[clamav-users] ClamAv updates not being published properly?

2014-05-28 Thread Randal, Phil
Latest from clamav-virusdb announcements:


ClamAV database updated (28 May 2014 04-17 -0400): daily.cvd



Yet freshclam says (with and without --no-dns)


# freshclam
ClamAV update process started at Wed May 28 09:33:52 2014
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
daily.cld is up to date (version: 19037, sigs: 970172, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 241, sigs: 46, f-level: 63, builder: dgoddard)



Cheers,



Phil

--
Phil Randal
Infrastructure Engineer
Hoople Ltd | Thorn Office Centre | Hereford HR2 6JT
Tel: 01432 260415 | Email: phil.ran...@hoopleltd.co.uk

Hoople Ltd, Registered in England and Wales No. 7556595
Registered office: Plough Lane, Hereford, HR4 0LE

Any opinion expressed in this e-mail or any attached files are those of the 
individual and not necessarily those of Hoople Ltd. You should be aware that 
Hoople Ltd. monitors its email service. This e-mail and any attached files are 
confidential and intended solely for the use of the addressee. This 
communication may contain material protected by law from being passed on. If 
you are not the intended recipient and have received this e-mail in error, you 
are advised that any use, dissemination, forwarding, printing or copying of 
this e-mail is strictly prohibited. If you have received this e-mail in error 
please contact the sender immediately and destroy all copies of it.
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml


Re: [clamav-users] ClamAv updates not being published properly?

2014-05-28 Thread Randal, Phil
Oops, left off the latest version of patterns - 19041, allegedly, yet we're 
stuck on 19037.

Cheers,

Phil

-Original Message-
From: clamav-users-boun...@lists.clamav.net 
[mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Randal, Phil
Sent: 28 May 2014 09:35
To: Clamav-Users (clamav-users@lists.clamav.net)
Subject: [clamav-users] ClamAv updates not being published properly?



Re: [clamav-users] CentOS 5.6 and clamav 0.97.4

2012-04-13 Thread Randal, Phil
There are packages in the rpmforge (aka repoforge) yum repository.

Cheers,

Phil
--
Phil Randal
Infrastructure Engineer
Hoople Ltd | Thorn Office Centre | Hereford HR2 6JT
Tel: 01432 260415 | Email: phil.ran...@hoopleltd.co.uk


-Original Message-
From: clamav-users-boun...@lists.clamav.net 
[mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Trixi D. Bubemyre
Sent: 12 April 2012 21:56
To: clamav-users@lists.clamav.net
Subject: [clamav-users] CentOS 5.6 and clamav 0.97.4

Is clamav 0.97.4 supported for CentOS 5.6? I do not find it listed among the 
supported Linux platforms.
Thanks.

Re: [Clamav-users] Mirrors not being updated!!!!

2010-07-07 Thread Randal, Phil
It is fixed now.

Cheers,

Phil

--
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's
Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: pran...@herefordshire.gov.uk

-Original Message-
From: clamav-users-boun...@lists.clamav.net
[mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Randal, Phil
Sent: 07 July 2010 11:11
To: clamav-users@lists.clamav.net
Subject: [Clamav-users] Mirrors not being updated

Hi folks,

Anyone else having problems updating patterns?

The clamav-virusdb mailing list says:

ClamAV database updated (07 Jul 2010 05-56 -0400): daily.cvd
Version: 11333

Yet clamav.net, DNS, and the mirrors say we're still at 11330.

Not good!

Phil



Re: [Clamav-users] clamd memory usage (Solved)

2010-04-22 Thread Randal, Phil
Francis Stevens wrote:
> Chris wrote:
>> I've misplaced the original post I made so I can't reply to it,
>> however I'd like to make a note for the archives what the problem is
>> and to thank Steve Basford and Edwin for their help in finding
>> it. Seems like I had both a main.cvd and main.cld. I removed the
>> main.cld file and all is back to the way it should be.
>>
>> Chris
>
> I was interested in this thread and so checked my clam folder on
> seeing this. I've got a main.cld file and no main.cvd, have I got a
> problem (everything seems to be working correctly)?
>
> FAS

Having one of main.cld or main.cvd is fine, having both is the problem.

Same's true of daily.cld and daily.cvd.

If you have both, delete the .cld file and then run freshclam to make
sure you're up to date.

Cheers,

Phil

-- 
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's
Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: pran...@herefordshire.gov.uk

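A check for the two failure modes that come up in these threads, a database present as both .cld and .cvd (above) and a local daily version behind the announced one (the freshclam output in the first thread): added here as an example, not code from the list or from the ClamAV project. It assumes the colon-separated CVD/CLD header layout and the layout of the current.cvd.clamav.net TXT record given in the comments; the sample database directory and TXT record are constructed.

```shell
#!/bin/sh
# Added example (not from the list posts): sanity checks for a ClamAV
# database directory, written from the two problems raised in these threads.
#   1. a database present as both .cld and .cvd (the clamd memory thread)
#   2. local daily version behind the announced one (the "stuck" threads)
# Assumed header layout of a .cvd/.cld file (first 512 bytes, colon separated):
#   ClamAV-VDB:<build time>:<version>:<sigs>:<f-level>:<md5>:<dsig>:<builder>:<stime>
# Assumed TXT record layout for current.cvd.clamav.net:
#   <clamav version>:<main version>:<daily version>:...
set -eu

# Version number (third header field) of a .cvd or .cld file.
clamav_db_version() {
    head -c 512 "$1" | cut -d: -f3
}

# Names of databases that exist as both .cld and .cvd in "$1", one per line.
# Having either form is fine; having both is what the thread above fixed.
find_duplicate_dbs() {
    for cvd in "$1"/*.cvd; do
        [ -e "$cvd" ] || continue
        base=${cvd%.cvd}
        if [ -e "$base.cld" ]; then
            basename "$base"
        fi
    done
    return 0
}

# How many daily versions the local copy lags behind the DNS TXT record.
# $1 = database dir, $2 = TXT record text
# (fetch the real one with: dig +short txt current.cvd.clamav.net)
# Assumed: freshclam consults daily.cld before daily.cvd, so do the same.
daily_lag() {
    announced=$(printf '%s' "$2" | cut -d: -f3)
    if [ -e "$1/daily.cld" ]; then
        db="$1/daily.cld"
    else
        db="$1/daily.cvd"
    fi
    have=$(clamav_db_version "$db")
    echo $((announced - have))
}

# Constructed sample directory mirroring the freshclam output quoted in the
# first thread: main 55 (present twice), daily 19037, bytecode 241.
# Build times, md5 and dsig fields are placeholders; real headers are padded
# to 512 bytes, which parses the same way.
make_sample_dbdir() {
    d=$(mktemp -d)
    printf 'ClamAV-VDB:01 Jan 2014 00-00 -0000:55:2424225:60:X:X:neo:0' > "$d/main.cvd"
    printf 'ClamAV-VDB:01 Jan 2014 00-00 -0000:55:2424225:60:X:X:neo:0' > "$d/main.cld"
    printf 'ClamAV-VDB:27 May 2014 00-00 -0000:19037:970172:63:X:X:neo:0' > "$d/daily.cld"
    printf 'ClamAV-VDB:28 May 2014 00-00 -0000:241:46:63:X:X:dgoddard:0' > "$d/bytecode.cld"
    echo "$d"
}

# Constructed TXT record: announced daily is 19041, as in the thread.
SAMPLE_TXT='0.98.3:55:19041:1401265020:1:63:34501:241'

if [ "${1:-}" = "--demo" ]; then
    dir=$(make_sample_dbdir)
    echo "duplicates: $(find_duplicate_dbs "$dir" | tr '\n' ' ')"
    echo "daily lag:  $(daily_lag "$dir" "$SAMPLE_TXT")"
    rm -rf "$dir"
fi
```

Run with `--demo` to see the constructed case; point `find_duplicate_dbs` and `daily_lag` at the real database directory and the real TXT record for a live check.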


Re: [Clamav-users] vscan-clamav samba with new redHat 5.5

2010-04-15 Thread Randal, Phil
That looks like the same issue we've got with clamd 0.96 and MailScanner: 

http://thread.gmane.org/gmane.mail.virus.mailscanner/74234

Cheers,

Phil


--
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | 
I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: pran...@herefordshire.gov.uk


-Original Message-
From: clamav-users-boun...@lists.clamav.net 
[mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Philippe Camps
Sent: 15 April 2010 15:19
To: clamav-users@lists.clamav.net
Subject: Re: [Clamav-users] vscan-clamav samba with new redHat 5.5

I rebooted the server with the new kernel, then rebuilt the vscan-clamav.so 
module and upgraded clamav 0.95.3 to clamav 0.96.
I get no errors when I start clamav.
I put debug yes in clamd.conf.

I put a file test.txt in my samba share folder, and I always see the same 
error:


Re: [Clamav-users] APER

2009-10-22 Thread Randal, Phil
Check out Julian Field's ScamNailer:

http://www.scamnailer.info/

18/10/2009 - New scamnailer.ndb ClamAV signature database is now
available from http://www.mailscanner.eu/scamnailer.ndb. This is updated
very frequently. Do not download it more than once per hour!

Cheers,

Phil

--
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's
Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: pran...@herefordshire.gov.uk


-Original Message-
From: clamav-users-boun...@lists.clamav.net
[mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of John Rudd
Sent: 22 October 2009 15:03
To: ClamAV users ML
Subject: [Clamav-users] APER

Hope I haven't missed this one being discussed... but ...

APER is a project hosted at Google Code (Anti-Phishing Email Reply) that
tracks From, Reply-to, and Body URLs that match known phishing attacks.
There are a few examples for how to use it ... but I was
wondering:

Has anyone turned this into a regularly updated set of ClamAV
signatures?

I've been tasked with implementing it, and I'd love to be able to just
plug it into my existing regiment of ClamAV signatures (I currently use
MBL, MSRBL, and some (but not all) of the signatures hosted at Sane
Security).


Re: [Clamav-users] [Fwd: Advance Warning: End of Life Announcement:ClamAV 0.94.x]

2009-10-08 Thread Randal, Phil
On the subject of 0.94.x's end-of-life, will the ClamAV developers
please work with the folks at VirusTotal to ensure that VirusTotal runs
ClamAV 0.95.x.

It is still on 0.94.x.

Cheers,

Phil

P.S. This has come up on the list before, but was never resolved. 


--
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's
Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: pran...@herefordshire.gov.uk


-Original Message-
From: clamav-users-boun...@lists.clamav.net
[mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Steve
Basford
Sent: 07 October 2009 20:50
To: ClamAV users ML
Subject: [Clamav-users] [Fwd: Advance Warning: End of Life
Announcement:ClamAV 0.94.x]


 Original Message 
Subject:Advance Warning: End of Life Announcement: ClamAV 0.94.x
Date:   Wed, 07 Oct 2009 20:47:57 +0100
From:   Steve Basford steveb_cla...@sanesecurity.com
To: sanesecur...@freelists.org, sanesecurity_annou...@freelists.org



Hi All,

While this message doesn't impact people until 15 April 2010, I thought
I'd re-post to give people plenty of time to look at their upgrade
plans.

In fact, when v0.95.3 is released, some of the Sanesecurity, InetMsg
and Winnow signatures will be using features of the 0.95.3 engine that
will improve your scanning speed/memory usage; however, they won't be
compatible with pre-0.95.3 engines, i.e. the new signatures will be
ignored by the pre-0.95.3 engines.

Bill, Tom and myself are thrashing out the details of how we move our
signatures over to the new format, as smoothly as possible and while
we'll try to support pre-0.95.3  engines for a short while after 0.95.3
is released, at some point, support will be dropped for  pre-0.95.3
engines *on some of the signature databases*.
 
*More news on these changes after/when 0.95.3 is released*.

Cheers,

Steve
Sanesecurity

= original message ==

Author: Luca Gibelli <nore...@clamav.net>
Date: 2009-10-06 15:36 +100
To: clamav-announce <clamav-annou...@lists.clamav.net>
Subject: [Clamav-announce] End of Life Announcement: ClamAV 0.94.x

Dear ClamAV users,

all ClamAV releases older than 0.95 are affected by a bug in freshclam
which prevents incremental updates from working with signatures longer
than 980 bytes.

You can find more details on this issue on our bugzilla:
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1395

This bug affects our ability to distribute complex signatures (e.g.
logical signatures) with incremental updates.

So far we haven't released any signatures which exceed this limit.
Before we do we want as many users as possible to upgrade to the latest
version of ClamAV.

Starting from 15 April 2010 our CVD will contain a special signature
which disables all clamd installations older than 0.95, that is to say
older than 1 year.
This move is needed to push more people to upgrade to 0.95.
We would like to keep on supporting all old versions of our engine, but
unfortunately this is no longer possible without causing a disservice to
people running a recent release of ClamAV.
The traffic generated by a full CVD download, as opposed to an
incremental update, cannot be sustained by our mirrors.

We plan to start releasing signatures which exceed the 980 bytes limit
on May 2010.

We recommend that you always run the latest version of ClamAV to get
optimal protection, reliability and performance.

This message will be sent every two months to remind you to upgrade all
of your ClamAV installations in time.


Thanks for your cooperation,


Best regards


-- 
Luca Gibelli (luca _at_ clamav.net)   ClamAV, a GPL anti-virus
toolkit


Re: [Clamav-users] Missing option on freshclam 0.95?

2009-04-02 Thread Randal, Phil
aCaB wrote:
> Charles Gregory wrote:
>> Oh, and FTR, I could not find a change log or version notes on
>> the main clamav website, or I could have answered this question
>> myself. A link in the left-side menu would be nice. :)
>
> It's not that hard...
> http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog
>
> -aCaB

Or, from the main site, the Download / Sources page leads you there.

Cheers,

Phil

-- 
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: pran...@herefordshire.gov.uk



Re: [Clamav-users] Once again, daily updates being announced but nowhere to be found

2009-02-19 Thread Randal, Phil
Still stuck - DNS and mirror says 9002, yet 9009 has been announced.

Cheers,

Phil

--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: pran...@herefordshire.gov.uk


-Original Message-
From: clamav-users-boun...@lists.clamav.net
[mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Randal, Phil
Sent: 18 February 2009 17:31
To: ClamAV users ML
Subject: [Clamav-users] Once again,daily updates being announced but
nowhere to be found

Just a heads up.

DNS is still reporting 9002, which seems to be the latest on mirrors,
yet 9005 has been announced.

Cheers,

Phil



Re: [Clamav-users] please remove

2009-02-19 Thread Randal, Phil
Francesco Peeters wrote:
> Seeing this list is clearly an OPT-IN affair, those rules are mostly
> irrelevant, and - as stated - the required info *is* provided...
>
> Having said that, I do think it would be a good idea to expose the
> unsubscribe link in the footer, even though nobody will read it
> anyway...  ;)
>
> --FP
> ___
> Help us build a comprehensive ClamAV guide: visit
> http://wiki.clamav.net http://www.clamav.net/support/ml

The above page would be a good place to put unsubscribe instructions,
too.

Cheers,

Phil 

-- 
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: pran...@herefordshire.gov.uk



[Clamav-users] Once again, daily updates being announced but nowhere to be found

2009-02-18 Thread Randal, Phil
Just a heads up.

DNS is still reporting 9002, which seems to be the latest on mirrors,
yet 9005 has been announced.

Cheers,

Phil

--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: pran...@herefordshire.gov.uk



[Clamav-users] OK, what's up?

2009-02-17 Thread Randal, Phil
No 8996, 8997, or 8998.

clamav tweeted Daily CVD 8998 (sigs: 13223; new: 15) on 16 Feb 2009
22-40 -0500 but no sign.

No message on web page, no tweet explaining difficulties, or anything.

Arrrggghhh...

Phil

--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: pran...@herefordshire.gov.uk



Re: [Clamav-users] Where's daily update 8996?

2009-02-17 Thread Randal, Phil
Luca Gibelli wrote:
 Hello Randal,
 
 A quick nudge of the ClamAV team.
 
 Christoph Cordes announced update 8996 at 16:51GMT (or thereabouts),
 but there's no sign of it on mirrors...
 
 we have experienced some connectivity problems between the server
 where the CVD are created and the server which distributes them to
 the mirrors.  
 
 The situation has improved now, but there are still some occasional
 outages. 
 We are monitoring the situation.
 
 Regards,

Thanks Luca,

it's all working fine now.

Cheers,

Phil

-- 
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: pran...@herefordshire.gov.uk



[Clamav-users] Where's daily update 8996?

2009-02-16 Thread Randal, Phil
A quick nudge of the ClamAV team.

Christoph Cordes announced update 8996 at 16:51GMT (or thereabouts), but
there's no sign of it on mirrors...

Cheers,

Phil

--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: pran...@herefordshire.gov.uk



Re: [Clamav-users] Twitter

2008-12-11 Thread Randal, Phil
Nigel Horne wrote:
 McDonald, Dan wrote:
 
 how about:
 Daily CVD 8721 (sigs: 32788, new: 1) at 04 Dec 2008 13-26 +
 
 Thank you for your suggestion. It's a great idea so we've made the
 change! 
 
 -Nigel

And now you've sorted out twittering, how about fixing the
clamav-virusdb mailing list?  There have been no emails to it since
December 8th.

See http://news.gmane.org/gmane.comp.security.virus.clamav.virusdb

Cheers,

Phil
-- 
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: [EMAIL PROTECTED]



Re: [Clamav-users] Announcing ClamAV 0.94.1 RC1

2008-10-16 Thread Randal, Phil
Steve Basford wrote:
 For details of the new features please refer to the Changelog. For an
 overview please refer to
 http://www.clamav.net/press/0.94.1-WhatsNew.pdf. 
 
 
 Nigel, does the stats sent... only send information regarding ClamAV
 default signatures (when detected)... or does this also include
 detections by Third-Party signature names, such as MSRBL, MBL and
 Sanesecurity ones?   
 
 Cheers,
 
 Steve
 Sanesecurity
 

I haven't had the time to check the source code.

How does it send it?  What protocol and port, to which servers?

Anything that firewall admins will need to be aware of?

Cheers,

Phil
-- 
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: [EMAIL PROTECTED]



Re: [Clamav-users] Announcing ClamAV 0.94.1 RC1

2008-10-16 Thread Randal, Phil
Tomasz Kojm wrote:
 On Thu, 16 Oct 2008 13:43:12 +0100
 Randal, Phil [EMAIL PROTECTED] wrote:
 
 I haven't had the time to check the source code.
 
 How does it send it?  What protocol and port, to which servers?
 
 Anything that firewall admins will need to be aware of?
 
 It sends information about a file name, malware name and time to
 stats.clamav.net using HTTP (POST) port 80. 
 
 HTH,

Fabulous, thanks very much for the rapid reply.

Phil

-- 
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: [EMAIL PROTECTED]



Re: [Clamav-users] Scanning performance issues on some files

2008-09-16 Thread Randal, Phil
[EMAIL PROTECTED] wrote:
 Hi,
 
 
 
 For a couple of days now, I have some performance issues with clamav.
 I use clamav on my email server to scan incoming traffic. I faced the
 problem yesterday with the Trojan.Agent-49425 before clamav was
 considering it as a virus.  The scanning time of this 35KB zipped
 file was 16444.5 ms, once considered as a virus it was taking 50.531
 ms to scan it.
 Today I face the same problem with an email containing a zipped file
 with the virus Email.Trojan-14. It's a 32KB file and clamdscan take
 15s to scan it. I'm currently using clamav 0.94.  I really don't know
 what to do to fix this issue.   
 
 
 
 Thanks for your help.

This problem is also being discussed on the MailScanner mailing list.
It's been affecting us here since Friday.

Fortunately my email relays can cope with the extra load.

Cheers,

Phil

-- 
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK


Re: [Clamav-users] [0.0] Re: simplest replacement for ancient amavis-perl

2008-08-12 Thread Randal, Phil
This is what I have in my milter-greylist's greylist.conf.

The google entries are accurate as of a week or so ago, taken from their
SPF record. 

list "broken mta" addr {   \
12.5.136.141/32    \ # Southwest Airlines (unique sender)
12.5.136.142/32    \ # Southwest Airlines
12.5.136.143/32    \ # Southwest Airlines
12.5.136.144/32    \ # Southwest Airlines
12.107.209.244/32  \ # kernel.org (unique sender)
12.107.209.250/32  \ # sourceware.org (unique sender)
63.82.37.110/32    \ # SLmail
63.169.44.143/32   \ # Southwest Airlines
63.169.44.144/32   \ # Southwest Airlines
64.7.153.18/32     \ # sentex.ca (common pool)
64.12.136.0/24     \ # AOL (common pool)
64.12.137.0/24     \ # AOL
64.12.138.0/24     \ # AOL
64.18.0.0/20       \ # google
64.124.204.39/32   \ # moveon.org (unique sender)
64.125.132.254/32  \ # collab.net (unique sender)
64.233.160.0/19    \ # google
66.94.237.16/28    \ # Yahoo Groups servers (common pool)
66.94.237.32/28    \ # Yahoo Groups servers (common pool)
66.94.237.48/30    \ # Yahoo Groups servers (common pool)
66.100.210.82/32   \ # Groupwise?
66.102.0.0/20      \ # google
66.135.192.0/19    \ # Ebay
66.162.216.166/32  \ # Groupwise?
66.206.22.82/32    \ # Plexor
66.206.22.83/32    \ # Plexor
66.206.22.84/32    \ # Plexor
66.206.22.85/32    \ # Plexor
66.218.66.0/23     \ # Yahoo Groups servers (common pool)
66.218.67.0/23     \ # Yahoo Groups servers (common pool)
66.218.68.0/23     \ # Yahoo Groups servers (common pool)
66.218.69.0/23     \ # Yahoo Groups servers (common pool)
66.249.80.0/20     \ # google
66.27.51.218/32    \ # ljbtc.com (Groupwise)
72.14.192.0/18     \ # google
74.125.0.0/16      \ # google
152.163.225.0/24   \ # AOL
194.245.101.88/32  \ # Joker.com
195.235.39.19/32   \ # Tid InfoMail Exchanger v2.20
195.238.2.0/24     \ # skynet.be (weird retry pattern, common pool)
195.238.3.0/24     \ # skynet.be
195.46.220.208/32  \ # mgn.net
195.46.220.209/32  \ # mgn.net
195.46.220.210/32  \ # mgn.net
195.46.220.211/32  \ # mgn.net
195.46.220.221/32  \ # mgn.net
195.46.220.222/32  \ # mgn.net
204.107.120.10/32  \ # Ameritrade (no retry)
205.188.0.0/16     \ # AOL
205.206.231.0/24   \ # SecurityFocus.com (unique sender)
207.115.63.0/24    \ # Prodigy - retries continually
207.126.144.0      \ # google
207.171.168.0/24   \ # Amazon.com
207.171.180.0/24   \ # Amazon.com
207.171.187.0/24   \ # Amazon.com
207.171.188.0/24   \ # Amazon.com
207.171.190.0/24   \ # Amazon.com
209.85.128.0/17    \ # google
209.132.176.174/32 \ # sourceware.org mailing lists (unique sender)
211.29.132.0/24    \ # optusnet.com.au (weird retry pattern)
213.136.52.31/32   \ # Mysql.com (unique sender)
216.33.244.0/24    \ # Ebay
216.239.32.0/19    \ # google
217.158.50.178/32  \ # AXKit mailing list (unique sender)
}

Cheers,

Phil

--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charles
Gregory
Sent: 12 August 2008 12:58
To: ClamAV users ML
Subject: Re: [Clamav-users] [0.0] Re: simplest replacement for ancient
amavis-perl

On Mon, 11 Aug 2008, Dennis Peterson wrote:
 . A problem I've seen with greylisting is the round-robin MTA
pool.
 Each is told in turn to come back later and if the pool is large it 
 can take a long time to cycle through all of them.

I don't suppose anyone has a list of these available for a whitelist
or avoid greylisting? Preferably a list of IP's not domains?

- Charles

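The Google entries in the list above were lifted by hand from an SPF record. As an added example (this is not code from the original post, nor from milter-greylist), the Python script below automates that step: it expands a domain's SPF record, following include: and redirect= terms, into the ip4: networks it authorises and prints them as a milter-greylist list "..." addr { } block. It goes slightly beyond the post in that it follows include chains with a loop and depth guard, which is what bites when this is run against real records. The SPF_RECORDS table is a constructed stand-in for DNS TXT answers so the script runs offline; the domain names and networks in it are not any real provider's current records.

```python
"""Expand an SPF record into CIDR blocks for a milter-greylist "addr" list.

Added example, not part of the original post or of milter-greylist. The SPF
records below are constructed for the example so that it runs offline; a
real run would replace SPF_RECORDS with DNS TXT lookups (dig TXT <domain>).
"""
import ipaddress
import re

# Constructed stand-in for DNS TXT answers (assumption: these are not the
# real records of the domains named).
SPF_RECORDS = {
    "example.com": "v=spf1 include:_netblocks.example.com ip4:64.124.204.39 -all",
    "_netblocks.example.com": ("v=spf1 ip4:64.18.0.0/20 ip4:64.233.160.0/19 "
                               "ip4:66.102.0.0/20 ip6:2001:db8::/32 ~all"),
}

MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-querying terms; stop runaway include chains


def spf_ip4_blocks(domain, records, depth=0, seen=None):
    """Return the set of IPv4 networks an SPF record authorises.

    Follows include:/redirect= terms through `records` (a dict standing in
    for live DNS). Only ip4: mechanisms are collected: a greylisting
    whitelist keyed on source address cannot use a:, mx: or ptr: terms
    without further lookups, so those are ignored deliberately.
    """
    if seen is None:
        seen = set()
    if depth > MAX_INCLUDE_DEPTH or domain in seen:
        return set()            # loop or over-deep chain: contribute nothing
    seen.add(domain)
    record = records.get(domain, "")
    if not record.startswith("v=spf1"):
        return set()
    nets = set()
    for term in record.split()[1:]:
        term = term.lstrip("+")  # "+ip4:" is the same as "ip4:"
        m = re.fullmatch(r"ip4:([0-9.]+)(?:/(\d{1,2}))?", term)
        if m:
            prefix = m.group(2) or "32"   # bare address means a single host
            nets.add(ipaddress.ip_network(f"{m.group(1)}/{prefix}", strict=False))
            continue
        m = re.fullmatch(r"(?:include:|redirect=)(\S+)", term)
        if m:
            nets |= spf_ip4_blocks(m.group(1), records, depth + 1, seen)
    return nets


def greylist_addr_list(name, nets, comment):
    """Render networks as a milter-greylist `list "name" addr { ... }` block."""
    lines = [f'list "{name}" addr {{ \\']
    for net in sorted(ipaddress.collapse_addresses(nets)):  # merge overlaps
        lines.append(f"        {str(net):<18} \\ # {comment}")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    blocks = spf_ip4_blocks("example.com", SPF_RECORDS)
    print(greylist_addr_list("broken mta", blocks, "example.com (from SPF)"))
```

SPF records change without notice, so regenerate the block on a schedule rather than pasting it once; collapse_addresses also removes the overlapping entries that creep into a hand-maintained list.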


[Clamav-users] ClamAV updates - where is 7421?

2008-06-10 Thread Randal, Phil
Last pattern posted to clamav-virusdb was:

ClamAV database updated (10 Jun 2008 14-18 +): daily.cvd
Version: 7421

Yet the DNS, clamav homepage, and mirrors still say 7417.

What gives?

Cheers,

Phil

--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] ClamAV 0.92.1 anomaly

2008-02-12 Thread Randal, Phil
I wrote earlier that

 clamscan --version behaves differently in 0.92.1 to 0.92
 
 # clamscan --version
 ClamAV 0.92.1
 
 # clamscan --version
 ClamAV 0.92/5785/Tue Feb 12 10:41:10 2008

It looks like the checkin to fix bug 699
(https://wwws.clamav.net/bugzilla/show_bug.cgi?id=699) has broken
things.

Cheers,

Phil


[Clamav-users] ClamAV 0.92.1 anomaly

2008-02-12 Thread Randal, Phil
clamscan --version behaves differently in 0.92.1 to 0.92

# clamscan --version
ClamAV 0.92.1

# clamscan --version
ClamAV 0.92/5785/Tue Feb 12 10:41:10 2008

Can we have the old behaviour back please?

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 


Re: [Clamav-users] Instability and Modern Anti-Virus Software

2008-01-02 Thread Randal, Phil
[EMAIL PROTECTED] wrote:
 There is an article on eWeek.com today concerning instability in AV
 software due to the impossibility of adequately testing updates when
 releasing them as quickly as they are needed
 (www.eweek.com/article2/0,1895,2240656,00.asp?kc=EWKNLINF010208STR3).
 

Just to force the point home, McAfee yesterday released datfile 5197,
which erroneously detected the JS/Exploit-BO virus on sites like ESPN and
Friendster.

They've since released dat 5198 to fix the problem.

The problem of false positives from bad patterns or heuristics is, IMHO,
a good reason for never doing on-demand full scans of filesystems.

Cheers,

Phil
-- 
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK


Re: [Clamav-users] Recent viruses

2007-10-25 Thread Randal, Phil
Do you give risk assessments of each and every virus caught, then?

That would be a complete waste of time.

But, just to let you know the risks we're talking about here:

eCard stuff:  emails containing either a link to a website pushing
Trojans onto the PCs of those stupid enough to visit; or a .zip
attachment containing a Trojan.  The risk?  Malware on your PC, data
harvesting, turning PC into a spambot, etc.

The phishing ones usually contain links to fake bank sites in an attempt
to harvest people's usernames and passwords, and thence their money.
The risk is of your staff being fleeced, quickly followed by legal
action by them against management for failure in their duty of care for
their employees (by not blocking these phishing emails they are aiding
and abetting the criminals).

And if you really have to argue the case individually for each and every
virus pattern in your antivirus products' databases, you should start
seeking a new job right now.

Cheers,

Phil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gomes, Rich
Sent: 25 October 2007 18:20
To: ClamAV users ML
Subject: Re: [Clamav-users] Recent viruses

Dennis,
Thanks for the reply. I understand all of what you are saying,
having worked as a sysadmin for many years now. My issue is that even
with most vendors using different naming conventions, they are usually
cross-reference in any technical info that is out there. I can't find
any data on these messages and would like to know what other malware
names they match up to so I can present it to management. At this point
I can't even give a risk assessment.


Rich

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dennis
Peterson
Sent: Thursday, October 25, 2007 12:54 PM
To: ClamAV users ML
Subject: Re: [Clamav-users] Recent viruses

Gomes, Rich wrote:
 I received some emails yesterday matching the following:
 
 Infected messages:
 Email.Ecard-28: 2 Message(s)
 Email.Phishing.RB-1804: 2 Message(s)
 Email.Phishing.RB-1806: 2 Message(s)
 
 
 I think these are ClamAV-specific names, how can I find out more
detailed info on each one? I do not see them anywhere on the web.
 
 
 Any help would be greatly appreciated.

There are no naming standards and it doesn't look like any initiative to
create one is going anywhere. The problem is each AV vendor has to call
it something (I actually don't agree with this, but sexy names sell
product). So what do you call a virus you've not seen before? I suppose
you could submit it to all the other vendors' 
systems to see if they have a name for it and adopt that, but then
that's a lot of work and there are no returns. And what if you are the
first to discover it? You can't wait around for a committee to come up
with a name so you call it something and release the update. As you
know, within a day all the vendors will have discovered that same virus
and will also go through this same drill.

If you think about it, vendor A using vendor B's names is an admission
that vendor A was not the first to discover it, and that means vendor B
is going to look better in reviews.

My bottom line is, I really don't care what they're called. A simple
serial number would be fine with me. The names mean more to the popular
press than anyone else on the planet because they make great headlines.
A name that is also the date discovered would be even better as I could
voluntarily remove any old virus patterns I think are obsolete. This
addresses another issue - AV vendors get a big plus for showing they
have a bazillion patterns in their database. I don't care - if that
represents something that was an issue in 1987 it is not a problem for
me today. Get rid of it.

How to get more detail? You can translate (they're hex encoded) the
record for the the virus name and read what the pattern is. This is
especially true for the phishing and text based viruses. Less useful
for viruses found in executable files.

One final point: phishing and scam mails will not necessarily have a
corresponding identity with other vendors. They may not provide phishing
and scam protection, for one thing, and for another the manner of
detecting them is entirely arbitrary. Vendor A might look for embedded
URL's in the message where vendor B might look for repeating misspelled
words or unusual phrasing in the same message. In other words there is
no guarantee of a match with any other vendor.

dp
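Reading the hex-encoded record, as suggested above, takes a few lines of Python. The script below is an added example, not ClamAV's own tooling: it takes one line in ClamAV's .ndb extended-signature format (MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]], which is what sigtool --unpack daily.cvd writes out as daily.ndb) and renders the hex body as readable text while keeping the wildcards ClamAV allows (??, *, {n-m}, (a|b)) visible. The signature line it decodes is constructed for the example and is not a real ClamAV signature; point it at lines from an unpacked daily.ndb to see what a phishing signature actually matches.

```python
"""Decode a ClamAV .ndb extended-signature line into a readable pattern.

Added example, not ClamAV code. Line format (one signature per line, as in
the daily.ndb that `sigtool --unpack daily.cvd` writes out):
    MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
The hex body may carry ClamAV wildcards: ?? (any byte), a? / ?a (nibble),
* (any run of bytes), {n}, {n-m}, {-n}, {n-} (bounded gaps) and (aa|bb)
alternatives. The sample line at the bottom is constructed, not a real sig.
"""
import binascii

TARGET_TYPES = {0: "any", 1: "PE", 2: "OLE2", 3: "HTML", 4: "mail", 5: "graphics",
                6: "ELF", 7: "ASCII", 9: "Mach-O", 10: "PDF", 11: "Flash", 12: "Java"}


def tokenize(hexsig):
    """Split a hex signature into (kind, value) tokens, recursing into alternatives."""
    tokens, i = [], 0
    while i < len(hexsig):
        c = hexsig[i]
        if c == "*":
            tokens.append(("any", None))
            i += 1
        elif c == "{":
            j = hexsig.index("}", i)
            tokens.append(("gap", hexsig[i + 1:j]))
            i = j + 1
        elif c == "(":
            j = hexsig.index(")", i)
            tokens.append(("alt", [tokenize(a) for a in hexsig[i + 1:j].split("|")]))
            i = j + 1
        else:
            pair = hexsig[i:i + 2]
            if len(pair) != 2 or not all(ch in "0123456789abcdef?" for ch in pair):
                raise ValueError(f"bad hex at offset {i}: {pair!r}")
            tokens.append(("nibble", pair) if "?" in pair else ("byte", int(pair, 16)))
            i += 2
    return tokens


def render(tokens):
    """Show byte runs as text (non-printables as \\xNN) and wildcards in <...>."""
    parts, run = [], []

    def flush():
        if run:
            parts.append("".join(chr(b) if 32 <= b < 127 else f"\\x{b:02x}" for b in run))
            run.clear()

    for kind, value in tokens:
        if kind == "byte":
            run.append(value)
            continue
        flush()
        if kind == "any":
            parts.append("<*>")
        elif kind == "gap":
            parts.append(f"<{value} bytes>")
        elif kind == "nibble":
            parts.append(f"<{value}>")
        else:
            parts.append("(" + "|".join(render(alt) for alt in value) + ")")
    flush()
    return "".join(parts)


def decode_ndb(line):
    """Parse one .ndb line into its fields with the pattern made readable."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("not an .ndb line")
    name, target, offset, hexsig = fields[:4]
    return {
        "name": name,
        "target": TARGET_TYPES.get(int(target), f"type {target}"),
        "offset": offset,
        "pattern": render(tokenize(hexsig.lower())),
        "min_flevel": int(fields[4]) if len(fields) > 4 and fields[4] else None,
    }


def hexify(text):
    return binascii.hexlify(text.encode()).decode()


# Constructed sample (target 4 = mail): a phishing-style text pattern with a
# gap, an alternative and a trailing wildcard byte. Not a real ClamAV signature.
SAMPLE_NDB = ("Email.Phishing.Example-1:4:*:" + hexify("Dear valued customer") + "*"
              + hexify("verify your account") + "{-20}" + hexify("http://")
              + "(" + hexify("bank") + "|" + hexify("paypal") + ")??:63")

if __name__ == "__main__":
    for key, value in decode_ndb(SAMPLE_NDB).items():
        print(f"{key:>10}: {value}")
```

Phishing and text-based signatures decode to something readable this way; signatures for executables mostly come out as opaque byte runs, which is the point Dennis makes.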


Re: [Clamav-users] clamav needs 3 minutes to start

2007-06-27 Thread Randal, Phil
Conrad Zane Minnaar wrote:

 On Wednesday 27 June 2007 15:09, Schramm e.K. [ Deutschland ] wrote:
  Dear clamav-users-list,
 
  like the subject sounds have i some problems
  with clamav.
 
  Known bug. Already corrected in version 0.91 rc2.
 
 I don't know if it is really fixed. I have posted a request 
 concerning this issue earlier this week. I am running
 versions 0.99.2 and 0.99.3 and clamd is taking ages to
 start. I will admit it does not take 3 minutes, but it is
 causing a major problem, because it causes the startup of 
 clamav-milter to break.
 
 Any suggestions?
 
 -Conrad-

Yes, check your version numbers...

I guess you mean 0.90.2 and 0.90.3.

It is definitely fixed in 0.91rc2.

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK


Re: [Clamav-users] Terrible performance with 0.90.2

2007-04-24 Thread Randal, Phil
[EMAIL PROTECTED] wrote:
 Michael Heiming wrote:
 René Berber wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256
 
 Michael Heiming wrote:
 
 Tests show pretty bad performance with 0.90.2 and clamscan. Running
 Mailscanner it seems not trivial to switch to clamd,
 
 It is trivial, just change lib/clamav-wrapper and
 lib/MailScanner/SweepViruses.pm; I include my changes at the end.
 
 Rene,
 
 indeed this looks pretty much straight forward. Could you send me the
 patches as attachment, seems they got garbled in the mail?
 
 It seems the version of my clamav-wrapper is different (MS 4.54.6-1),
 could you please send me your patched version completely?
 
 Best regards

The appropriate course of action is for you to upgrade to MailScanner 4.58.9.

You're running a version which is well out of date.

Phil

-- 
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK


RE: [Clamav-users] Release-Date for 0.90 ??

2007-02-01 Thread Randal, Phil
Christopher X. Candreva wrote

 I've been running 0.90rc2 here for a few months. IMHO it is 
 more stable than 
 the 0.88.x I was running previously.
 
 Just yesterday I received a Bugzilla note from one I had 
 submitted that it 
 was fixed in 0.90rc3. I am taking that to mean we will see rc3 soon.

0.90rc3 has just been released.

Cheers,

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK


RE: [Clamav-users] Trojan Peacomm?

2007-01-25 Thread Randal, Phil
Galactic wrote:

 Seems it is already in the DB as something else,
 Trojan.Downloader-6xx.
 Norton was stripping the file from my email so I couldn't
 read the headers
 on it. Not sure why it was slipping past ClamAV however. When
 I tried to
 upload these 3 files postcard.exe, Full Clip.exe, and
 Greeting Card.exe the
 submission engine said that they exist in the DB as the
 Trojan.downloader-6xx.. 
 
 Norton is seeing them as [EMAIL PROTECTED] and Trojan.Peacomm. As far as
 running freshclam, had been doing that manually ever couple
 of hours for the
 past two days to be sure that this little bugger wouldn't get through.
 
 Franklyn

It's worth checking http://cme.mitre.org/ in cases like this, and
http://isc.sans.org/ , which is pretty good at following outbreaks.

This particular trojan is CME-711.

If you have a virus sample you're not detecting locally, try submitting
it to http://virusscan.jotti.org and http://www.virustotal.com .  Those
sites will tell you who is detecting it as what, and will forward
samples to the vendors of the antivirus tools they use.

Cheers,

Phil
-- 
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK


RE: [Clamav-users] libclamav saying DB is old, can't detect virus

2007-01-23 Thread Randal, Phil
Not detected here either, nor by ClamAV at http://virusscan.jotti.org

 Scan taken on 23 Jan 2007 14:57:25 (GMT)
AntiVir               Found nothing
ArcaVir               Found Trojan.Door.Mirc-based
Avast                 Found Win32:Trojan-gen. {VC}
AVG Antivirus         Found HideExec.G, IRC/BackDoor.Flood
BitDefender           Found Trojan.Hidewindows.C, Backdoor.IRC.Zapchast.GJ, Backdoor.IRC.Zapchast.LK
ClamAV                Found nothing
Dr.Web                Found Tool.HideApp, Program.mIRC.603
F-Prot Antivirus      Found nothing
F-Secure Anti-Virus   Found Backdoor.IRC.Zapchast, Backdoor.Win32.mIRC-based
Fortinet              Found nothing
Kaspersky Anti-Virus  Found Backdoor.IRC.Zapchast, Backdoor.Win32.mIRC-based
NOD32                 Found IRC/Flood.CP, probably a variant of IRC/Zapchast.J (probable variant)
Norman Virus Control  Found Zapchast.ACA
VirusBuster           Found IRC.Flood.BU
VBA32                 Found Backdoor.IRC.Zapchast#13, BackDoor.IRC.based, Backdoor.IRC.Zapchast#36

Yet over at http://www.virustotal.com:

Engine              Version         Updated     Result
AntiVir             7.3.0.26        01.23.2007  no virus found
Authentium          4.93.8          01.22.2007  no virus found
Avast               4.7.936.0       01.23.2007  Win32:Trojan-gen. {VC}
AVG                 386             01.23.2007  IRC/BackDoor.Flood
BitDefender         7.2             01.23.2007  Trojan.Hidewindows.C
CAT-QuickHeal       9.00            01.22.2007  no virus found
ClamAV              devel-20060426  01.23.2007  Trojan.IRC.Zapchast-11
DrWeb               4.33            01.23.2007  no virus found
eSafe               7.0.14.0        01.23.2007  VBS.Chode911.2
eTrust-InoculateIT  23.73.120       01.23.2007  no virus found
eTrust-Vet          30.3.3344       01.23.2007  no virus found
Ewido               4.0             01.23.2007  no virus found
Fortinet            2.82.0.0        01.23.2007  Misc/Hidewindow
F-Prot              3.16f           01.22.2007  no virus found
F-Prot4             4.2.1.29        01.22.2007  no virus found
Ikarus              T3.1.0.27       01.23.2007  Backdoor.IRC.Zapchast
Kaspersky           4.0.2.24        01.23.2007  Backdoor.IRC.Zapchast
McAfee              4946            01.22.2007  no virus found
Microsoft           1.1904          01.23.2007  Trojan:Win32/HideWindows.C
NOD32v2             1999            01.23.2007  IRC/Flood.CP
Norman              5.80.02         01.23.2007  Zapchast.ACA
Panda               9.0.0.4         01.23.2007  no virus found
Prevx1              V2              01.23.2007  Covert.Sys.Exec
Sophos              4.13.0          01.20.2007  no virus found
Sunbelt             2.2.907.0       01.22.2007  IRC.Backdoor.Trojan
TheHacker           6.0.3.154       01.22.2007  no virus found
UNA                 1.83            01.22.2007  Trojan.Win32.Hidewindows.E2AC
VBA32               3.11.2          01.22.2007  Backdoor.IRC.Zapchast#13
VirusBuster         4.3.19:9        01.23.2007  IRC.Flood.BU

Strange...

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Roy Carin
 Sent: 23 January 2007 13:15
 To: ClamAV users ML
 Subject: Re: [Clamav-users] libclamav saying DB is old, can't 
 detect virus
 
 On 01/23/2007 05:00 AM, Andy wrote:
  Andy ([EMAIL PROTECTED]) wrote:
  Hey,
 
  I'm having some trouble with a virus that got past clamav.
 
  Log is pasted below, but I seem to have two problems:
 
  1) libclamav is saying my database is old when it isn't
  
  update...
  
  I didn't want to stop clamav on a production system but on comparing
  the filesizes to another clamav installation I noticed they were
  different.
  
  So even though it shows it reading the right files:
  
  LibClamAV debug: Loading databases from /var/lib/clamav
  LibClamAV debug: Loading /var/lib/clamav/daily.cvd
  
  And even though I restarted freshclam and it looked like it 
 had updated:
   
  mx tmp # ls -l /var/lib/clamav/daily.cvd
  -rw-rw-r-- 1 clamav clamav 752606 Jan 23 09:41 
 /var/lib/clamav/daily.cvd
  
  ... it obviously hadn't.  I deleted the current database 
 and restarted
  freshclam.  It got a new set of files which were different 
 to old ones,
  and had no problem detecting the virus.  
  
  I'm still confused to what caused this though so I can stop 
 it happening
  again.  I'm also still worried it couldn't scan that .exe 
 file, yet by just
  upgrading the DB it can somehow magically do it now?
  
  Andy.
  
 
 I'm afraid that I don't have any advice for you, but I can 
 say that I'm 
 having a similar problem.
 
 I received a link to a postcard.exe file in a spam message:
 Size: 678849
 MD5sum: 8372e0dcd2ccf5e5247f098e818c5e46
 Site: http://www.newfriendsonline.com/videos/postcard.exe
 
 Virustotal.com says this about the file:
 ClamAVdevel-20060426/20070123 found [Trojan.IRC.Zapchast-11]
 
 So someone's version of clamav can detect the trojan; however, my 
 installation of clamav (0.88.7) always says the file is clean--even 
 after I've just run freshclam.
 
 I even submitted the file to clamav.net a couple of days ago, but my 
 clamscan still doesn't detect the file.
 
 -- 
 
 
 Send instant messages to your online friends 
 http://au.messenger.yahoo.com 
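Both this thread and the earlier "DNS is still reporting 9002" and "where is 7421?" messages come down to comparing the same three numbers: the version in the local daily.cvd/daily.cld header, the version published in the current.cvd.clamav.net TXT record that freshclam consults (unless run with --no-dns), and the version on the mirror. The script below is an added example, not freshclam code: it parses the 512-byte ClamAV-VDB header of a local database file and a DNS TXT answer, reports how far behind the local copy is, and checks the body of the file against the MD5 recorded in its header, which is the check that separates "not updated yet" from the half-written file Andy describes. The header bytes, body and TXT string in it are constructed stand-ins so that it runs offline; the TXT field positions it relies on (1 = main, 2 = daily, 7 = bytecode) are the ones freshclam uses.

```python
"""Compare a local ClamAV database with the version published in DNS.

Added example, not freshclam code. Layout of the 512-byte, space-padded
header that starts every .cvd/.cld file:
    ClamAV-VDB:build_time:version:sigs:flevel:md5:dsig:builder:stime
md5 is the MD5 of everything after the header. The DNS TXT record at
current.cvd.clamav.net is colon-separated; freshclam reads main from
field 1, daily from field 2 and bytecode from field 7.
"""
import hashlib

HEADER_LEN = 512
DNS_FIELD = {"main": 1, "daily": 2, "bytecode": 7}


def parse_cvd_header(raw):
    """Return the header fields of a .cvd/.cld file given its leading bytes."""
    fields = raw[:HEADER_LEN].rstrip(b" \x00").decode("ascii", "replace").split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 9:
        raise ValueError("not a ClamAV-VDB header")
    return {
        "build_time": fields[1],
        "version": int(fields[2]),
        "sigs": int(fields[3]),
        "flevel": int(fields[4]),
        "md5": fields[5].lower(),
        "builder": fields[7],
    }


def body_md5_matches(raw):
    """True when the database body hashes to the MD5 recorded in its header.

    A header that claims version N over a body that no longer matches is a
    truncated or half-written file: the version looks current, the
    signatures are not.
    """
    return hashlib.md5(raw[HEADER_LEN:]).hexdigest() == parse_cvd_header(raw)["md5"]


def parse_dns_txt(txt):
    """Split the current.cvd.clamav.net TXT answer into published versions."""
    fields = txt.strip().strip('"').split(":")
    if len(fields) < 8:
        raise ValueError("unexpected TXT record layout")
    return {"clamav": fields[0], **{db: int(fields[i]) for db, i in DNS_FIELD.items()}}


def check_database(db, raw, txt):
    """Report how far a local main/daily/bytecode file is behind DNS."""
    local = parse_cvd_header(raw)["version"]
    published = parse_dns_txt(txt)[db]
    return {"db": db, "local": local, "published": published,
            "behind": max(0, published - local), "intact": body_md5_matches(raw)}


# Constructed sample file: a daily-style header over a placeholder body.
# Version numbers, builder, dsig and stime are made up for the example; the
# body is not a real signature archive.
SAMPLE_BODY = b"placeholder database body, not a real signature archive\n"
SAMPLE_DAILY = (
    b"ClamAV-VDB:28 May 2014 03-17 -0400:19037:970172:63:"
    + hashlib.md5(SAMPLE_BODY).hexdigest().encode()
    + b":dsig-placeholder:neo:1401261420"
).ljust(HEADER_LEN, b" ") + SAMPLE_BODY

# Constructed stand-in for: dig +short TXT current.cvd.clamav.net
SAMPLE_DNS_TXT = '"0.98.3:55:19041:1401268800:1:63:0:241"'

if __name__ == "__main__":
    # Real use: raw = open("/var/lib/clamav/daily.cld", "rb").read()
    print(check_database("daily", SAMPLE_DAILY, SAMPLE_DNS_TXT))
```

When "behind" is non-zero but the mirrors still serve the older version, the lag is on the distribution side and nothing local will fix it; when "intact" is False the local file is the problem and deleting it before re-running freshclam, as Andy did, is the right move.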

RE: [Clamav-users] Longer writeup on new viruses that Clam has detected?

2007-01-19 Thread Randal, Phil
There were two or three variants of that Trojan (not strictly a virus)
spammed out on the 18th, with one or more variants pushed out a day
later (sample submitted, still waiting for the updated patterns for
that).

Trojan-downloader.647 was one of the variants.

If you keep your eye on whatever virus alert messages you produce it
should be pretty obvious which ClamAV name relates to malware in the
news.

It's not a trivial task to produce a dictionary of malware
cross-referencing all the vendors' pet names for them, and I for one
would rather the effort went into catching the malware rather than
naming it.

Cheers,

Phil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kelly Jones
Sent: Saturday, January 20, 2007 1:26 AM
To: clamav-users@lists.clamav.net
Subject: [Clamav-users] Longer writeup on new viruses that Clam has
detected?

My users sometimes forward me news stories on new viruses. I want to
reassure them that Clam is catching this virus, but I'm not quite sure
how.

Example: a user sent me a story on a virus that I'm pretty sure is
Trojan.Downloader-647, but I couldn't find a web-page describing this
virus. Is there such a thing?

Basically, I'm looking for a short Symantec-like writeup (or even a
link to Symantec's writeup) saying things like:

This virus was first detected 18 Jan 2006.

The subject lines for this virus are: A killer at 11, he's free at
21..., U.S. Secretary of State Condoleezza Rice has kicked..., 230
dead as storm batters Europe, Naked teens attack home director,
etc.

The virus contains an attachment called Full Story.exe

That sort of thing.

It would also be nice to type in a virus subject and see all Clam
signatures/viruses matching that subject (I realize some viruses have
random subjects, but many/most do have a finite list of subjects or at
least adhere to a pattern).

Any thoughts?

-- 
We're just a Bunch Of Regular Guys, a collective group that's trying
to understand and assimilate technology. We feel that resistance to
new ideas and technology is unwise and ultimately futile.


[Clamav-users] Which wiki?

2006-11-12 Thread Randal, Phil
I'd recommend pmwiki.

Phil



RE: [Clamav-users] I-Worm/Generic.RX undetected

2006-09-20 Thread Randal, Phil
Daniel Hertanu wrote:

 Yesterday I received 3 emails in which the local antivirus (AVG for 
 Windows, Free edition) has detected a virus named 
 I-Worm/Generic.RX. The email server is a sendmail with
 clamav-milter. Having a look into the log 
 file I discovered that clamav-milter declared the emails as clean.
 Freshclam is executed daily, so the virus database is updated. 
 As this virus name is not listed in Clamav virus database, 
 I'm wondering if it is known under a different name,
 and, if so, why it was not detected. 
 Any idea would be much appreciated. Thank you.
 
 Daniel

The standard rule is to submit any sample raw email to each of

http://virusscan.jotti.org/

http://www.virustotal.com/

http://www.clamav.net/sendvirus.html

That way you're doing a service to the whole internet community (as well
as finding out which scanners pick it up already).

Cheers,

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] Scan Signature

2006-08-18 Thread Randal, Phil
Diego Lorenzo - OJC said

 Hello, folks!
 
 I'm needing to mark all incoming and outgoing e-mails with a 
 virus scanned message, kinda "This e-mail was scanned by 
 Clamav (or Amavis)", something like that. Is there any flag I 
 can set? Is it really in the Clamav configuration file that I can do that?
 
 Regards,
 
 Diego Lorenzo  

And the virus spammers get wise and add a "this message was scanned by"
footer to their infected emails.

Such disclaimers are worthless.

Cheers,

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] Questions about ClamAV

2006-07-05 Thread Randal, Phil
 Dear all,
 1) I am going to use the anti-virus in a closed network, and connection to
 the Internet is not possible. How can ClamAV be updated manually without
 accessing the Internet? Can freshclam be deactivated? And will there be
 any effect on the signature update if freshclam is deactivated?

Manually copy the database files from a connected machine to one not
connected, or run an internal database mirror.
 
 2) There is a large number of end users within the closed network. Are mass
 installation and update possible? Are remote installation and update
 possible? If yes, how can they be done?

search the list archives

 3) What is the actual virus database update frequency?

Whenever an update is available.  It can be several times a day.

When your (legally worthless) disclaimer and sig are longer than the
content of your email, you need to learn some net etiquette before
people will take you seriously and not treat you with contempt.

Cheers,

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
___
http://lurker.clamav.net/list/clamav-users.html
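The "copy the database files by hand" answer above is easy to get wrong in one way: an older main.cvd or daily.cvd carried over on a USB stick can silently overwrite a newer one on the isolated host. The following is an added example (not from the post and not ClamAV's own code) that reads the version field out of each CVD's 512-byte text header before copying, so a stale copy is never laid over a fresher one, and copies byte-for-byte so the database's embedded digital signature survives for clamd to verify on the offline side. The header layout used here (magic:build-date:version:signatures:f-level:md5:dsig:builder:build-time) is the one ClamAV's CVD format defines; `write_sample_cvd` produces constructed, unsigned test files only and is not a way to build a real database.

```python
import os
import shutil

CVD_HEADER_LEN = 512       # every .cvd begins with a fixed 512-byte text header
CVD_MAGIC = "ClamAV-VDB"   # first field of that header


def read_cvd_header(path):
    """Return the colon-separated header fields of a CVD file.

    Layout: magic:build-date:version:signatures:f-level:md5:dsig:builder:build-time
    Raises ValueError for anything that does not look like a CVD header.
    """
    with open(path, "rb") as fh:
        raw = fh.read(CVD_HEADER_LEN)
    header = raw.rstrip(b"\0 \n").decode("ascii", errors="replace")
    fields = header.split(":")
    if len(fields) < 9 or fields[0] != CVD_MAGIC:
        raise ValueError(f"{path}: not a ClamAV CVD header")
    return fields


def cvd_version(path):
    """Database version number embedded in the CVD header (third field)."""
    return int(read_cvd_header(path)[2])


def needs_copy(src, dst):
    """True when dst is missing or carries an older database version than src."""
    if not os.path.exists(dst):
        return True
    return cvd_version(src) > cvd_version(dst)


def sync_databases(src_dir, dst_dir, names=("main.cvd", "daily.cvd")):
    """Copy each named database from src_dir into dst_dir if src is newer.

    Files are copied unchanged so the signature inside the CVD still verifies
    on the offline host.  The copy lands under a temporary name and is renamed
    into place so a scanner reloading its database never sees a partial file.
    Returns the list of database names that were actually copied.
    """
    copied = []
    for name in names:
        src = os.path.join(src_dir, name)
        dst = os.path.join(dst_dir, name)
        if not os.path.exists(src):
            continue
        if needs_copy(src, dst):
            tmp = dst + ".tmp"
            shutil.copy2(src, tmp)
            os.replace(tmp, dst)
            copied.append(name)
    return copied


def write_sample_cvd(path, version, builder="example"):
    """Write a CONSTRUCTED, unsigned file with a CVD-shaped header (test data only)."""
    fields = [CVD_MAGIC, "16 Jun 2006 10-18 -0400", str(version), "1", "7",
              "0" * 32, "sig-placeholder", builder, "1150468141"]
    header = ":".join(fields).encode("ascii").ljust(CVD_HEADER_LEN, b" ")
    with open(path, "wb") as fh:
        fh.write(header + b"constructed-body\n")


if __name__ == "__main__":
    # Typical use on the connected machine's export and the offline host's DatabaseDirectory
    # (paths are placeholders):
    print(sync_databases("/media/usb/clamav", "/var/lib/clamav"))
```

After copying, clamd still has to be told to reload (ClamAV's `clamdscan --reload` or a restart), and a scanner that refuses the file is telling you the signature did not verify, which is the check this script deliberately leaves in the scanner's hands rather than re-implementing.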


RE: [Clamav-users] Footnote messages

2006-06-16 Thread Randal, Phil
Fernando Azevedo asked:

 I'm running a pretty stable server with clamav 0.88.2 on top of qmail
 with simscan. I'm checking all messages (incoming and 
 outgoing) and I'd
 like to append a small footnote with a disclaimer and also with some
 (free) advertisement stating that the message has gone through ClamAV
 and is clean of any known viruses. Is this possible in ClamAV?

Consider this simple scenario:

I'm Mr mega-trojan distributor, and I've decided that a good new social
engineering trick is to include a footer on each of my spammed
trojanised emails.

Do I need to explain in any detail or have you figured it yet?

Such footers are at best misleading, at worst lulling people into a
false sense of confidence.

Cheers,

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

This email has been scanned by Phil's Antivirus (tm), and found to be
virus-free.  Yeah, right...  ;-)
___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] dreaded Can't query current.cvd.clamav.net m essage

2006-06-16 Thread Randal, Phil
Pat Masterson wrote:

 I just installed clamav-0.88.2 on a solaris 9 system. when running
 freshclam I get this:
 
 [EMAIL PROTECTED] [170]: /usr/local/bin/freshclam --datadir=/home/clamav -v
 Current working dir is /home/clamav
 Max retries == 3
 ClamAV update process started at Fri Jun 16 10:18:50 2006
 SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES
 See the FAQ at http://www.clamav.net/faq.html for an explanation.
 Querying current.cvd.clamav.net
 ERROR: Can't query current.cvd.clamav.net
 WARNING: Invalid DNS reply. Falling back to HTTP mode.
 ^C
 
 But I can get the TXT records OK:
 
 [EMAIL PROTECTED] [171]: host -t txt current.cvd.clamav.net
 current.cvd.clamav.net descriptive text 0.88.2:39:1546:1150468141:1
 
 
 And DNS resolution is fine:
 
 [EMAIL PROTECTED] [172]: nslookup www.ibm.com
 .
 .
 Non-authoritative answer:
 Name:www.ibm.com.cs186.net
 Address:  129.42.34.212
 Aliases:  www.ibm.com
 
 
 Any ideas for me? Thanks.  -Pat

http://www.clamav.net/faq.html says this:

20.  What does SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES mean?


The ClamAV package requires the GMP library to verify the digital
signature of the virus database. When building ClamAV you need the GMP
library and its headers: if you are using Debian just run apt-get
install libgmp3-dev, if you are using an RPM based distribution install
the gmp-devel package. You'll need to rerun ./configure and recompile
ClamAV. 

24.  I get this error when running freshclam: ERROR: Connection with ???
failed. What shall I do?

Either your dns servers are not working or you are blocking port 53/tcp.
You should manually check that you can resolve hostnames with:
$ host database.clamav.net
If it doesn't work, check your dns settings in /etc/resolv.conf.
If it works, check that you can receive dns answers longer than 512
bytes, e.g. check that your firewall is not blocking packets which
originate from port 53/tcp. An easy way to find it out is:
$ host db.us.clamav.net
$ dig @ns1.clamav.net db.us.clamav.net

Cheers,

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  
___
http://lurker.clamav.net/list/clamav-users.html
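The TXT record quoted above (0.88.2:39:1546:1150468141:1) is the whole of what freshclam learns from DNS: the latest ClamAV release, the current main and daily database versions and the time the record was published. Below is an added example, not from the post and not ClamAV's own code, that parses that record and a freshclam status report and says which local databases lag the published versions; it is the check an admin wants when the announcements list and freshclam disagree. The record layout (clamav-version:main:daily:unix-time:...) is the one freshclam reads; the freshclam output is constructed for the illustration and its signature counts are made up. A record that does not fit the layout is rejected, which is the same condition behind freshclam's "Invalid DNS reply" warning.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the TXT record quoted in the post above.
SAMPLE_TXT_RECORD = "0.88.2:39:1546:1150468141:1"

# Constructed sample of freshclam output (version and signature numbers made up).
SAMPLE_FRESHCLAM_OUTPUT = """\
ClamAV update process started at Fri Jun 16 10:18:50 2006
main.cvd is up to date (version: 39, sigs: 55225, f-level: 7, builder: tkojm)
daily.cvd is up to date (version: 1540, sigs: 1150, f-level: 7, builder: ccordes)
"""


def parse_txt_record(txt):
    """Split the current.cvd.clamav.net TXT record into its fields.

    Layout as freshclam reads it: clamav-version:main:daily:unix-time:...
    Anything that does not fit is reported as invalid rather than guessed at.
    """
    fields = txt.strip().strip('"').split(":")
    if len(fields) < 4:
        raise ValueError(f"TXT record has {len(fields)} fields, expected at least 4: {txt!r}")
    try:
        return {
            "clamav": fields[0],
            "main": int(fields[1]),
            "daily": int(fields[2]),
            "published": datetime.fromtimestamp(int(fields[3]), tz=timezone.utc),
        }
    except ValueError as exc:
        raise ValueError(f"non-numeric field in TXT record: {txt!r}") from exc


# Matches the "<db>.cvd is up to date (version: N, ..." lines freshclam prints.
_DB_LINE = re.compile(r"^(?P<db>main|daily)\.c[vl]d .*?\(version: (?P<ver>\d+)")


def parse_freshclam_output(text):
    """Return {db: version} for every database line found in freshclam's output."""
    versions = {}
    for line in text.splitlines():
        m = _DB_LINE.match(line.strip())
        if m:
            versions[m.group("db")] = int(m.group("ver"))
    return versions


def databases_behind(published, local):
    """Return {db: (local_version, published_version)} for each database that lags."""
    return {db: (local[db], published[db])
            for db in ("main", "daily")
            if db in local and local[db] < published[db]}


if __name__ == "__main__":
    pub = parse_txt_record(SAMPLE_TXT_RECORD)
    loc = parse_freshclam_output(SAMPLE_FRESHCLAM_OUTPUT)
    print(f"record published {pub['published'].isoformat()} for ClamAV {pub['clamav']}")
    for db, (have, want) in databases_behind(pub, loc).items():
        print(f"{db}: local version {have}, published version {want}")
```

Feed it the bare record from `host -t txt current.cvd.clamav.net` (the quoting `host` adds is stripped) and the output of a plain `freshclam` run; a lagging daily with a fresh record points at a mirror or caching problem rather than at DNS, while a record that fails to parse at all points at the truncated-answer case the FAQ describes.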


RE: [Clamav-users] updated: PSCM - RPM package (clamav, postfix, spamassassin, mailscanner or amavisd-new)

2006-05-09 Thread Randal, Phil
I'd keep well clear of this until PSCM is updated to use MailScanner
4.53.8.

4.53.6 had a major bug in the phishing detection code which could cause
MailScanner to loop.

Cheers,

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Robert Isaac
 Sent: 09 May 2006 16:37
 To: 'ClamAV users ML'
 Subject: RE: [Clamav-users] updated: PSCM - RPM package 
 (clamav, postfix, spamassassin, mailscanner or amavisd-new)
 
 Is there a similar rpm for sendmail?
 
 Bob 
 
 ___
 Robert Isaac
 Director/Web Admin
 
 www.volvoclub.org.uk
 
 Please include all previous text with reply
 All messages are scanned with an antivirus scanner.
  
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Janet Bindner
 Sent: 09 May 2006 06:18
 To: clamav-users@lists.clamav.net
 Subject: [Clamav-users] updated: PSCM - RPM package (clamav,
 postfix,spamassassin, mailscanner or amavisd-new) 
 
 Hi all,
   I have updated PSCM. The latest RPM package
 contains:
 
 * Clamav: 0.88.2
 * MailScanner: 4.53.6-1
 * SpamAssassin: 3.1.1
 * Postfix: 2.2.10
 * Amavisd-new-2.4.0
 
 
 http://m-net.arbornet.org/~pscm/index.html
 
 //
 PSCM integrates postfix, spamassassin, clamav and 
 mailscanner/amavisd-new.
 This should help to eliminate the hassle of installing and 
 making these
 applications work together.
 
 PSCM comes in 2 flavors:
 
1. Postfix, SpamAssassin, ClamAV and MailScanner
2. Postfix, SpamAssassin, ClamAV and Amavisd-new
 //
 
 Cheers,
 Janet
 
 Send instant messages to your online friends 
 http://uk.messenger.yahoo.com
 ___
 http://lurker.clamav.net/list/clamav-users.html
 
 
 
___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] updated: PSCM - RPM package (clamav, postfix, spamassassin, mailscanner or amavisd-new)

2006-05-09 Thread Randal, Phil
Robert Isaac wrote:

 4.53.7 is the latest version, it came out a few days after 4.53.6

Check http://www.sng.ecs.soton.ac.uk/mailscanner/downloads.shtml for
yourself if you don't believe me!

Cheers,

Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] submiting form

2006-03-17 Thread Randal, Phil
It's always worth submitting samples to http://www.virustotal.com and
http://virusscan.jotti.org as well.

They forward to the ClamAV team and other antivirus vendors.

Cheers,

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Alex Gavriloff
 Sent: 17 March 2006 08:54
 To: clamav-users@lists.clamav.net
 Subject: [Clamav-users] submiting form
 
 
 I've submitted a virus three times using the sendvirus form but still no
 reaction of any kind.
 Should I do something else?
 
 
 -- 
 Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
 
 ___
 http://lurker.clamav.net/list/clamav-users.html
 
___
http://lurker.clamav.net/list/clamav-users.html


[Clamav-users] Zafi worm misidentified as Trojan.Downloader.Small-1004

2006-02-03 Thread Randal, Phil
Don't know when this started happening, but ClamAV is misidentifying the
Zafi worm as Trojan.Downloader.Small-1004.

From a MailScanner notification:

Sender: [EMAIL PROTECTED] IP Address: 85.98.131.226
 Recipient: [EMAIL PROTECTED] (changed to protect the innocent)
   Subject: Fw:  Merry Christmas!
 MessageID: k139qE5t016812
Quarantine: /var/spool/MailScanner/quarantine/20060203/k139qE5t016812
Report: ClamAV Module: postcard.index.jpg4031.zip was infected:
Trojan.Downloader.Small-1004
Bitdefender: Found virus [EMAIL PROTECTED] in file
postcard.index.jpg4031.zip
McAfee: /k139qE5t016812/postcard.index.jpg4031.zip
Found the W32/[EMAIL PROTECTED] virus !!!

Cheers,

Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 
___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] Is CME officially supported/supporting ClamAV?

2006-02-01 Thread Randal, Phil
Jason Haar wrote:

 I've been watching CME (Common Malware Enumerator) starting 
 to take off over the past few weeks, and I've noticed CME 
 entries and their corresponding names used by antivirus vendors.
 
 ...and ClamAV ain't in there from what I've seen...
 
 Is there no interest in supporting this, or am I just blind? 
 (the latter is quite possible ;-)
 
 See http://cme.mitre.org/

From the CME FAQ:

A8. How can my organization and I participate?

An integral component of the CME initiative is broad community
participation. We strongly encourage users of anti-virus products to ask
their preferred vendors to adopt CME identifiers. For anti-virus product
vendors, supporting and participating in the CME initiative is a bold
first step in announcing to your users that you want to help alleviate
their confusion and further protect their systems and networks. Adopting
the use of CME identifiers is a significant first step in establishing a
consistent approach by anti-virus entities that will benefit users and the
entire information security community.

Contact us at [EMAIL PROTECTED] to discuss how you and your organization
can help this growing anti-virus and information security initiative.

Looks like they expect the ClamAV team to contact them, not the other
way round.

Cheers,

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] Undetected Virus

2006-01-18 Thread Randal, Phil
 I have the latest version of ClamAV and the signature files 
 installed, however it fails to detect the Win32.Blackmail.F virus.
 
 My mail is delivered to a FreeBSD server that I run. One of 
 the machines on the network is a WinXP machine running 
 ZoneAlarm Suite. When this Windows machine POPs mail from the 
 mail server it detects this virus. It has happened three 
 times in the past 24 hours. The messages are marked as clean 
 by ClamAV.
 
 Is this something that I should be reporting to someone?
 
 Thanks!
 
 --
 Gerard Seibert
 [EMAIL PROTECTED]

I submitted a sample yesterday afternoon (GMT) to
http://cgi.clamav.net/sendvirus.cgi , http://virusscan.jotti.org/ , and
http://www.virustotal.com/

Cheers,

Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] Large number of Mytob.MM this morning?

2006-01-12 Thread Randal, Phil
Jay Lee wrote:
 I've already submitted a sample to the website, any hope of getting 
 this blocked soon?
  Did you submit it to the online testing web page to see if 
 that system 
  handles it differently from yours?
 
 I have now yes,  I tried sending the raw email message, the 
 attached .zip file and the unzipped .exe, it reported them 
 all as clean.
 
 Jay

It's worth submitting the raw message file to http://virusscan.jotti.org
and http://www.virustotal.com as well.

Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] RE: Report infected mail to the user

2006-01-06 Thread Randal, Phil
  But you do not know the sender. You only know an address that the 
  virus presents as the sender address. And you trust the virus...
 
 Ok, i see you must have experience. Are there really so many 
 virussender who specify a fake REAL EXIST mail address?
 
 Michael Neurohr

Many viruses harvest email addresses from the infected PC user's address
book and inbox etc and use these as the From: address.

And I can verify that this is the case from the number of virus bounces
we get from clueless sites which still insist on sending the (spoofed)
senders virus warnings.

Incidentally, 5 minutes on Google would have told you the answer.

Cheers,

Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] clamav-milter sendmail: postmaster notificat ion

2006-01-06 Thread Randal, Phil
Dennis Peterson said:

 Regardless, anything you need to know about the message can 
 be found in the logs. I've never seen a need to keep a virus 
 around - even in the postmaster account or quarantine directory.

I have.  It's very useful when a new virus variant arrives and is
detected by only one of our three virus scanners (or is blocked by
filetype alone).  If it is quarantined I can pull out the quarantined
copy and submit it to virusscan.jotti.org, www.virustotal.com, and the
Antivirus vendors.

Cheers,

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] clamav-milter sendmail: postmaster notificat ion

2006-01-06 Thread Randal, Phil
Dennis Peterson said:

 I guess I don't understand the need to submit a detected and 
 quarantined virus to anti-virus vendors.

It's called being socially responsible.

Just because ClamAV (or Bitdefender or McAfee or whatever) detected it
doesn't mean that everybody else does or have even seen samples of that
variant.

Cheers,

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 
___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] 9.scr

2005-10-10 Thread Randal, Phil
Maurizio Marini said:

 Hi there
 i have received a mail with an attachment:
 Secret.zip
 inside it there is a file 
 
 Filename 9.src
 Size 75,776
 Size now 43721
 
 
 is this a virus/worm/malware?
 
 
 the mail server report this freshclam output:
 mailgw1:/etc/postfix# freshclam
 ClamAV update process started at Mon Oct 10 14:56:11 2005 
 main.cvd is up to date (version: 34, sigs: 39625, f-level: 5, 
 builder: tkojm) daily.cvd is up to date (version: 1125, sigs: 
 886, f-level: 6, builder: tomek)
 
 there is something wrong in my confs or should i submit it to 
 clamav.net site?
 
 -- 
 Maurizio Marini   GSM +39-335-8259739
 Fano: +39-0721-855285 Milano +39-02303123406
 S. Costanzo: +39-0721950396   IAXTel: (700) 350-1234
 Crashing is the only thing windows does quickly.

It's always worth submitting suspect emails (the whole raw message) to
online scanners such as http://virusscan.jotti.org/ and
http://www.virustotal.com/.

Cheers,

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
___
http://lurker.clamav.net/list/clamav-users.html


[Clamav-users] New Bagle / Mytob variant

2005-10-06 Thread Randal, Phil
We've received over two dozen copies of a new Bagle / Mytob variant in
the last few hours.

Various subjects, attached files

Re: DocumentDetails.exe
Re: Hello   Information.exe
Re: Details.exe
Encrypted document  MoreInfo.exe
Protected message   Updates.exe

etc etc...

Submitted to virusscan.jotti.org, www.virustotal.com, clamav.net, and
webimmune.net.

Detected as W32/[EMAIL PROTECTED] by F-Prot, Webimmune claims it is a Bagle
variant.

Cheers,

Phil



Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 
___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] Two new Bagles out

2005-09-19 Thread Randal, Phil
I wrote:

 Both caught by Bitdefender as [EMAIL PROTECTED]
 
 ClamAV daily update 1085 catches one of them as Worm.Bagle.BO
 (McAfee also picks it up as generic malware) but not the later one.
 
 I've submitted samples of both to clamav.net,
 virusscan.jotti.org, virustotal.com, malwareupload.com, and
 webimmune.net. 

Make that three variants.  I've sent the ClamAV team a sample of
the latest one (which only McAfee detected).

Cheers,

Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] Clam AV on windows with the cygwin environment installed

2005-08-01 Thread Randal, Phil
[EMAIL PROTECTED] asked:

 Subject: [Clamav-users] Clam AV on windows with the cygwin 
 environment installed
 
 Is this possible? Are there any pitfalls in doing this?

Yes, take a look at http://www.clamwin.com/.  It's not a realtime
scanner, just an on-demand one.

Cheers,

Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] clamav only virus? - Trojan.Briss-1

2005-07-27 Thread Randal, Phil
Pablo Chamorro C. wrote:

  Try submitting the infected file to http://virusscan.jotti.org and 
  http://www.virustotal.com and see if any of their scanners 
 detect it.
 
 Thank for all the answers, I found that only clamav on July 
 12th included that signature, but now, where can I find 
 information about the associated risks?  I would like to 
 share that info with a workmate who only trusts proprietary 
 antivirus (I think so).
 
 thanks,
 
 Pablo

Well, the advice I gave above still applies.  Those two online virus
scanners would reveal the name other vendors call that virus by, and the
appropriate searches of their sites would reveal the required
information.

This is basic research, easily done.

There's no point in us spoon feeding you the answers or you'll be asking
the same question with each new virus and not learning how to find the
answer for yourself.

Cheers,

Phil (who hates having to give the same answer twice to an elementary
question)


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] clamav only virus? - Trojan.Briss-1

2005-07-26 Thread Randal, Phil
Pablo Chamorro C. said
 
 I installed clamwin under windows 2000 and it found a file 
 infected with Trojan.Briss-1 but looking up in
 http://www.rainingfrogs.co.uk/index.orig.php?search=numvid=97961
 I'm noting that only clamav detects that virus.
 
 How can we know that virus is really a virus if no other 
 antivirus software knows about trojan.briss-1? or am I wrong?

Try submitting the infected file to http://virusscan.jotti.org and
http://www.virustotal.com and see if any of their scanners detect it.

Other vendors may well use different names.

Cheers,

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] Question about Virus definitions

2005-06-30 Thread Randal, Phil
Pedro Silva asked:

 Dear members,
 
 During the last hours I have received several email 
 containing the W32/Mytob-Fam (Sophos name), which were not 
 caught by Clam.
 
 Can someone tell me why Clam is not detecting this virus?

No idea, but you should submit samples to:

  http://cgi.clamav.net/sendvirus.cgi

  http://www.virustotal.com/flash/index_en.html

  http://virusscan.jotti.org/

Cheers,

Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] libcrypto.so.4

2005-06-22 Thread Randal, Phil
David Kandou wrote:

 Dear all,
 When I want to install clamav 0.85 (rpm version) i found that 
 clamav need libcrypto.so.4 installed.
 Can anybody help me how to get libcrypto.so.4 ???
 
 Regards,
 David Kandou

That's an OpenSSL library (see
http://www.rpmfind.net/linux/rpm2html/search.php?query=libcrypto.so.4submit=Search).
Make sure the current OpenSSL RPM for your OS is properly installed and
try rebuilding ClamAV.

Cheers,

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] freshclam's daily.cvd messages not showing

2005-05-17 Thread Randal, Phil
[EMAIL PROTECTED] wrote:
 Hello,
 
 I'm running clamav (currently version 0.85) on two separate
 servers and my home notebook and recently noticed odd
 behavior when running freshclam.
 While on one server and my notebook it always both displays
 to the console and logs information about both main.cvd and
 daily.cvd (i.e. whether they were updated or are up to date),
 on the other server it only displays that information about
 main.cvd, though it does log information about both main.cvd
 and daily.cvd to the log and does update daily.cvd when
 appropriate.  For example, here is the output from the first,
 normally operating server:
 
 root ~ # /usr/local/bin/freshclam
 ClamAV update process started at Sun May 15 04:49:38 2005
 main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder:
 tkojm)
 daily.cvd is up to date (version: 878, sigs: 1281, f-level: 5,
 builder: ccordes)
 root ~ #
 
 while the other server, running the same version of clamav
 with identical configuration files (as verified by md5sums), displays
 only: 
 
 [EMAIL PROTECTED]:~# /usr/local/bin/freshclam
 ClamAV update process started at Sun May 15 04:50:39 2005
 main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder:
 tkojm)
 [EMAIL PROTECTED]:~#
 
 The log files for both, however, are identical (except for times, of
 course): 
 
 [EMAIL PROTECTED]:~# tail -n 4 /var/log/freshclam.log
 --
 ClamAV update process started at Sun May 15 04:50:39 2005
 main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder:
 tkojm)
 daily.cvd is up to date (version: 878, sigs: 1281, f-level: 5,
 builder: ccordes)
 
 Both installations were compiled from source using identical
 config options (./configure --sysconfdir=/etc) and with the
 default optimizations.  I did grep -r 'up to date' in the
 source directory and find only four occurrences, all in
 freshclam/manager.c, that consisted of two places where this
 message is first written to stdout then in the immediate next
 line apparently logged, so I am at a loss as to how the
 daily.cvd messages could be logged but not display to the
 console.  I'm no C programmer, though, so perhaps someone who
 is has a better idea as to what's going on here?
 
 The first (normal) server is a linux virtual machine
 running under UML on a box with dual Intel Xeon processors.
 My notebook has a pentium3 processor, and the server where
 freshclam behaves oddly is an old box with an amd k6-3
 processor.  The UML server is running a linux 2.4.26 based
 kernel, while my notebook and the other server currently run linux
 2.6.11-7 kernels.  If you need any other information let me know.
 
 Thanks,
 Zibeli
 
 ___
 http://lurker.clamav.net/list/clamav-users.html

This is fixed in ClamAV 0.85.1

Thanks for the rapid update, team.

Cheers,

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] Clam AV allows e-mail fromwww.webmail.us/testv irus through?

2005-05-17 Thread Randal, Phil
Douglas Ward asked:

 Do you by chance know of any resources that I could look at 
 that would outline how to plug the two together?  Thanks!

Have a look at MailScanner (http://www.mailscanner.info).

Cheers,

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread Randal, Phil
It's easy to block.

Check the handler's Diary at http://isc.sans.org/ and follow the links.

Cheers,

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Bart Silverstrim
 Sent: 16 May 2005 16:05
 To: ClamAV users ML
 Subject: Re: [Clamav-users] sober.p and german adverts?
 
 
 On May 16, 2005, at 10:52 AM, Rainer Zocholl wrote:
 
  [EMAIL PROTECTED] (Bart Silverstrim)  16.05.05 08:51
  Maybe you should have simply entered it into google?
  I'm quite sure that google would have led you to the right place.
  Yes, google can search for german strings too! IMOH ;-)
 
 I did enter it in when I first discovered it, but there were 
 no hits.   
 I thought perhaps it was too new at the time, and then turned 
 to the lists to corroborate what I was seeing.
 
  and the text appears to be just a link to a website...?
 
  Yes, it is.
  Many of them are pointing to websites of reputable printed 
  newsletters/magazines like Der Spiegel.
 
 Apparently it will be very hard to block if it's just text 
 without extra spammer tricks in it to bypass filters...or at 
 least not enough to cross the threshold of spam vs. regular mail.
 
  Perhaps we now know what happened to sober.p?
 
  See:
 
  http://www.viruslist.com/en/weblog
  http://www.trendmicro.com/vinfo/virusencyclo/default5.asp? 
  VName=WORM%5FSOBER%2EUVSect=P
  Details in german:
  http://www.heise.de/newsticker/meldung/59562
 
 Well...I'm somewhat proud of myself that so far my hunches and
 (amateurish) deductions had me on the right track :-)
 
  (anyone know offhand how to use the access file for 
 postfix to reject 
  a message by *sender* instead of recipient?)
 
  Write complaints to the owners of the IP blocks!
The MAIL FROM is always faked.
The URL-owner is mostly innocent too.
 
  Block all mails from dynamic IP.
  They are 99,99% spam.
 
 Is there a way to do that with the access file/postmap in postfix?   
 Block sender IP's/IP blocks?
 
 I thought it was odd that our hammering from particular 
 sober.p infections were consistent in IP.  If they were 
 spoofing (this was from the logs that I extracted that grep), 
 then why wouldn't I have 16000 different sober.p sources 
 instead of a few of them over and over?
 
 ___
 http://lurker.clamav.net/list/clamav-users.html
 
___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] Maybe a virus Sober.P

2005-05-05 Thread Randal, Phil
[EMAIL PROTECTED] wrote:
 On Wed, 2005-05-04 at 16:24 +0100, Nigel Horne wrote:
 On Wednesday 04 May 2005 16:16, [EMAIL PROTECTED] wrote:
 Man that never gets old. hahahaha not funny.
 
 I have no control over this warning.
 
 Yes you do. Use a hotmail/yahoo/gmail account.
 
 At our company, all webmail is blocked and policy forbids
 it's use, as it is harder to scan those messages for viruses
 (and the last time we got hit by a mass-mailing worm - Melissa - was
 due to a person using web-mail.)
 
 Any company paranoid to force a disclaimer on every mail
 ought to similarly block webmail, if they have any intelligence.

If they're forcing a legally dubious disclaimer on every email (at the
bottom after it has been read, in particular), then that's the prima
facie case for their lack of intelligence.

Cheers,

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] Exploit.W32.MS05-002 False Positives

2005-02-08 Thread Randal, Phil
Francis Stevens wrote:

 I'm seeing several false positives for Exploit.W32.MS05-002 
 since I upgraded to 0.82 yesterday.  I've posted samples to 
 the submission website but would like to do something about 
 this.  Using sigtool -l 
 doesn't list Exploit.W32.MS05-002 as a signature in the 
 database, is there any way I can disable this check?  I tried 
 reverting to 0.81 but that didn't help.
 
 FAS

Seen it here too.

Cheers,

Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


RE: [Clamav-users] Virus Name

2005-02-03 Thread Randal, Phil
Look at the thread on
http://news.gmane.org/gmane.comp.security.virus.clamav.user entitled
RAR Module Failure.  ClamAV supports RAR 2 and not RAR 3 format
archives.

Cheers,

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Jason Frisvold
 Sent: 03 February 2005 14:02
 To: clamav-users@lists.clamav.net
 Subject: [Clamav-users] Virus Name
 
 Hi all,
 
   There is an article on zdnet regarding a new type of 
 trojan that uses an ISP's mailserver to send spam.  I'm not 
 at all interested in getting into a discussion regarding 
 this..  What I am interested in is to know if anyone has seen 
 this in the wild, and whether or not ClamAV currently has a 
 signature for it.  Unfortunately, the article does not detail 
 how this Trojan is installed onto the users system.  However, 
 mail seems to be one of the most prevalent methods, so I'm 
 guessing it will come in that way...
 
   So, anyone know if this is blocked by Clam yet, and if 
 so, the name?
 
   For those interested, that article is located here : 
 http://news.zdnet.com/2100-1009_22-5560664.html
 
 Thanks!
 
 --
 Jason Frisvold
 Penteledata
 ___
 http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
 
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


RE: [Clamav-users] Are we safe - WORM_BAGLE.AZ

2005-01-27 Thread Randal, Phil
[EMAIL PROTECTED] wrote:
 Trog wrote:
 It is detected by Clam as Trojan.Downloader.Small-165, which was
 added on 8th Nov 2004 by Christoph. 
 
 Wow, that was some time ago, and TrendNet is only just now
 putting out an update! That's scary!
 
 Thanks Trog
 
 --
 Craig Daters ([EMAIL PROTECTED])
 Systems Administrator
 West Press Print Communications
 
 1663 West Grant Road
 Tucson, Arizona 85705
 (520) 624-4939
 (520) 624-2715 fax
 
 www.westpress.com

We caught our first copy at 10:20 GMT today.  ClamAV, Bitdefender, and
McAfee's uvscan (4423 DATs) all detected it.

Cheers,

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


RE: [Clamav-users] Are we safe - WORM_BAGLE.AZ

2005-01-27 Thread Randal, Phil
[EMAIL PROTECTED] wrote:
 Craig Daters
 Wow, that was some time ago, and TrendNet is only just now putting
 out an update! That's scary! 
 
 Thanks Trog
 
 What concerns me (if it is true that ClamAV has detected this
 specific variant since November) is that ClamAV is not
 performing due diligence and sharing samples to protect users
 of other products on the Internet.
 
 AV teams working together is a good thing, and I personally
 share all of my samples with over 20+ AV vendors.
 
 sk3tch
 

Hold on a minute there!  ClamAV detects it because it matches an
existing ClamAV virus pattern - that is serendipitous rather than
malicious.

Cheers,

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK


RE: [Clamav-users] downloading without advertising

2004-10-12 Thread Randal, Phil
David Thompson wrote:

 I would like to download clamav. however using adblock in
 mozilla stops the ability to download.

I'm using AdBlock here without problems.

It looks like you have some erroneous or over-zealous AdBlock rules.

Cheers,

Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK


RE: [Clamav-users] Error compiling Mail-Clamav 0.11 - Please help

2004-10-07 Thread Randal, Phil
Alessandro Bianchi wrote:
 
 I've reopened the bug I filed against Mail::ClamAV for this issue:
 
   http://rt.cpan.org/NoAuth/Bug.html?id=7320
 
 The workaround is to uninstall 0.80rc, install 0.75, build
 Mail::ClamAV, uninstall 0.75, reinstall 0.80rc.
 
 Thank you Phil
 
 Alex

Unfortunately, Mail::ClamAV's author is NOT being at all helpful:

 rc stands for release candidate. It is NOT a release. Also please
note
 the libclamav 0.80rc3 is very buggy and should not be used anyway. Use
 0.75.1 until 0.80 comes out.

 Scott

Sighing loudly,

Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK


RE: [Clamav-users] Notification E-mail

2004-09-22 Thread Randal, Phil
Steffen wrote:
 Hi
 
 Why? Since all you achieve with rejects is indirectly
 causing a lot of
 virus bounces to appear at innocent bystanders.
 
 NO.
  Virii are usually sent directly from the virus and the virus
 will not send bounces... :D However, if a virus can send
 through an SMTP server, that server needs to be blamed for forwarding
 virii. 
 
 Regards,
   Steffen

BUT...  The bounce goes back to the spoofed sender, not the actual
sender.

Read the SMTP RFCs sometime.

Cheers,

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK


---
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


RE: [Clamav-users] Worm.Mydoom.R

2004-09-09 Thread Randal, Phil
Submit it to the clamav team (link on www.clamav.net).

It is probably Mydoom.u (McAfee).

http://vil.nai.com/vil/content/v_128346.htm

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf 
 Of Steffen Heil
 Sent: 09 September 2004 14:35
 To: [EMAIL PROTECTED]
 Subject: [Clamav-users] Worm.Mydoom.R
 
 Hi
 
 On 2004-08-11, I got the following.
 
 Submission: n/a
 Sender: n/a
 Virus: Worm.Mydoom.R
 Alias: Worm/MyDoom.r (Hbedv), W32/MyDoom-R (Sophos), 
 [EMAIL PROTECTED] (Bitdefender), Win32.HLLM.MyDoom.27136 (Drweb)
 Added: Worm.Mydoom.R
 Note: It has been already detected as Worm.Mydoom.Gen-unp by 
 devel version.
 The signature added for stable version.
 
 But today, I got a virus that was not detected with most recent clamd:
   ClamAV version 0.75-1
 and recent freshclam:
   main.cvd is up to date (version: 26, sigs: 22925, f-level: 
 2, builder:
 tomek)
   daily.cvd is up to date (version: 483, sigs: 1113, f-level: 
 2, builder:
 ccordes)
 
 The virus was detected using McAfee Antivirus Enterprise 7.0:
   Anlagendatei: syu.zip
   Virusname: W32/[EMAIL PROTECTED]
   Sekundäre unternommene Aktion: Verschoben...
 
 Is there anything I can do to make clamav detect these?
 - WITHOUT having to take the CVS version.
 
 I see that there will always be some new virii that can 
 only be detected using cvs, but a virus that was added 
 2004-08-11 and that is not detected today IS a problem.
 
 (Otherwise I am very happy with clamav. I have used it for 6 months 
 now and have had only 2 virii getting through. One was added to 
 the database several minutes later, the other is the one above.)
 
 Regards,
Steffen
 
 
 




RE: [Clamav-users] Idea for more timely virusdb updates

2004-08-11 Thread Randal, Phil
Daniel J McDonald wrote:

 That's one of the things that seems to be driving the size of
 daily.cvd up - updating main.cvd entails a massive
 distribution of files to the world.

Current main.cvd  = 1103636 bytes, last updated on July 8
Current daily.cvd = 156470 bytes

A bit of mental arithmetic suggests that daily.cvd grows by about 5KB per
day.

A few sums in my head suggest that total download savings in a month if
main.cvd was updated fortnightly would be around 200KB (circa 3100KB
total download instead of 3300KB), a virtually insignificant difference.
 
 Perhaps a tiered approach to the update files, with main.cvd,
 monthly.cvd, weekly.cvd, daily.cvd, and hot.cvd

 The advantage there is that the really big update could be
 distributed very seldom - perhaps only with new code (the
 code generally has to be upgraded every few months to deal
 with a new threat anyway).

Big updates often remove false positives, improve detections of existing
viruses, so might still need monthly (or more frequent) updating.
 
 If you had overlapping signatures between the files, you
 could add a fuzzy-factor into freshclam that it might not
 bring down the latest weekly/monthly if the other files
 overlap completely.  That would distribute the load on the
 freshclam servers for the larger updates, and there would
 just be the very small daily.cvd (and perhaps hot.cvd) downloads.

If we could use incremental (or, more correctly, differential) updates
which effectively create a new main.cvd then we could have a large
reduction in the load on the download servers.  However, we then have
the problem of ensuring that main.cvd remains consistent.

 I like the idea of using DNS to signal the change - maybe
 just for hot.cvd.  so, whenever a major virus breakout
 occurs, the new sig would be added to hot.cvd  and the DNS
 TXT record changed.  10,000 users pulling down a 2-3K file is
 not terribly hard for a server with decent bandwidth

I've known DNS servers to completely ignore TTL figures and cache stuff
which should have expired, so this might not be reliable.

Cheers,

Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK




RE: [Clamav-users] Error: Verification: Broken or not a CVD file

2004-08-11 Thread Randal, Phil
[EMAIL PROTECTED] wrote:
 Everyone,
 
 For the last 2 days I have been getting:
 
 ERROR: Verification: Broken or not a CVD file
 
 when freshclam tries to download an updated file.
 
 I am getting this message on both of our servers.  Any ideas?
 
 Greg Ennis

Which version of ClamAV are you using?  If it's less than 0.75.1,
upgrade.

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK




[Clamav-users] ClamAV Virus DB updates list not up to date

2004-06-14 Thread Randal, Phil
Last update details on clamav-virusdb is 349 (June 10th), current version is
354.

Are the individual update summaries available elsewhere?

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 




RE: [Clamav-users] Re: Freshclam not responding

2004-06-03 Thread Randal, Phil
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Gervase
 Sent: 03 June 2004 14:24
 To: [EMAIL PROTECTED]
 Subject: RE: [Clamav-users] Re: Freshclam not responding
 
 On Wed, 2004-06-02 at 15:49, Ron Snyder wrote:
 
  if you do a 'dig database.clamav.net' or a 'host 
 database.clamav.net', 
  do you get useful answers?
 
 No.  Both merely say:
 truncated, retrying in TCP mode,
 timed out -no servers could be reached.
 
 I am baffled, especially by the fact that the problem first 
 occurred for no apparent reason while happily using Clamav 
 0.70.  Upgrading to 0.71 didn't help.  I agree with you and 
 others that the firewall is the most likely culprit but 
 turning it off didn't help.  Nor did changing ISPs. I have 
 not made any amendments to freshclam.conf, nor to clamav.conf 
 (except for the necessary addition of # before example).  We 
 seem to have eliminated everything.
 
 I think that I have reached to end of my technical ability 
 and have tried your and others' patience enough so will start 
 from scratch with a reformat and reinstall.
 
 I am most grateful to you and all who have helped.  Although 
 the problem is not solved, I have learned a lot and maybe one 
 day I shall have enough knowledge to help others lower down 
 on the learning curve.
 
 Gervase

It's a firewalling problem.  Many sysadmins mistakenly think that DNS
queries only use UDP port 53.  You need to allow TCP port 53 out (and the
response back) too.

See http://www.intac.com/~cdp/cptd-faq/section2.html#ports for the
explanation.

Cheers,

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
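Phil's point above, that DNS does not live on UDP/53 alone, as an added example that is not code from this thread or from ClamAV: when a UDP reply comes back with the TC (truncated) flag set, a resolver must repeat the query over TCP/53, where the message carries a two-byte length prefix. The sample headers below are constructed for the demo, not real captures; a firewall that passes only UDP/53 lets the first exchange through and then times out on the retry, which is exactly the "truncated, retrying in TCP mode ... no servers could be reached" behaviour dig reported.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN 12
#define DNS_FLAG_QR 0x80   /* header byte 2, bit 7: message is a response */
#define DNS_FLAG_TC 0x02   /* header byte 2, bit 1: response was truncated */

/* Inspect the 12-byte header of a UDP reply (RFC 1035 section 4.1.1).
 * Returns 1 if TC is set (the answer did not fit in the UDP datagram and
 * the query must be repeated over TCP/53), 0 if the reply is complete,
 * and -1 if the buffer is too short or is not a response at all. */
int dns_reply_truncated(const unsigned char *msg, size_t len)
{
    if (len < DNS_HDR_LEN)
        return -1;
    if (!(msg[2] & DNS_FLAG_QR))
        return -1;
    return (msg[2] & DNS_FLAG_TC) ? 1 : 0;
}

/* Wrap a DNS message for TCP transport (RFC 1035 section 4.2.2): the same
 * bytes preceded by a two-byte big-endian length. This framing is why a
 * "port 53 = UDP only" rule is wrong: the retry is a different protocol on
 * the same port number. Returns bytes written to out, or 0 if out is too
 * small or the message cannot be framed. */
size_t dns_tcp_frame(const unsigned char *msg, size_t len,
                     unsigned char *out, size_t outlen)
{
    if (len > 0xFFFF || outlen < len + 2)
        return 0;
    out[0] = (unsigned char)(len >> 8);
    out[1] = (unsigned char)(len & 0xFF);
    memcpy(out + 2, msg, len);
    return len + 2;
}

/* Constructed sample headers (not real captures). Flags byte pair:
 *   0x01 0x00 -> a query (QR clear), not a reply at all
 *   0x83 0x80 -> QR=1 TC=1 RD=1 RA=1: truncated reply, 1 question, 0 answers
 *   0x81 0x80 -> QR=1 TC=0 RD=1 RA=1: complete reply, 1 question, 1 answer */
static const unsigned char sample_query[DNS_HDR_LEN] =
    { 0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
static const unsigned char sample_truncated[DNS_HDR_LEN] =
    { 0x12, 0x34, 0x83, 0x80, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
static const unsigned char sample_complete[DNS_HDR_LEN] =
    { 0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00 };

/* Scratch buffer holding the TCP-framed copy of the query for the retry. */
static unsigned char framed_buf[DNS_HDR_LEN + 2];

int main(void)
{
    /* A resolver's decision after the UDP exchange: use the reply, or
     * re-send the original query over TCP (the step a UDP-only rule blocks). */
    if (dns_reply_truncated(sample_truncated, DNS_HDR_LEN) == 1) {
        size_t n = dns_tcp_frame(sample_query, DNS_HDR_LEN,
                                 framed_buf, sizeof framed_buf);
        printf("UDP reply truncated: retry over TCP/53 with %zu framed bytes "
               "(length prefix %02x %02x)\n", n, framed_buf[0], framed_buf[1]);
    }
    if (dns_reply_truncated(sample_complete, DNS_HDR_LEN) == 0)
        printf("UDP reply complete: no TCP needed\n");
    return 0;
}
```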




RE: [Clamav-users] Virus Names

2004-04-06 Thread Randal, Phil
Graham Murray wrote:

 So maybe, as with celestial objects, there should be 
 agreement that the first AV 'vendor' to publish a detection 
 for a virus should be given the honour of naming it and the 
 other vendors adopt the same name rather than inventing their 
 own (and potentially causing confusion). So if Clamav is 
 first, other vendors should adopt its name and if some other 
 vendor is first then Clamav should use the name that vendor gives it.

Viruses are discovered a darned sight more rapidly than celestial objects.

Let's not waste the antivirus folks' time by making them jump through hoops
over naming protocols.  I'd rather priorities were given to protecting us
from the darned things instead of worrying about what the vendors call them.

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK




RE: [Clamav-users] clam not fresh

2004-03-26 Thread Randal, Phil
 I do still have the old style signatures located in 
 /usr/share/clamav from clam-0.65.  Tomasz mentioned
 in an earlier post that this could be the problem.
 I am wondering if I should change the freshclam.conf  
 database line from /var/lib/clamav to /usr/share/clamav?
 
 It seems to me that I am updated, as I have the same
 number of signatures as you do, but when I grep it
 for somefool, maybe it is going to the old set in
 the other directory?
 
 What do you think?

I think it is time for you to erase ALL of your ClamAV
files, wherever you have them scattered, and reinstall
and reconfigure, so you only have one set of .conf files
and one set of .cvd files, and then reboot.

At least then you'll know where to look and/or get
meaningful error messages.

Cheers,

Phil
-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK




RE: [Clamav-users] Iframe messages

2004-03-24 Thread Randal, Phil
Don't call us, we'll call you.

Marketing emails are spam unless explicitly requested.

Phil

-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Colin A.
 Bartlett
 Sent: 24 March 2004 12:43
 To: [EMAIL PROTECTED]
 Subject: RE: [Clamav-users] Iframe messages
 
 
 Stuart Mycock Sent: Wednesday, March 24, 2004 5:03 AM
 
  What's the consensus about messages with embedded iframe links?
 
  They look like a great potential for viral activity because they
  can be used to auto-download viruses, etc.. The reason I ask is my
  secondary AV caught a couple of messages that got past clam that
  weren't carrying a virus as such but contained iframe code.
 
 I use MailScanner with ClamAV and by default it catches 
 Iframes. I've left
 it on but the only emails that it has appeared to catch seem to be
 quasi-legitimate marketing emails. Can't be too important 
 though since no
 clients have complained. I would think that scanning for 
 iframes would be
 better left to something like MailScanner or Amavis rather than Clam.
 
 cheers,
 Colin
 
 Colin A. Bartlett
 Kinetic Web Solutions
 www.kineticweb.biz
 
 
 




RE: [Clamav-users] attachment-free worms

2004-03-18 Thread Randal, Phil
Jeffrey Moskot wrote:

 Based on what this article says, it looks like there will 
 soon be problems
 with my config: 
 http://www.sophos.com/virusinfo/articles/bagletwist.html
 
 I wasn't able to get my version of amavis properly patched to 
 submit the
 body of the message to clam (or at least as far as I can 
 tell, that's not
 what's happening).
 
 The clam team saved my butt last round by coming up with those generic
 signatures, but does this article mean I'm finally going to 
 beat my old amavis script into shape?
 
 Jeffrey Moskot
 System Administrator
 [EMAIL PROTECTED]

MailScanner (http://www.mailscanner.info) as of today's version 4.29.2 can
now disable Object Data tags.

And ClamAV catches it (of course):

ClamAV databases updated (18-mar-2004 12:02 GMT): daily.cvd, viruses.db2
version: 194

Submission: 2032
Sender: webdigger
Submitted virus name: Unknown Virus
Virus name: Exploit.HTML.Bagle.Q-eml
Notes: Worm.Bagle.Q has the ability to distribute through 
Notes: an e-mail with a HTML exploit (and no binary 
Notes: attachment). This signature will detect these e-mails. 
Added: Yes

Cheers,

Phil
-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK




RE: [Clamav-users] Troubles with recent clamav's

2004-03-17 Thread Randal, Phil
Doug Hardie wrote:
 The problem I encountered has now been identified and I have 
 a working  
 clamd that does not hang.  I compiled it two different ways and both  
 worked.  The problem was /dev/urandom returning either a -1 or a 0.   
 Either of those will cause others.c to hang as it does not test for  
 that condition.  One approach was to put in a trivial test 
 for it and  
 exit from the loop.  The other was to remove the define for 
 C_URANDOM  
 in the .h file.  Both of those approaches worked in my 
 testing.  Since  
 I couldn't easily determine if the first would have some side 
 effects  
 if it didn't return enough random bits, I have gone with the second  
 approach.  My production server has been running for slightly over 6  
 hours now and no problems have been seen.

0 is a valid return value from either /dev/urandom or rand().

And if urandom returns -1, shouldn't we just fallback to using rand()?

Cheers,

Phil
-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
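The hang Doug describes above, as an added example that is not ClamAV's others.c and not code from this thread: a read loop that cannot spin forever, because it returns on read() == 0 (end of file) and on any error other than a bounded number of EINTRs, plus an explicit, clearly flagged rand() fallback of the kind Phil suggests. The short-pipe and bad-descriptor scenarios are constructed for the demo; the names read_full, fill_random and the demo_* helpers are this example's own.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Read up to n bytes from fd, tolerating short reads and EINTR.
 * Unlike an unconditional "loop until full" reader, this returns when
 * read() reports end of file (0) and fails when it reports an error (-1)
 * other than a handful of EINTRs, so a misbehaving source can never make
 * the caller hang. Returns bytes read (less than n only on EOF) or -1. */
ssize_t read_full(int fd, unsigned char *buf, size_t n)
{
    size_t got = 0;
    int eintr_budget = 100;          /* retry interrupted reads, but not forever */
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r > 0) {
            got += (size_t)r;
        } else if (r == 0) {
            break;                   /* EOF: the source has nothing more for us */
        } else if (errno != EINTR || --eintr_budget == 0) {
            return -1;               /* genuine failure: report, do not retry */
        }
    }
    return (ssize_t)got;
}

/* Fill buf with n bytes from /dev/urandom. Returns 1 on success. If the
 * device cannot be opened or read in full, buf is instead filled from
 * rand(), which is NOT cryptographically strong, and 0 is returned so the
 * caller can refuse to use it for anything that needs real entropy. */
int fill_random(unsigned char *buf, size_t n)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd >= 0) {
        ssize_t r = read_full(fd, buf, n);
        close(fd);
        if (r == (ssize_t)n)
            return 1;
    }
    srand((unsigned)time(NULL) ^ (unsigned)getpid());
    for (size_t i = 0; i < n; i++)
        buf[i] = (unsigned char)(rand() & 0xFF);
    return 0;
}

/* Constructed scenario: a pipe whose writer supplies 5 bytes and closes.
 * A reader that loops until it has 16 bytes would hang here; read_full
 * returns 5. */
ssize_t demo_short_source(void)
{
    int p[2];
    unsigned char buf[16];
    if (pipe(p) != 0 || write(p[1], "abcde", 5) != 5)
        return -1;
    close(p[1]);
    ssize_t r = read_full(p[0], buf, sizeof buf);
    close(p[0]);
    return r;
}

/* Constructed scenario: an invalid descriptor makes read() fail with EBADF;
 * read_full reports -1 instead of retrying. */
ssize_t demo_bad_fd(void)
{
    unsigned char buf[8];
    return read_full(-1, buf, sizeof buf);
}

/* Fill 32 bytes and report which source was used (1 urandom, 0 fallback),
 * or -1 if the buffer stayed all zero, which neither source should produce. */
int demo_fill_nonzero(void)
{
    unsigned char buf[32];
    int strong = fill_random(buf, sizeof buf);
    for (size_t i = 0; i < sizeof buf; i++)
        if (buf[i] != 0)
            return strong;
    return -1;
}

int main(void)
{
    int strong = demo_fill_nonzero();
    printf("random source: %s\n",
           strong == 1 ? "/dev/urandom" : strong == 0 ? "rand() fallback" : "none");
    printf("short pipe read returned %zd, bad fd returned %zd\n",
           demo_short_source(), demo_bad_fd());
    return 0;
}
```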




RE: [Clamav-users] Problem with *.zip atachments!

2004-03-03 Thread Randal, Phil
MailScanner users need to upgrade to MailScanner 4.28.4 (just out), which
can block password-protected .zip files.

Cheers,

Phil

-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] Behalf Of 
 Thomas Lamy
 Sent: 03 March 2004 15:02
 To: [EMAIL PROTECTED]
 Subject: Re: [Clamav-users] Problem with *.zip atachments!
 
 
 Grzegorz Staleczyk schrieb:
 
  Hey There!
  
  I've got a problem with viruses in *.zip attachments in e-mails!
  
  When I scan file.zip by hand, clamscan finds the virus, but 
 e-mail with these infected files
  as attachments can go through (IT IS NOT STOPPED!)
  
  Why? What have I configured wrong?
  
  
  [EMAIL PROTECTED] ~]$/usr/local/bin/clamscan freaky.zip
  freaky.zip: Worm.SomeFool.B.2 FOUND
  
  --- SCAN SUMMARY ---
  Known viruses: 20366
  Scanned directories: 0
  Scanned files: 1
  Infected files: 1
  Data scanned: 0.02 MB
  I/O buffer size: 131072 bytes
  Time: 10.594 sec (0 m 10 s)
  
  
  Mar  3 14:53:55 mail MailScanner[11494]: 
 /export/home2/mail/incoming/11494/./i23Dps11/portmoney.zip
 : Worm.SomeFool.B FOUND
  Mar  3 14:53:56 mail MailScanner[11494]: Virus Scanning: 
 ClamAV found 1 infections
  Mar  3 14:53:56 mail MailScanner[11494]: Virus Scanning: 
 Found 1 viruses
  Mar  3 14:53:59 mail MailScanner[11494]: Filetype Checks: 
 Allowing i23Dps11 portmoney.zip
  Mar  3 14:54:00 mail MailScanner[11494]: Virus Scanning 
 completed at 934 bytes per second
  Mar  3 14:54:01 mail MailScanner[11517]: Virus Scanning 
 completed at 86 bytes per second
  
  I am running Solaris 8, Clam AntiVirus Scanner 0.67, 
 MailScanner 4.26.8
  
  Thank for your help!
 Please fix your MailScanner configuration. I'm of no further 
 help, since 
 I don't know MailScanner, but from the logs I can see that clamAV 
 actually _found_ the virus, but MailScanner is forwarding it.
 
 Thomas
 
 




RE: [Clamav-users] Why are the virus names different?

2004-02-26 Thread Randal, Phil
Would you rather have a prompt and timely detection of new viruses or wait
for a committee to decide a common name?

Your call.

Cheers,

Phil

-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Andrew
 McCall
 Sent: 26 February 2004 10:50
 To: [EMAIL PROTECTED]
 Subject: [Clamav-users] Why are the virus names different?
 
 
 Hi,
 
 Can anyone tell me why the virus names within ClamAV are 
 different from ones 
 from other virus vendors?
 
 For example, W32.Netsky.B (as called by Sophos, McAfee etc.) 
 is detected and 
 named Worm.Somefool by ClamAV.
 
 Thanks,
 
 Andrew McCall
 
 
 




RE: [Clamav-users] Worm.SomeFool is this w32/Netsky.b@MM

2004-02-18 Thread Randal, Phil
What McAfee detects as Netsky and Netsky.b are both detected by ClamAV as
Worm.SomeFool.

It's starting to flood in here.

Phil

-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Lucas
 Albers
 Sent: 18 February 2004 16:32
 To: [EMAIL PROTECTED]
 Subject: [Clamav-users] Worm.SomeFool is this w32/[EMAIL PROTECTED]
 
 
 I saw this virus show up today:Worm.SomeFool
 
 Updated here:
 Submission: 1235-web
  Sender: Tobias Oetiker
  Virus: Unknown Virus
  Added: Worm.SomeFool
  Notes: File uses the same icon as a word document,double extension
 (.rtf.pif i.e.),starts
 to massmail with a own smtp engine, drops a 'services.exe' in the
 %windows% folder. Name
 could be changed later.
 
 
 Is it this mcafee virus?
 This is a Medium Threat Advisory for W32/[EMAIL PROTECTED] worm.
 Justification
 W32/[EMAIL PROTECTED] has been deemed Medium due to prevalence.
 Read About It
 Information about W32/[EMAIL PROTECTED] is located on VIL at:
 http://vil.nai.com/vil/content/v_101034.htm
 
 -- 
 Luke Computer Science System Administrator
 Security Administrator,College of Engineering
 Montana State University-Bozeman,Montana
 
 
 




RE: [Clamav-users] What exactly is the Worm.YoursID ?

2004-02-17 Thread Randal, Phil
It is also known as W32/[EMAIL PROTECTED] (McAfee) Alua (symantec)

http://vil.nai.com/vil/content/v_101030.htm

Phil

-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Support
 ePaxsys/FRWS
 Sent: 17 February 2004 17:06
 To: [EMAIL PROTECTED]
 Subject: [Clamav-users] What exactly is the Worm.YoursID ?
 
 
 What is the Worm.YoursID virus/worm?
 
 This is one virus/worm that has become active since last 
 night. Any clue 
 what it may be? Google searches, archived list searches and searches 
 anywhere I can think of failed to find any record of the 
 name. Is it just 
 hitting this one instead of maybe Klez or one of the other 
 viruses and 
 giving us a false indication of what it really is?
 
 Subject: ID mradjaip... thanks
   MessageID: i1HHseJH008422
  Report: nlvygxcuy.exe contains Worm.YoursID
  Executable DOS/Windows programs are dangerous in email 
 (nlvygxcuy.exe)
  No programs allowed (nlvygxcuy.exe)
 
 
 Thanks for a good product, protects thousands a day!
 
 JPP
 
 
 
 ePaxsys/FRWS Technical Staff
 ePaxsys, Inc. http://www.epaxsys.net
 FRWS: http://www.frws.com
 Live Text Support: http://www.epaxsys.net/live-help
 
 
 




RE: [Clamav-users] libunrar.so support?

2004-02-12 Thread Randal, Phil
http://www.win-rar.com/index.php?lang=aid=knowlkb_category_id=kb_article_id=67kb=

And the license.txt reads:

 ***   **   unRAR - free utility for RAR archives
 **   **  **   **  **   **  ~
 **   ***  **License for use and distribution of
 **   **  **   **  **   **   ~~~
 **   **  **   **  **   ** FREE portable version
   ~

  The source code of unRAR utility is freeware. This means:

   1. All copyrights to RAR and the utility unRAR are exclusively
  owned by the author - Eugene Roshal.

   2. The unRAR sources may be used in any software to handle RAR
  archives without limitations free of charge, but cannot be used
  to re-create the RAR compression algorithm, which is proprietary.
  Distribution of modified unRAR sources in separate form or as a
  part of other software is permitted, provided that it is clearly
  stated in the documentation and source comments that the code may
  not be used to develop a RAR (WinRAR) compatible archiver.

   3. The unRAR utility may be freely distributed. No person or company 
  may charge a fee for the distribution of unRAR without written
  permission from the copyright holder.

   4. THE RAR ARCHIVER AND THE UNRAR UTILITY ARE DISTRIBUTED AS IS.
  NO WARRANTY OF ANY KIND IS EXPRESSED OR IMPLIED.  YOU USE AT 
  YOUR OWN RISK. THE AUTHOR WILL NOT BE LIABLE FOR DATA LOSS, 
  DAMAGES, LOSS OF PROFITS OR ANY OTHER KIND OF LOSS WHILE USING
  OR MISUSING THIS SOFTWARE.

   5. Installing and using the unRAR utility signifies acceptance of
  these terms and conditions of the license.

   6. If you don't agree with terms of the license you must remove
  unRAR files from your storage devices and cease to use the
  utility.

  Thank you for your interest in RAR and unRAR.


Eugene Roshal

-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Tomasz
 Kojm
 Sent: 12 February 2004 15:01
 To: [EMAIL PROTECTED]
 Subject: Re: [Clamav-users] libunrar.so support?
 
 
 On Tue, 10 Feb 2004 10:56:37 -0500
 Joshua Megerman [EMAIL PROTECTED] wrote:
 
  It appears that someone has adapted the UnRAR 3.0 code to be a
  linux/unix shared library similar to the uRarLib currently used to
 
 What is the license of that code ? I downloaded it and it compiles and
 works OK, but it's Released under rarlab licence (see
 http://www.rarlab.com and I can't find any license information for
 the code there.
 
 Best regards,
 Tomasz Kojm
 -- 
   oo. [EMAIL PROTECTED] www.ClamAV.net
  (\/)\.   http://www.clamav.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\Thu Feb 12 15:58:57 CET 2004
 




RE: [Clamav-users] Spam filter and clam-av

2004-02-09 Thread Randal, Phil
MailScanner (from http://www.mailscanner.info).

See also http://www.sng.ecs.soton.ac.uk/mailscanner/install/zmailer.shtml
for how to use it with ZMailer.

Cheers,

Phil

-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Claudio
 Alonso
 Sent: 09 February 2004 15:32
 To: [EMAIL PROTECTED]
 Subject: [Clamav-users] Spam filter and clam-av
 
 
 Hello,
 I'd like to know if you can recommend any spam filter to work 
 together with clamav on a Digital
 Unix server running ZMailer.
 Thanks a lot,
 
 --Claudio
 
 
 




RE: [Clamav-users] MyDoom???

2004-02-04 Thread Randal, Phil
I think you'll find it was one of the first to detect it.

ClamAV calls it Worm.SCO.A, and it has caught hundreds of the critters here.

Cheers,

Phil

-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] Behalf Of 
 Dinko Ivanov
 Sent: 04 February 2004 10:57
 To: [EMAIL PROTECTED]
 Subject: [Clamav-users] MyDoom???
 
 
 When will clamav detect MyDoom?
 I hope soon?!
 
 
 




[Clamav-users] Mimail.R/S

2004-01-30 Thread Randal, Phil
ClamAV's just detected Worm.Mimail.R here.

McAfee calls it Mimail.s - http://vil.nai.com/vil/content/v_100989.htm

Cheers,

Phil

-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 




RE: [Clamav-users] Worm.SCO.A

2004-01-29 Thread Randal, Phil
ClamAV was picking up the original version here 6 hours before McAfee had
their 4319 DATs out, and detected the B variant here yesterday at least 4
hours before McAfee's 4320 DATs were released.

You guys deserve medals.

A big heartfelt thank you to all the ClamAV team (and virus submitters).

Phil

-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Kevin
 Spicer
 Sent: 29 January 2004 00:01
 To: [EMAIL PROTECTED]
 Subject: Re: [Clamav-users] Worm.SCO.A
 
 
 On Wed, 2004-01-28 at 16:01, Patricia Viana wrote:
  Hi.
   
  My SMTP filter running ClamAV is blocking a huge amount 
 of messages with the Worm.SCO.A.
  It seems to be the same virus as MyDoom or Novarg.
  Can anyone confirm this?!
   
 That is correct.
 
 Clam had a signature whilst the commercial vendors were still busy
 thinking up names, hence the difference.
 
 
 
 
 BMRB International 
 http://www.bmrb.co.uk
 +44 (0)20 8566 5000
 _
 This message (and any attachment) is intended only for the 
 recipient and may contain confidential and/or privileged 
 material.  If you have received this in error, please contact the 
 sender and delete this message immediately.  Disclosure, copying 
 or other action taken in respect of this email or in 
 reliance on it is prohibited.  BMRB International Limited 
 accepts no liability in relation to any personal emails, or 
 content of any email which does not directly relate to our 
 business.
 
 
 
 

