Paul Boven wrote:
How about only trying every word in the mail-body as a key to try,
instead of brute-forcing? The virus(-writer) cannot afford to fudge the
password in the mail-body: One would hope that the subset of users that
is clever enough to reconstruct the password, yet stupid enough
David Uzzell said:
Ok I have a qmail mail server which up to a couple of days ago was
working 100% and doing very well.
Then a couple of days ago it just started with this error,
clamuko: corrupt or unknown clamd scanner error or
memory/resource/perms problem - exit status 2
System
On Tue, 2 Mar 2004, jef moskot wrote:
For some reason, my system is allowing Worm.Bagle.F-zippwd files
through...
For what it's worth, this seems to be an issue with amavis. By default,
it doesn't scan the body of the message. If/when I get a fix, I'll post
it here so all other dinosaurs can
I tried to install clamav + clamav-milter for sendmail with the following
command:
# ./configure --enable-milter
# make
but I get the following error...
In file included from clamav-milter.c:376:
/usr/include/malloc.h:3:2: #error malloc.h has been replaced by
stdlib.h
*** Error code 1
Stop in
(please don't top-post!)
Nigel Kukard wrote:
On Wed, Mar 03, 2004 at 12:42:48AM +0100, Thomas Lamy wrote:
Nigel Kukard wrote:
Anyone seen this...
3843 ?S 0:00 clamd
3846 ?S 0:01 \_ clamd
3847 ?S 0:03 \_ clamd
when i cat the /proc/3843/status
Andrew Keuhs wrote:
Clamd will not start now.. i am using version .67
It was working fine last week... we had a power outage... now when I run /usr/sbin/clamd as root... it goes to next line but nothing is started... Where would I look for errors? I see it has no verbose setting... So i have
On Tue, Mar 02, 2004 at 09:38:11PM -0800, Shawn Tayler wrote:
On Tue, 2 Mar 2004 17:07:53 +0100 Erik Corry [EMAIL PROTECTED] exclaimed:
The question is how much of a problem it really is. Are users
really that dumb?
What I'm wondering is whether the encrypted version of the
virus
That's got my vote - can the core team give some indication of options being
considered and what general direction we'll go here?
Thanks.
m/
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Andy Dills
Sent: Tuesday, March 02, 2004 11:05 PM
To: [EMAIL
But...
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Chris
Meadors
Sent: Tuesday, March 02, 2004 11:44 PM
To: [EMAIL PROTECTED]
Subject: Re: [Clamav-users] Password-protected .zip file viruses
Paul Boven wrote:
How about only trying every word
Jesper Juhl wrote:
What I'm thinking is; Would it be feasible to add an option to attempt to
brute-force-crack the passwords on zip files when scanning them?
Yes, it would slow down scanning immensely, and there's *no* way it should
ever be a default option, but zip file passwords are /reasonably/
On Wed, 03 Mar 2004 at 2:47:50 -0500, jef moskot wrote:
On Tue, 2 Mar 2004, jef moskot wrote:
For some reason, my system is allowing Worm.Bagle.F-zippwd files
through...
For what it's worth, this seems to be an issue with amavis. By default,
it doesn't scan the body of the message.
- Original Message -
From: Thomas Lamy [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 03, 2004 3:18 AM
Subject: Re: [Clamav-users] Clamd will NOT start
Andrew Keuhs wrote:
Clamd will not start now.. i am using version .67
It was working fine last week... we had
Andrew Keuhs wrote:
- Original Message -
From: Thomas Lamy [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 03, 2004 3:18 AM
Subject: Re: [Clamav-users] Clamd will NOT start
Andrew Keuhs wrote:
Clamd will not start now.. i am using version .67
It was working fine
Galactic wrote:
Ok, just upgraded my web server and all to RHE and Plesk 7 using qmail
from my RH9 box. I had clam on the old box and it was working great,
so I go to install it on my RHE box and I don't see it listed as a
supported install.
Will ClamAV be available for RHE and if so, where
Hi,
I'm using clamav 0.67 on Debian Woody.
When I run 'clamdscan file1'. I get the message it contains the virus
Worm.Gibe.F FOUND.
When I run 'clamdscan file1'. I get the file is OK.
What could be wrong?
-- Marc
---
SF.Net is sponsored
FreshClam wrote:
Hi, I downloaded the Red Hat package from
http://crash.fce.vutbr.cz/crash-hat/1/clamav/. When I try installing it on
e-smith 6.0 with Red Hat 7.3, I get the following error:
[EMAIL PROTECTED] src]# rpm -Uvh clamav-0.67-1.i386.rpm
error: failed dependencies:
On Wed, 03 Mar 2004 at 11:18:15 +0100, Marc Cuypers wrote:
Hi,
I'm using clamav 0.67 on Debian Woody.
When I run 'clamdscan file1'. I get the message it contains the virus
Worm.Gibe.F FOUND.
When I run 'clamdscan file1'. I get the file is OK.
What could be wrong?
?! The commands
On Wed, 2004-03-03 at 10:18, Marc Cuypers wrote:
Hi,
I'm using clamav 0.67 on Debian Woody.
When I run 'clamdscan file1'. I get the message it contains the virus
Worm.Gibe.F FOUND.
When I run 'clamdscan file1'. I get the file is OK.
When you run the same command twice? Or you've made
On Wed, 03 Mar 2004 10:45:34 +0700
Fajar A. Nugraha [EMAIL PROTECTED] wrote:
Thomas Seifert wrote:
clamscan used the new dir (its default directory) and didn't use
the path given in clamav.conf!?
I believe clamscan doesn't read clamav.conf at all; It uses hard-coded
compiled
On Wed, 3 Mar 2004 02:10:44 +0100
Rembrandt [EMAIL PROTECTED] wrote:
I've 3 little questions but at first I'm sorry because I didn't check
the archives. :o)
1.
Is it possible to improve the BSD-support? Like on-access-scanning and
co?
The CVS version supports on-access scanning under
-Original Message-
From: [EMAIL PROTECTED] [mailto:clamav-users-
[EMAIL PROTECTED] On Behalf Of Jesper Juhl
Sent: 3 March 2004 02:55
To: [EMAIL PROTECTED]
Subject: Re: [Clamav-users] Password-protected .zip file viruses
What I'm thinking is; Would it be feasible to add an option
Tomasz Papszun wrote:
On Wed, 03 Mar 2004 at 11:18:15 +0100, Marc Cuypers wrote:
Hi,
I'm using clamav 0.67 on Debian Woody.
When I run 'clamdscan file1'. I get the message it contains the virus
Worm.Gibe.F FOUND.
When I run 'clamdscan file1'. I get the file is OK.
What could be wrong?
?!
Nigel Kukard wrote:
Anyone seen this...
3843 ?S 0:00 clamd
3846 ?S 0:01 \_ clamd
3847 ?S 0:03 \_ clamd
when i cat the /proc/3843/status file...
Name: clamd
State: S (sleeping)
Tgid: 3843
Pid:3843
PPid: 1
TracerPid:
when using clamav as milter for sendmail I cannot query the returncode of
clamav. So a password-protected zipfile is passing the milter and from the header
X-Virus-Scanned: clamd / ClamAV version 0.67, clamav-milter version 0.66n it
looks like the file is clean, while in fact it just could not
[EMAIL PROTECTED] etc]# freshclam
ClamAV update process started at Wed Mar 3 11:56:30 2004
Reading CVD header (main.cvd): OK
main.cvd is up to date (version: 21, sigs: 20094, f-level: 1, builder:
tkojm)
Reading CVD header (daily.cvd): OK
Downloading daily.cvd [*]
daily.cvd updated (version: 158,
On Wednesday 03 Mar 2004 11:08 am, peter pilsl wrote:
Is there any way to persuade the milter to block password-protected
zip-files ?
I do not feel that is the job of anti-virus software.
peter
--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL
Nigel Horne wrote:
Is there any way to persuade the milter to block password-protected
zip-files ?
I do not feel that is the job of anti-virus software.
It should be implementation dependent, a security policy may want to
allow only data parsed by the anti-virus with a no virus here
Trog wrote:
On Wed, 2004-03-03 at 11:29, Andrzej Zawadzki wrote:
#NotifyClamd [/optional/config/file/path]
NotifyClamd /etc/rc.d/init.d/clamd reload
What's this rubbish?
------
? Isn't this needed?
Clamd knows about new bases from freshclam anyway?
--
Andrzej
On Wednesday 03 March 2004 11:26 am, Nigel Horne wrote:
On Wednesday 03 Mar 2004 11:08 am, peter pilsl wrote:
Is there any way to persuade the milter to block password-protected
zip-files ?
I do not feel that is the job of anti-virus software.
Indeed. Password-protected zip files are
On Wed, 2004-03-03 at 02:28, Rembrandt wrote:
I know guys who are working as administrators at a newspaper.
They make backups.. yes..
But they make it only for 1 week (because there's too much data).
So they're able to restore all files which changed since date X.
But what about a virus which
On Wed, 2004-03-03 at 11:57, Andrzej Zawadzki wrote:
Trog wrote:
On Wed, 2004-03-03 at 11:29, Andrzej Zawadzki wrote:
#NotifyClamd [/optional/config/file/path]
NotifyClamd /etc/rc.d/init.d/clamd reload
What's this rubbish?
------
? Isn't
Hello Nagy,
I'm reasonably sure that it is something to do with my
configuration. As the eicar.zip test file also slips
through.
to rehash,
My config
Clamav 0.67, mimedefang 2.39, sendmail 8.12.10,
the problem is always base64 encoded zip files, get
through.
Any help, will result in my life
Trog wrote:
[cut]
Question: In what way does the arguments supplied to the configuration
option NotifyClamd (i.e. /etc/rc.d/init.d/clamd reload) relate to the
specification of the argument to the configuration option NofityClamd
(i.e. /optional/config/file/path).
Answer: They don't.
something
On Wed, 3 Mar 2004, Tomasz Papszun wrote:
Our signatures Worm.Bagle.F-zippwd* are based on the real contents of
mail messages (stream of characters as they are), while amavisd-new (and
probably amavis) divide messages to parts and decode them separately,
hence ClamAV doesn't get the original
Hi all,
I'm running clamav 0.67-1 release on debian.
I'm using clamscan with --mbox option in way to catch signature
mime-encoded,
but I will prefer to use clamdscan (much faster of course).
Is it planned to develop a --mbox option for clamdscan ?
Best regards,
José.
On Wed, 3 Mar 2004, Antony Stone wrote:
I agree that anti-virus software should look for viruses and either reply
virus found or virus not found. The latter is not, of course, the same
as saying no virus present.
Yes, but in the same way you might get a Can't open file, no permissions
Hello all ClamAv users,
first time on the list so please excuse any dumb questions ;-)
I'm running Exim with a call to a script that runs all emails through 2 AV
scanners, the ClamAv part of the script is:
/usr/bin/clamdscan --stdout $1 /tmp/antivir$$.log
ERR=$?
if [ $ERR 0 ] ; then
.
.
I
On Wed, 2004-03-03 at 13:18, José THOMAS wrote:
Hi all,
I'm running clamav 0.67-1 release on debian.
I'm using clamscan with --mbox option in way to catch signature
mime-encoded,
but I will prefer to use clamdscan (much faster of course).
Is it planned to develop a --mbox option for
There used to be a utility, way back in my OS/2 days, I think it was called
Stripper or something like that. It removed the HTML crap from files
leaving only the plain text...
Shawn
On Wed, 03 Mar 2004 07:43:35 + Chris Meadors [EMAIL PROTECTED]
exclaimed:
Good point. That should take
Thanks a lot.
José
On 3 March 04, at 14:40, Trog wrote:
On Wed, 2004-03-03 at 13:18, José THOMAS wrote:
Hi all,
I'm running clamav 0.67-1 release on debian.
I'm using clamscan with --mbox option in way to catch signature
mime-encoded,
but I will prefer to use clamdscan (much faster of course).
On 03 Mar 2004 07:55:00 +
[EMAIL PROTECTED] (Kevin Spicer) wrote:
On Wed, 2004-03-03 at 02:28, Rembrandt wrote:
I know guys who are working as administrators at a newspaper.
They make backups.. yes..
But they make it only for 1 week (because there's too much data).
So they're able to
On Wed, 03 Mar 2004 at 7:50:34 -0500, jef moskot wrote:
On Wed, 3 Mar 2004, Tomasz Papszun wrote:
Our signatures Worm.Bagle.F-zippwd* are based on the real contents of
mail messages (stream of characters as they are), while amavisd-new (and
probably amavis) divide messages to parts and
[I received a message saying that my previous post was not acceptable, so I
will try again.]
I've seen this error both on the latest build and on the stable .67 version
System is running Solaris 8. Sendmail has been compiled to use milters and
is currently running with vbs-filter.
I ran
Hey There!
I've got a problem with viruses in *.zip attachments in e-mails!
When I scan file.zip by hand clamscan finds the virus, but e-mail with these infected files
in attachment can go (IT IS NOT STOPPED!)
Why? What have I configured wrong?
[EMAIL PROTECTED] ~]$/usr/local/bin/clamscan freaky.zip
Hi again :-) ,
anybody out there knowing how to implement German language notification
emails?
Thx
Regards
Rudi
Christopher X. Candreva wrote:
I agree that anti-virus software should look for viruses and either reply
virus found or virus not found. The latter is not, of course, the same
as saying no virus present.
Yes, but in the same way you might get a Can't open file, no permissions
error, a
Hi All,
We are getting hammered by Worm.Bagle.F-zippwd-3 and clamav isn't
picking it up.
I understand that qmail-scanner breaks apart the message so that clamav
can not pick up the signature (and I'll look into fixing that) but the
zip file itself is NOT password protected. Winzip and unzip
On Wed, 3 Mar 2004 14:18:44 +0100
José THOMAS [EMAIL PROTECTED] wrote:
Hi all,
I'm running clamav 0.67-1 release on debian.
I'm using clamscan with --mbox option in way to catch signature
mime-encoded,
but I will prefer to use clamdscan (much faster of course).
Is it planned to develop
my virus signatures dropped from 20831 to 20346, is there only one server
I should be pointing to for updates? Are the db servers always going to
be this much out of date?
thanks,
- Nick
ClamAV update process started at Sun Feb 29 00:00:01 2004
main.cvd is up to date (version: 19,
I just received a few e-mails which were detected as Worm.Bagle.F-zippwd-5
but when I extracted the files, some of them were identified as
Worm.Bagle.I instead of Worm.Bagle.F.
Is this a problem with the signature or a double infected file (or can
you tell me how to find out for myself?) ?
I
I have been reading on the archives about the various forms of Bagle
that have been going around. My users have been getting pounded by it.
We use MailScanner + SpamAssassin + ClamAv to do our scanning, but
MailScanner only passes the attachment to clamav to get scanned. I have
seen that there
:
Worm.Bagle.F-zippwd-3 FOUND
The message has been quarantined as:
/var/amavisd/quarantine/virus-20040303-082055-01279-08
Good work and Thanks!
Thanks to the clamav folks as well. They have been working hard to stay
ahead of this.
L. A. Duerksen
Technical Manager
Futureware Distributing, Inc
OpenBSD
[EMAIL PROTECTED] wrote:
my virus signatures dropped from 20831 to 20346, is there only one server
I should be pointing to for updates? Are the db servers always going to
be this much out of date?
thanks,
- Nick
They're not out of date (as one can see from the db versions or the
Rick Macdougall wrote:
Hi All,
We are getting hammered by Worm.Bagle.F-zippwd-3 and clamav isn't
picking it up.
I understand that qmail-scanner breaks apart the message so that clamav
can not pick up the signature (and I'll look into fixing that) but the
zip file itself is NOT password
Thomas Seifert wrote:
Tomasz Kojm wrote:
I believe clamscan doesn't read clamav.conf at all; It uses hard-coded
compiled settings.
I might be wrong :)
You're right - it doesn't depend on clamav.conf at all.
May I suggest a change then please?
Either name it clamd.conf to describe for what
On Wednesday 03 March 2004 2:45 pm, [EMAIL PROTECTED] wrote:
my virus signatures dropped from 20831 to 20346, is there only one server
I should be pointing to for updates? Are the db servers always going to
be this much out of date?
They're not out of date - a lot of duplicates were dropped
Hello,
I apologize for creating more work for the clamav virus listers. It is
encrypted but I can see the archive with unzip -l and winzip, I just
can't unzip it without the password.
Sigh... So how does Trend's PC-cillin detect it in the password
protected zip file?
Rick
Trog wrote:
On
I second this. The amount of mail I'm getting from the list has
gotten to the point where I want to use the web interface to look
at things (like I do with the Linux-390 list - lots of traffic there
too).
And this is with me getting the digests... Ta muchly...
Rod
-Original Message-
From: [EMAIL PROTECTED] [mailto:clamav-users-
[EMAIL PROTECTED] On Behalf Of Andy Fiddaman
Sent: 3 March 2004 15:51
To: [EMAIL PROTECTED]
Subject: [Clamav-users] Worm.Bagle.F-zippwd-5..
I just received a few e-mails which were detected as
On Wed, 03 Mar 2004 at 8:45:07 -0600, [EMAIL PROTECTED] wrote:
[...]
ClamAV update process started at Sun Feb 29 00:00:01 2004
^
ClamAV update process started at Mon Mar 1 00:00:01 2004
^
Again
Clam did not seem to pick up (Win32/Bagle.gen.zip) (W32/Bagle.h!pwdzip)
([EMAIL PROTECTED]). I'm guessing an update for this has not been
established?
On Tuesday 02 March 2004 09:29 pm, Jim Gifford wrote:
Here is what I see on my system, maybe it's something in the kernel your
using. I'm using 2.6.3
Name: clamd
State: S (sleeping)
SleepAVG: 0%
Tgid: 751
Pid:751
PPid: 1
TracerPid: 0
Uid:0 0 0
Dear all
What does it mean when one gets this message in your clamd.log file,
repeatedly:
Main thread: database reloading (waiting).
When clamd goes in this state, I see multiple processes open for the milter,
and sendmail grinds to a near-halt.
Please help.
Jaap Scholten
---
Outgoing mail
Hi
A non-technical colleague of mine has been testing ClamAV. Using clam 0.67
and current signature files, he has been using this page to try clam out:
http://www.declude.com/tools/mailsend.html
From all of the tests listed there, the following are not picked up by clam:
eicarspacegap,
On Wed, 03 Mar 2004 09:12:45 -0500
Betsy Schwartz [EMAIL PROTECTED] wrote:
[I received a message saying that my previous post was not acceptable, so
I will try again.]
I've seen this error both on the latest build and on the stable .67
version
/usr/local/lib/libgmp.so
MailScanner users need to upgrade to MailScanner 4.28.4 (just out), which
can block password-protected .zip files.
Cheers,
Phil
-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
-Original Message-
From: [EMAIL PROTECTED]
On Wednesday 03 March 2004 3:47 pm, Martin A. Brooks wrote:
Hi
A non-technical colleague of mine has been testing ClamAV. Using clam 0.67
and current signature files, he has been using this page to try clam out:
http://www.declude.com/tools/mailsend.html
From all of the tests listed
I'm using ClamAV 0.67-1, currently using Unix sockets.
I'm not too familiar with UNIX sockets, but I'm comfortable with TCP sockets
and communication. Is clamd any more/less reliable when running over TCP?
I started clamd briefly using TCP and was able to connect and PING it, but I
can't get it
Rudolf Kliemstein wrote:
anybody out there knowing how to implement German language notification
emails?
Clamav scanner (e.g clamscan, clamd, and clamdscan) by itself does not
implement notification emails.
Mail integrator (MailScanner, Amavis, exiscan, clamav-milter, etc.) does
that for you.
Thomas Lamy wrote:
May I suggest a change then please?
Either name it clamd.conf to describe for what it's used
It's already called clamd.conf, and the documentation and manpages are
up-to-date.
Eh? Really? Which version is that?
The latest CVS snapshot still calls it clamav.conf.
Although the
On Mar 3, 2004, at 11:06 AM, Antony Stone wrote:
As far as I'm aware, all of these tests do not actually involve
viruses (or
even the Eicar test virus) - therefore you wouldn't expect an
Anti-Virus
program to be triggered by them. They are tests of other things to
do with
email which a mail
Does the clamav db pick up on Netsky or any of the variants? I've had
a couple emails that are auto replies from other AV software forwarding
infected emails back to the spoofed address which is us that make it through
clamav but get picked up by amavis.
Jesper Juhl [EMAIL PROTECTED] wrote:
What I'm thinking is; Would it be feasible to add an option to
attempt to brute-force-crack the passwords on zip files when scanning
them?
It shouldn't be necessary to go through a brute force crack. Every
instance of this virus has the password in the
I know this was a topic of discussion, but searching the archives I did
not find a final resolution.
Can clamscan/clamd be configured to produce an error when it cannot
successfully uncompress a file?
I am using Clamav and qmail-scanner to analyze email. The email-gateway
is allowing many
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Matthew Trent wrote:
| On Tuesday 02 March 2004 09:29 pm, Jim Gifford wrote:
|
|Here is what I see on my system, maybe it's something in the kernel your
|using. I'm using 2.6.3
|
|Name: clamd
|State: S (sleeping)
|SleepAVG: 0%
|Tgid: 751
Hanford, Seth wrote:
I'm using ClamAV 0.67-1, currently using Unix sockets.
I'm not too familiar with UNIX sockets, but I'm comfortable with TCP sockets
and communication. Is clamd any more/less reliable when running over TCP?
I started clamd briefly using TCP and was able to connect and PING
On Wednesday 03 March 2004 4:29 pm, [EMAIL PROTECTED] wrote:
does the clamav db pickup on Netsky or any of the variants?
ClamAV calls it Worm.SomeFool.variant
I think we're up to variant F at present.
Antony.
--
I want to build a machine that will be proud of me.
- Danny Hillis, creator
Less than an hour after our users started getting a new virus pretending to
be from their mail administrator, Clam started picking it up as
Worm.Bagle.Gen-1 Congrats !
However, there seems to be a password protected zip version of virus too.
Since this is a new virus, does it come under the
You have to configure clamd with
#LocalSocket /var/run/clamav/clamd.ctl
TCPSocket 3310
TCPAddr 127.0.0.1
and restart it to make it listen to a TCP socket. Clamd uses a UNIX _or_
a TCP socket, not both at the same time.
Right, I should've been more clear. I set the TCPAddr and TCPSocket,
On Wed, 03 Mar 2004 at 12:36:56 -0500, Christopher X. Candreva wrote:
Less than an hour after our users started getting a new virus pretending to
be from their mail administrator, Clam started picking it up as
Worm.Bagle.Gen-1 Congrats !
However, there seems to be a password protected zip
I'm not sure on the status of clamav and its ability to block the new
encrypted-zip-bagle variant(s?), but through the grapevine, we've heard of
a fairly simple way of stopping all of these. I don't have all the
details, but it seems the archives are actually flagged as zip 1.0,
whereas most
Fajar A. Nugraha wrote:
Thomas Lamy wrote:
May I suggest a change then please?
Either name it clamd.conf to describe for what it's used
It's already called clamd.conf, and the documentation and manpages are
up-to-date.
Eh? Really? Which version is that?
The latest CVS snapshot still calls it
Tomasz Papszun said:
WE ASK USERS TO NOT SUBMIT naked zip files IF their contents is DETECTED
as infected by ClamAV AFTER UNZIPPING. It's an utter waste of our time,
which results in delays in processing really significant samples!
Why not add this on the web submittal nag screen?
Luke Computer
On Wed, Mar 03, 2004 at 11:11:19AM -0500, Derek J. Balling wrote:
On Mar 3, 2004, at 11:06 AM, Antony Stone wrote:
As far as I'm aware, all of these tests do not actually involve
viruses (or
even the Eicar test virus) - therefore you wouldn't expect an
Anti-Virus
program to be
Hi,
I assume you mean upgrading ClamAV to ClamAV-0.67-1?
Your answer is ambiguous, you could be referring to MailScanner.
--
CU, Nick
*Draft beer, not people*
---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial
Like many clamav users, I have found clamav to not be effective against
the latest crop of password zip viruses.
I have made a rudimentary patch (clean patch) against clamav 0.67 to
mark all zip files containing password-protected (and hence unscannable)
files as a virus type
I'm running clamAV 0.67 - amavis new with this config:
LogFileMaxSize 100M
LogTime
PidFile /var/run/clamd.pid
LocalSocket /tmp/clamd
FixStaleSocket
MaxConnectionQueueLength 30
StreamSaveToDisk
StreamMaxLength 10M
MaxThreads 10
MaxDirectoryRecursion 15
User amavis
AllowSupplementaryGroups
ScanMail
MailScanner[16052]: Filetype Checks: Allowing
i23Jqixu016730 msg-16052-4.txt
Mar 3 20:52:59 dask-xp MailScanner[16052]: Virus Scanning completed at 2663
bytes per second
Mar 3 20:52:59 dask-xp MailScanner[16052]: Saved entire message to
/var/spool/quarantine/20040303/i23Jqixu016730
Mar 3 20:52:59 dask
On Wed, 3 Mar 2004 11:28:03 +0100
[EMAIL PROTECTED] (Tomasz Kojm) wrote:
On Wed, 3 Mar 2004 02:10:44 +0100
Rembrandt [EMAIL PROTECTED] wrote:
I've 3 little questions but at first I'm sorry because I didn't check
the archives. :o)
1.
Is it possible to improve the BSD-support? Like
Hi,
Just discussed a bit here and usually this virus will send the zip
password in clear text inside the e-mail. Wouldn't there be a way to try every word
in the e-mail to try to crack the zip, then unzip it and virus-scan the
content ?
Just my 2 cents...
Andre Courchesne - Consultant
Hi,
Quick question. By default, clamav sends an email to the sender, receiver
and the postmaster. How do i change the [EMAIL PROTECTED] to
another address?
Thanks
-=Raul=-
In libclamav/scanners.c around line 424 add between the free(buff);
and the return ret;:
if(files == 1) {
cli_dbgmsg("Zip - empty zip file!\n");
*virname = "Empty.Zip";
ret = CL_VIRUS;
}
That section of code will now look like this:
free(buff);
if(files == 1) {
On Wed, 2004-03-03 at 20:57, Grzesiek Staleczyk wrote:
MailScanner users need to upgrade to MailScanner 4.28.4 (just out), which
can block password-protected .zip files.
RP MailScanner users need to upgrade to MailScanner 4.28.4 (just out), which
RP can block password-protected .zip files.
Hi,
Because of my silliness earlier on, I've been scouring the net in hopes
I could find something that might help catch the new nasties inside the
zip files.
Don't know if this is of any help but here it is anyways.
Regards,
Rick
FYI - this is from the NANOG list. It may help some with
On Wed, 2004-03-03 at 14:07, Rembrandt wrote:
Ok...
Which parts are GPLed?
Could you give me a list?
If I've a list I'm sure I'm able to find coders to replace the GPLed
source with BSDed source. :)
I know that the ZZIP library is LGPLed.
What's wrong with GPL? (Specifically why is this a
clamav sends an email to...
Nobody. That's the job of your MTA and filter package. I'm using postfix and
amavis-new, what are you using?
You can likely just change the line for postmaster in /etc/aliases, and run
newaliases.
JohnV
-Original Message-
From: Raul Elizondo [mailto:[EMAIL
On Wed, 2004-03-03 at 15:24, John Madden wrote:
Thus
I've come to the conclusion that ultimately nothing short of
quarantining all password zip files will work for very long.
I agree. I can think of no legitimate need for password-protecting zip
files and sending them through email that
On Wed, 3 Mar 2004, Raul Elizondo wrote:
Hi,
Quick question. By default, clamav sends an email to the sender, receiver
and the postmaster. How do i change the [EMAIL PROTECTED] to
another address?
Clam does not send any emails. It only scans files and detects virii.
What is sending the
Noel Jones wrote:
At 02:37 PM 3/3/04, DamDam wrote:
I'm running clamAV 0.67 - amavis new with this config:
BUT when I send (to me) this mail with no modification it isn't
detected, and just this virus (SomeFool,Bagle etc are successfully
deleted) pass! (I receive the mail with the virus). I
Sorry, when I said clamav sends an email to, well, you know what I
meant. But the thing here is.. where do I change all these notify options?
I am new on this clamav thing, and works great! But I can't find any
documentation about how to handle these messages (...yet).
Any hint or help would