Re: [Clamav-users] Don't know what to do with infected files

2007-03-13 Thread Tom Samplonius


 sorry to bother you but I am new to ClamAV (on fedora core 6). I ran 
 clamscan on my laptop and got a message telling me that I have 3 files 
 infected.

  You might have some malware, but I doubt your system is infected.

 One is in my mail. I browsed the FAQ and found a way supposed (by using
...

  Yes, everyone gets junk in their e-mail.  Your system might not even be 
vulnerable to it, and it doesn't mean that the stuff has actually infected your 
system.  But finding the specific message is a bit hard with ClamAV.

 The second file infected is in my windows partition under the root 
 directory (I got this result: media/hda2/pagefile.sys: 
 Exploit.HTML.MHTRedir-8 FOUND). hda2 is my windows partition.  This file 
 is 1.3G large (from what nautilus sees/says). Again, is simply deleting
 enough? Is it usually a Windows file?

  This is the Windows swap file.  So you probably visited a site with an 
exploit, and some of your RAM holding that happened to get swapped to disk.  
Or it could be a false-positive.  Your Windows swap file is just temp storage 
while Windows is running, so anything in it is junk.  There is no need to 
disinfect it, as Windows will re-init it when it boots again.

 The third one is more confusing to me since it is a zipped file that I
 downloaded from the US Samsung site when I tried to upgrade my Yepp 920 
 studio and firmware (mp3 player interface). The scan tells me that it is 
 an oversized archive. Is there a way for clamAV to be sure of that (I

  The ZIP file may be corrupted.  The exact ClamAV message would be helpful, 
but ClamAV has protection against ZIP bombs, which contain files with 
unrealistic compression ratios.  ZIP bombs can take a really long time to 
scan, as the AV engine will decompress the file(s), which can decompress to 
100x the original size (or more).  So scanning a 50MB ZIP bomb could involve 
scanning 5GB of data.  There are settings in Clam to configure the 
unrealistic compression ratio threshold.

Tom

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Large extremely compressed text files and clamd / amavis-new

2006-12-31 Thread Tom Samplonius

- Mark Hennessy [EMAIL PROTECTED] wrote:

 Dec 29 12:56:58 host /usr/local/sbin/amavisd[89023]: (89023-01)
 (!)do_uncompress: Error running decompressor /usr/bin/gzip -d on p001,
 exit 1
 at (eval 68) line 562.
 Dec 29 12:57:14 host /usr/local/sbin/amavisd[89023]: (89023-01)
 (!)Decoding
 of p006 (ASCII text, with very long lines) failed, leaving it
 unpacked:
 do_ascii: timed out
...

  While there have been reports of long scanning times on big ZIP files 
containing text files, it seems that the above error is coming from Amavis, not 
ClamD.  It does not look like the message is hitting clamd at all.  I use 
Exiscan, not Amavis, but I know that some sites have to increase the Amavis 
timeout to 700 seconds, otherwise Amavis gives up too quickly.

  But since ClamD has a ZIP engine built-in, why do you want amavis to extract 
the files to a temporary file, when clamd could scan the file in place?

  And what version of ClamAV are you running?  0.88.7 has improvements to the 
ZIP engine.  0.99.* is supposed to be much faster on ZIP files (but still too 
slow for some sites).

Tom


Re: [Clamav-users] RE: clamav-users Digest, Vol 26, Issue 1

2006-12-26 Thread Tom Samplonius

- ZhangFrank [EMAIL PROTECTED] wrote:
 Hello all,
 
 I installed Clamav-0.88.6 by pkg_add clamav-0.88.6.tbz in FreeBSD
 OS. After configuring clamd.conf and freshclam.conf I ran freshclam,
 but got an ERROR saying
 
 /libexec/ld-elf.so.1:freshclam:Undefined symbol __h_errno
 
 I've installed clamav-0.88.6 on other FreeBSD machines before but
 never seen that error. I'm wondering why and how I can handle it.
...

  What version of FreeBSD?  The ClamAV package was probably built for a 
different version, so it does not match the libc on your system.

Tom


Re: [Clamav-users] ZIP files autodetected as virus

2006-12-05 Thread Tom Samplonius

- Dave Shariff Yadallee - System Administrator a.k.a. The Root of the 
Problem [EMAIL PROTECTED] wrote:
 Is there any way to tell Clamav to look at a file
 before it is considered a virus?
 
 I got a call from a customer who said that Zip files
 are getting intercepted by clamav and are defaulting them as a virus.

  It depends on what you have configured ClamAV to do.  You can configure 
ClamAV to:

* Consider all password-protected archives to be infected (assume they are 
infected because they can't be checked): ArchiveBlockEncrypted

* Consider all archives over a certain size to be infected: ArchiveBlockMax

  So what have you configured ClamAV to do?

  Good thing you run ClamAV too, as you are also using the root@ account to 
send (and probably) e-mail.  That's generally a bad idea.  I think ClamAV can 
detect most mail bombs, but you should probably not rely on ClamAV as your 
only security against a complete server compromise.


Tom
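The two replies above describe ClamAV's archive policy checks (compression ratio limits for ZIP bombs, ArchiveBlockEncrypted, ArchiveBlockMax) without showing the mechanism. The following is an added example, not code from ClamAV or from either thread: it reads only the ZIP central directory, which already records each entry's compressed size, uncompressed size and flag bits, and flags the archive before inflating anything. The thresholds, the `inspect_zip`/`build_sample` names and the all-zeros fixture are constructed for this example; the fixture has no encrypted entry, so that path is exercised only by the flag test.

```python
"""Pre-screen a ZIP from its central directory only: the directory already
records each entry's compressed/uncompressed sizes and its flag bits, so a
bomb-like ratio, an encrypted entry or an oversized total can be flagged
before a single byte is inflated."""
import io
import zipfile

# Assumed policy thresholds for this example; not ClamAV's own defaults.
MAX_RATIO = 100                      # uncompressed / compressed, per entry
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # cap on total declared uncompressed size
MAX_FILES = 1000                     # cap on entry count


def inspect_zip(blob: bytes) -> dict:
    """Return policy findings without extracting any entry."""
    f = {"ratio": [], "encrypted": [], "total_uncompressed": 0, "files": 0}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            f["files"] += 1
            f["total_uncompressed"] += info.file_size
            if info.flag_bits & 0x1:          # bit 0: entry is encrypted
                f["encrypted"].append(info.filename)
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > MAX_RATIO:
                f["ratio"].append((info.filename, round(ratio)))
    f["block"] = bool(f["ratio"] or f["encrypted"]
                      or f["total_uncompressed"] > MAX_TOTAL_BYTES
                      or f["files"] > MAX_FILES)
    return f


def build_sample() -> bytes:
    """Constructed fixture: one ordinary text entry plus 8 MiB of zeros,
    which deflate stores in a few KiB (a ratio around 1000:1)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "firmware update notes, nothing unusual\n")
        zf.writestr("zeros.bin", b"\x00" * (8 * 1024 * 1024))
    return buf.getvalue()


if __name__ == "__main__":
    result = inspect_zip(build_sample())
    for name, ratio in result["ratio"]:
        print(f"{name}: ratio {ratio}:1 exceeds {MAX_RATIO}:1")
    print("block" if result["block"] else "pass", result)
```

Declared sizes in the central directory can be lied about, so a ratio check is a cheap first gate; the scanner still has to cap bytes actually inflated per entry.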


Re: [Clamav-users] Choosing best MaxThreads value for clamd?

2006-11-29 Thread Tom Samplonius

- Daniel T. Staal [EMAIL PROTECTED] wrote:
 On Tue, November 28, 2006 10:53 pm, Tom Samplonius said:
   How do you choose the best MaxThreads value for a dedicated mail server?
   Should MaxThreads be equal to double the number of cores, or something
   like that?
  
   What happens if MaxThreads is set too high?  Too low?
 
 The main advice I've seen is that more is generally better, subject to the
 amount of RAM on your machine.  Too low and mail will have to either wait
 to be checked until a thread is free, or be skipped.  Too high and the
 machine will go into swap.  (Which is a massive performance hit.)  End
 result is the same for a mail processing system: less mail can go through
 your machine.  Too low is generally less of a performance hit than too
 high.
 
 So the number of cores/processors seems to be mostly irrelevant.  The
 amount of RAM you have available is the relevant number.
 
 Daniel T. Staal

  I don't know if that is accurate.  clamd seems completely CPU bound.  I also 
don't know why additional threads would use a lot of extra memory, as clamd 
seems to just stream data from the files it is caching.

  And I don't see it in practice either.  clamd with MaxThreads uses about 50MB 
resident, and clamd with MaxThreads of 10 is about 48MB.  The difference is so 
small that it is probably just local thread storage.

  But if MaxThreads is too high, the CPU(s) could spend far too much time task 
switching, and not enough time scanning.  If you set MaxThreads too high for 
your machine, clamd will be very inefficient under heavy load.

Tom


[Clamav-users] Choosing best MaxThreads value for clamd?

2006-11-28 Thread Tom Samplonius
  How do you choose the best MaxThreads value for a dedicated mail server?  
Should MaxThreads be equal to double the number of cores, or something like that?

  What happens if MaxThreads is set too high?  Too low?

Tom