Re: [Clamav-users] New variant of password compressed virus

2004-03-15 Thread Odhiambo Washington
* Fajar A. Nugraha [EMAIL PROTECTED] [20040315 06:20]: wrote: Michael Torrie wrote: In another escalation of the arms war, the latest variant of password-encrypted archive virus now distributes itself in an encrypted rar file, and the password is an attached bitmap to eliminate

[Clamav-users] Re: New variant of password compressed virus

2004-03-15 Thread Virgo Prna
On Sat, 13 Mar 2004 13:48:58 -0700, Michael Torrie [EMAIL PROTECTED] wrote: password-encrypted archive virus now distributes itself in an encrypted rar file, and the password is an attached bitmap to eliminate the How does it create this rar archive? Does this virus use rar installed in

[Clamav-users] Problems with cron job and bash script

2004-03-15 Thread Hayo Schmidt
I am trying to run clamscan from a cron job. I have written a bash script for that, which I attached below. I am sorry it is in the German language and not in Polish. The batch works fine when I start it from the command line. freshclam returns 52, because it can't handle the Microsoft NTLM proxy

RE: [Clamav-users] LibClamAV Error: !Can't open /dev/urandom.

2004-03-15 Thread Edward W. Ray
Sorry, thought it was in the e-mail. RH 9 Linux system running clamav v0.67 [EMAIL PROTECTED] root]# ls -l /dev/urandom crwxr-xr-x1 root root 1, 9 Mar 9 17:22 /dev/urandom wget http://heanet.dl.sourceforge.net/sourceforge/clamav/clamav-0.67.tar.gz -Original Message-

[Clamav-users] clamdscan - Some processes still hanging

2004-03-15 Thread Robert Blayzor
clamdscan / ClamAV version devel-20040312 FreeBSD 4.9 I'm still seeing clamdscan processes hang every now and then. They eventually exit but only after a VERY long time. 5+ minutes usually. (maybe on the thread timeout value). I've checked our logs and it almost always happens when the database

Re: [Clamav-users] queries about clamscan

2004-03-15 Thread Jeff Ramsey
On Mar 14, 2004, at 10:56 PM, simon dcunha wrote: Hi, I have recently installed clamscan and it is working fine, but I do have a couple of queries and appreciate your help. 1) I need to check when my linux mail server which uses sendmail receives any infected mail; can I check it with clamav so that it

[Clamav-users] Ladmar virus?

2004-03-15 Thread Keith Murphy
I'm suddenly seeing this: clamscan Notepad.exe Notepad.exe: W32.Ladmar.A FOUND when run against C:\WINDOWS\Notepad.exe on several Win98 workstations. I don't see any recent updates that involve this virus, but I'm dubious about whether multiple workstations really are infected with this. A

Re: [Clamav-users] Ladmar virus?

2004-03-15 Thread Denis De Messemacker
On Mon, Mar 15, 2004 at 10:01:00AM -0600, Keith Murphy wrote : I'm suddenly seeing this: clamscan Notepad.exe Notepad.exe: W32.Ladmar.A FOUND when run against C:\WINDOWS\Notepad.exe on several Win98 workstations. I don't see any recent updates that involve this virus, but I'm dubious

Re: [Clamav-users] clamdscan - Some processes still hanging

2004-03-15 Thread Robert Blayzor
On 3/15/04 10:35 AM, Trog [EMAIL PROTECTED] wrote: It actually took 7 mins to reload the sig database - that is very strange. All threads are stopped *before* the Reading databases ... message. All that happens after that is to reset the database statistics structure and reload the sig

[Clamav-users] W32.Beable@mm!rar getting through?

2004-03-15 Thread Kevin Hanser
We just recently got a message sent to us that's infected w/the [EMAIL PROTECTED] virus (that's what norton/symantec calls it). For some reason, clamAV doesn't seem to be catching this virus. I ran a saved copy of the message thru the online clamAV @ http://www.gietl.com/test-clamav/ and it

[Clamav-users] MIME problem?

2004-03-15 Thread Stuart Mycock
anyway? I don't want to waste anyone's time if this is something that's already being dealt with? I run 0.67-1 in production but have also tried an mbox scan with clamav-devel-20040315. Cheers, Stuart.

[Clamav-users] Embedded EICAR handling

2004-03-15 Thread Martin A. Brooks
Hi One of our clients uses a multiple vendor AV solution (clam included) and has found an interesting scenario. They get sent signature updates and fixes from NAI which are sent as a non-passworded zip file. The zip file typically contains a single binary file and a text readme type file.

[Clamav-users] FreeBSD and log rotation

2004-03-15 Thread Bart Silverstrim
I'm running clamscan / ClamAV version 0.67-1 on FreeBSD 4.9 (clamav from ports collection), using clamd to scan incoming email for viruses. I have seen some people on the list say that clamd will stop working if the maximum logfile size is hit? Is there anyone using newsyslog to rotate the

Re: [Clamav-users] Load

2004-03-15 Thread Scott Ryan
Sorted the problem out - it appears that clamscan will fork new processes every time it is called by the qmail scanner - I switched to using clamdscan which uses the clamd daemon. It has halved the original load to average of 1-3 ... On Fri, 2004-03-12 at 23:47, Jeremy Kitchen wrote: On Fri,

[Clamav-users] Bagle.N Virus cannot be detected by local clamscan

2004-03-15 Thread Ling Ho
Hi One of my users (and possibly another) received a mail with an attachment Document.zip and password in a jpeg file. McAfee detected it as Bagle.N and the ClamAV website detected it as Worm.Bagle.Gen-zippwd-2 . However, when I ran clamscan on my Linux mail server with update 185, it doesn't

Re: [Clamav-users] Bagle.N Virus cannot be detected by local clamscan

2004-03-15 Thread Mike Cathey
On Mon, 2004-03-15 at 14:06, Ling Ho wrote: Anyone has this problem? Try with --mbox Cheers, Mike

Re: [Clamav-users] Embedded EICAR handling

2004-03-15 Thread Andy Fiddaman
On Mon, 15 Mar 2004, Martin A. Brooks wrote: ; Part of the text file is a boilerplate set of instructions on how to make ; an EICAR test file. Clam detects this signature and marks the file as ; being infected. NAI and Norton AV do not. ; ; I'm undecided as to which action is correct and

[Clamav-users] pipechk: [kegger:clamav-virus-list] (fwd)

2004-03-15 Thread clamav
Has the Ladmar.A virus been merged as a different virus? The count went down by 1 and Ladmar was removed. Any ideas? -- Eric Wheeler Vice President National Security Concepts, Inc. PO Box 3567 Tualatin, OR 97062 http://www.nsci.us/ Voice: (503) 293-7656 Fax: (503) 885-0770 --

Re: [Clamav-users] W32.Beable@mm!rar getting through?

2004-03-15 Thread Tomasz Kojm
On Mon, 15 Mar 2004 12:35:17 -0500 Kevin Hanser [EMAIL PROTECTED] wrote: We just recently got a message sent to us that's infected w/the [EMAIL PROTECTED] virus (that's what norton/symantec calls it). For some reason, clamAV doesn't seem to be catching this virus. I ran a saved copy of the

[Clamav-users] RE: msg-Private data not null

2004-03-15 Thread Alex S Moore
Been having problems lately. Using clamav-milter on Solaris 9 with version 0.67-1 (whatever the latest release is). It has been working brilliantly for months. Recently, I started getting a mail.warning message: ClamAv: Private data not NULL. After this starts, the thread count continues to

Re: [Clamav-users] Great surprise!!! CLAMAV is showing virus into Notepad.exe on Windows 98 CD provided by Microsoft.

2004-03-15 Thread Bit Fuzzy
Which versions are you seeing this under? I've tested notepad.exe from 98, ME, and XP Pro and show no virus result for it. It is possible that the files are indeed infected. My suggestion before writing it off as an error on ClamAV's part, is to take the win machine in question and perform a

RE: [Clamav-users] Bagle.N Virus cannot be detected by local clam scan

2004-03-15 Thread McDonald, Dan
From: Ling Ho [mailto:[EMAIL PROTECTED] One of my users (and possibly another) received a mail with an attachment Document.zip and password in a jpeg file. McAfee detected it as Bagle.N and the ClamAV website detected it as Worm.Bagle.Gen-zippwd-2 . However, when I ran clamscan on my Linux mail

Re: [Clamav-users] Embedded EICAR handling

2004-03-15 Thread Martin A. Brooks
At 20:02 15/03/2004, you wrote: Clam's behaviour is incorrect because the Eicar test file page (http://www.eicar.org/anti_virus_test_file.htm) states: Any anti-virus product that supports the test file should detect it in any file providing that the file starts with the following 68 characters,

Re: [Clamav-users] Bagle.N Virus cannot be detected by localclamscan

2004-03-15 Thread redragon
forgive me if this sounds silly. I completely understand the problem with the password protected archives but would like to make a suggestion. Can we take confirmed protected zips and md5sum them and have that sum added to av database? Granted I don't really have any idea how the signature

Re: [Clamav-users] Bagle.N Virus cannot be detected by local clamscan

2004-03-15 Thread Ling C. Ho
Found that clamdscan/clamd was able to detect the virus. My amavis-new setup was using clamscan, not clamd. Now that I changed to clamd, the virus can be detected properly. I probably need to update the clamscan myself, not rely on Fedora site. Sorry for the earlier post. Thanks ... ling Ling

Re: [Clamav-users] Bagle.N Virus cannot be detected by localclamscan

2004-03-15 Thread Antony Stone
On Monday 15 March 2004 9:49 pm, redragon wrote: I completely understand the problem with the password protected archives but would like to make a suggestion. Can we take confirmed protected zips and md5sum them and have that sum added to av database? They are not the same each time.

RE: [Clamav-users] W32.Beable@mm!rar getting through?

2004-03-15 Thread Kevin Hanser
I'd love to submit the sample :) I just need some help in doing it, since I'm not sure exactly how to do it. What I currently have is a MIME-encoded message that has the virus attachment in it. Do I submit the entire message, or just the attachment? If someone could give me a quick submission

Re: [Clamav-users] pipechk: [kegger:clamav-virus-list] (fwd)

2004-03-15 Thread Kevin Spicer
On Mon, 2004-03-15 at 20:20, [EMAIL PROTECTED] wrote: Has the Ladmar.A virus been merged as a different virus? The count went down by 1 and Ladmar was removed. Any ideas? It was temporarily removed due to a false positive. You can keep track of additions and removals by subscribing to

RE: [Clamav-users] W32.Beable@mm!rar getting through?

2004-03-15 Thread Jason Balicki
If someone could give me a quick submission howto for newbie submitters, that'd be great :) Go here: http://www.nervous.it/~nervous/cgi-bin/sendvirus.cgi It's really self-explanatory after that. --J(K)

Re: [Clamav-users] Bagle.N Virus cannot be detected by local clamscan

2004-03-15 Thread Ling C. Ho
Hi Sorry, didn't see this post before I posted a reply to my own post. The --mbox option seems to work for clamscan too. Thanks Mike. ... ling Mike Cathey wrote: On Mon, 2004-03-15 at 14:06, Ling Ho wrote: Anyone has this problem? Try with --mbox Cheers, Mike

Re: [Clamav-users] pipechk: [kegger:clamav-virus-list] (fwd)

2004-03-15 Thread Daniel J McDonald
On Mon, 2004-03-15 at 14:20, [EMAIL PROTECTED] wrote: Has the Ladmar.A virus been merged as a different virus? The count went down by 1 and Ladmar was removed. Any ideas? It's been picking up false positives. -- Daniel J McDonald [EMAIL PROTECTED] Austin Energy

[Clamav-users] Scanning LAN for virus activity?

2004-03-15 Thread Michael St. Laurent
I was reading about the String module for iptables in Linux Journal over the weekend and it occurred to me that this could be used for scanning the LAN for the presence of an infected system. Does anyone know if such a tool exists? We're seeing *much* higher network activity lately than in the

Re: [Clamav-users] Embedded EICAR handling

2004-03-15 Thread Tomasz Kojm
On Mon, 15 Mar 2004 20:02:49 + (GMT) Andy Fiddaman [EMAIL PROTECTED] wrote: On Mon, 15 Mar 2004, Martin A. Brooks wrote: ; Part of the text file is a boilerplate set of instructions on how to make ; an EICAR test file. Clam detects this signature and marks the file as ; being

Re: [Clamav-users] Scanning LAN for virus activity?

2004-03-15 Thread Antony Stone
On Monday 15 March 2004 10:46 pm, Michael St. Laurent wrote: I was reading about the String module for iptables in Linux Journal over the weekend and it occurred to me that this could be used for scanning the LAN for the presence of an infected system. The String match in netfilter is not that

Re: [Clamav-users] Ladmar virus?

2004-03-15 Thread Laurent Wacrenier
Denis De Messemacker wrote: On Mon, Mar 15, 2004 at 10:01:00AM -0600, Keith Murphy wrote : I'm suddenly seeing this: clamscan Notepad.exe Notepad.exe: W32.Ladmar.A FOUND (...) Please submit this executable in the web submission interface as 'false virus'. Then we will process it

Re: [Clamav-users] Bagle.N Virus cannot be detected by localclamscan

2004-03-15 Thread Daniel J McDonald
On Mon, 2004-03-15 at 15:49, redragon wrote: forgive me if this sounds silly. I completely understand the problem with the password protected archives but would like to make a suggestion. Can we take confirmed protected zips and md5sum them and have that sum added to av database? Nope.

Re: [Clamav-users] Bagle.N Virus cannot be detected by localclamscan

2004-03-15 Thread Mike Cathey
On Mon, 2004-03-15 at 16:49, redragon wrote: Granted I don't really have any idea how the signature system works cause I just haven't had the time to pry into it (one day!!) but is this a possibility for detecting the password protected archives? No. The md5sum of passworded zips would be

[Clamav-users] FAO. List admins -- clamav-announce

2004-03-15 Thread Kevin Spicer
Would it be possible for posts to clamav-announce to be cross-posted here please. I imagine I'm not the only one here that didn't know about 0.68. Cross posting to the users list seems to be fairly common among other projects (it makes sense that anyone on the users list is going to want to

Re: [Clamav-users] RE: msg-Private data not null

2004-03-15 Thread Alex S Moore
On Mon, 15 Mar 2004 14:45:27 -0600 Alex S Moore [EMAIL PROTECTED] wrote: Been having problems lately. Using clamav-milter on Solaris 9 with version 0.67-1 (whatever the latest release is). It has been working brilliantly for months. Recently, I started getting a mail.warning message:

Re: [Clamav-users] Scanning LAN for virus activity?

2004-03-15 Thread Lucas Albers
use something like: acidlab to detect scans, or nessus/sara to actively scan your network for particular vulnerabilities. Michael St. Laurent said: I was reading about the String module for iptables in Linux Journal over the weekend and it occurred to me that this could be used for scanning

Re: [Clamav-users] FAO. List admins -- clamav-announce

2004-03-15 Thread Antony Stone
On Monday 15 March 2004 11:29 pm, Kevin Spicer wrote: Would it be possible for posts to clamav-announce to be cross-posted here please. I imagine I'm not the only one here that didn't know about 0.68. I'm subscribed on clamav-announce as well as this list, and not only did I not know about

Re: [Clamav-users] New variant of password compressed virus

2004-03-15 Thread Lucas Albers
Fajar A. Nugraha said: An interesting fact on ChangeLog: Thu Mar 11 21:50:32 CET 2004 (tk) - * libclamav: rar: added support for encrypted archive (Encrypted.RAR) detection To make an obvious statement. Clamav should add encrypted compression

Re: [Clamav-users] password protected zip file

2004-03-15 Thread Jonathan Trott
Tomasz Kojm [EMAIL PROTECTED] wrote on 12/03/2004 00:07:01: On Thu, 11 Mar 2004 12:49:36 +1100 Jonathan Trott [EMAIL PROTECTED] wrote: At the moment, if you put any virus inside an encrypted zip file, clamav reports that there isn't a virus in there, which is a false negative. Better

[Clamav-users] Password Protected files and options..

2004-03-15 Thread Tim B
Ok, I see now that .68 is out, and .70rc is out as well. Right now I'm actually relying on the fact that clamscan coredumps on some rar files and exits with a nice exit code as it crashes which seems to have prevented some of the passing through of the new rar encrypted viruses. Would it

Re: [Clamav-users] LibClamAV Error: !Can't open /dev/urandom.

2004-03-15 Thread Fajar A. Nugraha
Edward W. Ray wrote: Sorry, thought it was in the e-mail. RH 9 Linux system running clamav v0.67 [EMAIL PROTECTED] root]# ls -l /dev/urandom crwxr-xr-x1 root root 1, 9 Mar 9 17:22 /dev/urandom I can't say much about 0.67, but I know that I'm running the latest CVS snapshot

Re: [Clamav-users] OpenBSD clamav Port (0.67-1) RAR Files

2004-03-15 Thread Fajar A. Nugraha
Helmut Schneider wrote: seems that the clamav Port (0.67-1) has problems with RAR Files (e.g. Bagle.N): To avoid misunderstandings, I know the file is pwd, but clamav does not recognize the virus within the archive (maybe a DB problem)... Sometimes the signatures were created using the

Re: [Clamav-users] clamdscan - Some processes still hanging

2004-03-15 Thread Fajar A. Nugraha
Robert Blayzor wrote: Having to run freshclam on them all individually would seem like a waste. Suggestions? Local mirror? Just have one primary freshclam download *.cvd to the root directory of your local webserver. Then setup other freshclams to point to that webserver (with

Re: [Clamav-users] RE: msg-Private data not null

2004-03-15 Thread Fajar A. Nugraha
Alex S Moore wrote: Help! Since clamd's log isn't showing any problems, my guess is that it's clamav-milter or clamd's ScanMail problem. clamav FAQ still states * A rogue mail locks up clamd when scanned and stops it from responding. What can I do?* Disable the ScanMail directive in

Re: [Clamav-users] Problems with clamd

2004-03-15 Thread Doug Hardie
On Mar 8, 2004, at 13:18, Doug Hardie wrote: After a review of clamd/session.c and the developers forum archives I know what the cause of my problem is, but not necessarily why. The version that works (clamd / ClamAV version devel-20040209', clamav-milter version '0.66m) does not use either

Re: [Clamav-users] RE: msg-Private data not null

2004-03-15 Thread Alex S Moore
On Tue, 16 Mar 2004 09:32:37 +0700 Fajar A. Nugraha [EMAIL PROTECTED] wrote: clamav FAQ still states * A rogue mail locks up clamd when scanned and stops it from responding. What can I do?* Disable the ScanMail directive in clamav.conf. Our internal mail scanner is still in high

[Clamav-users] clamav very slow when scanning files with mostly 0xff

2004-03-15 Thread James
I'm currently using clamav 0.67, and I'm seeing clamav taking a long time scanning files with mostly 0xFFs. Normally the time it takes to scan a file is not a problem but once a while we receive a large mostly white picture, and instead of the usual minute or so to scan a file, it takes 20+

Re: [Clamav-users] Problems with clamd

2004-03-15 Thread Doug Hardie
On Mar 15, 2004, at 18:44, Doug Hardie wrote: On Mar 8, 2004, at 13:18, Doug Hardie wrote: After a review of clamd/session.c and the developers forum archives I know what the cause of my problem is, but not necessarily why. The version that works (clamd / ClamAV version devel-20040209',

Re: [Clamav-users] FreeBSD and log rotation

2004-03-15 Thread Odhiambo Washington
* Bart Silverstrim [EMAIL PROTECTED] [20040316 01:46]: wrote: I'm running clamscan / ClamAV version 0.67-1 on FreeBSD 4.9 (clamav from ports collection), using clamd to scan incoming email for viruses. I also run on FreeBSD 4.9-STABLE, but I have been running CVS code for ages now.

[Clamav-users] Where is the sock file

2004-03-15 Thread Dilip M
Hi, I have these RPMs installed. # rpm -qa|grep clam clamav-devel-0.67-1 clamav-0.67-1 Where is the sock file ? I searched the whole system, nowhere did I find a socket file for clamav. -Thanks -Dilip -- I was born intelligent; education ruined me.

Re: [Clamav-users] Where is the sock file

2004-03-15 Thread Odhiambo Washington
* Dilip M [EMAIL PROTECTED] [20040316 09:10]: wrote: Hi, I have these RPMs installed. # rpm -qa|grep clam clamav-devel-0.67-1 clamav-0.67-1 Where is the sock file ? What is a sock file? Do you have a file clamav.conf?? cheers - wash

Re: [Clamav-users] Where is the sock file

2004-03-15 Thread Dilip M
On Tue, 16 Mar 2004 09:11:40 +0300, Odhiambo Washington [EMAIL PROTECTED] wrote: * Dilip M [EMAIL PROTECTED] [20040316 09:10]: wrote: Hi, I have these RPMs installed. # rpm -qa|grep clam clamav-devel-0.67-1 clamav-0.67-1 Where is the sock file ? What is a sock file? Do you have a file

Re: [Clamav-users] Problem in install ClamAV

2004-03-15 Thread Muhammad Kashif Muneer
Dear Sir, I have checked both points that you mentioned but did not find any of them. I have conf file in /usr/local/etc/clamav.conf In this file I have entry LocalSocket /tmp/clamd I also checked the location of /var/run but did not find folder clamav. It means installation did not create

[Clamav-users] sendmail does not use clamav ?!

2004-03-15 Thread Andrei Bucur
i have: clamav 0.70 + sendmail 8.12.11 ... both with milter clamscan detects OK clamav seems to work: Proto RefCnt Flags Type State I-Node Path unix 2 [ ACC ] STREAM LISTENING 20612 /var/clamd/clamd-milter.sock unix 2 [ ACC ] STREAM LISTENING

Re: [Clamav-users] Where is the sock file

2004-03-15 Thread Fajar A. Nugraha
Dilip M wrote: On Tue, 16 Mar 2004 09:11:40 +0300, Odhiambo Washington [EMAIL PROTECTED] wrote: I have these RPMs installed. # rpm -qa|grep clam clamav-devel-0.67-1 clamav-0.67-1 Where is the sock file ? I'm talking about socket file ? Is there a way to connect to CLAM using socket ??

Re: [Clamav-users] Where is the sock file

2004-03-15 Thread Odhiambo Washington
* Dilip M [EMAIL PROTECTED] [20040316 09:52]: wrote: On Tue, 16 Mar 2004 09:11:40 +0300, Odhiambo Washington [EMAIL PROTECTED] wrote: * Dilip M [EMAIL PROTECTED] [20040316 09:10]: wrote: Hi, I have these RPMs installed. # rpm -qa|grep clam clamav-devel-0.67-1 clamav-0.67-1

Re: [Clamav-users] Problem in install ClamAV

2004-03-15 Thread Fajar A. Nugraha
Muhammad Kashif Muneer wrote: Dear Sir, I have checked both points that you mentioned but did not find any of them. I have conf file in /usr/local/etc/clamav.conf In this file I have entry LocalSocket /tmp/clamd I also checked the location of /var/run but did not find folder clamav. It means