[Clamav-users] Trying to debug...
Hello,

I'm running 0.91.2 on Solaris 9 with amavisd-new. I may have a problem with clamav: yesterday I saw some FakeTube mail that was not detected. I did some work on it and I saw that:

- if I did a clamdscan on a mail containing the FakeTube, clamav found the mail
- if I sent the mail content to amavis, clamav found the mail clean
- if I checked the preceding mail again with clamdscan (on the file containing the mail), clamav found the FakeTube.

Clamav still sees some viruses...

I checked again with the option to keep temporary files, and to my surprise the directories for both scans had the same content.

I wanted to do a deeper check, and I saw that there was a debug option. I compiled clamav with --enable-debug in the configuration. But when I set Debug to true, there is no more output in the log file.

Well... I believe I'm missing something...

f.g.
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
[Clamav-users] Email malware type detection and amavis
Hello again,

I had a problem of not detecting Email.Faketube on our configuration, using clamav with amavisd-new. I finally found that the problem seems to be the following:

- when I directly scan the email file, clamav finds that it's an email file, which corresponds to type 4 in the signature database.
- when amavisd-new calls clamd, it just gives the inside of the mail, which does not correspond to type 4 in the signature database, and then Email.Faketube is NOT detected.

I have added a simple signature file replacing the email type with the anyfile type (0), and then the Faketube is detected.

I wonder what is to be done there:

- should amavisd-new send the original file and not the parts to clamav (that's an amavis problem)?
- should clamav change the type of the signature?
- should I build a local database for all the Email type signatures?

f.g.
Re: [Clamav-users] Email malware type detection and amavis
Steve Basford [EMAIL PROTECTED]
Date: Tue, 28 Aug 2007 11:45:09 BST
Subject: Re: [Clamav-users] Email malware type detection and amavis

Frederic Goudal wrote:

- when amavisd-new calls clamd, it just gives the inside of the mail, which does not correspond to type 4 in the signature database, and then Email.Faketube is NOT detected. I have added a simple signature file replacing the email type with anyfile type (0), and then

Hi Frederic,

All Type 4 sigs (official ClamAV and Third-Party: SaneSecurity, MSRBL etc) will need the following setup, in order to be detected:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg08752.html

There's a lot more info in various other amavis-user, so take a look there :)

Thanks !

f.g.
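The local-database workaround discussed in this thread (re-issuing mail-only, target type 4, signatures as target type 0), sketched as an added example that is not code from the thread or from ClamAV. It assumes the extended `.ndb` layout `Name:TargetType:Offset:HexSignature`; the sample lines, the `retarget` helper and the `.AnyFile` suffix are constructed for illustration.

```python
# Added example: build local copies of mail-only signatures (target type 4)
# with target type 0 (any file), so they still apply when clamd is handed
# the decoded parts of a message instead of the raw mail file.
# Assumed line layout: Name:TargetType:Offset:HexSignature[:extra fields]

MAIL, ANY = "4", "0"

# Constructed sample lines: names and hex bodies are placeholders,
# not real ClamAV signatures.
SAMPLE_NDB = """\
Example.Mail.One:4:*:6162636465666768
Example.Any.Two:0:*:0102030405060708
Example.Mail.Three:4:0:4142434445464748:17

Broken.Line:4
"""

def retarget(lines, suffix=".AnyFile"):
    """Return (converted, skipped) for an iterable of .ndb lines."""
    converted, skipped = [], []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            skipped.append(line)      # malformed: report it, never guess
            continue
        if fields[1] != MAIL:
            continue                  # other target types are left alone
        fields[0] += suffix           # distinct name shows which copy matched
        fields[1] = ANY
        converted.append(":".join(fields))
    return converted, skipped

if __name__ == "__main__":
    out, bad = retarget(SAMPLE_NDB.splitlines())
    print("\n".join(out))             # content for a separate local .ndb file
    for line in bad:
        print("skipped:", line)
```

Target type 0 is matched against every file clamd is given, so the copies apply to more content than the originals were written for; keeping them in a separate local database makes them easy to withdraw.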
Re: [Clamav-users] Problem with clamd hanging
Tomasz Kojm [EMAIL PROTECTED]
Date: Tue, 25 Jan 2005 18:09:59 +0100
Subject: Re: [Clamav-users] Problem with clamd hanging

On Tue, 25 Jan 2005 17:48:08 +0100 [EMAIL PROTECTED] wrote:

Trog [EMAIL PROTECTED]

That's normal behaviour. A gdb backtrace of each thread when it is hanging is the most helpful thing at the moment.

Ok, so I did not use gdb as gdb core dump (maybe because I compiled clamav with sun cc). I used dbx and here is the backtrace: I can send you the email that was scanned.

=[1] __zzip_find_disk_trailer(fd = 12, filesize = 31981, trailer = 0xfeb7b29e, io = 0xff30c2b0), line 289 in zzip-zip.c

This is a known problem when using Sun's cc. Recompile with gcc.

After 24 hours with 0.81rc1 compiled with gcc I have not seen any hang-up. That's really better.

f.g.
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Problem with clamd hanging
Tomasz Kojm [EMAIL PROTECTED]
Date: Tue, 25 Jan 2005 18:09:59 +0100
Subject: Re: [Clamav-users] Problem with clamd hanging

On Tue, 25 Jan 2005 17:48:08 +0100 [EMAIL PROTECTED] wrote:

Trog [EMAIL PROTECTED]

That's normal behaviour. A gdb backtrace of each thread when it is hanging is the most helpful thing at the moment.

Ok, so I did not use gdb as gdb core dump (maybe because I compiled clamav with sun cc). I used dbx and here is the backtrace: I can send you the email that was scanned.

=[1] __zzip_find_disk_trailer(fd = 12, filesize = 31981, trailer = 0xfeb7b29e, io = 0xff30c2b0), line 289 in zzip-zip.c

This is a known problem when using Sun's cc. Recompile with gcc.

I've done it... It works now for this file. Thanks. Maybe it could be mentioned somewhere (or maybe I have not seen it).

f.g.
Re: [Clamav-users] Problem with clamd hanging
Shaun Bugler [EMAIL PROTECTED]
Date: Tue, 25 Jan 2005 10:26:07 +0200
Subject: Re: [Clamav-users] Problem with clamd hanging

It's rather a SESSION related bug. See my yesterday's post on a temporary workaround for this problem.

This fix was related to clamav-milter, right? We don't use it, don't have the milter package installed at all (built own rpm from source), so should we install the milter package (with the fix) to fix the clamd bug?

In your case it's rather a zlib problem. Make sure you have installed the new version properly - by default its Makefile only installs the static library.

Tried on 1 box that had the problem. Compiled zlib 1.2.2-1 from source, with shared libraries. This morning it happened again. Is there anything else we can try or check to try solve this?

thanks,
shaun bugler

PS: you say it's a zlib problem, what specifically is this problem?

I have tried with 0.81rc1 + zlib 1.2.2 and still hang several times this night.

f.g.
Re: [Clamav-users] Problem with clamd hanging
Trog [EMAIL PROTECTED]
Date: Tue, 25 Jan 2005 11:27:01 GMT
Subject: Re: [Clamav-users] Problem with clamd hanging

On Tue, 2005-01-25 at 12:22 +0100, [EMAIL PROTECTED] wrote:

Btw I did a truss a few days ago on the hanging process and it was stopped in an accept syscall.

That's normal behaviour. A gdb backtrace of each thread when it is hanging is the most helpful thing at the moment.

I just checked, and the problem is that clamd no longer hangs but disappears. So it may crash. The problem is that it does run with / as current dir but not as uid root. So it can't core dump. I'm wondering what I can do...

f.g.
Re: [Clamav-users] Problem with clamd hanging
Tomasz Kojm [EMAIL PROTECTED]
Date: Tue, 25 Jan 2005 11:46:21 +0100
Subject: Re: [Clamav-users] Problem with clamd hanging

On Tue, 25 Jan 2005 10:00:13 +0100 [EMAIL PROTECTED] wrote:

I have tried with 0.81rc1 + zlib 1.2.2 and still hang several times this night.

We can't help you unless you provide some useful information (backtraces, etc.).

I'll do that, but for now you just asked me to try zlib 1.2.2 and 0.81rc1. I'll try to see the backtrace. Btw I did a truss a few days ago on the hanging process and it was stopped in an accept syscall.

f.g.
[Clamav-users] Problem with clamd hanging
Hello,

I'm running clamd (clamav 0.80) on a Solaris 9 server in front of amavisd 2.2.1 with a local unix socket.

About 2 hours after we start clamd it stops accepting requests. The daemon is running, there is no special message either in amavis log or clamd log.

It does not work either with clamdscan with a connection refused message. I have not seen anything about such a problem in the mailing-list archive.

f.g.
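A probe for the failure described in this message, added here as an example and not taken from the thread: it connects to clamd's local UNIX socket, sends clamd's PING command and reports whether the daemon answered, refused the connection, or accepted it and went silent. The `probe_clamd` name, the state labels and the socket path in the usage lines are assumptions.

```python
import socket

def probe_clamd(path, timeout=5.0):
    """Classify clamd on a local UNIX socket.

    Returns 'ok', 'no-socket', 'refused', 'timeout', 'bad-reply' or 'error'.
    """
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(path)
        s.sendall(b"PING\n")          # clamd answers PING with PONG
        reply = s.recv(16)
    except FileNotFoundError:
        return "no-socket"            # socket file is gone: daemon not started
    except ConnectionRefusedError:
        return "refused"              # socket file exists, nothing listening
    except socket.timeout:
        return "timeout"              # connected, but no answer: daemon hung
    except OSError:
        return "error"                # permissions or another socket failure
    finally:
        s.close()
    return "ok" if reply.strip() == b"PONG" else "bad-reply"

if __name__ == "__main__":
    # Assumed path: use the LocalSocket value from your clamd.conf.
    print(probe_clamd("/var/run/clamav/clamd.sock"))
```

Run from cron or a supervisor, anything other than `ok` is the signal to capture a backtrace of the process before restarting it.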
Re: [Clamav-users] Problem with clamd hanging
Trog [EMAIL PROTECTED]
Date: Fri, 21 Jan 2005 16:16:51 GMT
Subject: Re: [Clamav-users] Problem with clamd hanging

On Fri, 2005-01-21 at 11:36 +0100, [EMAIL PROTECTED] wrote:

Hello,

I'm running clamd (clamav 0.80) on a solaris 9 server in front of amavisd 2.2.1 with a local unix socket.

About 2 hours after we start clamd it stops accepting requests. The daemon is running, there is no special message either in amavis log or clamd log.

It does not work either with clamdscan with a connection refused message. I have not seen anything about such a problem in the mailing-list archive.

Check which version of zlib you are using, install 1.2.2. Then I suggest you try version 0.81rc1

Thanks. I'm using 1.2.1. I'll try 1.2.2 Monday, then the 0.81 if it does not work.

f.g.