Re: [clamav-users] ClamAV 1.0.X for EPEL 7 & 8

2024-04-29 Thread Orion Poplawski via clamav-users
On 4/29/24 03:14, Marc wrote:
> 
>>
>> With the help of John Sullivan and Sérgio M. Basto we have gotten the
>> Fedora ClamAV 1.0.X package in shape to be built for EPEL 7 and 8.  We
>> have a COPR available now with builds of 1.0.6 ready for testing here:
>>
> 
> Hi Orion, I wrote Sergio a few months ago about implementing ip/port lookups 
> dynamically. Did some of this find its way into these updates?

I'm not exactly sure what you are referring to.  Have you filed an issue at
bugzilla.redhat.com?  That's the best way to track things.

-- 
Orion Poplawski
he/him/his  - surely the least important thing about me
Manager of IT Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/



smime.p7s
Description: S/MIME Cryptographic Signature
___

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat


Re: [clamav-users] ClamAV 1.0.X for EPEL 7 & 8

2024-04-29 Thread Orion Poplawski via clamav-users
On 4/29/24 03:03, Ben Argyle wrote:
> I'd be extremely grateful if you could consider EPEL 9 as well, please!

EPEL 9 already has ClamAV 1.0.5, with 1.0.6 on its way:

https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-25c9732d41

> -Original Message-
> From: clamav-users  On Behalf Of Orion 
> Poplawski via clamav-users
> Sent: 27 April 2024 01:06
> To: ClamAV users ML 
> Cc: Orion Poplawski 
> Subject: [clamav-users] ClamAV 1.0.X for EPEL 7 & 8
> 
> With the help of John Sullivan and Sérgio M. Basto we have gotten the
> Fedora ClamAV 1.0.X package in shape to be built for EPEL 7 and 8.  We
> have a COPR available now with builds of 1.0.6 ready for testing here:
> 
> https://copr.fedorainfracloud.org/coprs/g/clamav/clamav-1.0/
> 
> We will likely push this to EPEL proper just after RHEL 8.10 is
> released, presumably in May.  But testing and feedback of the COPR
> builds before that would be welcome.
> 
> Orion
> 
> --
> Orion Poplawski
> he/him/his  - surely the least important thing about me
> IT Systems Manager 720-772-5637
> NWRA, Boulder/CoRA Office FAX: 303-415-9702
> 3380 Mitchell Lane   or...@nwra.com
> Boulder, CO 80301 https://www.nwra.com/



[clamav-users] ClamAV 1.0.X for EPEL 7 & 8

2024-04-26 Thread Orion Poplawski via clamav-users
With the help of John Sullivan and Sérgio M. Basto we have gotten the 
Fedora ClamAV 1.0.X package in shape to be built for EPEL 7 and 8.  We 
have a COPR available now with builds of 1.0.6 ready for testing here:


https://copr.fedorainfracloud.org/coprs/g/clamav/clamav-1.0/

We will likely push this to EPEL proper just after RHEL 8.10 is 
released, presumably in May.  But testing and feedback of the COPR 
builds before that would be welcome.


Orion



Re: [clamav-users] linux distribution including clamav-1.0.1

2023-03-07 Thread Orion Poplawski via clamav-users

On 3/7/23 10:48, kumar bava via clamav-users wrote:
> Hi, please help me with the below question, thank you
>
> We have been using clamav-0.103.6 and would like to upgrade to the new
> LTS release (1.0.x). However, I can not find clamav-1.0.1 in EPEL
> distribution. Our systems are based on rhel7.
>
> So far, we have been able to install clamav-0.103.x from the EPEL repo
> and would like to do the same for the new LTS track (1.0.x) if it's possible.
>
> What are the possible installation options?


I've been looking into things and I think we will be able to update 
clamav in EL7 and EL8 to 1.0.X once 0.103.X goes EOL.  We're basically 
just waiting on one issue to get resolved at the moment:


https://github.com/Cisco-Talos/clamav/issues/842

We will probably provide a COPR repo for early adopters once that issue 
is resolved.




Re: [clamav-users] ClamAV & Fedora 37 - Long Initialization Time at Boot

2023-02-18 Thread Orion Poplawski via clamav-users
ce - clamd 
scanner (scan) daemon.




[clamav-users] Future support of clamav in EPEL7 and EPEL8

2023-02-18 Thread Orion Poplawski via clamav-users
I'm one of the maintainers of the clamav package in Fedora and Fedora 
EPEL.  I believe that the EPEL packages are currently one of the primary 
sources for users of clamav on RHEL based distributions.


We were recently asked about the future of support for clamav in EL7 in 
particular[1] since https://docs.clamav.net/faq/faq-eol.html states that 
the 0.103.X release series will go EOL on Sep-14 2023.  This is prior to 
the EOL date for EL7 of Jun-30 2024, and much before the EOL date for 
EL8 of May 31, 2029. (See 
https://access.redhat.com/support/policy/updates/errata)


This email is to start a discussion of what will happen with clamav 
support in EPEL7 and EPEL8.  In particular, to inform everyone that it 
will be impossible to build clamav 1.X in EPEL7 and EPEL8 due to lack of 
rust support.  Fedora packaging policies prohibit the downloading of 
files from the internet during builds, and the rust/rpm versions in 
EL7/EL8 are too old to support the current Fedora rust ecosystem.


Perhaps this will not be an issue and people can simply start using the 
RPMs provided by clamav upstream.


We might be able to provide a version of the Fedora EPEL clamav RPMs via 
COPR[2], as COPR does not have the restrictions on internet downloads. 
However, it won't have the "EPEL" appellation.


I am hopeful that we will be able to provide clamav 1.X in EPEL9.

[1] - https://bugzilla.redhat.com/show_bug.cgi?id=2170297#c3
[2] - https://copr.fedorainfracloud.org/


Re: [clamav-users] Testing for Big Endian Architectures

2023-01-07 Thread Orion Poplawski via clamav-users

On 1/6/23 14:29, Scott Kitterman via clamav-users wrote:
> On Thursday, January 5, 2023 8:51:27 AM EST Scott Kitterman via clamav-users wrote:
>> We finally have Clamav 1.0.0 in Debian Unstable.
>>
>> Unfortunately, unit tests fail on all big endian archs (shown in the PowerPC
>> build log [1] - it's the same tests failing on all of them).  Does upstream
>> testing include big endian?
>>
>> Does anyone have suggestions on how to fix it?  I have access to hardware to
>> test fixes if there are patches.
>>
>> Scott K
>>
>> [1] https://buildd.debian.org/status/fetch.php?pkg=clamav&arch=powerpc&ver=1.0.0%2Bdfsg-4&stamp=1672878929&raw=0
>
> My Debian collaborator Sebastian Siewior confirmed there are endianness issues
> in libclamav/pe.c.  We have a patch we're testing which we will submit
> upstream to fix this.
>
> Scott K


There is this: https://github.com/Cisco-Talos/clamav/issues/759 which is
perhaps the same failure you are seeing?  A patch would be appreciated.





[clamav-users] clamscan on truncated file reports infection

2022-12-01 Thread Orion Poplawski via clamav-users
Our filtering proxy is hitting on the following URL:

https://ardownload2.adobe.com/pub/adobe/reader/win/AcrobatDC/2200320263/AcroRdrDCUpd2200320263_MUI.msp
   *INFECTED* * *DENIED* Virus or bad content detected.
Win.Ransomware.Razy-9978545-0

The strange thing is, if I run clamscan on the full file, it reports OK.  But
if I scan on a truncated version (say just the first 16MB) it reports as
infected.  Although I guess this is a result of it being larger than the
maximum file scan size.

I've reported the FP to the clamav.net website.

clamav-0.103.7-1.el7.x86_64




Re: [clamav-users] ClamAV on RHEL9 with FIPS enabled

2022-10-26 Thread Orion Poplawski via clamav-users
On 10/24/22 11:03, Hoevenaar, Jeffrey (GE Aerospace, US) via clamav-users wrote:
> Hello,
>
> It would appear ClamAV will not run on RHEL9 with FIPS enabled.
>
> Has anyone else seen this issue?


Known issue: https://github.com/Cisco-Talos/clamav/issues/564

which it seems you have already found.



[clamav-users] How often can I run cvdupdate?

2022-05-25 Thread Orion Poplawski via clamav-users
We're starting to run clamav on more local hosts and were starting to 
see rate limiting messages.  So I've setup a local private mirror with 
cvdupdate in each of our offices.  However now I'm starting to see 
warnings like:


Received signal: wake up
ClamAV update process started at Wed May 25 07:26:29 2022
daily database available for update (local version: 26551, remote 
version: 26552)

WARNING: downloadFile: file not found: https://MIRROR/daily-26552.cdiff
WARNING: downloadPatch: Can't download daily-26552.cdiff from 
https://MIRROR/daily-26552.cdiff

WARNING: downloadFile: file not found: https://MIRROR/daily-26552.cdiff
WARNING: downloadPatch: Can't download daily-26552.cdiff from 
https://MIRROR/daily-26552.cdiff

WARNING: downloadFile: file not found: https://MIRROR/daily-26552.cdiff
WARNING: downloadPatch: Can't download daily-26552.cdiff from 
https://MIRROR/daily-26552.cdiff
The database server doesn't have the latest patch for the daily database 
(version 26552). The server will likely have updated if you check again 
in a few hours.
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 
90, builder: sigmgr)
bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 
63, builder: awillia2)


which then get reported by logwatch.

The mirror updated a bit later:

2022-05-25 08:15:21 AM - INFO:  Downloaded daily-26552.cdiff
2022-05-25 08:16:22 AM - INFO:  Downloaded daily.cvd. Version: 26552

I'm running cvdupdate at the recommended 4 hour interval.  Can I run it 
more often?  Although I suppose there always may be an interval between 
when a client might see the new version and the mirror downloads it, so 
I may just have to exclude these types of warnings from logwatch.


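The warnings in the post above are the expected symptom of a client learning about a new daily version before the private mirror has fetched the matching cdiff. The following is an added example (not from the post or from ClamAV) of how to tell that case apart from a genuine download problem before the lines reach logwatch: the sample log is the freshclam output quoted above, with two constructed lines for an unannounced `main-63.cdiff` appended so that one unexplained failure is present. The regexes and the `unexplained_warnings` helper are my own, not part of freshclam or logwatch.

```python
import re

# freshclam output taken from the post above (MIRROR stands for the private
# cvdupdate mirror), followed by two constructed warning lines for a patch
# that no "available for update" line announced, so they are NOT explained
# by mirror lag and must still be reported.
SAMPLE_LOG = """\
Received signal: wake up
ClamAV update process started at Wed May 25 07:26:29 2022
daily database available for update (local version: 26551, remote version: 26552)
WARNING: downloadFile: file not found: https://MIRROR/daily-26552.cdiff
WARNING: downloadPatch: Can't download daily-26552.cdiff from https://MIRROR/daily-26552.cdiff
WARNING: downloadFile: file not found: https://MIRROR/daily-26552.cdiff
WARNING: downloadPatch: Can't download daily-26552.cdiff from https://MIRROR/daily-26552.cdiff
The database server doesn't have the latest patch for the daily database (version 26552). The server will likely have updated if you check again in a few hours.
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
WARNING: downloadFile: file not found: https://MIRROR/main-63.cdiff
WARNING: downloadPatch: Can't download main-63.cdiff from https://MIRROR/main-63.cdiff
"""

AVAILABLE_RE = re.compile(
    r"^(\w+) database available for update \(local version: (\d+), remote version: (\d+)\)")
NOT_FOUND_RE = re.compile(r"^WARNING: downloadFile: file not found: \S*/(\w+)-(\d+)\.cdiff$")
CANT_DL_RE = re.compile(r"^WARNING: downloadPatch: Can't download (\w+)-(\d+)\.cdiff from ")
NO_PATCH_RE = re.compile(
    r"^The database server doesn't have the latest patch for the (\w+) database \(version (\d+)\)")


def pending_updates(lines):
    """Databases freshclam announced as behind: name -> (local, remote) version."""
    pending = {}
    for line in lines:
        m = AVAILABLE_RE.match(line)
        if m:
            pending[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return pending


def is_mirror_lag(line, pending):
    """True when the line complains about exactly the patch that would take an
    announced database from its local to its remote version, i.e. the mirror
    simply has not fetched that cdiff yet."""
    for rx in (NOT_FOUND_RE, CANT_DL_RE, NO_PATCH_RE):
        m = rx.match(line)
        if m:
            db, version = m.group(1), int(m.group(2))
            return db in pending and version == pending[db][1]
    return False


def unexplained_warnings(text):
    """Warnings worth showing in logwatch: every noisy line that mirror lag
    does not account for."""
    lines = text.splitlines()
    pending = pending_updates(lines)
    return [
        line for line in lines
        if (line.startswith("WARNING:") or NO_PATCH_RE.match(line))
        and not is_mirror_lag(line, pending)
    ]


if __name__ == "__main__":
    # Only the constructed main-63.cdiff lines survive the filter.
    for line in unexplained_warnings(SAMPLE_LOG):
        print(line)
```

The filter keys on the "available for update" line because that is the only place freshclam states which version the client expects; a missing cdiff for any other version is not mirror lag and stays visible.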


[clamav-users] DNS server out of date

2022-05-25 Thread Orion Poplawski via clamav-users

# dig +short @ns1e.clamav.net. current.cvd.clamav.net. txt
"0.103.6:62:26552:1653485340:1:90:49192:333"

No response from:
# dig +short @ns2a.clamav.net. current.cvd.clamav.net. txt

Out of date:
# dig +short @ns4a.clamav.net. current.cvd.clamav.net. txt
"0.103.6:62:26546:1652981340:1:90:49192:333"

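The `dig` output above is the `current.cvd.clamav.net` TXT record that freshclam consults before deciding whether to update, so a stale or silent nameserver is worth monitoring in its own right. The following is an added example (not from the post or from ClamAV) that parses that record and compares several servers' answers; the replies are constructed to match the three queries shown above, with an empty string standing in for the server that did not answer. The field positions used for the ClamAV version, main, daily, timestamp, f-level and bytecode values were cross-checked against the freshclam output in the cvdupdate post (main 62, daily 26552, f-level 90, bytecode 333); the two remaining fields are carried along unparsed. `query_with_dig`, `assess_servers` and `record_age_seconds` are my own helpers.

```python
import subprocess
import time

# Constructed sample replies, matching the `dig +short ... txt` output shown
# above; an empty string models a server that did not answer.
SAMPLE_REPLIES = {
    "ns1e.clamav.net": '"0.103.6:62:26552:1653485340:1:90:49192:333"',
    "ns2a.clamav.net": "",
    "ns4a.clamav.net": '"0.103.6:62:26546:1652981340:1:90:49192:333"',
}

# Field positions this example relies on (cross-checked against the freshclam
# log quoted in the cvdupdate post). Fields 4 and 6 are kept raw, unparsed.
FIELD_CLAMAV_VERSION, FIELD_MAIN, FIELD_DAILY, FIELD_TIMESTAMP = 0, 1, 2, 3
FIELD_FLEVEL, FIELD_BYTECODE = 5, 7


def query_with_dig(nameserver):
    """Run the same dig query as in the post (needs network access)."""
    proc = subprocess.run(
        ["dig", "+short", "@" + nameserver, "current.cvd.clamav.net.", "txt"],
        capture_output=True, text=True, timeout=10, check=False)
    return proc.stdout.strip()


def parse_txt_record(reply):
    """Split the TXT record into named fields; None when there was no reply."""
    raw = reply.strip().strip('"')
    if not raw:
        return None
    fields = raw.split(":")
    if len(fields) < 8:
        raise ValueError(f"unexpected TXT record: {reply!r}")
    return {
        "clamav_version": fields[FIELD_CLAMAV_VERSION],
        "main": int(fields[FIELD_MAIN]),
        "daily": int(fields[FIELD_DAILY]),
        "timestamp": int(fields[FIELD_TIMESTAMP]),
        "flevel": int(fields[FIELD_FLEVEL]),
        "bytecode": int(fields[FIELD_BYTECODE]),
        "raw": fields,
    }


def assess_servers(replies):
    """Label each server current, stale (behind the newest daily version seen
    among the answering servers) or unresponsive."""
    parsed = {ns: parse_txt_record(reply) for ns, reply in replies.items()}
    answering = [p for p in parsed.values() if p is not None]
    if not answering:
        return {ns: {"status": "no response"} for ns in parsed}
    newest_daily = max(p["daily"] for p in answering)
    newest_ts = max(p["timestamp"] for p in answering)
    verdicts = {}
    for ns, p in parsed.items():
        if p is None:
            verdicts[ns] = {"status": "no response"}
        elif p["daily"] < newest_daily:
            verdicts[ns] = {"status": "stale",
                            "daily_behind": newest_daily - p["daily"],
                            "seconds_behind": newest_ts - p["timestamp"]}
        else:
            verdicts[ns] = {"status": "current", "daily": p["daily"]}
    return verdicts


def record_age_seconds(record, now=None):
    """Age of the record's own timestamp; useful as a mirror health check."""
    now = int(time.time()) if now is None else now
    return now - record["timestamp"]


if __name__ == "__main__":
    # Offline run over the constructed replies; swap in query_with_dig() for live checks.
    for ns, verdict in assess_servers(SAMPLE_REPLIES).items():
        print(ns, verdict)
```

Comparing against the newest answer seen, rather than against the wall clock, keeps the check deterministic and avoids flagging every server as stale during the normal gap between a daily release and its DNS publication.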


Re: [clamav-users] Cannot ignore BC.Gif.Exploit.Agent-1425366.Agent

2021-07-21 Thread Orion Poplawski via clamav-users
Looks like "BC.Gif.Exploit-1425366" finally did the trick.  Thanks.  Is this
kind of thing documented anywhere?

On 7/21/21 12:33 PM, eric-l...@truenet.com wrote:
> Orion,
> 
> Did you keep .Agent at the end of the whitelist?
> It should just be BC.Gif.Exploit.Agent-1425366.
> 
> I scanned the tar balls at gnome.org and didn't find anything though, but 
> maybe you got it from somewhere else.
> 
> Sincerely,
> 
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
> 
> -Original Message-
> From: clamav-users  On Behalf Of Orion 
> Poplawski via clamav-users
> Sent: Wednesday, July 21, 2021 1:48 PM
> To: ClamAV users ML 
> Cc: Orion Poplawski 
> Subject: [clamav-users] Cannot ignore BC.Gif.Exploit.Agent-1425366.Agent
> 
> clamav is reporting BC.Gif.Exploit.Agent-1425366.Agent for a gif inside of the
> gdk-pixbuf2 tarball.  I've tried adding it to our local whitelist.ign2 file,
> but that doesn't appear to take effect.  Any way to ignore this definition?
> 
> Thanks,
>   Orion
> 
> --
> Orion Poplawski
> IT Systems Manager 720-772-5637
> NWRA, Boulder/CoRA Office FAX: 303-415-9702
> 3380 Mitchell Lane   or...@nwra.com
> Boulder, CO 80301 https://www.nwra.com/
> 
> 
> 




[clamav-users] Cannot ignore BC.Gif.Exploit.Agent-1425366.Agent

2021-07-21 Thread Orion Poplawski via clamav-users
clamav is reporting BC.Gif.Exploit.Agent-1425366.Agent for a gif inside of the
gdk-pixbuf2 tarball.  I've tried adding it to our local whitelist.ign2 file,
but that doesn't appear to take effect.  Any way to ignore this definition?

Thanks,
  Orion



Re: [clamav-users] Urlhaus.Malware.364328-9787819-0

2021-02-10 Thread Orion Poplawski

Lilia -

  Thanks for the update.  We are still seeing the following get blocked 
though:



Virus Urlhaus.Malware.364328-9787819-0:

https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.33.2-an+fx.xpi?filehash=sha256%3A5c3a5ef6f5b5475895053238026360020d6793b05541d20032ea9dd1c9cae451

This is with today's update.

Orion

On 2/8/21 10:39 AM, Lilia Gonzalez Medina wrote:
> Hi Orion,
>
> Apologies for taking too long to respond. After some tests I was able to
> reproduce the FPs and target type 3 LDB signatures for Urlhaus have been
> updated and published and should not alert on legitimate files anymore.
> Please update your ClamAV database and if you still have some issues
> please let me know.
>
> Best regards,
>
> Lilia Gonzalez
> Malware Research Team
> Cisco Talos
>
> On Tue, Jan 12, 2021 at 12:54 PM Orion Poplawski <mailto:or...@nwra.com> wrote:
>
> > Lilia -
> >
> >    Odd, I see it:
> >
> > # https_proxy= curl -o ublock_origin-1.32.4-an+fx.xpi 'https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc'
> > # clamscan ublock_origin-1.32.4-an+fx.xpi
> > ublock_origin-1.32.4-an+fx.xpi: Urlhaus.Malware.364328-9787819-0 FOUND
> >
> > # clamscan --version
> > ClamAV 0.103.0/26046/Mon Jan 11 05:34:14 2021
> >
> > # clamscan urlhaus-filter-online.txt
> > urlhaus-filter-online.txt: Urlhaus.Malware.364328-9787819-0 FOUND
> >
> > --- SCAN SUMMARY ---
> > Known viruses: 8799521
> > Engine version: 0.103.0
> > Scanned directories: 0
> > Scanned files: 1
> > Infected files: 1
> > Data scanned: 0.29 MB
> > Data read: 0.14 MB (ratio 2.11:1)
> > Time: 21.911 sec (0 m 21 s)
> > Start Date: 2021:01:12 10:37:52
> > End Date:   2021:01:12 10:38:14
> >
> > Other URLs:
> >
> >      Virus Urlhaus.Malware.364328-9787819-0:
> > https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt: 2 Time(s)
> > https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt: 2 Time(s)
> > https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/14db9cf6ad7bfff32779d68d12b869e6f7e8ec1a/urlhaus-filter-online.txt: 1 Time(s)
> > https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt: 1 Time(s)
> > https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt: 1 Time(s)
> > https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt: 1 Time(s)
> > https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/14db9cf6ad7bfff32779d68d12b869e6f7e8ec1a/urlhaus-filter-online.txt: 1 Time(s)
> > https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt: 1 Time(s)
> >
> > I've attached copies.
> >
> >    Orion
> >
> > On 1/8/21 9:18 PM, Lilia Gonzalez Medina wrote:
> > > Orion, I haven't been able to reproduce the FP with
> > > https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc.
> > >
> > > If you could send me the file that alerts with
> > > Urlhaus.Malware.364328-9787819-0 I could look into it.
> > >
> > > Best regards,
> > >
> > > Lilia Gonzalez
> > > Malware Research Team
> > > Cisco Talos
> > >
> > > On Thu, Jan 7, 2021 at 12:00 PM Orion Poplawski mailto:or...@nwra.com>

Re: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0

2021-01-07 Thread Orion Poplawski
Lilia -

  Virus database is updated daily and updated last night.  Still seeing one
this morning:

Virus Urlhaus.Malware.364328-9787819-0:

https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc:
1 Time(s)

Though that is a different signature.

Orion

On 1/7/21 7:56 AM, Lilia Gonzalez Medina wrote:
> Hi Orion!
> 
> Those NBD signatures were updated at the beginning of the week and should not
> FP anymore. Please update your ClamAV db and let us know if the issue 
> persists.
> 
> Best regards,
> 
> Lilia Gonzalez
>  Malware Research Team
>  Cisco Talos
> 
> 
> On Wed, Jan 6, 2021 at 4:59 PM Orion Poplawski  <mailto:or...@nwra.com>> wrote:
> 
> Lilia -
> 
>   Thanks for the response.   We're seeing some others getting triggered as
> well:
> 
>     Virus Urlhaus.Malware.490516-9766015-0:
>    10.21.2.5 https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt: 2 Time(s)
>    10.21.2.5 https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt: 2 Time(s)
>    10.21.2.5 https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt: 1 Time(s)
>    10.21.2.5 https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt: 1 Time(s)
>    10.21.2.5 https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/10be1f3fc35ff760fb57a10ab7a4ba7feed5d037/urlhaus-filter-online.txt: 1 Time(s)
>
>     Virus Urlhaus.Malware.161756-8797115-0:
>        10.10.20.7 https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)
>        10.11.1.3 https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)
> 
> 
> Orion
> 
> On 1/4/21 8:43 AM, Lilia Gonzalez Medina wrote:
> > Hi Orion!
> >
> > Thank you for reporting this. URLhaus is a partner that generates a 
> list of
> > ClamAV signatures to target malicious URLs. Signature
> > Urlhaus.Malware.452652-9766253-0 looks for a malicious URL inside HTML
> > files, which is why it is alerting on the URLs you mentioned. We found 
> these
> > FPs some weeks ago and added an extra check on new ClamAV signatures to
> > prevent them from alerting on legitimate URLhaus content. We are 
> currently
> > updating older ClamAV signatures to ensure they don't FP on 
> non-malicious
> > HTML files.
> >
> > Best regards,
> >
> > Lilia Gonzalez
> > Malware Research Team
> > Cisco Talos
> >
> > On Wed, Dec 23, 2020 at 1:11 PM Orion Poplawski <mailto:or...@nwra.com> wrote:
> >
> >     Can anyone give me some details about the Urlhaus.Malware.452652-9766253-0
> >     signature?  We're seeing following URLs trigger it:
> >
> >     https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
> >     https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
> >     <https:
Re: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0

2021-01-06 Thread Orion Poplawski
Lilia -

  Thanks for the response.   We're seeing some others getting triggered as well:

    Virus Urlhaus.Malware.490516-9766015-0:
   10.21.2.5 https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt: 2 Time(s)
   10.21.2.5 https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt: 2 Time(s)
   10.21.2.5 https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt: 1 Time(s)
   10.21.2.5 https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt: 1 Time(s)
   10.21.2.5 https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/10be1f3fc35ff760fb57a10ab7a4ba7feed5d037/urlhaus-filter-online.txt: 1 Time(s)

    Virus Urlhaus.Malware.161756-8797115-0:
   10.10.20.7 https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)
   10.11.1.3 https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)


Orion

On 1/4/21 8:43 AM, Lilia Gonzalez Medina wrote:
> Hi Orion!
>
> Thank you for reporting this. URLhaus is a partner that generates a list of
> ClamAV signatures to target malicious URLs. Signature
> Urlhaus.Malware.452652-9766253-0 looks for a malicious URL inside HTML
> files, which is why it is alerting on the URLs you mentioned. We found these
> FPs some weeks ago and added an extra check on new ClamAV signatures to
> prevent them from alerting on legitimate URLhaus content. We are currently
> updating older ClamAV signatures to ensure they don't FP on non-malicious
> HTML files.
>
> Best regards,
>
> Lilia Gonzalez
> Malware Research Team
> Cisco Talos
>
> On Wed, Dec 23, 2020 at 1:11 PM Orion Poplawski <mailto:or...@nwra.com> wrote:
>
> Can anyone give me some details about the Urlhaus.Malware.452652-9766253-0
> signature?  We're seeing following URLs trigger it:
>
> https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
> https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
> https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/c499fcbe5e95f61bbe889f4e3a19d5d2e877e120/urlhaus-filter-online.txt
> https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
> https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt
>
> Which seems to be the online update URLs for the urlhaus filter.  Does
> ClamAV
> deem urlhaus a bad actor?
>
> Thanks,
>   Orion
>
> -- 
> Orion Poplawski
> Manager of NWRA Technical Systems          720-772-5637
> NWRA, Boulder/CoRA Office             FAX: 303-415-9702
> 3380 Mitchell Lane                       or...@nwra.com
> <mailto:or...@nwra.com>
> Boulder, CO 80301                 https://www.nwra.com/
> <https://www.nwra.com/>
>




Re: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0

2020-12-30 Thread Orion Poplawski
So that is apparently a malicious site as determined by Urlhaus and is on
their filter list.  But how is it useful as a ClamAV signature?  You are not
going to be filtering URLs with ClamAV, right?  And now it's blocking these
emails because they contain this string.

Orion

On 12/23/20 11:26 AM, eric-l...@truenet.com wrote:
> Here's the signature decoded:
> # sigtool --find-sig Urlhaus.Malware.452652-9766253-0 | sigtool --decode-sig
> VIRUS NAME: Urlhaus.Malware.452652-9766253-0
> FUNCTIONALITY LEVEL: >=48
> TARGET TYPE: HTML
> OFFSET: *
> DECODED SIGNATURE:
> aboveandbelow.com.au/cgi-bin/http:/sites/b4q7eajmmm2moxgkq/
> 
> Sincerely,
> 
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
> 
> -Original Message-
> From: clamav-users  On Behalf Of
> Orion Poplawski
> Sent: Wednesday, December 23, 2020 1:11 PM
> To: ClamAV users ML 
> Subject: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0
> 
> Can anyone give me some details about the Urlhaus.Malware.452652-9766253-0
> signature?  We're seeing the following URLs trigger it:
> 
> https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
> https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
> https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/c499fcbe5e95f61bbe889f4e3a19d5d2e877e120/urlhaus-filter-online.txt
> https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
> https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt
> 
> These seem to be the online update URLs for the urlhaus filter.  Does
> ClamAV deem urlhaus a bad actor?
> 
> Thanks,
>   Orion
> 
> --
> Orion Poplawski
> Manager of NWRA Technical Systems  720-772-5637
> NWRA, Boulder/CoRA Office FAX: 303-415-9702
> 3380 Mitchell Lane   or...@nwra.com
> Boulder, CO 80301 https://www.nwra.com/
> 


-- 
Orion Poplawski
Manager of NWRA Technical Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/





[clamav-users] Question about Urlhaus.Malware.452652-9766253-0

2020-12-23 Thread Orion Poplawski
Can anyone give me some details about the Urlhaus.Malware.452652-9766253-0
signature?  We're seeing the following URLs trigger it:

https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/c499fcbe5e95f61bbe889f4e3a19d5d2e877e120/urlhaus-filter-online.txt
https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt

Which seems to be the online update URLs for the urlhaus filter.  Does ClamAV
deem urlhaus a bad actor?

Thanks,
  Orion

-- 
Orion Poplawski
Manager of NWRA Technical Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/



Re: [clamav-users] /etc/clam.d/scan.conf

2020-10-16 Thread Orion Poplawski

On 10/2/20 12:47 AM, Micah Snyder (micasnyd) via clamav-users wrote:
> On Wed, 30 Sep 2020 5:12 AM, G.W. Haywood via clamav-users wrote:
>> On Wed, 30 Sep 2020, Carlos André via clamav-users wrote:
>>> Maybe I missed some configuration in /etc/clamd.d/scan.conf that
>>> enables that information.
>>
>> I've never personally seen a file called 'scan.conf' on any system with ClamAV
>> installed on it.  You don't get one if you install from the source as
>> distributed by Cisco/Talos on the ClamAV Website, so I know that you must have
>> installed from some distribution's package or other.  Perhaps you can tell us
>> a little more about your system and about how you obtained ClamAV, and -
>> perhaps more importantly - why.
>
> I think "/etc/clamd.d/scan.conf" is Fedora's equivalent of clamd.conf. It's
> obnoxious that they've gone and renamed it, but it should function the same.


It is the equivalent.  One of the original maintainers of clamav on 
Fedora was a strong believer in over-engineered designs.  That said - it 
does give you the flexibility of fairly easily running multiple 
instances of clamd on a system with different configurations.


I've thought about dropping it, but I think the Fedora and EPEL users 
are pretty used to it at this point.


--
Orion Poplawski
Manager of NWRA Technical Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/





Re: [clamav-users] ClamAV® blog: ClamAV 0.103.0 released!

2020-09-17 Thread Orion Poplawski

On 9/15/20 12:22 PM, Arjen de Korte via clamav-users wrote:
> ClamAV 0.103.0 builds (and runs) fine most of the time, but I do see
> (infrequent) failing checks on the build servers for openSUSE. This
> could be a race condition in the tests and might depend on the number of
> cores or CPU of the buildserver it runs on.
>
> One thing that does concern me slightly, is the number of -Wformat
> warning in the tests, for example
>
> [  166s] In file included from check_clamav.c:11:
> [  166s] check_clamav.c: In function 'diff_file_mem':
> [  166s] check_clamav.c:1267:26: warning: format '%d' expects argument of type 'int', but argument 5 has type 'size_t' {aka 'long unsigned int'} [-Wformat=]
> [  166s]  1267 | ck_assert_msg(!!buf, "unable to malloc buffer: %d", len);
> [  166s]       |                      ^                              ~~~
> [  166s]       |                                                     |
> [  166s]       |                                                     size_t {aka long unsigned int}
> [  166s] check_clamav.c:1267:53: note: format string is defined here
> [  166s]  1267 | ck_assert_msg(!!buf, "unable to malloc buffer: %d", len);
> [  166s]       |                                                ~^
> [  166s]       |                                                 |
> [  166s]       |                                                 int
> [  166s]       |                                                %ld
>
> There are many more which could potentially be an issue.


The Fedora build fails because we build with -Werror=format-security:

gcc -DHAVE_CONFIG_H -I. -I.. -I../libclammspack  -I.. -I../libclamav 
-I../libclamav -I../libclamunrar_iface -pthread   -I/usr/include/json-c 
 -DSRCDIR=\"/home/orion/fedora/clamav/clamav-0.103.0/unit_tests\" 
-DOBJDIR=\"/home/orion/fedora/clamav/clamav-0.103.0/unit_tests\" 
-I/usr/include/libprelude  -I/usr/include/libxml2 -O2 -flto=auto 
-ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall 
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 
-Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 
-fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 
-m64 -mtune=generic -fasynchronous-unwind-tables 
-fstack-clash-protection  -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE 
-D_FILE_OFFSET_BITS=64 -c -o check_clamav-check_jsnorm.o `test -f 
'check_jsnorm.c' || echo './'`check_jsnorm.c

In file included from check_jsnorm.c:32:
check_jsnorm.c: In function 'tokenizer_test':
check_jsnorm.c:250:57: error: format not a string literal and no format 
arguments [-Werror=format-security]

  250 | ck_assert_msg("failed to open output file: %s", filename);
  | ^~~~


In this case it appears that the ck_assert_msg() call is missing the 
condition check.  I've filed 
https://github.com/Cisco-Talos/clamav-devel/pull/138 with I think the 
proper fix.


Orion

--
Orion Poplawski
Manager of NWRA Technical Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/
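The defect in the build log above, a ck_assert_msg() call that lost its condition so the message became the condition and the filename became the format string, is easy to catch before -Werror=format-security does. The following is an added example, not code from the ClamAV project or from this message: a shell lint that flags ck_assert_msg() calls whose first argument is a string literal. The source it scans is constructed here; the file name check_jsnorm.c is used only as a label.

```shell
# find_missing_cond [label]
# Reads C source on stdin and prints "label:line:text" for every
# ck_assert_msg() call whose first argument is a string literal, i.e. a call
# that dropped its condition.  Such a call still compiles (the message is
# taken as the condition), but the *next* argument then becomes the format
# string, which is exactly what gcc rejects under -Werror=format-security.
find_missing_cond() {
    label="${1:-stdin}"
    # Only single-line calls are caught; a call whose literal starts on the
    # following line would need a multi-line-aware parser.
    grep -nE 'ck_assert_msg[[:space:]]*\([[:space:]]*"' | sed "s|^|$label:|"
}

# count_missing_cond [label]  ->  number of offending calls (0 when clean),
# convenient for failing a CI job on a non-zero result.
count_missing_cond() {
    find_missing_cond "$@" | wc -l | tr -d ' '
}

# Constructed sample input: one correct call, the defective shape from the
# build log above, and a correct call split across two lines.
sample_source() {
    cat <<'EOF'
    ck_assert_msg(!!buf, "unable to malloc buffer: %zu", len);
    ck_assert_msg("failed to open output file: %s", filename);
    ck_assert_msg(fd >= 0,
                  "failed to open output file: %s", filename);
EOF
}

# Typical use across a source tree:  cat unit_tests/*.c | count_missing_cond
sample_source | find_missing_cond check_jsnorm.c
```

Run as shown it reports only the second line of the sample. The same grep, with the `ck_assert_msg` name swapped, works for any assertion macro of the form macro(cond, fmt, ...).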





Re: [clamav-users] ClamAV - What does the “clamd@scan” service do by default?

2020-01-26 Thread Orion Poplawski
  danger, and my advice would be to rebuild it from scratch.

-- 


73,
Ged.




-- 
Eduardo Lúcio
LightBase Consultoria em Software Público
eduardo.lu...@lightbase.com.br
+55-61-3347-1949 - http://brlight.org - Brasil-DF
Free software! Embrace this idea!
"Those who deny freedom to others deserve it not for themselves."
Abraham Lincoln






--
Orion Poplawski
Manager of NWRA Technical Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/





Re: [clamav-users] ClamAV - What does the “clamd@scan” service do by default?

2020-01-25 Thread Orion Poplawski

On 1/25/20 5:34 PM, Eduardo Lúcio Amorim Costa via clamav-users wrote:
> I have been researching ClamAV to understand what the "clamd@scan"
> service does by default in case of finding threats. So far I have not
> been able to get a satisfactory and clear answer (forums,
> documentations, etc)...
>
> *QUESTION:* What does the "clamav@scan" service do by default if it
> finds threats?

The clamd@scan service runs clamd with the configuration file 
/etc/clamd.d/scan.conf.  See that file for details.

> *FURTHER QUESTION:* I would like ClamAV to have the "classic" behavior
> of an antivirus engine, that is, remove threats automatically. If it
> doesn't do this by default, what should I do to make it do so?

Consult "man clamd.conf" and the comments in /etc/clamd.d/scan.conf for 
your options.



--
Orion Poplawski
Manager of NWRA Technical Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/
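As an added example (not from the Fedora package or from this reply), here is one way to get the "remove it" behaviour the question asks for, using the VirusEvent hook that man clamd.conf documents. clamd on its own only reports a detection; a VirusEvent command is run for each one. This hook quarantines the file instead of deleting it, so a false positive (the urlhaus-filter hits elsewhere in this archive are a good reminder that they happen) can be restored. It assumes the CLAM_VIRUSEVENT_FILENAME and CLAM_VIRUSEVENT_VIRUSNAME environment variables described in clamd.conf; the install path and quarantine directory are my own choices.

```shell
#!/bin/sh
# Added example: a VirusEvent hook for clamd that quarantines rather than
# deletes.  Assumed install path: /usr/local/sbin/clam-quarantine.sh, wired in
# with
#   VirusEvent /usr/local/sbin/clam-quarantine.sh
# in /etc/clamd.d/scan.conf.  clamd passes the file and signature name in
# CLAM_VIRUSEVENT_FILENAME / CLAM_VIRUSEVENT_VIRUSNAME (see man clamd.conf).

# Quarantine location; assumed path, override via the environment.
QUARANTINE_DIR="${QUARANTINE_DIR:-/var/lib/clamav/quarantine}"

# quarantine_file <path> <signature-name> [quarantine-dir]
# Moves <path> into the quarantine directory under a unique name, tightens
# its permissions, and appends a log line so the file can be restored if the
# detection turns out to be wrong.  Prints the new path; returns 1 on failure
# (including when the file is already gone).
quarantine_file() {
    src="$1"; sig="$2"; qdir="${3:-$QUARANTINE_DIR}"
    [ -n "$src" ] && [ -f "$src" ] || return 1
    mkdir -p "$qdir" && chmod 0700 "$qdir" || return 1
    # Unique, non-colliding name: timestamp, hook PID, original basename.
    dest="$qdir/$(date +%Y%m%dT%H%M%S)-$$-$(basename -- "$src")"
    mv -- "$src" "$dest" || return 1
    chmod 0600 "$dest"          # not executable, not readable by other users
    printf '%s\t%s\t%s\t%s\n' "$(date +%FT%T)" "$sig" "$src" "$dest" \
        >> "$qdir/quarantine.log"
    printf '%s\n' "$dest"
}

# Entry point when clamd runs the hook: no arguments, only the environment.
if [ -n "${CLAM_VIRUSEVENT_FILENAME:-}" ]; then
    quarantine_file "$CLAM_VIRUSEVENT_FILENAME" "${CLAM_VIRUSEVENT_VIRUSNAME:-unknown}"
fi
```

The hook runs as the clamd user, so it can only move files that user may read and that live in directories it may write; files it cannot move are left where they are and still logged by clamd as usual. For one-off scans, clamdscan's --move=DIR (or --remove) does the same job per invocation without a hook.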





Re: [clamav-users] EPEL Centos8 clamav maintainer

2019-12-21 Thread Orion Poplawski

On 12/20/19 9:17 AM, Chris Conn wrote:
> Hello,
>
> Is there anyone who knows how I can contact the EPEL clamav maintainer
> for CentOS 8?  Strangely there seems to be some missing systemd files
> and the package dependencies do not work the same as in Centos7, so I
> don't know if this is by design or some sort of bug.  In any case,
> there seems to be no way to start the daemon via systemd.  Maybe I am
> doing something fundamentally wrong, but under Centos7 it is clearly
> more intuitive.
>
> Thanks in advance,
>
> Chris

https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL

But it should be the same as before:

systemctl start clamd@scan


--
Orion Poplawski
Manager of NWRA Technical Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/





Re: [clamav-users] SelfCheck: Database modification detected. Forcing reload.

2019-11-13 Thread Orion Poplawski
freshclam-sleep is Fedora's method of automatically updating the 
signatures.  If you want to update it your way, feel free to disable it.


BTW - you don't need to shut down clamd to update the signatures.

On 11/13/19 7:17 PM, Cliff Hayes via clamav-users wrote:
> I have more information.
> Turns out there is a cron job I was unaware of.
> freshclam-sleep is running every 3 hours.
> Apparently, freshclam-sleep does something that freshclam doesn't and
> causes a database update.
>
> Do I need to run freshclam and freshclam-sleep?
> Can I turn off the freshclam-sleep cron job or should I use
> freshclam-sleep instead of freshclam in my daily 3am maintenance script?
>
> On 11/13/2019 7:24 PM, Cliff Hayes via clamav-users wrote:
>> Hello clamd mailing list,
>>
>> I recently installed clamav version 0.101.4-1.fc30 on Fedora 30.
>> A new situation I have never seen has started.
>> Every day around 5am clamd causes a problem.
>> I traced it to this in logs:
>>
>> SelfCheck: Database modification detected. Forcing reload.
>>
>> I have a daily cron job that runs around 3am that:
>> - shuts down clamd
>> - runs freshclam
>> - starts clamd
>>
>> I see several of these log entries after the above daily cron between
>> 3am and 5am:
>>
>> SelfCheck: Database status OK.
>>
>> So, since the Database is OK 99.9% of the time, why is it suddenly not
>> OK at 5am?
>>
>> There are no cron jobs scheduled for 5am.
>>
>> Thanks in advance




--
Orion Poplawski
Manager of NWRA Technical Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/





Re: [clamav-users] Use of clamav-daemon.socket? (0.102.0)

2019-11-13 Thread Orion Poplawski

On 11/9/19 2:46 AM, Frans de Boer wrote:
> LS,
>
> I use several machines and found that most of the time the use of the
> 'clamav-daemon.socket' file only leads to a startup failure of clamd.
> Why is this file there in the first place? I ask this because clamd is
> already creating the socket - that is, when the socket was not created
> earlier.
>
> In my current configurations, I just disabled the
> clamav-clamonacc.socket file without problem.
>
> So, what is its intended use?
>
> --- Frans.


In the abstract, systemd .socket units are intended to avoid startup 
load and/or consuming resources for services that do not run all the 
time.  They are generally only useful to services that start up quickly. 
I started looking at the possibility of shipping it with the Fedora 
package but decided that clamd does not meet these expectations.  It has 
a very long startup time and so systems almost always want it started 
immediately so that it can respond quickly when needed.  I would 
recommend just dropping it.


--
Orion Poplawski
Manager of NWRA Technical Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/





[clamav-users] Lots of Generic rule hits recently

2019-02-05 Thread Orion Poplawski
We are starting to see a bunch of these being flagged.  Anyone else 
seeing issues with these?


 *INFECTED*:

* Txt.Packed.Generic-6840866-0 :
   https://cdn.onesignal.com/sdks/OneSignalSDK.js: 92 Time(s)

* Txt.Trojan.Generic-6840302-0 :
   https://hangouts.google.com/_/scs/chat-static/_/js/k=chat.smh.en.Pu8_ikyrPm4.O/am=DA/rt=j/d=0/rs=AGNGyv2FSIx8mcoyNzukHwmnstRopshqqw/m=b: 155 Time(s)
   https://hangouts.google.com/_/scs/chat-static/_/js/k=chat.smh.en.ZL7Y8mnXONE.O/am=DA/rt=j/d=0/rs=AGNGyv0AhpaCmrTZe_SDBFjUBXZmXaBYEA/m=b: 120 Time(s)
   https://docs.google.com/static/drawings/client/js/2549037362-editor_ita.js: 1 Time(s)
   https://docs.google.com/static/presentation/client/js/2865291726-editor_js_prod_ita.js: 1 Time(s)
   https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.Qyhlf-E27OQ.O/m=gapi_iframes,googleapis_client,iframes_styles_slide_menu,plusone/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_77KcTN4WVhdQMqIfKBMTqlRW8yg/cb=gapi.loaded_0: 5 Time(s)
   https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.Qyhlf-E27OQ.O/m=gapi_iframes,gapi_iframes_style_common/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_77KcTN4WVhdQMqIfKBMTqlRW8yg/cb=gapi.loaded_0: 1 Time(s)

* Win.Trojan.Generic-6840770-0 :
   http://2.au.download.windowsupdate.com/c/msdownload/update/software/defu/2019/02/am_delta_680ce842d92a7839abe55fd13955eb08f21c9aaa.exe: 4 Time(s)



--
Orion Poplawski
Manager of NWRA Technical Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/


Re: [clamav-users] Problem with /usr/share/clamav/freshclam-sleep

2018-12-31 Thread Orion Poplawski

On 12/30/18 7:24 PM, Bill Maidment wrote:
> Hi
> I have just updated clamav to 0.101.0 from EPEL and I got the following error.
> Maybe this is a one-off. Anyone else seeing this? Or do I have a configuration
> issue?
> Cheers
> Bill
>
> -Original message-
>> From: (Cron Daemon)
>> Sent: Monday 31st December 2018 12:21
>> To: Bill Maidment
>> Subject: Cron root@giggs2 /usr/share/clamav/freshclam-sleep
>>
>> *** Error in `/usr/bin/freshclam': double free or corruption (fasttop): 0x55576db83f00 ***
>> === Backtrace: =
>> /lib64/libc.so.6(+0x81489)[0x7f2259390489]
>>
>> ...

We've had one other report of such a crash after updating to 0.101.0 - 
but the user hadn't seen it since.  If you can get a backtrace with 
debug info that might be helpful.



--
Orion Poplawski
Manager of NWRA Technical Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/


Re: [clamav-users] WARNING: Local version: 0.99.4 Recommended version: 0.100.0

2018-06-19 Thread Orion Poplawski
On 06/18/2018 08:17 PM, Jobst Schmalenbach wrote:
> Hi
> 
> Receiving the message: WARNING: Local version: 0.99.4 Recommended version: 
> 0.100.0
> 
...
> Listing epel shows:
> 
>   clamav-0.99.4-1.el6.i686.rpm                  2018-03-02 17:32  4.4M
>   clamav-0.99.4-1.el6.x86_64.rpm                2018-03-02 17:32  4.3M
>   clamav-db-0.99.4-1.el6.x86_64.rpm             2018-03-02 17:32  155M
>   clamav-devel-0.99.4-1.el6.i686.rpm            2018-03-02 17:32   23K
>   clamav-devel-0.99.4-1.el6.x86_64.rpm          2018-03-02 17:32   23K
>   clamav-milter-0.99.4-1.el6.x86_64.rpm         2018-03-02 17:32   90K
>   clamav-unofficial-sigs-3.7.1-7.el6.noarch.rpm 2014-08-08 21:57   39K
> 
> 
> How can I get this updated?

yum --enablerepo=epel-testing upgrade clam\*

I believe we're waiting for a bugfix to prevent crashes on some third-party
rules before pushing to stable.


-- 
Orion Poplawski
Manager of NWRA Technical Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/


Re: [clamav-users] ClamAV installation error ClamAV 0.100.0

2018-04-20 Thread Orion Poplawski
On 04/20/2018 08:48 AM, Robert Huth wrote:
> Hello,
> 
> 1. I am not able to install ClamAV 0.100.0. I have installed epel v7 with
> no issue. When i use the following command "yum install ClamAV" (File name)
> the installation starts and then list errors as it verifies the dependency.
> The errors seems to start after I receive the notification Finished
> Dependency Resolution.  It looks as if it is looking for a previous version
> of ClamAV.
> 
> Example:
> Error Package; ClamAV-lib-0.99.4- 4 el7.x86_64 (epel)
>  Requires: libpcre.so.1 () (64bit)
> 
> Error Package; ClamAV-0.99.4- 4 el7.x86_64 (epel)
>  Requires: system
> 
> Error Package; ClamAV-lib-0.99.4- 4 el7.x86_64 (epel
>  Requires: libpcre.so.6 (GLIBC_2.15) (64bit)
> 
> Error Package; ClamAV-0.99.4- 4 el7.x86_64 (epel
>  Requires: libpcre.so.6 (GLIBC_2.15) (64bit)
> 
> etc
> 
> 
> 2. The laptop will also not be allowed to connect to other networks or the
> internet once it is approved for processing information. This will be a
> standalone PC. Is there any solution such as a CD/DVD that can be used to
> download and transfer the definitions to the PC? If so, what is the process
> for getting updated definitions?
> 
> 
> System Configuration
> One standalone laptop
> Running Windows 10 (Host OS)
> VMWare Pro 14 with RHEL 6.9 install as the guest
> Clam AV version used is ClamAV 0.100.0

There are many things that don't make sense here.  You say you have a RHEL 6.9
install, but the package versions listed above are "el7" and you mention
"epel v7" - so that's inconsistent.  You would want epel 6 instead.  Also, in
Fedora EPEL, the clamav packages are named "clamav" not "ClamAV", so I don't
know what repo you've configured as "epel", but it does not appear to be
Fedora EPEL.  Finally, clamav is still 0.99.4-1 in Fedora EPEL.  Not sure when
it will be updated to 0.100.

As for definition updates, it would just be a matter of transferring the
definitions in /var/lib/clamav from an updated system to the standalone one.


-- 
Orion Poplawski
Manager of NWRA Technical Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/


Re: [clamav-users] Errors connecting to mirrors

2018-04-06 Thread Orion Poplawski
Shouldn't matter - the resolved dns name isn't going to affect the http
request.  So that seems like a server configuration error on that mirror.

On 04/05/2018 04:40 PM, Dennis Peterson wrote:
> Since db.us.clamav.net is a round robin resolving to db.us.big.clamav.net,
> another round robin, try the actual server hostname to dl a known file. The
> specific diff files come and go and may not be on a particular mirror server.
> The following worked for me - I send the output to /dev/null to save time.
> 
> curl --resolve db.us.big.clamav.net:80:72.21.91.8 http://db.us.big.clamav.net/bytecode.cvd 2>&1 >/dev/null
> 
> dp
> 
> 
> On 4/5/18 2:56 PM, Orion Poplawski wrote:
>> On 03/30/2018 09:48 AM, Orion Poplawski wrote:
>>> And still having persistent problems with 72.21.91.8 as reported here:
>>> https://bugzilla.clamav.net/show_bug.cgi?id=12068
>>>
>> And it is still not there:
>>
>> # curl --resolve db.us.clamav.net:80:72.21.91.8
>> http://db.us.clamav.net/daily-24447.cdiff
>> 
>> >   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;>
>> http://www.w3.org/1999/xhtml; xml:lang="en" lang="en">
>>  
>>  404 - Not Found
>>  
>>  
>>  404 - Not Found
>>  
>> 
>>
>> Nor any other db files...
>>
>> Feel like I'm shouting into the void with this
>>
>>
>> Here's a little test script:
>>
>> host db.us.clamav.net |
>> awk '/address/ { print $4 }' |
>> while read ip;
>> do echo Trying $ip;
>> curl --resolve db.us.clamav.net:80:$ip -w 'result=%{http_code}\n\n' -o
>> /dev/null http://db.us.clamav.net/daily-24447.cdiff;
>> done
>>
>> Output:
>>
>>
>> Trying 74.115.25.14
>>    % Total    % Received % Xferd  Average Speed   Time    Time Time 
>> Current
>>   Dload  Upload   Total   Spent    Left  
>> Speed
>>    0 0    0 0    0 0  0  0 --:--:--  0:02:07 --:--:--
>> 0result=000
>>
>> curl: (7) Failed connect to db.us.clamav.net:80; Connection timed out
>> Trying 200.236.31.1
>>    % Total    % Received % Xferd  Average Speed   Time    Time Time 
>> Current
>>   Dload  Upload   Total   Spent    Left  
>> Speed
>> 100 12309  100 12309    0 0  37220  0 --:--:-- --:--:-- --:--:-- 
>> 37300
>> result=200
>>
>> Trying 72.21.91.8
>>    % Total    % Received % Xferd  Average Speed   Time    Time Time 
>> Current
>>   Dload  Upload   Total   Spent    Left  
>> Speed
>> 100   345  100   345    0 0   6873  0 --:--:-- --:--:-- --:--:--  
>> 6900
>> result=404
>>
>> Trying 146.112.59.53
>>    % Total    % Received % Xferd  Average Speed   Time    Time Time 
>> Current
>>   Dload  Upload   Total   Spent    Left  
>> Speed
>> 100 12309  100 12309    0 0  43418  0 --:--:-- --:--:-- --:--:-- 
>> 43494
>> result=200
>>
>> Trying 198.148.78.4
>>    % Total    % Received % Xferd  Average Speed   Time    Time Time 
>> Current
>>   Dload  Upload   Total   Spent    Left  
>> Speed
>> 100 12309  100 12309    0 0  91546  0 --:--:-- --:--:-- --:--:-- 
>> 91858
>> result=200
>>
>> Trying 150.214.142.197
>>    % Total    % Received % Xferd  Average Speed   Time    Time Time 
>> Current
>>   Dload  Upload   Total   Spent    Left  
>> Speed
>> 100 12309  100 12309    0 0  18416  0 --:--:-- --:--:-- --:--:-- 
>> 18399
>> result=200
>>
>> Trying 204.130.133.50
>>    % Total    % Received % Xferd  Average Speed   Time    Time Time 
>> Current
>>   Dload  Upload   Total   Spent    Left  
>> Speed
>> 100 12309  100 12309    0 0   230k  0 --:--:-- --:--:-- --:--:--  
>> 231k
>> result=200
>>
>> Trying 12.167.151.1
>>    % Total    % Received % Xferd  Average Speed   Time    Time Time 
>> Current
>>   Dload  Upload   Total   Spent    Left  
>> Speed
>> 100 12309  100 12309    0 0  88046  0 --:--:-- --:--:-- --:--:-- 
>> 88553
>> result=200
>>
>> Trying 155.98.64.87
>>    % Total    % Received % Xferd  Average Speed   Time    Time Time 
>> Current
>> 

Re: [clamav-users] Errors connecting to mirrors

2018-04-05 Thread Orion Poplawski
On 03/30/2018 09:48 AM, Orion Poplawski wrote:
> 
> And still having persistent problems with 72.21.91.8 as reported here:
> https://bugzilla.clamav.net/show_bug.cgi?id=12068
> 

And it is still not there:

# curl --resolve db.us.clamav.net:80:72.21.91.8 http://db.us.clamav.net/daily-24447.cdiff

http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;>
http://www.w3.org/1999/xhtml; xml:lang="en" lang="en">

404 - Not Found


404 - Not Found



Nor any other db files...

Feel like I'm shouting into the void with this


Here's a little test script:

host db.us.clamav.net |
awk '/address/ { print $4 }' |
while read ip;
do echo Trying $ip;
curl --resolve db.us.clamav.net:80:$ip -w 'result=%{http_code}\n\n' -o /dev/null http://db.us.clamav.net/daily-24447.cdiff;
done

Output:


Trying 74.115.25.14
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:02:07 --:--:--     0result=000

curl: (7) Failed connect to db.us.clamav.net:80; Connection timed out
Trying 200.236.31.1
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 12309  100 12309    0     0  37220      0 --:--:-- --:--:-- --:--:-- 37300
result=200

Trying 72.21.91.8
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   345  100   345    0     0   6873      0 --:--:-- --:--:-- --:--:--  6900
result=404

Trying 146.112.59.53
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 12309  100 12309    0     0  43418      0 --:--:-- --:--:-- --:--:-- 43494
result=200

Trying 198.148.78.4
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 12309  100 12309    0     0  91546      0 --:--:-- --:--:-- --:--:-- 91858
result=200

Trying 150.214.142.197
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 12309  100 12309    0     0  18416      0 --:--:-- --:--:-- --:--:-- 18399
result=200

Trying 204.130.133.50
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 12309  100 12309    0     0   230k      0 --:--:-- --:--:-- --:--:--  231k
result=200

Trying 12.167.151.1
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 12309  100 12309    0     0  88046      0 --:--:-- --:--:-- --:--:-- 88553
result=200

Trying 155.98.64.87
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 12309  100 12309    0     0  67394      0 --:--:-- --:--:-- --:--:-- 67262
result=200

Trying 12.167.151.2
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 12309  100 12309    0     0  85108      0 --:--:-- --:--:-- --:--:-- 85479
result=200

So looks like 74.115.25.14 is bad too.

-- 
Orion Poplawski
Manager of NWRA Technical Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/
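As an added example (not from this message), here is the same check restructured so that the network part and the verdict are separate functions: probe_mirrors resolves every A record and fetches the file from each address with curl's --resolve, keeping the Host header correct just as the script above does, and summarize_results turns the resulting "ip code" lines into a list of bad mirrors with a reason. Only summarize_results is exercised offline here, on lines constructed from the output above; db.us.clamav.net and daily-24447.cdiff are the host and file from this thread, and both are parameters.

```shell
# Added example: a mirror health check split into a resolver, a per-IP
# fetch, and an offline-testable verdict.

# mirror_ips <host>  ->  every IPv4 address the name resolves to, one per line.
# getent ships with glibc, so nothing beyond the C library is needed
# (the original script used `host`, which needs bind-utils).
mirror_ips() {
    getent ahostsv4 "$1" | awk '$2 == "STREAM" { print $1 }' | sort -u
}

# probe_mirrors <host> <path> [timeout-seconds]
# Fetch http://<host>/<path> from each address individually, pinning the
# connection with --resolve so the Host header still names the mirror, and
# print "<ip> <http_code>".  curl reports 000 when it never got a response.
probe_mirrors() {
    host="$1"; path="$2"; timeout="${3:-30}"
    mirror_ips "$host" | while read -r ip; do
        code=$(curl -s -o /dev/null --max-time "$timeout" \
                    --resolve "$host:80:$ip" -w '%{http_code}' \
                    "http://$host/$path" 2>/dev/null) || true
        printf '%s %s\n' "$ip" "${code:-000}"
    done
}

# summarize_results  (stdin: "<ip> <code>" lines)
# Print one line per address that did not answer 200, with a reason, so the
# result can go straight into a mirror bug report.  Exit status 1 if any
# mirror was bad, 0 if every mirror served the file.
summarize_results() {
    awk '
        BEGIN { bad = 0 }
        $2 == "200" { next }
        $2 == "000" { print $1 " unreachable (connect failed or timed out)"; bad = 1; next }
        $2 ~ /^4/   { print $1 " missing file (HTTP " $2 ")"; bad = 1; next }
                    { print $1 " unexpected HTTP " $2; bad = 1 }
        END { exit bad }
    '
}

# Typical run (needs network):
#   probe_mirrors db.us.clamav.net daily-24447.cdiff | summarize_results
```

Because each address is tried once per run, this also sidesteps the proxy DNS-cache problem discussed earlier in the thread: the verdict is per mirror, not per lookup.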


Re: [clamav-users] Errors connecting to mirrors

2018-03-30 Thread Orion Poplawski
It does not appear to be ignoring the TTL, but the TTL appears to be 60.
freshclam seems to wait for 5 seconds between attempts so the 3 attempts to
download will fall within the TTL of the DNS results.

Sample squidclient mgr:ipcache entry:

 Hostname                        Flg lstref    TTL  N(b)
 db.us.clamav.net                     5        55  9( 0)
   72.21.91.8-OK

I think this doesn't affect freshclam normally because it sends a DNS request
for each attempt, and the nameserver appears to rotate the names for each 
request.

Just to pass it on - balance_on_multiple_ip appears not to be functional in
squid anymore: https://bugs.squid-cache.org/show_bug.cgi?id=4691 and for a
fairly good reason I suppose, but does work against freshclam.

At this point I'd like to increase the 5 second delay between download
attempts (to allow the DNS cache to expire) but that appears to be hard coded.


And still having persistent problems with 72.21.91.8 as reported here:
https://bugzilla.clamav.net/show_bug.cgi?id=12068


On 03/28/2018 05:50 PM, Dennis Peterson wrote:
> If your proxy ignores the TTL for the mirrors then quite likely things will
> grind to a halt for you. All the mirrors are in round-robin dns pools.
> 
> dp
> 
> On 3/27/18 4:32 PM, Orion Poplawski wrote:
>> On 03/27/2018 05:21 PM, Al Varnell wrote:
>>> Using the same IP each time with failure will also cause mirrors.dat to
>>> temporarily block that IP's use for some period of time. That will require
>>> you to trash mirrors.dat and allow it to be rebuilt at the next check.
>>>
>>> -Al-
>> I don't think mirrors.dat comes into play here as the proxy is doing the dns
>> lookup, not freshclam.
>>
>>> On Tue, Mar 27, 2018 at 03:40 PM, Orion Poplawski wrote:
>>>> On 03/27/2018 03:13 PM, Orion Poplawski wrote:
>>>>> Thanks for the response.
>>>>>
>>>>> I ended up switching freshclam to use our proxy servers and increasing the
>>>>> ConnectTimeout to 60 seconds.  This has helped a bit, but I still get the
>>>>> occasional issue.  Latest was trying to get daily-24426.cdiff from
>>>>> 72.21.91.8
>>>>> around Tue Mar 27 13:31:14 2018 PDT.  These are annoying because they
>>>>> generate
>>>>> emails.
>>>> This was exacerbated by squid continuing to use the same IP address for the
>>>> connection each time freshclam retried the download.  I'm trying enabling
>>>> http://www.squid-cache.org/Doc/config/balance_on_multiple_ip/
>>>> <http://www.squid-cache.org/Doc/config/balance_on_multiple_ip/> to see if
>>>> that
>>>> helps.
>>>
>>>
>>>


-- 
Orion Poplawski
Manager of NWRA Technical Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/


Re: [clamav-users] Errors connecting to mirrors

2018-03-27 Thread Orion Poplawski
On 03/27/2018 05:21 PM, Al Varnell wrote:
> Using the same IP each time with failure will also cause mirrors.dat to 
> temporarily block that IP's use for some period of time. That will require 
> you to trash mirrors.dat and allow it to be rebuilt at the next check.
> 
> -Al-

I don't think mirrors.dat comes into play here as the proxy is doing the dns
lookup, not freshclam.

> 
> On Tue, Mar 27, 2018 at 03:40 PM, Orion Poplawski wrote:
>> On 03/27/2018 03:13 PM, Orion Poplawski wrote:
>>> Thanks for the response.
>>>
>>> I ended up switching freshclam to use our proxy servers and increasing the
>>> ConnectTimeout to 60 seconds.  This has helped a bit, but I still get the
>>> occasional issue.  Latest was trying to get daily-24426.cdiff from 
>>> 72.21.91.8
>>> around Tue Mar 27 13:31:14 2018 PDT.  These are annoying because they 
>>> generate
>>> emails.
>>
>> This was exacerbated by squid continuing to use the same IP address for the
>> connection each time freshclam retried the download.  I'm trying enabling
>> http://www.squid-cache.org/Doc/config/balance_on_multiple_ip/ 
>> <http://www.squid-cache.org/Doc/config/balance_on_multiple_ip/> to see if 
>> that
>> helps.
> 


-- 
Orion Poplawski
Manager of NWRA Technical Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/


Re: [clamav-users] Errors connecting to mirrors

2018-03-27 Thread Orion Poplawski
On 03/27/2018 03:13 PM, Orion Poplawski wrote:
> Thanks for the response.
> 
> I ended up switching freshclam to use our proxy servers and increasing the
> ConnectTimeout to 60 seconds.  This has helped a bit, but I still get the
> occasional issue.  Latest was trying to get daily-24426.cdiff from 72.21.91.8
> around Tue Mar 27 13:31:14 2018 PDT.  These are annoying because they generate
> emails.

This was exacerbated by squid continuing to use the same IP address for the
connection each time freshclam retried the download.  I'm trying enabling
http://www.squid-cache.org/Doc/config/balance_on_multiple_ip/ to see if that
helps.

-- 
Orion Poplawski
Manager of NWRA Technical Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/


Re: [clamav-users] Errors connecting to mirrors

2018-03-27 Thread Orion Poplawski
Thanks for the response.

I ended up switching freshclam to use our proxy servers and increasing the
ConnectTimeout to 60 seconds.  This has helped a bit, but I still get the
occasional issue.  Latest was trying to get daily-24426.cdiff from 72.21.91.8
around Tue Mar 27 13:31:14 2018 PDT.  These are annoying because they generate
emails.

Some other failures:

ClamAV update process started at Tue Mar 27 08:27:30 2018 PDT
nonblock_connect: connect timing out (60 secs)
Can't connect to port 80 of host db.us.clamav.net (IP: 74.115.25.14)
WARNING: getfile: daily-24425.cdiff not found on db.us.clamav.net (IP: 72.21.91.8)

ClamAV update process started at Mon Mar 26 23:27:29 2018 PDT
nonblock_connect: connect timing out (60 secs)
Can't connect to port 80 of host db.us.clamav.net (IP: 74.115.25.14)

So 72.21.91.8 and 74.115.25.14 seem to come up a bit.

Filed https://bugzilla.clamav.net/show_bug.cgi?id=12068

On 03/23/2018 10:23 AM, Thomas McCourt (tmccourt) wrote:
> If you are seeing mirror errors, enter a Bugzilla ticket.
> Please provide the mirror that is causing an issue, so I can investigate it.
> If it is your mirror that is having an issue, provide more information or 
> also create a ticket and specifically state it is a mirror YOU maintain and 
> what seems to be the issue-
> 
> Thank you,
> 
> Tom McCourt | Talos: Open Source Team | tmcco...@cisco.com
> 
> On 3/23/18, 11:47 AM, "clamav-users on behalf of Orion Poplawski" 
> <clamav-users-boun...@lists.clamav.net on behalf of or...@nwra.com> wrote:
> 
> It seems like in the last month or so I'm seeing more timeouts connecting to
> the clamav DB mirrors.  Is anyone else seeing this?  I have a bit of a strange
> mirror setup so it might just be my configuration.
> 
> Thanks.
> 
> -- 
> Orion Poplawski
> Manager of NWRA Technical Systems  720-772-5637
> NWRA, Boulder/CoRA Office FAX: 303-415-9702
> 3380 Mitchell Lane   or...@nwra.com
> Boulder, CO 80301 https://www.nwra.com/


-- 
Orion Poplawski
Manager of NWRA Technical Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/


[clamav-users] Errors connecting to mirrors

2018-03-23 Thread Orion Poplawski
It seems like in the last month or so I'm seeing more timeouts connecting to
the clamav DB mirrors.  Is anyone else seeing this?  I have a bit of a strange
mirror setup so it might just be my configuration.

Thanks.

-- 
Orion Poplawski
Manager of NWRA Technical Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/


Re: [clamav-users] Difference in ClamAV libs when installing from YUM repo & building from Source

2018-03-23 Thread Orion Poplawski
Yes, see https://src.fedoraproject.org/rpms/clamav/blob/master/f/clamav.spec#_73

See https://src.fedoraproject.org/rpms/clamav/blob/master/f/clamav.spec#_358
for the build recipe.

On 03/23/2018 05:21 AM, Ravi wrote:
>  Hi Reindl,
> 
> Does that mean rar libs are removed when posting to the repo? And also can
> some one share how the ClamAV source is built and posted to the repo?
> 
> Thanks
> Ravi
> 
> On Fri, Mar 23, 2018 at 3:57 PM, Reindl Harald <h.rei...@thelounge.net>
> wrote:
> 
>> because unrar is a forbidden item
>> https://fedoraproject.org/wiki/Licensing:Unrar?rd=Licensing/Unrar
>>
>>
>> Am 23.03.2018 um 10:30 schrieb Ravi:
>>
>>> When installing ClamAV from yum repo(yum install clamav), we see that that
>>> only 1 lib exist i.e libclamav.so in /usr/lib64. But when we build from
>>> ClamAV source we see 3 libs(libclamav.so,
>>> libclamunrar.so,libclamunrar_iface.so) in /usr/local/lib64.
>>> Why such a difference?
>>>
>>> Questions.
>>>
>>> 1. How do we just get only one lib when building from ClamAV Source?
>>> 2. When building from ClamAV source JIT support seems not enabled, how to
>>> get same since YUM repo installed ClamAV has JIT support present. Debug
>>> log
>>> as below
>>>   LibClamAV debug: bytecode: JIT disabled
>>>   LibClamAV debug: Cannot prepare for JIT, LLVM is not compiled or not linked
>>>
>>


-- 
Orion Poplawski
Manager of NWRA Technical Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/


Re: [clamav-users] Source for virus definitions?

2018-02-01 Thread Orion Poplawski
Thanks for that.  Took me a bit to realize I had to unpack the .ppam file to
find the match.

I'm still curious to know why that file got marked as bad.  If there is a
specific cause for concern - or just that it is a 'suspicious' set of macros
as olevba shows:

| Suspicious | Kill  | May delete a file
| Suspicious | Chr   | May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
| Suspicious | Open  | May open a file
| Suspicious | shell | May run an executable file or a system command



On 01/30/2018 05:17 PM, Al Varnell wrote:
> It's an MD5 hash/file size match:
> 
> sigtool -f Doc.Dropper.Agent-6384732-0
> [daily.hsb] cb501b0f7d2a700c06ec6733c71558bf:772096:Doc.Dropper.Agent-6384732-0:73
> 
> -Al-
> ClamXAV User
> 
> On Tue, Jan 30, 2018 at 08:50 AM, Orion Poplawski wrote:
>> How can I determine what exactly is triggering a match?
>>
>> $ clamscan IguanaTex_v1_55.ppam
>> IguanaTex_v1_55.ppam: Doc.Dropper.Agent-6384732-0 FOUND
>>
>> I'd like to know what exactly was matched, but I'm not being able to find
>> where the source for the virus definitions are.


-- 
Orion Poplawski
Manager of NWRA Technical Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/
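
How the match Al identified is actually decided, as an added Python example that is not ClamAV's own code: a `.hsb` entry is `MD5:size:name[:minflevel]`, and it matches only an object whose whole-content MD5 and byte length both agree. The sample bytes and the `Doc.Dropper.Example-0` name below are constructed; the second signature line is the `daily.hsb` entry quoted in the reply above. Treating `*` as a size wildcard follows the ClamAV signature documentation for hash signatures.

```python
import hashlib


def hsb_line(data, name, min_flevel=73):
    """Emit a .hsb entry (MD5:size:name:minflevel) for the given bytes.

    Same shape as the daily.hsb line sigtool -f printed in the reply above.
    """
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}:{min_flevel}"


def parse_hsb(text):
    """Parse .hsb text into {(md5, size): name}.

    A size of '*' (any size) is stored under (md5, None). Comments and blank
    lines are skipped; the optional trailing min-flevel field is ignored here.
    """
    sigs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError(f"malformed hsb line: {raw!r}")
        digest, size, name = fields[0].lower(), fields[1], fields[2]
        sigs[(digest, None if size == "*" else int(size))] = name
    return sigs


def match_hsb(data, sigs):
    """Return the matching signature name for data, or None.

    Decides the way a hash signature does: whole-object MD5 plus exact size.
    A scanner applies this to each object it extracts from a container (the
    .ppam above), since the hash covers one object, not the archive around it.
    """
    digest = hashlib.md5(data).hexdigest()
    return sigs.get((digest, len(data))) or sigs.get((digest, None))


# Constructed sample: not malware, just bytes to hash.
SAMPLE = b'Attribute VB_Name = "Module1"\r\nSub AutoOpen()\r\n  Shell "cmd"\r\nEnd Sub\r\n'
SIG_TEXT = "\n".join([
    "# constructed local signatures",
    hsb_line(SAMPLE, "Doc.Dropper.Example-0"),
    "cb501b0f7d2a700c06ec6733c71558bf:772096:Doc.Dropper.Agent-6384732-0:73",
])


if __name__ == "__main__":
    sigs = parse_hsb(SIG_TEXT)
    print(match_hsb(SAMPLE, sigs))            # the constructed name
    print(match_hsb(SAMPLE + b"\n", sigs))    # None: one appended byte defeats a hash signature
```

Because the hash covers one extracted object, clamscan applies it to each member it unpacks from a container, which is why the match inside the .ppam only became visible after unpacking. The flip side is what the `SAMPLE + b"\n"` case shows: a hash signature records nothing about why the object is bad, and any one-byte change to the file evades it, so the olevba heuristics in the message above are the only available clue to what the macro does.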


[clamav-users] Source for virus definitions?

2018-01-30 Thread Orion Poplawski
How can I determine what exactly is triggering a match?

$ clamscan IguanaTex_v1_55.ppam
IguanaTex_v1_55.ppam: Doc.Dropper.Agent-6384732-0 FOUND

I'd like to know what exactly was matched, but I'm not being able to find
where the source for the virus definitions are.

-- 
Orion Poplawski
Manager of NWRA Technical Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/


[clamav-users] Html.Exploit.CVE_2017_8747-6336227-0 false positives

2018-01-17 Thread Orion Poplawski
Html.Exploit.CVE_2017_8747-6336227-0 is triggering on the following content:

https://ow1.res.office365.com/owamail/20180105.04/scripts/owa.mail.js
https://display.ugc.bazaarvoice.com/static/BonTon/BTN/93/6060_4_0/en_US/stylesheets/screen.css
https://display.ugc.bazaarvoice.com/static/Lenovo/main_site/528/8923/en_US/stylesheets/screen.css


-- 
Orion Poplawski
Manager of NWRA Technical Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/


[Clamav-users] Strange syslog messages from clamav-milter

2004-04-06 Thread Orion Poplawski
I'm periodically seeing the following syslogd messages:

Apr  6 09:23:37 earth rvard.edu n_children = 1 Received: PORT 50143 
Connecting to local port 50143 clamfi_abort pthread_cond_broadcast 
n_children = 0 clamfi_close clamfi_connect: connection from 
pc-68-118-183-26.will.ct.charter.com [68.118.183.26] clamfi_envfrom: 
[EMAIL PROTECTED] n_children = 1 Received: PORT 30713 Connecting 
to local port 30713 clamfi_abort pthread_cond_broadcast n_children = 0 
clamfi_close clamfi_connect: connection from sprocket.Colorado.EDU 
[128.138.240.72] clamfi_envfrom: [EMAIL PROTECTED] 
n_children = 1 Received: PORT 1109 Connecting to local port 1109 
clamfi_envrcpt: [EMAIL PROTECTED]  clamfi_header clamfi_header 
clamfi_header clamfi_header clamfi_header clamfi_header clamfi_header 
clamfi_header clamfi_header clamfi_header clamfi_header clamfi_eoh 
clamfi_envbody: 112 bytes clamfi_eom clamfi_eom: read stream: OK 
pthread_cond_broadcast n_children = 0 clamfi_close clamfi_connect: 
connection from mxjab.ysource1.com [64.251.8.12] clamfi_envfrom: 
[EMAIL PROTECTED] n_chi

These were broadcast to all users like this:

Message from [EMAIL PROTECTED] at Mon Apr  5 02:06:31 2004 ...
wind [EMAIL PROTECTED] n_children = 1 clamfi_envfrom: 
[EMAIL PROTECTED] n_children = 1 clamfi_envfrom: 
[EMAIL PROTECTED] n_children = 1 clamfi_envfrom: 
[EMAIL PROTECTED] n_children = 2 clamfi_envfrom: 
[EMAIL PROTECTED] n_children = 1 clamfi_envfrom: 
[EMAIL PROTECTED] n_children = 1 
clamfi_envfrom: [EMAIL PROTECTED] n_children = 1 
clamfi_envfrom: [EMAIL PROTECTED] n_children = 1 clamfi_envfrom: 
[EMAIL PROTECTED] n_children = 1 clamfi_envfrom: [EMAIL PROTECTED] 
n_children = 1 clamfi_envfrom: [EMAIL PROTECTED] n_children = 1 
clamfi_envfrom: [EMAIL PROTECTED] n_children = 1 clamfi_envfrom: 
[EMAIL PROTECTED] n_children = 1 clamfi_envfrom: 
[EMAIL PROTECTED] n_children = 1 clamfi_envfrom: 
[EMAIL PROTECTED] n_children = 1 
clamfi_envfrom: [EMAIL PROTECTED] n_children = 1 
clamfi_envfrom: [EMAIL PROTECTED] n_children = 1 clamfi_envfrom: xsucc

until I commented out the following from syslogd.conf:

#*.emerg        *

This happens with versions 0.67 and above.  I think it may have started 
with 0.67, though I'm not sure.

Any help on stopping these would be greatly appreciated.

- Orion

--
Orion Poplawski
System Administrator   303-415-9701 x222
Colorado Research Associates/NWRA  FAX: 303-415-9702
3380 Mitchell Lane, Boulder CO 80301   http://www.co-ra.com
---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470alloc_id=3638op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


[Clamav-users] write failure to clamd

2004-04-02 Thread Orion Poplawski
I found a couple posts in the archive about the following messages 
appearing with 0.70-rc:

Mar 28 07:55:53 earth clamav-milter[953]: write failure to clamd
Mar 28 07:55:53 earth sendmail[18248]: i2SEqA0C018248: Milter: data, 
reject=451 4.7.1 Please try again later

I had the same problem, regardless of message size, and downgraded to 0.67.

Does 0.68 have the same issue?  Is there a fix in the works for 0.70?  I 
really like the encrypted archive support in 0.70 as we're seeing lots 
of those viruses, but I can't have it blocking legitimate email.

Thanks for the great software!

- Orion

--
Orion Poplawski
System Administrator   303-415-9701 x222
Colorado Research Associates/NWRA  FAX: 303-415-9702
3380 Mitchell Lane, Boulder CO 80301   http://www.co-ra.com


Re: [Clamav-users] write failure to clamd

2004-04-02 Thread Orion Poplawski
Todd Lyons wrote:
> On Fri, 2004-04-02 at 09:40, Orion Poplawski wrote:
> 
>> Mar 28 07:55:53 earth clamav-milter[953]: write failure to clamd
>> Mar 28 07:55:53 earth sendmail[18248]: i2SEqA0C018248: Milter: data, 
>> reject=451 4.7.1 Please try again later
>> I had the same problem, regardless of message size, and downgraded to 0.67.
> 
> That's a generic error message.  Did you do the obvious and try
> restarting clamd?

Sorry, forgot to mention: the system works fine in general.  This 
message only occurs with a few specific incoming emails.  Unfortunately, 
I don't have a copy of one yet.

--
Orion Poplawski
System Administrator   303-415-9701 x222
Colorado Research Associates/NWRA  FAX: 303-415-9702
3380 Mitchell Lane, Boulder CO 80301   http://www.co-ra.com


[Clamav-users] clamav-milter dies after database update.

2004-03-08 Thread Orion Poplawski
This doesn't happen all the time, but about once a week.  Running clamav 
0.67.

clamav/clamav-update.log.1:ClamAV update process started at Sat Mar  6 04:03:23 2004
clamav/clamd.log.2:Sat Mar  6 04:10:13 2004 - Reading databases from /var/lib/clamav
clamav/clamd.log.2:Sat Mar  6 04:10:13 2004 - Database correctly reloaded (20388 viruses)
clamav/clamd.log.2:Sat Mar  6 04:26:25 2004 - SelfCheck: Database status OK.
clamav/clamd.log.2:Sat Mar  6 04:40:33 2004 - Session 0 stopped due to timeout.
clamav/clamd.log.2:Sat Mar  6 04:40:34 2004 - Session 1 stopped due to timeout.
clamav/clamd.log.2:Sat Mar  6 04:40:35 2004 - Session 2 stopped due to timeout.
clamav/clamd.log.2:Sat Mar  6 04:40:36 2004 - Session 3 stopped due to timeout.
clamav/clamd.log.2:Sat Mar  6 04:40:37 2004 - Session 4 stopped due to timeout.
clamav/clamd.log.2:Sat Mar  6 04:40:38 2004 - Session 5 stopped due to timeout.

Mar  6 04:09:17 earth sendmail[23420]: i26B5Fkq023420: Milter (clmilter): timeout before data read
Mar  6 04:09:17 earth sendmail[23420]: i26B5Fkq023420: Milter (clmilter): to error state

If there is any additional logging I can enable that might be a help, 
let me know.

--
Orion Poplawski
System Administrator   303-415-9701 x222
Colorado Research Associates/NWRA  FAX: 303-415-9702
3380 Mitchell Lane, Boulder CO 80301   http://www.co-ra.com


[Clamav-users] clamav-milter dies after reaching max-thread count

2004-01-30 Thread Orion Poplawski
Noticed that clamav-milter wasn't running and then found the following 
in the logs.  I'm running clamd 0.65 and clamav-milter 0.60p.  I'm 
afraid I don't have much other information.

Jan 29 04:46:18 earth clamav-milter[983]: hit max-children limit (20 >= 20): waiting for some to exit
Jan 29 04:46:18 earth clamav-milter[983]: clamfi_connect: connection from [62.113.89.162] [62.113.89.162]
Jan 29 04:46:19 earth clamav-milter[983]: hit max-children limit (20 >= 20): waiting for some to exit
Jan 29 04:46:19 earth clamav-milter[983]: hit max-children limit (20 >= 20): waiting for some to exit
Jan 29 04:46:34 earth clamav-milter[983]: clamfi_connect: connection from [62.113.89.162] [62.113.89.162]
Jan 29 04:46:34 earth clamav-milter[983]: hit max-children limit (20 >= 20): waiting for some to exit
Jan 29 04:46:41 earth clamav-milter[983]: clamfi_connect: connection from escom-gw.customer.0rbitel.net [195.24.44.213]
Jan 29 04:46:41 earth clamav-milter[983]: hit max-children limit (20 >= 20): waiting for some to exit
Jan 29 04:47:18 earth clamav-milter[983]: Timeout waiting for a child to die
Jan 29 04:47:34 earth clamav-milter[983]: Timeout waiting for a child to die
Jan 29 04:47:41 earth clamav-milter[983]: Timeout waiting for a child to die
Jan 29 04:47:44 earth clamav-milter[983]: clamfi_connect: connection from 82-36-32-123.cable.ubr03.smal.blueyonder.co.uk [82.36.32.123]
Jan 29 04:47:45 earth clamav-milter[983]: hit max-children limit (24 >= 20): waiting for some to exit
Jan 29 04:48:23 earth clamav-milter[983]: clamfi_connect: connection from 217-165-200.adsl.tele2.no [193.217.165.200]
Jan 29 04:48:23 earth clamav-milter[983]: hit max-children limit (24 >= 20): waiting for some to exit
Jan 29 04:48:25 earth clamav-milter[983]: clamfi_connect: connection from [62.117.66.66] [62.117.66.66]
Jan 29 04:48:26 earth clamav-milter[983]: hit max-children limit (24 >= 20): waiting for some to exit
Jan 29 04:48:32 earth clamav-milter[983]: clamfi_connect: connection from ellada.com.ua [193.138.84.106]
Jan 29 04:48:37 earth clamav-milter[983]: clamfi_connect: connection from [62.117.66.66] [62.117.66.66]
Jan 29 04:48:37 earth clamav-milter[983]: hit max-children limit (24 >= 20): waiting for some to exit
Jan 29 04:48:42 earth clamav-milter[983]: clamfi_connect: connection from [62.32.51.198] [62.32.51.198]
Jan 29 04:48:44 earth clamav-milter[983]: hit max-children limit (24 >= 20): waiting for some to exit
Jan 29 04:48:45 earth clamav-milter[983]: Timeout waiting for a child to die
Jan 29 04:48:47 earth clamav-milter[983]: hit max-children limit (25 >= 20): waiting for some to exit
Jan 29 04:48:48 earth clamav-milter[983]: clamfi_connect: connection from [62.117.66.66] [62.117.66.66]
Jan 29 04:48:48 earth clamav-milter[983]: hit max-children limit (25 >= 20): waiting for some to exit
Jan 29 04:48:58 earth clamav-milter[983]: clamfi_connect: connection from ds81-30-200-53.ufanet.ru [81.30.200.53]
Jan 29 04:48:59 earth clamav-milter[983]: hit max-children limit (25 >= 20): waiting for some to exit
Jan 29 04:49:00 earth clamav-milter[983]: clamfi_connect: connection from ellada.com.ua [193.138.84.106]
Jan 29 04:49:04 earth clamav-milter[983]: hit max-children limit (25 >= 20): waiting for some to exit
Jan 29 04:49:09 earth clamav-milter[983]: clamfi_connect: connection from [62.117.66.66] [62.117.66.66]
Jan 29 04:49:09 earth clamav-milter[983]: hit max-children limit (25 >= 20): waiting for some to exit
Jan 29 04:49:11 earth clamav-milter[983]: clamfi_connect: connection from ds81-30-200-53.ufanet.ru [81.30.200.53]
Jan 29 04:49:12 earth clamav-milter[983]: hit max-children limit (25 >= 20): waiting for some to exit
Jan 29 04:49:12 earth clamav-milter[983]: clamfi_connect: connection from [62.32.51.198] [62.32.51.198]
Jan 29 04:49:13 earth clamav-milter[983]: hit max-children limit (25 >= 20): waiting for some to exit
Jan 29 04:49:20 earth clamav-milter[983]: clamfi_connect: connection from [64.243.77.136] [64.243.77.136]
Jan 29 04:49:20 earth clamav-milter[983]: hit max-children limit (25 >= 20): waiting for some to exit
Jan 29 04:49:23 earth clamav-milter[983]: Timeout waiting for a child to die
Jan 29 04:49:25 earth clamav-milter[983]: clamfi_connect: connection from [62.32.51.198] [62.32.51.198]
Jan 29 04:49:26 earth clamav-milter[983]: Timeout waiting for a child to die
Jan 29 04:49:26 earth clamav-milter[983]: hit max-children limit (27 >= 20): waiting for some to exit
Jan 29 04:49:37 earth sendmail[17144]: i0TBnbQU017144: Milter (clmilter): error connecting to filter: Connection refused by /var/run/clamav/clamav-milter.sock

--
Orion Poplawski
System Administrator   303-415-9701 x222
Colorado Research Associates/NWRA  FAX: 303-415-9702
3380 Mitchell Lane, Boulder CO 80301   http://www.co-ra.com


Re: [Clamav-users] clamav-milter dies after reaching max-thread count

2004-01-30 Thread Orion Poplawski
[EMAIL PROTECTED] wrote:

> That is due to high traffic of SCO virus. Increase max-children
> in CLAMAV_FLAGS of clamav-milter. Try with 40.

I understand why it hit the limit, and I'm happy to increase it.  But, I 
posit that clamav-milter shouldn't *crash* because of it.

--
Orion Poplawski
System Administrator   303-415-9701 x222
Colorado Research Associates/NWRA  FAX: 303-415-9702
3380 Mitchell Lane, Boulder CO 80301   http://www.co-ra.com




[Clamav-users] clamav snapshot rpms

2003-10-24 Thread Orion Poplawski
I've put the contents of a src.rpm that I've been using to build rpms of 
the latest snapshots to ftp://ftp.cora.nwra.com/software/linux/clamav.  
Hope people find it useful.  Note that it uses /var/lib/clamav for the 
databases and /var/run/clamav for socket and pid file.

--
Orion Poplawski
System Administrator   303-415-9701 x222
Colorado Research Associates/NWRA  FAX: 303-415-9702
3380 Mitchell Lane, Boulder CO 80301   http://www.co-ra.com




[Clamav-users] Bug in clamav-milter

2003-10-03 Thread Orion Poplawski
Found a bug in today's snapshot of clamav-milter.  The following patch 
fixes.

--- clamav-milter.c.orig2003-10-03 11:25:03.0 -0600
+++ clamav-milter.c 2003-10-03 11:17:31.0 -0600
@@ -483,7 +483,7 @@
* is set in the config file
*/
   if((max_children == 0)  ((cpt = cfgopt(copt, MaxThreads)) != 
NULL))
-   max_children = atoi(cpt-strarg);
+   max_children = cpt-numarg;

   /*
* Get the outgoing socket details - the way to talk to clamd
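
Review bot: the switch from `atoi(cpt->strarg)` to `cpt->numarg` is only correct if the config parser fills `numarg` for `MaxThreads`, i.e. the option is declared numeric in the cfgopt option table; if it were still parsed as a string, `numarg` would stay 0 and `max_children` would remain 0, the very state the surrounding `max_children == 0` test treats as "not set", so please confirm the option's declared type and consider rejecting a non-positive value with a logged warning instead of running with it. Separately, the `&&` between the two conditions and the `->` in `cpt->numarg` / `cpt->strarg` appear to have been lost when this mail was archived, so the hunk as displayed here would not compile; apply it from the original message rather than from this copy.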
--
Orion Poplawski
System Administrator   303-415-9701 x222
Colorado Research Associates/NWRA  FAX: 303-415-9702
3380 Mitchell Lane, Boulder CO 80301   http://www.co-ra.com

