Re: [Clamav-users] "Cannot prepare for JIT..."
On Mon, 18 Oct 2010, Török Edwin wrote:

> Simply download the patch with a browser (or wget), and then apply it like this:
> patch -p1

Gotcha. "-p1" was the juju I needed to make it go.

The patch apparently works fine. Viruses still being caught without the error message.

Thanks very much!

Jeffrey Moskot
System Administrator
j...@math.miami.edu
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

Re: [Clamav-users] "Cannot prepare for JIT..."
On Mon, 18 Oct 2010, Török Edwin wrote:

> You can apply this patch (that will be in 0.96.4):
> http://git.clamav.net/gitweb?p=clamav-devel.git;a=blobdiff_plain;f=libclamav/bytecode_nojit.c;h=66d385d6a2b2f2f6afc4440a53ae87b9cae8c38b;hp=ec961a9d1bc6e3d274e664f9eb9afe4992f7757f;hb=670adde2bc4e4ba2f3b96c6ed551a3c8312693d9;hpb=cfe6b4a2163170ebf062db50c6fde8f818fe8a02

OK, I must admit that I have no idea what to do with that thing.

I installed git on my (FreeBSD) machine, but it seems massive and complicated. Presumably, all I want to do is replace some text. All the docs seem to be operating at another level, imagining that I have some kind of huge code development system in place. It even tried to install a daemon.

Is there a shortcut for using git that just makes the text changes in that small file without installing a giant infrastructure?

Sorry for the n00bishness of the question.

Jeffrey Moskot
System Administrator
j...@math.miami.edu

[Clamav-users] "Cannot prepare for JIT..."
Got this error about an hour ago when freshclam updated:

"LibClamAV Warning: Cannot prepare for JIT, because it has already been converted to interpreter"

The error also now appears every time clamscan runs, but it all seems to work. It's just annoying because it shows up in all the notifications I get from the mimedefang process and it messes up our text sorting.

Note: I compile with --disable-llvm so this is probably normal behavior, but the error just showed up and I'd like a way to quiet it down.

Thanks.

Jeffrey Moskot
System Administrator
j...@math.miami.edu

Re: [Clamav-users] clamscan fails from mimedefang with large third-party databases
On Sat, 24 Apr 2010, Török Edwin wrote:

> On 04/24/2010 11:08 AM, jef moskot wrote:
> > I doubled the MX_MAX_RSS and MX_MAX_AS arguments in the startup script, and it seems to have taken care of the problem (which I was able to recreate, see below).
>
> What are these values btw?

Here's the relevant section of the startup script:

# Limit slave processes' resident-set size to this many kilobytes. Default
# is unlimited.
#MX_MAX_RSS=1
MX_MAX_RSS=15

# Limit total size of slave processes' memory space to this many kilobytes.
# Default is unlimited.
#MX_MAX_AS=3
MX_MAX_AS=40

The commented out values are the "default" non-default values. Nothing works if you try those. I bumped those up to 75000 and 20 and things had been running fine, until 0.96. Doubling those values has things humming along now.

> I have some patches to reduce memory usage of LLVM in clamav, which will probably be in 0.96.1.

Cool, looking forward to testing the new version.

> It is not missing any functionality, it just runs a little slower when executing bytecode.

Perfect.

Thanks for all your help.

Jeffrey Moskot
System Administrator
j...@math.miami.edu

Re: [Clamav-users] clamscan fails from mimedefang with large third-party databases
On Sat, 24 Apr 2010, Török Edwin wrote:

> Does Mimedefang run clamscan under ulimit? (or is mimedefang itself constrained by some ulimits?)

I doubled the MX_MAX_RSS and MX_MAX_AS arguments in the startup script, and it seems to have taken care of the problem (which I was able to recreate, see below).

If 0.96 uses more memory than 0.95.3, then this would explain why the problem only occurred when upgrading to the new clam version.

> > ...'make test' didn't have much to say...
>
> It is called 'make check'...

Oops. Sorry about that. Here's the output of the --disable-llvm version:

make check-TESTS
PASS: check_clamav
PASS: check_freshclam.sh
PASS: check_sigtool.sh
SKIP: check_unit_vg.sh
PASS: check1_clamscan.sh
PASS: check2_clamd.sh
PASS: check3_clamd.sh
PASS: check4_clamd.sh
SKIP: check5_clamd_vg.sh
SKIP: check6_clamd_vg.sh
SKIP: check7_clamd_hg.sh
SKIP: check8_clamd_hg.sh
==
All 7 tests passed
(5 tests were not run)

So, does this mean I'm missing out on some functionality, or just that the work will be done less efficiently?

> > However, it's not quite a fair comparison, since the Sanesecurity signatures have been pared down since my first test. I'm going to add a couple more databases and see if I can get anything to break.

I did this and it did break. Changing the mimedefang values I mentioned above unbroke it.

So, ultimately, it looks like there were two problems. One was that mimedefang was memory-starved and the other was that making with --enable-llvm caused a whole lot of error messages, even when things seemed to be working otherwise.

Both problems appear to be solved now. Thanks for all the help.

Jeffrey Moskot
System Administrator
j...@math.miami.edu

Re: [Clamav-users] clamscan fails from mimedefang with large third-party databases
On Thu, 22 Apr 2010, Török Edwin wrote:

> On 04/22/2010 01:02 PM, jef moskot wrote:
> > LibClamAV Error: CRITICAL: fmap() failed
> > LibClamAV Warning: fmap: map allocation failed
> > LibClamAV Error: CRITICAL: fmap() failed
> > LibClamAV Warning: fmap: map allocation failed
> > LibClamAV Error: CRITICAL: fmap() failed
> > ./Work/INPUTMBOX: local.sig.939.UNOFFICIAL FOUND
> > ===
> > clamscanning from the command line doesn't seem to cause this problem.
>
> Try scanning the same file mimedefang scans.

With Jason Bertoch's help, I was able to add a -d parameter to the mimedefang call, which forces it to leave its work directories hanging around. I grabbed some samples (clean and dirty) and was able to scan all of them from the command line without any noisy errors.

I then rebuilt 0.96 using --disable-llvm in the configure. No scary warnings during compilation, although 'make test' didn't have much to say:

# make test
`test' is up to date.

It's running on the system now, without any complaints so far. It's catching bad attachments, URLs, spam and such.

However, it's not quite a fair comparison, since the Sanesecurity signatures have been pared down since my first test. I'm going to add a couple more databases and see if I can get anything to break.

So, which is better (define "better" however you like)...running 0.95.3 normally or 0.96 with --disable-llvm?

Jeffrey Moskot
System Administrator
j...@math.miami.edu

Re: [Clamav-users] clamscan fails from mimedefang with large third-party databases
On Fri, 23 Apr 2010, Török Edwin wrote:

> Try writing a shell script that invokes clamscan and redirects stderr as above, then in mimedefang invoke your script (don't forget to chmod +x it).

OK, I tried this 0.95.3 first, because it's working properly now and I don't want to introduce yet another variable. I just want to see if I can get the debug info written out somewhere.

Shell script:
---
#!/bin/csh
/usr/local/bin/clamscan --phishing-scan-urls=no --debug 2>/tmp/clamscan-debug $1
---

Output in /tmp/clamscan-debug:
---
--- SCAN SUMMARY ---
Known viruses: 841232
Engine version: 0.95.3
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 3.389 sec (0 m 3 s)
---

Hmm. Something went wrong...from maillog:
---
Apr 24 00:16:27 servername mimedefang.pl[16487]: Problem running virus scanner: code=56, category=swerr, action=tempfail
Apr 24 00:16:31 servername sm-mta[16486]: o3O4GOa1016486: Milter: data, reject=451 4.3.0 Problem running virus-scanner
---

man clamscan, code 56 says:
---
Can't stat input file / directory.
---

Maybe it has something to do with the order of parameter passing?

Anyway, didn't make any progress there. Got some other things to try. Will report back.

Jeffrey Moskot
System Administrator
j...@math.miami.edu

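Added example, not part of the original thread: csh has no "2>" operator, so in the csh wrapper above "2>/tmp/clamscan-debug" hands clamscan a literal argument "2" and sends stdout to the file, which is consistent with the scan summary landing in the debug file and with exit code 56. The same wrapper written for /bin/sh follows; the CLAMSCAN and DEBUG_LOG override variables and the function name scan_with_debug are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: Bourne-shell version of the wrapper.
# In csh "2>file" is not a stderr redirect; /bin/sh treats it as one.

# Overridable so the wrapper can be exercised against a stub scanner.
CLAMSCAN="${CLAMSCAN:-/usr/local/bin/clamscan}"
# Path used in the thread. A fixed name in /tmp is predictable; on a shared
# host point this at a directory only the filter user can write to.
DEBUG_LOG="${DEBUG_LOG:-/tmp/clamscan-debug}"

scan_with_debug() {
    # Mark each run so output from successive scans can be told apart.
    printf '=== %s pid=%s args: %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$$" "$*" >>"$DEBUG_LOG"
    # "$@" forwards every argument the caller appended, not just $1.
    # Only stderr (the --debug output) is appended to the log; stdout is left
    # for the caller, and the scanner's exit status is returned unchanged.
    "$CLAMSCAN" --phishing-scan-urls=no --debug "$@" 2>>"$DEBUG_LOG"
}

# Run as a script with arguments: scan and hand back clamscan's exit code.
if [ "$#" -gt 0 ]; then
    scan_with_debug "$@"
    exit $?
fi
```
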
Re: [Clamav-users] clamscan fails from mimedefang with large third-party databases
On Thu, 22 Apr 2010, Török Edwin wrote:

> Well you can add --debug 2>/tmp/clamscan-debug. That way it'll always go to a place you know (assuming mimedefangs allow the redirection).

I don't want to go too far down the mimedefang-specific path, but I added this to the command line call in my mimedefang-filter file, and all it did was create an empty file at /tmp/clamscan-debug

Here's the entry:

$Features{'Virus:CLAMAV'} = '/usr/local/bin/clamscan --phishing-scan-urls=no --debug 2>/tmp/clamscan-debug';

I don't know if there's voodoo in this particular punctuation, but path slashes didn't need any backslashes in front of them.

Should I try this all with --disable-llvm at configure time and see what happens?

Jeffrey Moskot
System Administrator
j...@math.miami.edu

Re: [Clamav-users] clamscan fails from mimedefang with large third-party databases
On Thu, 22 Apr 2010, Török Edwin wrote:

> You are running out of memory (or rather mmap()s). We have a bugreport about this, but we haven't figured how to fix it. Increasing the max number of mmaps FreeBSD allows won't fix it :(

Yikes. Well, at least there's already an open report.

> Try scanning the same file mimedefang scans.

It cleans up after itself, so I'm not sure exactly what's in the working directory that causes the trouble. We quarantine messages, however, and command-line scanning all the parts left in the quarantine doesn't produce any complaints, other than the infection detection message.

Jeffrey Moskot
System Administrator
j...@math.miami.edu

Re: [Clamav-users] clamscan fails from mimedefang with large third-party databases
On Thu, 22 Apr 2010, jef moskot wrote:

> Things ran smoothly for a little while without the larger databases...

Hmm, looks like I spoke too soon. While it did catch bad messages, it barfed a little while doing so. A couple of examples...

===
libclamav JIT: Allocation failed when allocating new memory in the JIT
^[[0;1;31mlibclamav JIT: *** FATAL error encountered during bytecode generation
^[[0m./Work/INPUTMBOX: Sanesecurity.Junk.9210.UNOFFICIAL FOUND
===
libclamav JIT: Allocation failed when allocating new memory in the JIT
^[[0;1;31mlibclamav JIT: *** FATAL error encountered during bytecode generation
^[[0mLibClamAV Warning: fmap: map allocation failed
LibClamAV Warning: fmap: map allocation failed
LibClamAV Error: CRITICAL: fmap() failed
LibClamAV Warning: fmap: map allocation failed
LibClamAV Error: CRITICAL: fmap() failed
LibClamAV Warning: fmap: map allocation failed
LibClamAV Error: CRITICAL: fmap() failed
./Work/INPUTMBOX: local.sig.939.UNOFFICIAL FOUND
===

clamscanning from the command line doesn't seem to cause this problem. Maybe because it's doing something funky decoding mail messages when launched from mimedefang, as opposed to regular files sitting in a directory? Scanning mbox files from the command line doesn't seem to cause these errors.

Jeffrey Moskot
System Administrator
j...@math.miami.edu

[Clamav-users] clamscan fails from mimedefang with large third-party databases
This might be a question for the mimedefang list, but I thought I'd try here first in case I'm missing something obviously related to clam.

I've had 0.95.3 running since it came out with no problems, but 0.96 returns an error of 2 (which the man explains as "Some error(s) occured.") when mimedefang tries to run it with my default config. It's using clamscan, which works fine from the command line.

If I go into my signature directory and move the largest of the databases away (SaneSecurity's "jurlbl.ndb", for example), it works fine. When I move them back, I get the error code 2 again.

I didn't notice if specific databases were causing the problem, or if it was only when the total size topped a certain number. (I've rolled back for the moment and am not in a good position to experiment right now, but I can test that later if necessary.)

I tried to add a "--debug", but I don't know where those messages go (yes, I know a question for the mimedefang guys) in that context. But, anyway, do you guys have any clever suggestions?

Before you ask, I don't use clamdscan because I've never needed to, and it's been one less thing to go wrong, up until now anyway.

I suppose I should note that I got a number of compiler warnings during the make (see thread: "0.96 compile warnings on FreeBSD 7.1"). Things ran smoothly for a little while without the larger databases, but I'd rather not leave the system up without the phish database and such.

Jeffrey Moskot
System Administrator
j...@math.miami.edu

Re: [Clamav-users] 0.96 compile warnings on FreeBSD 7.1
On Sat, 17 Apr 2010, Török Edwin wrote:

> Is g++ the same version too (i.e. does g++ -v shows 4.2.1 too?).

Yep, same deal:

# g++ --version
g++ (GCC) 4.2.1 20070719 [FreeBSD]

For the record, no checks failed, although some were skipped:

make check-TESTS
PASS: check_clamav
PASS: check_freshclam.sh
PASS: check_sigtool.sh
SKIP: check_unit_vg.sh
PASS: check1_clamscan.sh
PASS: check2_clamd.sh
PASS: check3_clamd.sh
PASS: check4_clamd.sh
SKIP: check5_clamd_vg.sh
SKIP: check6_clamd_vg.sh
SKIP: check7_clamd_hg.sh
SKIP: check8_clamd_hg.sh
==
All 7 tests passed
(5 tests were not run)

Doing a ./configure --enable-check didn't seem to cause more checks to be done, but from what I've read, a few skipped tests seems normal.

Jeffrey Moskot
System Administrator
j...@math.miami.edu

Re: [Clamav-users] 0.96 compile warnings on FreeBSD 7.1
Hi, all. I was on vacation for a bit and then wanted to wait for the EOL storm to blow over.

I never actually got any response to my original question, which got sidetracked by a discussion of the FreeBSD port system. At any rate, the original environment still applies:

FreeBSD 7.1/amd64 with gcc 4.2.1

The warnings appear whether installing manually or with the port system.

I suppose there is no surprise here, but if I ./configure --disable-llvm then all the original warnings do not appear during the make, but I get:

...
CC libclamav_internal_utils_la-regexec.lo
regex/regexec.c: In function 'cli_regexec':
regex/regexec.c:159: warning: passing argument 2 of 'smatcher' discards qualifiers from pointer target type
regex/regexec.c:161: warning: passing argument 2 of 'lmatcher' discards qualifiers from pointer target type
CC libclamav_internal_utils_la-regfree.lo
...
CC libclamav_internal_utils_nothreads_la-regexec.lo
regex/regexec.c: In function 'cli_regexec':
regex/regexec.c:159: warning: passing argument 2 of 'smatcher' discards qualifiers from pointer target type
regex/regexec.c:161: warning: passing argument 2 of 'lmatcher' discards qualifiers from pointer target type
CC libclamav_internal_utils_nothreads_la-regfree.lo
...

I thought I should report it.

I'm going to test the original version, with all the original warnings, beginning next week, and will report any weirdness I find.

Jeffrey Moskot
System Administrator
j...@math.miami.edu

Re: [Clamav-users] 0.96 compile warnings on FreeBSD 7.1
On Thu, 8 Apr 2010, Jerry wrote:

> Is there any specific reason that you are not using the version supplied in the ports system?

If you're somewhat careless with updating, it can be very inconvenient to roll back to a previous version of the port if there's a problem.

Also, many years ago, the port didn't work out of the box for me, so I've always done it this way. I tried switching to the port long ago and there was some kind of UID or protection issue which soured me on the process.

Mostly, though, the manual method has always "just worked", so I didn't want to fix what ain't broke.

For what it's worth, I ran into similar errors with the port:

...
CXXBasicBlock.lo
/bin/sh ./libtool --silent --tag=CXX --mode=compile c++ -DHAVE_CONFIG_H -I. -I./../.. -I./.. -I./../../ -I./llvm/include -I./llvm/include -D__STDC_LIMIT_MACROS -D__STDC_CONSTANT_MACROS -D_DEBUG -D_GNU_SOURCE -I/usr/local/include -Woverloaded-virtual -pedantic -Wno-long-long -Wall -W -Wno-unused-parameter -Wwrite-strings -Wno-missing-field-initializers -Wno-variadic-macros -fno-exceptions -O2 -fno-strict-aliasing -pipe -c -o BasicBlock.lo `test -f 'llvm/lib/VMCore/BasicBlock.cpp' || echo './'`llvm/lib/VMCore/BasicBlock.cpp
CXXConstantFold.lo
/bin/sh ./libtool --silent --tag=CXX --mode=compile c++ -DHAVE_CONFIG_H -I. -I./../.. -I./.. -I./../../ -I./llvm/include -I./llvm/include -D__STDC_LIMIT_MACROS -D__STDC_CONSTANT_MACROS -D_DEBUG -D_GNU_SOURCE -I/usr/local/include -Woverloaded-virtual -pedantic -Wno-long-long -Wall -W -Wno-unused-parameter -Wwrite-strings -Wno-missing-field-initializers -Wno-variadic-macros -fno-exceptions -O2 -fno-strict-aliasing -pipe -c -o ConstantFold.lo `test -f 'llvm/lib/VMCore/ConstantFold.cpp' || echo './'`llvm/lib/VMCore/ConstantFold.cpp
CXXConstants.lo
/bin/sh ./libtool --silent --tag=CXX --mode=compile c++ -DHAVE_CONFIG_H -I. -I./../.. -I./.. -I./../../ -I./llvm/include -I./llvm/include -D__STDC_LIMIT_MACROS -D__STDC_CONSTANT_MACROS -D_DEBUG -D_GNU_SOURCE -I/usr/local/include -Woverloaded-virtual -pedantic -Wno-long-long -Wall -W -Wno-unused-parameter -Wwrite-strings -Wno-missing-field-initializers -Wno-variadic-macros -fno-exceptions -O2 -fno-strict-aliasing -pipe -c -o Constants.lo `test -f 'llvm/lib/VMCore/Constants.cpp' || echo './'`llvm/lib/VMCore/Constants.cpp
CXXCore.lo
/bin/sh ./libtool --silent --tag=CXX --mode=compile c++ -DHAVE_CONFIG_H -I. -I./../.. -I./.. -I./../../ -I./llvm/include -I./llvm/include -D__STDC_LIMIT_MACROS -D__STDC_CONSTANT_MACROS -D_DEBUG -D_GNU_SOURCE -I/usr/local/include -Woverloaded-virtual -pedantic -Wno-long-long -Wall -W -Wno-unused-parameter -Wwrite-strings -Wno-missing-field-initializers -Wno-variadic-macros -fno-exceptions -O2 -fno-strict-aliasing -pipe -c -o Core.lo `test -f 'llvm/lib/VMCore/Core.cpp' || echo './'`llvm/lib/VMCore/Core.cpp
CXXDominators.lo
/bin/sh ./libtool --silent --tag=CXX --mode=compile c++ -DHAVE_CONFIG_H -I. -I./../.. -I./.. -I./../../ -I./llvm/include -I./llvm/include -D__STDC_LIMIT_MACROS -D__STDC_CONSTANT_MACROS -D_DEBUG -D_GNU_SOURCE -I/usr/local/include -Woverloaded-virtual -pedantic -Wno-long-long -Wall -W -Wno-unused-parameter -Wwrite-strings -Wno-missing-field-initializers -Wno-variadic-macros -fno-exceptions -O2 -fno-strict-aliasing -pipe -c -o Dominators.lo `test -f 'llvm/lib/VMCore/Dominators.cpp' || echo './'`llvm/lib/VMCore/Dominators.cpp
CXXFunction.lo
/bin/sh ./libtool --silent --tag=CXX --mode=compile c++ -DHAVE_CONFIG_H -I. -I./../.. -I./.. -I./../../ -I./llvm/include -I./llvm/include -D__STDC_LIMIT_MACROS -D__STDC_CONSTANT_MACROS -D_DEBUG -D_GNU_SOURCE -I/usr/local/include -Woverloaded-virtual -pedantic -Wno-long-long -Wall -W -Wno-unused-parameter -Wwrite-strings -Wno-missing-field-initializers -Wno-variadic-macros -fno-exceptions -O2 -fno-strict-aliasing -pipe -c -o Function.lo `test -f 'llvm/lib/VMCore/Function.cpp' || echo './'`llvm/lib/VMCore/Function.cpp
llvm/lib/VMCore/Constants.cpp: In static member function 'static llvm::Constant* llvm::ConstantExpr::getAlignOf(const llvm::Type*)':
llvm/lib/VMCore/Constants.cpp:1532: warning: missing sentinel in function call
In file included from llvm/lib/VMCore/Function.cpp:367:
./llvm/include/llvm/Intrinsics.gen: In function 'const llvm::FunctionType* llvm::Intrinsic::getType(llvm::LLVMContext&, llvm::Intrinsic::ID, const llvm::Type**, unsigned int)':
./llvm/include/llvm/Intrinsics.gen:4503: warning: missing sentinel in function call
./llvm/include/llvm/Intrinsics.gen:4508: warning: missing sentinel in function call
./llvm/include/llvm/Intrinsics.gen:4513: warning: missing sentinel in function call
./llvm/include/llvm/Intrinsics.gen:4518: warning: missing sentinel in function call
./llvm/include/llvm/Intrinsics.gen:4523: warning: missing sentinel in function call
./llvm/include/llvm/Intrinsics.gen:4528: warning: missing sentinel in function call
CXXGVMateria

Re: [Clamav-users] 0.96 compile warnings on FreeBSD 7.1
On Thu, 8 Apr 2010, Török Edwin wrote:

> Which compiler version are you using?

If we can trust this query and response...

# which gcc
/usr/bin/gcc
# gcc --version
gcc (GCC) 4.2.1 20070719 [FreeBSD]

Jeffrey Moskot
System Administrator
j...@math.miami.edu

[Clamav-users] 0.96 compile warnings on FreeBSD 7.1
This is on a FreeBSD 7.1/amd64 machine. I'll spare you the whole output of make, but there's a lot of this:

...
CXXBasicBlock.lo
CXXConstantFold.lo
CXXConstants.lo
llvm/lib/VMCore/Constants.cpp: In static member function 'static llvm::Constant* llvm::ConstantExpr::getAlignOf(const llvm::Type*)':
llvm/lib/VMCore/Constants.cpp:1532: warning: missing sentinel in function call
CXXCore.lo
CXXDominators.lo
CXXFunction.lo
In file included from llvm/lib/VMCore/Function.cpp:367:
./llvm/include/llvm/Intrinsics.gen: In function 'const llvm::FunctionType* llvm::Intrinsic::getType(llvm::LLVMContext&, llvm::Intrinsic::ID, const llvm::Type**, unsigned int)':
./llvm/include/llvm/Intrinsics.gen:4503: warning: missing sentinel in function call
./llvm/include/llvm/Intrinsics.gen:4508: warning: missing sentinel in function call
./llvm/include/llvm/Intrinsics.gen:4513: warning: missing sentinel in function call
./llvm/include/llvm/Intrinsics.gen:4518: warning: missing sentinel in function call
./llvm/include/llvm/Intrinsics.gen:4523: warning: missing sentinel in function call
./llvm/include/llvm/Intrinsics.gen:4528: warning: missing sentinel in function call
./llvm/include/llvm/Intrinsics.gen:4675: warning: missing sentinel in function call
./llvm/include/llvm/Intrinsics.gen:4679: warning: missing sentinel in function call
./llvm/include/llvm/Intrinsics.gen:4683: warning: missing sentinel in function call
./llvm/include/llvm/Intrinsics.gen:4687: warning: missing sentinel in function call
./llvm/include/llvm/Intrinsics.gen:4694: warning: missing sentinel in function call
./llvm/include/llvm/Intrinsics.gen:4702: warning: missing sentinel in function call
CXXGVMaterializer.lo
CXXGlobals.lo
CXXIRBuilder.lo
CXXInlineAsm.lo
CXXInstruction.lo
CXXInstructions.lo
llvm/lib/VMCore/Instructions.cpp: In function 'llvm::Instruction* createMalloc(llvm::Instruction*, llvm::BasicBlock*, const llvm::Type*, const llvm::Type*, llvm::Value*, llvm::Value*, llvm::Function*, const llvm::Twine&)':
llvm/lib/VMCore/Instructions.cpp:502: warning: missing sentinel in function call
llvm/lib/VMCore/Instructions.cpp: In function 'llvm::Instruction* createFree(llvm::Value*, llvm::Instruction*, llvm::BasicBlock*)':
llvm/lib/VMCore/Instructions.cpp:574: warning: missing sentinel in function call
CXXIntrinsicInst.lo
CXXLLVMContext.lo
CXXLLVMContextImpl.lo
CXXLeakDetector.lo
CXXMetadata.lo
...

Anything to worry about? The make check had no failures, but a number of tests were skipped.

I can provide more details if necessary.

Jeffrey Moskot
System Administrator
j...@math.miami.edu

Re: [Clamav-users] Problems installing 0.95.3
On Sun, 8 Nov 2009, Török Edwin wrote:

> You should apply the patch with:
> patch -p1

Ah, thank you! The "-p1" was the necessary voodoo.

It wasn't on the download page or on the Bug #1737 page, which is where you are directed for more information. I didn't think to look on the wiki.

It might be worth moving that line up to the download page, just to be a bit more helpful.

Thanks again.

Jeffrey Moskot
System Administrator
j...@math.miami.edu

Re: [Clamav-users] Problems installing 0.95.3
Will a patched version of the installation package be made publicly available?

We don't have git installed and there are many system complaints when a patch attempt is made. (Maybe due to the "--git" option in the diff lines?)

Installing git didn't make the error magically go away, and rather than starting a whole new line of investigation, I thought it'd be worthwhile to ask if a clean version will be available soon.

Alternately, a "regular" patch file would presumably also do the job.

I have no idea what "regular" would mean in this context. We use FreeBSD 7.1, so that colors my conception of what "regular" is, but other patches work fine.

I apologize for my ignorance and/or if this is a stupid request.

Jeffrey Moskot
System Administrator
j...@math.miami.edu

[Clamav-users] problem with clamscan --move
I know the syntax changed for most of the command line parameters, but I can't seem to get --move to work any more.

Previously, I could do this:

# clamscan --move /tmp testfile.zip

...and the file would be properly moved to /tmp if it's infected.

That doesn't work any more, and adding the "=" doesn't help either.

# clamscan --move=/tmp testfile.zip
infectedtestfile.zip: Worm.Mimail.G FOUND
ERROR: Can't move file testfile.zip

Any suggestions?

Jeffrey Moskot
System Administrator
j...@math.miami.edu

Re: [Clamav-users] please remove - 27 emails and counting
On Sat, 21 Feb 2009, Matus UHLAR - fantomas wrote:

> While not all MTAs add that info into the header, the recipient should
> be able to find that out from queue IDs (if the ML doesn't use VERP for
> list mail) or Received: headers, should have the copy of subscription
> confirmation. And, finally, he should have to remember where he did
> subscribe the list from!

True, he should remember, but I just did a test and if the mail is sent to an alias on our sendmail system, the exact address is not listed in the header. Only the clam mailing list address is shown, which is not helpful.

Maybe this is peculiar to our sendmail set-up, but in this case, the OP's original complaint (minus the profanity) wouldn't be entirely unreasonable. In this case, the mail unsub method can't work.

If the unsub URL included the address information, it would solve this problem, and would certainly be a better plan than having the recipients flag the mailing list traffic as spam.

Jeffrey Moskot
System Administrator
j...@math.miami.edu

Re: [Clamav-users] please remove - 27 emails and counting
On Sat, 21 Feb 2009, Matus UHLAR - fantomas wrote:

> Did you find the unsubscribe unsubscribe link?

Neither the URL nor the mail reply work if you don't remember what email address you signed up with.

I suppose it could be added to the message somewhere. A lot of lists will do that for you.

I can see my address in the header, but that might not work if you signed up with an alias. It could be a long unused alias that's still forwarding, or a disposable email address.

Or, y'know, the guy could just be an idiot.

Either way, if the software can handle it, listing the sign-up address would be a nice feature.

Jeffrey Moskot
System Administrator
j...@math.miami.edu

Re: [Clamav-users] SubmitDetectionStats: Not enough recent data for submission
On Mon, 10 Nov 2008, Tomasz Kojm wrote:

> At the moment it will report all signatures. If you think it could be
> useful in your case, we can add an option to only report the official
> sigs.

It might be useful to continue collecting the Sanesecurity and MSRBL info from those who don't want their local signatures reported.

Would it make sense to have the option to exclude signatures that begin with the prefix LOCAL or something like that?

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] SubmitDetectionStats: Not enough recent data for submission
On Fri, 7 Nov 2008, Chris wrote:

> For instance if I have a commonly reported signature,
> Sanesecurity.Phishing.Cur.1266.UNOFFICIAL, is this reported or is it
> only malware that is in the 'Official' ClamAv database reported?

I'd like to know this as well, since we have a lot of custom signatures that wouldn't be interesting to the rest of the world and we might not want to make famous in any case.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] simplest replacement for ancient amavis-perl
On Fri, 8 Aug 2008, David F. Skoll wrote:

> G.W. Haywood wrote:
> > You're making a rod for your own back if you accept bad mail. The
> > sender will sell the recipients' addresses to all his spammer friends
> > and you'll just get more of it.
>
> In my experience, spammers do not bother cleaning their address lists.

My thought process has been that if we give feedback as to which messages made it past our defenses, we're essentially telling the spammers how to construct better spam.

Then again, maybe no one is there to see the 550s these days and since (I agree with David) spammers don't seem to care if addresses are valid, they probably don't care if the spam gets there or not.

As for why we quarantine in the first place, we roll our own clam signatures, some of which are a little dicey, so we like to be able to dig ourselves out of the problems we create for ourselves.

As long as the volume isn't out of control (it isn't yet), it's better for us to accept the responsibility than to place it on the users who somehow managed to construct sentences that read like Mad Libs but are nonetheless valid.

Perhaps clam is the wrong tool for that kind of thing, but it's just so convenient, that it's going to be hard to choose another method.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] simplest replacement for ancient amavis-perl
On Thu, 7 Aug 2008, Henrik K wrote:

> I use both, but MD is IMO more of a hobbyist tool...

I didn't mean to spark a milter fight, but as the Subject line says, we're looking for the simplest thing out there. I'm replacing a simplistic perl script that just broke a message down, clamscanned it, and either passed it on for delivery or quarantined and notified. That's it.

If MIMEDefang is "bare-bones", that actually sounds appealing. We're using a script that went EOL years ago, so we don't need state-of-the-art.

Given our parameters, I'm still not sure if clamav-milter might be a quicker fix.

But now that you've opened up the possibility of something initially simple with the ability to add complexity, I'm going to have to do some reading. If we're going to have to learn one new thing no matter what, maybe it should be something we can build on later.

Thanks for the comments, guys, I'll be sure to report back.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] Newbie question about creating clam signatures
On Thu, 7 Aug 2008, Brandon Perry wrote:

> if the text is the same every time, you can just use an MD5 sum of the
> text file in question.

If you want to key off specific parts of a text file, you can use "sigtool --hex-dump" to convert the text to hex and create your own signatures in a .db file. More info here:

http://www.clamav.net/doc/latest/signatures.pdf

Note that when using the hex-dump feature, you need to strip off the last byte (that is, the "0a"). The carriage return gets encoded when you enter text interactively, so you need to remove it.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] simplest replacement for ancient amavis-perl
On Thu, 7 Aug 2008, Gerard wrote:

> Depending on the quantity of emails you receive, you might very well
> significantly reduce the load on your system by using one or perhaps a
> few RBL's. There is no point, at least in opinion, of accepting mail
> that is obviously SPAM.

We definitely do that already. It's insane not to do that these days. We use a lot of different signatures from different sources with Clam and there's enough doubt about some of them that quarantining is preferred, and it's definitely saved us a few times.

> The FreeBSD ports for ClamAV are usually up-to-date. Rarely is there
> more than a day or two lapse between the release of a new version and
> the release of it into the FBSD ports system. Using the ports system
> would also make updating your ClamAV installation far easier.

It's pretty easy to compile from source, but I can see the appeal. The only reason I'm sort of interested in the port at this point is that it seems to do a certain amount of work for you if you want to use the milter...but I'm quite content to continue compiling on my own, if I can just figure out what I'm supposed to do the first time. And if clamav-milter is really what I want. If it's not, then I don't need to change my clammerings at all.

> You did not mention your MTA.

Oops, sorry. We're married to sendmail at this point.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

[Clamav-users] simplest replacement for ancient amavis-perl
I've been using ClamAV happily for years, but we're finally moving to a modern server and our heavily modified amavis-perl script no longer works and is significantly difficult to debug that it makes sense to modernize.

In the past, we've not dealt with clamd or any daemonized version of amavis, simply because we had the cycles to burn and there seemed to be no reason to use something that requires something else to babysit it, so despite years of experience with clam, I've never messed with clamd.conf and other such things.

Currently, we accept all infected mail, and quietly quarantine it. We don't refuse it at SMTP connect, although I might be able to be convinced that that's a better idea. Still, I'd like to maintain the current behavior, since that's what everyone is used to.

So, basically, all I need is a replacement for a perl script that throws a wad of text at clamscan and then either passes it on for normal delivery or stashes it away in a quarantine directory, with a note passed on to a local admin address in the latter case.

Since amavis seems to have morphed into a monster with a million config options, links to SQL databases, and its own separate milter that you need to run along with it(!), I was looking at clamav-milter, which looks simple and also comes with the benefit of a community I'm comfortable with. I can't find any decent documentation on it, however, (if I'm missing something obvious, please point me at it!) and it seems to jam mail at SMTP connection time rather than accepting and scanning later. I've found references to using it to quarantine messages, which would be perfect, but I haven't seen the docs to explain how to do that.

Also I've found some explanations of how to compile clam to get the milter, but those were in connection with FreeBSD ports, and I don't like to have to wait until an update has been bundled before I can deploy it.

Any advice would be welcome, including "STFU and RTFM", as long as you can point me to a decent manual. Thanks!

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] quarantine on specific from address
On Tue, 19 Feb 2008, Gomes, Rich wrote:

> How do you run sigtool in interactive mode?

Just type "sigtool --hex-dump" (without the quotes) at the command line. Whatever you type in will be converted into hex on the next line (although, again, it will also convert the linefeed, so strip off the last 0a before pasting). CTRL-C gets you out of it.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html

Re: [Clamav-users] quarantine on specific from address
On Tue, 19 Feb 2008, Brandon Perry wrote:

> sigtool --hex-dump [EMAIL PROTECTED] | tee ~/mycustomsignature.db

That didn't do anything for me either, and it doesn't address the issue of naming the signature in the database. Sometimes a good old-fashioned cut-and-paste is simpler than fun-with-pipes.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] quarantine on specific from address
On Tue, 19 Feb 2008, Gomes, Rich wrote:

> So if I am going to trigger on one address (i.e. [EMAIL PROTECTED])
> my syntax will be:
>
> sigtool --hex-dump [EMAIL PROTECTED] > mycustomsignature.db

That might work, but the proper format is to have a name for the signature, so Clam knows what to call it when it sees it. Hmmm, actually that doesn't even create the .db file properly for me.

I'd just use the magic of cut-and-paste. Use your favorite text editor to create the mycustomsignature.db file. Use sigtool in interactive mode to get the hex signature (being sure to cut off the last 0a, since it will be a line feed)...or use one of the available online hex translators. Then put the name you want to call the signature, an =, and then paste in the hex (with no spaces in there).

Note that Clam doesn't fail gracefully when there are database errors, so make sure everything is working immediately after each change.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] quarantine on specific from address
On Tue, 19 Feb 2008, Gomes, Rich wrote:

> I have a specific need to quarantine emails coming from a particular
> email address.

A quick hack would be to make a signature that includes the address, and some other identifying information from a mail header. Everything you need to know is here, although not documented as nicely as it could be:

http://www.clamav.org/doc/latest/signatures.pdf

Basically, you use "sigtool --hex-dump" to create a hex signature of some text (in this case, the email address in question), and put that into a regular text file ending with the extension .db in your signature directory. (Make sure you chop off the 0a byte at the end.)

The file format is very simple. Example:

temp.email.signature=62696c6c7940626f622e636f6d

(Whatever you want to call the signature on the left, an = sign, and then the hex sig on the right.)

If you're going to leave it on for any length of time, you should be at least slightly clever and not only have the address listed, but also some header info, to make sure you don't intercept messages TO that address or messages that simply contain that address. Info about wildcards is in the docs, if you need it.

Make sure you reload the databases once you make the change, if you're using the clam daemon. Good luck.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

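The name=hex procedure described in the sigtool posts above (hex-dump the text, drop the trailing 0a, then name, =, hex with no spaces), as an added example that is not part of the thread. It assumes od(1) as a stand-in for "sigtool --hex-dump" so it runs without ClamAV installed; the function names and the temp.email.from signature name are made up for illustration.

```shell
#!/bin/sh
# Build and sanity-check lines for a ClamAV ".db" file in the name=hex
# format from the posts. Assumption: od(1) replaces "sigtool --hex-dump";
# both emit the input bytes as lowercase hex.

# hex_of TEXT -> hex of exactly the bytes in TEXT (no trailing newline).
hex_of() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# hex_of_typed TEXT -> what you get when the text is typed and Enter is
# pressed: the line feed is encoded too, as a final "0a".
hex_of_typed() {
    printf '%s\n' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# strip_lf HEX -> HEX with one trailing "0a" byte removed, if present.
strip_lf() {
    case "$1" in
        *0a) printf '%s' "${1%0a}" ;;
        *)   printf '%s' "$1" ;;
    esac
}

# make_sig NAME TEXT -> one "NAME=HEX" line ready to paste into a .db file.
make_sig() {
    printf '%s=%s\n' "$1" "$(hex_of "$2")"
}

# check_sig LINE -> returns 0 for a well-formed plain-hex entry; otherwise
# prints the reason and returns 1. Plain hex only: wildcard syntax from the
# signature docs is outside what this check understands.
check_sig() {
    name=${1%%=*}
    hex=${1#*=}
    case "$1" in *=*) ;; *) echo "missing '='"; return 1 ;; esac
    [ -n "$name" ] || { echo "empty name"; return 1; }
    [ -n "$hex" ] || { echo "empty hex"; return 1; }
    case "$hex" in
        *[!0-9a-fA-F]*) echo "non-hex character or space"; return 1 ;;
    esac
    [ $(( ${#hex} % 2 )) -eq 0 ] || { echo "odd number of hex digits"; return 1; }
    case "$hex" in
        *0a|*0A) echo "ends in 0a (stray line feed?)"; return 1 ;;
    esac
    return 0
}

# Constructed sample input: the address behind the hex in the post's example
# line, plus the same address tied to a From: header so that mail sent TO it,
# or merely mentioning it, does not match. The exact header text is an
# assumption; real From: lines vary.
ADDR='billy@bob.com'

for line in \
    "$(make_sig temp.email.signature "$ADDR")" \
    "$(make_sig temp.email.from "From: $ADDR")" \
    "temp.email.typed=$(hex_of_typed "$ADDR")"
do
    if reason=$(check_sig "$line"); then
        echo "ok      $line"
    else
        echo "REJECT  $line ($reason)"
    fi
done
```

The third line is rejected because it still carries the encoded line feed; the database should still be test-loaded after every change, as the post says.
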
Re: [Clamav-users] Phishing feature defaults, naming, and 0.92
On Tue, 27 Nov 2007, Mark wrote:

> Hmm, i'm just in the process of upgrading from 0.88.7 to 0.91.2
> (FreeBSD). "The difference in accuracy between what we were used to and
> the newer version was so large that it fundamentally changed the nature
> of the product," do you mean that in a bad way?

It depends on how you used it before. If you'd used it as part of a scoring system, then you just need to weight phishing hits less than standard virus hits. If you previously rejected/quarantined/dropped messages based solely on whether they were positive hits, then you should turn off the anti-phishing checks (or at least not act directly upon them).

The false positive rate for phishing is extremely high, relative to what you're used to, and can't be reasonably used as a sole determinant of deliverability. In short, you can't use Clam as a simple binary good/bad test with the anti-phishing stuff turned on.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] Phishing feature defaults, naming, and 0.92
On Thu, 22 Nov 2007, Christoph Cordes wrote:

> - after a new release ClamAV should mimic the behavior of the preceding
> version by default unless it's a major release (.x0) or the user enabled
> possible new features explicitly. furthermore the default behavior
> should be as conservative as possible. Did i get this right?

I think that's reasonable, especially since I haven't seen anyone touting any specific benefit of doing things otherwise. The debate has been mostly philosophical.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] Phishing feature defaults, naming, and 0.92
On Mon, 19 Nov 2007, Dennis Peterson wrote:

> Perhaps they should issue a warning or advisory against re-using the
> config files from previous versions as this has the potential to
> introduce surprises.

The surprise would still exist if you use clamscan and not clamdscan. This config file talk is a distraction from the basic point that the software changed in an extremely significant way, without appropriate warning. It wasn't a COMPLETE surprise, if you read the docs, but the difference in accuracy between what we were used to and the newer version was so large that it fundamentally changed the nature of the product, and that wasn't made sufficiently clear.

I agree that any installed software is ultimately the responsibility of the admin, but this change was unnecessarily jarring for no particularly good reason. Even if you want to take a political stand on the nature of documentation or config files, there's still very little actual benefit to the change in question.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] Phishing feature defaults, naming, and 0.92
On Fri, 16 Nov 2007, rick pim wrote:

> who on earth upgrades from one beta to another and uses the same
> configfile???

If you're using clamscan, the config file doesn't enter into it, but the default behavior still changes. You need to pass a flag to turn off the phishing checks. I get the whole "expect surprises" argument, but some surprises are a lot more surprising than others.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] Accurate subjects (was Re: PhishingScanURLs is dreadfully slow/CPU-intensive)
On Tue, 13 Nov 2007 Dennis Peterson wrote:

> Even timid users need to edit the file as a minimum to disable the
> "Example" line.

Another point is that those who use clamscan (not the daemon) will have the default behavior changed more invisibly. You have to pass a parameter to disable the anti-phishing stuff, and clamscan users aren't used to making config changes to get the same behavior. It's not the end of the world, but it is a shock to the system when the behavior of a program changes so drastically.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] Accurate subjects (was Re: PhishingScanURLs is dreadfully slow/CPU-intensive)
On Mon, 12 Nov 2007, Dennis Peterson wrote:

> Even timid users need to edit the file as a minimum to disable the
> "Example" line. Once there I'm certain they can then change the other
> critical areas that require attention.

From my point of view, without the phishing code, you can pretty safely use Clam to divert messages with very nearly 100% accuracy, due to the signature-based scheme. With the phishing code enabled, a positive hit is now only suggestive of a bad message. You can't use it to block messages outright, which fundamentally changes the nature of the product.

I might feel differently if Clam hadn't been idiot-proof for years, but since it's set such a high standard in the past, I think the phishing code (in its current state) muddies the waters and could easily make a new user lose confidence in the project.

That said, I like the idea that Clam is experimenting with anti-phishing, but until the code lives up to Clam's previous block-and-forget standards, I don't think it's a good idea to make it a default. I suppose the benefit is that it helps with testing, and driving the point home to users that the phishing protection is not like the virus protection.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] RFC: Recognize mbox format
On Mon, 8 Oct 2007, Joao S Veiga wrote:

> To me, is more logical/easier/less annoying to explode the mboxes ONLY if
> something is found in them instead of exploding all the mboxes to scan them
> (in
> 99.842% of the cases, they will be clean anyway).

If you use the SaneSecurity signatures, it is actually extremely likely that you will find "infected" files in existing mailboxes. The signatures are terrific, but there is an unavoidable lag between the newest phishes and the updated sigs, moreso than in the standard anti-virus sigs. This is the case in my environment, anyway.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] clamscan extremly slow
On Mon, 18 Jun 2007, Eric Rostetter wrote:

> I feel there are good reasons to run clamscan instead of another option,
> and I feel that one can indeed do so if they have sufficient
> resources...

For perspective, in my environment we'd be talking about a database load time of less than a couple seconds. In a situation where mail volume is low, that's hardly detectable.

Another issue is the lack of futzing around with config files, sockets, and many of the other questions that populate this list constantly. I'm not saying that's rocket science, but it's one less thing to worry about, and simplicity has value.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] clamscan extremly slow
On Mon, 18 Jun 2007, Dennis Peterson wrote:

> Clamscan is a terrible tool to use in real time with email.

I would recommend it for low volume servers with cycles to burn, given that the other option is a daemon that can potentially fail. Neither is entirely ideal, but we should take the wide variety of environments into account. Maybe the default recommendation should be clamdscan, but clamscan is not an unreasonable choice in certain circumstances.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] daily.wmd trouble with 0.91rc1
On Mon, 4 Jun 2007, Noel Jones wrote:

> BTW, I'm *very* impressed with the db load speed improvements in
> 0.91rc1.

I agree. The load speed for 0.92 had me considering rolling back to 0.88, but 0.91rc1 is a tremendous improvement. Thanks for a great service.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] daily.wmd trouble with 0.91rc1
On Fri, 1 Jun 2007, Noel Jones wrote:

> So you're having this same problem?

Yes, I was getting core dumps trying to clamscan.

> I used sigtool -u to unpack daily.cvd, then hand-created a daily.inc
> directory with all the unpacked files, then hand-edited daily.wdb to
> remove the offending lines. Oh, and then moved daily.cvd out of the
> way.

Thanks, I hadn't messed around with unpacking signatures to know the best thing to do. I just went for the thing that stopped the core dumps ASAP!

> I've disabled freshclam for the night so my hand-crafted .wdb won't be
> overwritten, and will revisit this tomorrow.

As will I. Thanks again!

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] daily.wmd trouble with 0.91rc1
On Fri, 1 Jun 2007, Noel Jones wrote:

> Ok, I've narrowed it down to the following TWO lines in daily.wdb:
> X:http.//www\.ebay\.co\.uk.+:.+emailpics.\.ebay\.com:14-
> X:http.//info.citibank.com.+:https.//offer.citibank.com:14-

I removed the files in the .inc directories and freshclam pulled down a new main.cvd and daily.cvd. Deleting daily.cvd stopped clamscan from dumping core for me.

Quick and brainless, but the easiest move to make when in Panic Mode. Not ideal, obviously.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] Re: mailbox to maildir transform help
On Fri, 23 Mar 2007, Pascal Duchatelle wrote:

> What I discovered this way is that thunderbird (at least the version I
> had installed) never really erases the messages.

This article should interest you:

http://kb.mozillazine.org/Thunderbird_:_Tips_:_Compacting_Folders

For what it's worth, I think Thunderbird's handling of this issue is just awful. It's very difficult to explain to end users that in the default configuration, every so often they need to remember to do something counter-intuitive that makes their computer unusable for 20 minutes. Considering how badly Thunderbird begins malfunctioning when these files reach large sizes, there's really no excuse.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] Does ClamAV scan the header?
On Sat, 3 Mar 2007, Leonardo Rodrigues Magalhães wrote:

> This middle-software will get the email text, save in a file and ask
> clamav to scan those files. If headers are saved as well, so clamav will
> YES scan headers. If the software saves only body, then clamav will have
> no access to the headers.

Ah, of course! I've been thinking of things differently because I've recently been using clam to scan existing mailboxes in yet another hacky usage.

Anyway, yes, excellent point. Completely wrong mailing list for this question. Sorry to bother you all.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

[Clamav-users] Does ClamAV scan the header?
I was thinking of doing something hacky by having clam triggered by specific text in an X-header. I haven't made a signature based on a simple text string before, but it didn't look very difficult based on the docs.

Aside from the basic poor design and misuse of tools involved, would there be any technical issues with this hack? Would it work? Any pitfalls to look out for?

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] submit-to-publish time much too long for phishing
On Wed, 29 Nov 2006, JamesDR wrote:

> ...if your users are being let down by the 'time it takes to get a phish
> sig' then isn't about time their network/mail admin looked into added
> levels of detection?

I think the original point was that if Clam is going to scan for phishing at all, the response time might be too slow to be useful, given the frequency with which the content changes. I haven't looked at our data closely enough to say whether or not this is true for our site, but it seems like it's worth looking into.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] Cherishing my ignorance - An appeal to packagers
On Fri, 10 Nov 2006, Bart Silverstrim wrote:

> On Nov 10, 2006, at 11:07 AM, jef moskot wrote:
> > If some packages install without difficulty and others do not, then
> > how about we work together to bring the less efficient packages in line
> > with the more effective ones?
>
> Now see, that's a reasonably worded request, but see, he didn't do that.

Couldn't we just pretend he did and move on from there?

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] Cherishing my ignorance - An appeal to packagers
On Fri, 10 Nov 2006, Bart Silverstrim wrote:

> What you're talking about is hassle...if it's too much hassle, you move
> on to something else. That's fine and dandy. But there are many many
> many people who are using, for example, ClamAV without throwing a fit
> because there's too much in the conf file to set up.

He didn't throw a fit, he suggested that if a package exists, it ought to work. I don't think that's unreasonable. Calling him lazy is obscuring and sidestepping the actual problem. It's also pointless, since if you've read the subject line, you already know that he's lazy. He's admitted it, hooray, you win.

If some packages install without difficulty and others do not, then how about we work together to bring the less efficient packages in line with the more effective ones?

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] bash script to split mbox file and scan individual messages
On Mon, 28 Aug 2006 [EMAIL PROTECTED] wrote:

> I can see this working in a smaller environment although I still think
> it is less than ideal...

I think we all agree with that, but the world is a somewhat less than ideal place and there are some cases where such a tool is useful. Thanks to the original poster for sharing his work.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] bash script to split mbox file and scan individual messages
On Mon, 28 Aug 2006 [EMAIL PROTECTED] wrote:

> jef moskot wrote:
> > Occasionally there are major virus flare-ups (and often there are phishing
> > scams and such) that occur before an appropriate signature is in place.
> When do you actually scan then? Do you scan when the email is retrieved by
> the end user or do you just cron job something to go through all the boxes?

I usually only do this manually in special instances, but then I don't have a huge number of mailboxes to go through. When it's a major outbreak (eg, something Microsoft has no patch for), I would consider it negligent not to try to eliminate as many copies of the virus as possible.

I have a small script I modify to do the job of lifting the offending messages out of the mbox files. On a large scale, there's the obvious problem of modifying files that could be in use or files that the user could be modifying during the stripping process. I can monitor these fairly easily in my environment, but on a larger scale, this would certainly be a much nastier problem.

As to the question of whether or not the files have been accessed already, in the general case, I can get to the mailboxes before they are accessed by a majority of the users. Certainly a high enough percentage to make the task worth it. Again, though, this is due to our environment.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] bash script to split mbox file and scan individual messages
On Sun, 27 Aug 2006, Bit Fuzzy wrote:

> As for the situation, we've been using ClamAV for going on 3 years now,
> and I have never (I repeat never) seen this occur.

Occasionally there are major virus flare-ups (and often there are phishing scams and such) that occur before an appropriate signature is in place. In these instances, it's not unreasonable to try to clean out user inboxes before they have a chance to do something they shouldn't.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] Unofficial Phishing Signatures
On Thu, 2 Feb 2006, Steve Basford wrote:

> Could you give me the signature names that match the false positives
> please.

Oh, duh. Of course. Looks like 2 completely different kinds of eBay communications both matched:

Html.Phishing.Auction.Gen009.Sanesecurity.06020102

Thanks.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] Unofficial Phishing Signatures
The latest batch seems to include a number of false positives, so I had to revert. I don't want to submit private user data, but an example is the apparently legit report from eBay entitled "Changes to eBay User Agreement and Privacy Policy". Other issues include apparently legitimate communications between buyers and sellers.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] announce? was (v0.86.2 'OUTDATED' version check INCORRECT ... reports as OLDER than v0.86.1)
On Mon, 25 Jul 2005, Dennis Peterson wrote:

> Christopher McCrory said:
> > What are the chances of getting new version announcements to the 'users'
> > list also?
> Monitor your logs - you don't need anyone's help to learn there's a new
> version. Just a cron entry that grep's -i "warning" pipe mailx root will
> do the trick.

I think the point is to decrease the number of "What's going on?" messages during each upgrade, not to keep attentive admins from noticing new updates. That's why he said "also"...because presumably we all get the announce list, but obviously enough people don't to cause a round of questions each update.

I can certainly tolerate one duplicate update message from the Clam team if it will cut down on the same thread respawning every update.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] Clamav + Exim on FreeBSD
On Thu, 7 Jul 2005, Odhiambo Washington wrote:

> Where is the new version of zlib, if you might know?

I'm not sure that it's a new version of zlib, exactly, especially since the problem and the fix seem to be OS-specific. If you have FreeBSD 5.3 or 5.4, there are explicit instructions for what to do here:

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:16.zlib.asc

(Just throw that into your favorite browser.)

You should also probably sign up to the FreeBSD security mailing list, which will bother you every few months with little patches like this. Sometimes they will apply to you, sometimes not.

If you don't have FreeBSD 5.3 or 5.4, I don't think this most recent problem affects you. I'm sure someone will correct me if I'm wrong.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

RE: [Clamav-users] Clamav + Exim on FreeBSD
On Thu, 7 Jul 2005, jef moskot wrote:

> It affects FreeBSD 5.4 and 5.4...

Oops, that's 5.3 and 5.4. Sorry about that.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

RE: [Clamav-users] Clamav + Exim on FreeBSD
On Thu, 7 Jul 2005, Christopher X. Candreva wrote:

> www.zlib.net is still showing 1.2.2 from Oct 3 2004 as the latest version.
> Where is the version that was released yesterday ?

It affects FreeBSD 5.4 and 5.4, so if you have 4.x, you might not have noticed. Full details here:

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:16.zlib.asc

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] Creating your own signatures
On Tue, 21 Jun 2005, jef moskot wrote:

> On Sat, 18 Jun 2005, jef moskot wrote:
> > If I forward the spam with the attached image to myself, clamscan picks
> > it up. If I forward the image itself in a different message to myself,
> > clamscan also detects it.
> >
> > However, if I clamscan the original mail file with the spam in it,
> > clamscan doesn't see it. If I take shields down and mail the gif to
> > myself, then clamscan the mail file, it doesn't find it.
>
> (Also if I scan the file directly, it detects it.)
>
> I just installed 0.86 and I'm still having this problem. I also tested it
> with an .exe instead of a .gif and the problem is identical, so it's not
> specifically an image thing.
>
> So, either it's unable to unpack the attachment and see it for what it is
> (which is unlikely, since I can scan other mailboxes and detect viruses)
> or for some odd reason it's not using my personal database when scanning
> mailboxes, but it is using it when scanning regular files.
>
> Is it possible that it ignores additional .hdb files when scanning mboxes?

Sorry to nag, but since there were never any responses on this topic and it's been a few weeks, I thought I'd ask again...

For those of you with local .hdb databases, are they used properly when scanning mbox-format messages? I'm still having the problem of them being detected when the attachment is fed directly to clamscan, but not detected when clamscan tries to scan an mbox with the offending file in the mbox as an attachment.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] Creating your own signatures
On Sat, 18 Jun 2005, jef moskot wrote:

> If I forward the spam with the attached image to myself, clamscan picks
> it up. If I forward the image itself in a different message to myself,
> clamscan also detects it.
>
> However, if I clamscan the original mail file with the spam in it,
> clamscan doesn't see it. If I take shields down and mail the gif to
> myself, then clamscan the mail file, it doesn't find it.

(Also if I scan the file directly, it detects it.)

I just installed 0.86 and I'm still having this problem. I also tested it with an .exe instead of a .gif and the problem is identical, so it's not specifically an image thing.

So, either it's unable to unpack the attachment and see it for what it is (which is unlikely, since I can scan other mailboxes and detect viruses) or for some odd reason it's not using my personal database when scanning mailboxes, but it is using it when scanning regular files.

Is it possible that it ignores additional .hdb files when scanning mboxes?

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] Creating your own signatures
I read your message and decided it sounded like something interesting to try to block spam, and I'm having the opposite problem. I did a "sigtool --md5 g1.gif > g1.hdb" and stuck the result in my definitions directory. When I scan the gif directly, it works:

# clamscan g1.gif
g1.gif: Spam.g1 FOUND

To be technical, my mail glue thingy does a "clamscan --detect-broken", so:

# clamscan --detect-broken g1.gif
g1.gif: Spam.g1 FOUND

Looks good. If I forward the spam with the attached image to myself, clamscan picks it up. If I forward the image itself in a different message to myself, clamscan also detects it. However, if I clamscan the original mail file with the spam in it, clamscan doesn't see it. If I take shields down and mail the gif to myself, then clamscan the mail file, it doesn't find it.

It looks like the glue (amavis) picks the mail file apart then feeds each individual file to clamscan. (There is probably some double-duty going on with clamscan unzipping things that have already been unzipped and fed to it, but it's a low volume server, so if that's happening, I don't mind.) Anyway, that would explain why the gifs themselves are detected and why they are caught when mailed to the server, but not once they are already there.

Have I turned off some option that tells clamscan to look at image files or something? Note that I'm not using clamdscan ever, so (from what I understand) the conf files shouldn't apply here. Is this a compile option I've missed or something? Sorry if this is a stupid question, but it's driving me nuts. (By the way, YES, other viruses are detected when I clamscan the mail files.)

Also for reference:

ClamAV 0.85.1/945/Sat Jun 18 05:51:33 2005
main.cvd is up to date (version: 32, sigs: 34720, f-level: 5, builder: tkojm)
daily.cvd is up to date (version: 945, sigs: 1073, f-level: 5, builder: ccordes)

Thanks! Jeffrey Moskot System Administrator [EMAIL PROTECTED]
Re: [Clamav-users] How to use clamav-milter?
On Wed, 15 Jun 2005, Damian Menscher wrote: > clamav-milter works *only* as a plugin to sendmail. There will be a > line in your sendmail.mc that tells sendmail to send stuff to the > milter. This is exactly how amavis is working right now. > One could "simplify" by having procmail call clamdscan to do the virus > filtering, but then you don't get to reject them... This is an excellent point. OK, it looks like I'll just do a one-to-one replacement of amavis with clamav-milter and handle spam filtering completely independently. Thanks for the input, it was extremely helpful. Jeffrey Moskot System Administrator [EMAIL PROTECTED] ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] How to use clamav-milter?
Out of curiosity, is clamav-milter necessary to use clamscan (not clamd) with sendmail and SpamAssassin? Right now, I use amavis between sendmail and clamscan but when I upgrade the system, I'd like to use SpamAssassin. I'd like to use the simplest setup possible, so if I'm going to be using SpamAssassin anyway and can do without amavis and clamav-milter, that would be ideal. Jeffrey Moskot System Administrator [EMAIL PROTECTED] ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] How many False Positives with the "broken EXE" option?
On Fri, 3 Jun 2005, Jason Haar wrote: > I've always been too afraid to turn it on as I was concerned about any > assumptions made by the code might lead it to block otherwise valid > executables I wonder about that too, since it's not the default behavior. For what it's worth, I turned it on earlier this week and so far it's only blocked 2 files, both of them broken Netsky .pif files that ClamAV would not have otherwise picked up. Our server is pretty low volume, though. Jeffrey Moskot System Administrator [EMAIL PROTECTED] ___ http://lurker.clamav.net/list/clamav-users.html
[Clamav-users] should Broken.Executable files be submitted?
I've got a couple .pif files that McAfee detects as W32/[EMAIL PROTECTED] and clamscan doesn't detect at all, in its default mode. If I use the --detect-broken option, they're picked up as Broken.Executable. Since --detect-broken is not the default behavior for clamscan, should these still be submitted at clamav.net or is --detect-broken reasonable enough that I should just turn it on? Jeffrey Moskot System Administrator [EMAIL PROTECTED] ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] sober.p and german adverts?
On Mon, 16 May 2005, Matt Fretwell wrote: > Dennis Peterson wrote: > > The world experience is that Windows drones on dialups or cable/dsl > > are a major source of spam/viruses. > That is coming back to the dynamic elitist viewpoint. I agree with both of you, actually. In theory, of course, Matt is right. If you're doing everything properly, you shouldn't be punished. On the other hand, given a limited amount of time to mess with e-mail, blocking all dynamic traffic proves to be an incredibly effective, efficient, and accurate means of blocking spam. If you configure your error messages properly and have a decent exception policy, smart, competent people like Matt are going to be able to work around the system with a minimum of fuss while Dennis is still protected from those other 99.9% of users. A lot of idealism goes down the tubes when confronted with the real world, but there are compromises you can make that, while imperfect, get you to a place where everything functions reasonably. -jef ___ http://lurker.clamav.net/list/clamav-users.html
[Clamav-users] /var/tmp/clamav-partial hanging around
If I do the #24 testvirus test ( http://www.webmail.us/testvirus ), the mail is delivered properly (which is fine, because there's no virus in there), but I also get a little file in /var/tmp/clamav-partial named something like partialmsg### that doesn't go away. Inside the file is the data portion of the mail (I can provide a copy to anyone interested). Is this a minor Clam bug, or is something misconfigured on my side? The file and directory appear to be root:wheel. I've noticed that a similar thing happens (rarely) when large mail files are scanned. Sometimes all the component parts are left undeleted. Every few months, I can go in there and remove a couple directories and everything seems fine. I'm running 0.84, using amavis to pass the mail along to clamscan (not using clamd), using sendmail on FreeBSD 4.X. Thanks. Jeffrey Moskot System Administrator [EMAIL PROTECTED]
Re: [Clamav-users] test virus # 14 - my setup or something else?
On Thu, 24 Mar 2005, Sean Franklin wrote: > http://www.testvirus.org/ > Anyway, #14 got thru this time: > Test #14: Eicar virus sent in a Microsoft TNEF file (winmail.dat) I noticed the same thing this week. I believe, as Nigel mentioned, that the winmail.dat file is corrupt and cannot be read. I tried a number of different TNEF unpackers and none of them could open the file. I've contacted the site directly about the issue. The first message was ignored and the second one generated the following useless response: > The person who sent you this email sent it from Microsoft Outlook using > Rich Text format. Rich Text is a Microsoft proprietary format that can > only be opened by other Microsoft email programs. This person will need > to resend the email to you using HTML or Plain Text by changing their > option under Outlook's "Format" menu while composing a new email. If you have a spare moment, maybe you could try contacting them as well, so they know it's not just one person asking. It is possible that the file can be read by some versions of Outlook, so I think it's worth following up on this. It could be that the file is intentionally corrupt, because Outlook can open it, but other unpackers can't, similar to the zip trick a while ago. Or it could just be a mistake at testvirus.org. I'm happy to see that someone else is experiencing this problem, though. Well, I mean...you know what I mean. Jeffrey Moskot System Administrator [EMAIL PROTECTED]
Re: [Clamav-users] eicar within tnef
On Tue, 22 Mar 2005, Tomasz Kojm wrote: > ClamAV doesn't support the TNEF format. Hmm, good point. I also forgot to mention I'm using ClamAV 0.83, but I guess that's irrelevant. I use amavis to pass the files off to ClamAV and I haven't changed anything (purposely) with it, but prior to this week, it worked fine. I guess I'll pursue the issue with the testvirus guys to see if they've changed anything. Jeffrey Moskot System Administrator [EMAIL PROTECTED] ___ http://lurker.clamav.net/list/clamav-users.html
[Clamav-users] eicar within tnef
Is anyone having trouble detecting Test #14 (the TNEF test) from http://www.webmail.us/testvirus ? I know there's been a lot of discussion about eicar detection with regards to Clam recently, and, to complicate the issue, I can't seem to unpack the winmail.dat file, so it could be that things have changed on their side. Perhaps they're taking advantage of some sort of weird exploit like the 0 byte zip thing. Or maybe my system is just screwy. Opinions? Jeffrey Moskot System Administrator [EMAIL PROTECTED] ___ http://lurker.clamav.net/list/clamav-users.html
RE: [Clamav-users] Re: Freshclam and Cron
On Tue, 22 Feb 2005, Cormack, Ken wrote: > > I can't understand why everyone runs this through cron when it doesn't > > eat much memory or cpu cycles when run as a daemon? > > I can think of lots of reasons. The way I look at it, if you need something in cron to periodically check that the freshclam daemon hasn't died, you might as well just configure the updates exactly as you'd like them with cron itself. I'd rather have something in cron anyway, as long as there's no major benefit to running the daemon. Jeffrey Moskot System Administrator [EMAIL PROTECTED] ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Exploit.W32.MS05-002 False Positives
On Wed, 9 Feb 2005, Maxim Britov wrote: > > > P900\Beyonce Knowles - Crazy In Love (2).wav: Exploit.W32.MS05-002 FOUND > I don't know, but size is ~50-100KB. If they're tiny files, are you sure they're actually wavs? Maybe someone downloaded these things and instead of funky beats, they're full of Greek soldiers? Jeffrey Moskot System Administrator [EMAIL PROTECTED] ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] RAR module failure
Is there an eicar sample wrapped up using this version of rar available? Jeffrey Moskot System Administrator [EMAIL PROTECTED] ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Phishing Questions
On Thu, 27 Jan 2005, Jim Maul wrote: > What if the plumber and the mechanic work on it together? ;) What if the electrician goes to night school to learn ornithology? ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] clamav-milter man page description of --noreject
On Tue, 28 Dec 2004, Christopher X. Candreva wrote: > Pardon me if I'm confusing a discussion here with something from either > the spamassassin or SPAM-l lists, but every discussion I've read says > that returning a 550 at your gateway is the preferred method, as it > blocks actual bad stuff, while returning an error to the actual sender > of a false positive. I think the 550 is appropriate for spam, only because it is more likely that any given message identified as spam is actually a real message. No spam-blockers advertise over 99% accuracy, for example. On the other hand, virus false-positives are so rare that I don't personally think it is beneficial in the big picture to 550 them. I have the idea in my head that this is the most common way of looking at things, but I could be completely wrong. Just wanted to mention that the 550 thing is typically brought up in terms of spam, so it's likely that's where you heard that kind of talk. Given that the 550 goes back to the actual mail server that delivers the nasty payload (not a forged one), I can see the value of 550ing viruses too (I just don't do it). I do monitor the quarantine stats, however, just in case I see something strange. Jeffrey Moskot System Administrator [EMAIL PROTECTED]
Re: [Clamav-users] Virus naming
On Sat, 18 Dec 2004, Nigel Horne wrote: > What tests do you have for false positives with RTBL? The good lists allow you to manually de-list yourself in a few seconds, so even if you take no other precautions, there should never be a case where a user can't send legit mail (unless their machine is compromised or something). The good lists also make so few mistakes that we haven't seen one in over a year of use. The bad lists can be quite problematic without extensive whitelisting and other backup systems. Jeffrey Moskot System Administrator [EMAIL PROTECTED] ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
On Tue, 16 Nov 2004, Julian Mehnle wrote: > If people require machines as desperately as that to prevent themselves > from falling for fraud attempts... ...then they're pretty much behaving in the manner humanity always has and always will. > To those of you who argue that ClamAV should detect phishing attacks > even though tools like SpamAssassin are designed and inherently better > suited for doing that, I'd like to say that you will never really be > able to abandon SpamAssassin & Co. anyway. Again, I don't think that's what the ClamAV team is trying to accomplish here. They're just going after the most active phishing threats out there, not trying to completely prevent your system from any sort of unwanted e-mail (or even every possible phishing attack). I understand that you want your users to have the right to screw themselves, which I understand from a philosophical standpoint, despite the fact that I think it's terribly silly. But, you aren't demanding that everyone else be terribly silly, so I don't see any problem with your request. Given the way things have happened in the past, I wouldn't be surprised if this functionality were quietly added in the next CVS release while everyone keeps arguing about how many clicks it takes to make something a virus. The argument I DON'T think much of is the "slippery slope" argument, mostly for this reason...interspersed between all the discussion in this thread are tons of confirmation messages in my inbox, letting me know that ClamAV has nailed tons of phishing messages that wouldn't have otherwise been caught. Job well done. There are dozens (hundreds?) of new viruses and trojans added to the database every week that most of our systems will never see, but no one complains about the resource hit those are making, because we all know that on the off-chance we ever get one of these rare beasts, we'd be very happy ClamAV was there to stop it.
The argument that phishing attacks are a bunch of one-offs that you'll never see again is not backed up by my data. The very first anti-phishing signature added to the database nabbed a few specimens just today. Maybe in a month they'll be gone forever, but such is the way of worm flare-ups these days as well. Despite all the hyperbole, what's really happened here is that a small amount of work (ie, a few signatures) has been done that will save a disproportionately huge amount of headaches in the sys admin community. There's no point in claiming the sky is falling, just yet, anyway. I think this is a worthwhile discussion to have, and philosophical ideals are important, but we should also take a peek at the real world from time to time as well. We should be watchful of any drastic turns in ClamAV development, but we haven't seen any of those yet. Jeffrey Moskot System Administrator [EMAIL PROTECTED]
Re: [Clamav-users] ClamAV should not try to detect phishingandothersocial engineering attacks
On Mon, 15 Nov 2004, Bart Silverstrim wrote: > I think (julian's?) original problem was that he didn't see why a virus > scanner should shoulder the responsibility for every message that goes > out saying "Hey, click here for k3wl new deals on Mort Gage rat3s! > Yoove been approved!", when it's not a virus, it's something that is > enticing people who should know better to click on it for free crap and > more spam. That's not what's happening here. Jeffrey Moskot System Administrator [EMAIL PROTECTED] ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] ClamAV should not try to detect phishing andother social engineering attacks
On Mon, 15 Nov 2004, Bart Silverstrim wrote: > ...if you're going to start moving it into another direction, it may be > best to fork that and leave the original recipe alone until the new > direction... I think you're overstating what the ClamAV team is trying to accomplish here. Forget the "slippery slope" and look at what they're actually doing. > Some messages talk about using "real time scanning" on file > access...would that have use of scanning for phishing attacks on home > directory contents? No more than scanning for nearly everything else Clam scans for... > Personally I don't like the idea of protecting users from their own > stupidity... As a sys admin, this is part of my job. A large portion of my userbase is unsophisticated, and a philosophical argument about why they need to learn to protect themselves wouldn't fly with the boss. Again, I don't have any problem with Julian's basic premise, but I think this discussion has shown that we can't even agree on what "social engineering" means. Given that, maybe adding a flag that allows you to ignore signatures with certain prefixes makes sense, but I don't see the benefit of putting too much effort into being overly specific about the specific path a virus takes from unsolicited e-mail to user hard drive. Jeffrey Moskot System Administrator [EMAIL PROTECTED]
Re: [Clamav-users] ClamAV should not try to detect phishing andother social engineering attacks
On Mon, 15 Nov 2004, Bart Silverstrim wrote: > I'd say leave it to the antispammers to hammer out, and to the people > who focus on bayes filters... In my case, if Clam has a chance to see the phishing e-mail, the anti-spam tactics have already failed. So, from my point of view, this is extra protection which would not otherwise have been offered. I'm not going to comment on the technical aspects of blocking these messages, except to say that I've always found the ClamAV team to be incredibly competent, and if they've chosen to take up this task, then they probably think they can do it effectively. > May be doing them a disservice if the signature mismatch a legit mail, > though. This is true of any pattern-matching system. > Bolting more functions to a program, extending it beyond the original > design, is a good way to start introducing problems and losing focus of > the project. I agree, but I think the basic usage of ClamAV is as a mailscanner, so this is hardly a stretch. For the same reason, I think your argument about scanning Word docs for phishiness being a waste is not really that persuasive. Also, in the big picture here, it looks like they're only adding very prevalent phishing schemes. This doesn't seem to be a proposed anti-spam solution or even a method for stamping out all phish traffic. The "slippery slope" argument is something to keep in mind, but it also shouldn't prevent simple no-brainer solutions to easily solved problems from being made available. Jeffrey Moskot System Administrator [EMAIL PROTECTED] ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
RE: [Clamav-users] ClamAV should not try to detect phishing andother social engineering attacks
On Mon, 15 Nov 2004, Trog wrote: > For example, the last Bagle (or Bofra) outbreak simply sent an email to > its target victims, who then have to click on a link to download the > Worm. According to your definition, that is a 'social' attack, and > should not be blocked. I was going to make this same point. I understand what Julian is trying to say, and I don't object to a ClamAV option that would allow him to receive all the unwanted garbage he wants, but I don't really buy his logic. He says some people might want to receive 419 scams and such, but some people might also want to receive viruses. Sys admins often make the call that people can't have free access to viruses, for the good of the community, and I see granting people easy access to spread malware (either accidentally or purposely) or encourage phishing falling into the same category. I appreciate the intellectual argument that ClamAV should remain "modular", but in basic practice, anyone who is preventing users from receiving all the viruses their inboxes can handle isn't doing them a disservice by closing off another malware avenue. The average admin is most likely very pleased with the ClamAV team's decision to block phishing attacks (or at least the incredibly prevalent ones). Personally, I don't think much of SpamCop, but I do see that as Julian's most compelling argument. I think that warrants a ClamAV option, but I also think it would be ill-advised to use it. Jeffrey Moskot System Administrator [EMAIL PROTECTED]
Re: [Clamav-users] zlib 1.2.2 released
Does this relate to any of the FreeBSD ports? http://www.freebsd.org/cgi/ports.cgi?query=zlib&stype=all Or is this a core OS thing? I haven't seen a security release from the FreeBSD team on this one yet... Jeffrey Moskot System Administrator [EMAIL PROTECTED] ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] specifying infected message in a mailbox
On Thu, 23 Sep 2004, Christopher X. Candreva wrote: > On Thu, 23 Sep 2004, jef moskot wrote: > > Is there any simple way to specify which particular message in a > > mailbox file is infected? > No. Would it be difficult for the ClamAV team to offer such output when doing a "clamscan --mbox"? Something like... infected.mbox: Eicar-Test-Signature FOUND in message #538 In any case, thanks for the help. I'm unfamiliar with procmail, so I found a little tool called mb2md which converts an mbox file into many individual mail files with a numbered extension (maildir format). clamscan hit on 2 of the numbers, so I removed those messages and all was well. A bit messy, but it did the job. Jeffrey Moskot System Administrator [EMAIL PROTECTED] ___ Clamav-users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/clamav-users
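The manual workaround in the message above (split the mbox, then check each message) and the earlier question about whether .hdb hashes match attachments inside an mbox can both be checked with a short script. This is an added example, not ClamAV code or anything posted to the list: `parse_hdb`, `scan_mbox` and `demo` are hypothetical names, the mail and attachment bytes are constructed, and the signature line assumes the `md5:size:name` layout that `sigtool --md5` writes.

```python
import hashlib
import mailbox
import os
import tempfile
from email.message import EmailMessage


def parse_hdb(text):
    """Parse .hdb lines (md5:size:name) into {md5: (size, name)}."""
    sigs = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        # Skip comments, blank lines and anything without a numeric size.
        if len(fields) < 3 or not fields[1].isdigit():
            continue
        sigs[fields[0].lower()] = (int(fields[1]), fields[2])
    return sigs


def scan_mbox(path, sigs):
    """Return (message number, subject, filename, signature) per match.

    Each MIME leaf part is decoded (base64/quoted-printable undone) before
    hashing, so the digest is taken over the same bytes sigtool saw when
    the attachment was hashed as a stand-alone file.
    """
    hits = []
    box = mailbox.mbox(path, create=False)
    try:
        for number, key in enumerate(box.iterkeys(), start=1):
            msg = box[key]
            for part in msg.walk():
                if part.is_multipart():
                    continue
                payload = part.get_payload(decode=True)
                if payload is None:
                    continue
                entry = sigs.get(hashlib.md5(payload).hexdigest())
                if entry and entry[0] == len(payload):
                    hits.append((number, msg.get("Subject", ""),
                                 part.get_filename(), entry[1]))
    finally:
        box.close()
    return hits


def _mail(subject, attachment=None, filename=None):
    """Build one constructed test message, optionally with an attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content("constructed body text\n")
    if attachment is not None:
        msg.add_attachment(attachment, maintype="image", subtype="gif",
                           filename=filename)
    return msg


def demo():
    """Write a three-message mbox (constructed data) and scan it."""
    spam_gif = b"GIF89a" + bytes(range(64))        # constructed sample bytes
    other_gif = b"GIF89a" + bytes(range(64, 128))  # constructed, no signature
    hdb_text = "%s:%d:Spam.g1\n" % (hashlib.md5(spam_gif).hexdigest(),
                                    len(spam_gif))
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "sample.mbox")
    box = mailbox.mbox(path)
    try:
        box.add(_mail("constructed clean mail"))
        box.add(_mail("constructed spam sample", spam_gif, "g1.gif"))
        box.add(_mail("constructed mail, other image", other_gif, "ok.gif"))
        box.flush()
    finally:
        box.close()
    try:
        return scan_mbox(path, parse_hdb(hdb_text))
    finally:
        os.remove(path)
        os.rmdir(workdir)


if __name__ == "__main__":
    for number, subject, filename, name in demo():
        print("message #%d (%s): %s: %s FOUND"
              % (number, subject, filename, name))
```

The message number counts from 1 in mbox order, so it can be used directly to pull the offending message out for a closer look or removal.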
[Clamav-users] specifying infected message in a mailbox
Is there any simple way to specify which particular message in a mailbox file is infected? I asked about this before and it was suggested that I use the --debug tag, but this generates a huge amount of data that I can't seem to pipe anywhere useful. And even if I could, that doesn't translate into a simple way to ID one message out of thousands. This has come about since upgrading to 0.80rc2, so thanks to the ClamAV team for allowing us all to catch more evil stuff. Your hard work is appreciated. Jeffrey Moskot System Administrator [EMAIL PROTECTED]
[Clamav-users] Re: [Clamav-announce] ClamAV shirts now available
On Sun, 5 Sep 2004, Luca Gibelli wrote: > SourceWear.com is selling some nice t-shirts and polo shirts > powered by ClamAV. Will you be making any with the old skool line-drawn clam logo? Jeffrey Moskot System Administrator [EMAIL PROTECTED]
Re: [Clamav-users] Idea for more timely virusdb updates
On Tue, 10 Aug 2004, Damian Menscher wrote: > Anyone know if it's really feasible for us to obtain a mailserver that > can send out 2k emails to all (100,000?) users in a short (5-10 mins) > time? I haven't been following the whole discussion, but I thought this was mostly to provide support to "power users". I think the average small-time admin would be happy with the hourly updates. Jeffrey Moskot System Administrator [EMAIL PROTECTED]
Re: [Clamav-users] How to disinfect an mbox file?
> Just curious, if clamav was running on the server, how did the infected > message get into the mbox in the first place? I've experienced this problem before when a new worm hits before Clam can detect it. Usually no more than a few infected messages get through before Clam catches up. I'd be happy if the output more clearly identified the message in which the infection was discovered, even if it stopped after seeing the first one. Jeffrey Moskot System Administrator [EMAIL PROTECTED]
Re: [Clamav-users] Ethics Question
On Thu, 10 Jun 2004, Nigel Horne wrote: > And just hope that the next person to dial in to the ISP who gets that > IP address from DHCP is the same person... If it's done immediately, then the chance of alerting the wrong machine is pretty small, isn't it? Jeffrey Moskot System Administrator [EMAIL PROTECTED]
RE: [Clamav-users] Ethics Question
On Wed, 9 Jun 2004, Mitch (WebCob) wrote: > We are sending this notification as a public service. Please contact > your computer support person or visit one of the many PC Antivirus > providers. Many have free solutions to your problem. That does sound reasonable to me. I wonder if there isn't a technical reason why this might be a Bad Idea, though. For example, it used to be courteous to send an e-mail to a sender to let them know their computer was infected, but now trying to do things like that is a nuisance because it's highly unlikely that you're actually going to be contacting the original sender. Popping up a message on the machine with the proper IP number of the source of the infection sounds useful at best and harmless at worst...but is it really harmless? Could these popups interrupt running processes on poorly configured servers and such? Jeffrey Moskot System Administrator [EMAIL PROTECTED]
Re: [Clamav-users] Virus Alias Database
On Mon, 10 May 2004, Kevin Spicer wrote: > My current thinking is to do it as automatically as possible, otherwise > I'll just get bored / occupied doing something else and not keep the > alias mapping up to date Not to dis your excellent work, but has anyone contacted the corporate anti-virus companies and offered to share names with them? I might be being totally naive here (and I do assume that the "majors" wouldn't like to let the world know about a free product that's better than what they're selling), but it couldn't hurt to ask, right? Even if we could just get one of the majors to include the ClamAV alias, then we wouldn't have to re-invent the wheel. I just can't think of an easy way to automate the process. I mean, at SOME point, some human has to make the link between Netsky and SomeFool. It can be done in the ClamAV update e-mails, but not if ClamAV discovers the virus first and doesn't know what the commercials are going to call it. I dunno, just throwing stuff out there. Again, no disrespect. You've done some great work creating that database. Jeffrey Moskot System Administrator [EMAIL PROTECTED]
Re: [Clamav-users] Virus Alias Database
On Sun, 9 May 2004, Kevin Spicer wrote: > I've put a little more work into my virus alias database (at > http://www.kevinspicer.co.uk) What's the suggested method for dealing with the ClamAV-calls-it-something-else problem? I know other AV authors have this same issue, but they tend to have websites that list the other aliases (unfortunately, they must feel threatened by the thought of letting others know there's a free solution out there, so they don't seem to list the ClamAV aliases). So, if I type in "Netsky", I don't see any ties to SomeFool. If I put in "SomeFool", I don't see any immediate reference to Netsky, but if I poke around a little, it becomes apparent that we're talking about the same thing. Not sure how it should be implemented, but it might make sense to highlight the alias differences in some way, particularly the very popular ones. Jeffrey Moskot System Administrator [EMAIL PROTECTED]
Re: [Clamav-users] Cleaning MBOX files?
Oops. Didn't mean to spam the world with this, but since I've already done it... > ...remember that enabling debug now also leaves the temporary files > around to aid (of course!) debugging. Where does it leave these files? Jeffrey Moskot System Administrator [EMAIL PROTECTED]
Re: [Clamav-users] Cleaning MBOX files?
> > Is keeping a message counter feasible, given the design of the code?
> It's perfectly feasible and I've just done it when you enable debug to help
> you (look in the CVS code I've just committed - mbox.c version 1.66). However
> please don't enable debug all the time, and remember that enabling debug
> now also leaves the temporary files around to aid (of course!) debugging.
>
> Look for the "Deal with email number %d" messages.

This is better than before, but the --debug option still generates an enormous amount of noise.

Would it be possible to have a specific option that only explains which mailbox message the infected file is in? Trying to figure out which message is infected is certainly the next step once you've found an infected file, so I think this option would have a very broad appeal.

Something like "clamscan -mbox -iN " would be great. Is this possible/reasonable?

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
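Added example (not part of the original message and not ClamAV's own code): one way to learn which mbox message is infected without reading --debug output is to scan every message on its own. It assumes a clamscan on PATH that recognises a single mail message file by itself; the names clamscan_file and find_infected are hypothetical.

```python
import mailbox
import os
import subprocess
import sys
import tempfile


def clamscan_file(path):
    """Return the signature clamscan reports for path, or None if clean."""
    # Assumption: clamscan is on PATH. It exits 0 (clean), 1 (virus found)
    # or 2 (error) and prints hits as "<path>: <Signature> FOUND".
    proc = subprocess.run(["clamscan", "--no-summary", path],
                          capture_output=True, text=True)
    if proc.returncode == 0:
        return None
    if proc.returncode != 1:
        raise RuntimeError("clamscan failed: " + proc.stderr.strip())
    for line in proc.stdout.splitlines():
        if line.endswith(" FOUND"):
            return line[:-len(" FOUND")].rsplit(": ", 1)[-1]
    return "unknown"


def find_infected(mbox_path, scan=clamscan_file):
    """Scan every message separately; return (number, Message-Id, Subject, signature)."""
    hits = []
    box = mailbox.mbox(mbox_path, create=False)
    try:
        for number, key in enumerate(box.keys(), start=1):
            headers = box.get_message(key)
            fd, tmp = tempfile.mkstemp(suffix=".eml")
            try:
                with os.fdopen(fd, "wb") as handle:
                    handle.write(box.get_bytes(key))  # one message, no "From " line
                signature = scan(tmp)
            finally:
                os.unlink(tmp)  # do not leave a possibly infected copy behind
            if signature:
                hits.append((number, headers.get("Message-Id", "?"),
                             headers.get("Subject", "?"), signature))
    finally:
        box.close()
    return hits


if __name__ == "__main__":
    for hit in find_infected(sys.argv[1]):
        print("message %d  id=%s  subject=%r  -> %s" % hit)
```

The message number is the 1-based position in the mbox file, so it can be used directly with a mail client or a splitter to pull out the offending message.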
Re: [Clamav-users] virus names (any reference?)
On Wed, 14 Apr 2004, Bart Silverstrim wrote:
> On Apr 13, 2004, at 7:16 PM, jef moskot wrote:
> > Personally, I don't understand why this particular name has not been
> > changed, given the prevalence of this worm.
> Statistics being broken, it would create "transient" viruses that in
> reality were just renamed, adds to the cruft of multiple names floating
> around in lists and search engines,

I'm only talking about the seriously ridiculous differently-named worms here. Let's say, for example, one we're all probably receiving (at least) a couple hundred of each day. (I don't even think there's another example in the ClamAV database.)

The "broken statistics" argument is the only one I think carries any weight. I personally don't care about this one, and even if I did, it doesn't sound like anything that can't be fixed with a simple search and replace, but I understand how this could be a big deal for some of us.

If you want to get rid of "cruft", eliminating "SomeFool" would be a good way to do it. Actually, I think it should have been done a long time ago, once it became obvious that this one's going to be with us for a long time.

To me, the only question is: is the continuing confusion worse than the work necessary to change those databases? I don't suppose we actually have the data to answer that question.

But, as I said before, if a new user who is considering using ClamAV checks to see if the worm that's currently slamming his server is detected by ClamAV and he does the most reasonable search possible, it's going to look like ClamAV doesn't do the job. If another crappy magazine reviews ClamAV, a hack writer could check the database and write "Ha, it doesn't even catch Netsky!".

I think a concern with image is legitimate. Calling a well-known worm something else for no immediately obvious purpose (yes, it makes sense when you explain it to someone, but most users wouldn't get that on their own) makes the product seem a little dicey. It might make admins ask, "Should I put nonconformist software on my production server?"

> A central repository of cross-references would probably be the best and
> most resilient solution.

I definitely agree, but that's a lot of work.

I know I keep saying the same thing here (and I'll stop now, if nothing new is brought up), but this seems like a real no-brainer to me. It might be different if we weren't constantly getting questions on this list about the whole SomeFool/Netsky issue. I just don't understand why we're insisting on going against the grain on this one...

Sorry to go on about this so much, because it really is a minor point, but it seems like we're being a little silly with this one.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
Re: [Clamav-users] Cleaning MBOX files?
On Wed, 14 Apr 2004, Nigel Horne wrote:
> On Wednesday 14 Apr 2004 12:58 am, jef moskot wrote:
> > Is keeping a message counter feasible, given the design of the code?
> It's perfectly feasible and I've just done it when you enable debug to help
> you (look in the CVS code I've just committed - mbox.c version 1.66).

This is great news! Thanks very much!

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
Re: [Clamav-users] Cleaning MBOX files?
On Fri, 9 Apr 2004, Tomasz Kojm wrote:
> jef moskot <[EMAIL PROTECTED]> wrote:
> > Is there no way to get Clam to report which message the infected file
> > (or at least the FIRST infected file) is in?
> You may try with clamscan -m --debug

Could you give some tips on how to use that to figure out which message is being referred to?

For example, I have a mail file with just one message in it (which is infected) and the output is quite noisy. I've attached it below.

When scanning a mailbox with 1000 messages in it, it's quite difficult to make anything of this output without knowing exactly what to look for. Also, piping the output to a file doesn't seem to work, so even if there's some flag to grep for, it's difficult to manage.

Is keeping a message counter feasible, given the design of the code?

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

SCAN OUTPUT (names have been changed to protect the innocent and not):

#: clamscan -m --debug malware.1
LibClamAV debug: Loading databases from /usr/local/share/clamav
LibClamAV debug: Loading /usr/local/share/clamav/main.cvd
LibClamAV debug: /usr/local/share/clamav/main.cvd: CVD file detected
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 1b99fa97eec06a4e2946d2c53d63f2c1
LibClamAV debug: Decoded signature: 1b99fa97eec06a4e2946d2c53d63f2c1
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /var/tmp//5be97e661849fdd0/COPYING
LibClamAV debug: Unpacking /var/tmp//5be97e661849fdd0/viruses.db
LibClamAV debug: Loading databases from /var/tmp//5be97e661849fdd0
LibClamAV debug: Loading /var/tmp//5be97e661849fdd0/viruses.db
LibClamAV debug: Initializing trie.
LibClamAV debug: Loading /usr/local/share/clamav/daily.cvd
LibClamAV debug: /usr/local/share/clamav/daily.cvd: CVD file detected
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = ac07fb36367c36f62aebaf42ff53c273
LibClamAV debug: Decoded signature: ac07fb36367c36f62aebaf42ff53c273
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /var/tmp//2c1156fb087c6d13/COPYING
LibClamAV debug: Unpacking /var/tmp//2c1156fb087c6d13/viruses.db2
LibClamAV debug: Loading databases from /var/tmp//2c1156fb087c6d13
LibClamAV debug: Loading /var/tmp//2c1156fb087c6d13/viruses.db2
LibClamAV debug: Recognized MBox file
LibClamAV debug: Starting cli_scanmail()
LibClamAV debug: in mbox()
LibClamAV debug: Deal with header From [EMAIL PROTECTED] Thu Apr 8 11:18:31 2004
LibClamAV debug: parseEmailHeader 'From [EMAIL PROTECTED] Thu Apr 8 11:18:31 2004'
LibClamAV debug: parseMimeHeader: cmd='From [EMAIL PROTECTED] Thu Apr 8 11', arg='18:31 2004'
LibClamAV debug: Deal with header Return-Path: <[EMAIL PROTECTED]>
LibClamAV debug: parseEmailHeader 'Return-Path: <[EMAIL PROTECTED]>'
LibClamAV debug: parseMimeHeader: cmd='Return-Path', arg=' <[EMAIL PROTECTED]>'
LibClamAV debug: Deal with header Received: from virus.relay.com (virus.relay.com [XXX.XXX.XXX.XXX])
LibClamAV debug: parseEmailHeader 'Received: from virus.relay.com (virus.relay.com [XXX.XXX.XXX.XXX])'
LibClamAV debug: parseMimeHeader: cmd='Received', arg=' from virus.relay.com (virus.relay.com [XXX.XXX.XXX.XXX])'
LibClamAV debug: Discarding unwanted argument 'by virus.destination.com (8.12.8p1/8.12.8av) with SMTP id i38FIVa7017841'
LibClamAV debug: Discarding unwanted argument 'for <[EMAIL PROTECTED]>'
LibClamAV debug: Discarding unwanted argument 'Thu, 8 Apr 2004 11'
LibClamAV debug: Discarding unwanted argument '18'
LibClamAV debug: Discarding unwanted argument '31 -0400 (EDT)'
LibClamAV debug: Discarding unwanted argument '(envelope-from [EMAIL PROTECTED])'
LibClamAV debug: Deal with header Date: Thu, 8 Apr 2004 11:18:31 -0400 (EDT)
LibClamAV debug: parseEmailHeader 'Date: Thu, 8 Apr 2004 11:18:31 -0400 (EDT)'
LibClamAV debug: parseMimeHeader: cmd='Date', arg=' Thu, 8 Apr 2004 11:18:31 -0400 (EDT)'
LibClamAV debug: Deal with header Message-Id: <[EMAIL PROTECTED]>
LibClamAV debug: parseEmailHeader 'Message-Id: <[EMAIL PROTECTED]>'
LibClamAV debug: parseMimeHeader: cmd='Message-Id', arg=' <[EMAIL PROTECTED]>'
LibClamAV debug: Deal with header Received: (qmail 7 invoked by alias); 8 Apr 2004 15:22:58 -
LibClamAV debug: parseEmailHeader 'Received: (qmail 7 invoked by alias); 8 Apr 2004 15:22:58 -'
LibClamAV debug: parseMimeHeader: cmd='Received', arg=' (qmail 7 invoked by alias); 8 Apr 2004 15:22:58 -'
LibClamAV debug: Deal with header Delivered-To: [EMAIL PROTECTED]
LibClamAV debug: parseEmailHeader 'Delivered-To: [EMAIL PROTECTED]'
LibClamAV debug: parseMimeHeader: cmd='D
Re: [Clamav-users] virus names (any reference?)
On Wed, 14 Apr 2004, Antony Stone wrote:
> The problem here is that it's only possible to measure "prevalence" once
> there's been quite a lot of it under the old name...

I agree with this in principle, but I think this is a special case. There's no denying that this is one of the most "popular" differently-named worms ClamAV has ever dealt with. I think it deserves re-examination at this point, as it continues to be an issue.

Other viruses/worms have been renamed in the past, and while I recognize that there'd be issues with renaming this one at this time, NOT renaming it continues to create nuisances.

My personal take on the situation is that renaming would eliminate more issues than it would create, although I could be completely wrong.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
Re: [Clamav-users] virus names (any reference?)
On Wed, 14 Apr 2004, Jesper Juhl wrote:
> I've been working on a website to allow users to do exactly that, but
> due to being overworked and various other issues it has not progressed
> as fast as I had hoped - still working on it when I have a chance
> though, so expect something like that in the future.

I think if the website just said "What we call 'SomeFool' others call 'Netsky'," 95% of all questions would be covered.

Personally, I don't understand why this particular name has not been changed, given the prevalence of this worm.

A comprehensive web site would certainly be a nice feature, but I think it's really overkill while resources are limited.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
Re: [Clamav-users] Cleaning MBOX files?
Is there no way to get Clam to report which message the infected file (or at least the FIRST infected file) is in? Or does that add too much overhead?

Someone once suggested turning verbose mode on, but that still didn't help to pin down specific messages.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]