Re: [clamav-users] ClamAV 0.103.2 security patch release
G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Sat, 10 Apr 2021, Per Jessen wrote:
>> G.W. Haywood wrote:
>>> On Sat, 10 Apr 2021, Per Jessen wrote:
>>>
>>>> When I built $SUBJ just now, I see
>>>>
>>>> libclammspack.so.0 => /home/per/workspace/clamav-0.103.2/libclamav/.libs/libclammspack.so.0
>>>
>>> Is this before 'make install'?
>>
>> Yes. See below.
>>
>>> After you install it I'd expect something more like
>>>
>>> # ldd `which clamd-0.103.2-allmatchstream` | grep libclammspack
>>> libclammspack.so.0 => /usr/local/lib/libclammspack.so.0 (0xb6734000)
>>
>> Ditto, and that's what I got with e.g. 102.1.
>
> You mean 0.103.2 doesn't behave like 0.102.1 in this regard?
> If it does not, that sounds like one for the ClamAV Bugzilla.

I'll double-check first, but I don't remember seeing this issue before.

>> I don't normally do a "make install", I copy the libraries to the destination servers directly. I only need the libraries.
>
> Seems you're not a typical user. :)

Yeah :-)

Thanks,

--
Per Jessen, Zürich (15.1°C)

___
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] ClamAV 0.103.2 security patch release
Per Jessen wrote:
>
>> If this is after install, exactly how did you build it?
>
> I don't normally do a "make install", I copy the libraries to the destination servers directly. I only need the libraries.

Having just built and installed on another machine, this is what is causing my issue.

--
Per Jessen, Zürich (15.4°C)
Re: [clamav-users] ClamAV 0.103.2 security patch release
G.W. Haywood wrote:
> Hi there,
>
> On Sat, 10 Apr 2021, Per Jessen wrote:
>
>> When I built $SUBJ just now, I see
>>
>> libclammspack.so.0 => /home/per/workspace/clamav-0.103.2/libclamav/.libs/libclammspack.so.0
>>
>> i.e. with a fixed path? How do I avoid that?
>
> Is this before 'make install'?

Yes. See below.

> After you install it I'd expect something more like
>
> # ldd `which clamd-0.103.2-allmatchstream` | grep libclammspack
> libclammspack.so.0 => /usr/local/lib/libclammspack.so.0 (0xb6734000)

Ditto, and that's what I got with e.g. 102.1.

> If this is after install, exactly how did you build it?

I don't normally do a "make install", I copy the libraries to the destination servers directly. I only need the libraries.

> Not sure this should be on the development list.

Agree.

--
Per Jessen, Zürich (16.9°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
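The thread above turns on where `ldd` says libclammspack.so.0 is loaded from: a pre-install build tree under a home directory rather than /usr/local/lib. A deployed binary that pulls shared libraries from a writable, non-system path is a library-hijack risk, so the following added example (not code from the thread or from ClamAV) parses `ldd` output and flags libraries that are missing or resolved outside a set of trusted prefixes. The trusted prefix list and the sample `ldd` output are constructed here, modelled on the paths quoted in the thread.

```python
"""Audit `ldd` output for shared libraries resolved from unexpected places."""
import re
import subprocess
from typing import List, Tuple

# Directories a deployed binary is expected to load libraries from
# (constructed list; adjust to the distribution's library layout).
TRUSTED_PREFIXES = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")

# Matches `libname => /path/to/lib (0xaddr)` and `libname => not found`.
# Lines without "=>" (the vDSO, the dynamic loader itself) are ignored.
_RESOLVED = re.compile(r"^\s*(\S+)\s+=>\s+(.+?)(?:\s+\(0x[0-9a-f]+\))?\s*$")


def parse_ldd(output: str) -> List[Tuple[str, str]]:
    """Return (soname, resolved_path) pairs; 'not found' is kept literally."""
    entries = []
    for line in output.splitlines():
        m = _RESOLVED.match(line)
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def audit_ldd(output: str, trusted=TRUSTED_PREFIXES) -> List[str]:
    """Return findings for libraries that are missing or that resolve
    outside the trusted prefixes (e.g. a user's build tree)."""
    findings = []
    for soname, path in parse_ldd(output):
        if path == "not found":
            findings.append(f"{soname}: not found")
        elif not any(path == p or path.startswith(p + "/") for p in trusted):
            findings.append(f"{soname}: resolved outside system prefixes -> {path}")
    return findings


def audit_binary(binary: str) -> List[str]:
    """Run ldd on a real binary and audit the result (needs ldd on PATH)."""
    out = subprocess.run(["ldd", binary], capture_output=True, text=True,
                         check=True).stdout
    return audit_ldd(out)


# Constructed sample: the build-tree path from the thread next to a
# correctly installed library, plus one unresolved dependency.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd2b3f0000)
\tlibclammspack.so.0 => /home/per/workspace/clamav-0.103.2/libclamav/.libs/libclammspack.so.0 (0x00007f2a1c000000)
\tlibclamav.so.9 => /usr/local/lib/libclamav.so.9 (0x00007f2a1b800000)
\tlibfoo.so.1 => not found
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2a1b400000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f2a1c200000)
"""

if __name__ == "__main__":
    for finding in audit_ldd(SAMPLE_LDD):
        print("WARN", finding)
```

Run `audit_binary("/usr/local/sbin/clamd")` (or whatever path the binary was copied to) on each destination server after copying libraries by hand, as described in the thread, to confirm nothing still points back at the build machine's paths.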
Re: [clamav-users] Services Difference & Memory Utilization
G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Sun, 13 Sep 2020, bobby via clamav-users wrote:
>
>> I noticed on my CentOS 8 machine, there are two different services listed: clamd@multi-user.service and system-clamd.slice. I don't have enough memory to run the first one, but only the second one (192M). Is clamd really running? What is the difference between these two services? I only have 2 GB of memory. Is there any way to run clamd? I get this error when I try to run it ...
>
> You *might* *just* *possibly* be able to run clamd on a system with only 2G of RAM

It _can_ be done, using cgroups to restrict the amount of memory used, but it'll be doing a bit of swapping. For email processing, we run clamd on virtual machines with slightly less than 3Gb memory, of which clamd takes up 1Gb.

--
Per Jessen, Zürich (19.5°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
Re: [clamav-users] unable to build with --enable-libclamav-only
Michael Orlitzky via clamav-users wrote:
> On 2/24/20 5:28 AM, Per Jessen wrote:
>> I've just stumbled on this new config option - "--enable-libclamav-only". However, I still get complaints about libcurl (for freshclam and clamdsubmit)?
>>
>
> I reported this already (bug is still private):
>
> https://bugzilla.clamav.net/show_bug.cgi?id=12494
>
> It's just a bug in the build system, nothing exciting.

Okay, thanks for letting me know. I guess it would be easy to update in configure.ac?

--
Per Jessen, Zürich (12.2°C)
[clamav-users] unable to build with --enable-libclamav-only
I've just stumbled on this new config option - "--enable-libclamav-only". However, I still get complaints about libcurl (for freshclam and clamdsubmit)?

This is my invocation:

./configure --prefix=/usr --enable-libclamav-only --with-dbdir=/var/lib/clamav --sysconfdir=/etc --mandir=/usr/share/man

I must be missing something?

--
Per Jessen, Zürich (15.5°C)
Re: [clamav-users] file not recognised by clamav, but by many others?
Al Varnell wrote:
> The virus database is kept up to date with the help of the community. If you find a new virus that ClamAV does not detect, please report the suspicious file to the ClamAV team <https://www.clamav.net/reports/malware>.

Sure, I am well aware. I was just curious that such a relatively old virus is not identified by ClamAV (nor by Sanesec signatures, for that matter).

--
Per Jessen, Zürich (0.1°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
[clamav-users] file not recognised by clamav, but by many others?
A friend of mine sent me a windows executable that ClamAV had let through (back in 2016) - I had it scanned at https://www.virustotal.com :

https://www.virustotal.com/de/file/8b6d6f3220f5423bce085a70949890ed5147b9ba06960ac5666b79611f92eb2f/analysis/1521538774/

ClamAV reports clean (also on my system), but it is recognised by many others.

https://files.jessen.ch/materials-20161511_121132836553-doc.exe

--
Per Jessen, Zürich (-0.2°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
Re: [clamav-users] Clam in a very low memory environment?
Thomas Cameron wrote:
> I am taking advantage of the free tier at Amazon (640M memory) to host my e-mail server. Naturally, my first move was to install SpamAssassin and ClamAV for mail filtering, but I got out of memory errors when starting Clam. Is anyone running Clam in a very low memory configuration? Is it do-able?

Sure, my test-system nodes only have about 400M RAM. I use my own clam daemon, but the functionality is the same.

--
Per Jessen, Zürich (5.6°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
Re: [clamav-users] How can I have clamd reject items that can't be scanned?
Peter Bradeen wrote:
> I see that there are ways to limit the level of archive that will be scanned as well as the size of the entities to be scanned. Is there a way for CLAMAV to then flag them as not allowed? Seems that if you can't scan it, it should be rejected.

It's not about not being able to scan, it's about not wanting to scan. Regardless, clamav doesn't reject or approve mails, that's for your MTA to do.

/Per Jessen, Zürich
Re: [clamav-users] How can I have clamd reject items that can't be scanned?
Rob Sterenborg (lists) wrote:
> On Wed, 2011-11-09 at 10:31 +0100, Per Jessen wrote:
>> Peter Bradeen wrote:
>>> I see that there are ways to limit the level of archive that will be scanned as well as the size of the entities to be scanned. Is there a way for CLAMAV to then flag them as not allowed? Seems that if you can't scan it, it should be rejected.
>>
>> It's not about not being able to scan, it's about not wanting to scan. Regardless, clamav doesn't reject or approve mails, that's for your MTA to do.
>
> If you use ClamAV as milter, it's up to ClamAV to tell the MTA what to do so I guess there's a task for ClamAV too..

Well, I guess it depends on your point of view. Personally I see the MTA doing the rejection, possibly based on information from elsewhere (DNS, blacklists, clamav, wherever).

/Per Jessen, Zürich
Re: [clamav-users] How can I have clamd reject items that can't be scanned?
Simon Hobson wrote:
> Per Jessen wrote:
>>>> It's not about not being able to scan, it's about not wanting to scan. Regardless, clamav doesn't reject or approve mails, that's for your MTA to do.
>>>
>>> If you use ClamAV as milter, it's up to ClamAV to tell the MTA what to do so I guess there's a task for ClamAV too..
>>
>> Well, I guess it depends on your point of view. Personally I see the MTA doing the rejection, possibly based on information from elsewhere (DNS, blacklists, clamav, wherever).
>
> This is a rather pointless argument about semantics which doesn't answer the original question. I'll rephrase it for the pedants:
>
>> I see that there are ways to limit the level of archive that will be scanned as well as the size of the entities to be scanned. Is there a way for CLAMAV to then flag them as not allowed?
>
> Oh, I see it works without modification. Is it possible for ClamAV to flag that the message should be rejected if it can't be scanned - seems a reasonable question to me.

The OP started by saying there are ways to limit the level of archive that will be scanned as well as the size of the entities to be scanned, which are performance optimizing options one can use if desired. To which I commented that it's not about a message that can't be scanned, but whether your limits allow it to be scanned. Remove the limits, and everything is scanned (presumably only limited by hardware resources).

Nonetheless, it is actually an interesting question - should/does clamav return not-scanned-due-to-user-restriction in such cases?

/Per Jessen, Zürich
[Clamav-users] latest daily.cvd (10938) might cause an issue for clamd users who have not upgraded to libclamav 0.96
I'm running my own custom clamav daemon, and just now I ran into an issue when reloading the latest daily.cvd. cl_load() seems to be looking for a file named 'daily.ldb' - it isn't found, which causes a segfault.

I don't yet know if this is purely my issue or if it might also affect clamd users, but I'm posting this just in case.

/Per Jessen, Zürich
Re: [Clamav-users] latest daily.cvd (10938) might cause an issue for clamd users who have not upgraded to libclamav 0.96
Per Jessen wrote:
> I'm running my own custom clamav daemon, and just now I ran into an issue when reloading the latest daily.cvd. cl_load() seems to be looking for a file named 'daily.ldb' - it isn't found, which causes a segfault.
>
> I don't yet know if this is purely my issue or if it might also affect clamd users, but I'm posting this just in case.

See http://lurker.clamav.net/message/20100507.110656.573e90d7.en.html

/Per Jessen, Zürich
Re: [Clamav-users] Latest daily.cld update causes segfault
Toby Bryans wrote:
> Thanks Luca, I obviously should have checked there in retrospect!

It was posted 8 minutes after your posting, so checking there wouldn't have done you any good :-)

/Per Jessen, Zürich
Re: [Clamav-users] Latest daily.cld update causes segfault
Toby Bryans wrote:
> On 7 May 2010 12:28, Per Jessen p...@computer.org wrote:
>> Toby Bryans wrote:
>>> Thanks Luca, I obviously should have checked there in retrospect!
>>
>> It was posted 8 minutes after your posting, so checking there wouldn't have done you any good :-)
>
> :) I can confirm that the latest update definitely works, thanks all. I haven't yet received the announcement about the latest update though - obviously a lot of people are subscribed to the announcement list! Perhaps this sort of thing should be twittered (or some other broadcast media) as well?

Personally, I don't use twitter, and the mailing list announcement is fully sufficient.

/Per Jessen, Zürich
Re: [Clamav-users] ClamAV Memory Usage
Gordan Bobic wrote:
> Hi,
>
> Can anyone explain why clamd 0.95.3 might use 190MB of RAM after 5 days of light usage (few hundred emails)? It is the single biggest process on my mail servers, and I'm not convinced its size is reasonably justifiable. The database files under /var/lib/clamav use about 70MB. So, even assuming this is kept in memory at all times, where does the other 120MB come from?

Maybe when the database is reloaded? I don't know clamd that well, but I suspect it'll probably have two copies of the database in core during reload.

/Per Jessen, Zürich
[Clamav-users] third party signatures are given preference ?
I use the official clamav databases plus third party signatures from sanesecurity to scan email for virus - when an email would potentially hit two signatures, it seems to prefer the third party over the official clamav sigs. Is this intentional or am I missing something?

A recent example is Email.Trojan.GZC aka Sanesecurity.Malware.8825.

/Per Jessen, Zürich
Re: [Clamav-users] freshclam - how to hard-code to specific IP?
W S wrote:
> Folks,
>
> Is there any way to hard-code the IP address for updating the ClamAV db? I see this keep changing:
>
> % host database.clamav.net
> database.clamav.net is an alias for db.local.clamav.net.

You could probably amend /etc/hosts with a permanent entry for 'database.clamav.net' pointing to wherever you want. Or you just update /etc/freshclam.conf to point to only one mirror.

/Per Jessen, Zürich
[Clamav-users] Suggestion - make the source package available without the main.cvd database
Any chance of making the source package available without the current cvd databases? The current package is 24Mb, without the CVD it's only 3Mb. Just a suggestion, but it might just save some bandwidth.

/Per Jessen, Zürich
[Clamav-users] What's the benefit of having libiconv installed?
I was about to deploy libclamav* on some new machines, when I noticed that the libraries needed libiconv. The build-machine obviously had this library installed so it got selected automagically. Before I go and install libiconv on my new servers, I was just wondering what the advantage of it is in relation to clamav? It's obviously optional, and clamav seems to do quite well without it.

/Per Jessen, Zürich
[Clamav-users] freshclam logfile size
Am I the first person to suggest the default max logsize should be 0 instead of 1M (or some other arbitrary value)?

/Per Jessen, Zürich
[Clamav-users] freshclam complains about /etc/clamd.conf ?
I've just completed our upgrade to 0.92 - when I restarted freshclam, I got the following:

ERROR: Parse error at line 37: Unknown option ScriptedUpdates.
ERROR: Please edit the example config file /etc/clamd.conf.
ERROR: Can't parse the config file /etc/clamd.conf

I'm not using clamd - any reason why freshclam should complain about /etc/clamd.conf?

/Per Jessen, Zürich
Re: [Clamav-users] freshclam complains about /etc/clamd.conf ?
Ismail M. Settenda wrote:
> Go edit the said file (/etc/clamd.conf) and comment out the line
> Example
> Then restart freshclam

Wait - I didn't ask how to fix the problem. I'm more interested to know why freshclam complains about this _unused_ config-file when it has never done so before.

/Per Jessen, Zürich
Re: [Clamav-users] freshclam complains about /etc/clamd.conf ?
Per Jessen wrote:
> Wait - I didn't ask how to fix the problem. I'm more interested to know why freshclam complains about this _unused_ config-file when it has never done so before.

Please ignore - problem found and solved.

/Per Jessen, Zürich
Re: [Clamav-users] clamav gcc dependencies ...
Török Edwin wrote:
> You don't need to upgrade to 4.1.2/4.2.x. gcc-3.4 can be nicely installed side-by-side with a 4.0.x/4.1.0 series gcc, all you need to do is:
>
> # apt-get install gcc-3.4
> $ export CC=gcc-3.4
> $ ./configure

All our systems are frozen - no changes until mid-Jan. clamav is one of very few exceptions.

/Per Jessen, Zürich
[Clamav-users] clamav gcc dependencies ...
I guess there was no other way than to make clamav dependent on gcc, but it sure is bad timing. Only a week before Christmas, most systems are frozen, people have already left for vacation etc. Updating clamav is within reason for us, but upgrading gcc too ...

Was/is there absolutely no way of fixing this gcc problem in the clamav source?

/Per Jessen, Zürich
Re: [Clamav-users] Problem with big mails
[EMAIL PROTECTED] wrote:
> Hey all;
>
> I'm running ClamAV 0.90.1 on FreeBSD 6.2. In front of this server I have 3 others, which gather traffic and run it through my ClamAV-server. Everything is running smoothly, except some mails that are large. Right now I have 4 mails on one of the servers that vary in size from 20MB to 60 MB.

Virus-scanning anything bigger than 1-2Mb makes little sense. Anything as big as 20Mb, I would just skip without further consideration.

/Per Jessen, Zürich
[Clamav-users] scriptedupdates ignored if daily.inc exists
I upgraded my test-system to 0.90.1 without realising that freshclam's default behaviour had changed to using the diff-method rather than downloading the full cvd file. When I found out a bit later, I updated freshclam.conf, but this seemed to have no effect. This turned out to be because I'd left the daily.inc directory. When I removed it, freshclam retrieved the daily cvd on the next attempt.

/Per Jessen, Zürich
Re: [Clamav-users] Freshclam stability as a daemon
G.W. Haywood wrote:
> I'm calling for those who run freshclam as a daemon and who don't see any problems with it to chip into this thread. How many of us are there?

We're running freshclam as a daemon - probably for about 2 years, I'm not sure. AFAIK, we have not seen any stability problems, and I do not expect any either.

/Per Jessen, Zürich
Re: [Clamav-users] Freshclam stability as a daemon [was: DB Update email before actual update available?]
Dennis Peterson wrote:

[60 lines snipped]

> I can only tell you from my experience with several years and many versions of ClamAV that I have found no advantage in any category to running freshclam as a daemon, and running it in cron gives me many options not otherwise available - not the least of which is I can run it at random intervals to help break up lockstep assaults on the servers it polls.

As you know, I'm running freshclam as a daemon, and I'm curious as to what additional options (or even advantages) you get by running it under cron?

> And as an old school Unix admin who still believes in the mentoring responsibility of my position, I will make recommendations from time to time regarding best practices and I recommend if you run freshclam as a daemon that you monitor it and restart it if needed.

Do you do that for ALL your daemon processes? As an old school mainframe sysprog, I don't monitor any of my daemon processes (apart from *some* status-monitoring via SNMP).

/Per Jessen, Zürich

PS: even if you're an old school Unix admin, quoting only the relevant bits in your reply is still considered good netiquette.
Re: [Clamav-users] DB Update email before actual update available?
Dennis Peterson wrote:
>> At some point you've got to trust someone/something. Who watches your daemon watcher? Who watches your OS? Who watches your power-supply?
>
> I run SPARC equipment - I have monitoring for all that and cpu temperature, too. There's a difference between proper monitoring and absurdity. Your strawman fails that.

We run Intel equipment (mostly) and monitor all that too. Still, it sounds like you've decided to trust your daemon-watcher daemon? We do not use daemon-watchers simply because it's impossible to tell when to stop. If you trust your watcher, you might as well trust the daemons it watches.

> but I can guarantee freshclam can fail regularly (and has) when run as a daemon.

Now that is WORRYING. Are the clamav developers listening in here? I can't verify Dennis' statement myself, but if freshclam can regularly fail, it must be looked into! Dennis, have you filed a bug-report or at least an enhancement request?

> It also examines the files freshclam has downloaded to a sandbox before they're deployed so that bad files don't replace good ones.

That is a separate, unrelated issue - I do the same, but triggered by freshclam's OnUpdateExecute procedure.

> Our requirements are for 5 9's reliability and system availability and that requires self-healing systems. If something can't heal itself I get paged and email.

We use SMS, but the idea is the same.

> So what do you do when your freshclam dies or explodes from a memory leak or do you depend 100% on it never failing?

For one thing, freshclam has never died nor exploded from a memory leak, nor is it a critical process. If freshclam fails to do an update within 15mins after we've received the clamav email-notification, a warning is raised.

/Per Jessen, Zürich
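Both posters above check freshclam's downloads before they replace the live databases (one in a sandbox, one from OnUpdateExecute). The following added example, which is not code from the thread or from the ClamAV project, shows what such a pre-deployment check can look like: it parses the 512-byte text header at the start of a .cvd file (ClamAV-VDB, build date, version, signature count, functionality level, MD5, digital signature, builder, build time), verifies that the MD5 covers the gzipped tar body that follows, and refuses a database whose version is not newer than the one already deployed. The sample .cvd is constructed here and carries no real digital signature; verifying that RSA signature is out of scope for this example.

```python
"""Check a downloaded ClamAV .cvd before deploying it (added example)."""
import gzip
import hashlib
import io
import tarfile
from dataclasses import dataclass
from typing import Optional

HEADER_LEN = 512  # a .cvd starts with a 512-byte, space-padded text header


@dataclass
class CvdHeader:
    build_date: str
    version: int
    signatures: int
    functionality_level: int
    md5: str
    dsig: str
    builder: str
    build_time: int


def parse_cvd_header(raw: bytes) -> CvdHeader:
    """Split the colon-separated header; raises ValueError if malformed."""
    text = raw[:HEADER_LEN].decode("ascii", "replace").rstrip(" \x00\r\n")
    fields = text.split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 9:
        raise ValueError("not a ClamAV CVD header")
    return CvdHeader(fields[1], int(fields[2]), int(fields[3]), int(fields[4]),
                     fields[5], fields[6], fields[7], int(fields[8]))


def verify_cvd(data: bytes, deployed_version: int) -> CvdHeader:
    """Raise ValueError unless the body MD5 matches the header and the
    version is newer than what is currently deployed (no downgrade)."""
    if len(data) <= HEADER_LEN:
        raise ValueError("file too short to contain a header and body")
    hdr = parse_cvd_header(data)
    body_md5 = hashlib.md5(data[HEADER_LEN:]).hexdigest()
    if body_md5 != hdr.md5.lower():
        raise ValueError(f"body MD5 {body_md5} does not match header {hdr.md5}")
    if hdr.version <= deployed_version:
        raise ValueError(f"version {hdr.version} is not newer than "
                         f"deployed {deployed_version}")
    return hdr


def is_valid_cvd(data: bytes, deployed_version: int) -> bool:
    """Convenience wrapper for an OnUpdateExecute-style go/no-go decision."""
    try:
        verify_cvd(data, deployed_version)
        return True
    except ValueError:
        return False


def build_sample_cvd(version: int, md5_override: Optional[str] = None) -> bytes:
    """Constructed sample: a tiny gzipped tar body under a matching header.
    md5_override lets a caller fabricate a corrupted file for testing."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        payload = b"# constructed placeholder, not a real signature file\n"
        info = tarfile.TarInfo("daily.info")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    body = gzip.compress(tar_buf.getvalue())
    md5 = md5_override or hashlib.md5(body).hexdigest()
    # Dates in real headers use "HH-MM" so that the field contains no colon.
    header = (f"ClamAV-VDB:10 Apr 2021 10-00 +0000:{version}:1:63:{md5}:"
              f"CONSTRUCTED-NO-REAL-DSIG:example-builder:1618048800")
    return header.encode().ljust(HEADER_LEN, b" ") + body


if __name__ == "__main__":
    candidate = build_sample_cvd(10938)
    print("accept" if is_valid_cvd(candidate, 10937) else "reject")
```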
Re: [Clamav-users] Re: DB Update email before actual update available?
Dave Warren wrote:
>> We run Intel equipment (mostly) and monitor all that too. Still, it sounds like you've decided to trust your daemon-watcher daemon? We do not use daemon-watchers simply because it's impossible to tell when to stop. If you trust your watcher, you might as well trust the daemons it watches.
>
> There is no reason that monitors can't monitor other monitors too, in the software world.

I was assuming (perhaps wrongly) that we're not talking an N+1 high-availability environment where many processes monitor their peers by heartbeat etc. I don't count that kind of setup as daemon-watching.

> In the hardware world, an unnoticed overheat will result in the equipment going down, which would trigger whatever monitors that box to report failures.

Certainly. Although I would monitor the temperature instead. Once the equipment is down, it's too late. We monitor datacenter/machine temperature as they are critical operating factors that must be maintained within certain boundaries.

Anyway, this is way, way off-topic here - my apologies for keeping it going.

/Per Jessen, Zürich
Re: [Clamav-users] Freshclam stability as a daemon [was: DB Update
Daniel T. Staal wrote:
> Has anyone tried both? What happens if you try to run freshclam as a daemon and from cron? (Assuming you schedule them to run at different times, of course. If they both checked at the same time I would expect something to bork.)

If they both ran at the same time, and the databases had been updated, I see significant potential for something to break.

/Per Jessen, Zürich
Re: [Clamav-users] DB Update email before actual update available?
Dennis Peterson wrote:
> Per Jessen wrote:
>> Jay Lee wrote:
>>> The point of the exercise is to run freshclam *only* when the update is published, not to run every x hours (or minutes) without knowing if there is an update. Looking at my options there...
>>
>> Why not just run freshclam as a daemon?
>
> Then you really need to have a daemon watcher to keep it going.

At some point you've got to trust someone/something. Who watches your daemon watcher? Who watches your OS? Who watches your power-supply? Quis custodiet ipsos custodes?

> ... And it is actually used just a few seconds a day but as a daemon the resources it uses are fully committed 100% of the day.

Given the very limited amount of resources it uses, I see no problem in that.

> At some point you just have to step back and take a simple approach, especially when it's a simple problem.

Running freshclam IS a simple option, IMHO. Anything else needs additional scripting, checks of this and that etc. - not a simple approach at all.

/Per Jessen, Zürich
Re: [Clamav-users] DB Update email before actual update available?
Jay Lee wrote:
> The point of the exercise is to run freshclam *only* when the update is published, not to run every x hours (or minutes) without knowing if there is an update. Looking at my options there...

Why not just run freshclam as a daemon?

/Per Jessen, Zürich
Re: [Clamav-users] DB Update email before actual update available?
Jay Lee wrote:
> I am attempting to write a script that will take action whenever an email from the [EMAIL PROTECTED] list is received. The script would run freshclam and grab the most recent update, thus giving me the most up to date version at all times without putting a heavy load on the ClamAV servers. The problem I am facing though is that freshclam can't see the new update. Using the latest 0.88.7 release, I was originally just running freshclam --quiet. I've since added --no-dns so that freshclam will go directly to the server instead of checking DNS (this shouldn't be a load problem since this is only getting executed when there actually is an update). However, my freshclam still seems to not find the most recent update.

Has the most recent update made it to your local mirror?

> What is the db-update process? Is it possible the email is being sent out before the file is accessible?

I don't know the process, but I think so, yes.

/Per Jessen, Zürich
Re: [Clamav-users] submit-to-publish time much too long for phishing
jef moskot wrote:
> On Wed, 29 Nov 2006, JamesDR wrote:
>> ...if your users are being let down by the 'time it takes to get a phish sig' then isn't about time their network/mail admin looked into added levels of detection?
>
> I think the original point was that if Clam is going to scan for phishing at all, the response time might be too slow to be useful, given the frequency with which the content changes.

That was exactly my point, yes. To be fair, I submitted another phishing sample yesterday, and had the update in about 5 hours, which is much more acceptable.

/Per Jessen, Zürich
Re: [Clamav-users] submit-to-publish time much too long for phishing
Nigel Horne wrote:
> Use the experimental code, then. It does a good job at catching phishes that aren't even in the database.

OK, that sounds interesting, I'll take a look.

/Per Jessen, Zürich
[Clamav-users] submit-to-publish time much too long for phishing
This is not really a complaint, perhaps just an observation. On 25/11 around 1000CET I submitted a sample and again on 26/11 also around 1000 I submitted a second sample - both phishing. I've only just today around 1800CET received confirmation for both. This is respectively about 56 and 32 hours later.

I understand it was on a weekend etc., but for ClamAV's phishing detection/protection to have any meaning/reason at all, the time from submit to publish needs to be a LOT shorter.

/Per Jessen, Zürich
Re: [Clamav-users] submit-to-publish time much too long for phishing
Dennis Peterson wrote:
> I'm not aware of any systems that have been disabled or rendered useless by even the most aggressive phishing scheme.

Nor am I.

> The best defense against phishing is and has always been education, fwiw.

Doesn't that apply to viruses too?

> Given the ease with which these can be defeated with other simple tools available to any good messaging server

I could do with a couple of pointers (for server-based use).

> I don't mind they are given lower priority than correcting code errors, improving documentation, discovering and responding to truly destructive outbreaks, etc.

As a matter of principle, maintaining the database of what ClamAV is supposed to detect must have the highest priority, IMHO. If not, everything else is pointless.

/Per Jessen, Zürich
Re: [Clamav-users] submit-to-publish time much too long for phishing
Per Jessen wrote:

> > The best defense against phishing is and has always been education, fwiw.

Quick additional comment - I used to use the very same argument, but experience and age have taught me that people are stupid.

/Per Jessen, Zürich
Re: [Clamav-users] submit-to-publish time much too long for phishing
Dennis Peterson wrote:

> And the point is you don't have to come to harm if a phishing pattern is not available.

That depends on your expectations. If you're purely using it for your own personal protection, you're absolutely right. If you're using it as a service to others, whether employees or clients, it's a different story. My point is - when I've told someone I can protect them from phishing to some degree, ClamAV is letting me down by not delivering in time.

I'd really like to repeat - I am most definitely NOT complaining. I just think the phishing detection of ClamAV is pointless when it's one to two days late.

> > > Given the ease with which these can be defeated with other simple tools available to any good messaging server
> >
> > I could do with a couple of pointers (for server-based use).
>
> The tools to create your own pattern files are included with ClamAV.

Certainly, and that may be what we'll do anyway. But the whole strength of ClamAV is the collaboration of a large worldwide community, is it not?

> > > I don't mind they are given lower priority than correcting code errors, improving documentation, discovering and responding to truly destructive outbreaks, etc.
> >
> > As a matter of principle, maintaining the database of what ClamAV is supposed to detect must have the highest priority, IMHO. If not, everything else is pointless.
>
> I guess you could always ask for a refund if you're unhappy with the product. I think they're doing a hell of a good job.

So do I. I've even contributed code myself. I am in no way unhappy with the product, and I shall continue to use it, but I AM a tad unhappy with the promises wrt phishing.

/Per Jessen, Zürich
Re: [Clamav-users] submit-to-publish time much too long for phishing
Gerard Seibert wrote:

> however, I believe 'stupid' is too harsh.

Perhaps - but a great deal more concise :-)

/Per Jessen, Zürich
Re: [Clamav-users] submit-to-publish time much too long for phishing
Dennis Peterson wrote:

> To blame ClamAV for letting you down is unkind and inaccurate.

Perhaps you would care to state the purposes of ClamAV's phishing detection? Admittedly, I have not read up on it myself, but merely assumed it was to provide reasonable means of protection against phishing. And no, I don't class a signature that is 56 hours under way as reasonable.

> And in my opinion, submitting a sample should not be done to correct your problem - you should already have done that - the submission is a contribution to the community so others will benefit from the event you experienced.

If this is the way it is supposed to work, perhaps it would be appropriate to ask for a showing of hands - how many of the current sample contributors create their own signatures first, then submit a sample later?

> Personally, I think the community is more important. And there's really no reason to continue this.

Do feel free not to.

My point (again, not a complaint) is - the quality of the phishing signature collection is not currently sufficient to warrant using ClamAV as any means against phishing. The number of phishing signatures collected is mostly irrelevant, whereas the speed with which a new signature can be published is not.

/Per Jessen, Zürich
Re: [Clamav-users] Re: To ClamAV Developers: donation question
Gerard Seibert wrote:

> On Wednesday November 08, 2006 at 11:16:21 (AM) Sergei Lavrov wrote:
>
> > Some of the businesses I know do want to make donations. But is ClamAV able to issue an invoice?
>
> In other words, you are looking for a tax write off.

No, it's got nothing to do with taxes - it's a matter of practicality; getting budget approval for a business expense is much easier than for charity.

/Per Jessen, Zürich
[Clamav-users] OUTDATED?
According to freshclam, my installation (0.88.5) is outdated:

Received signal: wake up
ClamAV update process started at Sat Nov 4 11:42:24 2006
main.cvd is up to date (version: 41, sigs: 73809, f-level: 10, builder: tkojm)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 9, recommended = 10
DON'T PANIC! Read http://www.clamav.net/faq.html
daily.cvd is up to date (version: 2161, sigs: 1600, f-level: 9, builder: arnaud)

However, the latest version is still 0.88.5?

I'm also a little puzzled that the OnOutdatedExecute script isn't triggered, but it looks like that only happens when the DNS reports a newer software version.

/Per Jessen, Zürich
Re: [Clamav-users] let's all make a regular domation to ClamAV
Sergei Lavrov wrote:

> Dear ClamAV users,
>
> If you are using ClamAV in your business and you are happy about it, I would like to call upon you to make a regular donation to the ClamAV project. Those folks have spent a great deal of time to provide us with timely virus updates and I hate to see they have to pay out of their own pockets for this great project.
>
> If all the users make a regular donation of as little as USD$60 a month (That's only $2 a day) to ClamAV, it will make a great difference. Of course, you can give more if you are able to. Don't just be a freeloader.

I think it is entirely reasonable, but for a business to make donations, I think the ClamAV project needs to be able to 1) issue invoices and 2) accept payment via non-paypal channels. Maybe even in EUR.

/Per Jessen, Zürich
Re: [Clamav-users] Has anyone set up a local virus definitions server?
[EMAIL PROTECTED] wrote:

> OK, I am trying to do this with clamav 88.2. The problem I am having is that the clamav server does not have apache (or any web server running on it). The clamav server is an OES-Linux server (novell distro based on SLES 9). I also have another OES-Linux server that is running a web server. So, when I change the freshclam.conf on the clamav server DatabaseDirectory to http://dnsaddress.here/folder (address of the other oes-linux server that is running apache2) and then try to run freshclam on the clamav server, I get this error: can't change dir to http://dnsaddress.here/folder;. Is this way even possible

It's not possible - clamav does not deal with URLs, only with filesystem paths.

> it be a directory entry (like /srv/www/htdocs)? If it has to be in the form of /srv/www/htdocs, can it be a smb form (like smb://username:[EMAIL PROTECTED] to cvd's)? Any help is appreciated.

Filesystem paths only, no URLs.

/Per Jessen, Zürich
Re: [Clamav-users] 0.88.3 oops
Luca Gibelli wrote:

> > Why isn't freshclam complaining?
>
> because there are no security issues associated with the new release. Instead of filling the logs with warnings, we give our users 2 days to perform the upgrade.

Hi Luca, I still haven't seen any warning?

/Per Jessen, Zürich
Re: [Clamav-users] 0.88.3 oops
Luca Gibelli wrote:

> > Huh? I've checked the DNS record : 0.88.3:39:1579:1151933486:0 - which looks ok, right? Why isn't freshclam complaining?
>
> because there are no security issues associated with the new release. Instead of filling the logs with warnings, we give our users 2 days to perform the upgrade. The warning in freshclam is not meant as a replacement for clamav-announce@ . It's there just to annoy lazy sysadmins.

Thanks for the info Luca. I wasn't aware of the importance of that bit in the TXT record. I have to admit to being one of those lazy, err ... busy, sysadmins. I find freshclam's outdated warning very useful.

/Per Jessen, Zürich
Re: [Clamav-users] 0.88.3 oops
Luca Gibelli wrote:

> > http://sourceforge.net/project/showfiles.php?group_id=86638package_id=90197release_id=413754
>
> seems like a glitch in SF's rss feed. I temporarily removed the download link. please follow the release notes link instead. I manually edited the download link in the RSS feed. For everyone's benefit, here is a direct link to 0.88.3:

Is there any particular reason why freshclam is not making me aware of the new version? I use the OnOutdatedExecute option, but it hasn't been triggered.

/Per Jessen, Zürich
Re: [Clamav-users] 0.88.3 oops
Stephen Gran wrote:

> On Mon, Jul 03, 2006 at 03:37:42PM +0200, Per Jessen said:
>
> > Is there any particular reason why freshclam is not making me aware of the new version? I use the OnOutdatedExecute option, but it hasn't been triggered.
>
> I understand it will complain on Tuesday.

Huh? I've checked the DNS record : 0.88.3:39:1579:1151933486:0 - which looks ok, right? Why isn't freshclam complaining?

/Per Jessen, Zürich
Re: [Clamav-users] Progressive scan ?
Roman ZARAGOCI wrote:

> Maybe, it's not a clamav-related question. Is it possible to do a progressive scan with clamdscan using a script or something else?

An incremental scan?

> For example, I would want to scan only new files added to home directories or by checking the modification date of files.

Sounds like you could do with a simple combination of clamav and the find command.

/Per Jessen, Zürich
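As an added example of the find-based approach suggested above (this is not code from the thread or from ClamAV), a stamp file records when the previous pass started and only files modified since then are handed to the scanner. The directory, the stamp path and the choice of clamdscan as the scanner are assumptions; on a host without clamd, pass clamscan instead.

```shell
#!/bin/sh
# Added example (not ClamAV's code): scan only what changed since the last pass.
# A stamp file records when the previous pass started; find selects files newer
# than it and hands them to the scanner. Paths and the scanner name are assumptions.
set -eu

# List (NUL-separated) regular files under $1 modified after stamp file $2.
# No stamp yet means a first run, so every file is selected.
newer_files() {
    if [ -f "$2" ]; then
        find "$1" -type f -newer "$2" -print0
    else
        find "$1" -type f -print0
    fi
}

# How many files the next pass would scan; handy for logging, and it lets the
# selection be checked on a machine with no scanner installed.
count_newer_files() {
    newer_files "$1" "$2" | tr -cd '\000' | wc -c | tr -d ' '
}

# Scan everything changed since the last pass with $3 (default clamdscan).
# The new stamp is taken BEFORE scanning, so a file written while the scan runs
# is still caught next time. It only replaces the old stamp if the scanner exits
# 0: a detection (clamdscan exit 1) or an error (exit 2) keeps the old stamp, so
# those files stay in the selection until the administrator has dealt with them.
incremental_scan() {
    dir=$1 stamp=$2 scanner=${3:-clamdscan}
    touch "$stamp.new"
    if newer_files "$dir" "$stamp" | xargs -0 -r "$scanner"; then
        mv "$stamp.new" "$stamp"
        return 0
    fi
    rm -f "$stamp.new"
    return 1
}

# Hourly cron entry (assumed paths):
# 15 * * * * root /usr/local/sbin/incscan.sh /home /var/lib/clamav/incscan.stamp
if [ $# -ge 2 ]; then
    incremental_scan "$@"
fi
```

Because the selection is driven purely by mtime, a file whose contents are replaced with an old timestamp preserved (tar -p, cp -p, or an attacker resetting mtime) will not be re-selected; a periodic full pass alongside the incremental one covers that gap.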
Re: [Clamav-users] Re: FAQ #13 - Can phishing be considered one kindof spam?
Sven Strickroth wrote:

> Hi,
>
> Per Jessen [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
>
> > Dennis Peterson wrote:
> >
> > > Per Jessen wrote:
> > >
> > > It has always been possible to unpack the pattern files and remove the parts you don't like. The various parts are clearly marked.
>
> If you use the devel-version (or if the devel-version becomes the stable one), you can use the parameter --no-phishing...

Thanks Sven - I'll definitely be trying that out.

/Per Jessen, Zürich
Re: [Clamav-users] Quarantine for clamav ?
Roman ZARAGOCI wrote:

> I searched the archives without any success for anything about a quarantine directory for clamav (not clamav-milter). I'm looking for this to store infected files in a directory so the administrator can see files which are infected and decide what to do.

I would say that is more of a job for your mail-server, not clamav.

/Per Jessen, Zürich
[Clamav-users] FAQ #13 - Can phishing be considered one kind of spam?
What's the current schedule for 0.90? And what are my options (for not having clamav consider phishing==virus) until then?

I'm using libclamav programmatically - I don't suppose cl_scanfile() could be convinced to return CL_PHISHING when appropriate :-)

/Per Jessen, Zürich
[Clamav-users] Re: virus detected using clamscan but not with Mail::ClamAV perl module
Per Jessen wrote:

> OK, just tried that - it still reports clean. I'm just now upgrading the Mail::ClamAV module to 0.17 (from 0.11) - maybe that'll fix it.

Yeah, 0.17 fixed it - thanks for the fast response. Sorry about wasting your time and bandwidth.

/Per Jessen, Zürich
[Clamav-users] is there a way of telling when a particular signature was added to the db?
When an email is let through and it is later determined that it did contain a virus, I would like to be able to say the signature for the virus was added in db version so-and-so, which was active as of so-and-so. Now, the latter I can do, but where can I retrieve the info about when (or in which db-version) the signature was added? (using an API of course).

thanks.

/Per Jessen, Zürich
[Clamav-users] RE: Report Phishing attacks?
Samuel Benzaquen wrote:

> I can also say that they don't want to compete against commercial AV vendors as I have read here 2^32 times that we should use not _only_ clamav, but a list of AVs to improve the chances to catch malware.

That you're being recommended not to only use ClamAV does not seem to imply that ClamAV is not competing with commercial vendors. In fact, what is the _primary_ advantage of ClamAV over [your favourite commercial AV product]? Price. ClamAV may not be competing for commercial gain, but it is certainly competing for the market.

/Per Jessen, Zürich
[Clamav-users] OnUpdateExecute
This might have been more appropriate on the developer-list, I'm not sure - earlier this morning I saw OnUpdateExecute effectively hang up my freshclamd. I run a make off OnUpdateExecute to distribute the new databases etc., and somehow this process got stuck. OK, these things happen - but I hadn't expected it to also stop freshclam checking for new updates. I guess freshclam is waiting for it to finish before continuing - surely not the intentional behaviour?

/Per Jessen, Zürich
[Clamav-users] Re: OnUpdateExecute
Brian Morrison wrote:

> What command did you give it? It would make sense for whatever you do to include an & in the script file you call to put the process you launch in the background.

The command is:

/usr/bin/make -C /var/lib/clamav/ | mail [EMAIL PROTECTED]

Sticking an ampersand on the end might make some sense, but I'd still rather see freshclam use fork() instead of system() when it's running as a daemon. Here is a patch for clamav-0.83:

http://jessen.ch/files/patch-clamav-0.83-freshclam-with-fork

With this, freshclam will use a fork() for OnErrorExecute and OnUpdateExecute when it's running as a daemon - as commandline it'll still use system().

/Per Jessen, Zürich
--
http://www.spamchek.co,uk/freetrial - sign up for your free 30-day trial now!
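An added example of the workaround Brian describes (this is neither the patch linked above nor freshclam's code): a small wrapper that OnUpdateExecute calls, which hands the distribution job to a detached background process under a lock and returns at once, so a make that gets stuck can no longer block freshclam's update loop through system(). The wrapper path, lock directory, log file and mail recipient are assumptions.

```shell
#!/bin/sh
# Added example (not freshclam's code): detach the OnUpdateExecute job so the
# shell freshclam starts via system() returns immediately.
# freshclam.conf (assumed path):  OnUpdateExecute /usr/local/sbin/distribute-db.sh run
set -eu

LOCKDIR=${LOCKDIR:-/var/run/distribute-db.lock}   # mkdir is atomic, so the dir is the lock
LOG=${LOG:-/var/log/distribute-db.log}

# Start "$@" in the background, detached from freshclam's stdio, unless an earlier
# run still holds the lock. Returns 0 if started, 1 if skipped; never waits for
# the job itself, which is the whole point.
spawn_detached() {
    if ! mkdir "$LOCKDIR" 2>/dev/null; then
        echo "$(date) previous distribution still running, skipping" >> "$LOG"
        return 1
    fi
    # The subshell releases the lock when the job ends, whether it succeeded or not.
    ( "$@" >> "$LOG" 2>&1 || echo "job failed with status $?" >> "$LOG"
      rmdir "$LOCKDIR" ) </dev/null >/dev/null 2>&1 &
    return 0
}

# The job itself (the make Per runs), kept separate so the wrapper can be
# exercised with any command. Recipient "root" stands in for the redacted address.
distribute() {
    /usr/bin/make -C /var/lib/clamav/ | mail root
}

if [ "${1:-}" = run ]; then
    spawn_detached distribute
fi
```

If two freshclam updates arrive within the job's run time, the second is logged and skipped rather than queued; since the job distributes whatever is currently in /var/lib/clamav/, the first run will usually have picked up the newer files anyway, and the next update triggers a fresh pass.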
[Clamav-users] triggering a freshclam off the clamav-virusdb notify?
I've set up a freshclam that is triggered off the incoming notify for clamav-virusdb. For 722 at 0046CET today, I got the email, but freshclam did not load a new version. Version 722 wasn't downloaded till the hourly cronjob ran at 0102CET. Is that due to the DNS not being updated or the mirror or what?

/Per Jessen, Zürich
[Clamav-users] Re: triggering a freshclam off the clamav-virusdb notify?
Brian Morrison wrote:

> On Thu, 24 Feb 2005 09:09:23 +0100 in [EMAIL PROTECTED] Per Jessen [EMAIL PROTECTED] wrote:
>
> > I've set up a freshclam that is triggered off the incoming notify for clamav-virusdb. For 722 at 0046CET today, I got the email, but freshclam did not load a new version. Version 722 wasn't downloaded till the hourly cronjob ran at 0102CET. Is that due to the DNS not being updated or the mirror or what?
>
> Since you are using a mirror I assume, you have to wait for the mirror to sync.

That's what I suspect - I just thought perhaps the mirrors were actively (push) synchronised. And if the desired/current database version wasn't available at a mirror, I'd see a fallback to the next one?

> A delay of 16 minutes is hardly major though,

Absolutely - I was just wondering - shouldn't the DNS check have been positive, i.e. indicated a new database?

/etc/freshclam.conf:
DNSDatabaseInfo current.cvd.clamav.net

What I saw was this:
1) email says new version available.
2) freshclam tries DNS - DNS says no.

/Per Jessen, Zürich
[Clamav-users] Re: Re: triggering a freshclam off the clamav-virusdb notify?
Luca Gibelli wrote:

> This matter has been discussed _many_ times. In short:
> - the TTL of current.cvd.clamav.net is 900 secs
> - if you run freshclam (with DNSDatabaseInfo) more often than 900 secs, you just overload _your_ dns.

Hardly overload, but I take your point.

> Calling freshclam when a new message from clamav-virusdb@ arrives is silly.

OK, I'm beginning to realise that. I *was* concerned about the potential overload of servers, but I'd figured that the clamav-virusdb notification would take a while to propagate too, thereby spreading the load. Anyway, thanks for the clarification.

/Per Jessen, Zürich
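The two DNS threads on this page fit together: the 0.88.3 thread quotes the current.cvd.clamav.net TXT record (0.88.3:39:1579:1151933486:0) and Luca explains that its last field decides whether freshclam raises the OUTDATED warning, while this thread gives the record's 900 second TTL as the reason not to poll more often. Here is an added example (not freshclam's code, and not part of any message above) of a cron-driven check that reads the record the same way and only asks DNS once the previous answer's TTL has run out. The field order release:main.cvd:daily.cvd:unixtime:flag follows the quoted record and Luca's explanation; the dig lookup and the stamp-file path are assumptions.

```shell
#!/bin/sh
# Added example (not freshclam's code): read the current.cvd.clamav.net TXT record
# the way freshclam does and decide whether to warn or fetch, without asking DNS
# more often than the record's TTL. Field meanings follow the 0.88.3 record quoted
# in the thread; the dig lookup and the stamp-file path are assumptions.
set -eu

DNSDB=current.cvd.clamav.net
STAMP=${STAMP:-/var/lib/clamav/dnscheck.stamp}   # holds "last_query_epoch ttl"

# Split "0.88.3:39:1579:1151933486:0" into release, main.cvd, daily.cvd, unixtime, flag.
# The last field is the bit Luca refers to: 0 means "no security issue, don't warn".
parse_record() {
    IFS=: read -r rec_release rec_main rec_daily rec_time rec_flag <<EOF
$1
EOF
}

# "warn" if DNS advertises a different release AND the flag is not 0, else "quiet".
# freshclam compares the release strings for inequality, not numerically.
outdated_state() {        # $1 = TXT record, $2 = installed release
    parse_record "$1"
    if [ "$rec_release" != "$2" ] && [ "$rec_flag" != "0" ]; then
        echo warn
    else
        echo quiet
    fi
}

# "update" if the advertised daily.cvd version is above the local one, else "current".
daily_update_needed() {   # $1 = TXT record, $2 = local daily.cvd version
    parse_record "$1"
    if [ "$rec_daily" -gt "$2" ]; then echo update; else echo current; fi
}

# True once the TTL recorded with the last answer has run out. Asking before that
# only reaches your own resolver's cache, which is Luca's point above.
ttl_expired() {           # $1 = stamp file, $2 = current epoch seconds
    [ -f "$1" ] || return 0
    read -r last ttl < "$1"
    [ $(( $2 - last )) -ge "$ttl" ]
}

# Live lookup (assumes dig): prints "record ttl" on one line.
fetch_record() {
    dig +noall +answer TXT "$DNSDB" | awk '{ gsub(/"/, "", $5); print $5, $2 }'
}

# Cron use (assumed): sh clamav-dnscheck.sh <installed-release> <local-daily-version>
if [ $# -eq 2 ]; then
    now=$(date +%s)
    if ttl_expired "$STAMP" "$now"; then
        answer=$(fetch_record)
        record=${answer% *} ttl=${answer##* }
        echo "$now $ttl" > "$STAMP"
        echo "release: $(outdated_state "$record" "$1")  daily.cvd: $(daily_update_needed "$record" "$2")"
    fi
fi
```

With the quoted record and 0.88.2 installed, outdated_state answers "quiet" because the flag is 0, which is exactly why Per saw no warning and no OnOutdatedExecute; the same record with a trailing 1 answers "warn". A mirror that has not yet synced is a separate matter: the record can say "update" while the download still returns the previous daily.cvd, which is the 16 minute gap discussed above.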
[Clamav-users] clamav-virusdb-xml ?
I haven't seen any mails from the XML-list since Feb4 - what's the story? Was I accidentally unsubscribed or is the list down?

/Per Jessen, Zürich
Re: [Clamav-users] Freshclam and Cron
On Tue, 22 Feb 2005 09:53:13 -0600, [EMAIL PROTECTED] wrote:

> Freshclam via cron
>
> What sort of update intervals are people using, and can someone show me a working crontab entry? I've tried calling freshclam like this via a crontab entry
>
> 06 0 * * * /usr/local/bin/freshclam

This is mine, from /etc/cron.d/clamav:

2 * * * * root /usr/bin/freshclam

/Per Jessen
--
http://www.spamchek.ch/freetrial - see for yourself - 30 days free of charge!
[Clamav-users] Re: clamav-virusdb-xml ?
Luca Gibelli wrote:

> Hello Per Jessen,
>
> > I haven't seen any mails from the XML-list since Feb4 - what's the story? Was I accidentally unsubscribed or is the list down?
>
> We sent a message announcing that we were taking down the service. We'll be providing a new (better, we hope) service by the end of the month[*].

Thanks, I obviously missed that one.

/Per Jessen, Zürich