Re: [clamav-users] Many false positives: MBL_312128 / MBL_303159
On Tue, Aug 07, 2012 at 03:00:15PM -0400, Bowie Bailey wrote:
> On 8/7/2012 2:46 PM, Matt Olney wrote:
>> We've heard similar complaints on IRC. It looks like downloads may be broken from MBL. You'll have to work with them to address the issue.
>
> My last download was 3 hours ago. I don't see a problem from here. Also, I do not see the problematic rules in the current MBL database.

After the last update this morning, the problem is solved.

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
[clamav-users] how to release 16K FPs from quarantine?
postfix + clamsmtpd + clam

Received a bad sig from MBL. Stef, the clamsmtpd guy, says it was clam that quarantined, not his software.

I installed amavisd to try to use amavisd-release, but it's not working.

Is there any clam tool to release from quarantine?

thanks
Len
Re: [clamav-users] how to release 16K FPs from quarantine?
On Wed, 8 Aug 2012 15:17:03 +0200 Len Conrad lcon...@go2france.com wrote:
> Is there any clam tool to release from quarantine?

Surely it was postfix that actually quarantined these messages?

--
Brian Morrison
Re: [clamav-users] how to release 16K FPs from quarantine?
On 08/08/2012 9:17 AM, Len Conrad wrote:
> postfix + clamsmtpd + clam
>
> Received a bad sig from MBL. Stef, the clamsmtpd guy, says it was clam that quarantined, not his software.
>
> I installed amavisd to try to use amavisd-release, but it's not working.
>
> Is there any clam tool to release from quarantine?

Hi,

ClamAV does not do any quarantining. Maybe ask on the clamsmtpd mailing list.

Regards,
Rick
Re: [clamav-users] how to release 16K FPs from quarantine?
-- Original Message --
From: Rick Macdougall ri...@ummm-beer.com
Reply-To: ClamAV users ML clamav-users@lists.clamav.net
Date: Wed, 08 Aug 2012 09:20:18 -0400

> On 08/08/2012 9:17 AM, Len Conrad wrote:
>> postfix + clamsmtpd + clam
>>
>> Received a bad sig from MBL. Stef, the clamsmtpd guy, says it was clam that quarantined, not his software.
>>
>> I installed amavisd to try to use amavisd-release, but it's not working.
>>
>> Is there any clam tool to release from quarantine?
>
> Hi,
>
> ClamAV does not do any quarantining. Maybe ask on the clamsmtpd mailing list.

Stef of clamsmtpd said it would take custom software to release quarantined msgs.

amavisd-release doesn't like it:

  # amavisd-release virus.dyFYrx
  Invalid quarantine ID: virus.dyFYrx
  amavisd-release version 1.51
  Usage: $ amavisd-release mail_file [secret_id [alt_recip1 alt_recip2 ...]]
    or to read request lines from stdin: $ amavisd-release -

Len
Re: [clamav-users] how to release 16K FPs from quarantine?
-- Original Message --
From: Noel Jones njo...@megan.vbhcs.org
Reply-To: ClamAV users ML clamav-users@lists.clamav.net
Date: Wed, 08 Aug 2012 09:13:20 -0500

> On 8/8/2012 9:02 AM, Len Conrad wrote:
>> -- Original Message --
>> From: Rick Macdougall ri...@ummm-beer.com
>> Reply-To: ClamAV users ML clamav-users@lists.clamav.net
>> Date: Wed, 08 Aug 2012 09:20:18 -0400
>>
>>> On 08/08/2012 9:17 AM, Len Conrad wrote:
>>>> postfix + clamsmtpd + clam
>>>>
>>>> Received a bad sig from MBL. Stef, the clamsmtpd guy, says it was clam that quarantined, not his software.
>>>>
>>>> I installed amavisd to try to use amavisd-release, but it's not working.
>>>>
>>>> Is there any clam tool to release from quarantine?
>>>
>>> Hi,
>>>
>>> ClamAV does not do any quarantining. Maybe ask on the clamsmtpd mailing list.
>>
>> Stef of clamsmtpd said it would take custom software to release quarantined msgs.
>>
>> amavisd-release doesn't like it:
>>
>>   # amavisd-release virus.dyFYrx
>>   Invalid quarantine ID: virus.dyFYrx
>>   amavisd-release version 1.51
>>   Usage: $ amavisd-release mail_file [secret_id [alt_recip1 alt_recip2 ...]]
>>     or to read request lines from stdin: $ amavisd-release -
>>
>> Len
>
> What software put the mail in quarantine? What's in the mail log?

Aug 7 08:13:22 mx1.hctc.net/mx1.hctc.net clamd[60202]: /var/virus/clamsmtpd.qIdg8l: MBL_303159.UNOFFICIAL FOUND
Aug 7 08:13:22 mx1.hctc.net/mx1.hctc.net clamsmtpd: 3EA221: from=bounce-tjmhmbzlppwckzzhcljkpcrdpjjmllrjbhsppztjsplchbptz...@email.carepackages.com, to=x...@xxx.net, status=VIRUS:MBL_303159.UNOFFICIAL

Which file the msg is quarantined as is not logged.

The quarantined msgs are stored to /var/virus/ and the filenames are like:

-rwxrwxrwx  1 vscan  vscan  12180 Aug  7 13:58 virus.Ywa18d
-rwxrwxrwx  1 vscan  vscan  14021 Aug  7 13:58 virus.6kExcB
-rwxrwxrwx  1 vscan  vscan  35554 Aug  7 13:58 virus.bhGcDz
-rwxrwxrwx  1 vscan  vscan  18245 Aug  7 13:58 virus.6AGMaP
-rwxrwxrwx  1 vscan  vscan   6759 Aug  7 13:58 virus.Ki5mSG
-rwxrwxrwx  1 vscan  vscan   9688 Aug  7 13:58 virus.DTOlT1
-rwxrwxrwx  1 vscan  vscan  10608 Aug  7 13:58 virus.NoTzGF
-rwxrwxrwx  1 vscan  vscan  74853 Aug  7 13:58 virus.IaJbkv
-rwxrwxrwx  1 vscan  vscan   2346 Aug  7 13:58 virus.33y2uG
-rwxrwxrwx  1 vscan  vscan  10147 Aug  7 13:58 virus.ePW2g2
-rwxrwxrwx  1 vscan  vscan  12675 Aug  7 13:58 virus.vXs0k3
-rwxrwxrwx  1 vscan  vscan  57334 Aug  7 13:58 virus.bDZwAB
-rwxrwxrwx  1 vscan  vscan   9262 Aug  7 13:58 virus.jJGgkI
-rwxrwxrwx  1 vscan  vscan  17457 Aug  7 13:58 virus.ad8lZW

In trying to get amavisd-release to work, I changed permissions and owner:group, brutally.

In amavisd-release, there is a file name filter which rejects:

sub release_file($$$@) {
  my($sock,$mail_file,$secret_id,@alt_recips) = @_;
  my($fn_path,$fn_prefix,$mail_id,$fn_suffix,$part_tag);
  local($1,$2,$3,$4);
  $part_tag = $1  if $mail_file =~ s/ \[ ( [^\]]* ) \] \z//xs;
  if ($mail_file =~ m{^ ([^/].*/)? ([A-Z0-9][A-Z0-9._-]*[_-])?
                       ([A-Z0-9][A-Z0-9_+-]{10,14}[A-Z0-9]) (\.gz)? \z}xsi) {
    ($fn_path,$fn_prefix,$mail_id,$fn_suffix) = ($1,$2,$3,$4);
  } elsif ($mail_file =~ m{^ ([^/].*/)? () ([A-Za-z0-9$._=+-]+?) (\.gz)?\z}xs) {
    ($fn_path,$fn_prefix,$mail_id,$fn_suffix) = ($1,$2,$3,$4);  # old style
  } else {
    usage("Invalid quarantine ID: $mail_file");
  }

eg:

  amavisd-release virus.dyFYrx
  Invalid quarantine ID: virus.dyFYrx

Len
Re: [clamav-users] how to release 16K FPs from quarantine?
On 8/8/2012 11:22 AM, Len Conrad wrote:
>> What software put the mail in quarantine? What's in the mail log?
>
> Aug 7 08:13:22 mx1.hctc.net/mx1.hctc.net clamd[60202]: /var/virus/clamsmtpd.qIdg8l: MBL_303159.UNOFFICIAL FOUND
> Aug 7 08:13:22 mx1.hctc.net/mx1.hctc.net clamsmtpd: 3EA221: from=bounce-tjmhmbzlppwckzzhcljkpcrdpjjmllrjbhsppztjsplchbptz...@email.carepackages.com, to=x...@xxx.net, status=VIRUS:MBL_303159.UNOFFICIAL
>
> Which file the msg is quarantined as is not logged.
>
> The quarantined msgs are stored to /var/virus/ and the filenames are like:
>
> -rwxrwxrwx  1 vscan  vscan  12180 Aug  7 13:58 virus.Ywa18d

OK, so the quarantine file is created by clamsmtp.

> In trying to get amavisd-release to work, I changed permissions and owner:group, brutally.
>
> In amavisd-release, there is a file name filter which rejects:

amavisd-release expects the message to be in the specific quarantine format used by amavisd-new. I would expect it to fail spectacularly on foreign files.

> Stef of clamsmtpd said it would take custom software to release quarantined msgs.

That sounds grim. I wonder about the purpose of a quarantine that can't be released.

Regardless, since clamsmtp created the quarantine, it seems that's the place to start looking for a release mechanism. Surely someone else has encountered this.

As a last-ditch effort, if you put a couple of quarantine files in a pastebin, *maybe* someone here (or clamsmtp, or postfix-users, since this is getting OT for this list) can give a hand.

--
Noel Jones
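Noel's point that the release mechanism belongs to whoever wrote the quarantine, together with Len's listing of the virus.XXXXXX files in /var/virus/, suggests a defender-side approach once the bad MBL signatures have been withdrawn: rescan each quarantined file against the current database and re-inject only those that now scan clean. The script below is an added example for this thread, not clamsmtpd's, amavisd-new's or ClamAV's own tooling; it assumes each quarantine file holds the raw message as received, that clamscan is on PATH, and that the Postfix sendmail wrapper is at /usr/sbin/sendmail.

```python
import email
import email.utils
import subprocess
import sys
from pathlib import Path

QUARANTINE = Path("/var/virus")    # clamsmtpd quarantine directory named in the thread
SENDMAIL = "/usr/sbin/sendmail"    # assumed location of the Postfix sendmail wrapper


def parse_scan_line(line):
    """Parse one clamscan/clamdscan result line into (path, signature).
    '<path>: OK' yields signature None; '<path>: <sig> FOUND' yields the name."""
    path, sep, verdict = line.rstrip("\n").rpartition(": ")
    if sep and verdict == "OK":
        return path, None
    if sep and verdict.endswith(" FOUND"):
        return path, verdict[: -len(" FOUND")]
    raise ValueError(f"unrecognised scanner output: {line!r}")


def envelope_from_headers(raw):
    """Recover sender and recipients from the stored message's headers.
    Assumption: the quarantine file is the raw DATA payload without the SMTP
    envelope, so Bcc-only recipients cannot be recovered this way."""
    msg = email.message_from_bytes(raw)
    sender = email.utils.parseaddr(msg.get("Return-Path") or msg.get("From", ""))[1]
    pairs = email.utils.getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sender, sorted({addr for _, addr in pairs if addr})


def release(path, dry_run=True):
    """Rescan one quarantine file; re-inject it through sendmail only if it is clean now."""
    scan = subprocess.run(["clamscan", "--no-summary", str(path)],
                          capture_output=True, text=True)  # exits 1 on FOUND, so no check=True
    _, signature = parse_scan_line(scan.stdout)
    if signature is not None:
        return f"still detected as {signature}"
    raw = path.read_bytes()
    sender, rcpts = envelope_from_headers(raw)
    if not rcpts:
        return "no recipients recoverable from headers"
    cmd = [SENDMAIL, "-i"] + (["-f", sender] if sender else []) + rcpts
    if not dry_run:
        subprocess.run(cmd, input=raw, check=True)
    return ("would release" if dry_run else "released") + " to " + ", ".join(rcpts)


if __name__ == "__main__":
    dry = "--really" not in sys.argv   # dry run unless --really is given
    for f in sorted(QUARANTINE.glob("virus.*")):
        print(f.name, "->", release(f, dry_run=dry))
```

Run it first without --really to see which files would be re-injected and to which addresses; messages that still hit a signature are left in place.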
Re: [clamav-users] Corrupt ClamAV virus DB files
On Aug 8, 2012, at 12:59 PM, Steve Brazill yu...@sbcglobal.net wrote:
> Our firm has a scheduled replication of the ClamAV database files, which more often than not appear to be corrupt upon receipt. Though this error message has been posted by others previously, I have not seen a definitive answer/solution, and it is usually discounted as an issue with 'bad memory'.
>
> clamscan: LibClamAV Error: Can't load /var/clamav/daily.cvd: Can't verify database integrity
> ERROR: Can't verify database integrity
> ERROR: Can't verify database integrity
>
> The most recent example occurred today, with the daily version 15231 (3:45AM approx) being corrupt, but the subsequent release of 15232 (9AM approx) being successful.
>
> The replication process, which only retrieves updated files, is obtaining the daily file from: http://db.local.clamav.net/daily.cvd
>
> Are the multiple releases of the daily file due to actual updates to virus instances, or identification of corrupt source files on the website?

There are normally several incremental updates daily. Since there are over 140 mirror servers world-wide and you would normally be rotating to a different one of maybe half a dozen servers in your area, it could be that the two databases came from different servers. It's important to identify the IP address of any server that is consistently corrupt.

Sent from Janet's iPad

-Al-

--
Al Varnell
Mountain View, CA, USA