Re: [Clamav-users] Is anyone using ClamAV on Redhat Linux

2007-09-25 Thread John Hinton
DBS Labs wrote:
 Rob MacGregor,
  
 I am aware that your crystal ball is broken, because you could not see my 
 original post either, which I have included again for your benefit.  This was 
 my second post because no one responded to my first.
   
You didn't mention where you installed from or how.

I can tell you that the dag.wieers repository has a fantastic rpm for 
all the clam products. Out of the box, they simply work. I do 
occasionally get an error like below, but it is rare and I'm assuming 
caused by overloads to the db servers.

For Redhat or its variants, I'd suggest using dag. The install is almost 
too easy and the updates come just long enough after a new release to 
avoid most of the bugs. This is a very active area in the dag repository.

John Hinton
  
 I just installed ClamAV-0.91.2 on a Redhat EL 4 server for testing.  There 
 were no errors during the install. I then edited the clamd and freshclam 
 configuration files because our system is behind a firewall and I have to use 
 a proxy server. When I run freshclam I get these error messages -

 ClamAV update process started at Wed Sep 12 09:38:19 2007
 Connecting via firewall.com
 main.cvd is up to date (version: 44, sigs: 133163, f-level: 20, builder: sven)
 Connecting via firewall.com
 ERROR: getfile: Unknown response from remote server (IP: 199.169.119.19)
 ERROR: getpatch: Can't download daily-4016.cdiff from db.us.clamav.net
 ERROR: getfile: Unknown response from remote server (IP: 199.169.119.19)
 ERROR: getpatch: Can't download daily-4016.cdiff from db.us.clamav.net
 ERROR: getfile: Unknown response from remote server (IP: 199.169.119.19)
 ERROR: getpatch: Can't download daily-4016.cdiff from db.us.clamav.net
 WARNING: Incremental update failed, trying to download daily.cvd
 ERROR: getfile: Unknown response from remote server (IP: 199.169.119.19)
 ERROR: Can't download daily.cvd from db.us.clamav.net
 Trying again in 5 secs...

 Our firewall does use agent strings, which I have not configured.  Should it
 be changed?
 Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
 http://lurker.clamav.net/list/clamav-users.html




Re: [Clamav-users] Cherishing my ignorance - An appeal to packagers

2006-11-09 Thread John Hinton

Jim Redman wrote:

snippage

I no longer possess the desire to build Linux systems from scratch, or 
to customize them so heavily that I cannot benefit from the work of 
some of the greats in the community, although I may occasionally 
humbly make suggestions that I think might be of benefit (some of 
these are not necessarily accepted as such).



more snippage

I have to agree with the general request made by Jim. Unfortunately, 
most of us end user sysadmins have a lot on our plates. Compiling is not 
that hard, but it is definitely harder than using something like an RPM. 
And as the config file is normally not replaced, setting things up the 
way you want it normally is left alone. I really can't imagine trying to 
keep up with a full linux server these days with all the security 
issues, if I had to compile each and every update to each and every 
program... thus the success of distros such as Redhat, Suse and Debian 
to name just a few.


I personally run CentOS for all my systems. I use the dag repository for 
many additional packages, ClamAV being one of the main packages. I find 
his ClamAV RPM works right out of the box, and is updated as needed, 
which allows the use of yum or up2date to keep Clam updated. But his 
repository is aimed at Redhat.


I have to compliment the ClamAV team for providing a great list of other 
sources for obtaining ClamAV. Perhaps taking a careful look there first 
is something we should all consider, if that resource has been overlooked.


http://clamav.net/binary.html


Thanks for a great product.

John Hinton


Re: [Clamav-users] clamav scan crashes server

2006-09-06 Thread John Hinton

Travis Rabe wrote:



I was one of those newbies (when it comes to new applications, still 
am).  I respect the knowledge others have to part on me and I too find that 
man pages are of little help unless you yourself are a coder - some of us 
are not.


Many people mistakenly think that 'man' is short for manual, but it is 
actually an acronym for 'm'uch 'a'bout 'n'othing. But some are actually 
quite helpful!


John Hinton


Re: [Clamav-users] Rewrite subject and remove virus questions

2006-08-09 Thread John Hinton

Nigel Horne wrote:


Ok...with remove I mean disinfect... so does Clamav disinfect virus 
from into mail messages ???


Disinfect has no meaning for mail borne viruses these days.

Sure it does. It's how big Anti-Virus companies self promote their 
service via scare tactics to get money out of you each year! ;) And why 
they keep signatures for broken executables going as well... the more of 
these warnings a person gets, the more they think they need the service.


Yes, sorry.. just couldn't resist. But really these actions are very 
irritating to me. I really like the way ClamAV just does its work and 
on we go having a great day without nagging pop-ups telling me about 
what I didn't ask to receive or want to know about to start with. My AMD 
processor doesn't pop-up with a message about how good it did with the 
big database I just fed it! It just works.


And a hearty thanks to the ClamAV team!!!

Best,
John Hinton


Re: [Clamav-users] have I been banned?

2006-04-22 Thread John Hinton

Chris Burton wrote:

09:12 http-proxy[14382]: [194.201.85.161:42872
84.18.202.162:80/daily.cvd] Error while sending/receiving. Can't receive
data from server (Connection refused)

Have I been banned from the system? No configuration changes made at
this end. If so what do I do about it?


Last night many mirrors with 100Mbit connections seemed to be maxed 
out or close to it (including 84.18.202.162) which is why you would have 
experienced issues getting updates. The mirror 84.18.202.162 is no 
more as I pulled the plug on it last night, but if you keep trying you 
should get to a working mirror eventually.


Regards,
Chris Burton

This seems to have broken my systems as well, or at least two of them. I 
upgraded weeks ago, but suddenly yesterday I started getting the dread


ERROR: Problem with internal logger.

I have checked permissions on the logs and everything looks fine. These 
two systems are CentOS 3.7 using the Dag repo for ClamAV installs and 
updates.


Can anyone lead me in the direction for repairing this issue?

Best,
John Hinton



Re: [Clamav-users] have I been banned?

2006-04-22 Thread John Hinton

John Hinton wrote:

Chris Burton wrote:

09:12 http-proxy[14382]: [194.201.85.161:42872
84.18.202.162:80/daily.cvd] Error while sending/receiving. Can't receive
data from server (Connection refused)

Have I been banned from the system? No configuration changes made at
this end. If so what do I do about it?


Last night many mirrors with 100Mbit connections seemed to be maxed 
out or close to it (including 84.18.202.162) which is why you would 
have experienced issues getting updates. The mirror 84.18.202.162 is no 
more as I pulled the plug on it last night, but if you keep trying 
you should get to a working mirror eventually.


Regards,
Chris Burton



This seems to have broken my systems as well, or at least two of them. 
I upgraded weeks ago, but suddenly yesterday I started getting the dread


ERROR: Problem with internal logger.

I have checked permissions on the logs and everything looks fine. 
These two systems are CentOS 3.7 using the Dag repo for ClamAV 
installs and updates.


Can anyone lead me in the direction for repairing this issue?

Best,
John Hinton


I love answering my own post... I found the problem. Freshclam must have 
bombed due to the dying server. It left a truncated log at the end of 
the log file. I forced a rotate of the freshclam and clamav logs and 
everything is now back in working condition.


Best,
John Hinton


Re: [Clamav-users] No ClamAV LogWatch report

2006-01-06 Thread John Hinton

Robert Isaac wrote:

After many attempts at getting the LogWatch report to *not* tell me my ClamAV was out 
of date when I knew I was running 0.87.1 I used some advice from this list and ran 
find / -name *clam* -print and removed everything associated with ClamAV that did 
not get removed after removing all the rpms.


I then reinstalled all the rpms and looked forward to today's LogWatch report. When it 
came there was nothing at all about ClamAV. Does nothing get installed to include the 
clam updates in LogWatch?


ProLiant 3.0 Ghz DL360 running RHESL-4 and Apache 2.0.52.

Bob

___
Robert Isaac
Director/Web Admin
Volvo Owners Club


 

I'm not sure about the standard Logwatch distro, but the Logwatch distro 
for RHEL from Dag Wieers does include clamav information. Seems that the 
RedHat version is a bit outdated or I guess one should say, a bit old 
fashioned.


Best,
John Hinton


Re: [Clamav-users] No ClamAV LogWatch report

2006-01-06 Thread John Hinton

John Hinton wrote:


Robert Isaac wrote:

After many attempts at getting the LogWatch report to *not* tell me 
my ClamAV was out of date when I knew I was running 0.87.1 I used 
some advice from this list and ran find / -name *clam* -print and 
removed everything associated with ClamAV that did not get removed 
after removing all the rpms.


I then reinstalled all the rpms and looked forward to today's LogWatch 
report. When it came there was nothing at all about ClamAV. Does 
nothing get installed to include the clam updates in LogWatch?


ProLiant 3.0 Ghz DL360 running RHESL-4 and Apache 2.0.52.

Bob

___
Robert Isaac
Director/Web Admin
Volvo Owners Club




 

I'm not sure about the standard Logwatch distro, but the Logwatch 
distro for RHEL from Dag Wieers does include clamav information. Seems 
that the RedHat version is a bit outdated or I guess one should say, a 
bit old fashioned.


Best,
John Hinton


Sorry to reply to my own message... I should have mentioned that this 
was in combo with the Dag Wieers RHEL clamav rpms as well.


John Hinton


Re: [Clamav-users] W32.Netsky.P reported by Norton

2005-03-23 Thread John Hinton
René Bellora wrote:

John Hinton wrote:

Seems all other viruses are being handled by Clam on these machines.

do you have 'DetectBrokenExecutables' enabled in clamd.conf ?

regards,
René

Rene,

You put me onto the right track. I guess I should admit to egg on my 
face, or perhaps call myself 'some.fool'.

I had a month or more ago switched to the Dag repository and did 
upgrades to my various Clam installs. The short of it, there were two 
config files on one of my servers, clamav.conf and clamd.conf. I thought 
I was running off of clamd.conf, but in fact I was still on the old conf 
file. Broken viruses were not enabled. I guess standardizing is a good 
practice, as long as one makes sure they get to the end of the 
standardizing?

Norton was reporting Netsky.P, whereas Clam was reporting some.fool.P, 
but not sending those to /dev/null.

My apologies to the list for my waste of bandwidth/time. I hate it when 
I'm just a dumb user!!! :)

John Hinton
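
The mix-up described in this message (two config files on one server, with the daemon reading the one that was not edited) can be checked mechanically. The following is an added example, not code from the thread or from the ClamAV project; the file paths and file contents are constructed, the default config path is an assumption passed in by the caller, and the parser assumes the last matching line is the effective one.

```python
import shlex

def directive_state(conf_text, name):
    """True/False if `name` is set, None if absent or only commented out."""
    state = None
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0] != name:
            continue
        if len(fields) == 1:                  # bare keyword, as quoted in the thread
            state = True
        else:                                 # later "Name yes|no" form
            state = fields[1].lower() in ("yes", "true", "1")
    return state

def active_config(cmdline, default_path):
    """Config path the daemon was started with (-c FILE / --config-file=FILE)."""
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        if arg.startswith("--config-file="):
            return arg.split("=", 1)[1]
        if arg in ("-c", "--config-file") and i + 1 < len(args):
            return args[i + 1]
    return default_path                       # assumption: caller knows the default

def audit(configs, cmdline, default_path, name):
    """Report whether `name` is on in the file in use, and which files disagree."""
    in_use = active_config(cmdline, default_path)
    enabled = directive_state(configs[in_use], name) is True
    stale = sorted(p for p, text in configs.items()
                   if p != in_use and (directive_state(text, name) is True) != enabled)
    return {"in_use": in_use, "enabled": enabled, "disagreeing": stale}

# Constructed sample input; the paths are hypothetical, not taken from the thread.
OLD_CONF = """\
# Default: disabled
#DetectBrokenExecutables
LogFile /var/log/clamav/clamd.log
"""
NEW_CONF = """\
# With this option clamav will try to detect broken executables and mark
# them as Broken.Executable
# Default: disabled
DetectBrokenExecutables
"""
CONFIGS = {"/etc/clamav.conf": OLD_CONF, "/etc/clamd.conf": NEW_CONF}

if __name__ == "__main__":
    # Started without -c, the daemon reads the (assumed) default: the old file.
    print(audit(CONFIGS, "clamd", "/etc/clamav.conf", "DetectBrokenExecutables"))
```

A non-empty `disagreeing` list is the condition to alert on: it means a setting was changed in a file the running daemon never reads.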


Re: [Clamav-users] sendmail + clamav + mailscanner + spamassassin

2005-03-22 Thread John Hinton

On Tue, 22 Mar 2005 19:33:03 +0530, Nabin Limbu 
[EMAIL PROTECTED] wrote:


Hi,
What are the benefits of using 3rd party software like 
Mailscanner, Mimedefang and
many others with clamav? Why do people use when it can be done 
simply with
clamav-milter and spamassassin.

Mailscanner is sort of like the 'SuperStore'. Just about anything and 
everything you'd ever like to have all in one location. It is a great 
powerful and well written/supported program. However, if you leave the 
store with everything you want, your wallet might be way worse than empty.

Wallet = System Resources
If you turn it all on, I've seen system loads increase by 30 times vs. a 
system running almost none of the options.

Personally, I stayed with my milters (ClamAssassin for ClamAV)... at 
least for now.

John Hinton


Re: [Clamav-users] W32.Netsky.P reported by Norton

2005-03-22 Thread John Hinton
John Hinton wrote:

In the last couple of weeks, I'm getting reports from users that 
Norton is reporting W32.Netsky.P making it through from my servers. 
I'm configured right, have the latest db updates. I'm wondering if 
this is another of Norton's reporting of 'broken' viruses? I searched 
the list and only could find data from 2004.

I do know that these are appearing as at least .pif and .jpg extensions.

Sorry, but I don't have one of these messages to send to the clam 
report virus system.

Seems all other viruses are being handled by Clam on these machines.

Meanwhile if I could interrupt the regularly posted AV/Phishing 
thread :) And yes, I have had to bite my fingers on that one.

Have I missed something here? Did I ask the wrong question? Did I not 
provide clear or enough information? Am I on the wrong list?

Basically, all I'm trying to find out.

Norton is detecting W32.Netsky.P in Clamscanned email coming from my 
servers.

ClamAV is not catching it.

ClamAV seems to be working fine in all other areas on other viruses. 
Virus DBs are updated.
(ClamAV 0.83/779/Tue Mar 22 07:34:41 2005 signatures)

Does anyone know why?

Thanks for any help or direction for where I should go to find help.

Best,
John Hinton


Re: [Clamav-users] W32.Netsky.P reported by Norton

2005-03-22 Thread John Hinton
René Bellora wrote:

John Hinton wrote:

John Hinton wrote:

In the last couple of weeks, I'm getting reports from users that 
Norton is reporting W32.Netsky.P making it through from my servers. 
I'm configured right, have the latest db updates. I'm wondering if 
this is another of Norton's reporting of 'broken' viruses? I 
searched the list and only could find data from 2004.

I do know that these are appearing as at least .pif and .jpg 
extensions.

Sorry, but I don't have one of these messages to send to the clam 
report virus system.

Seems all other viruses are being handled by Clam on these machines.

do you have 'DetectBrokenExecutables' enabled in clamd.conf ?

regards,
René

Darn! Good call... but as I read it I think I do.. from config...

# With this option clamav will try to detect broken executables and mark
# them as Broken.Executable
# Default: disabled
DetectBrokenExecutables

I assume this is the proper entry.

I'll try to lay my hands on one of these examples and get it to the 
powers that be. It might be helpful if ClamAV had a sort of 'Virus News' 
area. A quick place for us to go look for what's going on out there 
right now. Seems the last time I had an issue like this was a case of a 
broken exe and back then Clam was not writing sigs for those. Somehow 
though, I found my answer very quickly.

Sites like F-secure and Norton, and the full list here, seem to have an 
announcement area just for viruses. I do see the announce list. Perhaps I 
should join that. I also am well aware that Clam is open source, making 
it radically different from those others.

And, I should follow this whole statement with a big thank you to all 
those putting time, bandwidth and efforts into Clam as it is a most 
fantastic product. I'm not meaning to be moaning. :)

Best,
John Hinton