Re: [clamav-users] reject/flag files based on extension

2024-05-20 Thread Marc via clamav-users
> 
> Is it possible to configure clamav, so it rejects or marks files as virus
> just based on their file extension?
> 

When it processes data from milter. Maybe someone has experience with this? I 
have the impression from these pages that somewhere filenames are available 
within clamav, so I guess rules on extensions should be possible, not?

https://docs.clamav.net/manual/Signatures/FileTypeMagic.html
https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format
___

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat


[clamav-users] reject/flag files based on extension

2024-05-19 Thread Marc via clamav-users
Is it possible to configure clamav, so it rejects or marks files as virus just 
based on their file extension?



Re: [clamav-users] more false positives?

2024-05-11 Thread Marc via clamav-users
> >
> > I run clamav on linux, but I also have windows 7 installed.
> > I mounted the windows partition and ran a clamav scan,
> > which found the following viruses:
> >
> > /mnt/windows/Windows/System32/cliconfg.exe: Win.Virus.Expiro-9965977-0
> > /mnt/windows/Windows/System32/spool/tools/PrintBrmEngine.exe:
> > Win.Virus.Expiro-9958014-0
> >
> > I submitted both these files at virustotal.com. PrintBrmEngine.exe
> > was not detected by anything besides clamav, and cliconfg.exe
> > was only detected by clamav and google. So I am assuming these are
> > probably false positives. Just wondering if anyone has an opinion about these.
> >
> 
> I think the db maintainers would be very pleased with your help fixing
> false positives.
> 
> OT I think you need to airgap Windows7. If I remember correctly Microsoft
> distributed remote exploits just after its EOL.
> 


- Transcript of session follows -
... while talking to smtp.usol.com.:
<<< 550 Your country is not allowed to connect to this server.
554 5.0.0 Service unavailable

:D I think you need to find a different provider.


Re: [clamav-users] more false positives?

2024-05-11 Thread Marc via clamav-users
> 
> I run clamav on linux, but I also have windows 7 installed.
> I mounted the windows partition and ran a clamav scan,
> which found the following viruses:
> 
> /mnt/windows/Windows/System32/cliconfg.exe: Win.Virus.Expiro-9965977-0
> /mnt/windows/Windows/System32/spool/tools/PrintBrmEngine.exe:
> Win.Virus.Expiro-9958014-0
> 
> I submitted both these files at virustotal.com. PrintBrmEngine.exe
> was not detected by anything besides clamav, and cliconfg.exe
> was only detected by clamav and google. So I am assuming these are
> probably false positives. Just wondering if anyone has an opinion about these.
> 

I think the db maintainers would be very pleased with your help fixing false 
positives.

OT I think you need to airgap Windows7. If I remember correctly Microsoft 
distributed remote exploits just after its EOL.




Re: [clamav-users] ClamAV 1.0.X for EPEL 7 & 8

2024-04-29 Thread Marc via clamav-users

> 
> With the help of John Sullivan and Sérgio M. Basto we have gotten the
> Fedora ClamAV 1.0.X package in shape to be built for EPEL 7 and 8.  We
> have a COPR available now with builds of 1.0.6 ready for testing here:
> 

Hi Orion, I wrote Sergio a few months ago about implementing ip/port lookups 
dynamically. Did some of this find its way into these updates?





Re: [clamav-users] Help with clamav

2024-04-10 Thread Marc
You can use smbclient on linux, not? But I have the impression you are handling 
this incorrectly. I am always disabling file and printer sharing. Maybe better is 
to scan a snapshot of the vm disk image?

You also have to consider the traffic you are generating, I am already having 
issues getting my windows images below 40GB. So all this windows crap is 
constantly going over your network. How often do you even want to scan? What is 
with this real time protection of windows, is it running or not? So maybe just 
see if you can focus on user data + running integrity check with sfc /scannow 
(? not sure about this)
Maybe first start thinking a bit about what it is you actually want to achieve.


> If I mapped a network drive to my server running clamav would it be
> possible to scan that network drive?
> 
> So if I map another servers C drive to my clam server could I run a scan
> of that mapped c drive using clamav?
> 
> 
> On Fri, 5 Apr 2024, Nathan Millard via clamav-users wrote:
> 
> > So I have a kali Linux server, could I use that to scan my windows vms
> > for viruses using this "For Linux etc. you can get a central machine
> > (either the same server or a different one) to connect to each client,
> > eg with ssh, and make it run the above scan?"
> >
> > Sorry I am quite clamav so sorry if I am being stupid but I just want
> > a simple way to scan my LAN for viruses and get results back and not
> > have to run 15 different clam scans on all my vms.
> 
> I cannot speak for any Windows ClamAV packages, but the official ClamAV
> and the linux packages I have seen do not have a network level interface
> to do that.
> 
> Since you wish to scan VMs, there may be a way to scan them from the host
> server, though that would only be safe when they are idle, and probably
> only when the filesystems are unmounted.
> 


Re: [clamav-users] Help with clamav

2024-04-05 Thread Marc
> Hi, I hope I am emailing the right address.
> 
> I would like some help setting up clamav to scan remote hosts from a
> clamd server is this possible?
> 

Don't you mean you want to scan hosts with a remote clamd server?


Re: [clamav-users] How does one Obtain ClamAV Linux Anti-Virus Database File Updates for Systems not Connected to the internet

2024-03-25 Thread Marc
> 
> How does one Obtain ClamAV Linux Anti-Virus Database File Updates for
> Systems not Connected to the internet?  All our systems are air-gapped (not
> internet connected) so as ClamAV provides Linux Anti-Virus Database File
> Updates for viruses as they are identified, what link or website can I
> connect to download the latest signature files?
> 
> 
> 
> I am running Red Hat Enterprise 7 and 8 as well as CentOS 7 and 8.
> 

use something like a proxy that is 'multi' homed that can temporarily allow 
downloading. I am having something like a private vlan with some instances that 
are on the private vlan and the internet access vlan. Or automatically create 
container images, and just deploy those on the private vlan. etc etc 


Re: [clamav-users] Error installing from source

2023-10-13 Thread Marc
off topic a bit. I have the impression distributions are ending for anything 
other than being an os. Over the last few years you can just notice how they 
have problems with maintaining packages. This redhat is just taking source and 
redesigning functionality for their own interests. On the other hand you have 
'dumb' developers that do not even know about LTS versions and just use any 
(unsupported) library they can find.

You have to start thinking about putting things like clamav into containers. I 
am currently using this alpine linux <50MB, this goes well with clamav. Even 
better would be if no container os image was required. 
Redhat/centos is totally unusable for containers because they have 'idiots' 
there creating dependencies on everything, before you know it you have 
installed >200MB of useless packages. 
I think Redhat fixed something for me once, but I am not going to file endless 
bug reports there.


> 
> You need to find a later version of GCC for your servers.
> 
> I had a similar problem with some legacy Ubuntu machines. Fortunately an
> upgrade to GCC 7.5 was available in the Ubuntu release archive.
> 
> The C++ code in libunrar has been uplifted as well as a very nasty bug
> being fixed.
> 
> Paul
> 
> On 13/10/2023 08:42, Nikos Gatsis via clamav-users wrote:
> > Hello,
> >
> > On Centos 7 server:
> > Name    : gcc
> > Arch    : x86_64
> > Version : 4.8.5
> > Release : 44.el7
> >
> > On Centos 6 server:
> >
> > Name    : gcc
> > Arch    : x86_64
> > Version : 4.4.7
> > Release : 23.el6
> >
> > Regards
> >
> >> Hi
> >
> >> What version of GCC is installed on the server you are seeing this
> > problem ?
> >
> >> Regards Paul
> >
> >> On 12/10/2023 13:40, Nikos Gatsis via clamav-users wrote:
> >> NG> Hello list.
> >>
> >> NG>  I am trying to install from source 0.103.10 on some mailservers,
> >> most of them have
> >> NG>  Centos 7 last version and one with Centos 6. When I run make
> >> (after ./configure
> >> NG>  --sysconfdir=/etc --enable-milter) and I get many errors like:
> >>
> >> NG>  cc1plus: warning: unrecognized command line option
> >> "-Wno-dangling-else" [enabled
> >> NG>  by default]
> >> NG>  cc1plus: warning: unrecognized command line option
> >> "-Wno-logical-op-parentheses"
> >> NG>  [enabled by default]
> >> NG>  make[4]: *** [../libclamunrar/libclamunrar_la-archive.lo] Error 1
> >> NG>  make[4]: Leaving directory `/home/qbit/clamav-0.103.10/libclamav'
> >> NG>  make[3]: *** [all-recursive] Error 1
> >> NG>  make[3]: Leaving directory `/home/qbit/clamav-0.103.10/libclamav'
> >> NG>  make[2]: *** [all] Error 2
> >> NG>  make[2]: Leaving directory `/home/qbit/clamav-0.103.10/libclamav'
> >> NG>  make[1]: *** [all-recursive] Error 1
> >> NG>  make[1]: Leaving directory `/home/qbit/clamav-0.103.10'
> >> NG>  make: *** [all] Error 2
> >>
> >> NG>  All servers have already 0.103.8 and I had never problem
> >> installing before.
> >>
> >>> Build with -DENABLE_UNRAR=OFF option.
> >>
> >>> Regards.
> >>
> >> I run:
> >>
> >> ./configure --sysconfdir=/etc --enable-milter --disable-unrar
> >>
> >> and my problem solved.
> >>
> >> Thank you for your help.
> >>
> >> Nikos


Re: [clamav-users] Freshclam version 1.0.2 warnings

2023-09-03 Thread Marc via clamav-users

then you can add

--no-warnings

to your freshclam execution


From: Jorge Bastos
To: Newcomer01
Sent: Sunday, September 03, 2023 at 19:55 (07:55 PM) +0200
Subject: Re: [clamav-users] Freshclam version 1.0.2 warnings


Hi,

No, no change on it,

On 2023-09-03 18:39, newcomer01 via clamav-users wrote:


Maybe a newer clamav update has changed your freshclam.conf file, please check 
your settings for:

Debug
TestDatabases

here on my ubuntu all updates change anything on my system and I don't know why 
ubuntu does this ...


From: Jorge Bastos
To: Newcomer01
CC: Matus Uhlar - Fantomas
Sent: Sunday, September 03, 2023 at 18:23 (06:23 PM) +0200
Subject: Re: [clamav-users] Freshclam version 1.0.2 warnings


On 2023-09-03 15:36, Matus UHLAR - fantomas wrote:


On 02.09.23 22:32, Jorge Bastos wrote:

Since version 1.0.2 I'm having this information on freshclam update, in 
previous 1.0.0 it was not happening.
Any idea how to solve it, or it's something that has an ongoing fix?
Sat Sep  2 21:25:12 2023 -> Received signal: wake up
Sat Sep  2 21:25:13 2023 -> ClamAV update process started at Sat Sep  2 21:25:13 2023
Sat Sep  2 21:25:13 2023 -> daily.cld database is up-to-date (version: 27019, sigs: 2040213, f-level: 90, builder: raynman)
Sat Sep  2 21:25:13 2023 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Sat Sep  2 21:25:13 2023 -> bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
Sat Sep  2 21:25:14 2023 -> WARNING:  *** RESULT 304, SIZE: 0 ***
Sat Sep  2 21:25:14 2023 -> malware.expert.ndb is up-to-date (version: custom database)


HTTP code 304 means "not modified" which means your files are accurate.

I have no idea why that produces warning, it should be treated as OK state, 
possibly INFO message...


Oh I see, it's the HTTP code, didn't associate it with that.
Well, maybe someone left this warning info for debug, I had no change on my 
configuration,




Re: [clamav-users] Cloudflare ban?

2023-07-11 Thread Marc
> 
> Today I did a clean cvd update, meaning I removed everything in
> /var/lib/clamav, I flushed my fw rules, so it won't block anything, I
> have clamav version 0.103.8 which is LTS, so it shouldn't be banned.
> Here is the full log of freshclam: https://pastebin.com/RbSNnM5C
> It specifically says I get 403 from Cloudflare. I must be banned,
> otherwise I don't know where to look.

Cloudflare sucks, I constantly have such pages telling that it is not 
cloudflare's error but the server. Which statistically is very unlikely.


Re: [clamav-users] clamdscan streaming over TCP

2023-06-10 Thread Marc
> 
> I'm trying to scan a files (email, so not huge load) over my _internal_ LAN.
> 
> I have a dockerized clamd running on hostA, and on hostB, I can run
> clamdtop hostA, and get the expected output.
> 
> However, from within the same container that I just started clamdtop, I
> can't do the same with clamdscan. There is no argument to specify the
> host, or it is not in the `--help`. Also it is all hidden in the
> documentation, even though it suggests that this SHOULD be possible.
> 
> I'll look into the clamav-milter next, but still curious if this is
> possible at all, while testing this.

Maybe this is helpful, I have this in some old docs for client side testing.

cat <<EOF > /tmp/clam-remote.conf
TCPSocket 3310
TCPAddr clamav.local
EOF

clamdscan -c /tmp/clam-remote.conf --fdpass --stream '/tmp/clam-remote.conf'
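
With `--stream`, the command in the reply above sends the file contents to the remote clamd over the TCP socket using clamd's INSTREAM command. The Python below is an added example, not part of the original post or of ClamAV's code, showing that exchange from both sides; `fake_clamd`, its marker string and the signature name are constructed so the example runs offline, and `clamav.local:3310` is the address from the post.

```python
"""clamd INSTREAM over TCP: client framing plus a constructed stand-in server."""
import socket
import struct
import threading

CHUNK = 4096  # bytes per chunk; clamd rejects streams larger than its StreamMaxLength


def frame_instream(data: bytes, chunk_size: int = CHUNK) -> bytes:
    """Command, then <4-byte big-endian length><chunk> ..., then a zero length."""
    parts = [b"zINSTREAM\0"]
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        parts.append(struct.pack("!I", len(chunk)) + chunk)
    parts.append(struct.pack("!I", 0))
    return b"".join(parts)


def parse_reply(reply: bytes):
    """Map b'stream: OK\\0' / b'stream: <name> FOUND\\0' to (verdict, detail)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.startswith("stream: "):
        text = text[len("stream: "):]
    if text == "OK":
        return ("clean", None)
    if text.endswith(" FOUND"):
        return ("infected", text[: -len(" FOUND")])
    return ("error", text)  # anything else is a failure, never "clean"


def scan(sock: socket.socket, data: bytes):
    """Run one INSTREAM exchange on an already connected socket."""
    sock.sendall(frame_instream(data))
    reply = b""
    while not reply.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:
            break  # peer closed without a full reply -> parse_reply gives "error"
        reply += part
    return parse_reply(reply)


def fake_clamd(sock, marker=b"CONSTRUCTED-TEST-MARKER"):
    """Constructed stand-in for clamd: reads one INSTREAM request and answers."""
    def read_exact(n):
        buf = b""
        while len(buf) < n:
            part = sock.recv(n - len(buf))
            if not part:
                raise ConnectionError("peer closed")
            buf += part
        return buf

    assert read_exact(10) == b"zINSTREAM\0"
    body = b""
    while True:
        (size,) = struct.unpack("!I", read_exact(4))
        if size == 0:
            break
        body += read_exact(size)
    if marker in body:
        sock.sendall(b"stream: Constructed.Test.Sig FOUND\0")
    else:
        sock.sendall(b"stream: OK\0")
    sock.close()


def scan_offline(data: bytes):
    """Scan against the stand-in server over a local socket pair."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_clamd, args=(server,))
    worker.start()
    try:
        return scan(client, data)
    finally:
        client.close()
        worker.join()


if __name__ == "__main__":
    print(scan_offline(b"plain message body" * 1000))
    print(scan_offline(b"header CONSTRUCTED-TEST-MARKER trailer"))
    # Against a real daemon (address taken from the post):
    #   with socket.create_connection(("clamav.local", 3310), timeout=30) as s:
    #       print(scan(s, open("/tmp/clam-remote.conf", "rb").read()))
```
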


Re: [clamav-users] dry run freshclam

2023-05-02 Thread Marc
> 
> On 01.05.23 10:34, Marc wrote:
> > this freshclam needs to have something like a --dry-run or so.  Super
> > annoying if you test with something like proxy auth and you are constantly
> > having this cdn throttling.
> 
> what should it do? Just parse the config file?
> 

I would make it like that you can test the whole chain of events. Maybe add 
something like a http header X-test and the servers will respond with a tiny 
download or so. It should be as close as possible to a real request. (Without 
obviously causing this load/data)


[clamav-users] dry run freshclam

2023-05-01 Thread Marc


this freshclam needs to have something like a --dry-run or so. Super annoying 
if you test with something like proxy auth and you are constantly having this 
cdn throttling.




Re: [clamav-users] run freshclam without notifying clamd

2023-04-30 Thread Marc

It is building now, although I am still getting an error. What I do not get 
is the design change behind this. Normally I could install only freshclam, 
and without doing anything download the current databases for the container.
Now I have to create a clamd.conf file[1] and getting all kinds of errors. 
Either freshclam is part of the clamav-daemon clamav-db clamav packages or not. 
If it is not, there should not be a dependency on a file included in an external 
package. What kind of logics is this. Why even change something that was good 
...

etc/clamav # freshclam --stdout
ClamAV update process started at Sun Apr 30 11:05:23 2023
daily database available for download (remote version: 26892)
Time:0.8s, ETA:0.0s [>]   58.40MiB/58.40MiB
Testing database: '/var/lib/clamav/tmp.2d473bc9f9/clamav-8dd1897da8048bac7afd3c826a555c43.tmp-daily.cvd' ...
Database test passed.
daily.cvd updated (version: 26892, sigs: 2032828, f-level: 90, builder: raynman)
main database available for download (remote version: 62)
Time:1.6s, ETA:0.0s [>]  162.58MiB/162.58MiB
Testing database: '/var/lib/clamav/tmp.2d473bc9f9/clamav-93d1ad81cac0cfad9b0a2305580caccc.tmp-main.cvd' ...
Database test passed.
main.cvd updated (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode database available for download (remote version: 334)
Time:0.1s, ETA:0.0s [>]  285.12KiB/285.12KiB
Testing database: '/var/lib/clamav/tmp.2d473bc9f9/clamav-f4998549cecd71d461021e791730d124.tmp-bytecode.cvd' ...
Database test passed.
bytecode.cvd updated (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
ERROR: Missing argument for option at /etc/clamav/clamd.conf:2
ERROR: NotifyClamd: Can't find or parse configuration file /etc/clamav/clamd.conf

[1]
/etc/clamav # cat /etc/clamav/clamd.conf

[freshclam.conf]


> 
> Just comment the line NotifyClamd path-to-clamd.conf in freshclam.conf
> 
> [freshclam.conf]
> .
> .
> # NotifyClamd 
> 
> 
> Re
> 
> 
> On Wed, 26 Apr 2023 at 13:21, Marc (<mailto:m...@f1-outsourcing.eu>) wrote:
> 
> 
> 
>   I am running freshclam in a build layer in docker to download
> default databases for the docker image. Obviously nothing else is
> installed at this stage.
> 
>   apk add freshclam --no-cache
>   touch /etc/clamav/clamd.conf (added this, otherwise freshclam
> complained about it not existing)
>   freshclam
> 
>   results in this error:
> 
>   ERROR: NotifyClamd: No communication socket specified in
> /etc/clamav/clamd.conf
>   ERROR: Can't send to clamd: Not a socket
> 
> 
>   How do I execute freshclam and do not inform clamd? This used to be
> the default, it is sort of obvious that if the clamd.conf does not exist
> freshclam does not need to do anything.
> 



[clamav-users] run freshclam without notifying clamd

2023-04-26 Thread Marc


I am running freshclam in a build layer in docker to download default databases 
for the docker image. Obviously nothing else is installed at this stage. 

apk add freshclam --no-cache
touch /etc/clamav/clamd.conf (added this, otherwise freshclam complained about 
it not existing)
freshclam

results in this error:

ERROR: NotifyClamd: No communication socket specified in /etc/clamav/clamd.conf
ERROR: Can't send to clamd: Not a socket


How do I execute freshclam and do not inform clamd? This used to be the 
default, it is sort of obvious that if the clamd.conf does not exist freshclam 
does not need to do anything.


Re: [clamav-users] Freshclam to not write to syslog?

2023-04-06 Thread Marc
> 
> Good day Guys
> 
> I would like to double check something pertaining to Freshclam
> 
> Is it possible to get Freshclam to not write to syslog (want all logging
> to /var/log/clamav/freshclam.log )?
> 
> Currently I have the following in my freshclam conf file.
> 
> UpdateLogFile /var/log/clamav/freshclam.log
> LogVerbose no (also tried false)
> LogSyslog no (also tried false)
> LogFacility LOG_MAIL
> Debug false
> 
> Is my understanding correct that it is not possible to not write to syslog?

My logging goes to syslog, maybe remove this UpdateLogFile? I have only this in 
my config.

LogSyslog yes
LogFacility LOG_MAIL


Re: [clamav-users] Funny --include-dir behaviour

2023-03-22 Thread Marc via clamav-users

Sorry, the attachment I will not open!

You send over an .de Domain and the descriptions are in french only and 
contains ONLY javascript Codes!

NO!

@Admin: maybe we should block the user from list?

From: Clamav Users Ml <mailto:agoye...@finer-food.de>
To: Newcomer01 <mailto:newcome...@posteo.de>
Sent: Wednesday, March 22, 2023 at 14:14 (02:14 PM) +0100
Subject: Re: [clamav-users] Funny --include-dir behaviour


Would you please look through the last agreement? I have attached some extra 
details about it.

--
Hi,

For
>        nice -n -20 clamscan \
> --include-dir="^/home/$SUDO_USER/.thunderbird/Marc/Mail/" \
>        --recursive="yes" \
>        --quiet \
>        --infected \
>        --alert-broken-media="no" \
>        --database="/var/lib/clamav" \
>        --log="/var/log/clamav/clamscan.log"
>        #--move="/etc/clamav/virusevent.d/Mail"

what is your current directory?  Since none is specified, the current directory 
is chosen, so if you aren't in a parent directory of Mail, it will not be 
scanned.

Thanks,
Andy

--
*From:* clamav-users on behalf of newcomer01 via clamav-users
*Sent:* Monday, February 13, 2023 4:51 AM
*To:* ClamAV User Mailinglist
*Cc:* newcomer01
*Subject:* [clamav-users] Funny --include-dir behaviour
this is hilarious, why this won't work?
>        nice -n -20 clamscan \
> --include-dir="^/home/$SUDO_USER/.thunderbird/Marc/Mail/" \
>        --recursive="yes" \
>        --quiet \
>        --infected \
>        --alert-broken-media="no" \
>        --database="/var/lib/clamav" \
>        --log="/var/log/clamav/clamscan.log"
>        #--move="/etc/clamav/virusevent.d/Mail"
this should scan only the included path recursive

But when i do this:
>        nice -n -20 clamscan \
>        "/home/$SUDO_USER/.thunderbird/Marc/Mail" \
>        --recursive="yes" \
>        --quiet \
>        --infected \
>        --alert-broken-media="no" \
>        --database="/var/lib/clamav" \
>        --log="/var/log/clamav/clamscan.log"
>        #--move="/etc/clamav/virusevent.d/Mail"
it worked well.
Can someone explain what's the reason for this?
Oh and the var SUDO_USER is the whoami

regards,
Marc



[clamav-users] clamav milter auto ip address update

2023-03-07 Thread Marc


I recently had an issue where mail was temporarily rejected because 
clamav-milter/spamass-milter could not connect to clamd/spamd. Clamd/Spamd are 
tasks that can automatically change hosts and thus their ips. A simple 
restart of the milter fixes this (resolves the new ip).

However, it would be nice if something could be added to the milter code that, 
if it can't contact clamd, it tries to re-resolve the ip address automatically. 

ps. as you can deduce from the text I am not a 100% sure which milter caused 
this actually. 

pps. even nicer would be, the ability to use srv records and use dynamic ports.




Re: [clamav-users] 0 length bytecode.cvd causing problems with clamav daemon

2023-02-27 Thread Marc via clamav-users

I would suggest, to delete all libraries in /var/lib/clamav and download all 
complete new.
CLD Files comes not regularly, normally we have CVD only.

If I understand this well, CLD Files comes only when error occurs while 
updating.
https://blog.clamav.net/2021/03/clamav-cvds-cdiffs-and-magic-behind.html


From: Kevin O'connor
To: Newcomer01
Sent: Monday, February 27, 2023 at 18:38 (06:38 PM) +0100
Subject: Re: [clamav-users] 0 length bytecode.cvd causing problems with clamav daemon

Heh, good question.  Just checked again, and it looks like that was a 
copy-paste error.  There is only one PrivateMirror line.
Kevin

On Mon, Feb 27, 2023 at 12:02 PM newcomer01 via clamav-users wrote:

why you have set two times the "PrivateMirror" with identically IP's?
Can't believe that this happens with the automated PostInst 


From: Clamav User Mailinglist
To: Newcomer01
CC: Kevin O'connor
Sent: Monday, February 27, 2023 at 16:58 (04:58 PM) +0100
Subject: [clamav-users] 0 length bytecode.cvd causing problems with clamav daemon
> I am having an issue with 0 length bytecode.cvd files on my scanner instances.  This seems to have started sometime on 22 Feb, I'm afraid I don't have an exact time. The clamav daemon produces logs like the following:
>
> Feb 27 14:39:11 av-scan-wrhn clamd[163614]: LibClamAV Error: cli_cvdverify: Can't read CVD header
> Feb 27 14:39:11 av-scan-wrhn clamd[163614]: LibClamAV Error: Can't load /var/lib/clamav/bytecode.cld: Broken or not a CVD file
> Feb 27 14:39:11 av-scan-wrhn clamd[163614]: LibClamAV Error: cli_loaddbdir(): error loading database /var/lib/clamav/bytecode.cld
> Feb 27 14:39:11 av-scan-wrhn clamd[163614]: Mon Feb 27 14:39:11 2023 -> !Broken or not a CVD file
> Feb 27 14:39:11 av-scan-wrhn systemd[1]: clamav-daemon.service: Main process exited, code=exited, status=1/FAILURE
> Feb 27 14:39:11 av-scan-wrhn systemd[1]: clamav-daemon.service: Failed with result 'exit-code'.
> Feb 27 14:39:11 av-scan-wrhn systemd[1]: clamav-daemon.service: Consumed 8.679s CPU time.
>
>
> I feel like I have narrowed the problem down to a 0 length 'bytecode.cvd' file.  Here is a listing of the definitions directory:
>
> $ ls -l /var/lib/clamav
> total 226168
> -rw-r--r-- 1 clamav clamav    314802 Feb 27 14:06 bytecode.cld
> -rw-r--r-- 1 clamav clamav         0 Feb 27 02:00 bytecode.cvd
> -rw-r--r-- 1 clamav clamav  60787973 Feb 27 10:01 daily.cld
> -rw-r--r-- 1 clamav clamav        69 Feb 23 15:33 freshclam.dat
> -rw-r--r-- 1 clamav clamav 170479789 Feb 27 02:00 main.cvd
>
>
> My initial fix (before narrowing the problem down to bytecode.cvd) was to
>
> 1. stop freshclam
> 2. clean this directory
> 3. restart freshclam
> 4. give it time to get the definitions (from a private mirror)
> 5. start clamav daemon
>
> This would work for maybe 1/2 day then the empty bytecode.cvd file would reappear and the daemon would fail.
>
> This morning I was able to spend some more time and find that it was just the one file that needed to be removed.
>
> I have a local mirror because there are several instances of this scanner in use (at least 2 instances for several environments).  I have checked the mirror and it appears to be working fine and keeping the definitions up to date inside our environment.  In addition, the scanner instances appear to be keeping the local set of definitions up to date with the mirror.
>
> The mirror does not have a bytecode.cvd file on it (here is a listing of its definitions directory)
>
> $ ls -l /var/lib/clamav
> total 226172
> -rw-r--r-- 1 clamav clamav    314802 Feb 22 22:02 bytecode.cld
> -rw-r--r-- 1 clamav clamav  60787973 Feb 27 09:06 daily.cld
> -rw-r--r-- 1 clamav clamav        69 Jan 29  2022 freshclam.dat
> -rw-r--r-- 1 clamav clamav 170479789 Jan 29  2022 main.cvd
> -rw-r--r-- 1 clamav clamav        87 Jan 29  2022 test.html
>
>
> To the best of my knowledge, the software is up to date:
>
> $ sudo freshclam -V
> ClamAV 0.103.8/26825/Mon Feb 27 08:24:38 2023
>
>
> Here is the freshclam.conf used on all the local scanner instances
>
> $ cat /etc/clamav/freshclam.conf
> # Automatically created by the clamav-freshclam postinst
> # Comments will get lost when you reconfigure the clamav-freshclam package
>
> DatabaseOwner clamav
> UpdateLogFile /var/log/clamav/freshclam.log
> LogVerbose false
> LogSyslog false
> LogFacility LOG_LOCAL6
> LogFileMaxSize 0
> LogRotate true
> LogTime true
> Foreground false
> Debug false
> MaxAttempts 
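
The failure in the quoted report above (a zero-length bytecode.cvd sitting next to a valid bytecode.cld and stopping clamd) can be caught before the daemon starts. This is an added example, not part of the original thread; the function names and the quarantine directory in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pre-start sanity check for a ClamAV
# definitions directory such as /var/lib/clamav.

# check_db_dir DIR
# Print one line per zero-length .cvd/.cld file in DIR, noting whether a
# non-empty sibling (same base name, other extension) is present.
# Returns 0 when every database file has content, 1 otherwise.
check_db_dir() {
    dir=$1
    bad=0
    for f in "$dir"/*.cvd "$dir"/*.cld; do
        [ -f "$f" ] || continue          # glob matched nothing
        [ -s "$f" ] && continue          # file has content: fine
        base=${f##*/}
        case "$base" in
            *.cvd) sib=${base%.cvd}.cld ;;
            *)     sib=${base%.cld}.cvd ;;
        esac
        if [ -s "$dir/$sib" ]; then
            echo "EMPTY $base sibling=$sib"
        else
            echo "EMPTY $base sibling=none"
        fi
        bad=1
    done
    return "$bad"
}

# quarantine_empty DIR DEST
# Move zero-length database files from DIR to DEST so they can be inspected
# later; files with content are left untouched.
quarantine_empty() {
    dir=$1
    dest=$2
    mkdir -p "$dest"
    for f in "$dir"/*.cvd "$dir"/*.cld; do
        [ -f "$f" ] || continue
        [ -s "$f" ] || mv -- "$f" "$dest/"
    done
    return 0
}

# Usage before starting clamd (the destination path is a placeholder):
#   check_db_dir /var/lib/clamav ||
#       quarantine_empty /var/lib/clamav /var/tmp/clamav-empty
```

A line ending in `sibling=none` means no usable copy of that database remains, so the daemon should not be started until freshclam has fetched it again.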

Re: [clamav-users] ClamAV Private Mirror Question

2023-01-30 Thread Marc
> 
> I have setup a private mirror for ClamAV. I have pointed it to the private
> mirror on freshclam.conf. My question is how do i test this to make sure I am
> pulling the most up to date definitions from the private mirror to the server
> being scanned? Thanks in advance.
> 

turn off gateway / change routing
tcpdump
block with iptables

etc


Re: [clamav-users] remove me

2022-09-09 Thread Marc
> 
> perhaps it could contain better unsubscribe info, the top-down link:
> https://docs.clamav.net/#mailing-lists-and-chat
> does not contain unsubscribe

What about doing some sort of IQ test before users subscribe something like 
2+2=?

;)


Re: [clamav-users] remove me

2022-09-08 Thread Marc


moron, search at least how to be removed from a mailinglist


Re: [clamav-users] Permanently banned from clamav

2022-07-02 Thread Marc
> 
> Please clarify what "regularly" means in this case?
> 
> Once a day / hour / week / month / other?
> 
> Regular just implies a cadence without specifying what that cadence is.

:) :) Better not go and reply on Instagram. The users there tend to have their 
own definition of words, and totally dislike references to something like a 
dictionary.



Re: [clamav-users] Patent troll attacks AV vendors

2022-04-14 Thread Marc
Just move the legal entity to Europe, and end of story with such claims.

> 
> Is Clam affected by this?
> 
>  lawsuit-malware-detection-endpoint-security>
> 
> 
> > In early March, cybersecurity firm Webroot and its parent company
> > OpenText launched a series of patent litigation containing some
> > eye-opening claims. Filed March 4th in the famously patentholder-friendly
> > Western District of Texas court, the four lawsuits claim that techniques
> > fundamental to modern malware detection are based on patented technology
> > — and that the company's competitors are infringing on intellectual
> > property rights with their implementation of network security software.
> >
> > The defendants named in the suits are a who's who of security
> > companies: CrowdStrike, Kaspersky, Sophos, and Trend Micro are all named.
> > According to OpenText, the companies are using patented technology in
> > their anti-malware applications, specifically in the endpoint security
> > systems that protect specific devices on a network. It's a sweeping
> > lawsuit that puts much of the security industry in immediate danger. And,
> > for critics, it's a bitter reminder of how much damage a patent troll
> > can still do.
> 
> 
> > Though the lawsuit is being brought in 2022, a judgment would hinge in
> > part on whether the techniques described in the patent were widely known
> > at the time that the patent application was filed. One of the patents at
> > the heart of the suit — US Patent No. 8,418,250, referred to as "the
> > '250 patent" in the lawsuit — was granted in the United States in
> > 2013 but first issued by the British patent office in 2005. Another, US
> > Patent No. 8,726,389 or the '389 patent, was also issued in the UK in
> > 2005 and granted in the US in 2014.
> 



Re: [clamav-users] Reservations towards clamAV

2022-02-14 Thread Marc
> I keep running into reservations about clamAV. It is often claimed that
> clamAV has a poor detection rate compared to other solutions. I then often
> lack an answer based on hard facts. Do you also have this problem? If so,
> is there good data somewhere to compare clamAV with other solutions?

I was recently thinking exactly the same. I even tried searching for some test 
results, but found nothing significant.

> Or do
> you have good arguments with which you have convinced?
> 

Having something is always better than nothing, as long as you keep in mind 
that virus scanning processes are always a few steps behind. Thus if someone 
targets you specifically, they are useless. 
I see them more like to prevent accidental spreading, which is probably the 
most common scenario.



Re: [clamav-users] is there a kill signal to have freshclam do an update check?

2022-02-13 Thread Marc
> >>> Is there a command that can make a running freshclam daemon do an update
> >>> request instantly?
> >>
> >> SIGUSR1, assuming it's compiled with it enabled.
> >
> > Yes thanks, I was already trying with this command
> >
> > kill -s SIGUSR1 $(pidof freshclam)
> >
> > However it gets the wrong pid from the container environment where I have
> > these processes listed
> >
> > clam 4051769 4051758  0 16:27 ?00:00:00 [freshclam]
> > clam 4051770   1  0 16:27 ?00:00:04 freshclam -d
> >
> > If I start freshclam -d in the docker testing environment I do not have
> > this first process '[freshclam] '. Any idea what this can be?
> 
> Often what happens when a daemon starts up is that the parent forks a
> child with the right permissions etc. and the parent then exits. 

Ok so maybe this code is a bit buggy currently? Because I am using freshclam as 
unprivileged user.

> This
> can leave a defunct process until it's cleaned up.  There's no need to
> worry about it.  The PPID (parent process ID) of the child will be the
> PID of the parent until the parent exits, but after that the PPID of
> the child is the PID of the 'init' process (or whatever passes for the
> 'init' process on your system - systemd?) which will usually be PID 1.

Thanks for explaining :) It is just a bit annoying when it is there and pidof 
is not working, nothing more.

> I have no experience with managing processes in Docker, but there's an
> optional 'PidFile' directive in the freshclam configuration file from
> which you might get the number you need if you configure freshclam to
> write it there.
> 
> Alternatively, as Mr. Aitchison suggested, you could start freshclam
> whenever you want it to update and let it terminate.  So instead of
> running it as a daemon you might for example want to run it from cron.

I prefer to stick as close as possible to one process per container and have as 
few processes as possible. Having to execute systemd run level commands 
means I need to get a container shell, and I am just too lazy to do that. ;)

> Why do you need to do this?  Most people seem to be happy enough with
> a couple of updates per day, and if you hit the CDN too hard you could
> easily find yourself blacklisted.  I recommend that you let freshclam
> do what it's designed to do.  It's pretty good at it.
> 

I am just testing the proxy access when the ip address has changed when the 
task is restarted. It is fine for production. Although the defunct could 
generate a false positive on monitoring.
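
The two suggestions in this exchange (use the PidFile, and ignore the defunct `[freshclam]` entry) combined into one helper, as an added example that is not part of the original thread. The function names and the `FRESHCLAM_PIDFILE` variable are assumptions; the default path is the PidFile value from the container configuration quoted elsewhere on this page.

```shell
#!/bin/sh
# Added example (not from the thread): send SIGUSR1 to the running freshclam
# daemon without also hitting the defunct parent entry.

# Assumption: default taken from the PidFile line in the container config
# quoted on this page; set it to whatever your freshclam.conf uses.
FRESHCLAM_PIDFILE=${FRESHCLAM_PIDFILE:-/run/lock/freshclam.pid}

# pid_from_file FILE
# Print the PID stored in FILE if it is purely numeric and can be signalled.
pid_from_file() {
    [ -r "$1" ] || return 1
    pid=$(tr -d ' \t\r\n' < "$1")
    case "$pid" in
        '' | *[!0-9]*) return 1 ;;   # empty or non-numeric: stale or garbage
    esac
    kill -0 "$pid" 2>/dev/null || return 1
    printf '%s\n' "$pid"
}

# live_pids NAME
# Read "PID STAT COMM" lines on stdin (the layout of `ps -eo pid=,stat=,comm=`)
# and print the PIDs named NAME whose state is not Z (zombie/defunct).
live_pids() {
    awk -v name="$1" '$3 == name && $2 !~ /^Z/ { print $1 }'
}

# signal_freshclam
# Prefer the PidFile; fall back to the process table with zombies filtered out.
signal_freshclam() {
    target=$(pid_from_file "$FRESHCLAM_PIDFILE") ||
        target=$(ps -eo pid=,stat=,comm= | live_pids freshclam | head -n 1)
    if [ -z "$target" ]; then
        echo "no live freshclam process found" >&2
        return 1
    fi
    kill -s USR1 "$target"
}
```

The same `live_pids` filter can be used in a monitoring check so that the defunct entry is not counted as a second freshclam instance.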





Re: [clamav-users] is there a kill signal to have freshclam do an update check?

2022-02-13 Thread Marc
> 
> > Is there a command that can make a running freshclam daemon do an update
> > request instantly?
> 
> SIGUSR1, assuming it's compiled with it enabled.
> 

Yes thanks, I was already trying with this command

kill -s SIGUSR1 $(pidof freshclam)

However it gets the wrong pid from the container environment where I have these 
processes listed

clam 4051769 4051758  0 16:27 ?00:00:00 [freshclam] 
clam 4051770   1  0 16:27 ?00:00:04 freshclam -d

If I start freshclam -d in the docker testing environment I do not have this 
first process '[freshclam] '. Any idea what this can be?



Re: [clamav-users] CLAMAV: Docker Tag 0.104.2 has 9 Medium Vulnerabilities for Busy Box

2022-02-13 Thread Marc
> 
> My team is new to maintaining images on Docker Hub. We hadn't yet
> identified the best practices for how to publish an image for the same
> ClamAV version with a new base image. After a little investigation, I
> settled on this scheme.
> 

Maybe it is time to allow environment variables in the config files? 


sed -e "s|^\(Example\)|\# \1|" \
    -e "s|.*\(PidFile\) .*|\1 /run/lock/clamd.pid|" \
    -e "s|.*\(LocalSocket\) .*|\1 /run/clamav/clamd.sock|" \
    -e "s|.*\(TCPSocket\) .*|\1 3310|" \
    -e "s|.*\(TCPAddr\) .*|\1 0.0.0.0|" \
    -e "s|.*\(User\) .*|\1 clamav|" \
    -e "s|^\#\(LogFile\) .*|\1 /var/log/clamav/clamd.log|" \
    -e "s|^\#\(LogTime\).*|\1 yes|" \
    "/clamav/etc/clamav/clamd.conf.sample" > "/clamav/etc/clamav/clamd.conf" && \
sed -e "s|^\(Example\)|\# \1|" \
    -e "s|.*\(PidFile\) .*|\1 /run/lock/freshclam.pid|" \
    -e "s|.*\(DatabaseOwner\) .*|\1 clamav|" \
    -e "s|^\#\(UpdateLogFile\) .*|\1 /var/log/clamav/freshclam.log|" \
    -e "s|^\#\(NotifyClamd\).*|\1 /etc/clamav/clamd.conf|" \
    -e "s|^\#\(ScriptedUpdates\).*|\1 yes|" \
    "/clamav/etc/clamav/freshclam.conf.sample" > "/clamav/etc/clamav/freshclam.conf" && \
sed -e "s|^\(Example\)|\# \1|" \
    -e "s|.*\(PidFile\) .*|\1 /run/lock/clamav-milter.pid|" \
    -e "s|.*\(MilterSocket\) .*|\1 inet:7357|" \
    -e "s|.*\(User\) .*|\1 clamav|" \
    -e "s|^\#\(LogFile\) .*|\1 /var/log/clamav/milter.log|" \
    -e "s|^\#\(LogTime\).*|\1 yes|" \
    -e "s|.*\(ClamdSocket\) .*|\1 unix:/run/clamav/clamd.sock|" \
    "/clamav/etc/clamav/clamav-milter.conf.sample" > "/clamav/etc/clamav/clamav-milter.conf" || \



Re: [clamav-users] CLAMAV: Docker Tag 0.104.2 has 9 Medium Vulnerabilities for Busy Box

2022-02-13 Thread Marc
> My team is new to maintaining images on Docker Hub. We hadn't yet
> identified the best practices for how to publish an image for the same
> ClamAV version with a new base image. After a little investigation, I
> settled on this scheme.
> 
I can see ;)

This is of course crap. 

# Wait forever (or until canceled)
exec tail -f "/dev/null"

The goal of the entrypoint.sh exec is that if it terminates the OC can take 
proper action, eg restart the task. In your case clamd can crash and no action 
will be taken, because the OC monitors a useless tail?





Re: [clamav-users] clamav milter + sendmail, sendmail not reporting reject

2022-02-10 Thread Marc
> >
> > >
> > > this looks like your sendmail DID reject mail from client.
> > >
> >
> > I think you are maybe right, however this is not being reported and it
> > gets stuck in my delivering mail server. Which I do not get because if I
> > put my own email address on the email blacklist, I am getting the delivery
> > error reported from the same server.
> >
> > This can not be related to that clamav reports 554 5.0.0 and my email
> > blacklist reports  550 5.7.4?
> >
> >
> 
> I think I am not getting the report, because the report contains still the
> attachment with the test virus, pf.
> 
> 

I managed to receive the ndr message from my own server by this change in 
sendmail.mc, which removes the whole body and also thus the attachment.

define(`confPRIVACY_FLAGS',`authwarnings,novrfy,noexpn,restrictqrun')dnl

to

define(`confPRIVACY_FLAGS',`authwarnings,novrfy,noexpn,nobodyreturn,restrictqrun')dnl



[clamav-users] is there a kill signal to have freshclam do an update check?

2022-02-09 Thread Marc



Is there a command that can make a running freshclam daemon do an update 
request instantly?






Re: [clamav-users] Locating clamav-milter to match v0.104.2

2022-02-08 Thread Marc
> 
> I am hoping to find a clamav-milter to match the current version of
> clamav.
> 
> The current link on website seems to go to GitHub.
> 
> GitHub then says that you need to get software from ClamAV.
> 
> If there is somewhere that I can get a clamav-milter v0.104.2 RPM, it
> would be much appreciated.
> 

Are you sure they have constantly the same versions? The milter of spamassassin 
hardly changed and is from 2014 (+ some patches)



Re: [clamav-users] clamav milter + sendmail, sendmail not reporting reject

2022-02-08 Thread Marc
> 
> >
> > this looks like your sendmail DID reject mail from client.
> >
> 
> I think you are maybe right, however this is not being reported and it
> gets stuck in my delivering mail server. Which I do not get because if I
> put my own email address on the email blacklist, I am getting the delivery
> error reported from the same server.
> 
> This can not be related to that clamav reports 554 5.0.0 and my email
> blacklist reports  550 5.7.4?
> 
> 

I think I am not getting the report, because the report contains still the 
attachment with the test virus, pf. 




Re: [clamav-users] clamav milter + sendmail, sendmail not reporting reject

2022-02-08 Thread Marc
> > That is the problem of the server that is contacting mine. They should
> > not be relaying such crap to me anyway.
> 
> No, this is *your* problem.
> If you start annoying people with inappropriate bounces, you'll get into
> blacklists fast.
> 
> In any case, we are OT, so I'll stop here.
> 

Try reading, then thinking and then replying. (I don't think you were ever OT)



Re: [clamav-users] clamav milter + sendmail, sendmail not reporting reject

2022-02-08 Thread Marc


> > Normally when a client connection is rejected by my sendmail server, the
> > client is notified of the Reject message and the client server is
> > generating an NDR.  This is listed in my log as [1]
> 
> > however when I send a virus
> 
> what's the difference between "you" and a "client connection"?

Not much I hope, both are delivering to the same server but from my message I 
have the logs and can see if I receive a bounce or not. Now I switched testing 
via a thunderbird client, I do have better reporting.

> 
> this looks like your sendmail DID reject mail from client.
> 

I think you are maybe right, however this is not being reported and it gets 
stuck in my delivering mail server. Which I do not get because if I put my own 
email address on the email blacklist, I am getting the delivery error reported 
from the same server.

This can not be related to that clamav reports 554 5.0.0 and my email blacklist 
reports  550 5.7.4?





Re: [clamav-users] clamav milter + sendmail, sendmail not reporting reject

2022-02-08 Thread Marc
> 
> > So please explain, why should I not do this, and why I should care about
> > a server that is delivering a spam message to mine?
> 
> You might not care about the server that sent a virus to you, but you
> should care about the *apparent* sender, which has probably nothing to
> do with this; so you should not bounce.
> 

That is the problem of the server that is contacting mine. They should not be 
relaying such crap to me anyway.




Re: [clamav-users] clamav milter + sendmail, sendmail not reporting reject

2022-02-08 Thread Marc
> > Normally when a client connection is rejected by my sendmail server,
> > the client is notified of the Reject message and the client server
> > is generating an NDR. This is listed in my log as [1] however when I
> > send a virus it looks like sendmail is not reporting the reject back
> > to the client server. How should I 'enable' this?
> 
> This isn't a ClamAV question, more one about Sendmail configuration
> and MTA/client behaviour.

I am not sure about this, also because I have no knowledge of how the 
communication between the MTA and the milter is handled. I think it could be 
related to the way the reject is being done by the milter. I have a bit of 
experience with mailfromd and if I reject a message there the MTA processes it 
correctly but different from clamav-milter. 

> If I've understood what you've said you want, and your configuration,
> it all seems OK.  Both log snippets show a rejection in replies which
> are made to the client.
> 
> They do not however show any NDR, they're just parts of the client/MTA
> conversation which starts with "connect from" and can be terminated by
> the MTA more or less at any point during what follows, right up to the
> final '.' on a line on its own.  If the MTA terminates with a 4xx code
> or 5xx code the message[*] is considered rejected (respectively either
> temporarily or permanently) and the client MAY take some optional text
> attached to the reply by the MTA and use it in an NDR which it creates
> for return to the originator of the mail.  In this case the MTA does
> not create the NDR, it's up to the client,

correct! I am only working with this setup.

> If the MTA actually accepts the message but later on finds that it's
> undeliverable then according to the RFCs it must create an NDR itself
> (but that doesn't appear to be the case in either of your examples).

correct! the frontend servers know what can be relayed.

> If you're thinking about what are sometimes called 'bounce' messages,
> where a message is received (and accepted) by an MTA and it promptly
> replies to that message with one of its own saying that the message
> has been dropped in the trash can, then please don't do that because
> it will likely add to the problems caused by the original message.

Indeed, I noticed somewhere in clamav or clamav-milter there was a '--bounce' 
option. And I was wondering if it really generates a message or it is 
facilitating the reject function. 




Re: [clamav-users] clamav milter + sendmail, sendmail not reporting reject

2022-02-08 Thread Marc
> On 2/7/22 22:36, Marc wrote:
> > however when I send a virus it looks like sendmail is not reporting the
> > reject back to the client server.
> > How should I 'enable' this?
> 
> Don't.
> Viruses are usually sent with a spoofed sender address; you would only
> annoy victims who didn't really send what you received.
> 
>   bye
>   av.
> 

There is a difference between rejecting the message and having the client 
server decide whether or not it creates a message to the sender. (which is what 
I want)

or 

my server is generating a message to the sender (which is what I do not want)

So please explain, why should I not do this, and why I should care about a 
server that is delivering a spam message to mine?





[clamav-users] clamav milter + sendmail, sendmail not reporting reject

2022-02-07 Thread Marc
Normally when a client connection is rejected by my sendmail server, the client 
is notified of the Reject message and the client server is generating an NDR. 
This is listed in my log as [1] however when I send a virus it looks like 
sendmail is not reporting the reject back to the client server. How should I 
'enable' this?


[1]
x sendmail[3880]: 217LNkNB003880: ruleset=check_rcpt, 
arg1=, relay=hosting.unibit.bg [194.141.8.30], 
reject=550 5.7.1 < .x...@x.xxx>... Relaying denied

[2]
Feb  7 22:24:18 x clamav-milter[27526]: Message from  to 
 infected by Eicar-Signature
Feb  7 22:24:18 x sendmail[27607]: 217LOGRO027607: Milter insert (1): 
header: X-Virus-Scanned: clamav-milter 0.103.5 at x
Feb  7 22:24:18 x sendmail[27607]: 217LOGRO027607: Milter insert (1): 
header: X-Virus-Status: Infected (Eicar-Signature)
Feb  7 22:24:18 x sendmail[27607]: 217LOGRO027607: Milter: data, reject=554 
5.7.1 Command rejected
Feb  7 22:24:18 x sendmail[27607]: 217LOGRO027607: 
to=, delay=00:00:00, pri=31328, stat=Command rejected

[3] config clamav milter
[@mail]# cat /etc/mail/clamav-milter.conf | grep -v '^#' | sed '/^$/d'
MilterSocket /var/run/clamav-milter/clamav-milter.socket
User clamilt
ClamdSocket tcp:xxx:3310
OnInfected Reject
AddHeader Add
LogSyslog yes
LogFacility LOG_MAIL
LogInfected Basic
LogClean Basic

[4] sendmail
INPUT_MAIL_FILTER(`clamav', 
`S=local:/var/run/clamav-milter/clamav-milter.socket, F=, T=S:4m;R:5m')dnl
INPUT_MAIL_FILTER(`spamassassin', 
`S=local:/var/run/spamass-milter/spamass-milter.sock, F=, 
T=C:1m;S:4m;R:4m;E:5m')dnl
define(`confINPUT_MAIL_FILTERS', `mailfromd,clamav,spamassassin')dnl



Re: [clamav-users] Malware alert???

2018-10-13 Thread Matthes, Marc
Same here

Marc Matthes
Director of Computer Networking Programs
Iowa Central CC
5155741099


From: clamav-users  on behalf of 
Jean-Francois Tasse 
Sent: Saturday, October 13, 2018 10:10:56 AM
To: ClamAV users ML
Subject: [clamav-users] Malware alert???


Today during ClamWin update:

main.cvd version 58

daily.cvd version 25033

bytecode version 327


Windows Defender stopped the update process saying that 
"TrojanDownloader:JS/Nemucod" was present.  Scanned all of my system nothing 
found and tried updating ClamWin again and everything was ok.


anyone else got a weird message like that today?


JF


Re: [Clamav-users] Subject: False Positive about Phishing.Heuristics.Email.SSL-Spoof

2007-08-30 Thread Jean-Marc Pigeon
On Thu, 2007-08-30 at 15:42 +0200, Doug Andrews wrote:
 Hi Jean-Marc,
 I am seeing the same problem - did you manage to resolve this?
 I'd appreciate any advice you can give.
 Thanks,
The only way for us to resolve the problem was
to remove the  CL_DB_PHISHING_URLS
from the scanning standard option

We have our own tool directly calling the clamav lib such
I can't give you specific beside our own.

Never got reply from the clamav team and
didn't find anything in 91.2 changelog.

From my standpoint the issue is still open
(and it is a rather annoying one).



 
 Doug
 Selfcateringhols
  
 Author: Jean-Marc Pigeon
 Date:  2007-07-19 15:14 +200 (2007-07-19 13:14 UTC)
 To: ClamAV users ML
 Subject: [Clamav-users] False Positive about
 Phishing.Heuristics.Email.SSL-Spoof
 
 Bonjour 
 
 Got an official E-mail from network solution 
 which was detected as phishing.Heuristics.Email.SSL-Spoof. 
 
 I know I can set the configuration flag Off, but my concern 
 is more about the Phishing SSL-Spoof detection, either 
 clamav code is wrong or Network solution is Wrong 
 
 Unfortunately I can't provide the e-mail contents (mail 
 was rejected), here are the local logs.. 
 
 22:52:37 MENID: XX-20785dc642507 
 +00 Clip: [205.178.190.228]/mrelay2.networksolutions.com 
 +00 M-From: [EMAIL PROTECTED] 
 +00 MRCPT: 250 XXX 
 Address Accepted 
 +00 E-From: [EMAIL PROTECTED] 
 +00 Subject: Reset Password Request 
 +00 Message-Id: [EMAIL PROTECTED] 
 +00 VIRUS=Phishing.Heuristics.Email.SSL-Spoof 
 +01 Spam-lvl: 0.2 
 +01 MsgInf: size=5912,n_error=0 
 +01 RCPT: Rejected  
 
 
 Is there somebody else getting the same problem?, will 
 the spoofing detection code be fixed? (if it can?) 
 
 Thanks...
 -- 
 A bientôt
 ==
 Jean-Marc Pigeon   Internet: [EMAIL PROTECTED]
 SAFE Inc.  Phone: (514) 493-4280
Fax:   (514) 493-1946
 Clement, 'a kiss solution' to get rid of SPAM (at last)
Clement' Home base http://www.clement.safe.ca;
 ==
-- 
A bientôt
==
Jean-Marc Pigeon   Internet: [EMAIL PROTECTED]
SAFE Inc.  Phone: (514) 493-4280
   Fax:   (514) 493-1946
Clement, 'a kiss solution' to get rid of SPAM (at last)
   Clement' Home base http://www.clement.safe.ca;
==



[Clamav-users] False Positive about Phishing.Heuristics.Email.SSL-Spoof

2007-07-19 Thread Jean-Marc Pigeon
Bonjour

Got an official E-mail from network solution
which was detected as phishing.Heuristics.Email.SSL-Spoof.

I know I can set the configuration flag Off, but my concern
is more about the Phishing SSL-Spoof detection, either 
clamav code is wrong or Network solution is Wrong

Unfortunately I can't provide the e-mail contents (mail
was rejected), here are the local logs..

22:52:37  MENID: XX-20785dc642507
 +00  Clip: [205.178.190.228]/mrelay2.networksolutions.com
 +00  M-From: [EMAIL PROTECTED]
 +00  MRCPT: 250 XXX
  Address Accepted
 +00  E-From: [EMAIL PROTECTED]
 +00  Subject: Reset Password Request
 +00  Message-Id: [EMAIL PROTECTED]
 +00  VIRUS=Phishing.Heuristics.Email.SSL-Spoof
 +01  Spam-lvl: 0.2
 +01  MsgInf: size=5912,n_error=0
 +01  RCPT:   Rejected 


Is there somebody else getting the same problem?, will
the spoofing detection code be fixed? (if it can?)

Thanks...
-- 
A bientôt
==
Jean-Marc Pigeon   Internet: [EMAIL PROTECTED]
SAFE Inc.  Phone: (514) 493-4280
   Fax:   (514) 493-1946
Clement, 'a kiss solution' to get rid of SPAM (at last)
   Clement' Home base http://www.clement.safe.ca;
==



[Clamav-users] Clamd use up 99.9 % cpu

2007-05-17 Thread Marc
Hi list,

4 days ago my clamd started using 99.9% of my cpu, without me having made
any changes on the server.
I use clamd together with amavis to scan mails for viruses; clamd still
works, it catches all virus mails that come in through mail.
But it slows my server down a lot (average time for a mail to leave the
server is now up to 10 to 15 min).

I have looked in the log files but nothing seems to be wrong. I have set
clamd to log verbose (but cannot see any changes in the log, I still only
get a line when it finds a virus).
Is there a way to monitor clamd to see where it hangs or just what it
is doing?

Some background: when I restart clamd it starts out fine, only using
around 1 to 4% cpu (normal). But after running for about 30 min it starts
using 99.9% cpu and stays there until the next restart of clamd.

The system is amavis, clamd and postfix.


Hope this is the right forum for the question; if not then please let me know.

Best regards

Marc





Re: [Clamav-users] Handling the daily.cvd to daily.inc transition in a packaging context

2007-03-19 Thread Marc Haber
On Sat, Mar 10, 2007 at 11:38:47AM +0100, Jan-Pieter Cornet wrote:
 On Sat, Mar 10, 2007 at 11:26:10AM +0100, Marc Haber wrote:
  On Sat, Mar 10, 2007 at 11:11:39AM +0100, Jan-Pieter Cornet wrote:
   Just put this in your freshclam.conf:
   
   ScriptedUpdates no
   
   It will make sure only .cvd files are downloaded.
  
  This is the quick fix I have taken, but is this the right way in the
  long term? Scripted updates were implemented for a reason, and I don't
  think that it is the right way to turn them off again to fix the
  issues that came up with them.
 
 Ah, I assumed for a moment you would only build the .cvd package
 centrally for the entire debian distribution, so it wouldn't make
 much of a difference. I see now what you mean...

We are using the same script to build a central .cvd, and I have
understood in the mean time that if we want our packages to be
compatible with the outdated engines in Debian stable, we _need_ to
disable Scripted Updates. And so be it ;)

Thanks for helping me realize this.

> I guess packing up the entire contents of the database directory would
> work just as well. Verification can be done by pointing clamscan to the
> downloaded directory and trying to scan a test-file. (That's not
> signature verification, but you'd assume that freshclam already did
> that).

The test file signatures, though, are in the main.cvd, and thus a
botched daily.cvd won't be noticed here. Signature Verification is
much better.

Greetings
Marc

-- 
-
Marc Haber | I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things.Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
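
A botched daily.cvd can be caught before packaging by checking the container itself rather than scanning a test file. The sketch below is an added example, not code from clamav-getfiles or ClamAV: it parses the 512-byte colon-separated CVD header and compares its MD5 field with the MD5 of the payload that follows, which catches truncation or corruption but does not replace the digital-signature check that sigtool performs. The sample container, its field values and all function names are constructed.

```python
import hashlib
import io
import tarfile

CVD_HEADER_LEN = 512
CVD_FIELDS = ("magic", "build_time", "version", "signatures",
              "functionality_level", "md5", "dsig", "builder", "stime")


class CvdError(ValueError):
    """The blob does not look like a CVD container."""


def parse_cvd_header(blob: bytes) -> dict:
    """Split the space-padded, colon-separated 512-byte CVD header."""
    if len(blob) < CVD_HEADER_LEN:
        raise CvdError("shorter than the 512-byte header")
    try:
        text = blob[:CVD_HEADER_LEN].decode("ascii")
    except UnicodeDecodeError as exc:
        raise CvdError("header is not ASCII") from exc
    parts = text.rstrip(" \x00").split(":")
    if parts[0] != "ClamAV-VDB" or len(parts) < 8:
        raise CvdError("missing ClamAV-VDB magic or too few fields")
    header = dict(zip(CVD_FIELDS, parts))
    try:
        header["version"] = int(header["version"])
        header["signatures"] = int(header["signatures"])
    except ValueError as exc:
        raise CvdError("non-numeric version or signature count") from exc
    return header


def check_cvd(blob: bytes) -> dict:
    """Return header facts plus whether the payload matches the header MD5."""
    header = parse_cvd_header(blob)
    payload = blob[CVD_HEADER_LEN:]
    md5_ok = hashlib.md5(payload).hexdigest() == header["md5"].lower()
    members = []
    if md5_ok:
        # Only open a payload whose checksum matched; list names, extract nothing.
        with tarfile.open(fileobj=io.BytesIO(payload), mode="r:gz") as tar:
            members = tar.getnames()
    return {"version": header["version"], "md5_ok": md5_ok, "members": members}


def build_sample_cvd(version: int, db_bytes: bytes) -> bytes:
    """Build a CONSTRUCTED container for the demo (dsig field is a placeholder)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("daily.db")
        info.size = len(db_bytes)
        tar.addfile(info, io.BytesIO(db_bytes))
    payload = buf.getvalue()
    header = ":".join([
        "ClamAV-VDB", "10 Mar 2007 10-00 +0100", str(version), "1", "14",
        hashlib.md5(payload).hexdigest(), "PLACEHOLDER-DSIG", "example",
        "1173517200",
    ])
    return header.encode("ascii").ljust(CVD_HEADER_LEN, b" ") + payload


if __name__ == "__main__":
    good = build_sample_cvd(1035, b"constructed placeholder, not a signature\n")
    botched = good[:-16]  # simulate a truncated download
    for name, blob in (("good", good), ("botched", botched)):
        print(name, check_cvd(blob))
```

A packaging job would refuse to build the .deb when `md5_ok` is false, and still run the signature verification afterwards, since an MD5 match alone says nothing about who produced the file.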


[Clamav-users] Handling the daily.cvd to daily.inc transition in a packaging context

2007-03-10 Thread Marc Haber
Hi,

in Debian, we have a package called clamav-getfiles which uses
freshclam to download new virus patterns and in turn packages up
main.cvd and daily.cvd into a .deb package which can then be installed
on systems that cannot run their own freshclam, for example for policy
reasons. We also use clamav-getfiles to have current .deb packages of
the clamav virus database in our unstable and volatile archive.

This process of course broke horribly when freshclam suddenly began to
produce daily.inc instead of daily.cvd. I am now wondering how to
handle this in the future.

Is there any possibility to pack up a daily.inc into a local
daily.cvd file which can be verified with sigtool?

Or are we better off with just distributing main.cvd in conjunction
with the entire daily.inc directory?

What do we do if both daily.cvd and daily.inc are present after the
freshclam run? Should any one take precedence, or is this an error
which requires manual intervention?

Any hints will be appreciated.

Greetings
Marc



[Clamav-users] How to verify daily.inc?

2007-03-10 Thread Marc Haber
Hi,

sigtool --stdout --info= does neither like to be pointed to the
daily.inc directory nor does it correctly verify any single file
inside daily.inc.

Is there any possibility to verify the contents of the downloaded
daily.inc directory before actually activating it?

Greetings
Marc



Re: [Clamav-users] Handling the daily.cvd to daily.inc transition in a packaging context

2007-03-10 Thread Marc Haber
On Sat, Mar 10, 2007 at 11:11:39AM +0100, Jan-Pieter Cornet wrote:
> Just put this in your freshclam.conf:
>
> ScriptedUpdates no
>
> It will make sure only .cvd files are downloaded.

This is the quick fix I have taken, but is this the right way in the
long term? Scripted updates were implemented for a reason, and I don't
think that it is the right way to turn them off again to fix the
issues that came up with them.

> You will probably also want to exclude the mirrors.dat file from
> the distribution that freshclam 0.90 now puts in the virus
> database directory.

That one is already excluded.

Greetings
Marc



Re: [Clamav-users] Strange behaviour on x86_64 (was 'Memory leak on x86_64!?')

2007-01-27 Thread Jean-Marc Pigeon
Bonjour a Tous,

I would like to know if more data has been collected on that
subject.
My application uses libclamav; on BOTH production systems
under X86_64 a memory exhaustion is reported, while I32
has no trouble (E-mail usage volume being roughly the same).
Trouble is noticed on X86_64, CentOS release 4.4 (Final)
and Fedora Core release 6 (Zod).

According to ps axl, the X86_64 version is requesting
more than 2 times the VSZ memory of I32 (at
starting time)... (meaningful)???

The memory leak is showing up via the free command,
where the used memory is steadily increasing over USAGE time.
Strangely enough, ps axl is not reporting a memory
usage increase (VSZ and RSS stay roughly the
same over time for the application), but an application
restart immediately frees the system memory. Besides 'free'
and 'ps', what is suggested to prove/show that the memory leak
really pertains to the application?

Could the memory leak be within the decompress library
used by libclamav and be specific to X86_64?

My observations are very close to what is reported on
this thread. So let me know about your side of the story.


> > Please run clamscan in debug mode over these files (--debug).
>
> I have appended the output for file2 and file3 to this email.
> In both cases, the increased memory consumption starts when the following
> lines are printed:
>
> LibClamAV debug: Calculated MD5 checksum: a07774f93dc2c5da62ddf502692a208e
> LibClamAV debug: in cli_scanhtml()
> LibClamAV debug: mmap'ed file
> LibClamAV debug: Type: 519, expected: 502 (Trojan.IRC.Philix)
>
> From then on, only the line
> LibClamAV debug: Type: 519, expected: 502 (Trojan.IRC.Philix)
> (despite some 'LibClamAV debug: Calculated MD5 checksum: ...')
> is printed until the scan completes.
>
> Stephan
-- 
A bientôt
==
Jean-Marc Pigeon Internet:
[EMAIL PROTECTED]
SAFE Inc.   Phone: (514) 493-4280  Fax: (514)
493-1946
Clement, 'a kiss solution' to get rid of SPAM (at last)
   Clement' Home base http://www.clement.safe.ca;
==



[Clamav-users] Clamav 0.88.4 MD5 and OpenSSL (Crash!)

2006-08-10 Thread Jean-Marc Pigeon
Bonjour a Tous,

(problem with linux Implementation)

Starting with clamav-0.83 the md5.c module was changed, and
names such as MD5_Init, MD5_Update, MD5_Final collide with
the exact same modules/procedures defined within OpenSSL
(libcrypto).

Problem: an application using both the clamav and openssl
libraries could end up with openssl using clamav/md5 or
the reverse. The end result is a pretty nasty crash, and it
depends on the dynamic library order within
the system library cache... (Pretty unpredictable!)

My advice is either to use openssl/md5 or (maybe easier
in your case) to change the MD5_xxx names to something else
(a simple define within your md5.h could do the trick).
-- 
A bientôt
==
Jean-Marc Pigeon Internet: [EMAIL PROTECTED]
SAFE Inc.   Phone: (514) 493-4280  Fax: (514) 493-1946
Clement, 'a kiss solution' to get rid of SPAM (at last)
   Clement' Home base http://www.clement.safe.ca;
==



Re: [Clamav-users] ClamAv

2005-11-29 Thread Marc Haber
On Tue, Nov 29, 2005 at 10:36:13AM +, Markus Braun wrote:
> yes thank you. I found in the clamav log this:
>
> Mon Nov 28 23:26:24 2005 -
> /var/spool/exim4/scan/1EgrS4-0006HV-FL/1EgrS4-0006HV-FL.eml:
> Eicar-Test-Signature FOUND
> Mon Nov 28 23:26:36 2005 -
> /var/spool/exim4/scan/1EgrSG-0006Ha-Bn/1EgrSG-0006Ha-Bn.eml:
> Eicar-Test-Signature FOUND
> Mon Nov 28 23:27:07 2005 -
> /var/spool/exim4/scan/1EgrSl-0006Hv-6G/1EgrSl-0006Hv-6G.eml:
> Eicar-Test-Signature FOUND
> Mon Nov 28 23:27:23 2005 -
> /var/spool/exim4/scan/1EgrT1-0006I0-OR/1EgrT1-0006I0-OR.eml:
> Eicar-Test-Signature FOUND
> Mon Nov 28 23:27:43 2005 -
> /var/spool/exim4/scan/1EgrTL-0006IE-IW/1EgrTL-0006IE-IW.eml:
> Eicar-Test-Signature FOUND
>
> So he found the eicar test signature. But why is it in my inbox?
> What does clamav do with virus files?

Clamav does only detect them. What you do with them depends on the
configuration of the MTA. You are off-topic here.

Since the ACL statement you posted recently seems to be OK, it looks
like you have added it to your configuration at the wrong place. Where
did you add it?

Greetings
Marc



Re: [Clamav-users] Re: RELOAD/VERSION issues

2005-08-19 Thread Marc Haber
On Fri, Aug 19, 2005 at 12:09:36AM -0700, Dennis Peterson wrote:
> Marc Haber said:
> > On Thu, Aug 18, 2005 at 11:30:38AM -0500, René Berber wrote:
> > Marc Haber wrote:
> > > the clamd docs say quite clearly that it is necessary to either send
> > > the RELOAD command to the daemon or to send SIGUSR2 to the daemon to
> > > have it reload the database.
> >
> > > However, the VERSION command and clamdscan -V report the new database
> > > version immediately after putting the new databases in place.
>
> > By putting you mean using freshclam?
>
> > No. I mean dropping new databases in place manually especially to test
> > the behavior in this situation.
>
> You do know clamd does a self-check every n seconds where n is declared in
> the clamd.conf file? Even if you do nothing it will become aware of new
> pattern files, on average, in n/2 seconds.

I know. And if that fails for some unknown reason, it will happily
continue using the old database while VERSION reports the new one.

Greetings
Marc



Re: [Clamav-users] Re: RELOAD/VERSION issues

2005-08-19 Thread Marc Haber
On Fri, Aug 19, 2005 at 07:10:39AM -0700, Dennis Peterson wrote:
> And you're certain the database has not been reloaded while you're
> examining this?

Which puts us back to the beginning. How do I find out _for_ _sure_
which database version clamav-daemon actually works at a given moment?

Greetings
Marc



Re: [Clamav-users] Re: RELOAD/VERSION issues

2005-08-19 Thread Marc Haber
On Fri, Aug 19, 2005 at 11:44:24AM -0300, Julio Maidanik wrote:
> Marc Haber wrote:
> > On Fri, Aug 19, 2005 at 07:10:39AM -0700, Dennis Peterson wrote:
> > And you're certain the database has not been reloaded while you're
> > examining this?
>
> > Which puts us back to the beginning. How do I find out _for_ _sure_
> > which database version clamav-daemon actually works at a given moment?
>
> Why not save a copy of the old database on a different directory, and set in
> clamd.conf the option DatabaseDirectory to point to the desired version ?

That still does not give me the guarantee which database the clamav
daemon has loaded at a certain time.

Greetings
Marc



Re: [Clamav-users] Re: RELOAD/VERSION issues

2005-08-19 Thread Marc Haber
On Fri, Aug 19, 2005 at 03:54:11PM +0100, Brian Morrison wrote:
> My freshclam/clamd setup logs to syslog and indicates when freshclam
> retrieves an updated database and when clamd reloads the database
> following the notification from freshclam.

Does your clamav daemon say from which file the database is being
loaded? Mine only states the directory, and it doesn't log which
version the database is. It would be nice if one could say from the
log database 1034 was loaded from 2005-08-18 18:53, until 2005-08-20
07:35 when it was replaced with 1035.

And it would be nice to obtain the currently loaded database from the
daemon without having to parse the log files.

Greetings
Marc



Re: [Clamav-users] Re: RELOAD/VERSION issues

2005-08-19 Thread Marc Haber
On Fri, Aug 19, 2005 at 08:26:05AM -0700, Todd Lyons wrote:
> What he needs to do is write a perl script that connects to the local
> clamd socket and prints VERSION and then look at the resulting reply.

NACK, clamd accesses the database file as well when VERSION is
received on the socket, and reports back immediately the new database
number even if it has not been loaded according to the log.

Greetings
Marc



Re: [Clamav-users] Re: RELOAD/VERSION issues

2005-08-19 Thread Marc Haber
On Fri, Aug 19, 2005 at 04:31:55PM +0100, Brian Morrison wrote:
> Does clamdscan do the same thing then?
>
> I've just tried that and it reports a version, presumably supplied by
> clamd.

clamdscan -V doesn't communicate with the daemon at all, it opens the
configuration file, presumably finds out where the databases are
located and then accesses the daily.cvd before printing the version
number.

Greetings
Marc



Re: [Clamav-users] Re: RELOAD/VERSION issues

2005-08-19 Thread Marc Haber
On Fri, Aug 19, 2005 at 04:37:43PM +0100, Brian Morrison wrote:
> On Fri, 19 Aug 2005 17:31:17 +0200 in
> [EMAIL PROTECTED] Marc Haber
> [EMAIL PROTECTED] wrote:
>
> > On Fri, Aug 19, 2005 at 08:26:05AM -0700, Todd Lyons wrote:
> > > What he needs to do is write a perl script that connects to the
> > > local clamd socket and prints VERSION and then look at the
> > > resulting reply.
> >
> > NACK, clamd accesses the database file as well when VERSION is
> > received on the socket, and reports back immediately the new database
> > number even if it has not been loaded according to the log.
>
> Except that then it will have been loaded and this information will
> have been entered in the log.

Looks like you have more faith in things than I have. All software
sucks, why should clamav be the exception?

> Clamd only reloads the database when it
> has some work to do, clamdscan -V being some work obviously.

NACK, clamdscan -V doesn't talk to the daemon _at_ _all_, so this
doesn't qualify as some work.

> You might ask the developers to change the database reloaded message to
> include the version number, as long as that doesn't break anything I
> don't see why this should not be done.

The developers don't at least read here? Well, at least Debian has a
bug (#323803) about it.

Greetings
Marc



[Clamav-users] RELOAD/VERSION issues

2005-08-18 Thread Marc Haber
Hi,

the clamd docs say quite clearly that it is necessary to either send
the RELOAD command to the daemon or to send SIGUSR2 to the daemon to
have it reload the database.

However, the VERSION command and clamdscan -V report the new database
version immediately after putting the new databases in place.

This looks to me like either
(1) VERSION is lying and not reporting the database version that the
daemon actually uses or
(2) RELOAD is unnecessary (at least in current daemon versions)

If (1) is correct, how do I find out which database version the daemon
is using for scanning?

If (2) is correct, could please the docs be updated to clearly state
that RELOAD is currently unneeded but might be needed in a future
daemon version and that it is recommended that database RELOAD is
issued to the daemon after touching the databases?

Thanks for the clarification.

Greetings
Marc



Re: [Clamav-users] Re: RELOAD/VERSION issues

2005-08-18 Thread Marc Haber
On Thu, Aug 18, 2005 at 11:30:38AM -0500, René Berber wrote:
> Marc Haber wrote:
> > the clamd docs say quite clearly that it is necessary to either send
> > the RELOAD command to the daemon or to send SIGUSR2 to the daemon to
> > have it reload the database.
> >
> > However, the VERSION command and clamdscan -V report the new database
> > version immediately after putting the new databases in place.
>
> By putting you mean using freshclam?

No. I mean dropping new databases in place manually especially to test
the behavior in this situation.

Greetings
Marc



[Clamav-users] Problem to compile clamav+milter under Linux/Debian

2004-09-22 Thread Marc ROMERO
Dear clamav-users

I've a Linux Debian (2.4.20) which is running clamav-0.75.1. I'm trying to compile
clamav-0.80rc2 and I didn't manage to compile a new version because I'm
getting the following error message (The error message is given at the
end of the message). Can you help me?

Thanks

Marc

marc export CFLAGS=-L/opt/sendmail/include
marc export LDFLAGS=-L/opt/sendmail/lib
marc export SENDMAIL=/opt/sendmail/sbin/sendmail

marc ./configure --prefix=/opt/clamav-0.80rc2 --enable-milter --with-user=smmsp 
--with-group=smmsp

marc make

.../...

gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I./zziplib -I./mspack -L/opt/sendmail/include 
-c message.c -Wp,-MD,.deps/message.TPlo  -fPIC -DPIC -o .libs/message.lo
message.c: In function `messageExport':
message.c:1431: warning: assignment discards qualifiers from pointer target type
message.c: In function `messageToFileblob':
message.c:1554: warning: passing arg 3 of `messageExport' from incompatible pointer 
type
message.c:1554: warning: passing arg 4 of `messageExport' from incompatible pointer 
type
message.c:1554: warning: passing arg 5 of `messageExport' from incompatible pointer 
type
message.c:1554: warning: passing arg 6 of `messageExport' from incompatible pointer 
type
message.c:1554: warning: passing arg 7 of `messageExport' from incompatible pointer 
type
message.c: In function `messageToBlob':
message.c:1564: warning: passing arg 3 of `messageExport' from incompatible pointer 
type
message.c:1564: warning: passing arg 4 of `messageExport' from incompatible pointer 
type
message.c:1564: warning: passing arg 5 of `messageExport' from incompatible pointer 
type
message.c:1564: warning: passing arg 6 of `messageExport' from incompatible pointer 
type
message.c:1564: warning: passing arg 7 of `messageExport' from incompatible pointer 
type

.../...

gcc -DHAVE_CONFIG_H -I. -I. -I.. -I../clamd -I../libclamav -I../shared 
-DSENDMAIL_BIN=\/opt/sendmail/sbin/sendmail\ -L/opt/sendmail/include -c 
clamav-milter.c
clamav-milter.c: In function `main':
clamav-milter.c:834: `LC_ALL' undeclared (first use in this function)
clamav-milter.c:834: (Each undeclared identifier is reported only once
clamav-milter.c:834: for each function it appears in.)
make[2]: *** [clamav-milter.o] Error 1
make[2]: Leaving directory `/staff/clamav-0.80rc2/clamav-milter'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/staff/clamav-0.80rc2'
make: *** [all] Error 2

marc 

--
Marc.Romero Marc Romero, Institut de Biologie Physico-Chimique
@ibpc.fr13 rue Pierre et Marie Curie
http://www.curie.fr 75005 Paris, France
PUSHJ P, POPJ P recursively +33 [0]1 58 41 5034 / 5021 (fax)
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


[Clamav-users] upgrade to 0.75.1: Not suported signature type detected

2004-08-17 Thread Marc
Hi,
I get following output when starting clamd (0.75.1)
Starting virus daemon: clamdLibClamAV debug: Loading databases from 
/usr/local/share/clamav
LibClamAV debug: Loading /usr/local/share/clamav/main.cvd
LibClamAV debug: /usr/local/share/clamav/main.cvd: CVD file detected
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 88a34570dc174c184b6a7c8350e24d4e
LibClamAV debug: Decoded signature: 88a34570dc174c184b6a7c8350e24d4e
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /tmp/clamav-dd866dec80b7bbf2/COPYING
LibClamAV debug: Unpacking /tmp/clamav-dd866dec80b7bbf2/viruses.db
LibClamAV debug: Loading databases from /tmp/clamav-dd866dec80b7bbf2
LibClamAV debug: Loading /tmp/clamav-dd866dec80b7bbf2/viruses.db
LibClamAV debug: Initializing trie.
LibClamAV debug: Loading /usr/local/share/clamav/daily.cvd
LibClamAV debug: /usr/local/share/clamav/daily.cvd: CVD file detected
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = da7b93b670584772f5ffd002ac219ece
LibClamAV debug: Decoded signature: da7b93b670584772f5ffd002ac219ece
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /tmp/clamav-272bb8f2e537df50/COPYING
LibClamAV debug: Unpacking /tmp/clamav-272bb8f2e537df50/viruses.db2
LibClamAV debug: Loading databases from /tmp/clamav-272bb8f2e537df50
LibClamAV debug: Loading /tmp/clamav-272bb8f2e537df50/viruses.db2
LibClamAV debug: Not suported signature type detected at line 15. Skipping.
LibClamAV debug: Not suported signature type detected at line 1039. 
Skipping.
.
.

Should I take some action for the 'Not suported signature' message?
What does it mean to the clamav system?
-- Marc


Re: [Clamav-users] Re: Problem detecting Worm.Mydoom.I with strange Mime_base64

2004-07-23 Thread Marc Berenschot
On Thu, 22 Jul 2004, Nigel Horne wrote:

> On Thursday 22 Jul 2004 17:45, Jesse Guardiani wrote:
>
> > In my opinion a bug that major should warrant a new release, if only 0.74a
> > or 0.74.1. Asking people to update to CVS to fix a serious bug doesn't make
> > sense.
>
> Tomasz and I are already in discussions about this...

I have just installed 0.75. It detects the virus.

Thank you very much for the prompt reply!

Marc.
-- 

Marc Berenschot Email: [EMAIL PROTECTED]
UNIX Systeembeheerder   Phone: 053 4894615





[Clamav-users] Problem detecting Worm.Mydoom.I with strange Mime_base64

2004-07-22 Thread Marc Berenschot
Hello all,

I am currently receiving e-mails with incorrect Mime_base64 encoding.
Spamassassin adds the MIME_BASE64_ILLEGAL tag and if I cat the mailbox
part of the mime looks like this (only showing the last part of the
mail):

--Boundary-00=_LI6/AsRuKRMJPIk--



This is not what I normally see, all lines in other e-mails have the same
length, these are different lengths.

I am using pine, a colleague of mine is using kmail and we are able to save
the attachment. The attachment is the Worm.Mydoom.I virus. If I do a
clamscan on the saved attachment it finds the virus. If I do a clamscan
--mbox on the mbox file it does not find it. I assume this is because of
the broken Mime-encoding. Is there something I have overlooked that can
stop this kind of virus e-mail? I could not find anything on the list or
in the manpages. I have not tested what outlook does with this illegal
Mime-encoding, but it wouldn't surprise me if it is also able to decode
the attachment.

I am using the stable 0.74 release (just updated my configuration to make
sure it was recent), combined with clamav-milter 0.74a. It is running on a
Solaris 8 server. Database is recent and it is detecting other viruses.
There are no errors in the log file.

Thanks for any help or pointers,

Marc Berenschot.

-- 

Marc Berenschot Email: [EMAIL PROTECTED]
UNIX Systeembeheerder   Phone: 053 4894615
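
The situation in this message, where mail clients decode an attachment that the scanner's mbox parser does not, is a parser differential. As an added example (not ClamAV's code, and not a claim about what release 0.74 actually did), the sketch below compares a strict per-line base64 decoder with the stream decoder that lenient mail clients effectively use, and flags parts where the two disagree; the sample bodies, the payload marker and all function names are constructed.

```python
import base64
import binascii
import re

_NON_ALPHABET = re.compile(rb"[^A-Za-z0-9+/]")
PAYLOAD = b"CONSTRUCTED-ATTACHMENT " * 8   # stands in for the attachment bytes


def decode_per_line(body: bytes) -> bytes:
    """Strict model: every line must decode on its own (length multiple of 4)."""
    out = bytearray()
    for line in body.splitlines():
        line = line.strip()
        if line:
            out += base64.b64decode(line, validate=True)
    return bytes(out)


def decode_as_stream(body: bytes) -> bytes:
    """Lenient model: ignore line breaks and stray bytes, decode one stream.

    Padding is dropped and re-added at the end, so this handles a single
    encoded object, not several padded chunks concatenated together.
    """
    chars = _NON_ALPHABET.sub(b"", body)
    if len(chars) % 4 == 1:          # a lone trailing character carries no byte
        chars = chars[:-1]
    chars += b"=" * (-len(chars) % 4)
    return base64.b64decode(chars)


def irregular_wrapping(body: bytes) -> bool:
    """True when lines before the last differ in length or are not 4-aligned."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    full = lines[:-1]
    return any(len(ln) != len(full[0]) or len(ln) % 4 for ln in full)


def inspect_part(body: bytes) -> dict:
    """Decode both ways and report whether the scanner and the client agree."""
    try:
        strict = decode_per_line(body)
    except binascii.Error:
        strict = None                # the strict parser gives up on this part
    lenient = decode_as_stream(body)
    return {"irregular": irregular_wrapping(body), "strict": strict,
            "lenient": lenient, "differential": strict != lenient}


def rewrap(encoded: bytes, widths) -> bytes:
    """Re-wrap base64 text using the given cycle of line widths."""
    lines, pos, i = [], 0, 0
    while pos < len(encoded):
        width = widths[i % len(widths)]
        lines.append(encoded[pos:pos + width])
        pos += width
        i += 1
    return b"\n".join(lines)


def sample_bodies():
    """Return (regularly wrapped, irregularly wrapped) constructed bodies."""
    encoded = base64.b64encode(PAYLOAD)
    return rewrap(encoded, [76]), rewrap(encoded, [45, 17, 14, 62])


if __name__ == "__main__":
    for name, body in zip(("regular", "irregular"), sample_bodies()):
        report = inspect_part(body)
        print(name, "irregular:", report["irregular"],
              "strict decoded:", report["strict"] is not None,
              "differential:", report["differential"])
```

A filter built this way hands the stream-decoded bytes to the scan engine and logs any part where `differential` is true, so the scanner sees what the recipient's mail client will see.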





[Clamav-users] clamwin issue - last one

2004-07-14 Thread Marc Hultquist
Just quickly. I have been looking on the clamwin mailing list and through
their archives, but as of yet I have not found anything in regards to what I
am trying to do. I am trying to get clamwin to use a different server for
its updates of the main.cvd and daily.cvd files, however I can't find
anything or any setting that I can use? I looked through the .dll files,
the .exe files and just about anywhere else that I could, but alas I found
nothing :p Wondering if anyone knows how I can do this? I have RTFM and I
have looked through the mailing list, but as I said, I was unable to find
anything about changing which database clamwin uses :\

Kind Regards
-- 
 Marc Hultquist ([EMAIL PROTECTED])
 Computerkit Systems (Pty) Ltd
 http://www.cks.co.za
 (P) +27 11 695 5317
 (F) +27 11 312 1408
 (C) +27 82 563 2861 
 Quote: Its a bad idea for geeks to be on low-carb diets. Low-carb means no 
sugar, no sugar means cravings, cravings mean a loss of concentration, losing 
concentration makes geeks irritable and geeks run the computers that run the 
world's banks and militaries !!! . . . . . . .  . YE GODS !!! Give me a 
frosted chocolate cake before we plunge into anarchy !!! - (c) J.D. Illad 
Frazer(Userfriendly.org)


Re: [Clamav-users] clamwin issue - last one

2004-07-14 Thread Marc Hultquist
On Wednesday, 14 July 2004 11:00, Fajar A. Nugraha wrote:
> Marc Hultquist wrote:
> I was unable to find
> anything about changing which database clamwin uses :\
> Last I heard, it is HARDCODED to database.clamav.net :)
> Regards,
> Fajar
Ya, but with the latest version of clamwin, you can change the database ip.




[Clamav-users] new to clamav

2004-07-13 Thread Marc Hultquist
Morning afternoon and evening

I am busy experimenting with clamav as we are looking for an alternative to 
our current av solution, now while I managed without a single issue to 
install clam onto a debian based system (apt-get is my friend) :p now I 
_have_ to get it working on a Redhat 7.3 based system.

I have tried installing from the normal binary rpm, but it won't work, so I am 
taking the route of installing from a src.rpm file. Here's where the problem 
lies, when running rpm --rebuild clamav-0.72-1.src.rpm I get the screen 
output, all goes well, up until a specific point, here's the error I get, now 
in the past the _only_ way I have been able to get around this problem was by 
doing a complete install. In my current situation this is not possible as the 
systems are a kickstart system we install at our clients, hence the need for 
limitation. 
Here's my error

checking for C compiler default output... conftest.c
checking whether the C compiler works... configure: error: cannot run C 
compiled programs.
If you meant to cross compile, use `--host'.
error: Bad exit status from /var/tmp/rpm-tmp.86120 (%build)
RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.86120 (%build)
[EMAIL PROTECTED] clam]#

Any ideas ? :\
-- 
 Marc Hultquist ([EMAIL PROTECTED])
 Computerkit Systems (Pty) Ltd
 http://www.cks.co.za
 (P) +27 11 695 5317
 (F) +27 11 312 1408
 (C) +27 82 563 2861 


[Clamav-users] clam-db-0.72 ?

2004-07-13 Thread Marc Hultquist
Does anyone know where I can download the 0.72 clamav-dv file ? I looked on 
rpmfind.net, freshmeat.net, clamav.net and as of yet I have not been able to 
find _anything_ :\ 

Any help would be greatly appreciated !

Kind Regards
-- 
 Marc Hultquist ([EMAIL PROTECTED])
 Computerkit Systems (Pty) Ltd
 http://www.cks.co.za
 (P) +27 11 695 5317
 (F) +27 11 312 1408
 (C) +27 82 563 2861 


[Clamav-users] Malformed CVD ?

2004-07-13 Thread Marc Hultquist
[EMAIL PROTECTED] etc]# freshclam
ClamAV update process started at Tue Jul 13 15:05:11 2004
Connecting via 196.23.149.50
Reading CVD header (main.cvd): ERROR: Malformed CVD header detected.
ERROR: Can't read main.cvd header from clamav.sonic.net (196.23.149.50)
[EMAIL PROTECTED] etc]#
Can someone help me here? No matter what mirror I set it to use in the 
freshclam.conf file I get the above error, this is with the correct proxy 
settings, STRANGE thing is that with a windows machine on the same desk, same 
everything, proxy settings etc, it can download the main.cvd and daily.cvd 
files just fine ? Please can someone help me here as I am at the end of my 
string ! :\

Kind Regards
-- 
 Marc Hultquist ([EMAIL PROTECTED])
 Computerkit Systems (Pty) Ltd
 http://www.cks.co.za
 (P) +27 11 695 5317
 (F) +27 11 312 1408
 (C) +27 82 563 2861 
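
Added example (not part of the original post and not ClamAV's own code): the error above is raised while reading the 512-byte, colon-separated header at the start of main.cvd. This Python check runs the same kind of validation on the first 512 bytes of a saved download and names the check that failed; the function names, the strict 32-hex-digit MD5 test and every sample input are constructed for illustration.

```python
"""Validate the 512-byte header at the start of a ClamAV .cvd file."""
import re
from dataclasses import dataclass
from typing import Optional

CVD_HEADER_SIZE = 512   # fixed-size ASCII header, padded with spaces
CVD_MAGIC = b"ClamAV-VDB:"


class MalformedCVDHeader(ValueError):
    """The message names the check that failed."""


@dataclass
class CVDHeader:
    build_time: str
    version: int
    sigs: int
    f_level: int
    md5: str
    dsig: str
    builder: str
    stime: Optional[int]   # creation time in seconds; missing in old files


def to_uint(name: str, value: str) -> int:
    if not value.isdigit():
        raise MalformedCVDHeader(f"{name} is not an unsigned integer: {value!r}")
    return int(value)


def parse_cvd_header(raw: bytes) -> CVDHeader:
    """Parse the first 512 bytes of a .cvd file or raise MalformedCVDHeader."""
    if len(raw) < CVD_HEADER_SIZE:
        raise MalformedCVDHeader(f"short read: {len(raw)} of {CVD_HEADER_SIZE} bytes")
    head = raw[:CVD_HEADER_SIZE]
    if not head.startswith(CVD_MAGIC):
        # A body that is markup or an HTTP status line is not a database at all.
        if head.lstrip().lower().startswith((b"<", b"http/")):
            raise MalformedCVDHeader("body is HTML/HTTP text, not a CVD file")
        raise MalformedCVDHeader(f"bad magic: {head[:11]!r}")
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError as exc:
        raise MalformedCVDHeader(f"non-ASCII byte at offset {exc.start}") from None
    # The build time uses '-' between hours and minutes, so ':' only separates fields.
    fields = text.rstrip().split(":")
    if len(fields) not in (8, 9):
        raise MalformedCVDHeader(f"expected 8 or 9 fields, found {len(fields)}")
    build_time, version, sigs, f_level, md5, dsig, builder = fields[1:8]
    if not re.fullmatch(r"[0-9a-fA-F]{32}", md5):   # assumption: strict MD5 shape
        raise MalformedCVDHeader(f"md5 field is not 32 hex digits: {md5!r}")
    if not dsig or not builder:
        raise MalformedCVDHeader("empty signature or builder field")
    return CVDHeader(
        build_time=build_time,
        version=to_uint("version", version),
        sigs=to_uint("sigs", sigs),
        f_level=to_uint("f-level", f_level),
        md5=md5.lower(),
        dsig=dsig,
        builder=builder,
        stime=to_uint("stime", fields[8]) if len(fields) == 9 else None,
    )


def check_header(raw: bytes) -> str:
    """One-line verdict in the style of freshclam's 'up to date' log line."""
    try:
        h = parse_cvd_header(raw)
    except MalformedCVDHeader as exc:
        return f"MALFORMED: {exc}"
    return (f"OK (version: {h.version}, sigs: {h.sigs}, "
            f"f-level: {h.f_level}, builder: {h.builder})")


def pad(text: str) -> bytes:
    return text.encode("ascii").ljust(CVD_HEADER_SIZE, b" ")


# Constructed samples: date, MD5 and signature are placeholders, not real values.
SAMPLE_GOOD = pad("ClamAV-VDB:13 Jul 2004 15-05 +0200:22:20229:1:"
                  + "0" * 32 + ":CONSTRUCTED-DSIG:tkojm")
SAMPLE_HTML = pad("<html><head><title>ERROR</title></head>"
                  "<body>constructed intermediary page</body></html>")
SAMPLE_SHORT = SAMPLE_GOOD[:100]
SAMPLE_BADNUM = pad("ClamAV-VDB:13 Jul 2004 15-05 +0200:22:lots:1:"
                    + "0" * 32 + ":CONSTRUCTED-DSIG:tkojm")

if __name__ == "__main__":
    for name in ("SAMPLE_GOOD", "SAMPLE_HTML", "SAMPLE_SHORT", "SAMPLE_BADNUM"):
        print(f"{name}: {check_header(globals()[name])}")
```

To check a real download, pass the first 512 bytes of the saved file to check_header().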


Re: [Clamav-users] freshclam --quiet isn't

2004-05-03 Thread Marc


Damian Menscher wrote:

> Every 2 hours I get the following in my logs:
>
> May  2 13:31:34 hostname freshclam[3193]: Received signal 14, wake up
> May  2 13:31:34 hostname freshclam[3193]: ClamAV update process started at Sun May  2 13:31:34 2004
> May  2 13:31:35 hostname freshclam[3193]: main.cvd is up to date (version: 22, sigs: 20229, f-level: 1, builder: tkojm)
> May  2 13:31:35 hostname freshclam[3193]: daily.cvd is up to date (version: 298, sigs: 1141, f-level: 2, builder: diego)
> May  2 13:31:35 hostname freshclam[3193]: --
>
> This is with the --quiet option.  Checking the source it looks like
> freshclam completely ignores the --quiet option.  It would be nice if
> it only added one line per run, rather than five.

I'm using freshclam 0.70 and with the --quiet options there is no output.

Marc



Re: [Clamav-users] clamav attachment not deleted from /tmp

2004-04-30 Thread jean-marc pouchoulon

> Are you running in debug mode? When doing so, all tmp files are left for
> debugging purposes.
> Jim

That was the problem
thanks to all.
Jean-Marc



[Clamav-users] scanning streams

2004-04-28 Thread Marc
We are using clamd and clamscan for our mail and are very pleased with 
it.  Keep up the good work.

I was wondering if it is possible to scan streams too (http-traffic, ...)?

Marc



Re: [Clamav-users] Virus Alias Database

2004-04-26 Thread Marc


Kevin Spicer wrote:

> I've put up a proof-of-concept (read 'ugly') virus alias database at
> http://www.kevinspicer.co.uk  It's currently rather limited in that it
> only fully indexes Clam, Fsecure and Symantec (although some aliases for
> other vendors are picked up).  If people feel it is worth pursuing then
> I'll try and find time to add some other vendors and maybe even make it
> less ugly (and validate the html!)

Great idea, keep up the good work...

Marc





Re: [Clamav-users] installation update require

2004-04-26 Thread Marc
Fajar A. Nugraha wrote:

> Either 0.70 (not the -rc one) or the latest CVS snapshot version (mine 
> is ClamAV version devel-20040426)

I'm using clamav 0.70 stable.
How can I get the version of clamav (including devel-x)?
Marc



[Clamav-users] 70rc1 problems

2004-04-21 Thread Marc Balmer
Hi all

I updated a few servers to ClamAV 70rc1.  We only use clamd.  OS is 
OpenBSD 3.5.

The problem we have: clamd terminates.  Seems unstable like the 6x series.

Did anyone succeed to use this software in a production environment?

- Marc Balmer



[Clamav-users] clamdscan gives wrong output

2004-03-03 Thread Marc Cuypers
Hi,

I'm using clamav 0.67 on Debian Woody.

When I run 'clamdscan file1'.  I get the message it contains the virus 
Worm.Gibe.F FOUND.
When I run 'clamdscan file1'.  I get the file is OK.

What could be wrong?

-- Marc





Re: [Clamav-users] clamdscan gives wrong output

2004-03-03 Thread Marc Cuypers
Tomasz Papszun wrote:

> On Wed, 03 Mar 2004 at 11:18:15 +0100, Marc Cuypers wrote:
>
>> Hi,
>>
>> I'm using clamav 0.67 on Debian Woody.
>>
>> When I run 'clamdscan file1'.  I get the message it contains the virus 
>> Worm.Gibe.F FOUND.
>> When I run 'clamdscan file1'.  I get the file is OK.
>>
>> What could be wrong?
>
> ?! The commands you typed are identical.

Sorry for the lapsus:
I meant that 'clamdscan file1' detects the virus and 'cat file1 | 
clamdscan -' doesn't.

-- Marc





[Clamav-users] clamdscan: input via stdin

2004-03-01 Thread Marc Cuypers
Hi,

I'm running clamav 0.60 on Debian.

Can I 'cat' a file to clamdscan, or must it be a physical file on the disk?

Thanks for your time,

--Marc





[Clamav-users] ClamAV 0.67 upgrade from.065 doesn't work

2004-02-27 Thread Marc Brooks
After upgrading from 0.65 to 0.67 on FreeBSD clamav went from finding 100+
viruses a day to 0 a day..

Any suggestions? The daemon and milter are running.




Marc S. Brooks
Programmer/Systems Admin
975 Andreasen
Escondido, CA 92029
760-740-2625 ph
760-740-2643 fx





RE: [Clamav-users] ClamAV 0.67 upgrade from.065 doesn't work [SOLVED]

2004-02-27 Thread Marc Brooks
This has been solved..

The sendmail.mc for some strange reason needed to be rebuilt.

-Original Message-
From: Marc Brooks [mailto:[EMAIL PROTECTED]
Sent: Friday, February 27, 2004 10:37 AM
To: '[EMAIL PROTECTED]'
Subject: [Clamav-users] ClamAV 0.67 upgrade from.065 doesn't work


After upgrading from 0.65 to 0.67 on FreeBSD clamav went from finding 100+
viruses a day to 0 a day..

Any suggestions? The daemon and milter are running.




Marc S. Brooks
Programmer/Systems Admin
975 Andreasen
Escondido, CA 92029
760-740-2625 ph
760-740-2643 fx





[Clamav-users] Clmilter: Unable to bind to port /var/run/clmilter.sock: Address already in use

2004-02-26 Thread Marc Brooks
Hello all,

When I try to start the clamav-milter under sendmail on my BSD box I get the
following error..

*** Unable to bind to port /var/run/clmilter.sock: Address already in use

Marc S. Brooks
Programmer/Systems Admin
975 Andreasen
Escondido, CA 92029
760-740-2625 ph
760-740-2643 fx





[Clamav-users] (no subject)

2004-02-26 Thread Marc Brooks
Hello all,

Currently running clamav-0.67 on FreeBSD.

When I try to start the clamav-milter under sendmail using-

/usr/local/sbin/clamav-milter -blo /var/run/clmilter.sock

It fails and leaves me with this error in my /var/log/messages

Feb 26 14:50:45 xcon5 clamav-milter: ClamAv: Unable to bind to port
/var/run/clmilter.sock: Address already in use
Feb 26 14:50:45 xcon5 clamav-milter: ClamAv: Unable to create listening
socket on conn /var/run/clmilter.sock

Port? What port? currently my machine has one port open..

Any help would be super..


Marc S. Brooks
Programmer/Systems Admin
975 Andreasen
Escondido, CA 92029
760-740-2625 ph
760-740-2643 fx

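
Added example (not part of the original posts and not clamav-milter code): the "port" in this error is the Unix-domain socket path, and bind() on such a path returns "Address already in use" whenever the file already exists, whether a process is still listening on it or an earlier instance left it behind. The Python check below tells those two cases apart and removes the file only in the second; the function names and the temporary paths used in the demonstration are hypothetical.

```python
"""Classify a Unix-domain socket path before (re)starting a milter."""
import errno
import os
import socket
import stat
import tempfile


def socket_path_state(path: str, timeout: float = 1.0) -> str:
    """Return 'absent', 'not-a-socket', 'stale', 'in-use' or 'unknown (...)'."""
    try:
        mode = os.lstat(path).st_mode
    except FileNotFoundError:
        return "absent"
    if not stat.S_ISSOCK(mode):
        return "not-a-socket"          # a regular file or directory sits on the path
    probe = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    probe.settimeout(timeout)
    try:
        probe.connect(path)
        return "in-use"                # a live process accepted the connection
    except ConnectionRefusedError:
        return "stale"                 # socket file exists, nobody is listening
    except OSError as exc:
        name = errno.errorcode.get(exc.errno) or type(exc).__name__
        return f"unknown ({name})"     # e.g. EACCES when run as the wrong user
    finally:
        probe.close()


def try_bind(path: str) -> str:
    """Attempt the bind() a milter performs; return 'bound' or the errno name."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    else:
        os.unlink(path)                # probe only: leave no file of our own behind
        return "bound"
    finally:
        srv.close()


def remove_if_stale(path: str) -> bool:
    """Unlink the socket file only when no process answers on it."""
    # Check-then-unlink is racy; run it from the same init script that starts
    # the daemon so no second instance can start in between.
    if socket_path_state(path) != "stale":
        return False
    os.unlink(path)
    return True


def demo() -> dict:
    """Build a stale and a live socket in a temp dir and report what bind() sees."""
    workdir = tempfile.mkdtemp(prefix="milter-demo-")
    stale = os.path.join(workdir, "stale.sock")
    live = os.path.join(workdir, "live.sock")

    leftover = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    leftover.bind(stale)
    leftover.close()                   # closing does not remove the file

    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(live)
    listener.listen(1)
    try:
        return {
            "stale_state": socket_path_state(stale),
            "stale_bind": try_bind(stale),
            "live_state": socket_path_state(live),
            "live_bind": try_bind(live),
            "stale_removed": remove_if_stale(stale),
            "live_removed": remove_if_stale(live),
            "bind_after_cleanup": try_bind(stale),
        }
    finally:
        listener.close()
        os.unlink(live)
        os.rmdir(workdir)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```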


[Clamav-users] ./configure --prefix=/usr/local --enable-milter fails on ClamAV-0.67

2004-02-25 Thread Marc Brooks
ac_cv_prog_make_make_set=yes
ac_cv_header_sys_param_h=yes
ac_cv_header_ndir_h=no
ac_cv_header_unistd_h=yes
ac_cv_header_string_h=yes
lt_cv_global_symbol_to_cdecl='sed -n -e '\''s/^. .* \(.*\)$/extern char
\1;/p'\'''
lt_cv_path_LD=/usr/libexec/elf/ld
ac_cv_build_alias=i386-unknown-freebsd4.7
ac_cv_env_CPPFLAGS_value=
ac_cv_prog_ac_ct_RANLIB=ranlib
ac_cv_header_memory_h=yes
ac_cv_target_alias=i386-unknown-freebsd4.7
ac_cv_header_pthread_h=yes
ac_cv_prog_ac_ct_STRIP=strip
ac_cv_host=i386-unknown-freebsd4.7
ac_cv_env_host_alias_value=
ac_cv_lib_bz2_bzReadOpen=no
ac_cv_header_zlib_h=yes
ac_cv_type_off_t=yes
lt_cv_global_symbol_to_c_name_address='sed -n -e '\''s/^: \([^ ]*\) $/
{\\1\, (lt_ptr) 0},/p'\'' -e '\''s/^[BCDEGRST] \([^ ]*\) \([^ ]*\)$/
{\2, (lt_ptr) \\2},/p'\'''
lt_cv_compiler_c_o=yes
lt_cv_prog_cc_pic_works=yes
lt_cv_file_magic_test_file=
ac_cv_path_SENDMAIL=/usr/sbin/sendmail
ac_cv_prog_CPP='gcc -E'
ac_cv_prog_AWK=nawk
ac_cv_build=i386-unknown-freebsd4.7
ac_cv_env_build_alias_value=
ac_cv_lib_gmp_mpz_init=yes
ac_cv_header_malloc_h=yes
lt_cv_prog_cc_pic=' -fPIC'
lt_cv_sys_global_symbol_pipe='sed -n -e '\''s/^.*[
]\([ABCDGISTW][ABCDGISTW]*\)[   ][  ]*\(\)\([_A-Za-z][_A-Za-z0-9]*\)$/\1
\2\3 \3/p'\'''
lt_cv_deplibs_check_method=pass_all
ac_cv_prog_ac_ct_CC=gcc
lt_cv_compiler_o_lo=yes
ac_cv_target=i386-unknown-freebsd4.7
ac_cv_env_target_alias_value=
ac_cv_header_syslog_h=yes
ac_cv_sizeof_short=2
ac_cv_env_CC_value=
lt_cv_path_NM='/usr/bin/nm -B'
ac_cv_env_CPP_set=
ac_cv_header_dlfcn_h=yes
ac_cv_header_sys_mman_h=yes
ac_cv_objext=o

## --- ##
## confdefs.h. ##
## --- ##

#define PACKAGE_NAME 
#define PACKAGE_TARNAME 
#define PACKAGE_VERSION 
#define PACKAGE_STRING 
#define PACKAGE_BUGREPORT 
#define PACKAGE clamav
#define VERSION 0.67
#define STDC_HEADERS 1
#define HAVE_SYS_TYPES_H 1
#define HAVE_SYS_STAT_H 1
#define HAVE_STDLIB_H 1
#define HAVE_STRING_H 1
#define HAVE_MEMORY_H 1
#define HAVE_STRINGS_H 1
#define HAVE_INTTYPES_H 1
#define HAVE_UNISTD_H 1
#define HAVE_DLFCN_H 1
#define SCANBUFF 131072
#define FILEBUFF 8192
#define STDC_HEADERS 1
#define HAVE_UNISTD_H 1
#define HAVE_DLFCN_H 1
#define HAVE_INTTYPES_H 1
#define HAVE_SYS_INTTYPES_H 1
#define HAVE_MEMORY_H 1
#define HAVE_STDLIB_H 1
#define HAVE_STRINGS_H 1
#define HAVE_STRING_H 1
#define HAVE_SYS_MMAN_H 1
#define HAVE_SYS_PARAM_H 1
#define HAVE_SYS_STAT_H 1
#define HAVE_SYS_TYPES_H 1
#define HAVE_MALLOC_H 1
#define SIZEOF_SHORT 2
#define SIZEOF_INT 4
#define SIZEOF_LONG 4
#define HAVE_ZLIB_H 1
#define HAVE_BZLIB_H 1
#define HAVE_SETSID 1
#define HAVE_MEMCPY 1
#define HAVE_SNPRINTF 1
#define HAVE_GMP 1
#define CLAMD_USE_SYSLOG 1
#define CLAMAVUSER clamav
#define CLAMAVGROUP clamav
#define DB1NAME main.cvd
#define DB2NAME daily.cvd
#define DATADIR /usr/local/share/clamav
#define CONFDIR /usr/local/etc
#define C_URANDOM 1
#define WITH_TCPWRAP 1
#define CL_THREAD_SAFE 1
#define _REENTRANT 1
#define C_BSD 1
#define BUILD_CLAMD 1
#define WORDS_BIGENDIAN 0

configure: exit 0

Marc S. Brooks
Programmer/Systems Admin
975 Andreasen
Escondido, CA 92029
760-740-2625 ph
760-740-2643 fx





[Clamav-users] ./configure --prefix=/usr/local --enable-milter

2004-02-02 Thread Marc Brooks
ac_cv_header_stdint_h=no
ac_cv_header_inttypes_h=yes
ac_cv_prog_make_make_set=yes
ac_cv_header_sys_param_h=yes
ac_cv_header_ndir_h=no
ac_cv_header_unistd_h=yes
ac_cv_header_string_h=yes
lt_cv_global_symbol_to_cdecl='sed -n -e '\''s/^. .* \(.*\)$/extern char
\1;/p'\'''
lt_cv_path_LD=/usr/libexec/elf/ld
ac_cv_build_alias=i386-unknown-freebsd4.7
ac_cv_env_CPPFLAGS_value=
ac_cv_prog_ac_ct_RANLIB=ranlib
ac_cv_header_memory_h=yes
ac_cv_target_alias=i386-unknown-freebsd4.7
ac_cv_prog_ac_ct_STRIP=strip
ac_cv_host=i386-unknown-freebsd4.7
ac_cv_env_host_alias_value=
ac_cv_type_off_t=yes
lt_cv_global_symbol_to_c_name_address='sed -n -e '\''s/^: \([^ ]*\) $/
{\\1\, (lt_ptr) 0},/p'\'' -e '\''s/^[BCDEGRST] \([^ ]*\) \([^ ]*\)$/
{\2, (lt_ptr) \\2},/p'\'''
lt_cv_compiler_c_o=yes
lt_cv_prog_cc_pic_works=yes
lt_cv_file_magic_test_file=
ac_cv_prog_CPP='gcc -E'
ac_cv_prog_AWK=nawk
ac_cv_build=i386-unknown-freebsd4.7
ac_cv_env_build_alias_value=
ac_cv_header_malloc_h=yes
lt_cv_prog_cc_pic=' -fPIC'
lt_cv_sys_global_symbol_pipe='sed -n -e '\''s/^.*[
]\([ABCDGISTW][ABCDGISTW]*\)[   ][  ]*\(\)\([_A-Za-z][_A-Za-z0-9]*\)$/\1
\2\3 \3/p'\'''
lt_cv_deplibs_check_method=pass_all
ac_cv_prog_ac_ct_CC=gcc
lt_cv_compiler_o_lo=yes
ac_cv_target=i386-unknown-freebsd4.7
ac_cv_env_target_alias_value=
ac_cv_env_CC_value=
lt_cv_path_NM='/usr/bin/nm -B'
ac_cv_env_CPP_set=
ac_cv_header_dlfcn_h=yes
ac_cv_header_sys_mman_h=yes
ac_cv_objext=o

## --- ##
## confdefs.h. ##
## --- ##

#define PACKAGE_NAME 
#define PACKAGE_TARNAME 
#define PACKAGE_VERSION 
#define PACKAGE_STRING 
#define PACKAGE_BUGREPORT 
#define PACKAGE clamav
#define VERSION 0.65
#define STDC_HEADERS 1
#define HAVE_SYS_TYPES_H 1
#define HAVE_SYS_STAT_H 1
#define HAVE_STDLIB_H 1
#define HAVE_STRING_H 1
#define HAVE_MEMORY_H 1
#define HAVE_STRINGS_H 1
#define HAVE_INTTYPES_H 1
#define HAVE_UNISTD_H 1
#define HAVE_DLFCN_H 1
#define SCANBUFF 131072
#define FILEBUFF 8192
#define STDC_HEADERS 1
#define HAVE_UNISTD_H 1
#define HAVE_DLFCN_H 1
#define HAVE_INTTYPES_H 1
#define HAVE_SYS_INTTYPES_H 1
#define HAVE_MEMORY_H 1
#define HAVE_STDLIB_H 1
#define HAVE_STRINGS_H 1
#define HAVE_STRING_H 1
#define HAVE_SYS_MMAN_H 1
#define HAVE_SYS_PARAM_H 1
#define HAVE_SYS_STAT_H 1
#define HAVE_SYS_TYPES_H 1
#define HAVE_MALLOC_H 1

configure: exit 1

Marc S. Brooks
Programmer/Systems Admin
975 Andreasen
Escondido, CA 92029
760-740-2625 ph
760-740-2643 fx





[Clamav-users] checking size of short... configure: error: cannot determine a size for short

2004-01-30 Thread Marc Brooks
Anyone experience this error on compilation?

checking size of short... configure: error: cannot determine a size for
short

I have successfully installed this package before. For some strange reason it
won't recompile without this error.

Any help would be appreciated..






[Clamav-users] ./configure fails

2004-01-27 Thread Marc Brooks
Trying to re-compile on FreeBSD 4.7 w/ milter

# ./configure --prefix=/usr/local --enable-milter

It fails with the error messages below.

Any help or suggestions would be great.

checking build system type... i386-unknown-freebsd4.7
checking host system type... i386-unknown-freebsd4.7
checking target system type... i386-unknown-freebsd4.7
creating target.h - canonical system defines
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for gawk... no
checking for mawk... no
checking for nawk... nawk
checking whether make sets ${MAKE}... yes
checking for gawk... (cached) nawk
checking for gcc... gcc
checking for C compiler default output... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables... 
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for style of include used by make... GNU
checking dependency style of gcc... gcc
checking for a BSD-compatible install... /usr/bin/install -c
checking whether ln -s works... yes
checking whether make sets ${MAKE}... (cached) yes
checking for ld used by GCC... /usr/libexec/elf/ld
checking if the linker (/usr/libexec/elf/ld) is GNU ld... yes
checking for /usr/libexec/elf/ld option to reload object files... -r
checking for BSD-compatible nm... /usr/bin/nm -B
checking how to recognise dependant libraries... pass_all
checking command to parse /usr/bin/nm -B output... ok
checking how to run the C preprocessor... gcc -E
checking for ANSI C header files... yes
checking for sys/types.h... no
checking for sys/stat.h... no
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... no
checking for unistd.h... no
checking dlfcn.h usability... yes
checking dlfcn.h presence... yes
checking for dlfcn.h... yes
checking for ranlib... ranlib
checking for strip... strip
checking for objdir... .libs
checking for gcc option to produce PIC... -fPIC
checking if gcc PIC flag -fPIC works... yes
checking if gcc static flag -static works... yes
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.lo... yes
checking if gcc supports -fno-rtti -fno-exceptions... yes
checking whether the linker (/usr/libexec/elf/ld) supports shared
libraries... yes
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking dynamic linker characteristics... freebsd4.7 ld.so
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... yes
checking whether -lc should be explicitly linked in... yes
creating libtool
checking for ANSI C header files... (cached) yes
checking for stdint.h... (cached) no
checking for unistd.h... (cached) no
checking sys/int_types.h usability... no
checking sys/int_types.h presence... no
checking for sys/int_types.h... no
checking for dlfcn.h... (cached) yes
checking for inttypes.h... (cached) yes
checking sys/inttypes.h usability... yes
checking sys/inttypes.h presence... yes
checking for sys/inttypes.h... yes
checking for memory.h... (cached) yes
checking ndir.h usability... no
checking ndir.h presence... no
checking for ndir.h... no
checking for stdlib.h... (cached) yes
checking for strings.h... (cached) yes
checking for string.h... (cached) yes
checking sys/mman.h usability... no
checking sys/mman.h presence... yes
configure: WARNING: sys/mman.h: present but cannot be compiled
configure: WARNING: sys/mman.h: check for missing prerequisite headers?
configure: WARNING: sys/mman.h: proceeding with the preprocessor's result
checking for sys/mman.h... yes
checking sys/param.h usability... no
checking sys/param.h presence... yes
configure: WARNING: sys/param.h: present but cannot be compiled
configure: WARNING: sys/param.h: check for missing prerequisite headers?
configure: WARNING: sys/param.h: proceeding with the preprocessor's result
checking for sys/param.h... yes
checking for sys/stat.h... (cached) no
checking for sys/types.h... (cached) no
checking malloc.h usability... yes
checking malloc.h presence... yes
checking for malloc.h... yes
checking for off_t... no
checking size of short... configure: error: cannot determine a size for
short

Marc S. Brooks
Programmer/Systems Admin
975 Andreasen
Escondido, CA 92029
760-740-2625 ph
760-740-2643 fx





Re: [Clamav-users] ClamAV instabilities

2004-01-22 Thread Marc Balmer
Tomasz Kojm wrote:

>> clamd hangs at least twice a day, does no longer respond to network 
>> connections.  It has to be killed and restarted.  It has become
>> unusable on OpenBSD.
>
> Sorry, we're not telepathic - we need backtraces, logs, etc.

If there only was an error message.  clamd still runs, according to ps, 
to does no longer handle the network protocol.

- Marc



[Clamav-users] ClamAV instabilities

2004-01-21 Thread Marc Balmer
Hello

About since the big-virus import of about 10'000 viruses I experience 
a lot of problems with the until then stable ClamAV 0.65 on 
OpenBSD/Sparc64 and i386.

clamd hangs at least twice a day, does no longer respond to network 
connections.  It has to be killed and restarted.  It has become unusable 
on OpenBSD.

Is there any news regarding clamd's notorious instability?  Is nclamd the 
way to go?

Regards,
Marc


[Clamav-users] RE: FD_SETSIZE error

2004-01-12 Thread Marc Brooks
I made the change to the 

sys/types.h

and everything now works fine without any errors.

Thanks...


Marc S. Brooks
Programmer/Systems Admin
Tech Deck/Modifiers Cars/Skumm/X Concepts
975 Andreasen
Escondido, CA 92029
760-740-2625 ph
760-740-2643 fx
[EMAIL PROTECTED]


> On Monday 29 Dec 2003 7:52 pm, Marc Brooks wrote:
>
>> I have recently installed Clamav w/ clamav-milter and everything seems to
>> work o.k.
>> Occasionally clamd will stop and the /var/messages logs the errors below.
>>
>> Dec 25 11:09:59 localhost clamav-milter: ClamAv: fd 2224 is larger than FD_SETSIZE 1024
>
> This is a sendmail issue. As I understand it (and someone will no doubt
> gleefully shout at me if I am wrong), the problem is that whilst the number
> of file descriptors available per process is configurable on some operating
> systems (you didn't state which you are using), sendmail uses hard coded
> Posix values. Look up FD_SETSIZE in /usr/include and set your number of per
> process file descriptors to that, restart the milter and then see what
> happens, on mine (Linux - Fedora Core 1) it is 1024.
> Please report back to here since it will be useful to include in the
> documentation.
>
> -Nigel
>
> -- 
> Nigel Horne. Arranger, Composer, Typesetter.
> NJH Music, Barnsley, UK.  ICQ#20252325






Re: [Clamav-users] freshclam exited with return code 1

2003-12-29 Thread Marc Balmer
Philipp Ringli wrote:

> i am getting an email from my server, every time freshclam ran and there
> wasn't an update:
> run-parts: /etc/cron.daily/freshclam exited with return code 1

I run freshclam every six hours directly from a crontab with the 
entry below and I get only mail when there was a real problem.  Maybe 
you should add exit 0 to your script or try running freshclam from a 
crontab:

0   */6 *   *   *   /usr/local/bin/freshclam --quiet

- mb



[Clamav-users] FD_SETSIZE error

2003-12-29 Thread Marc Brooks
Hello,

I have recently installed Clamav w/ clamav-milter and everything seems to
work o.k.
Occasionally clamd will stop and the /var/messages logs the errors below.

Dec 25 11:09:59 localhost clamav-milter: ClamAv: fd 2224 is larger than
FD_SETSIZE 1024
Dec 25 11:10:02 localhost clamav-milter: ClamAv: fd 2225 is larger than
FD_SETSIZE 1024
Dec 25 11:10:05 localhost clamav-milter: ClamAv: fd 2225 is larger than
FD_SETSIZE 1024
Dec 25 11:10:05 localhost clamav-milter: ClamAv: fd 2226 is larger than
FD_SETSIZE 1024
Dec 25 11:10:05 localhost clamav-milter: ClamAv: fd 2225 is larger than
FD_SETSIZE 1024
Dec 25 11:10:11 localhost last message repeated 3 times
Dec 25 11:10:11 localhost clamav-milter: ClamAv: fd 2226 is larger than
FD_SETSIZE 1024
Dec 25 11:10:13 localhost clamav-milter: ClamAv: fd 2225 is larger than
FD_SETSIZE 1024
Dec 25 11:10:33 localhost last message repeated 10 times
Dec 25 11:10:37 localhost clamav-milter: ClamAv: fd 2228 is larger than
FD_SETSIZE 1024
Dec 25 11:10:38 localhost last message repeated 2 times
Dec 25 11:10:38 localhost clamav-milter: ClamAv: fd 2229 is larger than
FD_SETSIZE 1024
Dec 25 11:10:39 localhost clamav-milter: ClamAv: fd 2228 is larger than
FD_SETSIZE 1024
Dec 25 11:11:08 localhost last message repeated 12 times
Dec 25 11:11:17 localhost clamav-milter: ClamAv: fd 2233 is larger than
FD_SETSIZE 1024
Dec 25 11:11:49 localhost last message repeated 21 times
Dec 25 11:13:04 localhost last message repeated 50 times
Dec 25 11:13:04 localhost clamav-milter: ClamAv: fd 2234 is larger than
FD_SETSIZE 1024
Dec 25 11:13:04 localhost clamav-milter: ClamAv: fd 2233 is larger than
FD_SETSIZE 1024
Dec 25 11:13:37 localhost last message repeated 10 times
Dec 25 11:13:43 localhost last message repeated 5 times
Dec 25 11:13:43 localhost clamav-milter: ClamAv: fd 2234 is larger than
FD_SETSIZE 1024
Dec 25 11:13:43 localhost clamav-milter: ClamAv: fd 2235 is larger than
FD_SETSIZE 1024
Dec 25 11:13:46 localhost clamav-milter: ClamAv: fd 2233 is larger than
FD_SETSIZE 1024
Dec 25 11:13:48 localhost clamav-milter: ClamAv: fd 2233 is larger than
FD_SETSIZE 1024
Dec 25 11:13:48 localhost clamav-milter: ClamAv: fd 2234 is larger than
FD_SETSIZE 1024
Dec 25 11:13:48 localhost clamav-milter: ClamAv: fd 2233 is larger than
FD_SETSIZE 1024
Dec 25 11:13:48 localhost clamav-milter: ClamAv: fd 2234 is larger than
FD_SETSIZE 1024

Been pulling my hair out on this one. I really don't understand why this is
happening.
Is this a file descriptor issue? If so, what do I need to change to avoid
this issue in the future?

Currently my # limit 's are:

cputime         unlimited
filesize        unlimited
datasize        524288 kbytes
stacksize       65536 kbytes
coredumpsize    unlimited
memoryuse       unlimited
vmemoryuse      unlimited
descriptors     unlimited
memorylocked    unlimited
maxproc         unlimited
sbsize          unlimited

Thanks in advance...

M. Brooks
Sys Admin/Programmer
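
The log lines in the post above report descriptors (2224 and up) that do not fit into an fd_set, which only has room for descriptors below FD_SETSIZE; with the descriptor limit set to unlimited nothing stops a busy process from being handed such numbers. The following C program is an added example, not code from clamav-milter or sendmail: `fd_fits_select` and `wait_readable` are hypothetical names, and it shows the range check plus a poll() fallback that has no such ceiling.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/select.h>
#include <unistd.h>

/* An fd_set is a fixed bitmap: only descriptors 0 .. FD_SETSIZE-1 fit. */
int fd_fits_select(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/*
 * Wait until fd is readable or timeout_ms has passed.
 * Returns 1 if readable, 0 on timeout, -1 on error (errno set).
 */
int wait_readable(int fd, int timeout_ms)
{
    struct pollfd p;
    int rc;

    if (fd < 0) {
        errno = EBADF;
        return -1;
    }
    if (fd_fits_select(fd)) {
        fd_set rfds;
        struct timeval tv;

        FD_ZERO(&rfds);
        FD_SET(fd, &rfds);              /* safe: fd < FD_SETSIZE */
        tv.tv_sec = timeout_ms / 1000;
        tv.tv_usec = (timeout_ms % 1000) * 1000;
        rc = select(fd + 1, &rfds, NULL, NULL, &tv);
        return rc < 0 ? -1 : rc > 0;
    }
    /* FD_SET() here would write past the bitmap; poll() takes any fd. */
    p.fd = fd;
    p.events = POLLIN;
    p.revents = 0;
    rc = poll(&p, 1, timeout_ms);
    return rc < 0 ? -1 : rc > 0;
}

int main(void)
{
    int p[2], high;

    if (pipe(p) != 0 || write(p[1], "x", 1) != 1)
        return 1;
    /* Constructed case: duplicate the read end onto a descriptor >= 2224,
       the number from the log. Fails if RLIMIT_NOFILE is lower than that. */
    high = fcntl(p[0], F_DUPFD, 2224);
    printf("fd %d fits select: %d, readable: %d\n",
           p[0], fd_fits_select(p[0]), wait_readable(p[0], 100));
    if (high >= 0)
        printf("fd %d fits select: %d, readable: %d\n",
               high, fd_fits_select(high), wait_readable(high, 100));
    else
        printf("descriptor limit too low to create fd 2224 here\n");
    return 0;
}
```

Capping the per-process descriptor limit at FD_SETSIZE, as suggested in the reply, keeps select()-based code inside its bitmap; the poll() path removes the dependency on that cap.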




Re: [Clamav-users] smtp-vilter-1.1.2/clamav-0.65 - error scanning file, temporary failure

2003-12-15 Thread Marc Balmer
Sancho2k.net Lists wrote:

OpenBSD 3.3 / smtp-vilter-1.1.2 / clamav-0.65 port (flinn's) / 
spamassasin/spamd

  My services all start up fine:

  But when a message is inbound I cannot scan it:
   (The following example assumes we are chrooted to /var/smtp-vilter)

   The temporary directory must be readable by clamd.

/home/marc (1) $ ls -l /var/smtp-vilter/
total 6
drwx--  2 _vilter  _vilter  512 Nov 16 15:50 etc
drwx--  2 _vilter  _vilter  512 Dec 14 22:24 run
drwxrwx--T  2 _vilter  _clamd   512 Dec 15 07:18 tmp
/home/marc (2) $
Then the temporary files created by smtp-vilter must be made group 
readable, you need the following setting in 
/etc/smtp-vilter/smtp-vilter.conf:

tmpfiles=g+r

As the pathname for tempfiles is /tmp/filename for smtp-vilter, but 
/var/smtp-vilter/tmp/filename for clamd, you need to define 
chroot-scanrealpath in /etc/smtp-vilter/vilter-clamd.conf:

option=chroot-scanrealpath

With these settings it should work.  Take care about the timeouts in 
your sendmail config and in the backend.  And make sure to read 
smtp-vilter(8).

- Marc



[Clamav-users] smtp-vilter 1.1.1 now with backend chaining and spam control

2003-12-13 Thread Marc Balmer
Version 1.1.1 of smtp-vilter, a high performance content filter for 
sendmail, is out.

This version adds the possibility to chain backends and adds a new 
backend to scan for spam using SpamAssassin's spamd.

More information on http://www.etc.msys.ch/software/smtp-vilter/

(I post this on the OpenBSD and ClamAV mailing lists because smtp-vilter 
is developed and maintained on OpenBSD and uses ClamAV as a virus 
scanning engine by default.)

- Marc





Re: [Clamav-users] Process based clamd

2003-11-29 Thread Marc Balmer
Tomasz Kojm wrote:

> The current CVS code contains a new directive: UseProcesses that will
> cause clamd to use processes instead of threads. Initial version but
> seems to work ;) It should be really useful for clamav-milter users.

What are the advantages of processes vs. threads in this case?  Doesn't 
the creation of processes use more resources?

Thanks for clarification.

- Marc





Re: [Clamav-users] Process based clamd

2003-11-29 Thread Marc Balmer

> There _are_ current issues with thread-based clamd (and thread-based
> software in general, as everything (memory, fd's etc) is shared between
> threads:

No wonder there are issues with threading in clamd.  When I pointed the 
author at Programming with Posix Threads he responded that he had no 
time to read books...  So I guess the problem could also be a bit 
related to not fully understanding the topic ;-)

> - some users (especially milter users) report clamd freezing,
> effectively stopping mail queueing

This situation can be detected and dealt with if the communication 
between the milter and clamd uses a timeout for reads and writes 
(setsockopt()).  The clamav-milter, however, does not set timeouts on 
the sockets and relies on the libmilter timeouts.  In the case of 
failure only sendmail's default behaviour is available, which normally 
means that mail queuing is stopped.

There is third-party software which can (optionally) deliver mail even 
if clamd is defunct.  If the timeout expires due clamd gone mad it 
marks messages as unchecked and delivers them the usual way.  As a side 
effect, the situation is logged and can thus be detected.

> - resource cleanup in clamd is not optimal (especially on internal
> failures, where fd's are not closed and some memory is not free()'d)

This is not related to using threads or not.  It's just bad style and 
needs correction anyway IMHO.

> I think it's a great leap toward real production quality for clamd. A

For sure. It is always good to have the choice.  I guess that once the 
threading problems are solved, the threaded solution will be much more 
performant.  On a busy server it will be problematic to spawn a process 
for every mail message.  That will lead to other resource starvation 
problems.

IMHO ClamAV already has production quality.  At least we use it on some 
production servers and since the release of 0.65 there was not a single 
problem with the software.  The team really made a big, big effort 
between 0.60 and 0.65.

- mb





Re: [Clamav-users] Updated Clam Antivirus Stable 0.65 OpenBSD Port

2003-11-18 Thread Marc Balmer
Flinn Mueller wrote:

> Please test this latest stable version (0.65) of clamav stable.  There
> was a small work around in the Makefile of the port.  It seems that the

It works on 3.4-current/i386 and 3.3/sparc64 without problems here.

- Marc





Re: [Clamav-users] Updated Clam Antivirus Stable 0.65 OpenBSD Port

2003-11-18 Thread Marc Balmer
Scott Deacon wrote:

> Did you build including milter support?

No.  I use smtp-vilter because we also access Symantec Scanners.

- Marc





[Clamav-users] clamav-milter vuln. reported on bugtraq

2003-11-12 Thread Marc Balmer
FYI.

Secure Network Operations, Inc. http://www.secnetops.com/research
Strategic Reconnaissance Team   [EMAIL PROTECTED]
Team Lead Contact   [EMAIL PROTECTED]


Our Mission:

Secure Network Operations offers expertise in Networking, Intrusion 
Detection Systems (IDS), Software Security Validation, and 
Corporate/Private Network Security. Our mission is to facilitate a 
secure and reliable Internet and inter-enterprise communications 
infrastructure through the products and services we offer. 

To learn more about our company, products and services or to request a 
demo of ANVIL FCS please visit our site at http://www.secnetops.com, or 
call us at: 978-263-3829


Quick Summary:

Advisory Number : SRT2003-11-11-1151
Product : Clam AntiVirus
Version : clamav-0.60 through clamav-0.60p
Vendor  : http://clamav.elektrapro.com/
Class   : Remote
Criticality : High (to clamav-milter users)
Operating System(s) : *nix, cygwin


Notice

The full technical details of this vulnerability can be found at:
http://www.secnetops.com under the research section. 


Basic Explanation

High Level Description  : clamav-milter contains format strings issues.
What to do  : disable syslog support, upgrade to clamav-0.65


Basic Technical Details

Proof Of Concept Status : SNO has proof of concept. 

Low Level Description   : Clam AntiVirus is an anti-virus toolkit for 
UNIX. The main purpose of the software is to integrate with mail servers 
for attachment scanning. Clam AntiVirus works with Linux, Solaris, 
FreeBSD, OpenBSD, NetBSD, AIX, Mac OS X, and Cygwin B20.

Snapshot clamav-devel-2003 and clamav-0.65 fix a potentially 
exploitable format string issue that can be triggered by a remote attacker. 
Only versions above clamav-0.54 that include syslog() functionality are 
vulnerable to this attack. CVS snapshots up to but not including version 
clamav-devel-2003 may be vulnerable to attack. Versions clamav-0.60 
through clamav-0.60p are confirmed to be at least exploitable for a DoS 
condition. This issue only poses a problem for clamav-milter users.

*0.60q   11/11/03 Fixed handling of % characters in e-mail addresses
*pointed out by [EMAIL PROTECTED]

This issue may potentially be used to run code as either the clamav user or
root depending on how clamav is configured. At the very least a DoS attack
on clamav-milter can be caused using mail from: %n%n%n%n%n%n%n along with 
a test antivirus string which is used to trigger an AV alert.

full details at http://www.secnetopz.biz/research/SRT2003-11-11-1151.txt

Vendor Status   : Promptly attended to the issue. Patched
clamav-milter is available in clamav-devel-2003 and clamav-0.65

Bugtraq URL : To be assigned. 
Disclaimer
--
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories but can be obtained under contract.. Contact our sales 
department at [EMAIL PROTECTED] for further information on how to 
obtain proof of concept code.

--
Secure Network Operations, Inc. || http://www.secnetops.com
Embracing the future of technology, protecting you.
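
The class of bug the advisory describes, untrusted text reaching a printf-style logger as the format string, is shown below next to its hardened form. This C program is an added example and not clamav-milter's code: `log_msg` is a hypothetical stand-in for syslog() that writes into a buffer, the function names are made up, and the sender value is the one quoted in the advisory.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for syslog(): same printf-style contract, but the
   formatted line lands in a buffer so it can be inspected. */
static char last_log[256];

static void log_msg(const char *fmt, ...)
{
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
}

/* VULNERABLE pattern, shown for contrast: the message is assembled first and
   then handed to the logger as the format string, so every '%' that arrived
   in the envelope sender is interpreted as a conversion with no argument. */
void report_unsafe(const char *sender, const char *virus)
{
    char line[256];

    snprintf(line, sizeof line, "%s: %s intercepted", sender, virus);
    log_msg(line);
}

/* Hardened form: the format is a constant, untrusted text is only data. */
void report_safe(const char *sender, const char *virus)
{
    log_msg("%s: %s intercepted", sender, virus);
}

int main(void)
{
    /* The sender string from the advisory, logged byte for byte. */
    report_safe("%n%n%n%n%n%n%n", "Test-Signature");
    puts(last_log);

    /* report_unsafe() is only well-defined for senders without '%',
       so it is called here with a benign constructed address. */
    report_unsafe("user@example.org", "Test-Signature");
    puts(last_log);
    return 0;
}
```

When auditing, any syslog(), printf() or similar call whose format argument is not a string literal deserves the same rewrite; compilers flag many of these with -Wformat-security.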


 





[Clamav-users] OpenBSD port

2003-11-10 Thread Marc Balmer
As clamav becomes more and more stable and as snapshots are available I 
wonder when the OpenBSD port gets updated?  Wouldn't it be nice if 
there were a clamav-latest port (for development and testing use) that 
fetches a clamav-latest.tar.gz file from the clamav server?

If the OpenBSD port lags behind because of lack of time, I can surely 
help (we use clamav on OpenBSD in production environments, so we have 
an interest in having the latest, stablest version available.)

Regards,
Marc




[Clamav-users] clamav milter suggestion

2003-11-10 Thread Marc Balmer
I peeked a little at clamav milter.  I think it can be made more stable 
if the reads() and writes() to sockets are done with a timeout set.  If 
clamd goes mad, it sometimes accepts() a connection, even reads the 
command but never responds.  If then your socket read or recv call has 
no timeout, the milter sits there and waits forever and if mail flows 
in at a reasonable speed the number of socket/file descriptors gets 
exhausted.  A simple setsockopt call can cure this situation.  Since we 
have that in our milter, we had not a single failure with the 
sendmail/smtp-vilter/clamd combination.

- Marc
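
The setsockopt() timeout suggested in this post, and in the 2003-11-29 "Process based clamd" reply above, can be sketched as follows. This C program is an added example, not code from clamav-milter or smtp-vilter: the function names and the 200 ms value are assumptions, and a socketpair whose far end never answers is a constructed stand-in for a daemon that accepted the connection and then hung.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef MSG_NOSIGNAL
#define MSG_NOSIGNAL 0   /* not defined everywhere; 0 keeps send() portable */
#endif

enum scan_status { SCAN_REPLY, SCAN_TIMEOUT, SCAN_ERROR };

/* Bound every blocking read and write on the scanner socket. */
int set_io_timeout(int fd, long ms)
{
    struct timeval tv;

    tv.tv_sec = ms / 1000;
    tv.tv_usec = (ms % 1000) * 1000;
    if (setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) < 0)
        return -1;
    return setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof tv);
}

static int timed_out(void)
{
    return errno == EAGAIN || errno == EWOULDBLOCK;
}

/* Send one short command and read one reply, never blocking past the timeout. */
enum scan_status ask_scanner(int fd, const char *cmd, char *reply, size_t cap)
{
    size_t len = strlen(cmd);
    ssize_t n;

    if (cap == 0)
        return SCAN_ERROR;
    reply[0] = '\0';
    n = send(fd, cmd, len, MSG_NOSIGNAL);
    if (n < 0)
        return timed_out() ? SCAN_TIMEOUT : SCAN_ERROR;
    if ((size_t)n != len)
        return SCAN_ERROR;          /* short write: treated as failure here */
    n = recv(fd, reply, cap - 1, 0);
    if (n < 0)
        return timed_out() ? SCAN_TIMEOUT : SCAN_ERROR;
    if (n == 0)
        return SCAN_ERROR;          /* peer closed without answering */
    reply[n] = '\0';
    return SCAN_REPLY;
}

int main(void)
{
    int sv[2];
    char reply[64];

    /* Constructed stand-in for a hung daemon: the peer end never answers. */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 1;
    if (set_io_timeout(sv[0], 200) != 0)
        return 1;
    if (ask_scanner(sv[0], "PING\n", reply, sizeof reply) == SCAN_TIMEOUT)
        puts("scanner timed out: log it, close the socket, mark unchecked");
    close(sv[0]);
    close(sv[1]);
    return 0;
}
```

Closing the descriptor on SCAN_TIMEOUT is what prevents the exhaustion described in the post; whether the message is then deferred or delivered as unchecked is a policy decision for the filter.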




