Re: [Clamav-users] daily.wmd trouble with 0.91rc1

2007-06-05 Thread Jose Alf.

--- jef moskot [EMAIL PROTECTED] wrote:

> On Mon, 4 Jun 2007, Noel Jones wrote:
> > BTW, I'm *very* impressed with the db load speed improvements in
> > 0.91rc1.
>
> I agree.  The load speed for 0.92 had me considering rolling back to 0.88,
> but 0.91rc1 is a tremendous improvement.  Thanks for a great service.

I had trouble with 0.90.2; amavisd-new was unable to
scan files and my mail queue started to grow very
quickly, so I went back to 0.90.1. I applied patches
to close the security vulnerabilities published
recently with CAB, CHM and PDF files. If someone is
interested, a source rpm is available. I would like to
test 0.91, but I will be busy for the next two weeks.

Regards,
Jose



___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] daily.wmd trouble with 0.91rc1

2007-06-04 Thread Jason Frisvold
On 6/2/07, Bill Landry [EMAIL PROTECTED] wrote:
> Noel, I started seeing the same problem this evening with ClamAV
> 0.90.3.  I finally had to recompile with --disable-experimental and
> everything has run fine here since.  I wonder if you disable the
> experimental sections in the clamd.conf file if that will have any
> effect.  Also, can you compile with experimental specifically disabled
> (--disable-experimental)?

I've had the problem on my machine as well.  CentOS 5.0.  I have it
compiled with --disable-experimental, though from Tomasz' post, it
seems that this has no effect on the anti-phishing code.

Same symptoms too..  Worked fine till the freshclam update, then
started crashing all over..  I've reverted back to 0.90.3 for the time
being.

> Good luck...
>
> Bill


-- 
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
http://blog.godshell.com


Re: [Clamav-users] daily.wmd trouble with 0.91rc1

2007-06-04 Thread Tomasz Kojm
On Sat, 2 Jun 2007 13:02:54 +0200
Tomasz Kojm [EMAIL PROTECTED] wrote:

> On Sat, 02 Jun 2007 00:22:48 -0500
> Noel Jones [EMAIL PROTECTED] wrote:
>
> > I recompiled clamav without --enable-experimental and still have the
> > error.  It's unclear if this flag does anything interesting right now
> > since the anti-phishing code is enabled by default in this version.
>
> The anti-phishing code in 0.91rc1 cannot be disabled at compile time.
> The only way to disable this module is to add the following line to
> daily.inc/daily.cfg:
>
> PHISHING:0x0:17:17

Heh, ignore this low-level trick - you can disable the anti-phishing module
just by switching off the option PhishingScanURLs.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Mon Jun  4 23:42:28 CEST 2007


Re: [Clamav-users] daily.wmd trouble with 0.91rc1

2007-06-04 Thread Noel Jones
At 04:44 PM 6/4/2007, Tomasz Kojm wrote:
> On Sat, 2 Jun 2007 13:02:54 +0200
> Tomasz Kojm [EMAIL PROTECTED] wrote:
>
> > On Sat, 02 Jun 2007 00:22:48 -0500
> > Noel Jones [EMAIL PROTECTED] wrote:
> >
> > > I recompiled clamav without --enable-experimental and still have the
> > > error.  It's unclear if this flag does anything interesting right now
> > > since the anti-phishing code is enabled by default in this version.
> >
> > The anti-phishing code in 0.91rc1 cannot be disabled at compile time.
> > The only way to disable this module is to add the following line to
> > daily.inc/daily.cfg:
> >
> > PHISHING:0x0:17:17
>
> Heh, ignore this low-level trick - you can disable the anti-phishing module
> just by switching off the option PhishingScanURLs.

Yes, found that already (and the updated daily.wdb resolved the 
problem also) so it is not presently causing me any problems.  Clamd 
and clamscan are back to running normally.  Thanks.

BTW, I'm *very* impressed with the db load speed improvements in 
0.91rc1.  With 0.90.2 clamscan would take ~15-20 seconds to scan 
small files, with 0.91rc1 it's down to less than 2 seconds.


-- 
Noel Jones 



Re: [Clamav-users] daily.wmd trouble with 0.91rc1

2007-06-04 Thread jef moskot
On Mon, 4 Jun 2007, Noel Jones wrote:
> BTW, I'm *very* impressed with the db load speed improvements in
> 0.91rc1.

I agree.  The load speed for 0.92 had me considering rolling back to 0.88,
but 0.91rc1 is a tremendous improvement.  Thanks for a great service.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]


Re: [Clamav-users] daily.wmd trouble with 0.91rc1

2007-06-02 Thread Bill Landry
Noel Jones wrote the following on 6/1/2007 10:22 PM -0800:
> At 11:39 PM 6/1/2007, Dennis Peterson wrote:
> > Noel Jones wrote:
> >
> > I'm running Solaris 10 x86 here and cannot duplicate your error. I moved
> > the daily.wdb file to /tmp and clamd died. I restarted it with svcadm
> > and it started and ran fine. I then rsync'd daily.wdb from /tmp back to
> > the working directory and it's still running.
>
> Thanks for trying Dennis...
> I should mention that I'm running FreeBSD 5.3 on this server.
>
> I recompiled clamav without --enable-experimental and still have the
> error.  It's unclear if this flag does anything interesting right now
> since the anti-phishing code is enabled by default in this version.
>
> The error is very reproducible here, and definitely related to the
> anti-phishing code.
>
> Using clamscan --no-phishing-scan-urls email.txt prevents the core
> dumps.  I strongly suspect setting clamd.conf PhishingScanURLs no
> would fix this too, at the expense of no longer detecting bogus URL phish.
   
Noel, I started seeing the same problem this evening with ClamAV
0.90.3.  I finally had to recompile with --disable-experimental and
everything has run fine here since.  I wonder if you disable the
experimental sections in the clamd.conf file if that will have any
effect.  Also, can you compile with experimental specifically disabled
(--disable-experimental)?

Good luck...

Bill


Re: [Clamav-users] daily.wmd trouble with 0.91rc1

2007-06-02 Thread Maciej Kedzierski
Noel Jones wrote:
> At 10:20 PM 6/1/2007, Christopher X. Candreva wrote:
> > On Fri, 1 Jun 2007, Noel Jones wrote:
> >
> > > fatfinger error on the name, I am referring to daily.wdb as the
> > > pasted session shows.
> >
> > Ah, sorry. Bleary-eyed error not catching it in the session. :-)
> >
> > > Are you using 91rc1?  It's very repeatable here.  I have
> >
> > Yes, so far it has been running fine.  My monitoring scripts haven't
> > restarted it once.
>
> Ok, I've narrowed it down to the following TWO lines in daily.wdb:
> X:http.//www\.ebay\.co\.uk.+:.+emailpics.\.ebay\.com:14-
> X:http.//info.citibank.com.+:https.//offer.citibank.com:14-
>
> (I believe daily.wdb is a whitelist for the experimental antiphishing
> code.  I'm not sure this file is used if you don't compile with
> --enable-experimental.)
>
> If *BOTH* these lines are present, clamscan coredumps when scanning
> an email with an html part.
> The email need not have URLs that reference the sites in the two rules.
>
> This is very repeatable with multiple email messages.  clamscan still
> works properly on text files or email with no html.
   
I have a similar problem. After the last update clamd began to die.

freshclam.log

ClamAV update process started at Sat Jun  2 01:23:01 2007

WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.90.2 Recommended version: 0.90.3
DON'T PANIC! Read http://www.clamav.net/support/faq
main.inc is up to date (version: 43, sigs: 104500, f-level: 14, builder: sven)
Downloading daily-3337.cdiff [100%]
daily.inc updated (version: 3337, sigs: 16524, f-level: 15, builder: sven)
Database updated (121024 signatures) from database.clamav.net (IP: 195.95.205.245)
Clamd successfully notified about the update.

When I removed these two lines from daily.wdb:
X:http.//www\.ebay\.co\.uk.+:.+emailpics.\.ebay\.com:14-
X:http.//info.citibank.com.+:https.//offer.citibank.com:14-
everything began to work as usual.
Similarly, PhishingScanURLs no resolves the problem.

The worst thing about THIS problem is the timing of the incident (I was at
a party, I was drunk ;) and I had no internet), because I was ready for
problems when I compiled clam with experimental code.


macka






Re: [Clamav-users] daily.wmd trouble with 0.91rc1

2007-06-02 Thread Tomasz Kojm
On Sat, 02 Jun 2007 00:22:48 -0500
Noel Jones [EMAIL PROTECTED] wrote:

> I recompiled clamav without --enable-experimental and still have the
> error.  It's unclear if this flag does anything interesting right now
> since the anti-phishing code is enabled by default in this version.

The anti-phishing code in 0.91rc1 cannot be disabled at compile time.
The only way to disable this module is to add the following line to
daily.inc/daily.cfg:

PHISHING:0x0:17:17

HTH,

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Sat Jun  2 12:54:40 CEST 2007


Re: [Clamav-users] daily.wmd trouble with 0.91rc1

2007-06-02 Thread Dennis Peterson
Noel Jones wrote:
> At 11:39 PM 6/1/2007, Dennis Peterson wrote:
> > Noel Jones wrote:
> > I'm running Solaris 10 x86 here and cannot duplicate your error. I moved
> > the daily.wdb file to /tmp and clamd died. I restarted it with svcadm
> > and it started and ran fine. I then rsync'd daily.wdb from /tmp back to
> > the working directory and it's still running.
>
> Thanks for trying Dennis...
> I should mention that I'm running FreeBSD 5.3 on this server.

It died here today. No log message to indicate the nature of the 
failure. It started when I cleared it in svcadm. I'm a believer, now :)

dp


[Clamav-users] daily.wmd trouble with 0.91rc1

2007-06-01 Thread Noel Jones
I seem to be having trouble with clamscan 0.91rc1 choking with the 
current daily.wmd file.   It was working fine until the most recent db update.

# clamscan --version
ClamAV 0.91rc1-exp/3337/Fri Jun  1 18:05:09 2007

# clamscan /tmp/email.txt
Segmentation fault (core dumped)

Now remove the current daily.wdb from daily.inc:
# rm /var/db/clamav/daily.inc/daily.wdb

# clamscan /tmp/tmp/email.txt
/tmp/tmp/email.txt: OK

clamd is also hung and unkillable.

Anyone else having this problem?


-- 
Noel Jones



Re: [Clamav-users] daily.wmd trouble with 0.91rc1

2007-06-01 Thread Christopher X. Candreva
On Fri, 1 Jun 2007, Noel Jones wrote:

> I seem to be having trouble with clamscan 0.91rc1 choking with the current
> daily.wmd file.  It was working fine until the most recent db update.

I don't have this problem, but I don't seem to have a daily.wmd file in my
daily.inc either.  I have daily.wdb  and .zmd, but no .wmd


==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 948-3162
WestNet Internet Services of Westchester
http://www.westnet.com/


Re: [Clamav-users] daily.wmd trouble with 0.91rc1

2007-06-01 Thread Noel Jones
At 09:56 PM 6/1/2007, Christopher X. Candreva wrote:
> On Fri, 1 Jun 2007, Noel Jones wrote:
>
> > I seem to be having trouble with clamscan 0.91rc1 choking with the current
> > daily.wmd file.  It was working fine until the most recent db update.
>
> I don't have this problem, but I don't seem to have a daily.wmd file in my
> daily.inc either.  I have daily.wdb  and .zmd, but no .wmd

fatfinger error on the name, I am referring to daily.wdb as the 
pasted session shows.
Are you using 91rc1?  It's very repeatable here.  I have 
re-downloaded daily.cvd and get the same error.

# clamscan --version
ClamAV 0.91rc1-exp/3337/Fri Jun  1 18:05:09 2007

# clamscan /tmp/email.txt
Segmentation fault (core dumped)

Now remove the current daily.wdb from daily.inc:
# rm /var/db/clamav/daily.inc/daily.wdb

# clamscan /tmp/tmp/email.txt
/tmp/tmp/email.txt: OK

clamd is also hung and unkillable.





Re: [Clamav-users] daily.wmd trouble with 0.91rc1

2007-06-01 Thread Christopher X. Candreva
On Fri, 1 Jun 2007, Noel Jones wrote:

> fatfinger error on the name, I am referring to daily.wdb as the
> pasted session shows.

Ah, sorry. Bleary-eyed error not catching it in the session. :-)

> Are you using 91rc1?  It's very repeatable here.  I have

Yes, so far it has been running fine.  My monitoring scripts haven't 
restarted it once.


==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 948-3162
WestNet Internet Services of Westchester
http://www.westnet.com/


Re: [Clamav-users] daily.wmd trouble with 0.91rc1

2007-06-01 Thread Noel Jones
At 10:20 PM 6/1/2007, Christopher X. Candreva wrote:
> On Fri, 1 Jun 2007, Noel Jones wrote:
>
> > fatfinger error on the name, I am referring to daily.wdb as the
> > pasted session shows.
>
> Ah, sorry. Bleary-eyed error not catching it in the session. :-)
>
> > Are you using 91rc1?  It's very repeatable here.  I have
>
> Yes, so far it has been running fine.  My monitoring scripts haven't
> restarted it once.


Ok, I've narrowed it down to the following TWO lines in daily.wdb:
X:http.//www\.ebay\.co\.uk.+:.+emailpics.\.ebay\.com:14-
X:http.//info.citibank.com.+:https.//offer.citibank.com:14-

(I believe daily.wdb is a whitelist for the experimental antiphishing 
code.  I'm not sure this file is used if you don't compile with 
--enable-experimental.)

If *BOTH* these lines are present, clamscan coredumps when scanning 
an email with an html part.
The email need not have URLs that reference the sites in the two rules.

This is very repeatable with multiple email messages.  clamscan still 
works properly on text files or email with no html.

-- 
Noel Jones 
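
Added example (not part of the original thread, and not ClamAV project code): the narrowing-down described in the message above can be automated with delta debugging (ddmin), which shrinks a database file to a smallest set of lines that still reproduces the crash, including the case reported here where two lines must both be present. The filler entries, the function names, and the scratch-directory layout and --database invocation in clamscan_predicate are assumptions for illustration; simulated_crash stands in for the real scanner.

```python
import subprocess
from typing import Callable, List, Sequence

# The two daily.wdb lines quoted in the thread.
EBAY = r"X:http.//www\.ebay\.co\.uk.+:.+emailpics.\.ebay\.com:14-"
CITI = r"X:http.//info.citibank.com.+:https.//offer.citibank.com:14-"
# Constructed filler entries (not real database content) placed around them.
FILLER = [f"X:constructed-real-{i}:constructed-shown-{i}:14-" for i in range(6)]
SAMPLE_WDB = [FILLER[0], EBAY] + FILLER[1:5] + [CITI, FILLER[5]]

def split_chunks(items: Sequence[str], n: int) -> List[List[str]]:
    """Split items into n contiguous, near-equal, non-empty chunks (n <= len)."""
    k, r = divmod(len(items), n)
    chunks, start = [], 0
    for i in range(n):
        end = start + k + (1 if i < r else 0)
        chunks.append(list(items[start:end]))
        start = end
    return chunks

def ddmin(lines: Sequence[str], crashes: Callable[[List[str]], bool]) -> List[str]:
    """Return a subset of lines that still crashes and from which no single
    line can be removed without losing the crash."""
    current = list(lines)
    if not crashes(current):
        raise ValueError("the full file does not reproduce the crash")
    n = 2
    while len(current) >= 2:
        chunks = split_chunks(current, n)
        complements = [[x for j, c in enumerate(chunks) if j != i for x in c]
                       for i in range(n)]
        # Try each chunk alone first, then each complement.
        hit = next((c for c in chunks + complements if crashes(c)), None)
        if hit is not None:
            n = 2 if hit in chunks else max(n - 1, 2)
            current = hit
        elif n >= len(current):
            break  # already at single-line granularity: result is minimal
        else:
            n = min(len(current), 2 * n)
    return current

def simulated_crash(candidate: List[str]) -> bool:
    """Stand-in for the scanner: 'crashes' only when BOTH lines are present."""
    return EBAY in candidate and CITI in candidate

def clamscan_predicate(db_dir: str, wdb_path: str, sample: str):
    """Real-world predicate (assumed layout): rewrite wdb_path inside a scratch
    copy of the unpacked database, scan sample, report death by signal."""
    def crashes(candidate: List[str]) -> bool:
        with open(wdb_path, "w") as fh:
            fh.write("\n".join(candidate) + "\n")
        proc = subprocess.run(["clamscan", f"--database={db_dir}", sample],
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return proc.returncode < 0  # negative: killed by a signal (e.g. SIGSEGV)
    return crashes

if __name__ == "__main__":
    print(ddmin(SAMPLE_WDB, simulated_crash))
```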



Re: [Clamav-users] daily.wmd trouble with 0.91rc1

2007-06-01 Thread jef moskot
On Fri, 1 Jun 2007, Noel Jones wrote:
> Ok, I've narrowed it down to the following TWO lines in daily.wdb:
> X:http.//www\.ebay\.co\.uk.+:.+emailpics.\.ebay\.com:14-
> X:http.//info.citibank.com.+:https.//offer.citibank.com:14-

I removed the files in the .inc directories and freshclam pulled down a
new main.cvd and daily.cvd.  Deleting daily.cvd stopped clamscan from
dumping core for me.  Quick and brainless, but the easiest move to make
when in Panic Mode.

Not ideal, obviously.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]


Re: [Clamav-users] daily.wmd trouble with 0.91rc1

2007-06-01 Thread Noel Jones
At 10:48 PM 6/1/2007, jef moskot wrote:
> On Fri, 1 Jun 2007, Noel Jones wrote:
> > Ok, I've narrowed it down to the following TWO lines in daily.wdb:
> > X:http.//www\.ebay\.co\.uk.+:.+emailpics.\.ebay\.com:14-
> > X:http.//info.citibank.com.+:https.//offer.citibank.com:14-
>
> I removed the files in the .inc directories and freshclam pulled down a
> new main.cvd and daily.cvd.  Deleting daily.cvd stopped clamscan from
> dumping core for me.  Quick and brainless, but the easiest move to make
> when in Panic Mode.
>
> Not ideal, obviously.

So you're having this same problem?

If you remove daily.cvd you won't be protected from a large number of
current viruses; far from ideal.

I used sigtool -u to unpack daily.cvd, then hand-created a daily.inc 
directory with all the unpacked files, then hand-edited daily.wdb to 
remove the offending lines.  Oh, and then moved daily.cvd out of the way.

I've disabled freshclam for the night so my hand-crafted .wdb won't 
be overwritten, and will revisit this tomorrow.

-- 
Noel Jones 



Re: [Clamav-users] daily.wmd trouble with 0.91rc1

2007-06-01 Thread Dennis Peterson
Noel Jones wrote:
> At 09:56 PM 6/1/2007, Christopher X. Candreva wrote:
> > On Fri, 1 Jun 2007, Noel Jones wrote:
> >
> > > I seem to be having trouble with clamscan 0.91rc1 choking with the current
> > > daily.wmd file.  It was working fine until the most recent db update.
> >
> > I don't have this problem, but I don't seem to have a daily.wmd file in my
> > daily.inc either.  I have daily.wdb  and .zmd, but no .wmd
>
> fatfinger error on the name, I am referring to daily.wdb as the
> pasted session shows.
> Are you using 91rc1?  It's very repeatable here.  I have
> re-downloaded daily.cvd and get the same error.
>
> # clamscan --version
> ClamAV 0.91rc1-exp/3337/Fri Jun  1 18:05:09 2007
>
> # clamscan /tmp/email.txt
> Segmentation fault (core dumped)
>
> Now remove the current daily.wdb from daily.inc:
> # rm /var/db/clamav/daily.inc/daily.wdb
>
> # clamscan /tmp/tmp/email.txt
> /tmp/tmp/email.txt: OK
>
> clamd is also hung and unkillable.

I'm running Solaris 10 x86 here and cannot duplicate your error. I moved
the daily.wdb file to /tmp and clamd died. I restarted it with svcadm
and it started and ran fine. I then rsync'd daily.wdb from /tmp back to
the working directory and it's still running.

dp


Re: [Clamav-users] daily.wmd trouble with 0.91rc1

2007-06-01 Thread jef moskot
On Fri, 1 Jun 2007, Noel Jones wrote:
> So you're having this same problem?

Yes, I was getting core dumps trying to clamscan.

> I used sigtool -u to unpack daily.cvd, then hand-created a daily.inc
> directory with all the unpacked files, then hand-edited daily.wdb to
> remove the offending lines.  Oh, and then moved daily.cvd out of the
> way.

Thanks, I hadn't messed around with unpacking signatures to know the best
thing to do.  I just went for the thing that stopped the core dumps ASAP!

> I've disabled freshclam for the night so my hand-crafted .wdb won't be
> overwritten, and will revisit this tomorrow.

As will I.  Thanks again!

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]


Re: [Clamav-users] daily.wmd trouble with 0.91rc1

2007-06-01 Thread Noel Jones
At 11:39 PM 6/1/2007, Dennis Peterson wrote:
> Noel Jones wrote:
>
> I'm running Solaris 10 x86 here and cannot duplicate your error. I moved
> the daily.wdb file to /tmp and clamd died. I restarted it with svcadm
> and it started and ran fine. I then rsync'd daily.wdb from /tmp back to
> the working directory and it's still running.

Thanks for trying Dennis...
I should mention that I'm running FreeBSD 5.3 on this server.

I recompiled clamav without --enable-experimental and still have the 
error.  It's unclear if this flag does anything interesting right now 
since the anti-phishing code is enabled by default in this version.

The error is very reproducible here, and definitely related to the 
anti-phishing code.

Using clamscan --no-phishing-scan-urls email.txt prevents the core 
dumps.  I strongly suspect setting clamd.conf PhishingScanURLs no 
would fix this too, at the expense of no longer detecting bogus URL phish.

-- 
Noel Jones 
