with myself. There's still a roll for the thinking admin. No, don't get me wrong here, I'm not saying clamav should predict anything. Nor should it have to deal with misconfigured software. This is of course left up to the admin. However, it seems that it *creates* the logfile owned by root. And that..well..just isn't right. Just to test, as an ordinary user, run: touch /var/log/test.log Now why does it create the logfile as root? While I get your point, it is irrelevant because it should not log in /var/log/ directly. It should log in /var/log/clamav/ It will log wherever the clamd.conf file says it will log - permissions permitting. There is no concept of should. To the program itself, no. If you tell it to log to / it will, however, it SHOULDN'T. See what I'm saying? To say that clamav *has* to create the log file as root because only root can write to /var/log/ is irrelevant to the issue. -Jim
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
Dennis Peterson wrote: Jim Maul said: Dennis Peterson wrote: Jim Maul said: Matt Fretwell wrote: Jim Maul wrote: Call me old fashioned, but this is something I like to deal with myself. There's still a roll for the thinking admin. No, don't get me wrong here, I'm not saying clamav should predict anything. Nor should it have to deal with misconfigured software. This is of course left up to the admin. However, it seems that it *creates* the logfile owned by root. And that..well..just isn't right. Just to test, as an ordinary user, run: touch /var/log/test.log Now why does it create the logfile as root? While I get your point, it is irrelevant because it should not log in /var/log/ directly. It should log in /var/log/clamav/ It will log wherever the clamd.conf file says it will log - permissions permitting. There is no concept of should. To the program itself, no. If you tell it to log to / it will, however, it SHOULDN'T. See what I'm saying? To say that clamav *has* to create the log file as root because only root can write to /var/log/ is irrelevant to the issue. While you're out there making up rules can you think of any reason clamd needs to be started as user root if all you do is scan incoming email? I can't. Um, where am I making up rules? Thanks for the accusation though. And no, I can't think of why you would want to or have to run clamd as root. I run clamd as user qscand, not root so I'm not sure what you're implying here. Thanks again, -Jim
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
Dennis Peterson wrote: Jim Maul said: Dennis Peterson wrote: To the program itself, no. If you tell it to log to / it will, however, it SHOULDN'T. See what I'm saying? To say that clamav *has* to create the log file as root because only root can write to /var/log/ is irrelevant to the issue. While you're out there making up rules can you think of any reason clamd needs to be started as user root if all you do is scan incoming email? I can't. Um, where am I making up rules? Thanks for the accusation though. And no, I can't think of why you would want to or have to run clamd as root. I run clamd as user qscand, not root so I'm not sure what you're implying here. Thanks again, -Jim You said it shouldn't log to / and there's no reason it shouldn't if that is where one wishes it to log. There's lots of reasons why that would be a bad idea, but it's an admin decision, not an application issue. Do you start clamd as root or as qscand? My point is there is, or at least can be no requirement that one start it as root and was trying to demonstrate additional administrative latitude for the reading public that isn't already put to sleep by this thread :-) If you su to qscand (in your case) it should still start and run just fine. It was just an injected factoid for thought. Many people just light things off as root and go on their way. It is frequently safer and managerially more convenient to write root scripts that su to the run-as user first, then fire off the proc (/usr/bin/su - qscand -c /usr/local/bin/blah_blah_blah). Imagine how it simplifies file ownerships. dp ... did I mention I'm anal? Let me attempt to clear up any confusion (and hopefully put this thread to rest) by saying that I personally am not having any problems with clamav and I am not experiencing the logging issue that actually started this thread. I do and always have run clamav as qscand. My clamav logs are owned by qscand and everything works great.
I simply joined the conversation somewhere in the middle because something caught my attention. The fact that clamav creates its log file as root if it doesn't already exist. Why create it at all if you can't write to it? It's just silly. I'm anal as well which is why I stated that one should not tell anything to log to / or /var/log directly for that matter. I like to have all programs logging in their own directories under /var/log/. clamav is /var/log/clamav/ apache is /var/log/apache/ and so on. That was the basis for my SHOULDN'T statement above.
Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter
Dennis Peterson wrote: Jim Maul said: SNIP That doesn't happen if you start it as the run-as user. It happens if you start it as root. That is why I say this bug is not necessarily a bug, but an administrative issue. This was the key piece to the puzzle that I was missing. From the posts of the people who are actually having this problem, it was not immediately obvious that this ONLY happens when you run clamd as root. I was under the impression that the log file was created as root regardless of the user statement in clamd.conf. My apologies. -Jim
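The pre-start checks listed at the top of this thread (log directory accessible, no directory of the same name in the way, file writable by the run-as user), written out as an added shell example that is not from the list or from ClamAV. It is meant to be run as the run-as user; the function name, the return codes and the script path in the comment are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight check for the LogFile path configured in clamd.conf.
#
# Run it AS the run-as user so the tests reflect that user's rights, e.g.
# (user name from the thread, script path hypothetical):
#   su - qscand -c '/usr/local/bin/check_clam_log.sh /var/log/clamav/clamd.log'
#
# Root-side preparation, done once by the admin (not executed here):
#   install -d -o qscand -g qscand -m 0750 /var/log/clamav

# check_log_path LOGFILE
# Return codes (chosen for this example):
#   0  the current user can append to, or create, LOGFILE
#   1  parent directory is missing or cannot be entered
#   2  a directory with the log file's name is in the way
#   3  LOGFILE exists but is not writable by the current user
#   4  LOGFILE does not exist and the directory is not writable
check_log_path() {
    logfile=$1
    logdir=$(dirname "$logfile")

    if [ ! -d "$logdir" ] || [ ! -x "$logdir" ]; then
        echo "WARNING: log directory $logdir is missing or not accessible" >&2
        return 1
    fi

    if [ -d "$logfile" ]; then
        echo "WARNING: $logfile is a directory, not a log file" >&2
        return 2
    fi

    if [ -e "$logfile" ]; then
        if [ ! -w "$logfile" ]; then
            # The case from the thread: file created by root, daemon runs
            # as an unprivileged user and can never write to it.
            echo "WARNING: $logfile exists but is not writable by $(id -un)" >&2
            return 3
        fi
        return 0
    fi

    if [ ! -w "$logdir" ]; then
        echo "WARNING: $logfile cannot be created, $logdir is not writable by $(id -un)" >&2
        return 4
    fi
    return 0
}

# Stand-alone use: check the path given on the command line.
if [ "$#" -gt 0 ]; then
    check_log_path "$1"
    exit $?
fi
```

A start script can call this before launching clamd and refuse to start on any non-zero result, which gives the warning on the console that the thread asks for.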
Re: [Clamav-users] Lars Gierling/B-W is out of the office. [Scan Mail has checked this mail for viruses]
[EMAIL PROTECTED] wrote: I will be out of the office starting 12.05.2005 and will not return until 23.05.2005. I will reply to your message after my return. In urgent cases, please contact my colleagues by telephone or by mail. Great, so we get to see this crap for another 11 days. -Jim
Re: [Clamav-users] Maybe a virus Sober.P
Bart Silverstrim wrote: On May 5, 2005, at 2:38 PM, Matt Fretwell wrote: Bart Silverstrim wrote: This is actually two separate scenarios. That was Daniel's fault instigated by his being vague :) Now, a clever man would put the poison into his own goblet, because he would know that only a great fool would reach for what he was given. I am not a great fool, so I can clearly not choose the wine in front of you. But you must have known I was not a great fool, you would have counted on it, so I can clearly not choose the wine in front of me. Bonus points if you identify what it's from :-p Princess Bride to which in my head I dreamed a few moments about what it would be like to be a true BOFH on our network and have the power...political power...to get away with locking people out of their favorite web sites despite outranking me in the org chart and what it would be like to not have to deal with the politics of XYZ not being able to get their content completely rendered because of some glitch of interaction between the proxy and scanner and the website they're trying to get forms from. Ahhh to dream a little dream! Tell the accountants they can save money by locking down a network. You would be amazed how quickly things happen :) Plus, they get all the stick from irate users|management :) Nope, doesn't work that way. User complaints and convenience are balanced against us. Over here at our hospital we got numerous requests for the ceo's secretary to have full internet access. Eventually we had to give it to her as we were told that her job function required it. To this day I see nothing but jcpenny.com and macys.com in the logs from her terminal. Seems she really likes buying shoes... -Jim
Re: [Clamav-users] Not accepting input?
Mike Nolan wrote: This question was asked, and advised upon, less than four hours ago. Check the archives. Matt, I don't think that thread got to me, I certainly don't recall having seen it, and I've been watching the list closely because this problem has been bugging me for several days. Moreover, it appears from reviewing the archives that the ultimate answer was 'this is a multi-threading error that we haven't found yet'. That's not much of a solution. :-( He never said there was a solution, simply advised upon. Indeed it appears that there is no solution as of yet. -Jim
Re: [Clamav-users] Maybe a virus Sober.P
Bart Silverstrim wrote: On May 4, 2005, at 11:12 AM, Nigel Horne wrote: On Wednesday 04 May 2005 16:02, [EMAIL PROTECTED] wrote: . If you have received this communication in error, please notify me immediately by telephone or fax But you haven't given your telephone and fax number, so how can you expect anyone to do that? I've always wondered...why do people put confidentiality notices saying if this is not meant for you, erase it, yadda yadda... at the END of the message, so you already know what you're not supposed to know? I mean, they do know that these disclaimers haven't been tested in court, but if they were...they'd probably not hold water? So far the disclaimers only seem to add cruft for people to resend if they top post their messages, and make the message a little harder to parse. :-) But they do more than that...they make the higher ups feel better...actually, I think that's the only purpose they serve. -Jim
Re: [Clamav-users] CLAMD+SIMSCAN+RAR V3 SUPPORT
Brian Morrison wrote: On Tue, 03 May 2005 18:55:15 +0100 in [EMAIL PROTECTED] Trog [EMAIL PROTECTED] wrote: On Tue, 2005-05-03 at 18:18 +0100, Brian Morrison wrote: Pretty sure that clamd from 0.84 supports RAR v3 archive scanning. Only CVS currently supports RAR3 scanning. Oh OK, I thought the new RAR code had made it into the released version. Sorry! Honestly, I thought so too..the release announcement was sort of misleading. - from release announcement - release 0.84 is available for download. This version improves detection of JPEG (MS04-028) based exploits, introduces support for TNEF files and new detection mechanisms. Various bugfixes (including problems with scanning of digest mail files) and improvements have been made. ** We encourage users to help testing the development versions, now with ** ** rewritten RAR code and support for 3.0 archives! ** ** http://www.clamav.net/snapshot/ ** The ChangeLog includes: - end release snippet - That little bit about encouraging users to help testing the development versions is kinda stuck in the middle of the announcement there and initially I thought the rewritten RAR code and support for 3.0 archives was referring to the release, but after a second reading, it appears they are only referring to the development snapshots. -Jim
Re: [Clamav-users] Zip module failures and Malformed hexstrings and0viruses, Oh my!
Brian Morrison wrote: On Fri, 29 Apr 2005 12:09:16 -0500 in [EMAIL PROTECTED] Scott Henderson @ Bunzl Phoenix [EMAIL PROTECTED] wrote: I don't see how to upgrade... Which OS are you using? It may be possible to get a packaged version and install that, if it is in a different directory then you can get the configuration sorted out before letting it loose on your mail. Brian Morrison Red Hat 7.3 (kernel = 2.4.20-29.7.progeny.8) Have a look at the binary packages pages on www.clamav.net, there are two packagers there Petr Kristof and DAG. Both do RPMs that can be easily rebuilt on RedHat systems, although I'll admit I haven't used RH 7.3 in a while now. I'm running Petr's clamav package on multiple rh9 systems with great success. I'd give those a shot. -Jim
Re: [Clamav-users] Clamav log file not logging viruses
Jose Luis Hime wrote: If I use the option LogSyslog, then the viruses are logged into the file /var/log/maillog correctly. Thanks for your tip, it opened my eyes to that. The problem is that I want a specific logfile to be used, not through the Linux syslog function. So I commented out the LogSyslog option, forcing clamd to use its internal log function (logging at its clamd.log). This is not working. You don't want to use syslog at all or you just want it in its own file? I am using the linux syslog utility but have clamav going to its own file. Perhaps that would work for you as well? -Jim
Re: [Clamav-users] clamscan
Dwayne Hottinger wrote: Does clamscan automatically delete virus infected files if I run clamscan from the server prompt? For example, If I run clamscan /home/* to scan all home files will it delete the viruses found or just list them? It just lists them. -Jim
Re: [Clamav-users] LibClamAV Error: Can't create temporary file
José Miguel López Coronado wrote: Hello everybody. I have been suffering the following problem in my clamd.log: LibClamAV Error: Can't create temporary file /tmp/clamav-d0a0c6a5466f36fc/: Argumento inválido LibClamAV Error: fileblobDestroy: file not saved: report to [EMAIL PROTECTED] This has happened since I changed to 0.83 clamav version and only in one of the three servers where I have it installed. The three of them are running RedHat 9.0. Any idea why is this happening? Thanks in advance. Chemi. I believe I saw on this list that 0.84RCx fixes this problem. Check the archives. -Jim
Re: [Clamav-users] Can't parse configuration file
Mike Partyka wrote: Hello, I only just started working on ClamAV version 0.83 this morning, with a mail server product based on HP's Open Mail, running on a SuSE Ent. Server 9. I am a little confused about the two configuration files /etc/freshclam.conf and /etc/clamav.conf, they seem to overlap and contain many of the same parameters. /etc/clamav.conf is here: SNIP Um..clamav 0.83 uses clamd.conf, not clamav.conf. Unless you also have a clamd.conf I'd imagine that this is the cause of the unable to parse config file error. /etc/freshclam.conf file is here: SNIP some more I'm not sure what overlap you are referring to. I mean they both have a logfile option and such, but clamd and freshclam both log, so this really isn't overlap, it's necessary unless you want them to log to the same location. -Jim
Re: [Clamav-users] Can't parse configuration file
Mike Partyka wrote: Hello Jim, Thanks for the response. Um..clamav 0.83 uses clamd.conf, not clamav.conf. This also confused me, when I looked at the man page it indicated that since 0.80 the config file name was changed to clamd.conf, but this does not seem to be the problem as I sym-linked the existing /etc/clamav.conf to /etc/clamd.conf and the same error occurred again. This is on SuSE Ent. Server 9 and I don't know why but I think they (SuSE/Novell) compiled ClamAV and hardcoded the config file to /etc/clamav.conf. I'm not sure how to verify this but I don't know how else to explain it. The overlap was my imagination, I thought I was seeing many of the same options but I see what you mean, they are specific to each service. Well, it's possible that it's a suse specific thing, but as I never used suse, I really don't know. You could try to install from source and see if you have any more luck that way. You could also try to get more information from a suse support list if you like. Also, what are the permissions on the clamd.conf file? Is the user running clamav able to open this file? -Jim
Re: [Clamav-users] Re: 0.83 potentially not catching some NetSky/SomeFool virus
René Berber wrote: Tomasz Kojm wrote: On Mon, 18 Apr 2005 14:10:35 -0500 René Berber [EMAIL PROTECTED] wrote: does not enable detecting them. Why? because you have to uncomment DisableDefaultScanOptions to enable or disable the other options; even if you have DetectBrokenExecutables uncommented the default value of disabled is in effect... This is wrong. From version 0.83 clamd.conf man page: DisableDefaultScanOptions By default clamd uses scan options recommended by libclamav. This option disables recommended options and allows you to enable selected options. DO NOT ENABLE IT unless you know what you are doing. Default: disabled ScanPE PE stands for Portable Executable - it's an executable file format used in all 32-bit versions of Windows operating systems. This option allows ClamAV to perform a deeper analysis of executable files and it's also required for decompression of popular executable packers such as UPX. Default: enabled DetectBrokenExecutables With this option clamd will try to detect broken executables and mark them as Broken.Executable. Default: disabled What is wrong? To enable detecting broken executables you have to change two options in the clamd.conf file (not only one as shown in the posted options), one is uncommenting DisableDefaultScanOptions, the second is uncommenting DetectBrokenExecutables. What is wrong? Your explanation is wrong, that's what. You only have to uncomment DetectBrokenExecutables to enable the option. The default is disabled. To enable it, uncomment it. You are thinking about options that are by default enabled but commented out. To disable these options, this is where you must enable DisableDefaultScanOptions. Your thinking is correct, but you're applying it to the wrong circumstance. -Jim
Re: [Clamav-users] Can phishing be considered one kind of spam ?
Samuel Benzaquen wrote: Sweet... here are my selections [x] viruses [x] phishing [x] spam [x] stupid jokes [x] urban myths [x] (company) will pay you $ for every person you forward this to [x] cute puppies [x] sob stories ... [x] completely useless messages from useful mailing lists Oh, no! This message would have been rejected =P! -SamSam No, clamav doesn't reject anything ;) -Jim
Re: [Clamav-users] Flagging with ClamAV - Not Quarantine
Jason Williard wrote: Is it possible to flag mail as infected without actually quarantining the mail using ClamAV? Preferably, I would like to be able to add a header value, such as X-Virus-Status: Yes (or No). This could then be used on the client side or by other custom filtering to decide what to do with the message. Clamav doesn't quarantine anything. You would have to make this change in whatever program you have calling clamav itself. -Jim
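One way a calling program can do the flagging discussed above: an added shell filter, not code from the list or from ClamAV, that scans a message on stdin and prepends X-Virus-Status. It relies on clamscan's exit codes (0 clean, 1 virus found, 2 error); the function name, the signature name in parentheses, the "Unknown" value and the removal of any sender-supplied X-Virus-Status header are choices of this example, and the input is assumed to be a bare RFC 822 message without an mbox "From " line.

```shell
#!/bin/sh
# Added example: flag a mail message instead of quarantining it.
#
# Usage as a filter (clamscan reads stdin when given "-"):
#   ./tag_virus_status.sh clamscan --no-summary - < message.eml > tagged.eml

# tag_message SCANNER [ARGS...]
# Reads one message on stdin, runs the scanner over it, and writes the
# message to stdout with a fresh X-Virus-Status header as the first line.
tag_message() {
    tmp=$(mktemp) || return 2
    cat > "$tmp"

    # Scanner exit status: 0 = clean, 1 = virus found, anything else = error.
    rc=0
    report=$("$@" < "$tmp" 2>/dev/null) || rc=$?

    case $rc in
        0)  status="No" ;;
        1)  # Report lines look like "stdin: <signature> FOUND".
            # Keep only harmless characters so the name cannot inject
            # extra header lines.
            name=$(printf '%s\n' "$report" |
                   sed -n 's/^.*: \(.*\) FOUND$/\1/p' |
                   head -n 1 | tr -cd 'A-Za-z0-9._-')
            status="Yes (${name:-unnamed})" ;;
        *)  # Do not report "No" when the scan did not complete.
            status="Unknown (scanner exit $rc)" ;;
    esac

    printf 'X-Virus-Status: %s\n' "$status"

    # Copy the message, dropping any X-Virus-Status header (and its folded
    # continuation lines) that arrived with it, so a sender cannot pre-set
    # the verdict. Only the header section is filtered; the body is untouched.
    awk '
        body                             { print; next }
        /^\r?$/                          { body = 1; print; next }
        tolower($0) ~ /^x-virus-status:/ { skip = 1; next }
        skip && /^[ \t]/                 { next }
                                         { skip = 0; print }
    ' "$tmp"

    rm -f "$tmp"
    return 0
}

# Stand-alone use: the scanner command line is given as arguments.
if [ "$#" -gt 0 ]; then
    tag_message "$@"
fi
```

Downstream filters should treat the "Unknown" value as not scanned rather than as clean.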
Re: [Clamav-users] eicar within tnef
Nigel Horne wrote: I have added decoding for TNEF (winmail.dat) to the CVS version. Well damn, that didn't take very long ;) Keep up the great work guys. -Nigel -Jim
Re: [Clamav-users] eicar within tnef
Nigel Horne wrote: On Tue, 2005-03-22 at 21:26, jef moskot wrote: Is anyone having trouble detecting Test #14 (the TNEF test) from http://www.webmail.us/testvirus ? TNEF is on my list of things to do. To be honest it had slipped my memory, and I have spare time at the moment so I'll have a look. Jeffrey Moskot -Nigel Horne Qmail-scanner (as well as others I'm sure) support the decoding of tnef so this is not an issue. Just relaying some info... -Jim
Re: [Clamav-users] freshclam and milter --internal notification
Damian Menscher wrote: [6th try to get this sent out.] And I've seen this message 6 times already. I'm using clamav-milter in the default mode (no --external flag). As such, I see no need to run clamd. But freshclam doesn't like this very much: freshclam[26975]: ERROR: Clamd was NOT notified: No socket specified in /usr/local/encap/clamav-0.83/etc/clamd.conf Now, clamav-milter will still see the updates, right? Since it checks the database for changes? Or should I be doing something differently here, like setting the socket in clamd.conf to the milter.sock (rather than the clamd.sock it would normally have pointed to)? If I'm not doing something wrong here, then perhaps this freshclam message should be toned down a bit from ERROR to Warning, or have a flag to disable it? Damian Menscher
Re: [Clamav-users] Disabling ScanArchive ?
Daniel J McDonald wrote: On Tue, 2005-02-22 at 09:57 -0800, [EMAIL PROTECTED] wrote: At 09:39 AM 2/22/2005, you wrote: Due to license issues with the original RAR3.0 unpacker one of our developers is working on a new version written from scratch. It's planned for 0.90. secondly, is there a way to employ unrar checking if one buys an unrar license and installs unrar - i couldn't quite see a hook to do that in clamd.conf. amavis-new does rar unpacking using an external binary, then passes the unpacked pieces to clamav. As does qmail-scanner and i imagine a handful of other packages. -Jim
Re: [Clamav-users] Broken zlib version?
Tarjei Knapstad wrote: On Wed, 2005-02-16 at 15:11, Trog wrote: On Wed, 2005-02-16 at 14:57 +0100, Tarjei Knapstad wrote: On Wed, 2005-02-16 at 08:49, Dennis Peterson wrote: snip A simple search in the archive for zlib 1.2.2 turns this up: http://lurker.clamav.net/message/20041103.143255.97fa22ec.en.html It contains the references you are asking for, a link to the *current* zlib homepage which has 1.2.2 all over it, and the front page then states this: Thanks Trog, that clears the haze. I thought the list archives were down (the archives link is borked if you follow the link attached to the bottom of each post on the list). Googling for zlib took me to the old site and does not show zlib.net in the first 100 results. (Googling for zlib 1.2.2 does not show either in the first 100). Oh well :-S Exactly, this is retarded. I had the same problem. Google for zlib returns http://www.gzip.org/zlib/ which shows 1.2.1 as current and has no mention of another website (namely zlib.net). It also shows: Canonical URL: http://www.gzip.org/zlib/ Mirror sites: http://www.doc.cs.univ-paris8.fr/mirrors/zlib/ (France) Ok fine..so now I hear zlib.net is the current site. So over to www.zlib.net which says 1.2.2 is current. Aha! there it is. But on zlib.net there is no mention anywhere that www.gzip.org/zlib/ should not be used anymore and zlib.net even says: Canonical URL: http://www.gzip.org/zlib/ Mirror sites: http://www.zlib.net/ (US) Which makes no sense at all. I realize this is not a clamav issue, I'm just trying to point out the source of confusion WRT zlib and clamav. -Jim ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users