Re: [Clamav-users] Fwd: clamav 0.65 remote DOS exploit

2004-02-10 Thread Michael Dankov
On Tue, 10 Feb 2004, russ wrote:

r>This just came to the qmail-scanner list. Is this an issue for all users
r>of the stable 0.65?

This is unfortunately true. It was fixed in CVS five days after 0.65 came
out:

mbox.c:

 * Revision 1.11  2003/11/17 07:57:12  nigelhorne
 * Prevent buffer overflow in broken uuencoded files

ChangeLog:

Wed Nov 12 02:34:56 CET 2003 (tk)
-
  * docs: included clamav-mirror-howto.pdf by Luca Gibelli
  * docs: included clamd+daemontools HOWTO by Jesse D. Guardiani
  * docs: included signatures.pdf
  V 0.65


misha



---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] Can't seem to get clamav-milter to scan mail

2004-02-06 Thread Michael Dankov
Hi!

On Fri, 6 Feb 2004, Nigel Horne wrote:

NH>On Friday 06 Feb 2004 12:08 am, Michael St. Laurent wrote:
NH>
NH>> > If you do a ps is clamav-milter running?
NH>>
NH>> Yes.  ps -elf | grep clamav-milter returns:
NH>
NH>Nothing springs to mind, I'm sorry to say.
NH>
NH>So try this, enable debug and foreground in
NH>clamav.conf and restart the milter *by hand* i.e. not through /sbin/service,
NH>at the command line type: clamav-milter --max-children=10 -lo -q local:/var/run/clamav/clamav-milter.sock
NH>
NH>Then with any luck we'll be able to see what is or isn't happening.

Probably sendmail.cf had not been rebuilt from .mc file.

misha.





Re: [Clamav-users] TcpSocket and --quarantine-dir option

2004-02-04 Thread Michael Dankov
On Tue, 3 Feb 2004, Krištof Petr wrote:

KP>I decided to switch from LocalSocket to TcpSocket on clamd server
KP>for windows users can start testing windows client from their Win
KP>workstations.
KP>
KP>But this option is exclusive with --quarantine-dir on clamav-milter.
KP>
KP>Is there some technical reason or clamav simply reach his design limit
KP>and new features are patched 'head over heel' style?

I've implemented this option to solve two things:
a) To have quarantine
b) To have mail files processed only after they completely came from
the network. Without quarantine-dir I had to have a very big timeout value in
clamd and it did not save me from timeouts.

My first implementation was able to scan over TCP socket but this could be
done only with local files because I've used SCAN clamd command instead of
STREAM. Nigel Horne said and I agreed that disabling TCP mode would make
local-only limitation more clear for end-users.

There are two ways to reimplement TCP mode with quarantine-dir:
a) As this was done in my first version. Easy but not so good.
b) Save file in quarantine, then use STREAM to send it to clamd. A little
harder to implement and less efficient (clamd needs to save this file before
scanning to process nested elements). But this would allow having milter
and clamd on different servers.

Also you can have two separate clamd running on the same server - one for
milter and one for Windoze.

misha.





Re: [Clamav-users] Milter timeouts.

2004-02-01 Thread Michael Dankov
Hi!

On Thu, 29 Jan 2004, Spike Ilacqua wrote:

SI>Tomasz Kojm <[EMAIL PROTECTED]> wrote:
SI>> Setup a big ThreadTimeout as a temporary work-around.
SI>
SI>How big is big?  I tried 7200 and still saw lots of:
SI>
SI>Milter read(clamav): timeout before data read
SI>Milter (clamav): init failed to open
SI>Milter (clamav): to error state

This seems to be sendmail timeout, not clamav-milter's one. So you should
change something in milter definition in sendmail.mc to increase it, not in
clamav config. But if you have these lines on _every_ mail being processed
until you restart clamav-milter then you probably found some bug in
clamav-milter. Upgrade to latest CVS version and bugreport to Nigel Horne if
it is still present after upgrade.

misha.





Re: [Clamav-users] Segfault without trace?

2003-12-18 Thread Michael Dankov
On Thu, 18 Dec 2003, Odhiambo Washington wrote:


OW>I am running clamav-devel-20031211.
OW>
OW>Is there anything else I need to provide to help with this situation?
OW>Where do I look?

At the latest CVS you do :) I believe this was fixed Dec 14 2003.

misha.





Re: [Clamav-users] clamav-milter - runaway process problem

2003-12-16 Thread Michael Dankov
hi!

On Tue, 16 Dec 2003, Mike Brodbelt wrote:

MB>> Do you need to restart both clamav-milter and clamdscan, or only one of
MB>> them?
MB>
MB>I restart both clamd and clamav-milter.

  Does restarting clamav-milter only make no sense?

MB>P.S. This is a dual processor box - any remote possibility of that
MB>leading to a  race condition somewhere? I'd have thought not, but
MB>figured mentioning it can't do any harm.

 I believe there is nothing in clamav that could depend on number of CPUs.
But looking for some news in kernel mailing lists or simply upgrading kernel
to latest stable release can help. The same, by the way, can be said of
thread library. I understand clamav is not so bug free as kernel and libc
are, but who knows...  Today I had to ask one of our customers to
disable his Norton Antivirus on Windoze because it prevented my program from
creating a new file on a floppy. Creating, not writing to it I mean. Yes, a
file with lengthy filename, but why does it care?  Mysterious things
sometimes happen in this world.

misha.





Re: [Clamav-users] clamav-milter - runaway process problem

2003-12-13 Thread Michael Dankov
Hi!

On Fri, 12 Dec 2003, Mike Brodbelt wrote:

MB>Dec 12 07:16:35 castor clamav-milter[8758]: clean message from
MB><[EMAIL PROTECTED]>
MB>Dec 12 07:18:08 castor clamav-milter[8880]: clamfi_connect: connection
MB>from castor.acu.ac.uk [194.81.120.81]
MB>Dec 12 07:20:23 castor clamd[12601]: SelfCheck: Database status OK.
MB>Dec 12 07:20:48 castor clamav-milter[9396]: clamfi_connect: connection
MB>from web14421.mail.yahoo.com [216.136.174.201]
MB>Dec 12 07:20:49 castor clamav-milter[9396]: clean message from
MB><[EMAIL PROTECTED]>
MB>
MB>
MB>All is fine at this point. At 7:20am, clamd runs a self-check. I am now
MB>almost *certain* that the error condition is triggered by this
MB>self-check, as I've never consciously seen a failure without an attached
MB>self-check. Shortly after the self-check, it becomes apparent that
MB>things are going wrong:-

Look, two minutes before SelfCheck there is milter thread 8880 started, and
I do not see when it finishes. Is something wrong with it?

At the moment I have no idea what is going wrong in your case; following is
my clamav.conf, try to change yours to be as close to it as possible, and
recheck if you had installed libclamav after last rebuild.

=== clamav.conf ===
LogFile /tmp/clamd.log
LogFileMaxSize 2M
LogTime
LogSyslog
PidFile /var/run/clamd.pid
LocalSocket /var/run/clamav/clamd
FixStaleSocket
StreamSaveToDisk
ThreadTimeout 7200
MaxDirectoryRecursion 15
User clamav
ScanMail
=== clamav.conf ===

I start clamd without any arguments and clamav-milter with following ones:
--max-children=0 -l --quarantine-dir /var/quarantine --postmaster-only
-o unix:/var/run/clamav/clam-milter

MB>
MB>Normally, each "connection from" message is followed by the scan result
MB>- either "clean" or "virus found". The first odd thing in the logs is a
MB>long list of connects with no scan results (positive or negative) after
MB>them, then the max-children messages start.

  When I had similar behaviour, it was caused by clamd deaths. Normally,
there are three clamd threads running + one per message being scanned.
Sometimes, as of version 0.60, two threads of clamd died and only one left,
doing periodical selfchecks. Then any process connecting to clamd would
successfully connect but time out waiting for any response. I had not seen
something like this since 0.65 was released.

  It may be helpful if you try to run clamdscan on a file when milter
begins to block and look if clamdscan hangs too. Don't forget that clamdscan
can check only files accessible by user running clamd, not clamdscan.

MB>At this point, AFAICT, every mail is slowed down by sendmail waiting for
MB>the milter to time-out, and the system starts passing mail unscanned by
MB>ClamAV. Soon after, the "private data not NULL" errors start.


MB>It then accumulated processes until I notice, and kill and restart it.

Do you need to restart both clamav-milter and clamdscan, or only one of
them?

MB>Something appears to have improved recently, because with the 09122003
MB>CVS, although I still get the huge max-children numbers in the logs, I
MB>don't actually seem to have hundreds of processes any more.

I had switched that limit off for clamav-milter because at some point with
0.60 it seemed it was not working properly.

MB>So, I think that the self-check is actually where it starts to go wrong,
MB>and that clamd falls over somehow, which causes the milter to block and
MB>time-out, and also means that it doesn't always exit cleanly (leading to
MB>the not NULL errors).

  At the moment I do not see any way for self-check to break things...

  Maybe switching to process based scanning would help? Try UseProcesses
option in clamav.conf.

misha.
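
Added example, not part of the original post: the check done by eye above (a milter PID that logs a connection but never a verdict, and which sessions were open when clamd ran its SelfCheck) written as a script. The sample log is constructed in the syslog format quoted in the thread; the verdict wording matched for infected mail and the `year` parameter are assumptions.

```python
import re
from datetime import datetime

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ([\w-]+)\[(\d+)\]: (.*)$")
CONNECT = re.compile(r"clamfi_connect: connection from (\S+)")
# Assumption: a verdict line says "clean message" or mentions "virus".
VERDICT = re.compile(r"clean message|virus", re.IGNORECASE)

# Constructed sample; host names and addresses are placeholders.
SAMPLE_LOG = """\
Dec 12 07:16:34 mx clamav-milter[8758]: clamfi_connect: connection from a.example.org [192.0.2.10]
Dec 12 07:16:35 mx clamav-milter[8758]: clean message from <user@example.org>
Dec 12 07:18:08 mx clamav-milter[8880]: clamfi_connect: connection from b.example.org [192.0.2.11]
Dec 12 07:20:23 mx clamd[12601]: SelfCheck: Database status OK.
Dec 12 07:20:48 mx clamav-milter[9396]: clamfi_connect: connection from c.example.org [192.0.2.12]
Dec 12 07:20:49 mx clamav-milter[9396]: clean message from <user@example.org>
Dec 12 07:25:02 mx clamav-milter[9501]: clamfi_connect: connection from d.example.org [192.0.2.13]
"""


def audit(log_text, year=2003):
    """Return (unfinished, at_selfcheck).

    unfinished   -- {pid: (connect_time, peer)} for sessions with no verdict
    at_selfcheck -- [(selfcheck_time, [pids open at that moment])]
    """
    open_sessions, at_selfcheck = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped or foreign line
        # syslog omits the year, so the caller supplies it
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        prog, pid, msg = m.group(2), int(m.group(3)), m.group(4)
        if prog == "clamd" and msg.startswith("SelfCheck:"):
            at_selfcheck.append((when, sorted(open_sessions)))
        elif prog == "clamav-milter":
            peer = CONNECT.search(msg)
            if peer:
                open_sessions[pid] = (when, peer.group(1))
            elif VERDICT.search(msg):
                open_sessions.pop(pid, None)  # session finished normally
    return open_sessions, at_selfcheck


if __name__ == "__main__":
    unfinished, at_selfcheck = audit(SAMPLE_LOG)
    for pid, (when, peer) in sorted(unfinished.items()):
        print(f"no verdict: pid {pid} from {peer}, connected {when:%b %d %H:%M:%S}")
    for when, pids in at_selfcheck:
        print(f"SelfCheck at {when:%H:%M:%S}: open milter sessions {pids}")
```

A session near the end of the log may simply still be in progress, so compare its connect time with the time of the last line before treating it as hung.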






Re: [Clamav-users] clamav-milter - runaway process problem

2003-12-12 Thread Michael Dankov
Hi!

On Fri, 12 Dec 2003, Mike Brodbelt wrote:

MB>>>Dec 11 14:08:33 castor clamav-milter[12303]: ClamAv: private data not NULL
MB>>>Dec 11 14:08:33 castor clamav-milter[12301]: ClamAv: private data not NULL
MB>
MB>CVS snapshot from 9th December.
MB>$ grep "private data" ./sendmail-8.12.10/libmilter/handler.c
MB>"%s: private data not NULL",
MB>

  Do you still have timeouts reported by clamd? Be sure you enable clamd
logging either by LogFile or LogSyslog in clamav.conf.

  Do those log entries appear some time (up to 20min or even more) after
clamd session times out, exactly one entry per timeout?

  Does this all happen with --quarantine-dir enabled? I mean
--quarantine-dir, not --quarantine because these two options do nearly the
same for end user but in completely different ways.

misha.





Re: [Clamav-users] clamav-milter - runaway process problem

2003-12-09 Thread Michael Dankov
On Tue, 9 Dec 2003, Mike Brodbelt wrote:

MB>Just a quick note to point out that the problem with clamd blocking and
MB>then clamav-milter spawning a ridiculous number of child processes is
MB>still not fixed in the CVS snapshot from today. I see this in the logs:-
MB>
MB>Dec  9 16:08:49 castor clamd[22701]: Self checking every 3600 seconds.
MB>Dec  9 16:08:49 castor clamd[22701]: Timeout set to 180 seconds.
MB>Dec  9 16:08:49 castor clamd[22701]: SelfCheck: Database status OK.
MB>Dec  9 17:09:25 castor clamd[22701]: SelfCheck: Database status OK.
MB>Dec  9 17:19:29 castor clamd[22701]: Session 3 stopped due to timeout.
MB>Dec  9 17:19:31 castor clamd[22701]: Session 0 stopped due to timeout.
MB>Dec  9 17:19:33 castor clamd[22701]: Session 2 stopped due to timeout.
MB>Dec  9 17:19:40 castor clamd[22701]: Session 4 stopped due to timeout.
MB>Dec  9 17:20:42 castor clamd[22701]: Session 1 stopped due to timeout.
MB>Dec  9 17:22:30 castor clamd[22701]: Session 3 stopped due to timeout.

MB>This behaviour has been going on ever since I first installed clamav -
MB>just over 2 1/2 months ago. Does anyone know what causes it, and is
MB>there any hope of a fix?

Clamd+clamav-milter are quite unstable when clamd sessions are timed out.
More timeouts, more instability. Current default behavior of clamav-milter
is to connect to clamd as soon as sendmail receives "mail from: <[EMAIL PROTECTED]>"
from mail client. Some mail clients (dial-upers, spammers, overloaded mail
hosts) may send a message for 2 hours and more... Having timeout of 180 sec
is definitely too low for clamav-milter default mail scanning.

   You have two options: (1) increase this timeout to a big value. 7200 was
not enough for me: I still had 1-2 timeouts per 24 hours. (2) use option
--quarantine-dir=/var/quarantine when starting clamav-milter. Then milter
will pre-save message into a temporary file in that directory, and pass it
to clamd only after it is really ready for scan. As a side effect :)
infected messages will be left in that dir for your review.

misha.





Re: [Clamav-users] New version 0.65 with old problems

2003-12-02 Thread Michael Dankov
Hi!

On Tue, 2 Dec 2003, Krištof Petr wrote:

KP>The number of open files counted via 'lsof | grep clam | wc -l'
KP>show astronomical values.
KP>
KP>I guess it goes wrong when some with slow connectivity try to send
KP>really big email. The timeouts are reach, and everything goes to [EMAIL PROTECTED]

Please upgrade to latest development version and try to run milter with
--quarantine-dir=/var/quarantine option. You should create that dir
writeable by clamav user at first of course.

Then clamav-milter will store files in temporary folder and pass them to
clamd only after sendmail got an end-of-message marker.

I had those session timeouts even with 2 hour timeout in clamd until
I began to use this mode of scanning.

misha.
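
Added example, not clamav-milter's own code: the spool-then-scan order that --quarantine-dir is described as using here and in the replies above, where the whole message is written to disk before clamd is contacted with SCAN. The function name, the `connect` callable, the `timeout` value and the newline-terminated command framing are assumptions; the `path: OK` and `path: NAME FOUND` replies are clamd's usual answer format.

```python
import os
import tempfile


def spool_then_scan(chunks, quarantine_dir, connect, timeout=30.0):
    """Write every chunk to a file in quarantine_dir, then ask clamd to SCAN it.

    chunks  -- iterable of bytes, possibly arriving slowly from the SMTP client
    connect -- callable returning a socket connected to clamd's LocalSocket,
               so that clamd can open the spooled file by path
    Returns (verdict, path); path is None once a clean file has been removed.
    """
    fd, path = tempfile.mkstemp(prefix="msg.", dir=quarantine_dir)
    with os.fdopen(fd, "wb") as spool:
        for chunk in chunks:  # a slow sender stalls here, not inside clamd
            spool.write(chunk)

    # Only now is a clamd session opened, so its timeout covers the scan
    # alone and not the time the client needed to deliver the message.
    with connect() as conn:
        conn.settimeout(timeout)
        conn.sendall(b"SCAN " + path.encode() + b"\n")
        reply = b""
        while not reply.endswith(b"\n"):
            data = conn.recv(4096)
            if not data:
                break
            reply += data

    status = reply.decode(errors="replace").strip().rsplit(": ", 1)[-1]
    if status == "OK":
        os.unlink(path)
        return "clean", None
    if status.endswith(" FOUND"):
        # The infected copy stays in the quarantine directory for review.
        return status[: -len(" FOUND")], path
    # Empty or ERROR reply: keep the file and fail closed.
    raise RuntimeError("unexpected clamd reply: %r" % status)
```

Because SCAN passes a path rather than the data, this only works when clamd can read the quarantine directory, which is the local-only limitation discussed in the TcpSocket reply.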





Re: [Clamav-users] clamav-milter: is it possble to mark infected e-mail, but still deliver it to addressee ?

2003-11-28 Thread Michael Dankov
Hi!

On Fri, 28 Nov 2003, Tommi Rintala wrote:

TR>I hope that I didn't understand the original question wrong, but how about
TR>installing amavis to work with clamav. It could inform the user that an
TR>infected mail message was tried to be delivered, but was stopped (so no
TR>actual delivery is done).
TR>
TR>Therefore the actual delivery is confirmed, but the contents (virus) is
TR>not.

Current clamav-milter can do this for you.

misha.


