Re: [Clamav-users] Worm.Sober.U not being recognized
Kevin W. Gagel wrote:
> I'm seeing the same thing here. My uvscan sees sober but since I restarted the server this morning at 10am there have been zero detections of anything from clamd at all. Only seven detections from uvscan over the same time period.

Strange. No problem here - we're using clamd as a backend to amavisd-new and Sober.U is found with ClamAV 0.87/1182/Mon Nov 21 20:43:47 2005 (GMT +0100).

Ralph
--
Ralph [EMAIL PROTECTED]               | ..Text processing has made it possible
Bayerischer Rundfunk...HA-Multimedia  | to right-justify any idea, even one
Rundfunkplatz 180300 München          | .which cannot be justified on any other
Tl:089.5900.16023..Fx:089.5900.16240  | ..grounds. -- J. Finnegan, USC
___
http://lurker.clamav.net/list/clamav-users.html

Re: [Clamav-users] Worm.Sober.U not being recognized
We also use Clamd with amavisd-new
ClamAV 0.87.1/1183/Tue Nov 22 10:19:57 2005
Got the first message with it at 21:26 / 21/11/2005 localtime (Netherlands)

Ralph Angenendt wrote:
> Kevin W. Gagel wrote:
>> I'm seeing the same thing here. My uvscan sees sober but since I restarted the server this morning at 10am there have been zero detections of anything from clamd at all. Only seven detections from uvscan over the same time period.
>
> Strange. No problem here - we're using clamd as a backend to amavisd-new and Sober.U is found with ClamAV 0.87/1182/Mon Nov 21 20:43:47 2005 (GMT +0100).
>
> Ralph

--
Kind regards,
Richard Pijnenburg
PremiumXS B.V.
Bouwerij 4
1185 XX Amstelveen
T: 020 386 84 05
F: 020 386 84 04
G: 06 47 92 85 28
E: [EMAIL PROTECTED]

Re: [Clamav-users] Worm.Sober.U not being recognized
Pete 'Wolfy' Hanson wrote:
> Running clamscan --detect-broken finds the message, and generates no errors, but clamav-milter does not find the message when it comes in. clamd.log shows:
>
> Nov 21 14:08:18 paz clamav-milter[26450]: [ID 788897 local7.notice] jALM6n0R027652: clean message from [EMAIL PROTECTED]

We've been detecting Worm.Sober.U here for a little over 2 hours (with daily.cvd 1182).

If clamscan finds it, but clamav-milter doesn't, maybe for some reason clamd didn't load the updated database? Try restarting clamd and/or clamav-milter (I've never used the milter, so I'm not sure what's necessary) and see if that does it.

--
Kelson Vibber
SpeedGate Communications
www.speed.net

Re: [Clamav-users] Worm.Sober.U not being recognized
On 11/21/05, Kelson [EMAIL PROTECTED] wrote:
> We've been detecting Worm.Sober.U here for a little over 2 hours (with daily.cvd 1182).
>
> If clamscan finds it, but clamav-milter doesn't, maybe for some reason clamd didn't load the updated database? Try restarting clamd and/or clamav-milter (I've never used the milter, so I'm not sure what's necessary) and see if that does it.

I've already tried a couple of restarts to no avail.

--
Pete Hanson
http://www.well.com/user/wolfy
http://www.fotolog.net/wolfy

Re: [Clamav-users] Worm.Sober.U not being recognized
Pete 'Wolfy' Hanson wrote:
> On 11/21/05, Kelson [EMAIL PROTECTED] wrote:
>> We've been detecting Worm.Sober.U here for a little over 2 hours (with daily.cvd 1182).
>>
>> If clamscan finds it, but clamav-milter doesn't, maybe for some reason clamd didn't load the updated database? Try restarting clamd and/or clamav-milter (I've never used the milter, so I'm not sure what's necessary) and see if that does it.
>
> I've already tried a couple of restarts to no avail.
>
> --
> Pete Hanson
> http://www.well.com/user/wolfy
> http://www.fotolog.net/wolfy

We are seeing the same issue here. We picked it up a little over 3 hours ago. clamd just seems not to detect it. I have tested using clamscan and it does find it, but if I switch our filter to use clamscan the load is outrageous. We have been able to add rawbody rules to our spam filters that score them high enough to stop them at the filter, but clamd does not seem to be detecting it.

RE: [Clamav-users] Worm.Sober.U not being recognized
Pete wrote:
> On 11/21/05, Kelson [EMAIL PROTECTED] wrote:
>> We've been detecting Worm.Sober.U here for a little over 2 hours (with daily.cvd 1182).
>>
>> If clamscan finds it, but clamav-milter doesn't, maybe for some reason clamd didn't load the updated database? Try restarting clamd and/or clamav-milter (I've never used the milter, so I'm not sure what's necessary) and see if that does it.
>
> I've already tried a couple of restarts to no avail.

What are your clamd and clamav-milter options?

--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com
Software Engineer

Re: [Clamav-users] Worm.Sober.U not being recognized
On 11/21/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> What are your clamd and clamav-milter options?

/usr/local/sbin/clamav-milter --headers --pidfile=/var/clamav/clamav-milter.pid --quiet /var/clamav/clamav-milter.sock

No clamd since we aren't running with --external, which has worked well for a long time.

--
Pete Hanson
http://www.well.com/user/wolfy
http://www.fotolog.net/wolfy

Re: [Clamav-users] Worm.Sober.U not being recognized
Pete 'Wolfy' Hanson wrote:
> On 11/21/05, Kelson [EMAIL PROTECTED] wrote:
>> We've been detecting Worm.Sober.U here for a little over 2 hours (with daily.cvd 1182).
>>
>> If clamscan finds it, but clamav-milter doesn't, maybe for some reason clamd didn't load the updated database? Try restarting clamd and/or clamav-milter (I've never used the milter, so I'm not sure what's necessary) and see if that does it.

Does your freshclam send a signal to clamd to reload the new patterns? If not, you'll have to do that yourself.

Also note that although wonderful ClamAV is one of the few AVs that are currently detecting Sober.U - there are already some variants that even it can't catch. Looks like the prats are having a "let's release 100 different variants today" party :-(

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: [Clamav-users] Worm.Sober.U not being recognized
On Mon, 21 Nov 2005 14:04:43 -0900 Pete 'Wolfy' Hanson [EMAIL PROTECTED] wrote:
> On 11/21/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>> What are your clamd and clamav-milter options?
>
> /usr/local/sbin/clamav-milter --headers --pidfile=/var/clamav/clamav-milter.pid --quiet /var/clamav/clamav-milter.sock
>
> No clamd since we aren't running with --external, which has worked well for a long time.

Please post your clamd.conf file.

--
  oo.     Tomasz Kojm [EMAIL PROTECTED]
 (\/)\.   http://www.ClamAV.net/gpg/tkojm.gpg
    \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
  //\ /\  Tue Nov 22 00:07:53 CET 2005

Re: [Clamav-users] Worm.Sober.U not being recognized
On 11/21/05, Tomasz Kojm [EMAIL PROTECTED] wrote:
> Please post your clamd.conf file.

LogFileMaxSize 0
LogTime
LogClean
LogSyslog
LogFacility LOG_LOCAL7
PidFile /var/clamav/clamd.pid
TemporaryDirectory /tmp
FixStaleSocket
TCPSocket 3310
TCPAddr 127.0.0.1
MaxConnectionQueueLength 20
StreamMaxLength 2M
MaxThreads 151
ReadTimeout 60
MaxDirectoryRecursion 1
SelfCheck 1800
User clamav
ScanOLE2
ScanMail
ScanHTML
ScanArchive
ArchiveMaxFileSize 1M
ArchiveMaxRecursion 1
ArchiveMaxFiles 25
ArchiveMaxCompressionRatio 200

--
Pete Hanson
http://www.well.com/user/wolfy
http://www.fotolog.net/wolfy

Re: [Clamav-users] Worm.Sober.U not being recognized
On Mon, 21 Nov 2005 14:10:07 -0900 Pete 'Wolfy' Hanson [EMAIL PROTECTED] wrote:
> MaxDirectoryRecursion 1

You should be more careful when changing the config options. With the current MaxDirectoryRecursion setting in your setup clamd/clamav-milter will fail to detect a lot of malware.

--
  oo.     Tomasz Kojm [EMAIL PROTECTED]
 (\/)\.   http://www.ClamAV.net/gpg/tkojm.gpg
    \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
  //\ /\  Tue Nov 22 00:19:16 CET 2005

Re: [Clamav-users] Worm.Sober.U not being recognized
Pete 'Wolfy' Hanson wrote:
> On 11/21/05, Kelson [EMAIL PROTECTED] wrote:
>> We've been detecting Worm.Sober.U here for a little over 2 hours (with daily.cvd 1182).
>>
>> If clamscan finds it, but clamav-milter doesn't, maybe for some reason clamd didn't load the updated database? Try restarting clamd and/or clamav-milter (I've never used the milter, so I'm not sure what's necessary) and see if that does it.
>
> I've already tried a couple of restarts to no avail.

I'm seeing the same thing here. My uvscan sees sober but since I restarted the server this morning at 10am there have been zero detections of anything from clamd at all. Only seven detections from uvscan over the same time period.

=
Kevin W. Gagel
Network Administrator
Information Technology Services
(250) 562-2131 local 448
My Blog: http://mail.cnc.bc.ca/blogs/gagel
---
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
Anti-spam information for CNC can be found at http://avas.cnc.bc.ca
---

Re: [Clamav-users] Worm.Sober.U not being recognized
On 11/21/05, Tomasz Kojm [EMAIL PROTECTED] wrote:
>> MaxDirectoryRecursion 1
>
> You should be more careful when changing the config options. With the current MaxDirectoryRecursion setting in your setup clamd/clamav-milter will fail to detect a lot of malware.

Maybe, but it doesn't seem to have anything to do with the problem at hand.

--
Pete Hanson
http://www.well.com/user/wolfy
http://www.fotolog.net/wolfy

Re: [Clamav-users] Worm.Sober.U not being recognized
> I'm seeing the same thing here. My uvscan sees sober but since I restarted the server this morning at 10am there have been zero detections of anything from clamd at all. Only seven detections from uvscan over the same time period.

FWIW, we're detecting other viruses and worms - but Worm.Sober.U is slipping through in large quantities. I can stop it elsewhere, but would rather have ClamAV handle it like it should.

--
Pete Hanson
http://www.well.com/user/wolfy
http://www.fotolog.net/wolfy

Re: [Clamav-users] Worm.Sober.U not being recognized
>> I'm seeing the same thing here. My uvscan sees sober but since I restarted the server this morning at 10am there have been zero detections of anything from clamd at all. Only seven detections from uvscan over the same time period.
>
> FWIW, we're detecting other viruses and worms - but Worm.Sober.U is slipping through in large quantities. I can stop it elsewhere, but would rather have ClamAV handle it like it should.

Same here Pete. I'm just confirming what you're seeing...

=
Kevin W. Gagel
Network Administrator
Information Technology Services
(250) 562-2131 local 448
My Blog: http://mail.cnc.bc.ca/blogs/gagel
---
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
Anti-spam information for CNC can be found at http://avas.cnc.bc.ca
---

Re: [Clamav-users] Worm.Sober.U not being recognized
Kevin W. Gagel wrote:
> Pete 'Wolfy' Hanson wrote:
>> On 11/21/05, Kelson [EMAIL PROTECTED] wrote:
>>> We've been detecting Worm.Sober.U here for a little over 2 hours (with daily.cvd 1182).
>>>
>>> If clamscan finds it, but clamav-milter doesn't, maybe for some reason clamd didn't load the updated database? Try restarting clamd and/or clamav-milter (I've never used the milter, so I'm not sure what's necessary) and see if that does it.
>>
>> I've already tried a couple of restarts to no avail.
>
> I'm seeing the same thing here. My uvscan sees sober but since I restarted the server this morning at 10am there have been zero detections of anything from clamd at all. Only seven detections from uvscan over the same time period.

I'm using qmail-scanner / clamdscan. Since updating to daily.cvd 1182, Sober.U are being detected effectively. Before, they were getting through (and also through outdated ClamWin clients).

JT

Re: [Clamav-users] Worm.Sober.U not being recognized
On Mon, 21 Nov 2005 14:39:58 -0900 Pete 'Wolfy' Hanson [EMAIL PROTECTED] wrote:
> On 11/21/05, Tomasz Kojm [EMAIL PROTECTED] wrote:
>>> MaxDirectoryRecursion 1
>>
>> You should be more careful when changing the config options. With the current MaxDirectoryRecursion setting in your setup clamd/clamav-milter will fail to detect a lot of malware.
>
> Maybe, but it doesn't seem to have anything to do with the problem at hand.

Not true. Anyway, I suspect your situation is now even worse. If you have enabled DisableDefaultScanOptions (a nasty option that will be removed in the next major release) as suggested in another post your clamd/clamav-milter will fail to detect all malware in compressed executables because your config file misses the ScanPE option. I would suggest using the following config in your case (it's based on the one you have sent here):

LogFileMaxSize 0
LogTime
LogClean
LogSyslog
LogFacility LOG_LOCAL7
PidFile /var/clamav/clamd.pid
TemporaryDirectory /tmp
FixStaleSocket
TCPSocket 3310
TCPAddr 127.0.0.1
MaxConnectionQueueLength 20
StreamMaxLength 2M
MaxThreads 30
ReadTimeout 60
MaxDirectoryRecursion 10
SelfCheck 1800
User clamav
ArchiveMaxFileSize 1M
ArchiveMaxRecursion 8
ArchiveMaxFiles 1000
ArchiveMaxCompressionRatio 250

--
  oo.     Tomasz Kojm [EMAIL PROTECTED]
 (\/)\.   http://www.ClamAV.net/gpg/tkojm.gpg
    \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
  //\ /\  Tue Nov 22 00:41:58 CET 2005

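The two points raised in the last reply (recursion and archive limits set too low, and DisableDefaultScanOptions without ScanPE) can be checked mechanically. The following is an added example, not part of the thread and not ClamAV code; `FLOORS`, `parse_clamd_conf` and `audit` are hypothetical names, and the floor values are simply the ones from the config suggested in the thread, not ClamAV defaults.

```python
# Added example: audit a 0.87-era clamd.conf for the issues raised in the thread.
# FLOORS holds the values from the suggested config (an assumption, not ClamAV defaults).
FLOORS = {"MaxDirectoryRecursion": 10, "ArchiveMaxRecursion": 8,
          "ArchiveMaxFiles": 1000, "ArchiveMaxCompressionRatio": 250}

# Scan-related lines of the config posted in the thread.
POSTED = """\
MaxDirectoryRecursion 1
ScanOLE2
ScanMail
ScanHTML
ScanArchive
ArchiveMaxRecursion 1
ArchiveMaxFiles 25
ArchiveMaxCompressionRatio 200
"""
# The same directives from the config suggested in reply.
SUGGESTED = """\
MaxDirectoryRecursion 10
ArchiveMaxRecursion 8
ArchiveMaxFiles 1000
ArchiveMaxCompressionRatio 250
"""

def parse_clamd_conf(text):
    """Return {directive: value}; bare flags such as ScanMail map to True."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf[parts[0]] = parts[1].strip() if len(parts) > 1 else True
    return conf

def audit(text):
    """Return a list of findings for limits below FLOORS and a missing ScanPE."""
    conf = parse_clamd_conf(text)
    findings = []
    for name, floor in FLOORS.items():
        value = conf.get(name)
        if isinstance(value, str) and value.isdigit() and int(value) < floor:
            findings.append(f"{name} {value} is below the suggested {floor}")
    if conf.get("DisableDefaultScanOptions") and not conf.get("ScanPE"):
        findings.append("DisableDefaultScanOptions is set but ScanPE is missing: "
                        "malware in compressed executables will not be detected")
    return findings

if __name__ == "__main__":
    for finding in audit("DisableDefaultScanOptions\n" + POSTED):
        print(finding)
```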