[clamav-users] ClamAv updates not being published properly?
Latest from clamav-virusdb announcements:

ClamAV database updated (28 May 2014 04-17 -0400): daily.cvd

Yet freshclam says (with and without --no-dns):

# freshclam
ClamAV update process started at Wed May 28 09:33:52 2014
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
daily.cld is up to date (version: 19037, sigs: 970172, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 241, sigs: 46, f-level: 63, builder: dgoddard)

Cheers,
Phil

--
Phil Randal
Infrastructure Engineer
Hoople Ltd | Thorn Office Centre | Hereford HR2 6JT
Tel: 01432 260415 | Email: phil.ran...@hoopleltd.co.uk

Hoople Ltd, Registered in England and Wales No. 7556595
Registered office: Plough Lane, Hereford, HR4 0LE

Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Hoople Ltd. You should be aware that Hoople Ltd. monitors its email service. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it.

___
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
Re: [clamav-users] ClamAv updates not being published properly?
Oops, left off the latest version of patterns - 19041, allegedly, yet we're stuck on 19037.

Cheers,
Phil

-Original Message-
From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Randal, Phil
Sent: 28 May 2014 09:35
To: Clamav-Users (clamav-users@lists.clamav.net)
Subject: [clamav-users] ClamAv updates not being published properly?

--
Phil Randal
Infrastructure Engineer
Hoople Ltd | Thorn Office Centre | Hereford HR2 6JT
Tel: 01432 260415 | Email: phil.ran...@hoopleltd.co.uk
Re: [clamav-users] CentOS 5.6 and clamav 0.97.4
There are packages in the rpmforge (aka repoforge) yum repository.

Cheers,
Phil

--
Phil Randal
Infrastructure Engineer
Hoople Ltd | Thorn Office Centre | Hereford HR2 6JT
Tel: 01432 260415 | Email: phil.ran...@hoopleltd.co.uk

-Original Message-
From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Trixi D. Bubemyre
Sent: 12 April 2012 21:56
To: clamav-users@lists.clamav.net
Subject: [clamav-users] CentOS 5.6 and clamav 0.97.4

Is clamav 0.97.4 supported for CentOS 5.6? I do not find it listed among the supported Linux platforms.

Thanks.

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [Clamav-users] Mirrors not being updated!!!!
It is fixed now.

Cheers,
Phil

--
Phil Randal | Networks Engineer
NHS Herefordshire
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: pran...@herefordshire.gov.uk

Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. You should be aware that Herefordshire Council monitors its email service. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it.

-Original Message-
From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Randal, Phil
Sent: 07 July 2010 11:11
To: clamav-users@lists.clamav.net
Subject: [Clamav-users] Mirrors not being updated

Hi folks,

Anyone else having problems updating patterns?

The clamav-virusdb mailing list says:

ClamAV database updated (07 Jul 2010 05-56 -0400): daily.cvd Version: 11333

Yet clamav.net, DNS, and the mirrors say we're still at 11330.

Not good!

Phil
Re: [Clamav-users] clamd memory usage (Solved)
Francis Stevens wrote:
> Chris wrote:
> > I've misplaced the original post I made so I can't reply to it, however I'd like to make a note for the archives what the problem is and to thank Steve Basford and Edwin for their help in finding it.
> >
> > Seems like I had both a main.cvd and main.cld. I removed the main.cld file and all is back to the way it should be.
> >
> > Chris
>
> I was interested in this thread and so checked my clam folder on seeing this. I've got a main.cld file and no main.cvd. Have I got a problem (everything seems to be working correctly)?
>
> FAS

Having one of main.cld or main.cvd is fine; having both is the problem. Same's true of daily.cld and daily.cvd.

If you have both, delete the .cld file and then run freshclam to make sure you're up to date.

Cheers,
Phil

--
Phil Randal | Networks Engineer
NHS Herefordshire
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: pran...@herefordshire.gov.uk
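Two checks come up repeatedly in these threads: is the local daily database behind the version ClamAV has announced, and does the database directory hold both a .cvd and a .cld for the same database (the condition Chris fixed above by deleting main.cld). The script below is an added example written for this page, not ClamAV project code. It assumes the 512-byte text header at the start of a .cvd/.cld file is laid out as `ClamAV-VDB:<build time>:<version>:<sigs>:<f-level>:<md5>:<dsig>:<builder>:<stime>`, and that the `current.cvd.clamav.net` TXT record freshclam consults is `<clamav version>:<main>:<daily>:<epoch>:<x>:<y>:<safebrowsing>:<bytecode>`; both layouts are as I understand freshclam's parser and are stated here as assumptions. The sample header and TXT record are constructed to mirror the numbers in the first thread (local daily 19037, announced 19041); nothing is fetched from the network.

```python
"""
Offline checks for (a) a local ClamAV database lagging the announced version and
(b) a database directory containing both foo.cvd and foo.cld.

Example code added for this page; not ClamAV's own code.
Assumed layouts (not verified against the page):
  CVD/CLD header : ClamAV-VDB:<build time>:<version>:<sigs>:<f-level>:<md5>:<dsig>:<builder>:<stime>
  DNS TXT record : <clamav ver>:<main>:<daily>:<epoch>:<x>:<y>:<safebrowsing>:<bytecode>
All sample data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import Path

HEADER_LEN = 512  # the text header occupies the first 512 bytes of a .cvd/.cld


@dataclass(frozen=True)
class CvdHeader:
    build_time: str
    version: int
    sigs: int
    flevel: int
    builder: str


def parse_cvd_header(raw: bytes) -> CvdHeader:
    """Parse the colon-separated header; the build time uses HH-MM so it holds no colons."""
    text = raw[:HEADER_LEN].decode("ascii", errors="replace").rstrip(" \0\r\n")
    fields = text.split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 9:
        raise ValueError("not a ClamAV-VDB header")
    return CvdHeader(build_time=fields[1], version=int(fields[2]),
                     sigs=int(fields[3]), flevel=int(fields[4]), builder=fields[7])


def parse_dns_txt(txt: str) -> dict[str, int]:
    """Extract the database versions from the current.cvd.clamav.net TXT record (assumed layout)."""
    parts = txt.strip('"').split(":")
    if len(parts) < 8:
        raise ValueError("unexpected TXT record layout")
    return {"main": int(parts[1]), "daily": int(parts[2]),
            "safebrowsing": int(parts[6]), "bytecode": int(parts[7])}


def stale_databases(local: dict[str, int], announced: dict[str, int]) -> list[str]:
    """Names of databases whose local version is lower than the announced one."""
    return sorted(name for name, ver in local.items()
                  if name in announced and ver < announced[name])


def duplicate_pairs(filenames) -> list[str]:
    """Database names present as both .cvd and .cld (the condition fixed in the thread)."""
    stems: dict[str, set[str]] = {}
    for name in filenames:
        p = Path(name)
        if p.suffix in (".cvd", ".cld"):
            stems.setdefault(p.stem, set()).add(p.suffix)
    return sorted(s for s, exts in stems.items() if exts == {".cvd", ".cld"})


def local_versions(db_dir: Path) -> dict[str, int]:
    """Read the header of every .cvd/.cld in db_dir; this is the 'version:' freshclam prints."""
    out: dict[str, int] = {}
    for p in sorted(db_dir.iterdir()):
        if p.suffix in (".cvd", ".cld"):
            with p.open("rb") as fh:
                out[p.stem] = parse_cvd_header(fh.read(HEADER_LEN)).version
    return out


# Constructed sample data (not a real file or DNS answer); md5/dsig fields are placeholders.
SAMPLE_HEADER = (b"ClamAV-VDB:28 May 2014 04-17 -0400:19037:970172:63:"
                 b"0123456789abcdef0123456789abcdef:dsig-placeholder:neo:1401265031").ljust(HEADER_LEN)
SAMPLE_TXT = "0.98.3:55:19041:1401268800:60:90:36900:241"

if __name__ == "__main__":
    hdr = parse_cvd_header(SAMPLE_HEADER)
    announced = parse_dns_txt(SAMPLE_TXT)
    local = {"main": 55, "daily": hdr.version, "bytecode": 241}
    print(f"local daily {hdr.version} (built {hdr.build_time}), announced {announced['daily']}")
    print("stale:", stale_databases(local, announced))
    print("duplicates:", duplicate_pairs(["main.cvd", "main.cld", "daily.cld", "bytecode.cld"]))
```

On a live system, replace the constructed inputs with `local_versions(Path("/var/lib/clamav"))` and the TXT record returned by your resolver for `current.cvd.clamav.net`; if `stale_databases` lists a database even though freshclam reports it "up to date", the mirror or DNS record is lagging the announcement, which is what this thread is about.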
Re: [Clamav-users] vscan-clamav samba with new redHat 5.5
That looks like the same issue we've got with clamd 0.96 and MailScanner:

http://thread.gmane.org/gmane.mail.virus.mailscanner/74234

Cheers,
Phil

--
Phil Randal | Networks Engineer
NHS Herefordshire
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: pran...@herefordshire.gov.uk

-Original Message-
From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Philippe Camps
Sent: 15 April 2010 15:19
To: clamav-users@lists.clamav.net
Subject: Re: [Clamav-users] vscan-clamav samba with new redHat 5.5

I rebooted the server with the new kernel, then rebuilt the vscan-clamav.so module and upgraded clamav 0.95.3 to clamav 0.96. I have no errors when I start clamav. I put "debug yes" in clamd.conf. I put a file test.txt in my samba share folder, and I always notice the same error:

Apr 15 15:10:16 spinel clamd[23749]: THRMGR: queue (bulk) crossed low threshold - signaling
Apr 15 15:10:17 spinel smbd_vscan-clamav[29088]: INFO: File . is a directory! Not scanned!
Apr 15 15:10:17 spinel smbd_vscan-clamav[29088]: INFO: file .// was not modified - not scanned
Apr 15 15:10:39 spinel smbd_vscan-clamav[29088]: INFO: File . is a directory! Not scanned!
Apr 15 15:10:39 spinel smbd_vscan-clamav[29088]: INFO: file .// was not modified - not scanned
Apr 15 15:10:39 spinel smbd_vscan-clamav[29088]: INFO: File . is a directory! Not scanned!
Apr 15 15:10:39 spinel smbd_vscan-clamav[29088]: INFO: file .// was not modified - not scanned
Apr 15 15:10:40 spinel smbd_vscan-clamav[29088]: INFO: File . is a directory! Not scanned!
Apr 15 15:10:40 spinel smbd_vscan-clamav[29088]: INFO: file .// was not modified - not scanned
Apr 15 15:10:50 spinel smbd_vscan-clamav[29088]: INFO: File . is a directory! Not scanned!
Apr 15 15:10:50 spinel smbd_vscan-clamav[29088]: INFO: file .// was not modified - not scanned
Apr 15 15:10:50 spinel smbd_vscan-clamav[29088]: INFO: File . is a directory! Not scanned!
Apr 15 15:10:50 spinel smbd_vscan-clamav[29088]: INFO: file .// was not modified - not scanned
Apr 15 15:10:50 spinel smbd_vscan-clamav[29088]: INFO: File test.txt not found! Not scanned!
Apr 15 15:10:50 spinel smbd_vscan-clamav[29088]: INFO: File . is a directory! Not scanned!
Apr 15 15:10:50 spinel smbd_vscan-clamav[29088]: INFO: file .// was not modified - not scanned
Apr 15 15:10:50 spinel smbd_vscan-clamav[29088]: INFO: File . is a directory! Not scanned!
Apr 15 15:10:50 spinel smbd_vscan-clamav[29088]: INFO: file .// was not modified - not scanned
Apr 15 15:11:04 spinel smbd_vscan-clamav[29088]: INFO: Scanning file : './/test.txt'
Apr 15 15:11:04 spinel clamd[23749]: Received POLLIN|POLLHUP on fd 4
Apr 15 15:11:04 spinel clamd[23749]: Received POLLIN|POLLHUP on fd 4
Apr 15 15:11:04 spinel clamd[23749]: Got new connection, FD 9
Apr 15 15:11:04 spinel clamd[23749]: Got new connection, FD 9
Apr 15 15:11:04 spinel clamd[23749]: Received POLLIN|POLLHUP on fd 5
Apr 15 15:11:04 spinel clamd[23749]: Received POLLIN|POLLHUP on fd 5
Apr 15 15:11:04 spinel clamd[23749]: fds_poll_recv: timeout after 5 seconds
Apr 15 15:11:04 spinel clamd[23749]: fds_poll_recv: timeout after 5 seconds
Apr 15 15:11:04 spinel clamd[23749]: Received POLLIN|POLLHUP on fd 9
Apr 15 15:11:04 spinel clamd[23749]: Received POLLIN|POLLHUP on fd 9
Apr 15 15:11:04 spinel clamd[23749]: got command SCAN .//test.txt (16, 5), argument: .//test.txt
Apr 15 15:11:04 spinel clamd[23749]: got command SCAN .//test.txt (16, 5), argument: .//test.txt
Apr 15 15:11:04 spinel clamd[23749]: mode - MODE_WAITREPLY
Apr 15 15:11:04 spinel clamd[23749]: mode - MODE_WAITREPLY
Apr 15 15:11:04 spinel clamd[23749]: Breaking command loop, mode is no longer MODE_COMMAND
Apr 15 15:11:04 spinel clamd[23749]: Breaking command loop, mode is no longer MODE_COMMAND
Apr 15 15:11:04 spinel clamd[23749]: Consumed entire command
Apr 15 15:11:04 spinel clamd[23749]: Consumed entire command
Apr 15 15:11:04 spinel clamd[23749]: Number of file descriptors polled: 1 fds
Apr 15 15:11:04 spinel clamd[23749]: Number of file descriptors polled: 1 fds
Apr 15 15:11:04 spinel clamd[23749]: fds_poll_recv: timeout after 600 seconds
Apr 15 15:11:04 spinel clamd[23749]: fds_poll_recv: timeout after
Re: [Clamav-users] APER
Check out Julian Field's ScamNailer: http://www.scamnailer.info/

18/10/2009 - New scamnailer.ndb ClamAV signature database is now available from http://www.mailscanner.eu/scamnailer.ndb. This is updated very frequently. Do not download it more than once per hour!

Cheers,
Phil

--
Phil Randal | Networks Engineer
NHS Herefordshire
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: pran...@herefordshire.gov.uk

-Original Message-
From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of John Rudd
Sent: 22 October 2009 15:03
To: ClamAV users ML
Subject: [Clamav-users] APER

Hope I haven't missed this one being discussed... but...

APER is a project hosted at Google Code (Anti-Phishing Email Reply) that tracks From, Reply-to, and Body URLs that match known phishing attacks.

There are a few examples for how to use it... but I was wondering: has anyone turned this into a regularly updated set of ClamAV signatures? I've been tasked with implementing it, and I'd love to be able to just plug it into my existing regimen of ClamAV signatures (I currently use MBL, MSRBL, and some (but not all) of the signatures hosted at Sane Security).
Re: [Clamav-users] [Fwd: Advance Warning: End of Life Announcement:ClamAV 0.94.x]
On the subject of 0.94.x's end-of-life, will the ClamAV developers please work with the folks at VirusTotal to ensure that VirusTotal runs ClamAV 0.95.x. It is still on 0.94.x.

Cheers,
Phil

P.S. This has come up on the list before, but was never resolved.

--
Phil Randal | Networks Engineer
NHS Herefordshire
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: pran...@herefordshire.gov.uk

-Original Message-
From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Steve Basford
Sent: 07 October 2009 20:50
To: ClamAV users ML
Subject: [Clamav-users] [Fwd: Advance Warning: End of Life Announcement:ClamAV 0.94.x]

Original Message
Subject: Advance Warning: End of Life Announcement: ClamAV 0.94.x
Date: Wed, 07 Oct 2009 20:47:57 +0100
From: Steve Basford steveb_cla...@sanesecurity.com
To: sanesecur...@freelists.org, sanesecurity_annou...@freelists.org

Hi All,

While this message doesn't impact people until 15 April 2010, I thought I'd re-post to give people plenty of time to look at their upgrade plans.

In fact, when v0.95.3 is released, some of the Sanesecurity, InetMsg and Winnow signatures will be using features of the 0.95.3 engine that will improve your scanning speed/memory usage. However, they won't be compatible with pre-0.95.3 engines, i.e. the new signatures will be ignored by the pre-0.95.3 engines.

Bill, Tom and myself are thrashing out the details of how we move our signatures over to the new format as smoothly as possible, and while we'll try to support pre-0.95.3 engines for a short while after 0.95.3 is released, at some point support will be dropped for pre-0.95.3 engines *on some of the signature databases*.

*More news on these changes after/when 0.95.3 is released*.

Cheers,
Steve
Sanesecurity

= original message ==
Author: Luca Gibelli mailto:nore...@clamav.net
Date: 2009-10-06 15:36 +100
To: clamav-announce mailto:clamav-annou...@lists.clamav.net
Subject: [Clamav-announce] End of Life Announcement: ClamAV 0.94.x

Dear ClamAV users,

all ClamAV releases older than 0.95 are affected by a bug in freshclam which prevents incremental updates from working with signatures longer than 980 bytes. You can find more details on this issue on our bugzilla:

https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1395

This bug affects our ability to distribute complex signatures (e.g. logical signatures) with incremental updates. So far we haven't released any signatures which exceed this limit. Before we do we want as many users as possible to upgrade to the latest version of ClamAV.

Starting from 15 April 2010 our CVD will contain a special signature which disables all clamd installations older than 0.95 - that is to say older than 1 year. This move is needed to push more people to upgrade to 0.95. We would like to keep on supporting all old versions of our engine, but unfortunately this is no longer possible without causing a disservice to people running a recent release of ClamAV. The traffic generated by a full CVD download, as opposed to an incremental update, cannot be sustained by our mirrors.

We plan to start releasing signatures which exceed the 980 bytes limit in May 2010.

We recommend that you always run the latest version of ClamAV to get optimal protection, reliability and performance.

This message will be sent every two months to remind you to upgrade all of your ClamAV installations in time.

Thanks for your cooperation,

Best regards

--
Luca Gibelli (luca _at_ clamav.net)
ClamAV, a GPL anti-virus toolkit
Re: [Clamav-users] Missing option on freshclam 0.95?
aCaB wrote:
> Charles Gregory wrote:
> > Oh, and FTR, I could not find a change log or version notes on the main clamav website, or I could have answered this question myself. A link in the left-side menu would be nice. :)
>
> It's not that hard...
>
> http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog
>
> -aCaB

Or, from the main site, the Download / Sources page leads you there.

Cheers,
Phil

--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: pran...@herefordshire.gov.uk
Re: [Clamav-users] Once again, daily updates being announced but nowhere to be found
Still stuck - DNS and mirror say 9002, yet 9009 has been announced.

Cheers,
Phil

--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: pran...@herefordshire.gov.uk

-Original Message-
From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Randal, Phil
Sent: 18 February 2009 17:31
To: ClamAV users ML
Subject: [Clamav-users] Once again, daily updates being announced but nowhere to be found
Re: [Clamav-users] please remove
Francesco Peeters wrote:
> Seeing this list is clearly an OPT-IN affair, those rules are mostly irrelevant, and - as stated - the required info *is* provided...
>
> Having said that, I do think it would be a good idea to expose the unsubscribe link in the footer, even though nobody will read it anyway... ;)
>
> --FP
>
> ___
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml

The above page would be a good place to put unsubscribe instructions, too.

Cheers,
Phil

--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: pran...@herefordshire.gov.uk
[Clamav-users] Once again, daily updates being announced but nowhere to be found
Just a heads up.

DNS is still reporting 9002, which seems to be the latest on mirrors, yet 9005 has been announced.

Cheers,
Phil

--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: pran...@herefordshire.gov.uk
[Clamav-users] OK, what's up?
No 8996, 8997, or 8998.

clamav tweeted "Daily CVD 8998 (sigs: 13223; new: 15)" on 16 Feb 2009 22-40 -0500 but no sign.

No message on web page, no tweet explaining difficulties, or anything.

Arrrggghhh...

Phil

--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: pran...@herefordshire.gov.uk
Re: [Clamav-users] Where's daily update 8996?
Luca Gibelli wrote:
> Hello Randal,
>
>> A quick nudge of the ClamAV team. Christoph Cordes announced update 8996 at 16:51GMT (or thereabouts), but there's no sign of it on mirrors...
>
> we have experienced some connectivity problems between the server where the CVD are created and the server which distributes them to the mirrors. The situation has improved now, but there are still some occasional outages. We are monitoring the situation.
>
> Regards,

Thanks Luca, it's all working fine now.

Cheers,
Phil
--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160 email: pran...@herefordshire.gov.uk
[Clamav-users] Where's daily update 8996?
A quick nudge of the ClamAV team. Christoph Cordes announced update 8996 at 16:51GMT (or thereabouts), but there's no sign of it on mirrors...

Cheers,
Phil
--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160 email: pran...@herefordshire.gov.uk
Re: [Clamav-users] Twitter
Nigel Horne wrote:
> McDonald, Dan wrote:
>> how about:
>> Daily CVD 8721 (sigs: 32788, new: 1) at 04 Dec 2008 13-26 +
>
> Thank you for your suggestion. It's a great idea so we've made the change!
>
> -Nigel

And now you've sorted out twittering, how about fixing the clamav-virusdb mailing list? There have been no emails to it since December 8th. See http://news.gmane.org/gmane.comp.security.virus.clamav.virusdb

Cheers,
Phil
--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160 email: [EMAIL PROTECTED]
Re: [Clamav-users] Announcing ClamAV 0.94.1 RC1
Steve Basford wrote:
>> For details of the new features please refer to the Changelog. For an overview please refer to http://www.clamav.net/press/0.94.1-WhatsNew.pdf.
>
> Nigel, does the stats sent... only send information regarding ClamAV default signatures (when detected)... or does this also include detections by Third-Party signature names, such as MSRBL, MBL and Sanesecurity ones?
>
> Cheers,
> Steve
> Sanesecurity

I haven't had the time to check the source code. How does it send it? What protocol and port, to which servers? Anything that firewall admins will need to be aware of?

Cheers,
Phil
--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160 email: [EMAIL PROTECTED]
Re: [Clamav-users] Announcing ClamAV 0.94.1 RC1
Tomasz Kojm wrote:
> On Thu, 16 Oct 2008 13:43:12 +0100
> Randal, Phil [EMAIL PROTECTED] wrote:
>> I haven't had the time to check the source code. How does it send it? What protocol and port, to which servers? Anything that firewall admins will need to be aware of?
>
> It sends information about a file name, malware name and time to stats.clamav.net using HTTP (POST) port 80.
>
> HTH,

Fabulous, thanks very much for the rapid reply.

Phil
--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160 email: [EMAIL PROTECTED]
Re: [Clamav-users] Scanning performance issues on some files
[EMAIL PROTECTED] wrote:
> Hi,
>
> For a couple of days now, I have had some performance issues with clamav. I use clamav on my email server to scan incoming traffic. I faced the problem yesterday with the Trojan.Agent-49425 before clamav was considering it as a virus. The scanning time of this 35KB zipped file was 16444.5 ms; once considered as a virus it was taking 50.531 ms to scan it. Today I face the same problem with an email containing a zipped file with the virus Email.Trojan-14. It's a 32KB file and clamdscan takes 15s to scan it. I'm currently using clamav 0.94. I really don't know what to do to fix this issue.
>
> Thanks for your help.

This problem is also being discussed on the MailScanner mailing list. It's been affecting us here since Friday. Fortunately my email relays can cope with the extra load.

Cheers,
Phil
--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK
Re: [Clamav-users] [0.0] Re: simplest replacement for ancient amavis-perl
This is what I have in my milter-greylist's greylist.conf. The google entries are accurate as of a week or so ago, taken from their SPF record.

list "broken mta" addr { \
    12.5.136.141/32 \ # Southwest Airlines (unique sender)
    12.5.136.142/32 \ # Southwest Airlines
    12.5.136.143/32 \ # Southwest Airlines
    12.5.136.144/32 \ # Southwest Airlines
    12.107.209.244/32 \ # kernel.org (unique sender)
    12.107.209.250/32 \ # sourceware.org (unique sender)
    63.82.37.110/32 \ # SLmail
    63.169.44.143/32 \ # Southwest Airlines
    63.169.44.144/32 \ # Southwest Airlines
    64.7.153.18/32 \ # sentex.ca (common pool)
    64.12.136.0/24 \ # AOL (common pool)
    64.12.137.0/24 \ # AOL
    64.12.138.0/24 \ # AOL
    64.18.0.0/20 \ # google
    64.124.204.39 \ # moveon.org (unique sender)
    64.125.132.254/32 \ # collab.net (unique sender)
    64.233.160.0/19 \ # google
    66.94.237.16/28 \ # Yahoo Groups servers (common pool)
    66.94.237.32/28 \ # Yahoo Groups servers (common pool)
    66.94.237.48/30 \ # Yahoo Groups servers (common pool)
    66.100.210.82/32 \ # Groupwise?
    66.102.0.0/20 \ # google
    66.135.192.0/19 \ # Ebay
    66.162.216.166/32 \ # Groupwise?
    66.206.22.82/32 \ # Plexor
    66.206.22.83/32 \ # Plexor
    66.206.22.84/32 \ # Plexor
    66.206.22.85/32 \ # Plexor
    66.218.66.0/23 \ # Yahoo Groups servers (common pool)
    66.218.67.0/23 \ # Yahoo Groups servers (common pool)
    66.218.68.0/23 \ # Yahoo Groups servers (common pool)
    66.218.69.0/23 \ # Yahoo Groups servers (common pool)
    66.249.80.0/20 \ # google
    66.27.51.218/32 \ # ljbtc.com (Groupwise)
    72.14.192.0/18 \ # google
    74.125.0.0/16 \ # google
    152.163.225.0/24 \ # AOL
    194.245.101.88/32 \ # Joker.com
    195.235.39.19/32 \ # Tid InfoMail Exchanger v2.20
    195.238.2.0/24 \ # skynet.be (weird retry pattern, common pool)
    195.238.3.0/24 \ # skynet.be
    195.46.220.208/32 \ # mgn.net
    195.46.220.209/32 \ # mgn.net
    195.46.220.210/32 \ # mgn.net
    195.46.220.211/32 \ # mgn.net
    195.46.220.221/32 \ # mgn.net
    195.46.220.222/32 \ # mgn.net
    195.238.2.0/24 \ # skynet.be (weird retry pattern)
    195.238.3.0/24 \ # skynet.be
    204.107.120.10/32 \ # Ameritrade (no retry)
    205.188.0.0/16 \ # AOL
    205.206.231.0/24 \ # SecurityFocus.com (unique sender)
    207.115.63.0/24 \ # Prodigy - retries continually
    207.126.144.0 \ # google
    207.171.168.0/24 \ # Amazon.com
    207.171.180.0/24 \ # Amazon.com
    207.171.187.0/24 \ # Amazon.com
    207.171.188.0/24 \ # Amazon.com
    207.171.190.0/24 \ # Amazon.com
    209.85.128.0/17 \ # google
    209.132.176.174/32 \ # sourceware.org mailing lists (unique sender)
    211.29.132.0/24 \ # optusnet.com.au (weird retry pattern)
    213.136.52.31/32 \ # Mysql.com (unique sender)
    216.33.244.0/24 \ # Ebay
    216.239.32.0/19 \ # google
    217.158.50.178/32 \ # AXKit mailing list (unique sender)
}

Cheers,
Phil
--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charles Gregory
Sent: 12 August 2008 12:58
To: ClamAV users ML
Subject: Re: [Clamav-users] [0.0] Re: simplest replacement for ancient amavis-perl

On Mon, 11 Aug 2008, Dennis Peterson wrote:
> A problem I've seen with greylisting is the round-robin MTA pool. Each is told in turn to come back later and if the pool is large it can take a long time to cycle through all of them.

I don't suppose anyone has a list of these available for a whitelist or avoid greylisting? Preferably a list of IPs not domains?

- Charles
[Clamav-users] ClamAV updates - where is 7421?
Last pattern posted to clamav-virusdb was:

ClamAV database updated (10 Jun 2008 14-18 +): daily.cvd
Version: 7421

Yet the DNS, clamav homepage, and mirrors still say 7417. What gives?

Cheers,
Phil
--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] ClamAV 0.92.1 anomaly
I wrote earlier that clamscan --version behaves differently in 0.92.1 to 0.92:

# clamscan --version
ClamAV 0.92.1

# clamscan --version
ClamAV 0.92/5785/Tue Feb 12 10:41:10 2008

It looks like the checkin to fix bug 699 (https://wwws.clamav.net/bugzilla/show_bug.cgi?id=699) has broken things.

Cheers,
Phil
[Clamav-users] ClamAV 0.92.1 anomaly
clamscan --version behaves differently in 0.92.1 to 0.92:

# clamscan --version
ClamAV 0.92.1

# clamscan --version
ClamAV 0.92/5785/Tue Feb 12 10:41:10 2008

Can we have the old behaviour back please?

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
Re: [Clamav-users] Instability and Modern Anti-Virus Software
[EMAIL PROTECTED] wrote:
> There is an article on eWeek.com today concerning instability in AV software due to the impossibility of adequately testing updates when releasing them as quickly as they are needed (www.eweek.com/article2/0,1895,2240656,00.asp?kc=EWKNLINF010208STR3).
>
> Just to force the point home, McAfee yesterday released datfile 5197 which erroneously detected JS/Exploit-BO virus on sites like ESPN and Friendster. They've since released dat 5198 to fix the problem.

The problem of false positives from bad patterns or heuristics is, IMHO, a good reason for never doing on-demand full scans of filesystems.

Cheers,
Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
Re: [Clamav-users] Recent viruses
Do you give risk assessments of each and every virus caught, then? That would be a complete waste of time.

But, just to let you know the risks we're talking about here:

eCard stuff: emails containing either a link to a website pushing Trojans onto the PCs of those stupid enough to visit; or a .zip attachment containing a Trojan. The risk? Malware on your PC, data harvesting, turning PC into a spambot, etc.

The phishing ones usually contain links to fake bank sites in an attempt to harvest people's usernames and passwords, and thence their money. The risk is of your staff being fleeced, quickly followed by legal action by them against management for failure in their duty of care for their employees (by not blocking these phishing emails they are aiding and abetting the criminals).

And if you really have to argue the case individually for each and every virus pattern in your antivirus products' databases, you should start seeking a new job right now.

Cheers,
Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gomes, Rich
Sent: 25 October 2007 18:20
To: ClamAV users ML
Subject: Re: [Clamav-users] Recent viruses

Dennis,

Thanks for the reply. I understand all of what you are saying, having worked as a sysadmin for many years now. My issue is that even with most vendors using different naming conventions, they are usually cross-referenced in any technical info that is out there. I can't find any data on these messages and would like to know what other malware names they match up to so I can present it to management. At this point I can't even give a risk assessment.

Rich

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dennis Peterson
Sent: Thursday, October 25, 2007 12:54 PM
To: ClamAV users ML
Subject: Re: [Clamav-users] Recent viruses

Gomes, Rich wrote:
> I received some emails yesterday matching the following:
>
> Infected messages:
> Email.Ecard-28: 2 Message(s)
> Email.Phishing.RB-1804: 2 Message(s)
> Email.Phishing.RB-1806: 2 Message(s)
>
> I think these are ClamAV-specific names, how can I find out more detailed info on each one? I do not see them anywhere on the web. Any help would be greatly appreciated.

There are no naming standards and it doesn't look like any initiative to create one is going anywhere. The problem is each AV vendor has to call it something (I actually don't agree with this, but sexy names sell product). So what do you call a virus you've not seen before? I suppose you could submit it to all the other vendors' systems to see if they have a name for it and adopt that, but then that's a lot of work and there are no returns. And what if you are the first to discover it? You can't wait around for a committee to come up with a name so you call it something and release the update. As you know, within a day all the vendors will have discovered that same virus and will also go through this same drill. If you think about it, vendor A using vendor B's names is an admission that vendor A was not the first to discover it, and that means vendor B is going to look better in reviews.

My bottom line is, I really don't care what they're called. A simple serial number would be fine with me. The names mean more to the popular press than anyone else on the planet because they make great headlines. A name that is also the date discovered would be even better as I could voluntarily remove any old virus patterns I think are obsolete. This addresses another issue - AV vendors get a big plus for showing they have a bizzillion patterns in their database. I don't care - if that represents something that was an issue in 1987 it is not a problem for me today. Get rid of it.

How to get more detail? You can translate (they're hex encoded) the record for the virus name and read what the pattern is. This is especially true for the phishing and text based viruses. Less useful for viruses found in executable files.

One final point: phishing and scam mails will not necessarily have a corresponding identity with other vendors. They may not provide phishing and scam protection, for one thing, and for another the manner of detecting them is entirely arbitrary. Vendor A might look for embedded URLs in the message where vendor B might look for repeating misspelled words or unusual phrasing in the same message. In other words there is no guarantee of a match with any other vendor.

dp
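As an added example of what Dennis describes (not code from this thread or from ClamAV): decode the hex-encoded body of a signature line so a human can read the pattern it matches. It handles the .ndb line form and the legacy .db form plus the common wildcards; the two signature lines it decodes are constructed for the demo, not real database entries.

```python
"""Decode hex-encoded ClamAV body signatures into something readable.

Added example, not code from the thread or from ClamAV.  It handles the
.ndb form (Name:TargetType:Offset:HexSig[:MinFL[:MaxFL]]) and the legacy
.db form (Name=HexSig) and renders the common wildcards.  The two sample
signatures below are constructed, not real database entries.
"""
import re
from typing import Dict, List, Tuple

# Wildcard subset handled here (see ClamAV's signature documentation):
#   ??      any single byte          a? / ?a        half-byte wildcards
#   *       any number of bytes      {n} {n-m} {n-} {-m}  byte-count gaps
#   (aa|bb) one of the listed bytes  (B) (L) (W)    boundary markers
TOKEN_RE = re.compile(
    r"(\?\?)"                                      # 1: ??
    r"|([0-9a-fA-F]\?|\?[0-9a-fA-F])"              # 2: nibble wildcard
    r"|(\*)"                                       # 3: *
    r"|\{(\d*-?\d*)\}"                             # 4: {n}, {n-m}, ...
    r"|\((B|L|W)\)"                                # 5: boundary marker
    r"|\(([0-9a-fA-F]{2}(?:\|[0-9a-fA-F]{2})+)\)"  # 6: (aa|bb|...)
    r"|([0-9a-fA-F]{2})"                           # 7: literal byte
)

# Characters that would collide with the wildcard notation in the output.
RESERVED = set("{}()*?\\|[]")

TARGET_TYPES = {"0": "any file", "1": "PE", "2": "OLE2", "3": "HTML",
                "4": "Mail", "5": "Graphics", "6": "ELF", "7": "ASCII text"}


def parse_signature(line: str) -> Tuple[str, str, str, str]:
    """Split one line into (name, target_type, offset, hexsig)."""
    line = line.strip()
    if ":" not in line and "=" in line:           # legacy .db: Name=HexSig
        name, hexsig = line.split("=", 1)
        return name, "0", "*", hexsig
    fields = line.split(":")
    if len(fields) < 4:
        raise ValueError(f"not a .ndb/.db signature line: {line!r}")
    return fields[0], fields[1], fields[2], fields[3]


def render_byte(b: int) -> str:
    """Printable ASCII as itself, everything else as \\xNN."""
    ch = chr(b)
    if 0x20 <= b < 0x7F and ch not in RESERVED:
        return ch
    return f"\\x{b:02x}"


def decode_hexsig(hexsig: str) -> str:
    """Turn the hex body into readable text, keeping wildcards visible."""
    out: List[str] = []
    pos = 0
    while pos < len(hexsig):
        m = TOKEN_RE.match(hexsig, pos)
        if not m:
            raise ValueError(f"unsupported syntax at {pos}: {hexsig[pos:pos + 12]!r}")
        anybyte, nibble, star, gap, boundary, alts, lit = m.groups()
        if anybyte:
            out.append("??")
        elif nibble:
            out.append("\\x" + nibble)
        elif star:
            out.append("*")
        elif gap is not None:
            out.append("{" + gap + "}")
        elif boundary:
            out.append("(" + boundary + ")")
        elif alts:
            out.append("(" + "|".join(render_byte(int(a, 16))
                                      for a in alts.split("|")) + ")")
        else:
            out.append(render_byte(int(lit, 16)))
        pos = m.end()
    return "".join(out)


def describe(line: str) -> Dict[str, str]:
    """Name, target type, offset and decoded pattern of one signature line."""
    name, ttype, offset, hexsig = parse_signature(line)
    return {"name": name, "target": TARGET_TYPES.get(ttype, ttype),
            "offset": offset, "pattern": decode_hexsig(hexsig)}


# Constructed samples: a phishing lure in .ndb form and an e-card lure in
# the older .db form.  Neither is a real ClamAV signature.
SAMPLE_NDB = ("Email.Phishing.Example-1:4:*:"
              "766572696679{1-20}6163636f756e74*687474703a2f2f??(77|68)")
SAMPLE_DB = "Email.Ecard.Example-2=596f752068617665207265636569766564{-8}(B)6543617264"

if __name__ == "__main__":
    for sig in (SAMPLE_NDB, SAMPLE_DB):
        d = describe(sig)
        print(f"{d['name']} [{d['target']}, offset {d['offset']}]: {d['pattern']}")
```

Anchored jumps of the `[n-m]` form and negated alternatives are not handled and raise ValueError rather than being mis-rendered.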
Re: [Clamav-users] clamav needs 3 minutes to start
Conrad Zane Minnaar wrote:
>> On Wednesday 27 June 2007 15:09, Schramm e.K. [ Deutschland ] wrote:
>>> Dear clamav-users-list,
>>> As the subject suggests, I have some problems with clamav.
>>
>> Known bug. Already corrected in version 0.91 rc2.
>
> I don't know if it is really fixed. I have posted a request concerning this issue earlier this week. I am running versions 0.99.2 and 0.99.3 and clamd is taking ages to start. I will admit it does not take 3 minutes, but it is causing a major problem, because it causes the startup of clamav-milter to break.
>
> Any suggestions?
>
> -Conrad-

Yes, check your version numbers... I guess you mean 0.90.2 and 0.90.3. It is definitely fixed in 0.91rc2.

Cheers,
Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
Re: [Clamav-users] Terrible performance with 0.90.2
[EMAIL PROTECTED] wrote:
> Michael Heiming wrote:
>> René Berber wrote:
>>> Michael Heiming wrote:
>>>> Tests show pretty bad performance with 0.90.2 and clamscan. Running Mailscanner it seems not trivial to switch to clamd,
>>>
>>> It is trivial, just change lib/clamav-wrapper and lib/MailScanner/SweepViruses.pm; I include my changes at the end.
>>
>> Rene, indeed this looks pretty much straight forward. Could you send me the patches as attachment, seems they got garbled in the mail? It seems the version of my clamav-wrapper is different (MS 4.54.6-1), could you please send me your patched version completely?
>>
>> Best regards

The appropriate course of action is for you to upgrade to MailScanner 4.58.9. You're running a version which is well out of date.

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
RE: [Clamav-users] Release-Date for 0.90 ??
Christopher X. Candreva wrote:
> I've been running 0.90rc2 here for a few months. IMHO it is more stable than the 0.88.x I was running previously. Just yesterday I received a Bugzilla note from one I had submitted that it was fixed in 0.90rc3. I am taking that to mean we will see rc3 soon.

0.90rc3 has just been released.

Cheers,
Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
RE: [Clamav-users] Trojan Peacomm?
Galactic wrote:
> Seems it is already in the DB as something else, Trojan.Downloader-6xx. Norton was stripping the file from my email so I couldn't read the headers on it. Not sure why it was slipping past ClamAV however. When I tried to upload these 3 files postcard.exe, Full Clip.exe, and Greeting Card.exe the submission engine said that they exist in the DB as the Trojan.downloader-6xx.. Norton is seeing them as [EMAIL PROTECTED] and Trojan.Peacomm. As far as running freshclam, had been doing that manually every couple of hours for the past two days to be sure that this little bugger wouldn't get through.
>
> Franklyn

It's worth checking http://cme.mitre.org/ in cases like this, and http://isc.sans.org/ , which is pretty good at following outbreaks. This particular trojan is CME-711.

If you have a virus sample you're not detecting locally, try submitting it to http://virusscan.jotti.org and http://www.virustotal.com . Those sites will tell you who is detecting it as what, and will forward samples to the vendors of the antivirus tools they use.

Cheers,
Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
RE: [Clamav-users] libclamav saying DB is old, can't detect virus
Not detected here either, nor by ClamAV at http://virusscan.jotti.org

Scan taken on 23 Jan 2007 14:57:25 (GMT)
AntiVir               Found nothing
ArcaVir               Found Trojan.Door.Mirc-based
Avast                 Found Win32:Trojan-gen. {VC}
AVG Antivirus         Found HideExec.G, IRC/BackDoor.Flood
BitDefender           Found Trojan.Hidewindows.C, Backdoor.IRC.Zapchast.GJ, Backdoor.IRC.Zapchast.LK
ClamAV                Found nothing
Dr.Web                Found Tool.HideApp, Program.mIRC.603
F-Prot Antivirus      Found nothing
F-Secure Anti-Virus   Found Backdoor.IRC.Zapchast, Backdoor.Win32.mIRC-based
Fortinet              Found nothing
Kaspersky Anti-Virus  Found Backdoor.IRC.Zapchast, Backdoor.Win32.mIRC-based
NOD32                 Found IRC/Flood.CP, probably a variant of IRC/Zapchast.J (probable variant)
Norman Virus Control  Found Zapchast.ACA
VirusBuster           Found IRC.Flood.BU
VBA32                 Found Backdoor.IRC.Zapchast#13, BackDoor.IRC.based, Backdoor.IRC.Zapchast#36

Yet over at http://www.virustotal.com:

AntiVir             7.3.0.26        01.23.2007  no virus found
Authentium          4.93.8          01.22.2007  no virus found
Avast               4.7.936.0       01.23.2007  Win32:Trojan-gen. {VC}
AVG                 386             01.23.2007  IRC/BackDoor.Flood
BitDefender         7.2             01.23.2007  Trojan.Hidewindows.C
CAT-QuickHeal       9.00            01.22.2007  no virus found
ClamAV              devel-20060426  01.23.2007  Trojan.IRC.Zapchast-11
DrWeb               4.33            01.23.2007  no virus found
eSafe               7.0.14.0        01.23.2007  VBS.Chode911.2
eTrust-InoculateIT  23.73.120       01.23.2007  no virus found
eTrust-Vet          30.3.3344       01.23.2007  no virus found
Ewido               4.0             01.23.2007  no virus found
Fortinet            2.82.0.0        01.23.2007  Misc/Hidewindow
F-Prot              3.16f           01.22.2007  no virus found
F-Prot4             4.2.1.29        01.22.2007  no virus found
Ikarus              T3.1.0.27       01.23.2007  Backdoor.IRC.Zapchast
Kaspersky           4.0.2.24        01.23.2007  Backdoor.IRC.Zapchast
McAfee              4946            01.22.2007  no virus found
Microsoft           1.1904          01.23.2007  Trojan:Win32/HideWindows.C
NOD32v2             1999            01.23.2007  IRC/Flood.CP
Norman              5.80.02         01.23.2007  Zapchast.ACA
Panda               9.0.0.4         01.23.2007  no virus found
Prevx1              V2              01.23.2007  Covert.Sys.Exec
Sophos              4.13.0          01.20.2007  no virus found
Sunbelt             2.2.907.0       01.22.2007  IRC.Backdoor.Trojan
TheHacker           6.0.3.154       01.22.2007  no virus found
UNA                 1.83            01.22.2007  Trojan.Win32.Hidewindows.E2AC
VBA32               3.11.2          01.22.2007  Backdoor.IRC.Zapchast#13
VirusBuster         4.3.19:9        01.23.2007  IRC.Flood.BU

Strange...

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roy Carin
Sent: 23 January 2007 13:15
To: ClamAV users ML
Subject: Re: [Clamav-users] libclamav saying DB is old, can't detect virus

On 01/23/2007 05:00 AM, Andy wrote:
> Andy ([EMAIL PROTECTED]) wrote:
>> Hey, I'm having some trouble with a virus that got past clamav. Log is pasted below, but I seem to have two problems:
>>
>> 1) libclamav is saying my database is old when it isn't update...
>
> I didn't want to stop clamav on a production system but on comparing the filesizes to another clamav installation I noticed they were different. So even though it shows it reading the right files:
>
> LibClamAV debug: Loading databases from /var/lib/clamav
> LibClamAV debug: Loading /var/lib/clamav/daily.cvd
>
> And even though I restarted freshclam and it looked like it had updated:
>
> mx tmp # ls -l /var/lib/clamav/daily.cvd
> -rw-rw-r-- 1 clamav clamav 752606 Jan 23 09:41 /var/lib/clamav/daily.cvd
>
> ... it obviously hadn't. I deleted the current database and restarted freshclam. It got a new set of files which were different to old ones, and had no problem detecting the virus. I'm still confused as to what caused this though so I can stop it happening again. I'm also still worried it couldn't scan that .exe file, yet by just upgrading the DB it can somehow magically do it now?
>
> Andy.

I'm afraid that I don't have any advice for you, but I can say that I'm having a similar problem. I received a link to a postcard.exe file in a spam message:

Size: 678849
MD5sum: 8372e0dcd2ccf5e5247f098e818c5e46
Site: http://www.newfriendsonline.com/videos/postcard.exe

Virustotal.com says this about the file:

ClamAV devel-20060426/20070123 found [Trojan.IRC.Zapchast-11]

So someone's version of clamav can detect the trojan; however, my installation of clamav (0.88.7) always says the file is clean--even after I've just run freshclam. I even submitted the file to clamav.net a couple of days ago, but my clamscan still doesn't detect the file.
RE: [Clamav-users] Longer writeup on new viruses that Clam has detected?
There were two or three variants of that Trojan (not strictly a virus) spammed out on the 18th, with one or more variants pushed out a day later (sample submitted, still waiting for the updated patterns for that). Trojan-downloader.647 was one of the variants.

If you keep your eye on whatever virus alert messages you produce it should be pretty obvious which ClamAV name relates to malware in the news.

It's not a trivial task to produce a dictionary of malware cross-referencing all the vendors' pet names for them, and I for one would rather the effort went into catching the malware rather than naming it.

Cheers,
Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kelly Jones
Sent: Saturday, January 20, 2007 1:26 AM
To: clamav-users@lists.clamav.net
Subject: [Clamav-users] Longer writeup on new viruses that Clam has detected?

My users sometimes forward me news stories on new viruses. I want to reassure them that Clam is catching this virus, but I'm not quite sure how.

Example: a user sent me a story on a virus that I'm pretty sure is Trojan.Downloader-647, but I couldn't find a web-page describing this virus. Is there such a thing?

Basically, I'm looking for a short Symantec-like writeup (or even a link to Symantec's writeup) saying things like:

  This virus was first detected 18 Jan 2006. The subject lines for this virus are: "A killer at 11, he's free at 21...", "U.S. Secretary of State Condoleezza Rice has kicked...", "230 dead as storm batters Europe", "Naked teens attack home director", etc. The virus contains an attachment called "Full Story.exe"

That sort of thing. It would also be nice to type in a virus subject and see all Clam signatures/viruses matching that subject (I realize some viruses have random subjects, but many/most do have a finite list of subjects or at least adhere to a pattern).

Any thoughts?

--
We're just a Bunch Of Regular Guys, a collective group that's trying to understand and assimilate technology. We feel that resistance to new ideas and technology is unwise and ultimately futile.
[Clamav-users] Which wiki?
I'd recommend pmwiki.

Phil
___
http://lurker.clamav.net/list/clamav-users.html
RE: [Clamav-users] I-Worm/Generic.RX undetected
Daniel Hertanu wrote:
> Yesterday I received 3 emails in which the local antivirus (AVG for Windows, Free edition) has detected a virus named I-Worm/Generic.RX. The email server is a sendmail with clamav-milter. Having a look into the log file I discovered that clamav-milter declared the emails as clean. Freshclam is executed daily, so the virus database is updated. As this virus name is not listed in Clamav virus database, I'm wondering if it is known under a different name, and, if so, why it was not detected.
>
> Any idea would be much appreciated.
>
> Thank you.
> Daniel

The standard rule is to submit any sample raw email to each of

http://virusscan.jotti.org/
http://www.virustotal.com/
http://www.clamav.net/sendvirus.html

That way you're doing a service to the whole internet community (as well as finding out which scanners pick it up already).

Cheers,
Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
RE: [Clamav-users] Scan Signature
Diego Lorenzo - OJC said:
> Hello, folks!
>
> I'm needing to mark all incoming and outgoing e-mails with a virus scanned message, kinda "This e-mail was scanned by Clamav (or Amavis)", something like that. Is there any flag I can set? Is it really in the Clamav configuration file that I can do that?
>
> Regards,
> Diego Lorenzo

And the virus spammers get wise and add a "this message was scanned by" footer to their infected emails. Such disclaimers are worthless.

Cheers,
Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
RE: [Clamav-users] Questions about ClamAV
> Dear all,
>
> 1) I am going to use the anti-virus in a closed network, and connection to the Internet is not possible. How can ClamAV be updated manually without accessing the Internet? Can freshclam be deactivated? And will there be any effect on the signature update if freshclam is deactivated?

Manually copy the database files from a connected machine to one not connected. Run an internal database mirror.

> 2) There is a large number of end users within the closed network. Are mass installation and update possible? Are remote installation and update possible? If yes, how can they be done?

Search the list archives.

> 3) What is the actual virus database update frequency?

Whenever an update is available. Can be several times a day.

When your (legally worthless) disclaimer and sig are longer than the content of your email, you need to learn some net etiquette before people will take you seriously and not treat you with contempt.

Cheers,
Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
RE: [Clamav-users] Footnote messages
Fernando Azevedo asked:
I'm running a pretty stable server with clamav 0.88.2 on top of qmail with simscan. I'm checking all messages (incoming and outgoing) and I'd like to append a small footnote with a disclaimer and also with some (free) advertisement stating that the message has gone through ClamAV and is clean of any known viruses. Is this possible in ClamAV?

Consider this simple scenario: I'm Mr mega-trojan distributor, and I've decided that a good new social engineering trick is to include a footer on each of my spammed trojanised emails. Do I need to explain in any detail or have you figured it yet? Such footers are at best misleading, at worst lulling people into a false sense of confidence.

Cheers, Phil
-- Phil Randal Network Engineer Herefordshire Council Hereford, UK
This email has been scanned by Phil's Antivirus (tm), and found to be virus-free. Yeah, right... ;-)
RE: [Clamav-users] dreaded Can't query current.cvd.clamav.net m essage
Pat Masterson wrote:
I just installed clamav-0.88.2 on a solaris 9 system. When running freshclam I get this:
[EMAIL PROTECTED] [170]: /usr/local/bin/freshclam --datadir=/home/clamav -v
Current working dir is /home/clamav
Max retries == 3
ClamAV update process started at Fri Jun 16 10:18:50 2006
SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES
See the FAQ at http://www.clamav.net/faq.html for an explanation.
Querying current.cvd.clamav.net
ERROR: Can't query current.cvd.clamav.net
WARNING: Invalid DNS reply. Falling back to HTTP mode.
^C
But I can get the TXT records OK:
[EMAIL PROTECTED] [171]: host -t txt current.cvd.clamav.net
current.cvd.clamav.net descriptive text 0.88.2:39:1546:1150468141:1
And DNS resolution is fine:
[EMAIL PROTECTED] [172]: nslookup www.ibm.com
. . Non-authoritative answer: Name: www.ibm.com.cs186.net Address: 129.42.34.212 Aliases: www.ibm.com
Any ideas for me? Thanks. -Pat

http://www.clamav.net/faq.html says this:

20. What does "SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES" mean?
The ClamAV package requires the GMP library to verify the digital signature of the virus database. When building ClamAV you need the GMP library and its headers: if you are using Debian just run apt-get install libgmp3-dev, if you are using an RPM based distribution install the gmp-devel package. You'll need to rerun ./configure and recompile ClamAV.

24. I get this error when running freshclam: "ERROR: Connection with ??? failed". What shall I do?
Either your dns servers are not working or you are blocking port 53/tcp. You should manually check that you can resolve hostnames with: $ host database.clamav.net If it doesn't work, check your dns settings in /etc/resolv.conf. If it works, check that you can receive dns answers longer than 512 bytes, e.g. check that your firewall is not blocking packets which originate from port 53/tcp.

An easy way to find it out is:
$ host db.us.clamav.net
$ dig @ns1.clamav.net db.us.clamav.net

Cheers, Phil
-- Phil Randal Network Engineer Herefordshire Council Hereford, UK
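Two of the threads above come down to the same question: is the database on this box the one the project is currently publishing? The message just above shows the TXT record freshclam consults (0.88.2:39:1546:1150468141:1), and the closed-network thread earlier on this page copies .cvd files by hand. The following script is an added example, not part of the list thread and not freshclam's or sigtool's own code. It assumes two formats that the ClamAV project documents: a .cvd file begins with a 512-byte colon-separated text header (ClamAV-VDB:build time:version:signatures:f-level:MD5:digital signature:builder:build time in seconds), and the 2006-era TXT record carries the latest ClamAV release, main.cvd version and daily.cvd version in its first three fields. The sample header, freshclam lines and record below are constructed for the example; no DNS query or real file is touched, so it runs unchanged on an air-gapped host where you have noted the TXT record on a connected machine.

```python
"""Compare local ClamAV database versions with the advertised ones (added example).

Assumed .cvd header layout (first 512 bytes, colon separated):
  ClamAV-VDB:<build time>:<version>:<sigs>:<f-level>:<md5>:<dsig>:<builder>:<stime>
Assumed 2006-era TXT record layout for current.cvd.clamav.net:
  <latest clamav>:<main version>:<daily version>:<timestamp>:<flag>
"""
import re

CVD_HEADER_LEN = 512


def parse_cvd_header(header: bytes) -> dict:
    """Parse the text header at the start of a .cvd file into its fields."""
    text = header[:CVD_HEADER_LEN].rstrip(b"\x00 \n").decode("ascii", "replace")
    fields = text.split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 8:
        raise ValueError("not a ClamAV CVD header")
    return {
        "build_time": fields[1],
        "version": int(fields[2]),
        "sigs": int(fields[3]),
        "flevel": int(fields[4]),
        "md5": fields[5],
        "builder": fields[7],
    }


def read_cvd_version(path: str) -> int:
    """Version of an on-disk .cvd file; only the header is read."""
    with open(path, "rb") as fh:
        return parse_cvd_header(fh.read(CVD_HEADER_LEN))["version"]


def parse_txt_record(txt: str) -> dict:
    """Parse the record text from 'host -t txt current.cvd.clamav.net'.

    Surrounding quotes, as printed by dig, are tolerated.
    """
    parts = txt.strip().strip('"').split(":")
    if len(parts) < 3:
        raise ValueError("unexpected TXT record format: %r" % txt)
    return {"clamav": parts[0], "main": int(parts[1]), "daily": int(parts[2])}


def parse_freshclam_output(lines) -> dict:
    """Collect 'X.cvd is up to date (version: N, ...)' lines into {db: version}."""
    pat = re.compile(r"^(main|daily)\.c[lv]d is up to date \(version: (\d+),")
    found = {}
    for line in lines:
        m = pat.match(line.strip())
        if m:
            found[m.group(1)] = int(m.group(2))
    return found


def stale_databases(local: dict, advertised: dict) -> list:
    """Names of databases whose local version is behind the advertised one."""
    return sorted(
        db for db in ("main", "daily")
        if db in local and db in advertised and local[db] < advertised[db]
    )


# Constructed sample data: not a real file, not a real DNS answer.
SAMPLE_TXT = "0.88.2:39:1546:1150468141:1"   # the record quoted in the thread
SAMPLE_DAILY_HEADER = (
    b"ClamAV-VDB:16 Jun 2006 10-12 -0400:1540:39600:6:"
    b"0123456789abcdef0123456789abcdef:fakesignature:ccordes:1150467120"
).ljust(CVD_HEADER_LEN, b" ")
SAMPLE_FRESHCLAM = [
    "ClamAV update process started at Fri Jun 16 10:18:50 2006",
    "main.cvd is up to date (version: 39, sigs: 39625, f-level: 5, builder: tkojm)",
    "daily.cvd is up to date (version: 1540, sigs: 1281, f-level: 6, builder: ccordes)",
]

if __name__ == "__main__":
    local = parse_freshclam_output(SAMPLE_FRESHCLAM)
    # On an air-gapped host you would use read_cvd_version() on the copied files.
    local["daily"] = parse_cvd_header(SAMPLE_DAILY_HEADER)["version"]
    print("behind the published version:", stale_databases(local, parse_txt_record(SAMPLE_TXT)))
```

On a real host, replace the constructed header with read_cvd_version("/var/lib/clamav/daily.cvd") (the same fields are what sigtool --info prints), and paste the TXT record you captured on the connected side. Note that this only tells you a copy is behind; it does not replace the signature check clamd performs when it loads the database, which is why the "NO SUPPORT FOR DIGITAL SIGNATURES" warning in the message above is worth fixing rather than ignoring.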
RE: [Clamav-users] updated: PSCM - RPM package (clamav, postfix, spamassassin, mailscanner or amavisd-new)
I'd keep well clear of this until PSCM is updated to use MailScanner 4.53.8. 4.53.6 had a major bug in the phishing detection code which could cause MailScanner to loop.

Cheers, Phil
Phil Randal Network Engineer Herefordshire Council Hereford, UK

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Isaac
Sent: 09 May 2006 16:37
To: 'ClamAV users ML'
Subject: RE: [Clamav-users] updated: PSCM - RPM package (clamav, postfix, spamassassin, mailscanner or amavisd-new)

Is there a similar rpm for sendmail? Bob
Robert Isaac Director/Web Admin www.volvoclub.org.uk Please include all previous text with reply All messages are scanned with an antivirus scanner.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Janet Bindner
Sent: 09 May 2006 06:18
To: clamav-users@lists.clamav.net
Subject: [Clamav-users] updated: PSCM - RPM package (clamav, postfix, spamassassin, mailscanner or amavisd-new)

Hi all, I have updated PSCM. The latest RPM package contains: * Clamav: 0.88.2 * MailScanner: 4.53.6-1 * SpamAssassin: 3.1.1 * Postfix: 2.2.10 * Amavisd-new-2.4.0 http://m-net.arbornet.org/~pscm/index.html // PSCM integrates postfix, spamassassin, clamav and mailscanner/amavisd-new. This should help to eliminate the hassle of installing and making these applications work together. PSCM comes in 2 flavors: 1. Postfix, SpamAssassin, ClamAV and MailScanner 2. Postfix, SpamAssassin, ClamAV and Amavisd-new // Cheers, Janet
RE: [Clamav-users] updated: PSCM - RPM package (clamav, postfix, spamassassin, mailscanner or amavisd-new)
Robert Isaac wrote:
4.53.7 is the latest version, it came out a few days after 4.53.6

Check http://www.sng.ecs.soton.ac.uk/mailscanner/downloads.shtml for yourself if you don't believe me!

Cheers, Phil
Phil Randal Network Engineer Herefordshire Council Hereford, UK
RE: [Clamav-users] submiting form
It's always worth submitting samples to http://www.virustotal.com and http://virusscan.jotti.org as well. They forward to the ClamAV team and other antivirus vendors.

Cheers, Phil
Phil Randal Network Engineer Herefordshire Council Hereford, UK

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Gavriloff
Sent: 17 March 2006 08:54
To: clamav-users@lists.clamav.net
Subject: [Clamav-users] submiting form

I've submitted a virus three times using the sendvirus form but still no reaction of any kind. Should I do something else?
-- Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
[Clamav-users] Zafi worm misidentified as Trojan.Downloader.Small-1004
Don't know when this started happening, but ClamAV is misidentifying the Zafi worm as Trojan.Downloader.Small-1004. From a MailScanner notification:

Sender: [EMAIL PROTECTED]
IP Address: 85.98.131.226
Recipient: [EMAIL PROTECTED] (changed to protect the innocent)
Subject: Fw: Merry Christmas!
MessageID: k139qE5t016812
Quarantine: /var/spool/MailScanner/quarantine/20060203/k139qE5t016812
Report: ClamAV Module: postcard.index.jpg4031.zip was infected: Trojan.Downloader.Small-1004
Bitdefender: Found virus [EMAIL PROTECTED] in file postcard.index.jpg4031.zip
McAfee: /k139qE5t016812/postcard.index.jpg4031.zip Found the W32/[EMAIL PROTECTED] virus !!!

Cheers, Phil
Phil Randal Network Engineer Herefordshire Council Hereford, UK
RE: [Clamav-users] Is CME officially supported/supporting ClamAV?
Jason Haar wrote:
I've been watching CME (Common Malware Enumerator) starting to take off over the past few weeks, and I've noticed CME entries and their corresponding names used by antivirus vendors. ...and ClamAV ain't in there from what I've seen... Is there no interest in supporting this, or am I just blind? (the latter is quite possible ;-) See http://cme.mitre.org/

From the CME FAQ:
A8. How can my organization and I participate? An integral component of the CME initiative is broad community participation. We strongly encourage users of anti-virus products to ask their preferred vendors to adopt CME identifiers. For anti-virus product vendors, supporting and participating in the CME initiative is a bold first step in announcing to your users that you want to help alleviate their confusion and further protect their systems and networks. Adopting the use of CME identifiers is a significant first step in establishing a consistent approach by anti-virus entities that will benefit users and the entire information security community. Contact us at [EMAIL PROTECTED] to discuss how you and your organization can help this growing anti-virus and information security initiative.

Looks like they expect the ClamAV team to contact them, not the other way round.

Cheers, Phil
Phil Randal Network Engineer Herefordshire Council Hereford, UK
RE: [Clamav-users] Undetected Virus
I have the latest version of ClamAV and the signature files installed, however it fails to detect the Win32.Blackmail.F virus. My mail is delivered to a FreeBSD server that I run. One of the machines on the network is a WinXP machine running ZoneAlarm Suite. When this Windows machine POPs mail from the mail server it detects this virus. It has happened three times in the past 24 hours. The messages are marked as clean by ClamAV. Is this something that I should be reporting to someone? Thanks! -- Gerard Seibert [EMAIL PROTECTED]

I submitted a sample yesterday afternoon (GMT) to http://cgi.clamav.net/sendvirus.cgi , http://virusscan.jotti.org/ , and http://www.virustotal.com/

Cheers, Phil
Phil Randal Network Engineer Herefordshire Council Hereford, UK
RE: [Clamav-users] Large number of Mytob.MM this morning?
Jay Lee wrote:
I've already submitted a sample to the website, any hope of getting this blocked soon?

Did you submit it to the online testing web page to see if that system handles it differently from yours?

I have now yes, I tried sending the raw email message, the attached .zip file and the unzipped .exe, it reported them all as clean. Jay

It's worth submitting the raw message file to http://virusscan.jotti.org and http://www.virustotal.com as well.

Phil
Phil Randal Network Engineer Herefordshire Council Hereford, UK
RE: [Clamav-users] RE: Report infected mail to the user
But you do not know the sender. You only know an address that the virus presents as the sender address. And you trust the virus...

Ok, I see you must have experience. Are there really so many virus senders who specify a fake but really existing mail address? Michael Neurohr

Many viruses harvest email addresses from the infected PC user's address book and inbox etc and use these as the From: address. And I can verify that this is the case from the number of virus bounces we get from clueless sites which still insist on sending the (spoofed) senders virus warnings. Incidentally, 5 minutes on Google would have told you the answer.

Cheers, Phil
Phil Randal Network Engineer Herefordshire Council Hereford, UK
RE: [Clamav-users] clamav-milter sendmail: postmaster notificat ion
Dennis Peterson said:
Regardless, anything you need to know about the message can be found in the logs. I've never seen a need to keep a virus around - even in the postmaster account or quarantine directory.

I have. It's very useful when a new virus variant arrives and is detected by only one of our three virus scanners (or is blocked by filetype alone). If it is quarantined I can pull out the quarantined copy and submit it to virusscan.jotti.org, www.virustotal.com, and the Antivirus vendors.

Cheers, Phil
Phil Randal Network Engineer Herefordshire Council Hereford, UK
RE: [Clamav-users] clamav-milter sendmail: postmaster notificat ion
Dennis Peterson said:
I guess I don't understand the need to submit a detected and quarantined virus to anti-virus vendors.

It's called being socially responsible. Just because ClamAV (or Bitdefender or McAfee or whatever) detected it doesn't mean that everybody else does or has even seen samples of that variant.

Cheers, Phil
Phil Randal Network Engineer Herefordshire Council Hereford, UK
RE: [Clamav-users] 9.scr
Maurizio Marini said:
Hi there, I have received a mail with an attachment: Secret.zip. Inside it there is a file Filename 9.src Size 75,776 Size now 43721. Is this a virus/worm/malware? The mail server reports this freshclam output:
mailgw1:/etc/postfix# freshclam
ClamAV update process started at Mon Oct 10 14:56:11 2005
main.cvd is up to date (version: 34, sigs: 39625, f-level: 5, builder: tkojm)
daily.cvd is up to date (version: 1125, sigs: 886, f-level: 6, builder: tomek)
Is there something wrong in my confs or should I submit it to the clamav.net site?
-- Maurizio Marini GSM +39-335-8259739 Fano: +39-0721-855285 Milano +39-02303123406 S. Costanzo: +39-0721950396 IAXTel: (700) 350-1234 Crashing is the only thing windows does quickly.

It's always worth submitting suspect emails (the whole raw message) to online scanners such as http://virusscan.jotti.org/ and http://www.virustotal.com/.

Cheers, Phil
Phil Randal Network Engineer Herefordshire Council Hereford, UK
[Clamav-users] New Bagle / Mytob variant
We've received over two dozen copies of a new Bagle / Mytob variant in the last few hours. Various subjects, attached files:
Re: Document - Details.exe
Re: Hello - Information.exe
Re: Details.exe
Encrypted document - MoreInfo.exe
Protected message - Updates.exe
etc etc...

Submitted to virusscan.jotti.org, www.virustotal.com, clamav.net, and webimmune.net. Detected as W32/[EMAIL PROTECTED] by F-Prot, Webimmune claims it is a Bagle variant.

Cheers, Phil
Phil Randal Network Engineer Herefordshire Council Hereford, UK
RE: [Clamav-users] Two new Bagles out
I wrote:
Both caught by Bitdefender as [EMAIL PROTECTED]. ClamAV daily update 1085 catches one of them as Worm.Bagle.BO (McAfee also picks it up as generic malware) but not the later one. I've submitted samples of both to clamav.net, virusscan.jotti.org, virustotal.com, malwareupload.com, and webimmune.net.

Make that three variants. I've sent the ClamAV team a sample of the latest one (which only McAfee detected).

Cheers, Phil
Phil Randal Network Engineer Herefordshire Council Hereford, UK
RE: [Clamav-users] Clam AV on windows with the cygwin environment installed
[EMAIL PROTECTED] asked:
Subject: [Clamav-users] Clam AV on windows with the cygwin environment installed
Is this possible? Are there any pitfalls in doing this?

Yes, take a look at http://www.clamwin.com/. It's not a realtime scanner, just an on-demand one.

Cheers, Phil
Phil Randal Network Engineer Herefordshire Council Hereford, UK
RE: [Clamav-users] clamav only virus? - Trojan.Briss-1
Pablo Chamorro C. wrote:
Try submitting the infected file to http://virusscan.jotti.org and http://www.virustotal.com and see if any of their scanners detect it.

Thanks for all the answers, I found that only clamav on July 12th included that signature, but now, where can I find information about the associated risks? I would like to share that info with a workmate who only trusts proprietary antivirus (I think so). thanks, Pablo

Well, the advice I gave above still applies. Those two online virus scanners would reveal the name other vendors call that virus by, and the appropriate searches of their sites would reveal the required information. This is basic research, easily done. There's no point in us spoon feeding you the answers or you'll be asking the same question with each new virus and not learning how to find the answer for yourself.

Cheers, Phil (who hates having to give the same answer twice to an elementary question)
Phil Randal Network Engineer Herefordshire Council Hereford, UK
RE: [Clamav-users] clamav only virus? - Trojan.Briss-1
Pablo Chamorro C. said:
I installed clamwin under windows 2000 and it found a file infected with Trojan.Briss-1 but looking up in http://www.rainingfrogs.co.uk/index.orig.php?search=numvid=97961 I'm noting that only clamav detects that virus. How can we know that virus is really a virus if no other antivirus software knows about trojan.briss-1? Or am I wrong?

Try submitting the infected file to http://virusscan.jotti.org and http://www.virustotal.com and see if any of their scanners detect it. Other vendors may well use different names.

Cheers, Phil
Phil Randal Network Engineer Herefordshire Council Hereford, UK
RE: [Clamav-users] Question about Virus definitions
Pedro Silva asked:
Dear members, During the last hours I have received several emails containing the W32/Mytob-Fam (Sophos name), which were not caught by Clam. Can someone tell me why Clam is not detecting this virus?

No idea, but you should submit samples to:
http://cgi.clamav.net/sendvirus.cgi
http://www.virustotal.com/flash/index_en.html
http://virusscan.jotti.org/

Cheers, Phil
Phil Randal Network Engineer Herefordshire Council Hereford, UK
RE: [Clamav-users] libcrypto.so.4
David Kandou wrote:
Dear all, When I want to install clamav 0.85 (rpm version) I found that clamav needs libcrypto.so.4 installed. Can anybody help me how to get libcrypto.so.4 ??? Regards, David Kandou

That's an OpenSSL library (see http://www.rpmfind.net/linux/rpm2html/search.php?query=libcrypto.so.4 submit=Search). Make sure the current OpenSSL RPM for your OS is properly installed and try rebuilding ClamAV.

Cheers, Phil
Phil Randal Network Engineer Herefordshire Council Hereford, UK
RE: [Clamav-users] freshclam's daily.cvd messages not showing
[EMAIL PROTECTED] wrote:
Hello, I'm running clamav (currently version 0.85) on two separate servers and my home notebook and recently noticed odd behavior when running freshclam. While on one server and my notebook it always both displays to the console and logs information about both main.cvd and daily.cvd (i.e. whether they were updated or are up to date), on the other server it only displays that information about main.cvd, though it does log information about both main.cvd and daily.cvd to the log and does update daily.cvd when appropriate. For example, here is the output from the first, normally operating server:
root ~ # /usr/local/bin/freshclam
ClamAV update process started at Sun May 15 04:49:38 2005
main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder: tkojm)
daily.cvd is up to date (version: 878, sigs: 1281, f-level: 5, builder: ccordes)
root ~ #
while the other server, running the same version of clamav with identical configuration files (as verified by md5sums), displays only:
[EMAIL PROTECTED]:~# /usr/local/bin/freshclam
ClamAV update process started at Sun May 15 04:50:39 2005
main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder: tkojm)
[EMAIL PROTECTED]:~#
The log files for both, however, are identical (except for times, of course):
[EMAIL PROTECTED]:~# tail -n 4 /var/log/freshclam.log
--
ClamAV update process started at Sun May 15 04:50:39 2005
main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder: tkojm)
daily.cvd is up to date (version: 878, sigs: 1281, f-level: 5, builder: ccordes)
Both installations were compiled from source using identical config options (./configure --sysconfdir=/etc) and with the default optimizations.
I did grep -r 'up to date' in the source directory and found only four occurrences, all in freshclam/manager.c, that consisted of two places where this message is first written to stdout then in the immediate next line apparently logged, so I am at a loss as to how the daily.cvd messages could be logged but not displayed to the console. I'm no C programmer, though, so perhaps someone who is has a better idea as to what's going on here? The first (normal) server is a linux virtual machine running under UML on a box with dual Intel Xeon processors. My notebook has a pentium3 processor, and the server where freshclam behaves oddly is an old box with an amd k6-3 processor. The UML server is running a linux 2.4.26 based kernel, while my notebook and the other server currently run linux 2.6.11-7 kernels. If you need any other information let me know. Thanks, Zibeli

This is fixed in ClamAV 0.85.1. Thanks for the rapid update, team.

Cheers, Phil
Phil Randal Network Engineer Herefordshire Council Hereford, UK
RE: [Clamav-users] Clam AV allows e-mail fromwww.webmail.us/testv irus through?
Douglas Ward asked:
Do you by chance know of any resources that I could look at that would outline how to plug the two together? Thanks!

Have a look at MailScanner (http://www.mailscanner.info).

Cheers, Phil
Phil Randal Network Engineer Herefordshire Council Hereford, UK
RE: [Clamav-users] sober.p and german adverts?
It's easy to block. Check the handler's Diary at http://isc.sans.org/ and follow the links.

Cheers, Phil
Phil Randal Network Engineer Herefordshire Council Hereford, UK

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bart Silverstrim
Sent: 16 May 2005 16:05
To: ClamAV users ML
Subject: Re: [Clamav-users] sober.p and german adverts?

On May 16, 2005, at 10:52 AM, Rainer Zocholl wrote:
[EMAIL PROTECTED](Bart Silverstrim) 16.05.05 08:51
Maybe you should have simply entered it into google? I'm quite sure that google would have led you to the right place. Yes, google can search for german strings too! IMOH ;-)

I did enter it in when I first discovered it, but there were no hits. I thought perhaps it was too new at the time, and then turned to the lists to corroborate what I was seeing.

and the text appears to be just a link to a website...?

Yes, it is. Many of them are pointing to websites of reputable printed newsletters/magazines like Der Spiegel.

Apparently it will be very hard to block if it's just text without extra spammer tricks in it to bypass filters...or at least not enough to cross the threshold of spam vs. regular mail. Perhaps we now know what happened to sober.p?

See: http://www.viruslist.com/en/weblog http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EUVSect=P Details in german: http://www.heise.de/newsticker/meldung/59562

Well...I'm somewhat proud of myself that so far my hunches and (amateurish) deductions had me on the right track :-) (anyone know offhand how to use the access file for postfix to reject a message by *sender* instead of recipient?)

Write complaints to the owners of the IP blocks! The MAIL FROM is always faked. The URL-owner is mostly innocent too. Block all mails from dynamic IP. They are 99,99% spam.

Is there a way to do that with the access file/postmap in postfix? Block sender IP's/IP blocks? I thought it was odd that our hammering from particular sober.p infections were consistent in IP. If they were spoofing (this was from the logs that I extracted that grep), then why wouldn't I have 16000 different sober.p sources instead of a few of them over and over?
RE: [Clamav-users] Maybe a virus Sober.P
[EMAIL PROTECTED] wrote:
On Wed, 2005-05-04 at 16:24 +0100, Nigel Horne wrote:
On Wednesday 04 May 2005 16:16, [EMAIL PROTECTED] wrote:
Man that never gets old. hahahaha
not funny. I have no control over this warning.
Yes you do. Use a hotmail/yahoo/gmail account.
At our company, all webmail is blocked and policy forbids its use, as it is harder to scan those messages for viruses (and the last time we got hit by a mass-mailing worm - Melissa - was due to a person using web-mail.) Any company paranoid enough to force a disclaimer on every mail ought to similarly block webmail, if they have any intelligence.

If they're forcing a legally dubious disclaimer on every email (at the bottom after it has been read, in particular), then that's the prima facie case for their lack of intelligence.

Cheers, Phil
Phil Randal Network Engineer Herefordshire Council Hereford, UK
RE: [Clamav-users] Exploit.W32.MS05-002 False Positives
Francis Stevens wrote:
I'm seeing several false positives for Exploit.W32.MS05-002 since I upgraded to 0.82 yesterday. I've posted samples to the submission website but would like to do something about this. Using sigtool -l doesn't list Exploit.W32.MS05-002 as a signature in the database, is there any way I can disable this check? I tried reverting to 0.81 but that didn't help. FAS

Seen it here too.

Cheers, Phil
Phil Randal Network Engineer Herefordshire Council Hereford, UK
RE: [Clamav-users] Virus Name
Look at the thread on http://news.gmane.org/gmane.comp.security.virus.clamav.user entitled "RAR Module Failure". ClamAV supports RAR 2 and not RAR 3 format archives.

Cheers, Phil
Phil Randal Network Engineer Herefordshire Council Hereford, UK

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Frisvold
Sent: 03 February 2005 14:02
To: clamav-users@lists.clamav.net
Subject: [Clamav-users] Virus Name

Hi all, There is an article on zdnet regarding a new type of trojan that uses an ISP's mailserver to send spam. I'm not at all interested in getting into a discussion regarding this.. What I am interested in is to know if anyone has seen this in the wild, and whether or not ClamAV currently has a signature for it. Unfortunately, the article does not detail how this Trojan is installed onto the user's system. However, mail seems to be one of the most prevalent methods, so I'm guessing it will come in that way... So, anyone know if this is blocked by Clam yet, and if so, the name? For those interested, that article is located here: http://news.zdnet.com/2100-1009_22-5560664.html Thanks!
-- Jason Frisvold Penteledata
RE: [Clamav-users] Are we safe - WORM_BAGLE.AZ
[EMAIL PROTECTED] wrote:
Trog wrote:
It is detected by Clam as Trojan.Downloader.Small-165, which was added on 8th Nov 2004 by Christoph.
Wow, that was some time ago, and TrendNet is only just now putting out an update! That's scary! Thanks Trog
-- Craig Daters ([EMAIL PROTECTED]) Systems Administrator West Press Print Communications 1663 West Grant Road Tucson, Arizona 85705 (520) 624-4939 (520) 624-2715 fax www.westpress.com

We caught our first copy at 10:20 GMT today. ClamAV, Bitdefender, and McAfee's uvscan (4423 DATs) all detected it.

Cheers, Phil
Phil Randal Network Engineer Herefordshire Council Hereford, UK
RE: [Clamav-users] Are we safe - WORM_BAGLE.AZ
[EMAIL PROTECTED] wrote:
Craig Daters wrote:
Wow, that was some time ago, and TrendNet is only just now putting out an update! That's scary! Thanks Trog
What concerns me (if it is true that ClamAV has detected this specific variant since November) is that ClamAV is not performing due diligence and sharing samples to protect users of other products on the Internet. AV teams working together is a good thing, and I personally share all of my samples with over 20+ AV vendors. sk3tch

Hold on a minute there! ClamAV detects it because it matches an existing ClamAV virus pattern - that is serendipitous rather than malicious.

Cheers, Phil
Phil Randal Network Engineer Herefordshire Council Hereford, UK
RE: [Clamav-users] downloading without advertising
David Thompson wrote:
I would like to download clamav. However using adblock in mozilla stops the ability to download.

I'm using AdBlock here without problems. It looks like you have some erroneous or over-zealous AdBlock rules.

Cheers, Phil
Phil Randal Network Engineer Herefordshire Council Hereford, UK
RE: [Clamav-users] Error compiling Mail-Clamav 0.11 - Please help
Alessandro Bianchi wrote:
I've reopened the bug I filed against Mail::ClamAV for this issue: http://rt.cpan.org/NoAuth/Bug.html?id=7320 The workaround is to uninstall 0.80rc, install 0.75, build Mail::ClamAV, uninstall 0.75, reinstall 0.80rc.
Thank you Phil. Alex

Unfortunately, Mail::ClamAV's author is NOT being at all helpful:
"rc stands for release candidate. It is NOT a release. Also please note the libclamav 0.80rc3 is very buggy and should not be used anyway. Use 0.75.1 until 0.80 comes out. Scott"

Sighing loudly, Phil
Phil Randal Network Engineer Herefordshire Council Hereford, UK
RE: [Clamav-users] Notification E-mail
Steffen wrote:
Hi
Why? Since all you achieve with rejects is indirectly causing a lot of virus bounces to appear at innocent bystanders.
NO. Virii are usually sent directly from the virus and the virus will not send bounces... :D However, if a virus can send through an SMTP server, that server needs to be blamed for forwarding virii. Regards, Steffen

BUT... The bounce goes back to the spoofed sender, not the actual sender. Read the SMTP RFCs sometime.

Cheers, Phil
Phil Randal Network Engineer Herefordshire Council Hereford, UK
Clamav-users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/clamav-users
RE: [Clamav-users] Worm.Mydoom.R
Submit it to the clamav team (link on www.clamav.net). It is probably Mydoom.u (McAfee). http://vil.nai.com/vil/content/v_128346.htm

Phil
Phil Randal Network Engineer Herefordshire Council Hereford, UK

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steffen Heil
Sent: 09 September 2004 14:35
To: [EMAIL PROTECTED]
Subject: [Clamav-users] Worm.Mydoom.R

Hi
On 2004-08-11, I got the following.
Submission: n/a
Sender: n/a
Virus: Worm.Mydoom.R
Alias: Worm/MyDoom.r (Hbedv), W32/MyDoom-R (Sophos), [EMAIL PROTECTED] (Bitdefender), Win32.HLLM.MyDoom.27136 (Drweb)
Added: Worm.Mydoom.R
Note: It has been already detected as Worm.Mydoom.Gen-unp by devel version. The signature added for stable version.
But today, I got a virus that was not detected with most recent clamd: ClamAV version 0.75-1 and recent freshclam:
main.cvd is up to date (version: 26, sigs: 22925, f-level: 2, builder: tomek)
daily.cvd is up to date (version: 483, sigs: 1113, f-level: 2, builder: ccordes)
The virus was detected using McAfee Antivirus Enterprise 7.0:
Attachment file: syu.zip
Virus name: W32/[EMAIL PROTECTED]
Secondary action taken: Moved...
Is there anything I can do to make clamav detect these? - WITHOUT having to take the CVS version. I see that there will always be some new virii that can only be detected using cvs, but a virus that was added 2004-08-11 and that is not detected today IS a problem. (Otherwise I am very happy with clamav. I have used it for 6 months now and had only 2 virii getting through. One was added to the database several minutes later, the other is the one above.)
Regards, Steffen
RE: [Clamav-users] Idea for more timely virusdb updates
Daniel J McDonald wrote:
> That's one of the things that seems to be driving the size of daily.cvd up - updating main.cvd entails a massive distribution of files to the world.

Current main.cvd = 1103636 bytes, last updated on July 8
Current daily.cvd = 156470 bytes

A bit of mental arithmetic suggests that daily.cvd grows by about 5KB per day. A few sums in my head suggest that total download savings in a month if main.cvd was updated fortnightly would be around 200KB (circa 3100KB total download instead of 3300KB), a virtually insignificant difference.

> Perhaps a tiered approach to the update files, with main.cvd, monthly.cvd, weekly.cvd, daily.cvd, and hot.cvd
>
> The advantage there is that the really big update could be distributed very seldom - perhaps only with new code (the code generally has to be upgraded every few months to deal with a new threat anyway).

Big updates often remove false positives and improve detections of existing viruses, so might still need monthly (or more frequent) updating.

> If you had overlapping signatures between the files, you could add a fuzzy-factor into freshclam so that it might not bring down the latest weekly/monthly if the other files overlap completely. That would distribute the load on the freshclam servers for the larger updates, and there would just be the very small daily.cvd (and perhaps hot.cvd) downloads.

If we could use incremental (or, more correctly, differential) updates which effectively create a new main.cvd then we could have a large reduction in the load on the download servers. However, we then have the problem of ensuring that main.cvd remains consistent.

> I like the idea of using DNS to signal the change - maybe just for hot.cvd. So, whenever a major virus breakout occurs, the new sig would be added to hot.cvd and the DNS TXT record changed. 10,000 users pulling down a 2-3K file is not terribly hard for a server with decent bandwidth.

I've known DNS servers to completely ignore TTL figures and cache stuff which should have expired, so this might not be reliable.

Cheers,

Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
RE: [Clamav-users] Error: Verification: Broken or not a CVD file
[EMAIL PROTECTED] wrote:
> Everyone,
>
> For the last 2 days I have been getting:
>
>   ERROR: Verification: Broken or not a CVD file
>
> when freshclam tries to download an updated file. I am getting this message on both of our servers. Any ideas?
>
> Greg Ennis

Which version of ClamAV are you using? If it's less than 0.75.1, upgrade.

Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
[Clamav-users] ClamAV Virus DB updates list not up to date
Last update details on clamav-virusdb is 349 (June 10th), current version is 354. Are the individual update summaries available elsewhere?

Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
RE: [Clamav-users] Re: Freshclam not responding
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gervase
Sent: 03 June 2004 14:24
To: [EMAIL PROTECTED]
Subject: RE: [Clamav-users] Re: Freshclam not responding

> On Wed, 2004-06-02 at 15:49, Ron Snyder wrote:
> > if you do a 'dig database.clamav.net' or a 'host database.clamav.net', do you get useful answers?
>
> No. Both merely say:
>
>   truncated, retrying in TCP mode, timed out - no servers could be reached.
>
> I am baffled, especially by the fact that the problem first occurred for no apparent reason while happily using Clamav 0.70. Upgrading to 0.71 didn't help. I agree with you and others that the firewall is the most likely culprit but turning it off didn't help. Nor did changing ISPs. I have not made any amendments to freshclam.conf, nor to clamav.conf (except for the necessary addition of # before Example).
>
> We seem to have eliminated everything. I think that I have reached the end of my technical ability and have tried your and others' patience enough so will start from scratch with a reformat and reinstall.
>
> I am most grateful to you and all who have helped. Although the problem is not solved, I have learned a lot and maybe one day I shall have enough knowledge to help others lower down on the learning curve.
>
> Gervase

It's a firewalling problem. Many sysadmins mistakenly think that DNS queries only use UDP port 53. You need to allow TCP port 53 out (and the response back) too.

See http://www.intac.com/~cdp/cptd-faq/section2.html#ports for the explanation.

Cheers,

Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
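The "truncated, retrying in TCP mode" line Gervase quotes is the resolver's normal behaviour: when an answer does not fit in a UDP reply the server sets the TC bit, and the client repeats the same query over TCP port 53, which is exactly the traffic a UDP-only firewall rule drops. The C code below is an added example (not ClamAV or freshclam code) that shows what this looks like on the wire: it builds a TXT query for database.clamav.net (the name used in the thread), checks a constructed reply header for the TC bit, and wraps the query in the two-byte length prefix DNS uses over TCP. The sample reply bytes are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_TYPE_TXT 16       /* TXT, the record type the thread discusses for update signalling */
#define DNS_CLASS_IN 1
#define DNS_FLAG_TC  0x02     /* flags byte 2: the answer did not fit in the UDP reply */
#define DNS_HEADER   12

/* Build a standard recursive query for `name`.  Returns the message length,
 * or 0 if the name is malformed or the buffer is too small. */
size_t dns_build_query(const char *name, uint16_t qtype, uint16_t id,
                       unsigned char *out, size_t outlen)
{
    size_t name_len = strlen(name);
    /* encoded name = name_len + 2 (leading length byte plus trailing root label) */
    if (name_len == 0 || name_len > 253 || outlen < DNS_HEADER + name_len + 2 + 4)
        return 0;
    memset(out, 0, DNS_HEADER);
    out[0] = (unsigned char)(id >> 8); out[1] = (unsigned char)(id & 0xff);
    out[2] = 0x01;                      /* RD set; QR, opcode, AA and TC clear */
    out[5] = 1;                         /* QDCOUNT = 1 */
    size_t pos = DNS_HEADER;
    const char *label = name;
    while (*label) {
        const char *dot = strchr(label, '.');
        size_t l = dot ? (size_t)(dot - label) : strlen(label);
        if (l == 0 || l > 63)           /* empty or oversized label */
            return 0;
        out[pos++] = (unsigned char)l;
        memcpy(out + pos, label, l);
        pos += l;
        label = dot ? dot + 1 : label + l;
    }
    out[pos++] = 0;                     /* root label terminates the name */
    out[pos++] = (unsigned char)(qtype >> 8); out[pos++] = (unsigned char)(qtype & 0xff);
    out[pos++] = 0;                           out[pos++] = DNS_CLASS_IN;
    return pos;
}

/* 1 if the TC bit is set (the client must repeat the query over TCP),
 * 0 if not, -1 if the buffer is too short to hold a DNS header. */
int dns_response_truncated(const unsigned char *msg, size_t len)
{
    if (len < DNS_HEADER)
        return -1;
    return (msg[2] & DNS_FLAG_TC) ? 1 : 0;
}

/* DNS over TCP (RFC 1035 section 4.2.2) prefixes every message with a
 * two-byte big-endian length.  Returns bytes written, or 0 on overflow. */
size_t dns_frame_tcp(const unsigned char *msg, size_t len,
                     unsigned char *out, size_t outlen)
{
    if (len > 0xffff || outlen < len + 2)
        return 0;
    out[0] = (unsigned char)(len >> 8);
    out[1] = (unsigned char)(len & 0xff);
    memcpy(out + 2, msg, len);
    return len + 2;
}

/* Constructed sample reply header: QR, TC, RD and RA set, one question and
 * one answer.  This is what a resolver sees just before it switches to TCP. */
static const unsigned char SAMPLE_TRUNCATED_REPLY[DNS_HEADER] = {
    0x12, 0x34, 0x83, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00 };

int main(void)
{
    unsigned char query[512], framed[514];
    size_t qlen = dns_build_query("database.clamav.net", DNS_TYPE_TXT, 0x1234,
                                  query, sizeof query);
    size_t flen = dns_frame_tcp(query, qlen, framed, sizeof framed);
    printf("UDP query: %zu bytes, TCP-framed: %zu bytes\n", qlen, flen);
    printf("sample reply truncated: %d -> resolver retries on TCP port 53\n",
           dns_response_truncated(SAMPLE_TRUNCATED_REPLY, sizeof SAMPLE_TRUNCATED_REPLY));
    return 0;
}
```

A firewall that passes the 37-byte UDP datagram but not the 39-byte TCP stream produces precisely the "timed out" Gervase saw, so the check on a suspect host is whether TCP/53 egress and its return traffic are permitted, not just UDP/53.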
RE: [Clamav-users] Virus Names
Graham Murray wrote:
> So maybe, as with celestial objects, there should be agreement that the first AV 'vendor' to publish a detection for a virus should be given the honour of naming it and the other vendors adopt the same name rather than inventing their own (and potentially causing confusion). So if Clamav is first, other vendors should adopt its name and if some other vendor is first then Clamav should use the name that vendor gives it.

Viruses are discovered a darned sight more rapidly than celestial objects. Let's not waste the antivirus folks' time by making them jump through hoops over naming protocols. I'd rather priorities were given to protecting us from the darned things instead of worrying about what the vendors call them.

Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
RE: [Clamav-users] clam not fresh
> I do still have the old style signatures located in /usr/share/clamav from clam-0.65. Tomasz mentioned in an earlier post that this could be the problem. I am wondering if I should change the freshclam.conf database line from /var/lib/clamav to /usr/share/clamav? It seems to me that I am updated, as I have the same number of signatures as you do, but when I grep it for somefool, maybe it is going to the old set in the other directory? What do you think?

I think it is time for you to erase ALL of your clamAV files, wherever you have them scattered, and reinstall and reconfigure, so you only have one set of .conf files and one set of .cvd files, and then reboot. At least then you'll know where to look and/or get meaningful error messages.

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
RE: [Clamav-users] Iframe messages
Don't call us, we'll call you. Marketing emails are spam unless explicitly requested.

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Colin A. Bartlett
Sent: 24 March 2004 12:43
To: [EMAIL PROTECTED]
Subject: RE: [Clamav-users] Iframe messages

> Stuart Mycock
> Sent: Wednesday, March 24, 2004 5:03 AM
>
> What's the consensus about messages with embedded iframe links? They look like a great potential for viral activity because they can be used to auto-download viruses, etc.. The reason I ask is my secondary AV caught a couple of messages that got past clam that weren't carrying a virus as such but contained iframe code.

I use MailScanner with ClamAV and by default it catches Iframes. I've left it on but the only emails that it has appeared to catch seem to be quasi-legitimate marketing emails. Can't be too important though since no clients have complained.

I would think that scanning for iframes would be better left to something like MailScanner or Amavis rather than Clam.

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz
RE: [Clamav-users] attachment-free worms
Jeffrey Moskot wrote:
> Based on what this article says, it looks like there will soon be problems with my config:
>
> http://www.sophos.com/virusinfo/articles/bagletwist.html
>
> I wasn't able to get my version of amavis properly patched to submit the body of the message to clam (or at least as far as I can tell, that's not what's happening). The clam team saved my butt last round by coming up with those generic signatures, but does this article mean I'm finally going to beat my old amavis script into shape?
>
> Jeffrey Moskot
> System Administrator
> [EMAIL PROTECTED]

MailScanner (http://www.mailscanner.info) as of today's version 4.29.2 can now disable Object Data tags.

And ClamAV catches it (of course):

  ClamAV databases updated (18-mar-2004 12:02 GMT): daily.cvd, viruses.db2 version: 194
  Submission: 2032
  Sender: webdigger
  Submitted virus name: Unknown Virus
  Virus name: Exploit.HTML.Bagle.Q-eml
  Notes: Worm.Bagle.Q has the ability to distribute through
  Notes: an e-mail with a HTML exploit (and no binary
  Notes: attachment). This signature will detect these e-mails.
  Added: Yes

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
RE: [Clamav-users] Troubles with recent clamav's
Doug Hardie wrote:
> The problem I encountered has now been identified and I have a working clamd that does not hang. I compiled it two different ways and both worked. The problem was /dev/urandom returning either a -1 or a 0. Either of those will cause others.c to hang as it does not test for that condition. One approach was to put in a trivial test for it and exit from the loop. The other was to remove the define for C_URANDOM in the .h file. Both of those approaches worked in my testing. Since I couldn't easily determine if the first would have some side effects if it didn't return enough random bits, I have gone with the second approach. My production server has been running for slightly over 6 hours now and no problems have been seen.

0 is a valid return value from either /dev/urandom or rand(). And if urandom returns -1, shouldn't we just fall back to using rand()?

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
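To make the failure mode concrete, here is an added C example (not ClamAV's others.c and not Doug's patch) of a read loop that does test for read() returning 0 or -1, with the seeded rand() fallback Phil suggests so that a dead or short random source degrades rather than hangs the daemon. The helper demo_short_source() is a hypothetical test aid constructed for this example: it uses a pipe as a stand-in for a device that delivers fewer bytes than requested and then EOF, which is the case in which a loop that only adds up byte counts would spin forever.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Read exactly len bytes from fd.  Returns 0 on success and -1 if the
 * descriptor reports EOF (read() == 0) or a non-retryable error (-1) before
 * the buffer is full.  A loop that only accumulates byte counts and never
 * inspects those two results never terminates in exactly this situation. */
int read_fully(int fd, unsigned char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n > 0) {
            got += (size_t)n;
        } else if (n == 0) {
            return -1;                 /* EOF: nothing more will ever arrive */
        } else if (errno != EINTR) {
            return -1;                 /* real error; only a signal interruption is retried */
        }
    }
    return 0;
}

/* Fill buf with random bytes from /dev/urandom.  Returns 0 when the device
 * delivered every byte and 1 when the (non-cryptographic) seeded rand()
 * fallback had to be used, so callers can tell the two apart. */
int fill_random(unsigned char *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd >= 0) {
        int rc = read_fully(fd, buf, len);
        close(fd);
        if (rc == 0)
            return 0;
    }
    /* Fallback path: weaker randomness, but it never blocks the caller. */
    srand((unsigned)time(NULL) ^ (unsigned)getpid());
    for (size_t i = 0; i < len; i++)
        buf[i] = (unsigned char)(rand() & 0xff);
    return 1;
}

/* Hypothetical test helper (constructed for this example): a pipe carrying
 * `available` bytes followed by EOF stands in for a device that returns
 * short.  Returns read_fully()'s result, or -2 if the pipe could not be set up. */
int demo_short_source(size_t available, size_t wanted)
{
    unsigned char src[64], dst[64];
    int p[2];
    if (available > sizeof src || wanted > sizeof dst || pipe(p) != 0)
        return -2;
    memset(src, 0xAB, sizeof src);
    if (write(p[1], src, available) != (ssize_t)available) {
        close(p[0]);
        close(p[1]);
        return -2;
    }
    close(p[1]);                       /* writer gone: reads past `available` return 0 */
    int rc = read_fully(p[0], dst, wanted);
    close(p[0]);
    return rc;
}

int main(void)
{
    unsigned char key[16];
    int rc = fill_random(key, sizeof key);
    printf("fill_random: %s\n", rc == 0 ? "from /dev/urandom" : "rand() fallback");
    printf("4 bytes available, 4 wanted: %d\n", demo_short_source(4, 4));
    printf("4 bytes available, 8 wanted: %d (returned instead of hanging)\n",
           demo_short_source(4, 8));
    return 0;
}
```

The distinction between the two return codes matters operationally: a daemon that silently switches to rand() should log it, since that is the signal that the platform's random device is misbehaving, which is what Doug was seeing.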
RE: [Clamav-users] Problem with *.zip atachments!
MailScanner users need to upgrade to MailScanner 4.28.4 (just out), which can block password-protected .zip files.

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Thomas Lamy
Sent: 03 March 2004 15:02
To: [EMAIL PROTECTED]
Subject: Re: [Clamav-users] Problem with *.zip atachments!

Grzegorz Staleczyk wrote:
> Hey There!
>
> I've got a problem with viri on *.zip attachments in e-mails! When I scan file.zip by hand clamscan finds the virus, but e-mail with these infected files in the attachment can go (IT IS NOT STOPPED!) Why? What have I wrongly configured?
>
> [EMAIL PROTECTED] ~]$ /usr/local/bin/clamscan freaky.zip
> freaky.zip: Worm.SomeFool.B.2 FOUND
>
> --- SCAN SUMMARY ---
> Known viruses: 20366
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.02 MB
> I/O buffer size: 131072 bytes
> Time: 10.594 sec (0 m 10 s)
>
> Mar 3 14:53:55 mail MailScanner[11494]: /export/home2/mail/incoming/11494/./i23Dps11/portmoney.zip : Worm.SomeFool.B FOUND
> Mar 3 14:53:56 mail MailScanner[11494]: Virus Scanning: ClamAV found 1 infections
> Mar 3 14:53:56 mail MailScanner[11494]: Virus Scanning: Found 1 viruses
> Mar 3 14:53:59 mail MailScanner[11494]: Filetype Checks: Allowing i23Dps11 portmoney.zip
> Mar 3 14:54:00 mail MailScanner[11494]: Virus Scanning completed at 934 bytes per second
> Mar 3 14:54:01 mail MailScanner[11517]: Virus Scanning completed at 86 bytes per second
>
> I have run on Solaris 8, Clam AntiVirus Scanner 0.67, MailScanner 4.26.8
>
> Thanks for your help!

Please fix your MailScanner configuration. I'm of no further help, since I don't know MailScanner, but from the logs I can see that clamAV actually _found_ the virus, but MailScanner is forwarding it.

Thomas
RE: [Clamav-users] Why are the virus names different?
Would you rather have a prompt and timely detection of new viruses or wait for a committee to decide a common name? Your call.

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Andrew McCall
Sent: 26 February 2004 10:50
To: [EMAIL PROTECTED]
Subject: [Clamav-users] Why are the virus names different?

Hi,

Can anyone tell me why the virus names within ClamAV are different from ones from other virus vendors?

For example, W32.Netsky.B (as called by Sophos, McAfee etc.) is detected and named Worm.Somefool by ClamAV.

Thanks,

Andrew McCall
RE: [Clamav-users] Worm.SomeFool is this w32/Netsky.b@MM
What McAfee detects as Netsky and Netsky.b are both detected by ClamAV as Worm.SomeFool. It's starting to flood in here.

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Lucas Albers
Sent: 18 February 2004 16:32
To: [EMAIL PROTECTED]
Subject: [Clamav-users] Worm.SomeFool is this w32/[EMAIL PROTECTED]

I saw this virus show up today: Worm.SomeFool

Updated here:

  Submission: 1235-web
  Sender: Tobias Oetiker
  Virus: Unknown Virus
  Added: Worm.SomeFool
  Notes: File uses the same icon as a word document, double extension (.rtf.pif i.e.), starts to massmail with a own smtp engine, drops a 'services.exe' in the %windows% folder. Name could be changed later.

Is it this mcafee virus?

  This is a Medium Threat Advisory for W32/[EMAIL PROTECTED] worm.

  Justification
  W32/[EMAIL PROTECTED] has been deemed Medium due to prevalence.

  Read About It
  Information about W32/[EMAIL PROTECTED] is located on VIL at:
  http://vil.nai.com/vil/content/v_101034.htm

--
Luke
Computer Science System Administrator
Security Administrator, College of Engineering
Montana State University-Bozeman, Montana
RE: [Clamav-users] What exactly is the Worm.YoursID ?
It is also known as W32/[EMAIL PROTECTED] (McAfee) and Alua (Symantec).

http://vil.nai.com/vil/content/v_101030.htm

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Support ePaxsys/FRWS
Sent: 17 February 2004 17:06
To: [EMAIL PROTECTED]
Subject: [Clamav-users] What exactly is the Worm.YoursID ?

What is the Worm.YoursID virus/worm? This is one virus/worm that has become active since last night. Any clue what it may be? Google searches, archived list searches and searches anywhere I can think of failed to find any record of the name. Is it just hitting this one instead of maybe Klez or one of the other viruses and giving us a false indication of what it really is?

  Subject: ID mradjaip... thanks
  MessageID: i1HHseJH008422
  Report: nlvygxcuy.exe contains Worm.YoursID
  Executable DOS/Windows programs are dangerous in email (nlvygxcuy.exe)
  No programs allowed (nlvygxcuy.exe)

Thanks for a good product, protects thousands a day!

JPP
ePaxsys/FRWS Technical Staff
ePaxsys, Inc. http://www.epaxsys.net
FRWS: http://www.frws.com
Live Text Support: http://www.epaxsys.net/live-help
RE: [Clamav-users] libunrar.so support?
http://www.win-rar.com/index.php?lang=aid=knowlkb_category_id=kb_article_id=67kb=

And the license.txt reads:

  unRAR - free utility for RAR archives
  License for use and distribution of FREE portable version

The source code of unRAR utility is freeware. This means:

1. All copyrights to RAR and the utility unRAR are exclusively owned by the author - Eugene Roshal.

2. The unRAR sources may be used in any software to handle RAR archives without limitations free of charge, but cannot be used to re-create the RAR compression algorithm, which is proprietary. Distribution of modified unRAR sources in separate form or as a part of other software is permitted, provided that it is clearly stated in the documentation and source comments that the code may not be used to develop a RAR (WinRAR) compatible archiver.

3. The unRAR utility may be freely distributed. No person or company may charge a fee for the distribution of unRAR without written permission from the copyright holder.

4. THE RAR ARCHIVER AND THE UNRAR UTILITY ARE DISTRIBUTED AS IS. NO WARRANTY OF ANY KIND IS EXPRESSED OR IMPLIED. YOU USE AT YOUR OWN RISK. THE AUTHOR WILL NOT BE LIABLE FOR DATA LOSS, DAMAGES, LOSS OF PROFITS OR ANY OTHER KIND OF LOSS WHILE USING OR MISUSING THIS SOFTWARE.

5. Installing and using the unRAR utility signifies acceptance of these terms and conditions of the license.

6. If you don't agree with terms of the license you must remove unRAR files from your storage devices and cease to use the utility.

Thank you for your interest in RAR and unRAR.

Eugene Roshal

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Tomasz Kojm
Sent: 12 February 2004 15:01
To: [EMAIL PROTECTED]
Subject: Re: [Clamav-users] libunrar.so support?

On Tue, 10 Feb 2004 10:56:37 -0500
Joshua Megerman [EMAIL PROTECTED] wrote:

> It appears that someone has adapted the UnRAR 3.0 code to be a linux/unix shared library similar to the uRarLib currently used to

What is the license of that code? I downloaded it and it compiles and works OK, but it's "Released under rarlab licence (see http://www.rarlab.com)" and I can't find any license information for the code there.

Best regards,
    Tomasz Kojm

--
[EMAIL PROTECTED] www.ClamAV.net
http://www.clamav.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Thu Feb 12 15:58:57 CET 2004
RE: [Clamav-users] Spam filter and clam-av
MailScanner (from http://www.mailscanner.info).

See also http://www.sng.ecs.soton.ac.uk/mailscanner/install/zmailer.shtml for how to use it with ZMailer.

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Claudio Alonso
Sent: 09 February 2004 15:32
To: [EMAIL PROTECTED]
Subject: [Clamav-users] Spam filter and clam-av

Hello,

I'd like to know if you can recommend any spam filter to work together with clamav on a Digital Unix server running ZMailer.

Thanks a lot,

--Claudio
RE: [Clamav-users] MyDoom???
I think you'll find it was one of the first to detect it. ClamAV calls it Worm.SCO.A, and it has caught hundreds of the critters here.

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dinko Ivanov
Sent: 04 February 2004 10:57
To: [EMAIL PROTECTED]
Subject: [Clamav-users] MyDoom???

When will clamav detect MyDoom? I hope soon?!
[Clamav-users] Mimail.R/S
ClamAV's just detected Worm.Mimail.R here. McAfee calls it Mimail.s - http://vil.nai.com/vil/content/v_100989.htm

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
RE: [Clamav-users] Worm.SCO.A
ClamAV was picking up the original version here 6 hours before McAfee had their 4319 DATs out, and detected the B variant here yesterday at least 4 hours before McAfee's 4320 DATs were released.

You guys deserve medals. A big heartfelt thank you to all the ClamAV team (and virus submitters).

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kevin Spicer
Sent: 29 January 2004 00:01
To: [EMAIL PROTECTED]
Subject: Re: [Clamav-users] Worm.SCO.A

On Wed, 2004-01-28 at 16:01, Patricia Viana wrote:
> Hi.
>
> My SMTP filter running ClamAV is blocking a huge amount of messages with the Worm.SCO.A. It seems to be the same virus as MyDoom or Novarg. Can anyone confirm this?!

That is correct. Clam had a signature whilst the commercial vendors were still busy thinking up names, hence the difference.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.