Re: [Clamav-users] borked database
Tomasz Kojm wrote: On Fri, 19 Nov 2004 22:26:24 -0600 (CST) Damian Menscher [EMAIL PROTECTED] wrote: I guess it goes without saying (but I will anyway) that changing things in a way that doesn't cause clamdwatch.pl to fail would be greatly appreciated. (Imagine lots of scared little sysadmins trying Today's update was a special case. I'm guessing that's what the announce list and project news on the home page is for, no? That's what I look at when ever I see something unexpected, anyway. dp ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] borked database
On Fri, 19 Nov 2004 at 22:26:24 -0600, Damian Menscher wrote: On Sat, 20 Nov 2004, Tomasz Papszun wrote: On Fri, 19 Nov 2004 at 20:09:06 -0600, Damian Menscher wrote: Clamd didn't find the EICAR pattern. Your virus database(s) could be borked! Eicar-Test-Signature was moved to daily.cvd to let us update it later (because currently it causes FPs with some files), resulting in a short absence. I'm confused. If you have to change it, why not change main.cvd once, rather than changing main.cvd to remove it then again to put it back? We update main.cvd from time to time, not very often - to minimize mirrors'(and clients') network resources usage. As we were doing the update anyway, we moved the signature to daily.cvd even though an improved one wasn't ready yet - to not make another change of main.cvd only to replace one or a few signatures as it would be a thoughtless wastefulness. Moreover, the updated signature won't be put into main.cvd at once anyway, because newly created signatures aren't placed in main.cvd - they are placed in daily.cvd. Are we expected to check for updates to the daily.cvd more often than for updates to main.cvd? No. I guess it goes without saying (but I will anyway) that changing things in a way that doesn't cause clamdwatch.pl to fail would be greatly appreciated. That's the way we try to proceed (surprise, surprise!). (Imagine lots of scared little sysadmins trying to figure out what to do when they get emails about ClamAV being borked. ;) -- Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only [EMAIL PROTECTED] http://www.lodz.tpsa.pl/iso/ | ones and zeros. [EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] borked database
On Fri, 19 Nov 2004 at 19:43:19 -0600, Damian Menscher wrote: Anyone care to tell us what just happened to the database? It got borked and fixed about 1/2 hour later. I'd check on the archive, but the info's pretty old I was updating both database files. What, exactly, was wrong? -- Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only [EMAIL PROTECTED] http://www.lodz.tpsa.pl/iso/ | ones and zeros. ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] borked database
On Sat, 20 Nov 2004, Tomasz Papszun wrote: On Fri, 19 Nov 2004 at 19:43:19 -0600, Damian Menscher wrote: Anyone care to tell us what just happened to the database? It got borked and fixed about 1/2 hour later. I'd check on the archive, but the info's pretty old I was updating both database files. What, exactly, was wrong? All my servers did this two times (15 minutes apart): Subject: Cron [EMAIL PROTECTED] /usr/local/sbin/clamdwatch.pl -q /etc/init.d/clamd condrestart Clamd didn't find the EICAR pattern. Your virus database(s) could be borked! Stopping clamd: [ OK ] Starting clamd: [ OK ] Damian Menscher -- -=#| Physics Grad Student SysAdmin @ U Illinois Urbana-Champaign |#=- -=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=- -=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=- -=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=- -=#| The above opinions are not necessarily those of my employers. |#=- ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] borked database
On Fri, 19 Nov 2004 at 20:09:06 -0600, Damian Menscher wrote: On Sat, 20 Nov 2004, Tomasz Papszun wrote: [...] What, exactly, was wrong? All my servers did this two times (15 minutes apart): Subject: Cron [EMAIL PROTECTED] /usr/local/sbin/clamdwatch.pl -q /etc/init.d/clamd condrestart Clamd didn't find the EICAR pattern. Your virus database(s) could be borked! Stopping clamd: [ OK ] Starting clamd: [ OK ] Eicar-Test-Signature was moved to daily.cvd to let us update it later (because currently it causes FPs with some files), resulting in a short absence. I apologise for the disturbance. -- Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only [EMAIL PROTECTED] http://www.lodz.tpsa.pl/iso/ | ones and zeros. [EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] borked database
On Sat, 20 Nov 2004, Tomasz Papszun wrote: On Fri, 19 Nov 2004 at 20:09:06 -0600, Damian Menscher wrote: Clamd didn't find the EICAR pattern. Your virus database(s) could be borked! Eicar-Test-Signature was moved to daily.cvd to let us update it later (because currently it causes FPs with some files), resulting in a short absence. I'm confused. If you have to change it, why not change main.cvd once, rather than changing main.cvd to remove it then again to put it back? Are we expected to check for updates to the daily.cvd more often than for updates to main.cvd? I guess it goes without saying (but I will anyway) that changing things in a way that doesn't cause clamdwatch.pl to fail would be greatly appreciated. (Imagine lots of scared little sysadmins trying to figure out what to do when they get emails about ClamAV being borked. ;) Damian Menscher -- -=#| Physics Grad Student SysAdmin @ U Illinois Urbana-Champaign |#=- -=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=- -=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=- -=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=- -=#| The above opinions are not necessarily those of my employers. |#=- ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] borked database
I think what happened was it was removed from main, and added to daily. Just a timing issue. On 11/19/2004 10:26 pm, Damian Menscher wrote: On Sat, 20 Nov 2004, Tomasz Papszun wrote: On Fri, 19 Nov 2004 at 20:09:06 -0600, Damian Menscher wrote: Clamd didn't find the EICAR pattern. Your virus database(s) could be borked! Eicar-Test-Signature was moved to daily.cvd to let us update it later (because currently it causes FPs with some files), resulting in a short absence. I'm confused. If you have to change it, why not change main.cvd once, rather than changing main.cvd to remove it then again to put it back? Are we expected to check for updates to the daily.cvd more often than for updates to main.cvd? I guess it goes without saying (but I will anyway) that changing things in a way that doesn't cause clamdwatch.pl to fail would be greatly appreciated. (Imagine lots of scared little sysadmins trying to figure out what to do when they get emails about ClamAV being borked. ;) Damian Menscher -- John Jolet Your On-Demand IT Department 512-762-0729 [EMAIL PROTECTED] www.jolet.net ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] borked database
On Fri, 19 Nov 2004 22:26:24 -0600 (CST) Damian Menscher [EMAIL PROTECTED] wrote: On Sat, 20 Nov 2004, Tomasz Papszun wrote: On Fri, 19 Nov 2004 at 20:09:06 -0600, Damian Menscher wrote: Clamd didn't find the EICAR pattern. Your virus database(s) could be borked! Eicar-Test-Signature was moved to daily.cvd to let us update it later(because currently it causes FPs with some files), resulting in a short absence. I'm confused. If you have to change it, why not change main.cvd once, rather than changing main.cvd to remove it then again to put it back? Because main.cvd only contains stable (and older than 2 weeks) signatures. I guess it goes without saying (but I will anyway) that changing things in a way that doesn't cause clamdwatch.pl to fail would be greatly appreciated. (Imagine lots of scared little sysadmins trying Today's update was a special case. -- oo. Tomasz Kojm [EMAIL PROTECTED] (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg \..._ 0DCA5A08407D5288279DB43454822DC8985A444B //\ /\ Sat Nov 20 07:54:28 CET 2004 pgp4rne0uBC1s.pgp Description: PGP signature ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users