to whitelist (whitelist_from_rcvd) yet still scan them for
viruses/malware? In other words, not make any decisions on whether it's
spam, but if a virus/malware is found, quarantine it?
Thanks,
Alex
___
Help us build a comprehensive ClamAV guide:
https
?
The safebrowsing CVD gets updated way too much for cdiffs to really be
useful. Our safebrowsing database comes from Google's safebrowsing
database, which gets updated very frequently.
Thanks for the info. Just wanted to be sure it wasn't configured improperly.
Thanks,
Alex
Hi,
I'm running clamav-0.98.1 on fedora20 and was just wondering about
safebrowsing.cvd. I notice when freshclam runs, it always downloads an
entirely new version when there are any changes, instead of just the
differences, as it does with daily.cvd, for example. Is this normal?
Thanks,
Alex
just open daily.cld with a text editor and search for the
daily.pdb section near the bottom.
Thanks so much for your help.
Regards,
Alex
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support
in
daily.pdb as H:domain
It looks like I only have daily.cld. Can you explain what you mean here?
Thanks again,
Alex
Hi,
On Sat, Feb 1, 2014 at 5:32 AM, Al Varnell alvarn...@mac.com wrote:
On Jan 31, 2014, at 5:26 PM, Alex mysqlstud...@gmail.com wrote:
Hi,
I found another false-positive, this time with
Heuristics.Phishing.Email.SpoofedDomain and I'd like help in figuring
out what domain within the email
legitimate mail isn't tagged for doing this.
Thanks again,
Alex
Hi,
I found another false-positive, this time with
Heuristics.Phishing.Email.SpoofedDomain and I'd like help in figuring
out what domain within the email it thinks is spoofed.
I've pasted the email here:
http://pastebin.com/S7XkCg9a
Any ideas greatly appreciated.
Thanks,
Alex
Hi,
On Tue, Jan 21, 2014 at 2:15 PM, Charles Swiger cswi...@mac.com wrote:
On Jan 21, 2014, at 10:40 AM, Alex mysqlstud...@gmail.com wrote:
I received a number of messages on the 17th that were tagged incorrectly
with:
X-Amavis-Alert: INFECTED, message contains virus
-positive?
Thanks,
Alex
http://www.rezau.com/omb/ksif.uoxn?qvh
alex liveti
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
/downloads
Does anyone know what's going on with this domain? It doesn't look
like a domain thousands of my users would be including in their email
on Aug 7th, so I don't know whether the emails were really spam...
Hope this helps.
Regards,
Alex
Hi,
# sigtool --find-sigs MBL_303159 | sigtool --decode-sigs
Does anyone know what's going on with this domain? It doesn't look
like a domain thousands of my users would be including in their email
on Aug 7th, so I don't know whether the emails were really spam...
Hi Alex,
The problem I
: 12.425 sec (0 m 12 s)
I've also tried to add
Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net
to my local whitelist file, /var/lib/clamav/mywhitelist.ign2 and it
still finds it. The domain is bestwesternsupply(.)com.
Thanks,
Alex
of the domains within the rule. Is that possible?
If I were to disable this rule, would adding it as it is displayed
above to the ign2 file be the correct way? For some reason that
doesn't seem to work here.
Thanks,
Alex
, with 06/04/12 being the last
day checked. However, it also says it hasn't hosted malware in the
last 90 days. Am I missing something?
Thanks,
Alex
reading it correctly that the only way
to whitelist it is using its hash value?
That makes it tough to remember which is which, in case that's
necessary in the future.
Thanks,
Alex
Hi,
Can someone help me understand what the issue with securesites.net is,
and why this email was blocked because of it?
Hi Alex,
The domain was blocked by a Third Party ClamAV database produced by InetMsg.
I've removed the signature for them and it will be removed from the
mirrors
, northstate.net, is currently
blacklisted, but that wasn't tagged.
I've pasted the email here:
http://pastebin.com/raw.php?i=bWVn19ff
Can someone help me understand what the issue with securesites.net is,
and why this email was blocked because of it?
Thanks,
Alex
]
PUA.Script.PDF.EmbeddedJavaScript:0:0:255044462d*6f626a{-2}3c3c{-100}2f4a617661536372697074(20|28|3c)
Thanks,
Alex
?
No.
Awesome, thanks for your help.
Thanks,
Alex
some ideas to share on how to
resolve these permissions issues.
Thanks,
Alex
could explain to me the default
permissions for the relevant files, including any configuration files.
Thanks,
Alex
recommend a more suitable score?
Where is the score defined? From within amavisd?
Thanks,
Alex
.
I realize this may be a hardware issue, but does anyone have any ideas
how to determine what is really going on?
Is there a way to stress-test clamav on the new hardware, to try and
induce an error through high IO?
Thanks,
Alex
it as spam and quarantine it, instead of just adding
such an insignificant score.
Thanks so much.
Best,
Alex
people here that can tell me with
certainty that it is indeed the processor and I should replace it as
quickly as possible.
Thanks for any ideas.
Best,
Alex
,
Alex
: INetMsg.SpamDomain-2w.lakecharmvila_com
TARGET TYPE: MAIL
OFFSET: *
DECODED SIGNATURE:
{CHAR_ALTERNATIVE:.|/|@| ||_}lakecharmvila.com{CHAR_ALTERNATIVE:'|| |/|=|_||
}
Thanks for any ideas.
Alex
this happens or be more tolerant of database problems, with
notifications of those problems, in the future?
Thanks,
Alex
there isn't anything wrong with the network.
I'm really stuck here. I hope someone has some ideas.
Thanks again,
Alex
, it just dies.
Lots of fun. :-)
In my case, restarting does fix the problem.
Is there anything I should watch for, or do when it happens again? How
can I manually check the integrity of all the databases when it fails?
Thanks,
Alex
the distinction is made as to
whether a message should be quarantined immediately?
Sure appreciate any ideas.
Thanks,
Alex
TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
update.multivaccine.co.kr/setupa
Is that the correct way? I looked at the email itself, and not only is
it from a trusted sender, but it doesn't contain that URL in the
message. Am I missing something?
Thanks,
Alex
(one even had a subject
of Test).
There are only text/plain and text/html content types, so no binary attachments.
Thanks,
Alex
it catches quite a bit here.
I assumed they were safe. Is the general consensus that they are more
aggressive or experimental than should be acceptable on a production
box?
Thanks again,
Alex
, certainly not that a
signature ID had been re-purposed.
Thanks again,
Alex
this email with that
reference.
Thanks,
Alex
:-)
Thanks,
Alex
-fwinnow.malware.47853 | sigtool --decode-sigs
ERROR: decodesig: Invalid or not supported signature format
TOKENS COUNT: 3
Isn't that the proper way to do this? Just running sigtool returns:
# e42724a855ce18d0890c15f2805769db:15872:winnow.malware.47853
Ideas greatly appreciated.
Thanks,
Alex
that it matches underconstruction.networksolutions.com. Is
it possible to make these signatures score a few points instead of
being a poison pill, and killing the email entirely?
Thanks again,
Alex
to consider that.
Thanks again,
Alex
clamscan with the latest updates and it
still finds the zeus virus.
I'd like to submit this to someone to reduce this false positive, but
I really can't for privacy reasons. Is there something else I can do
to help?
Thanks,
Alex
.4637
winnow.botnets.zu.zeus.4637:3:*:(2e|2f|40|20|3c)3230352e3137382e3138392e313239(27|22|20|2f|3d|3e|0a|0d)
How exactly is that calculated?
Thanks,
Alex
Hi,
Great, thanks everyone for the information, and your efforts.
Best regards,
Alex
Are they still effective? Perhaps they are updated and I just haven't
found where the latest versions are?
I've discontinued using them because of the lack of activity. I've also shut
off SecuriteInfo
Hi,
Does anyone know if the vx.hdb SecuriteInfo db is still available, or
what its current status is? It seems to be unavailable from the
mirrors any longer?
Thanks,
Alex
they are updated and I just haven't
found where the latest versions are?
Thanks,
Alex
of your clamconf -n?
You can find it here:
http://pastebin.com/aUjAWNya
I'm using gcc-2.96 and 2.4.31, so not even sure if you support it, but
it will be some time before I can upgrade.
Thanks,
Alex
it.
I'm going to disable safebrowsing on the servers for now, and see if
we can better isolate the problem before I open a bug report -- I just
don't have the time to keep up with it.
Thanks,
Alex
20th from that
information?
I'll keep an eye on it, and will report if it does consume a
substantial amount of memory again. Please do drop me a line if you'd
like me to evaluate or test something..
Thanks,
Alex
seconds at a time, with apparently three
instances running.
Is that 315MB an accurate representation, as reported by clamdtop, and
standard top?
Are the memory requirements dependent upon the number of signatures,
databases, or otherwise?
Thanks,
Alex
of
data when using rsync, and it forms the basis of my backup system
(using link-dest, too).
Thanks,
Alex
After the script is run, each database that has been updated is GPG
signature tested, then ClamAV integrity tested, and then rsynced into
the ClamAV production directory. You
an
administrator that there was a problem when it actually happens, and
not through just a daily report?
How can I verify that clamd is actually using the full set of
databases I've downloaded?
Thanks again,
Alex
(that could not be retrieved) were collected from the
sanesecurity database page. Aren't they supposed to be used? I'd think
someone else would have found this problem?
On a similar note, this script can replace freshclam, correct?
Thanks,
Alex
on
the other databases.
Why are some of the databases duplicated in the clamav root dir and
also in the unofficial-dbs/ss-dbs directory, such as
winnow_malware.hdb?
Thanks,
Alex
body, could you send me a sample:
Attachment sent.
Thanks,
Alex
it to log through syslog, instead of to a
file directly?
Thanks,
Alex
of overhead) and for monitoring, so I don't have to
have another script that runs and watches a daemon or additional set of
log files.
Do you have any suggestions? Do you think it's necessary?
Thanks again for all your work!
Best regards,
Alex
, that explains it. I now understand. I hadn't realized that was the case.
Thanks again,
Alex
there is a policy in place.
I think it's more likely that no one has reported it previously,
rather than not implementing it.
Thanks,
Alex
...
Thanks
Alex
on a production system? Why aren't
they in the default signatures included with the daily updates?
I've done some research on the best way to integrate it, but hoped
someone could point me to a current document that outlines how to do
this and help me answer some of my questions.
Thanks,
Alex
?
It also appears that libclamav.a, libclamunrar.a, and
libclamunrar_iface.a weren't built. Do these need a later c++ compiler
to build correctly?
What happened to the contrib directory, that had clamdwatch and a few
other programs in it, I believe?
Thanks,
Alex
need to call freshclam from cron on a
regular basis or start freshclam as a daemon and use the Checks
setting to configure how often it checks for updates.
Updating via freshclam as a daemon is definitely the way to go.
Thanks much for the information.
Best,
Alex
Where is this documented?
There's always been 2 ways to run freshclam:
- manually, either via the CLI or via cron
- as a daemon
Ugh, not sure how I missed that. Thanks for the info.
Best,
Alex
: 600 (10
min)).
I guess it is a little vague, because I don't understand what you mean
even here.
I assumed the database check was an integrity check, not an update check, right?
How does this parameter relate to freshclam in any way, particularly
for database updates?
Thanks,
Alex
automatically spawned periodically by clamd and there is
no need to automate this in cron?
Is it then necessary to somehow signal clamd to run freshclam?
In the past it has always been necessary to run it from cron, I believe.
Where is this documented?
Thanks,
Alex
DatabaseMirror entry in your freshclam.conf,
so that freshclam can first contact the local mirrors in Ukraine and then
fall back to database.clamav.net if necessary.
done
alex
On Wed, 08 Jul 2009 10:26:04 +0300
Török Edwin edwinto...@gmail.com wrote:
How much memory does clamd use on startup?
After how much time does memory usage increase to 589M?
It uses 600 M on startup. Then it increases it every day, but clamdtop always
shows 589M.
right now it got
PID
: count1 used 589M
total 591M
alex
: version 51, sigs: 545035, built on Thu May 14 17:28:45 2009
daily.cld: version 9541, sigs: 40491, built on Tue Jul 7 20:31:53 2009
alex
and server AV to send
one out and back in that way - kind of a pain.
Thanks!
On Fri, Feb 6, 2009 at 7:51 AM, Noel Jones njo...@megan.vbhcs.org wrote:
Steve Basford wrote:
Alex Davidson wrote:
send myself EICAR test
virus strings but firstly only 3 of the 7 tests hit my mail server,
and secondly
appear at bootup?
I had wondered about running freshclam from /etc/rc.local but as a
test when I ran freshclam from the command line it said it couldn't
lock the database directory /var/lib/clamav and sure enough adding
freshclam to /etc/rc.local made no difference.
Thanks for any pointers.
Alex
Perfect! It's working now.
Thanks for such a prompt response.
Alex
On Thu, Feb 5, 2009 at 3:31 PM, Brandon Perry bperry.volat...@gmail.com wrote:
There is a major bug in the version you are running. If you enable the
volatile repo and upgrade clamav, you should be fine.
On Thu, Feb 5, 2009
I am running ClamAV tying into ASSP on Debian 4.
To test ClamAV I have tried using
http://www.aleph-tec.com/eicar/index.php to send myself EICAR test
virus strings but firstly only 3 of the 7 tests hit my mail server,
and secondly ClamAV doesn't detect anything, yet the next-level AV
detects it
Hi there, this is not a virus, it is just paperwork; just take a look at it, correct it and
send it back to
please just test can i send t.
__
Sent from Yahoo! Mail.
A Smarter Email http://uk.docs.yahoo.com/nowyoucan.html
Hi there, I am having a problem with one of 2 operating systems, UNIX and Linux.
The question is: are these two the same or not? Is it possible to use the same
commands, or are they different between them in commands?
Rgds
or
as an external file to all the processes that will help prevent these
timing errors.
From previous posts to this list, the problem could be the same that I
have. With ScanArchive enabled, clamd dies immediately when scanning
a .zip file. With ScanArchive disabled, clamd has no problem.
Alex
enabled for as long as I can remember and this is
the first time that clamd has crashed from a zipped file.
Can anyone confirm this on your Solaris installation?
Thanks,
Alex
--
for the email parts
from a working directory and I also scan the email with
clamd/clamav-milter.
I will try disabling the scan from the clamd/clamav-milter combination
and see what happens.
Anyone else on Solaris with ScanArchive enabled having problems?
Alex
On Wed, 07 Mar 2007 18:15:54 -0800
Dennis Peterson [EMAIL PROTECTED] wrote:
Alex Moore wrote:
Has anyone seen 0.90.1's clamd die? I am running Solaris 9 SPARC.
The daemon had been running for several days. The mail server only
handles around 500 messages/day. So far, I have no clue
no problems.
Experimental code isn't enabled. I wonder what the difference is with
your setup?
Do you log clamd to a file and rotate the log with logadm?
Alex
--
Just put these 2 lines in
sendmail.cf
#Input mail filters
O InputMailFilters=clmilter
Xclmilter, S=local:/var/run/clamav/clamav-milter.sock, F=R, T=S:4m;R:4m;E:4m
- Original Message -
From: Kaushal Shriyan [EMAIL PROTECTED]
To: clamav-users@lists.clamav.net
Sent: Wednesday, July 05,
I'm using clamav via an antispam tool named dspam. It has integrated
support for clamav via TCP.
When I asked why wasn't there socket support, I got this answer:
you can't stream over a unix socket, only tcp
Is that really the case?
Thanks,
Alex
I think clamav only supports network sockets, not unix sockets.
From the clamav.conf file:
# The daemon works in a local OR a network mode. Due to security reasons we
# recommend the local mode.
# Path to a local socket file the daemon will listen on.
# Default: disabled
#LocalSocket
On 5/24/06, aCaB [EMAIL PROTECTED] wrote:
Trog wrote:
I'd guess it unlikely that a legitimate spreadsheet would try and infect
a Workbook.
-trog
Sorry Trog,
Didn't notice you had already replied.
___
First I would like to say I've submitted files via the web interface with
the false positive using the method from the FAQ. I have a bunch of excel
files that won't get through because clam thinks it has this W97 macro
virus. We have had 3 commercial AV vendors analyze this file and they said
On 5/23/06, Kelson [EMAIL PROTECTED] wrote:
Jan Pieter Cornet wrote:
Maybe tons is slightly exaggerated? Out of approximately 10 million
emails today, our logs show one hit for XF.Sic.L, and then another hit
when that email was bounced because of the reject we gave.
If their customer is
On 5/23/06, Jan Pieter Cornet [EMAIL PROTECTED] wrote:
On Tue, May 23, 2006 at 02:06:05PM -0600, Alex Georgopoulos wrote:
Tons may be a little exaggerated, but like Kelson said, the users keep
retrying because they don't get any notification that it is getting blocked,
so they send it again
On Wed, 26 Apr 2006 08:54:32 +0300, David Garrard [EMAIL PROTECTED]
wrote:
Hello;
I currently use ClamAV with MailScanner on an OpenBSD gateway. I want to
be able to generate a report detailing the following:
The total number of Viri found:
The top 10 most frequent Viri
The top 10 users who
I've submitted a virus three times using the sendvirus form but still no
reaction. any of.
Should I do something else?
--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
___
http://lurker.clamav.net/list/clamav-users.html
by the
linker. But, as you have seen, things typically work if you combine the
two options for LDFLAGS. See man ld for linker options.
Glad to hear clamav is working now. Successful results from 'make
check' is essential to building GMP and MPFR.
Alex
want to change your directory organization, especially if you
have other programs that you want to build. I would use /opt/local as
--prefix
BTW, I rarely use LDFLAGS for the -R option. It should be LD_OPTIONS
for /usr/ccs/bin/ld; at least for clamav.
Alex
Dennis Peterson wrote:
Matt Fretwell wrote:
On Fri, 03 Mar 2006 16:43:24 -0800
Alex Gottschalk [EMAIL PROTECTED] wrote:
This check is causing our mail server to quarantine mail sent
from PHP via postfix. It looks like it's because PHP wants
to put CRLF on the MIME headers instead of bare
Jan Pieter Cornet wrote:
On Mon, Mar 06, 2006 at 12:20:11PM -0800, Alex Gottschalk wrote:
Replacing the CRLF with a bare LF in these headers causes Clamav to no
longer quarantine these mail messages.
I'm guessing something is doing double encoding tricks. When you
pass lines ending in CRLF
).
That said, I *would* sincerely like to thank everyone on this list for
their quick and helpful responses - I know quite a bit more about MIME
mail processing than I did before.
Cheers,
Alex
/--\
| Alex Gottschalk [EMAIL PROTECTED
/function.mail, it should be legal to put \r\n
characters as linefeeds in MIME headers.
Thanks,
Alex
/--\
| Alex Gottschalk [EMAIL PROTECTED] Desk: (415) 357-7635 |
| LetsTalk, Inc. -- IT Manager/Sysadmin Cell: (415) 517
.
Please let us know how things go.
Alex
Try this
O InputMailFilters=clmilter
Xclmilter, S=local:/var/run/clamav/clamav-milter.sock, F=R, T=S:4m;R:4m;E:4m
- Original Message -
From: ladha [EMAIL PROTECTED]
To: ClamAV users ML clamav-users@lists.clamav.net
Sent: Wednesday, June 08, 2005 8:13 AM
Subject: [Clamav-users] Error
: 0.46 MB
Time: 1.696 sec (0 m 1 s)
WebImmune detects them. Extra.dat at:
https://www.webimmune.net/GetExtra.asp?Analysis=1751630
I submitted sample to http://www.clamav.net/sendvirus.html
Alex
--
Alex Pleinerzeitform Internet Dienste
mailto:[EMAIL PROTECTED