Re[2]: [Declude.Virus] Second Scanner
Hello Terry,

Sunday, June 5, 2005, 8:14:04 AM, you wrote:

> It took a reboot of both machines to fix the problem. On one I had 288 processes running which fouls everything else up. Clam is SCANNER2. Any ideas?

TF> What did the runclamscan log report if anything? What kind of times
TF> are you seeing in it for the actual scanning?

Nothing. Just shows the last virus that was caught right before the problem:

06-03-2005 23:44:37 0.2030,0.141,0.062 Worm.Mytob.CK 83 D23a50548011c8e81.SMD 73391
06-04-2005 00:44:08 0.1410,0.078,0.063 Worm.Mytob.BZ 83 D319849a0009e0bb9.SMD 69975

Scan times look very low, comparable to F-Prot.

TF> The only time I've had anything similar happen had to do with
TF> ownership of the files and folders. It seems to me I may have had to
TF> change the ownership of the virus folder but I don't recall now.

The very first error in the Declude virus log indicates that clam didn't finish after 60 seconds so Declude is terminating. Then the other errors about renaming/moving files start showing up. Plus more timeout errors.

On a side note, during this whole process I had a Sniffer update that failed to copy to my P:/ Drive. Clam is running on C:\, Spool is running on O:\ and runclamscan/runclamd are on P:\

The two machines that this happened on are very different. One Win2k vs. Win2k3, Imail 7.13 vs. Imail 8.15, both Declude 1.82

I can't find anything in the event or application logs that looks bad around this time either.

--
Best regards,
David
mailto:[EMAIL PROTECTED]

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
Re[2]: [Declude.Virus] Second Scanner
TF> What did the runclamscan log report if anything? What kind of times
TF> are you seeing in it for the actual scanning?

I do have some weird log lines on one of the machines:

06-04-2005 13:48:35 0.4840,0.015,0.469 HTML.Phishing.Pay-39 65 0
06-04-2005 13:49:02 0.2660,0.031,0.235 Worm.SomeFool.P 64 0
06-04-2005 13:49:06 0.3280,0.046,0.266 Worm.Mytob.CK 62 0
06-04-2005 13:49:07 0.4840,0.047,0.437 Worm.Mytob.CK 105 De990167cd258.GSC,De99002de00b2b55f.SMD 0
06-04-2005 13:49:20 0.3750,0.079,0.296 Worm.SomeFool.P 64 0
06-04-2005 13:49:26 0.0630,0.031,0.032 Worm.Bagle.AU 62 0
06-04-2005 13:49:59 0.3590,0.125,0.219 Worm.Mytob.BT 62 0

These are about 20 lines before it quits.

Also, I do see on both machines, there are files in my folder on P:\ along with runclamscan and runclamd. They have names like:

dbeaf2~1_clam.txt
dbeb03~1_clam.txt

There are 57 on one box and 80 on another. Every time I click on one of the files, I get a simple Access Denied error even though ALL clam processes are stopped and I'm running under a Domain Admin account.
Re[2]: [Declude.Virus] Second Scanner
TF> These exist because the scanner never completed and the files are
TF> owned by SYSTEM. You'll have to select them - right click - and
TF> change the owner to your Admin account so you can then change the
TF> permissions to delete them.

So, it looks like the genesis of the problem is that clam started timing out. As I mentioned, a completely separate process that copies my Sniffer .snf file onto the same drive failed with a "could not copy file" error after this whole thing happened, even though it could read/delete a file on this volume.

--
Best regards,
David
mailto:[EMAIL PROTECTED]
Re[2]: [Declude.Virus] Second Scanner
Hello Terry,

Monday, June 6, 2005, 3:39:42 PM, you wrote:

> it looks like the genesis of the problem is that clam started timing out.

TF> It may be but I haven't been able to force it to happen so far. For
TF> me this is the first instance of this in more than one year.

TF> I am suspicious that it could be a Windows socket issue which is why
TF> I've changed the clamd.conf settings.

Now, I have had socket issues. I'm accepting at a high rate from IMGate on the front end and delivering to an outbound PF box on the backend so I tend to have lots of sockets open to one IP.

Forgive me if I'm naive, but what does a local virus scanner have to do with TCP/IP?

--
Best regards,
David
mailto:[EMAIL PROTECTED]
Re[2]: [Declude.Virus] Second Scanner
Hello Terry,

TF> Normally the service establishes a socket - meaning a hole punched
TF> through the OS - to allow such communication to occur. However, for
TF> ClamD in the configuration file there is an option to bind the
TF> service to a specific IP address and a specific port assignment. For
TF> greater security 127.0.0.1 is the default address. But the service
TF> could be bound to another IP address.

Think I get it.

TF> I don't know why this might solve stability problems on some
TF> versions of windows but that's the message in the conf and something
TF> I was advised to try from my forum posting.

I have to be out of town starting Wednesday so I'm not doing anything now, but I'll try it too first thing next week.

TF> Since the error I was seeing in the ClamD log file was an error with
TF> accept() it seemed reasonable to me to try it.

I took ownership of and checked the clamd log file and it looks like I have the same errors, but on both boxes it took less than 18 hours to have the problem:

Jun 4 10:46:54 2005 - ERROR: accept() failed: Software caused connection abort
Sat Jun 4 10:46:56 2005 - ERROR: accept() failed: Software caused connection abort
Sat Jun 4 10:46:56 2005 - ERROR: accept() failed: Software caused connection abort

This is exactly the time this machine blew up.

--
Best regards,
David
mailto:[EMAIL PROTECTED]
Re[2]: [Declude.Virus] Second Scanner
Hello Scott,

Friday, June 3, 2005, 10:48:47 PM, you wrote:

SF> One last ClamAV comment...
SF> I've added the command line switch --max-ratio 0
SF> I've had some false positives on some .zip files that forced me to add the
SF> switch.

Thanks for the info. I've been running clam now with Terry's runclamscan since last night on 2 machines. At one point, each machine started getting these errors in the Declude Virus file:

06/04/2005 14:06:54 Qed820cb43917 ERROR: Virus scanner 2 didn't finish after 60 seconds; terminating.
06/04/2005 14:06:54 Qed820cb43917 WARNING: Couldn't remove .vir directory o:\spool\Ded820cb43917.vir\: SHARING VIOLATION.
06/04/2005 14:06:54 Qed820cb43917 Likely problem: An on-access scanner is interfering; disable or set not to scan subdirectories off of \IMail\spool.

Then, they balloon to ones like this:

06/04/2005 14:07:25 Qed87026a0076c30a ERROR: Could not move virus-infected E-mail! Code: 32 0 o:\spool\Ded87026a0076c30a.SMD L:\virustrap\Ded87026a0076c30a.SMD. Re-trying.
06/04/2005 14:07:26 Qed82035200bac2f1 ERROR: Could not move virus-infected E-mail! Code: 32 0 o:\spool\Ded82035200bac2f1.SMD L:\virustrap\Ded82035200bac2f1.SMD. Re-trying.
06/04/2005 14:07:26 Qed8402890066c2fa ERROR: Could not move virus-infected E-mail! Code: 32 0 o:\spool\Ded8402890066c2fa.SMD L:\virustrap\Ded8402890066c2fa.SMD. Re-trying.

It took a reboot of both machines to fix the problem. On one I had 288 processes running which fouls everything else up.

Clam is SCANNER2

Any ideas?

--
Best regards,
David
mailto:[EMAIL PROTECTED]
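Added example, not part of the thread: a short Python triage of the Declude virus log lines quoted in the message above. It finds the first scanner timeout and collects the queue IDs that hit file-lock errors right after it. The line layout is inferred from the quoted lines only; the function names and the five-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample lines copied from the Declude virus log quoted in the message above.
SAMPLE_LOG = r"""
06/04/2005 14:06:54 Qed820cb43917 ERROR: Virus scanner 2 didn't finish after 60 seconds; terminating.
06/04/2005 14:06:54 Qed820cb43917 WARNING: Couldn't remove .vir directory o:\spool\Ded820cb43917.vir\: SHARING VIOLATION.
06/04/2005 14:06:54 Qed820cb43917 Likely problem: An on-access scanner is interfering; disable or set not to scan subdirectories off of \IMail\spool.
06/04/2005 14:07:25 Qed87026a0076c30a ERROR: Could not move virus-infected E-mail! Code: 32 0 o:\spool\Ded87026a0076c30a.SMD L:\virustrap\Ded87026a0076c30a.SMD. Re-trying.
06/04/2005 14:07:26 Qed82035200bac2f1 ERROR: Could not move virus-infected E-mail! Code: 32 0 o:\spool\Ded82035200bac2f1.SMD L:\virustrap\Ded82035200bac2f1.SMD. Re-trying.
06/04/2005 14:07:26 Qed8402890066c2fa ERROR: Could not move virus-infected E-mail! Code: 32 0 o:\spool\Ded8402890066c2fa.SMD L:\virustrap\Ded8402890066c2fa.SMD. Re-trying.
"""

# Layout assumed from the quoted lines: date, time, queue ID, free-text message.
LINE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q\w+) (.*)$")
TIMEOUT = re.compile(r"ERROR: Virus scanner (\d+) didn't finish after (\d+) seconds")
MOVE_FAIL = re.compile(r"ERROR: Could not move virus-infected E-mail! Code: (\d+)")
SHARING = "SHARING VIOLATION"


def parse(text):
    """Yield (timestamp, queue_id, message) for each well-formed log line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
            yield ts, m.group(2), m.group(3)


def find_cascade(text, window=timedelta(minutes=5)):
    """Return the first scanner timeout plus the queue IDs that hit
    file-lock errors within `window` after it, or None if no timeout."""
    first = None
    locked = []
    for ts, qid, msg in parse(text):
        if first is None:
            t = TIMEOUT.search(msg)
            if t:
                first = {"time": ts, "queue_id": qid,
                         "scanner": int(t.group(1)), "limit_s": int(t.group(2))}
            continue
        if ts - first["time"] > window:
            break
        mv = MOVE_FAIL.search(msg)
        # Win32 error 32 is ERROR_SHARING_VIOLATION: another process holds the file.
        if (mv and mv.group(1) == "32") or SHARING in msg:
            locked.append(qid)
    if first is None:
        return None
    first["locked_queue_ids"] = sorted(set(locked))
    return first
```

Run against a full log, the timestamp of the first timeout is the one to compare with the scanner's own log for the same machine.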
RE: Re[2]: [Declude.Virus] Second Scanner
Just out of curiosity, what Declude version are you using?

I have a related problem with my second scanner (bitdefender) and I am using Declude beta. I am testing things now going back to the last non-beta Declude version 2.06

Luis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED]] On Behalf Of David Sullivan
Sent: Saturday, June 04, 2005 01:18 p.m.
To: Declude.Virus@declude.com
Subject: Re[2]: [Declude.Virus] Second Scanner
Re: Re[2]: [Declude.Virus] Second Scanner
I also use Terry's runclamscan with no issues. I have had rare email meltdowns when I was running runclamd. I could never pin it firmly on anything. So I stopped the runclamd to see how it handles.

----- Original Message -----
From: David Sullivan [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Saturday, June 04, 2005 1:18 PM
Subject: Re[2]: [Declude.Virus] Second Scanner
Re[2]: [Declude.Virus] Second Scanner
Hello Terry,

TF> ClamAV -
TF> http://www.sosdg.org/clamav-win32/index.php

TF> Get my utilities: runclamd, runclamdscan
TF> http://www.smartbusiness.com/imail/declude/

TF> Set up a scheduled task to periodically run freshclam to keep the
TF> database updated.

TF> Works extremely well for us.

Thanks, I'll give it a try.

--
Best regards,
David
mailto:[EMAIL PROTECTED]
RE: Re[2]: [Declude.Virus] Second Scanner
I use ClamAV (with Runclamscan/Runclamd) as my second scanner and it works great. The only downside is it is a resource hog (but still worth it.)

If and when you move to AV/JM 2.0.6.16, consider using the new directive EXITSCANONVIRUSDETECT. It has helped.

John

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Sullivan
Sent: Friday, June 03, 2005 11:14 AM
To: Terry Fritts
Subject: Re[2]: [Declude.Virus] Second Scanner
Re[2]: [Declude.Virus] Second Scanner
Hello Terry,

Friday, June 3, 2005, 3:26:33 PM, you wrote:

> How can I figure out if freshclam is grabbing the latest defs?

TF> I set up a scheduled task update_clamav to run every 2 hours or so:
TF> start in: c:\clamav-devel\bin\
TF> run: freshclam.exe --quiet -l c:\clamav-devel\log\freshclam.log

Works like a charm.

TF> Then I can check the freshclam.log file.

Looks good.

> I have Runclamd running as a service under LocalSystem. Should I set the startup type to Automatic or leave it at Manual?

TF> Mine is set to automatic.

Done

Now have clam setup as Scanner2. Am I to assume that anything showing up in the runclamscan.log is something that got by Fprot?

--
Best regards,
David
mailto:[EMAIL PROTECTED]
Re: Re[2]: [Declude.Virus] Second Scanner
P.S. You can schedule freshclam often because it makes a DNS call to determine if there is a new version of the database; it will only download if that DNS result tells it to. Very efficient. I schedule freshclam every 15 minutes.

----- Original Message -----
From: David Sullivan [EMAIL PROTECTED]
To: Terry Fritts Declude.Virus@declude.com
Sent: Friday, June 03, 2005 11:14 AM
Subject: Re[2]: [Declude.Virus] Second Scanner
Re: Re[2]: [Declude.Virus] Second Scanner
One other ClamAV tip. If you can afford the performance hit and can use PRESCAN OFF, clamav will be a very effective Phish blocker.

----- Original Message -----
From: David Sullivan [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Friday, June 03, 2005 3:20 PM
Subject: Re[2]: [Declude.Virus] Second Scanner