Re: [Clamav-users] How to find infected file

2007-12-24 Thread Gerard
 On December 23, 2007 at 10:49PM Robert Adams wrote:

 I am very curious to know why anybody wants to help someone that has such an 
 adversarial attitude towards them.  I understand that support is support and 
 should help people when they are able to, but not everybody's attitude 
 warrants that extra mile of help.
 
 Baz, keep paying those big bucks and remain a Windows-weenie.  It does 
 not appear to me as though you will ever get an answer that makes you happy 
 until you have someone hold your hand throughout the entire process.
 
 Linux requires a knowledge of the O/S AND the distro - please learn some of
 the basics of both before you jump down others' throats when they (very 
 patiently) try to help you.  These people have spent much more than the month 
 or so that you have put in to learn Linux.  Please show them the respect they 
 deserve, ESPECIALLY when they are offering you their assistance on a Sunday 
 evening.
 
 Hopefully my next posting will not be in regards to some spoiled, arrogant 
 pussy that expects other people to do all his work and thinking for him.

Big buck, little bucks or no bucks, it makes no difference. Money is only
relative. The problem resides with those who are either too lazy or stupid to
RTFM. The number of winey-weeners is relatively proportionate to the number of
users of both *.nix and Microsoft products, although it is usually easier to
find documentation on Win32 based products.

It is apparent that the OP does not know proper posting etiquette to begin
with. The first response to his posting informed him of that; never-the-less,
he chose to ignore it. At that point right there I would have dismissed his
further inquiries. I usually ignore top posters out of habit anyway. If they
chose to post in a non-traditional manner, why should I waste my time trying
to assist them?

The best response you can give to a poster like that is not to berate him,
which only feeds his desire for attention, but rather to just ignore him
completely until his attitude changes.

-- 
Gerard

A: Because it fouls the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?

TOPIC: Posting Etiquette
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] How to find infected file

2007-12-24 Thread G.W. Haywood
Hi there,

On Mon, 24 Dec 2007 Baz wrote:

 I installed ClamAV and ran a scan on my entire system returning a
 report of one infected file.  How do I find this file?  I

Did you accidentally press 'send' too soon?  I'm sure you intended to
tell us just what your system is and how you installed ClamAV on it;
exactly what you did, and exactly what you saw, when you ran the scan
process.  Clearly without that information we will be at considerable
disadvantage, any help that we can give will of necessity be couched
in fairly general terms.  Don't forget that there are people here who
run ClamAV on a bewildering variety of combinations of hardware and
software, for very much more than the odd scan of their system files.

So here's some fairly general help.

First, and probably most important, read everything you can find that
might help you to help yourself.  That's a common theme in the open
source software world.  If you want to optimize the help you get from
lists like this one, here's something important you need to read soon:

http://www.catb.org/~esr/faqs/smart-questions.html

Second, there are lots of ways of finding the file which you seek, but
of course the methods will depend on information that unfortunately
wasn't provided with your question.  I suspect that you ran 'clamscan'
and you were rewarded with a _very_ large list of file names, to each
of which was appended the four characters ': OK', and at the end of
the list was a summary, which is how you came by the information that
one of the files is infected.  On almost any computer system, the list
of filenames on a full system scan would be so long that it scrolled
most of the information that you were hoping for (that is, the names
of any infected files) off the top of the screen so quickly you had no
chance to read it.  Am I right?  Well, one way of stopping this from
happening is to press 'CTRL-S' (that is, you hold down the 'CTRL' key
and press the 'S' key once) which stops the text scrolling on most
systems.  Then to make it start scrolling again, press 'CTRL-Q'.  You
need to be quick, and fairly patient, to do it this way.  You could
avoid this problem by using your wits (also a common theme in the open
source world) for example by piping output from your scan command
through 'grep' - if you have a system which permits piping output and
has 'grep' installed on it.  If you haven't got 'grep' (already I can
hear people asking "What use is a system that doesn't have grep and
can't pipe output?" but never mind that for the moment:) then you
could send the entire output of your scan to a file, and use a pager
or a text editor to search for the rogue file.  If you haven't got or
can't use a pager or an editor for some reason, then maybe you'll be
able to read the output over the Christmas break, or come back here
with more information.  Please be assured that what you want to do is
trivially easy to do.

Your next question is taking vague shape in my mind.  It has to do
with what the file is that you've found, and what you should do with
it.  For today, I've guessed as much as I'm prepared to guess, and I
probably wouldn't have done that if it wasn't Christmas Eve.

Compliments of the season to all.

--

73,
Ged.


Re: [Clamav-users] How to find infected file

2007-12-24 Thread Rob Sterenborg
I usually don't post but I just can't resist this insulting troll..

 wasn't provided with your question.  I suspect that you ran 'clamscan'
 and you were rewarded with a _very_ large list of file names, to each
 of which was appended the four characters ': OK', and at the end of

[...snip things about grep, editor and pager...]

To make a really long story short; you mean something like:

$ clamscan /home/username | grep -v ': OK$' | less

Of course, the OP would probably see a # instead of $ because he's
logged in as root, not as a mortal user like he should, considering his
experience.

However, I'm not familiar with a clam.conf/clamscan.conf/whatever.conf
file and I'm quite sure that it doesn't exist. There is of course the
clamd.conf file that the OP might want to locate (hint) if he were using
clamdscan instead of clamscan (OP: mind the little difference). But,
then the OP would need an up-to-date locate database (hint).

Ah well, since it's almost Christmas eve (and before the OP starts
trolling and top-posting again) these are the lines to find clamd.conf:

(I haven't seen a recent distro that lacks these..)
# updatedb
# locate clamd.conf

OP:
- Don't tell us that you can't find updatedb, locate, grep and/or less.
In that case, please go seek help elsewhere. This list is about ClamAV,
not about learning to use Linux.
- You need to clean up your act if you want help. It's you who's
insulting people that try to help you. If you can't use the help given,
it might be you who's not competent enough to perform basic tasks. This
would be your problem, not ours.
- If you don't want to learn how to work with *nix and its apps, please
delete your Linux partition and stick with Windows as that would then be
best for all of us (including you).

 Compliments of the season to all.

Perhaps a bit early, but, merry Christmas to everyone!


Grts,
Rob
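
The approach discussed in this thread, as an added example that is not part of the original posts: rather than filtering out the `: OK` lines, keep only the lines clamscan marks `FOUND`. The sample output, its paths and the function names `write_sample` and `infected_files` are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the infected files in saved clamscan output.
# clamscan reports each file as "<path>: OK" or "<path>: <signature> FOUND".
#
# A real scan (needs ClamAV installed; shown as comments so this runs offline):
#   clamscan -r -i -l "$HOME/clamscan.log" /home/username
#   -r recurses, -i prints only infected files, -l also writes the report to a file.
#   Exit status: 0 = nothing found, 1 = virus(es) found, 2 = error.

# write_sample FILE: write constructed clamscan-style output to FILE.
write_sample() {
    cat > "$1" <<'EOF'
/home/username/notes.txt: OK
/home/username/test/clam.exe: ClamAV-Test-File FOUND
/home/username/mail/inbox: OK
/home/username/old: backup/eicar.zip: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Scanned files: 4
Infected files: 2
EOF
}

# infected_files FILE: print "<signature><TAB><path>" for every FOUND line.
# The split is made at the LAST ": " so a path containing ": " stays whole.
infected_files() {
    awk '/ FOUND$/ {
        line = $0
        sub(/ FOUND$/, "", line)
        pos = 0
        while ((off = index(substr(line, pos + 1), ": ")) > 0)
            pos += off                      # pos ends on the last ":"
        if (pos == 0) next                  # not a "<path>: <sig>" line
        printf "%s\t%s\n", substr(line, pos + 2), substr(line, 1, pos - 1)
    }' "$1"
}

sample=$(mktemp)
write_sample "$sample"
infected_files "$sample"
rm -f "$sample"
```

Pointing `infected_files` at the file written by `clamscan -l` gives the same listing for a real scan without rerunning it.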


[Clamav-users] Source code for test/clam.exe?

2007-12-24 Thread Cort, Tom
Hello,

clamav comes with a sample virus (ClamAV-Test-File) for testing
purposes. It's located in the clamav source tarball in the 'test'
directory and named 'clam.exe'. I'd like to distribute it with a free
software program I maintain, but I can't find the corresponding source
code. Can someone point me to the source code for 'clam.exe'?

Thanks!
--
Tom Cort
Systems Developer
Vermont Department of Taxes


Re: [Clamav-users] Source code for test/clam.exe?

2007-12-24 Thread Lyle Giese
Cort, Tom wrote:
 Hello,

 clamav comes with a sample virus (ClamAV-Test-File) for testing
 purposes. It's located in the clamav source tarball in the 'test'
 directory and named 'clam.exe'. I'd like to distribute it with a free
 software program I maintain, but I can't find the corresponding source
 code. Can someone point me to the source code for 'clam.exe'?

 Thanks!
 --
 Tom Cort
 Systems Developer
 Vermont Department of Taxes
Google for eicar

Lyle


[Clamav-users] WGET Option Configuration

2007-12-24 Thread DBS Labs




I have not been able to get freshclam working, I can not find a user agent 
string that will go through our firewall.  At one time I had a wget command 
that worked, but I can not find the script any more.  Does anyone know the 
command I need and can they forward to me.  Thanks.


[Clamav-users] Email viruses almost non-existent?

2007-12-24 Thread Paul Kosinski
In December 2006, we were running ClamAV 0.88.7, and there were still
a fair number of real viruses being detected in inbound email. Now
running 0.91.2 and 0.92, there seem to be only phishing attempts, and
not even very many of them. In fact it seems that our log file shows
almost as many (hourly) signature update messages as phish detections
(much less real virus detections).

Have other ClamAV users experienced a similar decline in email
attacks?

P.S. I haven't disabled anything in our local conf file, and I don't
think there is any upstream AV. (Our domain's first level mail server
runs on a dedicated machine at our Web provider, but doesn't run any
AV there since it simply relays to our local gateway, where admin is
easier.)


Re: [Clamav-users] Email viruses almost non-existent?

2007-12-24 Thread Dennis Peterson
Paul Kosinski wrote:
 In December 2006, we were running ClamAV 0.88.7, and there were still
 a fair number of real viruses being detected in inbound email. Now
 running 0.91.2 and 0.92, there seem to be only phishing attempts, and
 not even very many of them. In fact it seems that our log file shows
 almost as many (hourly) signature update messages as phish detections
 (much less real virus detections).
 
 Have other ClamAV users experienced a similar decline in email
 attacks?
 
 P.S. I haven't disabled anything in our local conf file, and I don't
 think there is any upstream AV. (Our domain's first level mail server
 runs on a dedicated machine at our Web provider, but doesn't run any
 AV there since it simply relays to our local gateway, where admin is
 easier.)

You didn't provide any numbers, but it is no surprise you now see a lot of
scams and phishing stuff as you weren't seeing those before. But the rate of
old school viruses detected should remain approximately constant. On my
servers the rate of old fashion viruses remains rather constant over time but
a detailed view shows they come in waves possibly indicating re-infection of
target machines. In many cases the payload of these viruses is a phishing and
scam messaging bot. Consequently, phishing and scam messages, offering a real
monetary return to the creator, are growing quickly. They are now the reason
for the viruses. There are probably still viruses that are intended to simply
trash the machine being distributed but that is no longer the norm. In fact
those kinds of viruses would probably be of some value today at reducing the
amount of other junk mail. It's often been suggested that a good bot killer
virus would be a good thing for the Internet. I'm almost ready to agree.

dp


Re: [Clamav-users] WGET Option Configuration

2007-12-24 Thread Török Edwin
DBS Labs wrote:
 I have not been able to get freshclam working, I can not find a user agent 
 string that will go through our firewall.  At one time I had a wget command 
 that worked, but I can not find the script any more.  

Well, if wget works, why not use  wget's user-agent string?

 Do anyone know the command I need and can they forward to me.  Thanks.
   


$ wget http://database.clamav.net/daily.cvd

--Edwin


Re: [Clamav-users] Source code for test/clam.exe?

2007-12-24 Thread Dennis Peterson
Cort, Tom wrote:
 Hello,
 
 clamav comes with a sample virus (ClamAV-Test-File) for testing
 purposes. It's located in the clamav source tarball in the 'test'
 directory and named 'clam.exe'. I'd like to distribute it with a free
 software program I maintain, but I can't find the corresponding source
 code. Can someone point me to the source code for 'clam.exe'?


I've not looked into it because I have no Windows/DOS (the very thought of
that gives me happy feet) to test it on, but what I understand from reading
is the EICAR string is a complete DOS .com executable file. Remember those?
The .exe version is a self-extracting archive made from the .com file.

Test it by copying the EICAR string to a file named eicar.com. It should
execute in a Windows cmd session and will only print a line of text saying
it's printing part of the EICAR test string. Then archive the com file into a
self-extracting archive which should produce a file with a .exe extension.
You now have two executables that have the EICAR virus sample in them.
Testing both files with ClamAV should return a report that the EICAR string
was found in the com and exe files.

dp