Re: [clamav-users] We STILL cannot reliably get virus updates (since new mirrors)
For everyone (or maybe the one) asking why the DNS system exists, as the person who came up with the idea in the first place (or the idea of stealing it from the DNSbls) I thought I would provide a link to the original discussion in which it was hashed out (beaten to death) back in 2004:

https://lists.gt.net/clamav/users/11106?do=post_view_threaded

I thought the math was in this thread, but at some point the actual savings of being able to check for a new version with a UDP packet over a TCP/http HEAD command was calculated, and it was a significant amount of transfer, expensive at the time.

I have to admit I've wondered if Cloudflare and the other CDNs meant it outlived its usefulness, but it's a contribution I'm fairly proud of.

-Chris

On Tue, 3 Jul 2018, Joel Esler (jesler) wrote:

> On Jul 2, 2018, at 1:17 PM, Reindl Harald wrote:
>
> on a typical setup freshclam is running once or twice *daily* while a
> webserver these days can spit out the same small static txt file many
> thousands of times per second with zero load
>
> That is not the results we are seeing. There are a LARGE amount of people
> that check for updates once or twice a day, yes. However, we have hundreds
> of thousands of people that check for updates hundreds of times a day. We
> haven't started concentrating on these people yet (our biggest offender is
> one IP that checks 100,000+ times a day), but clearly that's excessive. We
> publish approx 5-6 times a day. So, let's say you check 50 times a day
> Clearly, that's enough.
>
> --
> Joel Esler
> Sr. Manager
> Open Source, Design, Web, and Education
> Talos Group
> http://www.talosintelligence.com

---
Chris Candreva -- ch...@westnet.com -- http://www.westnet.com/~chris

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
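The DNS version check discussed in the message above, as an added example that is not part of the original post and is not freshclam's own code: it builds the single UDP query, parses a reply, and works out which databases are stale. The record name `current.cvd.clamav.net`, the colon-separated field layout and all sample values are assumptions made for illustration.

```python
import struct

# Assumption (not stated in the post): the TXT record name used for the check.
RECORD_NAME = "current.cvd.clamav.net"
# Constructed sample value; the field layout in FIELDS is likewise an assumption.
SAMPLE_TXT = "0.100.0:58:24723:1530635340:1:63:47547:323"
FIELDS = ("engine", "main", "daily", "timestamp",
          "version_warning", "flevel", "safebrowsing", "bytecode")
TYPE_TXT, CLASS_IN = 16, 1


def build_txt_query(name, txid):
    """Return the DNS query for TXT records of `name`: one small UDP payload."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", TYPE_TXT, CLASS_IN)


def build_sample_response(query, txt):
    """Constructed reply for offline use: echoes the question, adds one TXT answer."""
    data = txt.encode("ascii")
    rdata = bytes([len(data)]) + data
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 300, len(rdata))
    return header + query[12:] + answer + rdata


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_txt_response(msg, txid):
    """Return the TXT strings in a reply; reject anything but a clean answer."""
    try:
        rid, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
        if rid != txid:
            raise ValueError("transaction id does not match the query")
        if not flags & 0x8000 or flags & 0x020F:
            raise ValueError("not a response, truncated, or error rcode")
        off = 12
        for _ in range(qdcount):       # skip the echoed question section
            off = _skip_name(msg, off) + 4
        texts = []
        for _ in range(ancount):
            off = _skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata = msg[off + 10:off + 10 + rdlen]
            off += 10 + rdlen
            if rtype != TYPE_TXT:
                continue
            pos, chunks = 0, []
            while pos < len(rdata):    # TXT rdata: length-prefixed strings
                chunks.append(rdata[pos + 1:pos + 1 + rdata[pos]])
                pos += 1 + rdata[pos]
            texts.append(b"".join(chunks).decode("ascii"))
        return texts
    except (struct.error, IndexError, UnicodeDecodeError) as exc:
        raise ValueError("malformed DNS message") from exc


def parse_version_record(txt):
    """Split the TXT value into named fields (layout assumed, see FIELDS)."""
    parts = txt.split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count")
    record = dict(zip(FIELDS, parts))
    for key in FIELDS[1:]:             # everything after the engine version is numeric
        record[key] = int(record[key])
    return record


def stale_databases(local, remote):
    """Names of databases whose local version is behind the advertised one."""
    return [db for db in ("main", "daily", "bytecode")
            if local.get(db, 0) < remote[db]]


if __name__ == "__main__":
    query = build_txt_query(RECORD_NAME, 0x1234)
    reply = build_sample_response(query, SAMPLE_TXT)
    remote = parse_version_record(parse_txt_response(reply, 0x1234)[0])
    local = {"main": 58, "daily": 24700, "bytecode": 323}  # constructed local state
    print(len(query), len(reply), stale_databases(local, remote))
```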
Re: [clamav-users] Problem compiling Clamav 0.98.1 on Solaris 10/x86 (fwd)
Should anyone ever search for this, the problem was solved by upgrading gcc to 4.8.1

On Fri, 31 Jan 2014, Christopher X. Candreva wrote:

Under Solaris 10 x86, gcc 4.7.1, gnu ld 2.21.1 libclamav is failing to link. Here is an excerpt from the compile:

make[4]: Entering directory `/home/chris/apps/mail/clamav-0.98.1/libclamav'
CC unrar15.lo
CC unrar.lo
CC unrar20.lo
CC unrarppm.lo
CC unrarvm.lo
CC unrarcmd.lo
CC unrarfilter.lo
CC unrarhlp.lo
CCLD libclamunrar.la
/usr/local/bin/ld: cannot find : No such file or directory
/usr/local/bin/ld:../libclamunrar/libclamunrar.map: file format not recognized; treating as linker script
/usr/local/bin/ld:../libclamunrar/libclamunrar.map:1: syntax error
collect2: error: ld returned 1 exit status

Has anyone else run into this ?

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
[clamav-users] Problem compiling Clamav 0.98.1 on Solaris 10/x86 (fwd)
Under Solaris 10 x86, gcc 4.7.1, gnu ld 2.21.1 libclamav is failing to link. Here is an excerpt from the compile:

make[4]: Entering directory `/home/chris/apps/mail/clamav-0.98.1/libclamav'
CC unrar15.lo
CC unrar.lo
CC unrar20.lo
CC unrarppm.lo
CC unrarvm.lo
CC unrarcmd.lo
CC unrarfilter.lo
CC unrarhlp.lo
CCLD libclamunrar.la
/usr/local/bin/ld: cannot find : No such file or directory
/usr/local/bin/ld:../libclamunrar/libclamunrar.map: file format not recognized; treating as linker script
/usr/local/bin/ld:../libclamunrar/libclamunrar.map:1: syntax error
collect2: error: ld returned 1 exit status

Has anyone else run into this ?

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [clamav-users] false positives
On Wed, 21 Aug 2013, Robert wrote:

I've been hit by this also (started around 2:50pm today UK time). All the FP's are via the same MBL_349876. I've commented out the MBL lines in the /etc/clamav-unofficial-sigs.conf file and killed all MBL sigs for now.

I had 10 different sigs in mbl.ndb that all were just matching ://

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [clamav-users] Availability of virus pettern for solaris
On Tue, 18 Jun 2013, Joel Esler wrote:

If I would have written back and said ClamAV's db includes detection for malware on all operating systems someone would have wrote back and said all operating systems? srsly? 4real? all?

OK, who has some old Apple ][ boot sector viruses so we can actually claim all ?

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
[clamav-users] Problem compiling clamav-0.97.6 on Solaris 10
Solaris 10, gcc 4.6.3, Program.cc gives the following errors:

..
CXXProgram.lo
In file included from llvm/lib/System/Unix/Program.inc:34:0,
from llvm/lib/System/Program.cpp:52:
/usr/include/spawn.h:42:14: error: expected ',' or '...' before 'argv'
/usr/include/spawn.h:50:14: error: expected ',' or '...' before 'argv'
In file included from llvm/lib/System/Program.cpp:52:0:
llvm/lib/System/Unix/Program.inc: In member function 'bool llvm::sys::Program::Execute(const llvm::sys::Path, const char**, const char**, const llvm::sys::Path**, unsigned int, std::string*)':
llvm/lib/System/Unix/Program.inc:217:79: error: cannot convert 'char**' to 'char*' for argument '5' to 'int posix_spawn(pid_t*, const char*, const posix_spawn_file_actions_t*, const posix_spawnattr_t*, char*)'
make[5]: *** [Program.lo] Error 1
make[5]: Leaving directory `/home/chris/apps/mail/clamav-0.97.6/libclamav/c++'
make[4]: *** [all] Error 2
make[4]: Leaving directory `/home/chris/apps/mail/clamav-0.97.6/libclamav/c++'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/home/chris/apps/mail/clamav-0.97.6/libclamav'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/home/chris/apps/mail/clamav-0.97.6/libclamav'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/chris/apps/mail/clamav-0.97.6'
make: *** [all] Error 2

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [clamav-users] Yet Another US Mirror Issue
On Wed, 14 Sep 2011, Dan wrote:

At 7:44 AM -0500 9/14/2011, Noel Jones wrote:

On 9/14/2011 2:29 AM, sys...@ra-schaal.de wrote:

i made some changes to the firewall. if it works be now, please mail me as soon as possible.

I started getting successful updates from 88.198.67.125 a couple hours after you posted this, and port 80 no longer shows closed from here.

Still not working from here:

http://www.downforeveryoneorjustme.com/88.198.67.125

Says it's up.

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [clamav-users] Yet Another US Mirror Issue
On Wed, 7 Sep 2011, Luca Gibelli wrote:

If anyone can provide a CVD mirror in US, please contact me directly. We definitely need more capacity in the db.us.clamav.net RR.

What sort of bandwidth do the mirrors use, as in what would be a typical burst or peak load - 5mbit/sec, 10mbit/sec, etc.

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [clamav-users] improving ClamAV private mirroring?
On Mon, 11 Jul 2011, James Ralston wrote:

We are in a situation where we have multiple hosts that need to run ClamAV, but those hosts are highly restricted in what outbound Internet access they have. Thus, we need to run a local ClamAV mirror.

I have one machine run freshclam, and use rsync to update all my other servers with the databases. The clamav user has to have ssl keys set up so it can ssh to the other servers without a password.

Then, freshclam.conf has this:

OnUpdateExecute /usr/local/sbin/ClamPush.sh

ClamPush.sh is:

#!/usr/bin/bash
# Push the freshly updated ClamAV databases to the other servers.
CLAMDIR=/usr/local/share/clamav
RSYNC=/usr/local/bin/rsync

# Stop if the database directory is missing: rsync --delete run from the
# wrong directory would replace the remote databases with unrelated files.
cd "$CLAMDIR" || exit 1

for HOST in 'server1' 'server2' 'server3'
do
    printf 'Updating %s:\n' "$HOST"
    "$RSYNC" -avzr --delete . "$HOST:$CLAMDIR"
    printf 'Done with %s\n\n' "$HOST"
done

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [clamav-users] announcing ClamAV 0.97.1
On Thu, 9 Jun 2011, Luca Gibelli wrote:

Dear ClamAV users,

This is a bugfix release recommended for all users. Please refer to the ChangeLog file for details.

Download : http://downloads.sourceforge.net/clamav/clamav-0.97.1.tar.gz

FYI to any Solaris users, my compile failed on Solaris 10 x86, gcc 4.6.0

I've opened ticket 2921
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2921

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [clamav-users] BC.PDF.Producer.JSHIP
On Wed, 19 Jan 2011, Roy McMorran wrote:

The virus submission page won't let me upload my sample though - Result: This file is not detected by ClamAV. How can this be?

I've just tried to submit a virus sample and am running into the same issue.

Some testing shows that neither clamscan nor clamdscan will flag it as a virus, either the .pdf itself or the message in mbox format. However, clamav-milter blocks it with this name.

Is there an alternate way to get a sample to the team ?

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [clamav-users] BC.PDF.Producer.JSHIP
On Wed, 19 Jan 2011, Christopher X. Candreva wrote:

On Wed, 19 Jan 2011, Roy McMorran wrote:

The virus submission page won't let me upload my sample though - Result: This file is not detected by ClamAV. How can this be?

I've just tried to submit a virus sample and am running into the same issue.

I should clarify - a FALSE POSITIVE sample for BC.PDF.Producer.JSHIP

Some testing shows that neither clamscan nor clamdscan will flag it as a virus, either the .pdf itself or the message in mbox format. However, clamav-milter blocks it with this name.

BC.PDF.Producer.JSHIP

I'm guessing the web site passes it to clamscan/clamdscan, which says it's OK, and is why the web site tell us it's not recognized.

Is there an alternate way to get a sample to the team ?

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [clamav-users] WARNINGS on startup - ignore, comment out or?
On Wed, 22 Dec 2010, Tomasz Kojm wrote:

It said these were deprecated so I commented the two lines out and now no more warnings. However, was this a wise thing to do or have I misinterpreted the deprecating message? What would those who are more familiar with clamav advocating?

Those options are no longer in use so it's safe to remove them from the config file.

May I suggest for the future a --checkconfig option to clamd (and clamav-milter) that would parse the config file, report any such errors, and exit ?

I'm seeing this more and more (apache and Nagios come to mind) and is a great way to find errors.

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [clamav-users] WARNINGS on startup - ignore, comment out or?
On Wed, 22 Dec 2010, Tomasz Kojm wrote:

May I suggest for the future a --checkconfig option to clamd (and clamav-milter) that would parse the config file, report any such errors, and

clamconf is already doing this.

Thanks for reminding me about that !

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] bytecode Rev 16 DoS
On Tue, 11 May 2010, Wolfgang Breyha wrote:

Hi! Most of my clamd died today after freshclam updated to...
bytecode.cld (version: 16, sigs: 3, f-level: 51, builder: nervous)

What version of ClamAV are you running ?

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] [Clamav-announce] problem with daily.cvd 10938
On Sat, 8 May 2010, G.W. Haywood wrote:

http://www.mail-archive.com/clamav-de...@lists.clamav.net/msg03353.html

I look forward to your patch.

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Latest daily.cld update causes segfault
On Fri, 7 May 2010, Toby Bryans wrote:

The very latest update causes the following debug output. A quick search on twitter finds someone else with similar issues too.

@40004be3ecf5208b0ff4 LibClamAV debug: Initialized 0.95.3 engine ***
@40004be3ecf5208e388c LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
@40004be3ecf5208e3c74 LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
@40004be3ecf5208e5f9c LibClamAV Warning: ***

Bug or not, intentional or not -- I would take this as a hint to update to the latest version.

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] [Clamav-announce] problem with daily.cvd 10938
On Fri, 7 May 2010, G.W. Haywood wrote:

Hi there,

On Fri, 7 May 2010, Luca Gibelli wrote:

We apologise for the inconvenience.

http://www.mail-archive.com/clamav-users@lists.clamav.net/msg33265.html
http://www.mail-archive.com/clamav-users@lists.clamav.net/msg34794.html

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Yet more clubbing of deceased equine.
On Fri, 23 Apr 2010, Simon Hobson wrote:

So, it still runs the software it used to run ?

Yes

It's running software that is EOL ?

Most definitely

And Microsoft have sent it a poison pill ?

No they haven't

And is it hitting Microsoft's servers for full updates even when it should only be downloading little pieces, or nothing at all ?

There's a difference between not providing any more updates and killing something off.

There's a big difference between Using old software and Using old software that is causing a problem for someone else.

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Clubbing a deceased equine
On Wed, 21 Apr 2010, lists wrote:

Doesn't change a thing. If you threaten me with a course of action, if I fail to do something that is blackmail. It's nothing else. It does not matter if the product is free.

Oh come on. If I tell you you'll get wet if you go out in the rain without an umbrella, is that blackmail ?

Old versions of Clam crashed on certain input. You were told when that input was coming.

It's sounding like the Clam team would have been better off releasing a too-large signature and going Whoops, I guess old versions can't handle this. You better upgrade, sorry !

By warning people and releasing a known-bad signature with a message, somehow it's their fault now.

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] No debian woody support anymore?
On Wed, 21 Apr 2010, Simon Hobson wrote:

No, according to certain people on this list, you are a cretin, and incompetent to even handle the off switch of a computer. If you check the list archives - particular for threads (no subject) and Those EOL tweets you'll see that you are far from alone.

Well hell, if we're going to degenerate to this level, I don't think you're a cretin, I think you're a commie freeloader who thinks the world owes you a living. Let's at least get the name-calling right.

Homer: In case you missed it, that was sarcasm.
Marge: Well, DUH.

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] No debian woody support anymore?
On Wed, 21 Apr 2010, Simon Hobson wrote:

No, according to certain people on this list, you are a cretin, and incompetent to even handle the off switch of a computer. If you check the list archives - particular for threads (no subject) and Those EOL tweets you'll see that you are far from alone.

And sarcasm aside, there are other points of view. The one I've tried to make repeatedly is, like it or not this has been the MO of the Clam team for years. This is nothing new.

What I find hard to believe is people installing software on their machines, that is regularly pulling data from an outside source, and evidently knowing nothing about the group producing it.

For people running any supported distribution using packages, I blame the distro. If they are making the binaries available and claim support, they should be up on what is current.

But for anyone running an EOL distro, I will put the blame squarely on their shoulders. If you choose, for whatever reasons, to continue to run an supported distro, then it is your responsibility to keep up on the software you have installed.

Again, to me what the Clam team could or could not have done is Monday morning quarterbacking. Forget the last 6 months, where the hell have all of you been for the last 6 YEARS when it has come up time and time again that clamd will die in all sorts of weird manners.

There are lots of other ways to run a project. This is the way the Clam team chooses to run theirs. It's their right, and the fact that a bunch of people decided to use their software in no way makes them beholden or obligated to you.

If you don't like this RUN SOMETHING ELSE AND SHUT THE FUCK UP ALREADY.

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Clubbing a deceased equine
On Wed, 21 Apr 2010, Eray Aslan wrote:

Knowingly disabling running software on computers that is not your own is not acceptable. It is immoral, unethical and perhaps illegal.

But that's not what happened.

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] illegal or not, make a valid argument (was no subject)
On Wed, 21 Apr 2010, Bill Landry wrote:

Doesn't agree with the example you provided, is all I'm saying, not without notification via certified mail or personal delivery, which takes notification to a much higher standard and requirement than you have been trying to justify.

The example I cited shows a guy who lost his building and spent 10 years trying to get things fixed. In the course a law was changed, so that NOW, in New York State in the USA, personal delivery of notification is required.

If you would like to assume from this that you are safe in your particular locality, I can only hope you don't wake up in a pile of rubble.

For me, the lesson I take is to always be aware of the laws in your locality. And the policies of the software you use.

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] illegal or not, make a valid argument (was no subject)
On Wed, 21 Apr 2010, Bill Landry wrote:

For me, the lesson I take is to always be aware of the laws in your locality. And the policies of the software you use.

Oh yeah, and I bet you read the public notifications in your local paper

Be aware of the laws != read the public notifications in your local paper every day

However, up until this law changed, I did monitor the announcements for the area my business is in, as it's in a redevelopment zone. And I just rent.

Just to beat this example to death a little more: Port Chester was a rehabilitation zone at the time, so it's not like the condemnation was out of the blue. Obviously the law sucked, but this shouldn't have been a shock to anyone in the real estate industry either.

Everyone had choices - move out of Port Chester where there isn't a rehab zone, move out of NY where public notice laws were saner, find a Real Estate attorney who has one of his clerks scan the papers every day and notify his clients if there is an issue (sort of like -- running Nagios)

Again, I disagree with the Clam team's stance on when clamd should die, like I disagree with the sucky notification laws. But -- I CHOOSE to use the software anyway, like I chose to live in NY state. Make the choice, live with it.

What I say is wrong is running software where you don't know the policies of the authors -- or living in a state where you don't know the laws. Doing so and getting bit by it is your own damn fault.

One other quote comes to mind. During the PMRC trials, Al Gore asked Dee Snider if he thought it was reasonable to expect parents to listen to every album their kids bought. Dee's response, Being a parent is not a reasonable thing. It's very hard.

I would say the same about running a mail server, and subscribing to the announce lists of all the software you run.

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Clubbing a deceased equine
On Wed, 21 Apr 2010, Simon Hobson wrote:

- It is a simple fact that the purpose of this update was to make running software break.

I disagree with that statement because it's incomplete.

The purpose of this update was to make running software break WITH A DESCRIPTIVE ERROR. Important difference. The alternative being breaking with an incomprehensible hex dump.

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] (no subject)
On Thu, 22 Apr 2010, Steve Wray wrote:

This is part of the attitude problem from many open source projects. They are (too often) run by technicians and programmers with no input from the business side.

IMHO, open source projects don't have a business side. Opensource projects exist for the developers to get the software they need, faster, through collaboration with others.

If anyone else finds it useful that's an added bonus. But if no one other than the devs use it themselves, the project has fulfilled its purpose.

Adding business value is the job of the distros, or Apple if they include it, or myself as an ISP. That's why I said before I think the real let-down here are the distros that didn't do anything about it.

Extreme ? Maybe, but that's why I use open-source, for getting best of breed, newest, breaking with history when needed.

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] EOL
On Sun, 18 Apr 2010, Simon Hobson wrote:

And you can cut the crap about well you should have configured your system to not stop when ClamAV stopped - that's rubbish because it's already been made perfectly clear right at the start of one of these threads that the project team consider any configuration that doesn't break if ClamAV isn't working right to be broken.

As the originator of those comments, you have misquoted me.

The project team consider any CLAMD configuration -- not any MAIL configuration -- that doesn't break CLAMD if ClamAV isn't working right to be broken.

Because of this, it has been recommended, repeatedly, for years, that mail systems be configured to deliver mail unfiltered if the milter fails.

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] The EOL tweets
On Fri, 16 Apr 2010, Giampaolo Tomassoni wrote:

It is not something to do know, but instead something that could have been done introducing 0.96...

Giampaolo: There are lots of things that COULD be done, but it is not the philosophy of the ClamAV project. As I said, the devs have made it clear in the past that they feel clamd should fail to run on any problem. They also, it seems to me, have made it clear they do not think people should run older versions, ever, for any reason.

Therefore, this is my own statement and I don't want to put words in the devs mouth, but the clear message I get from them is if you aren't the type of admin who always installs the latest, then don't run Clamav. Period. It's not the right thing for you.

And if it isn't their philosophy -- then IMHO it's the effective outcome, and the advice I would give anyone thinking of running it. If you don't want to install the latest when it comes out, pick something else.

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] What mental midget shut down my server?
On Fri, 16 Apr 2010, Gary MacKay wrote:

OK, who's the mental midget that decided to just up and kill all installations of clamav ??? I am flooded today with calls that email servers are not working! Every d*(n one of them is the same thing. ClamAV just died. Stupid I have never heard of a program that just because I did not update it, it shuts down?? Even Microsoft does not do this!! This has got to be the stupidest thing ever

OK, so the version is not updated and it is probably not catching all the viri that it should. SO WHAT That's my responsibility/fault. But don't go shutting everything down and killing corporate email all together!! Retards...

A hollow voice says, Cretin. [1]

1) See http://webhome.idirect.com/~dswxyz/sol/xyzzy.html if you don't get the reference

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] The EOL tweets
On Fri, 16 Apr 2010, Giampaolo Tomassoni wrote:

The ClamAV team have commanded old versions of its product to stop working.

I would not describe what they did that way.

Older versions of clamd were going to crash on signatures that newer versions would accept, and the devs have been prevented for at least 6 months from using that type of signature. They have posted since then for people to upgrade.

What they did was publish this type of signature (has to do with length, greater than about 900 bytes), where the signature itself is an error message, so when the program dumped the signature the error would be displayed.

That's all, not a kill switch as such, but using a known bug to deliver a message, rather than have it just bomb out with a hex dump when they tried to use a larger signature.

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
[Clamav-users] llvm/jit CPU dependant
-- Forwarded message --
Date: Thu, 11 Mar 2010 15:25:43 -0500 (EST)
From: Christopher X. Candreva ch...@westnet.com
To: cla...@lists.clamav.net
Subject: llvm/jit CPU dependant

I just did a compile of 0.96rc1 on a Sparc server, and received this message:

configure: error: Unsupported CPU for JIT: sparc, not building LLVM

What's involved in adding support for a new CPU ? Hopefully not assembly code ?

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
[Clamav-users] Compile error Solaris/Intel
Trying to compile on Solaris 10 i386, gcc 4.4.3 gives the following

make all-recursive
make[1]: Entering directory `/home/chris/apps/mail/clamav-0.96rc1'
Making all in libltdl
make[2]: Entering directory `/home/chris/apps/mail/clamav-0.96rc1/libltdl'
make all-am
make[3]: Entering directory `/home/chris/apps/mail/clamav-0.96rc1/libltdl'
make[3]: Nothing to be done for `all-am'.
make[3]: Leaving directory `/home/chris/apps/mail/clamav-0.96rc1/libltdl'
make[2]: Leaving directory `/home/chris/apps/mail/clamav-0.96rc1/libltdl'
Making all in libclamav
make[2]: Entering directory `/home/chris/apps/mail/clamav-0.96rc1/libclamav'
make all-recursive
make[3]: Entering directory `/home/chris/apps/mail/clamav-0.96rc1/libclamav'
Making all in c++
make[4]: Entering directory `/home/chris/apps/mail/clamav-0.96rc1/libclamav/c++'
make all-am
make[5]: Entering directory `/home/chris/apps/mail/clamav-0.96rc1/libclamav/c++'
CXXAliasAnalysis.lo
llvm/lib/Analysis/AliasAnalysis.cpp:99: error: expected ',' or '...' before numeric constant
llvm/lib/Analysis/AliasAnalysis.cpp:99: error: prototype for 'llvm::AliasAnalysis::ModRefBehavior llvm::AliasAnalysis::getModRefBehavior(llvm::CallSite)' does not match any in class 'llvm::AliasAnalysis'
./llvm/include/llvm/Analysis/AliasAnalysis.h:202: error: candidates are: static llvm::AliasAnalysis::ModRefBehavior llvm::AliasAnalysis::getModRefBehavior(unsigned int)
./llvm/include/llvm/Analysis/AliasAnalysis.h:197: error: virtual llvm::AliasAnalysis::ModRefBehavior llvm::AliasAnalysis::getModRefBehavior(llvm::Function*, std::vectorllvm::AliasAnalysis::PointerAccessInfo, std::allocatorllvm::AliasAnalysis::PointerAccessInfo *)
./llvm/include/llvm/Analysis/AliasAnalysis.h:192: error: virtual llvm::AliasAnalysis::ModRefBehavior llvm::AliasAnalysis::getModRefBehavior(llvm::CallSite, std::vectorllvm::AliasAnalysis::PointerAccessInfo, std::allocatorllvm::AliasAnalysis::PointerAccessInfo *)
llvm/lib/Analysis/AliasAnalysis.cpp:132: error: expected ',' or '...' before numeric constant
llvm/lib/Analysis/AliasAnalysis.cpp:132: error: prototype for 'llvm::AliasAnalysis::ModRefResult llvm::AliasAnalysis::getModRefInfo(llvm::CallSite)' does not match any in class 'llvm::AliasAnalysis'
./llvm/include/llvm/Analysis/AliasAnalysis.h:281: error: candidates are: llvm::AliasAnalysis::ModRefResult llvm::AliasAnalysis::getModRefInfo(llvm::Instruction*, llvm::Value*, unsigned int)
./llvm/include/llvm/Analysis/AliasAnalysis.h:278: error: llvm::AliasAnalysis::ModRefResult llvm::AliasAnalysis::getModRefInfo(llvm::VAArgInst*, llvm::Value*, unsigned int)
./llvm/include/llvm/Analysis/AliasAnalysis.h:275: error: llvm::AliasAnalysis::ModRefResult llvm::AliasAnalysis::getModRefInfo(llvm::InvokeInst*, llvm::Value*, unsigned int)
./llvm/include/llvm/Analysis/AliasAnalysis.h:272: error: llvm::AliasAnalysis::ModRefResult llvm::AliasAnalysis::getModRefInfo(llvm::CallInst*, llvm::Value*, unsigned int)
llvm/lib/Analysis/AliasAnalysis.cpp:86: error: llvm::AliasAnalysis::ModRefResult llvm::AliasAnalysis::getModRefInfo(llvm::StoreInst*, llvm::Value*, unsigned int)
llvm/lib/Analysis/AliasAnalysis.cpp:80: error: llvm::AliasAnalysis::ModRefResult llvm::AliasAnalysis::getModRefInfo(llvm::LoadInst*, llvm::Value*, unsigned int)
llvm/lib/Analysis/AliasAnalysis.cpp:68: error: virtual llvm::AliasAnalysis::ModRefResult llvm::AliasAnalysis::getModRefInfo(llvm::CallSite, llvm::CallSite)
./llvm/include/llvm/Analysis/AliasAnalysis.h:258: error: virtual llvm::AliasAnalysis::ModRefResult llvm::AliasAnalysis::getModRefInfo(llvm::CallSite, llvm::Value*, unsigned int)
make[5]: *** [AliasAnalysis.lo] Error 1
make[5]: Leaving directory `/home/chris/apps/mail/clamav-0.96rc1/libclamav/c++'
make[4]: *** [all] Error 2
make[4]: Leaving directory `/home/chris/apps/mail/clamav-0.96rc1/libclamav/c++'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/home/chris/apps/mail/clamav-0.96rc1/libclamav'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/home/chris/apps/mail/clamav-0.96rc1/libclamav'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/chris/apps/mail/clamav-0.96rc1'
make: *** [all] Error 2

== Chris Candreva -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Compile error Solaris/Intel
On Thu, 11 Mar 2010, Török Edwin wrote: Solaris defines CS as 15, which causes an error when CS is used as a parameter/variable name. Please open a bugreport on bugs.clamav.net so we can track this. Bug #1878 opened == Chris Candreva -- ch...@westnet.com -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
[Clamav-users] Extracting information from the new clamav-milter
I have started testing the new clamav-milter. We had been doing some specialized processing with the old one, and I am trying to see if we can do this with the new one. We reject (5xx) viruses in the initial connection. We use the postmaster notify feature, and feed those messages to a script that logs To, From, Subject, and Date in an SQL database. This way our users or support can check later to see if a mail was rejected and why. I have not seen any easy way to extract this information from the logs the milter makes, even with verbose logging on. Is there an existing option that will let me extract this information? == Chris Candreva -- ch...@westnet.com -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Stop it!
Yes, I know I am about to contradict myself. GESBBB wrote: Is there any reason you cannot read the documentation prior to installing a newer version? Anyone using a package manager will have the new software installed before they can read the documentation. On Fri, 3 Oct 2008, Colin Alston wrote: Is there any reason Clam are incapable of stabilising on a configuration format, or doing the many other things I suggested that other things abide by? It IS a 0.x release. Once he hit 1.x I'll be a lot less forgiving, but as long as we're at 0.x I expect this sort of thing -- and still think it's better than the next best alternative. However, there DOES need to be some sort of long-term goal of stability. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Stop it!
On Fri, 3 Oct 2008, Eric Rostetter wrote: Not true. I have a package manager installed on all my machines. But they do NOT do automatic updates... The above is only true of those who have a package manager installed and configured to do automatic upgrades. But you are on this mailing list, which means you know about the upgrade before you type yum update clamav (or the local equivalent). Now take the user for whom the only notice of an update is when they issue yum update and it lists clam* among the packages to update. He'll know about the change AFTER it's installed. As a big fan of the Unix programs should do a small job philosophy, I think a good overall solution would be a configuration file update utility for package managers. Maybe something along the lines of automake that can take old versions of a config file, along with some rules, and use it to build a current version. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Webinar Recording
On Tue, 9 Sep 2008, Andrew McGlashan wrote: It was hard enough finding a player that works in Windows. is there a better format? If you view the stream, it downloads a Java player that worked in Linux. Maybe they have a stand-alone java player that will let you play the downloaded file ? == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] announcing ClamAV 0.94rc1
On Thu, 21 Aug 2008, Henrik K wrote: Who cares if it scans 100ms or 20ms. I prefer features and stability more For those of us who use it as an incoming mail scanner (which I seem to recall being the primary focus of clam from statements on this list) it matters a great deal. The rate of scanning has to keep up with the rate of incoming mail, or you have an ever-growing backlog. Also, the time difference isn't just 100ms vs 20ms -- there are some OLE documents that in the past have taken minutes to scan. I think most of these problems are solved now, but I wouldn't want to add back any solution that increases the time. Further, signatures are one thing, but in a server environment you do not want code to be updated automatically. Code updates usually have to be rolled out, tested first on a test server, then put into production. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] announcing ClamAV 0.94rc1
On Mon, 18 Aug 2008, Brian Morrison wrote: FWIW it built quite happily on my RH9 (I know!) box with no changes needed to my spec file. As yet I have not actually installed and run the resulting rpms. Built and run here on Solaris 8. I have clamav-milter running on a test machine. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] simplest replacement for ancient amavis-perl
On Mon, 11 Aug 2008, David F. Skoll wrote: S:220 smtp.example.net Go ahead C:MAIL FROM:[EMAIL PROTECTED] S:220 Sender OK C:RCPT TO:[EMAIL PROTECTED] S:451 Greylisted... try again later C:RCPT TO:[EMAIL PROTECTED] S:451 Greylisted... try again later C:DATA S:500 Need recipient first These same sites have problems when a primary mail server is having trouble, they never try the secondary, then complain we are 'rejecting' their mail. Not even that gets it fixed. Oh well. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
[Clamav-users] 0.93.2 segfaults on Solaris 8 Sparc
Just built and the resultant clamscan and clamav-milter both segfault when I attempt to run them. built with gcc 4.3.0 on Solaris 8 Sparc The last lines with --debug enabled are LibClamAV debug: Loading databases from /usr/local/share/clamav LibClamAV debug: in cli_cvdload() LibClamAV debug: in cli_tgzload() Segmentation Fault This was run with all third-party databases removed. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] 0.93.1 RC1
On Thu, 22 May 2008, [EMAIL PROTECTED] wrote: http://downloads.sourceforge.net/clamav/clamav-0.93rc1.tar.gz That's an old version -- 0.93rc1 not 0.93.1rc1 However, the initial message said that the new release candidate would be released SOON -- not that it has been released. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/ ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Clamav-0.93 hang on FreeBsd 4.8
On Mon, 14 Apr 2008, Matthias Häker wrote: is there any change in the conf ? or anything else i should look for ? Uhm, yes: * clamd: - NEW CONFIG FILE OPTIONS: MaxScanSize, MaxFileSize, MaxRecursion, MaxFiles - ** THE FOLLOWING OPTIONS ARE NO LONGER SUPPORTED **: MailMaxRecursion, ArchiveMaxFileSize, ArchiveMaxRecursion, ArchiveMaxFiles, ArchiveMaxCompressionRatio, ArchiveBlockMax == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] all my ClamAV daemons died last night
On Mon, 7 Apr 2008, Tilman Schmidt wrote: I have ClamAV running on several Linux mailservers. All of them stopped working last night with similar symptoms: In terms of the freshclam failing, I had the same problem last night. However, I run freshclam on a separate machine from my mail servers. After a successful update it rsyncs the databases to my mail servers, so none of my clamd processes noticed the problem. Simple question: why did that happen? IMHO a failure to update the signatures, even if it persists for several hours, should not prevent the continued use of the scan service with the signatures it already Sounds like a bug to me, as freshclam is supposed to prevent this from happening. However, you probably also want a script that monitors your clamd/clamav-milter (or whatever else you use) processes to make sure they keep running, and restart them in case one dies. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] all my ClamAV daemons died last night
The same problem seems to have just happened again. For the past few hours my job has been returning errors. Before I post the details I'll put the question here -- is anyone else seeing mirror issues or should I be looking for a local problem ? These were the errors my regular job (freshclam --quiet) was returning: ERROR: getpatch: Can't download daily-6649.cdiff from db.us.clamav.net ERROR: Can't download daily.cvd from db.us.clamav.net ERROR: getpatch: Can't download daily-6649.cdiff from database.clamav.net ERROR: Can't download daily.cvd from database.clamav.net I did a freshclam -v whose output looked like this: Current working dir is /usr/local/share/clamav Max retries == 3 ClamAV update process started at Mon Apr 7 20:36:33 2008 Querying current.cvd.clamav.net TTL: 147 Software version from DNS: 0.92.1 main.cvd version from DNS: 46 main.cvd is up to date (version: 46, sigs: 231834, f-level: 26, builder: sven) daily.cvd version from DNS: 6654 Retrieving http://db.us.clamav.net/daily-6649.cdiff Ignoring mirror 64.186.240.114 (due to previous errors) Ignoring mirror 65.110.48.11 (due to previous errors) Ignoring mirror 128.121.60.235 (due to previous errors) Ignoring mirror 199.239.233.95 (due to previous errors) Ignoring mirror 209.8.40.140 (due to previous errors) WARNING: getpatch: Can't download daily-6649.cdiff from db.us.clamav.net Retrieving http://db.us.clamav.net/daily-6649.cdiff Ignoring mirror 209.8.40.140 (due to previous errors) Ignoring mirror 64.186.240.114 (due to previous errors) Ignoring mirror 65.110.48.11 (due to previous errors) Ignoring mirror 128.121.60.235 (due to previous errors) Ignoring mirror 199.239.233.95 (due to previous errors) And a lot more of the same However, I tried the URLs above with wget, and it downloaded the file. I interpreted the above to mean that freshclam was using the cached data in mirrors.dat to know not to try ANY mirror, but was still running -- and trying over and over but not actually doing anything. 
Since this had been going on for a few hours I renamed mirrors.dat and reran freshclam, which then downloaded the most recent updates: ClamAV update process started at Mon Apr 7 20:37:21 2008 main.cvd is up to date (version: 46, sigs: 231834, f-level: 26, builder: sven) nonblock_recv: recv timing out (30 secs) WARNING: getfile: Error while reading database from db.us.clamav.net (IP: 199.239.233.95) WARNING: getpatch: Can't download daily-6649.cdiff from db.us.clamav.net Downloading daily-6649.cdiff [100%] Downloading daily-6650.cdiff [100%] Downloading daily-6651.cdiff [100%] Downloading daily-6652.cdiff [100%] Downloading daily-6653.cdiff [100%] Downloading daily-6654.cdiff [100%] daily.cld updated (version: 6654, sigs: 13506, f-level: 26, builder: ccordes) Database updated (245340 signatures) from db.us.clamav.net (IP: 128.121.60.235) == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] all my ClamAV daemons died last night
On Mon, 7 Apr 2008, leonel wrote: the daemons of 1 server died to last night but that server had the freshclam as a daemon the other servers have the freshclam in the crontab I should say -- I'm not the one who had servers die last night, just errors. What I wanted to find out was anyone else seeing database errors again this afternoon/evening (call it Apr 7 5-9PM GMT-4:00 aka EDT :-) == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] clamd running full throttle
On Mon, 3 Mar 2008, Independent Edit wrote: Currently running ClamAV 0.90.3 on an OS X Server installation. You are running an outdated version. Current release is 0.92.1 There were many performance improvements since 0.90.x == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] ClamAV 0.92.1 anomaly
On Tue, 12 Feb 2008, shuttlebox wrote: I thought so since I had tried scanning with it and it worked but when I try to get the version info mine also segfaults. :-( Interesting -- yes, it does actually scan, just --version causes the segfault. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] ClamAV 0.92.1 anomaly
On Tue, 12 Feb 2008, shuttlebox wrote: Maybe you could also try the packages from Blastwave? http://www.blastwave.org/packages.php/clamav Wow, this is a switch -- don't we usually tell people they are better off compiling from source ? :-) Seriously, do you have a reason to think this particular version would work where our self-compiled versions don't ? == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] ClamAV 0.92.1 anomaly
On Tue, 12 Feb 2008, Randal, Phil wrote: clamscan --version behaves differently in 0.92.1 to 0.92 # clamscan --version ClamAV 0.92.1 I seem to have a bigger problem: [castor]:~/apps/mail/clamav-0.92.1/clamscan$ ./clamscan --version Segmentation Fault Solaris 8, gcc 4.2.2 == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] fc 6
On Fri, 7 Dec 2007, john wrote: am running fedora 6 Fedora 6 is end of life -- there aren't going to be updated packages for it. You can compile it yourself from source, or upgrade to Fedora 7 or 8 == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB
On Fri, 28 Sep 2007, Jon Wagoner - Red Cheetah wrote: Yes, I'm periodically doing scans of the full drive. I could just skip the mysql directory, but that seems pretty bad security practice. Why does it seem that way to you ? I don't think scanning raw mysql database files is going to give useful results. My gut is that you should in fact exclude them. If a database has specific content that could contain a virus and be a problem (is used to store e-mail or downloadable files), then I would think the only real way to do it is to write something to extract that data and scan it outside of the DB file, each one separately -- as if they were individual files. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB
On Fri, 28 Sep 2007, Jon Wagoner - Red Cheetah wrote: It appears clamav just does a substring match on the exclude, so it would be easy to hide viruses. E.g. If I excluded .MYD, then you could just have your virus named somevirus.MYD and it would not be caught. If I would not exclude *.MYD globally. However: I tried to exclude the mysql dir, then a user could have a virus hidden in /home/someuser/var/lib/mysql/my-virus-here. Users should not be able to write to that directory at all, it should be owned/group mysql. If someone did put a virus there you would probably have a bigger problem - namely that mysql had been hacked. Clamd is for scanning specific things, and I don't think mysql db files is one of them. Not that verifying the integrity of your mysql files isn't a good idea, but I think it will take more than clam to do it. Off the top of my head you would want to look for named files that don't belong. After that, a DB integrity check (a good idea anyway) would find other files pretending to be DB files, as they would fail. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB
On Fri, 28 Sep 2007, Jon Wagoner - Red Cheetah wrote: hidden in /home/someuser/var/lib/mysql/my-virus-here. Users should not be able to write to that directory at all, it should be Take a closer look, that's not the real mysql directory, just a subdirectory under the users home folder that would match the exclude for the real /var/lib/mysql. --exclude-dir is listed as taking a regex, so if you --exclude-dir=^/var/lib/mysql/ You should be fine. I see now though -- if it was a simple substring (or if the current --help output is wrong) that would be a problem. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
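The difference between an unanchored and an anchored exclude pattern, as discussed in this thread, can be checked before a scan is configured. The following is an added example, not code from the thread or from ClamAV: it uses grep -E as a stand-in for the scanner's regex matching (an assumption), and the path list is constructed sample data.

```shell
#!/bin/sh
# Added example: audit scan-exclusion patterns for paths they skip by accident.
# Assumption: grep -E (POSIX extended regex) stands in for the scanner's own
# regex matching. The path list is constructed sample data.

SAMPLE_PATHS='/var/lib/mysql/shop/orders.MYD
/var/lib/mysql/ibdata1
/home/someuser/var/lib/mysql/my-virus-here
/home/someuser/somevirus.MYD
/srv/backup/var/lib/mysql/old.MYI'

# excluded_by PATTERN
# Print every sample path the pattern would remove from the scan.
excluded_by() {
    printf '%s\n' "$SAMPLE_PATHS" | grep -E -- "$1" || true
}

# unintended_exclusions PATTERN INTENDED_PREFIX
# Print excluded paths that are NOT under the directory the admin meant to
# skip. Each line of output is a location the scanner would never look at.
unintended_exclusions() {
    excluded_by "$1" | while IFS= read -r path; do
        case "$path" in
            "$2"*) ;;                        # inside the intended directory
            *) printf '%s\n' "$path" ;;      # skipped by accident
        esac
    done
}

# audit PATTERN INTENDED_PREFIX
# Return 0 only when the pattern excludes nothing outside the intended prefix.
audit() {
    blind=$(unintended_exclusions "$1" "$2")
    if [ -n "$blind" ]; then
        printf 'pattern %s also skips:\n%s\n' "$1" "$blind"
        return 1
    fi
    printf 'pattern %s is confined to %s\n' "$1" "$2"
}

audit '/var/lib/mysql'   '/var/lib/mysql/' || true   # unanchored
audit '\.MYD'            '/var/lib/mysql/' || true   # extension only
audit '^/var/lib/mysql/' '/var/lib/mysql/'           # anchored at the root
```
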
Re: [Clamav-users] Scanning hardware devices fails
On Mon, 24 Sep 2007, [EMAIL PROTECTED] wrote: after a while I get this: /sys/devices/pci:00/:00:06.0/config: OK /sys/devices/pci:00/:00:06.0/:17:00.0/host1/sfp: OK /sys/devices/pci:00/:00:06.0/:17:00.0/host1/vpd: Empty file /sys/devices/pci:00/:00:06.0/:17:00.0/host1/optrom_ctl: Empty file /sys/devices/pci:00/:00:06.0/:17:00.0/host1/optrom: OK *** stack smashing detected ***: clamscan terminated Should I be excluding /sys/devices/pci.00:00 ? I don't want to exclude anything but I consistently get the error when I scan this dir. You should be excluding /sys and /dev at least, probably /proc too. You are scanning your hardware devices. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] clamav 0.91.2 is out. Don't use it.
On Tue, 21 Aug 2007, John Rudd wrote: (filed as bug 631, but it's nothing new: CL_SCAN_STDOPT still doesn't include CL_SCAN_PHISHING_DOMAINLIST; that omission can cause crashing The bug is protected so I can't look at it. However, is it enough to add CL_SCAN_PHISHING_DOMAINLIST to the definition of CL_SCAN_STDOPT at line 100 of libclamav/clamav.h ? == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] latest worry-free version on solaris sparc?
On Thu, 16 Aug 2007, Dennis Peterson wrote: I am running clamav on various versions (5.8 - 5.10) of Solaris on Sparc and Intel and have no problems with stability. I've built everything from scratch except gcc. I'm very happy with it. I'm running clamav/clamav-milter 0.91.1 on Solaris 8 (5.8) on Sparc with no problems in stability. If anything the 0.91 series was MORE stable than the 0.8x was. I've built everything from source including gcc. (4.1.1) == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] 0.91 - high load under solaris
On Tue, 17 Jul 2007, Tom Bombadil wrote: Is anybody else experience a much higher load with 0.91 compared to 0.90.3? Not seeing any higher load here, Solaris 8 on UltraSparc Using clamav-milter with direct access to libclamav however, not the tcp socket. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
[Clamav-users] My script for third party signature databases:
I thought this problem had been pretty well beaten to death when Sanesecurity added their mirrors. In any case I put the set of scripts/Makefile I use on my web site: http://www.westnet.com/~chris/Clamav/ These were not written for general distribution, so it is your responsibility to check all paths. They are all short enough, each does one small job. I have a work dir I run everything from. To initiate an update (by hand or from cron) just run make in your work dir. The Makefile runs a perl script for sanesecurity, and has an rsync rule directly for MSRBL-SPAM (I stopped using MSRBL-images). (And if someone knows how to make a rule always trigger without comparing it to an always changing log file I would love to hear it :-) GetAll.pl uses LWP::Simple to download Sanesecurity files only when they change. If any DB is updated, the database is checked, and the mklive.sh script uses rsync again to copy the DBs atomically to the live location. The makefile invokes mklive.sh through sudo, this may need to be changed for your environment. Finally, there is a simple cland-reload.pl script I wrote that connects to the socket and issues a RELOAD command. Hope this helps. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] clamscan extremly slow
On Mon, 18 Jun 2007, Peter Boosten wrote: clamdscan solved that issue, although I would have appreciated this effect *before* I upgraded to a newer release. This keeps coming up, perhaps it needs to be addressed in the docs. Could you tell us why you used clamscan instead of clamd/clamdscan in the first place ? I'm just a user, but to me it was obvious. Unfortunately I can't even recall what documentation I used when I set this up a few years ago. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] clamscan extremly slow
On Mon, 18 Jun 2007, Peter Boosten wrote: I had some problems running clamd on one of the machines a long time ago, and with mimedefang running clamscan is the second option (which had worked until sometime ago). So I configured mimedefang for clamscan. Maybe it's time to ask the mimedefang people to either remove the clamscan option, or put a big NOT FOR PRODUCTION - FOR TESTING ONLY on it. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] clamscan extremly slow
On Mon, 18 Jun 2007, Eric Rostetter wrote: Anyway, my point is, your mileage may vary. Don't try to impose your views on everyone else. Whoa here. Did you chime in and give a good way to use clamscan on production ? Every time this comes up the answer is don't do it. If that is the answer, then I would think taking steps to avoid this continually coming up would be a good thing. If it ISN'T the answer then lets hear the alternative. Otherwise I don't think I'm imposing MY view on anyone. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] clamscan extremly slow
On Mon, 18 Jun 2007, Chris wrote: [EMAIL PROTECTED] ~]$ clamdscan phish1.txt /home/chris/phish1.txt: Access denied. ERROR I can't figure out why I keep getting this Access denied error. Anyone with any ideas? Because you didn't RTFM. :-) clamdscan passes the file name to clamd, which tries to open it. clamd is normally running as an unprivileged user so unless the file is world readable (or readable by the clamd process), you get that error. Send the file to STDIN and you solve the problem: clamdscan - < phish1.txt == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] daily.wmd trouble with 0.91rc1
On Fri, 1 Jun 2007, Noel Jones wrote: I seem to be having trouble with clamscan 0.91rc1 choking with the current daily.wmd file. It was working fine until the most recent db update. I don't have this problem, but I don't seem to have a daily.wmd file in my daily.inc either. I have daily.wdb and .zmd, but no .wmd == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] daily.wmd trouble with 0.91rc1
On Fri, 1 Jun 2007, Noel Jones wrote: fatfinger error on the name, I am referring to daily.wdb as the pasted session shows. Ah, sorry. Bleary-eyed error not catching it in the session. :-) Are you using 91rc1? It's very repeatable here. I have Yes, so far it has been running fine. My monitoring scripts haven't restarted it once. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] OT: Sanesecurity: new urls?
On Tue, 8 May 2007, Steve Basford wrote: (depending if you want the phishing sigs or the scam sigs) Main: http://www.sanesecurity.co.uk/clamav/phishsigs/ http://www.sanesecurity.co.uk/clamav/scamsigs/ The only problem is the lack of the final file-name in the URL. This breaks my perl script that used LWP::Simple to mirror the file, as it expects the file name to be the last part of the URL. If the script could be on the file name instead of the directory name it would be better. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Local socket unsafe
On Thu, 8 Mar 2007, CPTeam Hostmaster wrote: I get this in maillog whenever I start clamav-milter: -- Mar 8 00:45:01 ns1 sendmail[7399]: l27Mj1nM007399: Milter (clmilter): local socket name /var/run/clamav/clmilter.sock unsafe Mar 8 00:45:01 ns1 sendmail[7399]: l27Mj1nM007399: Milter (clmilter): to error state I have my socket set to /var/clamav/clmilter.sock /var/clamav is owned by clamav.clamav, mode 775 I don't recall why I used /var/clamav instead of /var/run/clamav == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] msrbl sigs: rsync
On Mon, 5 Mar 2007, Dennis Peterson wrote: It makes a great deal of sense to move the files into the clam DB directory to insure an atomic operation. If clamd/clamav-milter should happen to reload with a half-copied file in the DB dir, it will likely stop running. Yah - I realized that after reviewing the suggestion. Too much focus on just one element of the entire problem. You can also use rsync to copy the file(s) from the download location to the clam directory on the same server. I believe rsync will make a temp file then mv it into place, plus it's an easy way to only update the files that changed. ie: rsync -av ./phish.ndb ./scam.ndb ./MSRBL-* /usr/local/share/clamav == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Re: first impressions on 0.90
On Fri, 16 Feb 2007, Stephen Gran wrote: What would be the point of having a socket ready before clamd is ready to do any work? Maybe I'm missing something. It would be something for other programs to connect to and wait for a response, instead of generating a socket does not exist error. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Re: first impressions on 0.90
On Fri, 16 Feb 2007, Stephen Gran wrote: It would be something for other programs to connect to and wait for a response, instead of generating a socket does not exist error. So that they could potentially wait around until their internal timeout, instead of immediately returning? That really doesn't seem all that much like a win to me. I'd rather that the calling application was allowed to make an immediate decision (defer this mail, etc) than get stuck waiting on a reply for an indeterminate amount of time. How is this any different than any other time something connects to the socket and waits for a response, say when clamd is reloading its database, or is under high load? To me it's simply a consistent behavior. However I do think the other option of the parent process not exiting until the socket is created is also a good idea, possibly better. Since this is the way clamav-milter works without the --external option it is also consistent. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Upgrade to .90?
On Thu, 15 Feb 2007, Dennis Peterson wrote: In my case the only difference from every previous build was to enable experimental. I have just one build script I've used for years. Try without experimental. I have a similar set-up (Sun Sparc Ultra 2s, Solaris 8, gcc 4.1.1) I was running 0.90rc3 with --enable-experimental and things were running, but when I upgraded to 0.90 itself clamav-milter would die within seconds. I backed down to rc3 and didn't get to try anything again until tonight. I've now tried 0.90 without --enable-experimental and it seems to be running OK. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Upgrade to .90?
On Fri, 16 Feb 2007, Steve Holdoway wrote: Have you patched 8.14.0. I had everything falling over until I did that... FWIW the problems I had were with 8.13.8 == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] 0.90rc3 on Sparc Solaris 9
On Fri, 2 Feb 2007, Stephen Gran wrote: What breaks? I agree that at first glance it seems like an unnecessary include, but I'm curious what error you get. Here are the errors I get building rc3 with --enable-experimental gcc 4.1.1 binutils 2.17 gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I./unrar -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/bin/include -O2 -mcpu=ultrasparc -pipe -DNDEBUG -MT entconv.lo -MD -MP -MF .deps/entconv.Tpo -c entconv.c -fPIC -DPIC -o .libs/entconv.o if /usr/local/bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I./unrar -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/bin/include -O2 -mcpu=ultrasparc -pipe -DNDEBUG -MT dconf.lo -MD -MP -MF .deps/dconf.Tpo -c -o dconf.lo dconf.c; \ then mv -f .deps/dconf.Tpo .deps/dconf.Plo; else rm -f .deps/dconf.Tpo; exit 1; fi entconv.c: In function 'encoding_norm_readline': entconv.c:689: warning: passing argument 2 of 'iconv' from incompatible pointer type gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I./unrar -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/bin/include -O2 -mcpu=ultrasparc -pipe -DNDEBUG -MT hashtab.lo -MD -MP -MF .deps/hashtab.Tpo -c hashtab.c -fPIC -DPIC -o .libs/hashtab.o hashtab.c:27:20: error: stdint.h: No such file or directory hashtab.c: In function 'hashtab_delete': hashtab.c:348: warning: passing argument 1 of 'free' discards qualifiers from pointer target type hashtab.c: In function 'hashtab_clear': hashtab.c:360: warning: passing argument 1 of 'free' discards qualifiers from pointer target type make[2]: *** [hashtab.lo] Error 1 == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Release-Date for 0.90 ??
On Thu, 1 Feb 2007, Arnaud Jacques wrote: Yeah, we are all waiting for this new stable release :) I've been running 0.90rc2 here for a few months. IMHO it is more stable than the 0.88.x I was running previously. Just yesterday I received a Bugzilla note from one I had submitted that it was fixed in 0.90rc3. I am taking that to mean we will see rc3 soon. Anyone who does want to try 0.90rc2 - be aware the config file format changes. All options now need an operand. So for example if you have Logtime in your clamd.conf , it has to become Logtime yes == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Release-Date for 0.90 ??
On Thu, 1 Feb 2007, Dennis Peterson wrote: 50-50 isn't bad. Can you share your configure params? Compiled fine on Solaris 8 Sparc, gcc 4.1.1, binutils 2.17 I configure with just ./configure --enable-milter == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Re: scan performance
On Fri, 26 Jan 2007, Helmut Schneider wrote: The 0.90rc2 release has greatly improved performance. OK. Could you define greatly improved? I'm quite happy with clamav but I use postfix/amavis with pre-queueing and therefore... :) It's been a while, but things that took minutes to scan now take seconds. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] scan performance
On Thu, 25 Jan 2007, Helmut Schneider wrote: I don't want to discuss about performance in general, I would just like to know if this is normal and/or if there is a way to tune up that process. I use 0.88.7 Yes, it is normal for 0.88.x. The 0.90rc2 release has greatly improved performance. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Phishing, my webserver hacked
On Tue, 23 Jan 2007, Todd Lyons wrote: Hey, who's the guy who maintains the phishing sigs? They hacked my http://www.sanesecurity.com/clamav/ == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Should I submit...
On Wed, 17 Jan 2007, Sander Holthaus wrote: a very basic perl script which opens a listening socket and a shell? I found it after a hacker tried to gain entry. The script is nothing special (far from, 612 bytes) but I doubt people are actually using it for any legitimate means. BitDefender does recognize the file, but not any other AV. I would say yes. If nothing else, let the maintainers have it and make the decision. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
[Clamav-users] Why does clam die on a malformed database ?
Is there a compelling reason for clam to die on a malformed database, instead of just ignoring the bad line and continuing with all the other sigs ? == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Why does clam die on a malformed database ?
On Sat, 30 Dec 2006, Sander Holthaus wrote: A malformed database points to: - serious system malfunction - security breach - security breach / system malfunction between you and (or at) the database provider In my experience, it means a database maintainer who made a simple mistake in one line. There is no point in using a malformed database and could even spell disaster. (Imagine it starts generating FP's en masse, which could be a side effect of a corrupted database). Having clam die spells disaster. If you've set your system to tempfail on clam failure, you can't receive mail until it is fixed. If you accept mail unscanned, you could infect your users, start spreading viruses, and have a big clean-up job. How exactly is this better than a possible false-positive, if a corrupted sig happens to match some valid piece of mail ? == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Why does clam die on a malformed database ?
On Sat, 30 Dec 2006, Bill Landry wrote: The MSRBL-Images.hdb database started showing up corrupted yesterday and This is not the only reason I ask, but the most recent. I have a script that checks that evidently has a bug. I can either spend time fixing that, or fixing clam so it ignores the one line with an error and processes the rest of the file, and am trying to decide how best to spend time. Probably both in the end. It's a question of being brittle. Any small error in the databases stops clam dead. Hell, clam won't run if there is an empty db file ! I had wanted to leave a temporary db file around for things I wanted to block quickly, and leave it empty when there was nothing to block. Surprise -- that kills clam ! Why in the world should that happen ? I can see the arguments if the official, signed files are corrupt, but for extra added files, ignore the bad line, ignore just that FILE, but it makes no sense to me to die completely. Any mistake becomes fatal, for no good reason. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Why does clam die on a malformed database ?
On Sat, 30 Dec 2006, Tomasz Kojm wrote: Freshclam provides this and much more. Except the ability to operate from a given specific URL pointing to a file. If the only updates come from freshclam-verified sources it wouldn't be so bad. The problem comes up that other mechanisms are necessary for third party databases. I fully realize these aren't the clam team's problem. My question was not how to integrate third party dbs - the question was, is there a compelling reason to fail on a single corrupt line in a text database (or should have been, I didn't specify it wasn't the core db). And the answers I've had to that question say, to me, that there isn't. So I am going to work on a patch to allow clam to continue. I will attempt to make it something that could go back to the main project with an option to turn on and off, but if it isn't accepted, so be it. This will work better for me -- and this is the beauty of open source. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Why does clam die on a malformed database ?
On Sat, 30 Dec 2006, Dennis Peterson wrote: There's no limitation for choosing a URL - you can put anything you like in the freshclam.conf file. Using the --config-file=FILE option of freshclam in The only option I see in man freshclam.conf is for a database mirror server name, not a URL. ( DatabaseMirror ) . If there is an option to specify a full URL I've missed it. available. It may be simple http. It is. However from the docs for setting up a mirror it would appear the structure and file names are hard-coded. Again, unless I've missed something you can't use freshclam on say http://download.mirror.msrbl.com/MSRBL-SPAM.ndb -Chris == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Why does clam die on a malformed database ?
On Sun, 31 Dec 2006, Luca Gibelli wrote: How exactly is this better than a possible false-positive, if a corrupted sig happens to match some valid piece of mail ? It's better to delay N emails rather than delete N emails. A false-positive won't delete the mail - it will cause an immediate error to the recipient so they know there is a problem. A delay in say a default sendmail configuration won't give any notice to the sender for 4 hours. I would consider the immediate feedback preferable, and most of my users do too. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162 WestNet Internet Services of Westchester http://www.westnet.com/
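The failure modes raised in this thread (one malformed line or an empty third-party file stops clamd) and in the msrbl rsync message above (a half-copied file in the DB directory) can be gated before a file ever reaches the database directory. The following is an added example, not code from the list or from the ClamAV project; the function names, the constructed sample lines and the simplified .hdb/.ndb field checks are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed field layouts:
#   .hdb  MD5:Size:MalwareName
#   .ndb  MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
# Structural gate only, deliberately strict; not a full signature parser.

# first_bad_line FILE: print the number of the first malformed line, if any.
first_bad_line() {
    case $1 in
        *.hdb)
            awk -F: 'NF != 3 || length($1) != 32 || $1 !~ /^[0-9A-Fa-f]+$/ ||
                     $2 !~ /^[0-9]+$/ || $3 == "" { print NR; exit }' "$1" ;;
        *.ndb)
            awk -F: 'NF < 4 || NF > 6 || $1 == "" || $2 !~ /^[0-9]+$/ ||
                     $3 == "" || $4 !~ /^[0-9A-Fa-f?*(){}|!-]+$/ { print NR; exit }' "$1" ;;
        *)
            echo 1 ;;   # unknown extension: treat as malformed
    esac
}

# check_sigdb FILE: succeed only for a non-empty file with no malformed line.
check_sigdb() {
    if [ ! -s "$1" ]; then
        echo "reject $1: missing or empty" >&2
        return 1
    fi
    bad=$(first_bad_line "$1")
    if [ -n "$bad" ]; then
        echo "reject $1: malformed line $bad" >&2
        return 1
    fi
    return 0
}

# install_sigdb SRC DESTDIR: validate SRC, copy it to a temp file inside
# DESTDIR, then rename it into place. The rename stays on one filesystem,
# so a reloading scanner sees the old file or the new one, never half a copy.
install_sigdb() {
    src=$1
    destdir=$2
    check_sigdb "$src" || return 1
    tmp=$(mktemp "$destdir/.sigdb.XXXXXX") || return 1
    # mktemp creates the file mode 600; the scanner user must be able to read it.
    if cp "$src" "$tmp" && chmod 644 "$tmp" &&
       mv -f "$tmp" "$destdir/$(basename "$src")"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# sigdb_demo: run the gate on constructed sample files in a scratch directory.
sigdb_demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/download" "$work/db"
    # Constructed sample lines, not real signatures.
    printf '%s\n' '0123456789abcdef0123456789abcdef:1234:Constructed.Sample-1' \
        > "$work/download/extra.hdb"
    printf '%s\n' 'Constructed.Sample-2:0:*:deadbeef??cafe{2-4}f00d' \
        'Constructed.Broken:0:*' > "$work/download/extra.ndb"
    for f in "$work/download/extra.hdb" "$work/download/extra.ndb"; do
        if install_sigdb "$f" "$work/db"; then
            echo "installed $(basename "$f")"
        else
            echo "kept previous $(basename "$f")"
        fi
    done
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then
    sigdb_demo
fi
```

A rejected download leaves whatever copy is already in the database directory untouched, so the scanner keeps running on the last good file.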
Re: [Clamav-users] Re: Newbie-inquiry
On Tue, 19 Dec 2006, G.W. Haywood wrote: Has anyone else observed such large improvements? Yes. 0.8.x bogs down on some MIME types. The 0.9x RC's have been much faster. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Compiling Clamav-0.9RC2 on Solaris Intel
On Mon, 27 Nov 2006, Jonathan Armitage wrote: I have just tried to configure, make and install Clamav-0.9RC2 on a Dell PC running Solaris 10. I have previously done the same with various 0.8 versions I don't know if this is your issue, but if you have bash installed, try editing the first line of configure to use bash instead of sh. Sun now ships a bash in /bin/bash , I compiled my own and used that #!/usr/local/bin/bash == Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] clamav 0.92rc2 not updated with new virus db?
On Tue, 14 Nov 2006, zamri wrote: I assume the answer is yes. :) No, it probably means you didn't provide any of the information that was asked for -- what it found, your platform and OS, etc. Your premise that rc.2 isn't updated is wrong. There may be a language barrier causing this, but it does not appear that you understood what we were saying. I gave an example of a particular bug on a particular platform. If you aren't running Solaris on Sparc, then this isn't the problem. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] clamav 0.92rc2 not updated with new virus db?
On Fri, 10 Nov 2006, zamri wrote: I use clamav 0.90rc2 and my friend uses clamav 0.88.5 (the latest stable). Just now, after I ran freshclam, I run clamdscan for a worm. His could detect it as worm and mine didn't. Why is that? It would be helpful to state what platform and what worm. IE, I have an open bug report of a particular worm not being found on the Solaris/Sparc platform. See https://wwws.clamav.net/bugzilla/show_bug.cgi?id=89 == Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] clamav 0.92rc2 not updated with new virus db?
On Fri, 10 Nov 2006, Ken Jones wrote: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=89 Access Denied You are not authorized to access bug #89. I think the clam Bugzilla requires you to have an account and be logged in to watch bugs. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] clamav 0.92rc2 not updated with new virus db?
On Fri, 10 Nov 2006, Ken Jones wrote: I do have an account I even have open reported bugs that I am working on with the developers :) (ok, I've reported and they are trying to fix) Look man, I just use the bugzilla. I don't want to have to understand how it works. Ducks for cover . . . == Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] clamav 0.92rc2 not updated with new virus db?
On Fri, 10 Nov 2006, Dennis Peterson wrote: He scores! Thank you, I'll be here all week. Don't forget to tip your waitresses. I get the same login error, btw, and since I use Solaris exclusively, I'm interested. Looks like it's been classified as a security bug, so I'll let the devel people say what if anything they want to on the list. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Cherishing my ignorance - An appeal to packagers
On Thu, 9 Nov 2006, Daniel J McDonald wrote: My observation is that of all the modern packages ClamAV fails to install and run successfully and securely without operator intervention. I think that this should be refined to reference Fedora packages and perhaps not all of them. I don't use Fedora - I use Mandriva. And my experience has been that the RPMS provided by Mandriva do allow you to run out of the box with You've just hit the problem: Which distributions should the Clam Team be spending time on - Fedora, Mandriva, Ubuntu, SUSE - - - my favorite, your favorite ? This is not a unique complaint to Clam - I see similar problems on the MailMan list, and RedHat/Fedora again is a big source of complaints. As far as I know, across Linux, packages for distributions are the responsibility of the distro, not the project in question. Fedora is fairly well known for making changes to the default way that applications are set up, often moving things around (files, sockets, etc). I think what the OP is asking for misses this fact. When you install Clam from Fedora packages, basically you need to get support from Fedora. Maybe you need a different distro, that keeps things in default locations. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Compiling rc2 on Solaris
On Tue, 7 Nov 2006, Tomasz Kojm wrote: Please report the problem to http://bugs.clamav.net Opened. Sorry, I just assumed it was Sun's problem. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Cherishing my ignorance - An appeal to packagers
On Tue, 7 Nov 2006, Jim Redman wrote: Your opinions, seem to be the prevalent attitude of the vocal members of this list - if you don't suffer, it wasn't worth it. I would disagree, in that I don't see it as suffering. Forgive me if I missed it, but what is your specific problem ? Perhaps we have different definitions of suffering. The only specific complaint I saw was the message Your version is outdated, and that seems to me to be a very simple English declarative sentence, with a simple solution. You are running an old version, get a new one. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/
[Clamav-users] Compiling rc2 on Solaris
I don't know if this helps anyone else, but on Solaris 8 I had to tell configure explicitly to use bash instead of stock sun /bin/sh . It was generating an error on the check for the clamav user (looked like it was trying to run a program called clamav:: ) == Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Clamav-milter with Postfix
On Mon, Oct 23, 2006 at 05:53:30AM -0400, Gerard Seibert wrote: Anyway, we send out several times a week flyers to our customers. These mailings range from 750 to 2000 messages per run. To scan 2000 identical messages is insane, not to mention a total waste of system resources. Other than going to the expense of setting up a separate mail server, etc. I am looking for a way to circumvent this annoyance. To answer your original question: You scan outgoing mail for the same reason you scan incoming mail: To see if it has a virus. If you have otherwise restricted the ways your users can send mail (blocked port 25) -- if you even HAVE users -- this will alert you to infections on your network. I am assuming you want to know about infections on your network. As someone else pointed out, how you send your bulk mail will affect the next answer: If it is one message with many names, it is only scanned once. If it is individual messages (not as silly as it sounds, for VERP bounce-processing purposes) then you will need to see how to not have those scanned. IE, clamav-milter can have compiled-in addresses not to scan. If you know that those messages come from one IP only, and that machine won't ever be infected, you can whitelist there. All will depend on what you do. Personally, with linux free and hardware all over the place I would just set up sendmail/postfix/whatever on a separate machine for bulk mail, so bulk mailings can't ever affect regular mail. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/
[Clamav-users] 0.90rc1 missing thing 0.88.5 catches
I have a sample of W97M.Lafool.U caught by 0.88.5 that 0.90rc1.1 says is clean. I also received an almost identical mail that both say is clean. The second I've submitted as a new virus sample. The first isn't taken, since the web form's 0.88.5 catches it. I assumed I had missed a config option, but I haven't found it. Anyone else seeing this or am I still missing something ? (Aside, it might be a good idea for the web form to put submitted samples through the current live and CVS/RC versions, as a bug check) == Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] 0.90rc1 missing thing 0.88.5 catches
On Sat, 21 Oct 2006, Christopher X. Candreva wrote: I have a sample of W97M.Lafool.U caught by 0.88.5 that 0.90rc1.1 says is clean. I also received an almost identical mail that both say is clean. Looks like this may be a word/unpacker problem on Solaris/Sparc, as it is properly detected on my Linux x86 system. I've just submitted bug 89 on this issue: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=89 == Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/