Re: [clamav-users] Compiling and installing from an NFS mount
As an administrator I would be very afraid to automate the installation or updating of any software. Are you doing many machines? If so, and they all use the same OS, why not build on one, and just distribute the build to all the others?

Just sharing :)

From: deha...@drever.be
To: clamav-users@lists.clamav.net
Date: Tue, 13 Mar 2012 15:32:40 +0100
Subject: Re: [clamav-users] Compiling and installing from an NFS mount

Hmm, my script is a bit more complex as it:
- unzip, untar
- configure
- make, make check
- backs up the current clamav directory (who knows...)
- backs up the configuration files
- disable the clamav service (I'm running on Solaris)
- make uninstall (from the previous build directory)
- make install
- mkdir, chown, chmod the service method and manifest subdirectories under the prefix directory (which is /opt/clamav here)
- touches /opt/clamav/etc/clamd if needed
- copies the manifest if needed
- imports the manifest to create the service if needed
- compares the old revision freshclam.conf.orig and freshclam.conf to reapply (patch) the same changes to the current freshclam.conf
- does the same for clamd.conf
- checks if my own signatures have not disappeared
- enables the service and checks if it starts smoothly.

It's maybe overkill here and there but, for instance, I don't want to reconfigure manually clamav and freshclam from the default files, and I don't want to keep the old configuration files that may miss new settings.

If you have any advice, please share!

Thank you
Regards,
Pierre

On 13 Mar 2012 at 11:47, G.W. Haywood wrote:

[...]

What's wrong with a small shell script?

    #!/bin/bash
    cd /tmp
    tar xzvf /nfs_mount/clamav-x.xx.tgz
    cd clamav-x.xx
    ./configure --with-various-options
    make
    sudo make install
    cd ..
    rm -rf clamav-x.xx

--
73,
Ged.
___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [clamav-users] My outdated Clam.
hhh...

I have over 250 users at my site. We use clamAV on our mail (SMTP) gateway currently running FC 16. It's not just good, it's great :) and given it's open source I have to take my hats off to those who commit the time to make it happen, and I hardly consider myself a guru (or technically ... knowledgeable)

Yes, the average consumer should not be concerned with such stuff, but if you're on this list, I would hardly consider you the average consumer.

It's like Alulah used to say. First learn to play before you sit down to jam :)

Date: Sat, 10 Mar 2012 11:47:57 -0700
From: jimli...@commspeed.net
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] My outdated Clam.

On 03/07/2012 12:25 PM, Steve Kirkby wrote:

I accept that clam is a good anti-malware software, and that those who understand all this technicality are very knowledgeable and intelligent, but it is so many light-years away for the average consumer that it is unsuitable for any other user than a technical guru. Commercial software, such as Microsoft Word, Photoshop, and also various anti-malware software, install at the touch of a key without any complexity. Compare that to the download for Clam: 55 folders and files, only one of which looked like an installation, and that had Terminal instructions.

That is why there is a default installation for most platforms and vendors do updates as they can. Unfortunately that means that there is always a lag in updating and it does not usually mean much. The warnings about out-of-date do not mean much as long as they are for minor updates of the application itself, e.g. 0.97.2 - 0.97.3. If your signatures are more than a day overdue for updating that is another matter.

Sorry folks, but I have removed as much of Clam as I can and, regretfully but thankfully, will not approach it ever again. But thanks for the reply.

Sorry you feel that way, but with these sentiments, you are probably better off with one of the other free AV solutions.

--
Jim Preston
jimli...@commspeed.net
Re: [clamav-users] clamav dies unexpectly
I've been having the same issue with my Linux FC 8 X86_64.

ClamAV 0.96.5/13427/Wed Aug 10 16:31:52 2011 (I know it's old, I need to update)

I use the old restarting the daemon every night method. It seems to work for me.

From: uli...@mfp.gov.cu
To: clamav-users@lists.clamav.net
Date: Thu, 11 Aug 2011 15:02:48 -0400
Subject: Re: [clamav-users] clamav dies unexpectly

On Thursday 11 August 2011 02:29:17 pm Török Edwin wrote:

How? Is it a SIGSEGV/SIGBUS/something else?

Excuse me, how can I do this...??

Grep your dmesg for messages about clamd (segfaults are usually logged there). Also see if clamd created a core file.

There is nothing in dmesg

    servergrupo:~/clamv-clamuko-squeeze# dmesg | grep clamav
    servergrupo:~/clamv-clamuko-squeeze# dmesg | grep clamd
    servergrupo:~/clamv-clamuko-squeeze#

See here for instructions on how to get a stacktrace: http://www.clamav.net/lang/en/bugs/

I'll do this

Then open a bug on bugs.clamav.net. Also does this happen only if you enable Clamuko in clamd.conf, or does it happen if you disable it too?

No, if I don't enable clamuko it selfchecks correctly

    Thu Aug 11 14:55:59 2011 - PDF support enabled.
    Thu Aug 11 14:55:59 2011 - HTML support enabled.
    Thu Aug 11 14:55:59 2011 - Self checking every 72 seconds.
    Thu Aug 11 14:57:11 2011 - No stats for Database check - forcing reload
    Thu Aug 11 14:57:12 2011 - Reading databases from /var/lib/clamav
    Thu Aug 11 14:57:18 2011 - Database correctly reloaded (1018481 signatures)

It only happens with clamuko enabled

--
Regards
Ulinx
Network administrator
Ministerio de Finanzas y Precios
Linux user 366775
In a problem with n equations there will always be at least n+1 unknowns.
Re: [Clamav-users] error in make install libtool: install: `' is not a directory
Bonjour!

You are referencing root ( / ) as the library directory. Not sure what --libdir is for but I am pretty sure you should not be building to the root directory. Try changing it to --libdir=/usr/lib or --libdir=/usr/local/lib which are the traditional locations.

Shawn

From: laurent.he...@ehess.fr
To: clamav-users@lists.clamav.net
Date: Thu, 29 Jul 2010 15:24:32 +0200
Subject: [Clamav-users] error in make install libtool: install: `' is not a directory

Hello,

I am using clamav by compiling it from sources. I have a 0.96 version compiling and working fine on a Linux Opensuse 11.1 x64.

While trying to install from 0.96.1 sources with this configure:

    ./configure --with-user=mail --with-group=mail --enable-clamdtop --enable-bigstack --sysconfdir=/etc --libdir=/

the make install goes wrong with:

    [...]
    make[3]: entrant dans le répertoire « /root/clamav-0.96.1/libclamav »
    GENversion.h.tmp
    GENversion.h
    make[4]: entrant dans le répertoire « /root/clamav-0.96.1/libclamav »
    GENversion.h.tmp
    GENversion.h
    test -z / || /bin/mkdir -p /
    /bin/sh ../libtool --mode=install /usr/bin/install -c libclamunrar.la libclamunrar_iface.la libclamav.la '/'
    libtool: install: `' is not a directory
    libtool: install: Try `libtool --help --mode=install' for more information.
    make[4]: *** [install-libLTLIBRARIES] Erreur 1
    make[4]: quittant le répertoire « /root/clamav-0.96.1/libclamav »
    make[3]: *** [install-am] Erreur 2
    make[3]: quittant le répertoire « /root/clamav-0.96.1/libclamav »
    make[2]: *** [install-recursive] Erreur 1
    make[2]: quittant le répertoire « /root/clamav-0.96.1/libclamav »
    make[1]: *** [install] Erreur 2
    make[1]: quittant le répertoire « /root/clamav-0.96.1/libclamav »
    make: *** [install-recursive] Erreur 1

Has anyone experienced something similar?
Re: [Clamav-users] Feedback on clamav + sanesecurity experience
Checked out GreyListing and Sanesecurity. Both look like really cool tools.

However, we have been using SpamAssassin, ClamAV, with sendmail (Fedora Core 8), and zan.spamhaus.org RBL, which does most of the heavy work of blocking incoming SPAM. I prefer this method since it is not at all resource intensive (it doesn't really need to parse the header or body, doing so only after the RBL oks the IP).

With Greylisting and sanesecurity, you would be doing a lot of processing that the RBL (should) already be blocking. So I would definitely implement RBL first (if not already there), before trying out the others. Again they are fantastic tools, if needed, but how much processor power are you going to throw at every email, vs. the rare occasion that a SPAM email may get through before the RBL is updated?

Shawn

Date: Tue, 20 Jul 2010 21:54:55 +0200
From: moind...@unistra.fr
To: clamav.u...@seibercom.net
CC: clamav-users@lists.clamav.net
Subject: Re: [Clamav-users] Feedback on clamav + sanesecurity experience

Hi Everyone,

We are currently using clamav (0.96.1), spamassassin (3.3.1), greylisting (4.2.5) and sendmail (8.14.4) on our mailserver's cluster (OS: freeBSD 8.0) at the University of Strasbourg. This antispam and antivirus solution was quite sure until last month. We've been having intensive phishing's issues for one month and we are considering using sanesecurity's signatures to improve the situation. We would appreciate any feedback on your experience using clamav with sanesecurity.

Using the signatures provided by Sanesecurity would greatly enhance your AV/AS environment. There are scripts that automate the downloading and installation of these signature files also available on the Sanesecurity site. If you need further information feel free to contact me.

I will set up a test platform and I'll let you know how it goes.

Thanks
Laurence
Re: [Clamav-users] clamav-milter dies after awhile
Date: Fri, 16 Jul 2010 09:39:55 +0300
From: edwinto...@gmail.com
To: clamav-users@lists.clamav.net
Subject: Re: [Clamav-users] clamav-milter dies after awhile

On Thu, 15 Jul 2010 17:35:49 -0700 Jim Preston jimli...@commspeed.net wrote:

On Jul 15, 2010, at 5:14 PM, Jim Preston wrote:

On Jul 15, 2010, at 1:40 PM, Török Edwin wrote:

On Thu, 15 Jul 2010 16:22:49 -0400 Shawn Bakhtiar shashan...@hotmail.com wrote:

having a sinister problem. I have modified a SysV script to start the clamd and then clam-milter. when I check status I get:

    [r...@smtp ~]# /etc/init.d/clamav-milter status
    clamav-milter (pid 3432) is running...
    clamd (pid 3426) is running...

I send an email and the header has:

    X-Virus-Status: Clean
    X-Virus-Scanned: clamav-milter 0.96 at smtp.inksystemsinc.com

I come back a few days later and I get this:

    [r...@smtp ~]# /etc/init.d/clamav-milter status
    clamav-milter dead but subsys locked
    clamd (pid 5152) is running...

This is very similar to what I get with my mail server. Seemed to be happening every time freshclam ran, which is handled via a cron task. I could not figure out what was causing it and just went to a workaround of having a cron task restart the clamav-milter 2 min after the freshclam task. I will be happy to try any solutions that get posted here regarding a fix for this. It is a personal test mail server so I am not terribly concerned about having the restart task.

Thanks,
Jim

Edwin,

This may have nothing to do with Shawn's problem but .. Could this be a problem with SELinux on my system?

    /var/log/clamav-milter.log.scan:audit/audit.log:type=ANOM_ABEND msg=audit(1264972228.023:953): auid=4294967295 uid=46 gid=46 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 pid=25871 comm=clamav-milter sig=25

I do get this in the audit log ...

That doesn't look like an SELinux message (they are all AVC something...), rather it looks like it just logs the fact that the milter crashed. So yes it might be the same problem as Shawn's.

Do you have core files enabled? Did it leave a core file behind? You could also try to attach gdb to clamav-milter, and get a stacktrace when it crashes:

    # gdb /usr/sbin/clamav-milter `pidof clamav-milter`
    ...
    (gdb) continue
    . SIGSEGV
    (gdb) thread apply all bt full

Best regards,
--Edwin

I have freshclam running every hour. If freshclam was the problem I would imagine it would be reproducible.

Here are all lines (grep milt) in /var/log/clamav.log

    Jul 4 09:56:46 smtp clamav-milter[24943]: +++ Started at Sun Jul 4 09:56:46 2010
    Jul 6 14:11:29 smtp clamav-milter[11442]: +++ Started at Tue Jul 6 14:11:29 2010
    Jul 6 20:05:04 smtp clamav-milter[11443]: Message from 8429142657.12...@e2ma.net to sjacob...@postoffice.inksystemsinc.com infected by Heuristics.Phishing.Email.SpoofedDomain
    Jul 8 11:04:52 smtp clamav-milter[11443]: Message from fail_con...@conway.com to uhir...@postoffice.inksystemsinc.com infected by Heuristics.Phishing.Email.SpoofedDomain
    Jul 10 16:10:50 smtp clamav-milter[5157]: +++ Started at Sat Jul 10 16:10:50 2010
    Jul 15 13:03:19 smtp clamav-milter[3431]: +++ Started at Thu Jul 15 13:03:19 2010
    Jul 15 13:03:39 smtp clamav-milter[3432]: Message from fail_con...@conway.com to uhir...@postoffice.inksystemsinc.com infected by Heuristics.Phishing.Email.SpoofedDomain

Here is (/var/log/messages | grep clam) which shows some of the same stuff, however my SELinux is set to passive (log only) - I have had so many problems with SEL, like the theory, suffered in practice.

    ...
    Jul 13 04:01:02 smtp freshclam[19049]: ClamAV update process started at Tue Jul 13 04:01:02 2010
    Jul 13 04:01:02 smtp freshclam[19049]: main.cvd is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven)
    Jul 13 04:01:02 smtp freshclam[19049]: daily.cld is up to date (version: 11359, sigs: 102693, f-level: 53, builder: ccordes)
    Jul 13 04:01:02 smtp freshclam[19049]: bytecode.cld is up to date (version: 31, sigs: 7, f-level: 53, builder: nervous)
    Jul 13 04:05:39 smtp clamd[5152]: SelfCheck: Database status OK.
    Jul 13 04:14:29 smtp kernel: type=1400 audit(1279019669.096:110): avc: denied { getattr } for pid=19613 comm=sendmail path=/var/run/clamd/clamav-milter.socket dev=dm-0 ino=2850822 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
    Jul 13 04:14:29 smtp kernel: type=1400 audit(1279019669.096:111): avc: denied { write } for pid=19613 comm=sendmail name=clamav-milter.socket dev=dm-0 ino=2850822 scontext=system_u:system_r:sendmail_t:s0 tcontext
Re: [Clamav-users] clamav-milter.sock
Looks like a permissions issue??:

Here are the perms on /var/run/clamd which is where my pid files et al are put

    -rw-rw-r-- 1 clamav clamav 4 2010-07-10 16:10 clamav-milter.pid
    srw-r--r-- 1 clamav clamav 0 2010-07-10 16:10 clamav-milter.socket
    -rw-rw-r-- 1 clamav clamav 4 2010-07-10 16:10 clamd.pid
    srw-rw-rw- 1 clamav clamav 0 2010-07-10 16:10 clamd.socket

But more importantly who are the clamd and clam-milt running as?

Date: Thu, 15 Jul 2010 17:47:27 +0200
From: m...@cirm.univ-mrs.fr
To: clamav-users@lists.clamav.net
Subject: [Clamav-users] clamav-milter.sock

Hello,

I ran successfully clamav-milter under solaris 10. My sendmail claims in its log file:

    WARNING: Xclamav-milter: local socket name /var/clamav/clamav-milter.sock missing

The process is running and the socket is listed in /var/clamav:

    srw-r--r-- 1 root root 0 juil. 15 07:49 /var/clamav/clamav-milter.sock

sendmail is running without problems.

Does anyone have an idea?

Thanks a lot!
Marie

Think of the environment! Only print this email if it is really necessary
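Added example (not part of the original post or of ClamAV): a mode-bit check, run over the ls -l lines quoted above, of who may connect to each socket. It assumes Linux semantics, where connect() on a Unix-domain socket needs write permission on the socket file (other systems may ignore socket modes); the function name and the smmsp caller are hypothetical, and directory search permission and SELinux are not checked.

```shell
#!/bin/sh
# Lines copied from the ls -l listing of /var/run/clamd in the post above.
MILTER_SOCK='srw-r--r-- 1 clamav clamav 0 2010-07-10 16:10 clamav-milter.socket'
CLAMD_SOCK='srw-rw-rw- 1 clamav clamav 0 2010-07-10 16:10 clamd.socket'
CLAMD_PID='-rw-rw-r-- 1 clamav clamav 4 2010-07-10 16:10 clamd.pid'

# socket_connect_allowed USER "GROUP ..." "LS-L-LINE"
# Prints yes, no or not-a-socket. Only the classic owner/group/other write
# bit is evaluated; root is treated as bypassing the mode bits.
socket_connect_allowed() (
    user=$1
    groups=$2
    set -f                 # no globbing while splitting the ls line
    set -- $3              # fields: mode links owner group size date time name
    mode=$1 owner=$3 group=$4

    case $mode in
        s?????????*) ;;
        *) echo "not-a-socket"; exit 0 ;;
    esac

    if [ "$user" = root ]; then
        echo yes
        exit 0
    fi

    # Pick the write bit of the one permission class that applies:
    # owner (column 3), group (column 6) or other (column 9).
    if [ "$user" = "$owner" ]; then
        pos=3
    else
        case " $groups " in
            *" $group "*) pos=6 ;;
            *) pos=9 ;;
        esac
    fi

    bit=$(printf '%s' "$mode" | cut -c"$pos")
    if [ "$bit" = w ]; then echo yes; else echo no; fi
)

# Demonstration: an unprivileged MTA account (hypothetical "smmsp"), the
# socket owner, and root against both sockets.
for who in smmsp clamav root; do
    printf '%-7s milter.socket=%s clamd.socket=%s\n' "$who" \
        "$(socket_connect_allowed "$who" "$who" "$MILTER_SOCK")" \
        "$(socket_connect_allowed "$who" "$who" "$CLAMD_SOCK")"
done
```

With the modes shown in the post, only the owner and root pass the check on clamav-milter.socket, while clamd.socket is open to every local user.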
[Clamav-users] clamav-milter dies after awhile
having a sinister problem. I have modified a SysV script to start the clamd and then clam-milter. when I check status I get:

    [r...@smtp ~]# /etc/init.d/clamav-milter status
    clamav-milter (pid 3432) is running...
    clamd (pid 3426) is running...

I send an email and the header has:

    X-Virus-Status: Clean
    X-Virus-Scanned: clamav-milter 0.96 at smtp.inksystemsinc.com

I come back a few days later and I get this:

    [r...@smtp ~]# /etc/init.d/clamav-milter status
    clamav-milter dead but subsys locked
    clamd (pid 5152) is running...

and my emails do not include the X-Virus-Status info.

Files to follow (- comment sections):

    [r...@smtp ~]# more /usr/local/etc/clamd.conf
    LogFacility LOG_LOCAL6
    PidFile /var/run/clamd/clamd.pid
    OfficialDatabaseOnly no
    LocalSocket /var/run/clamd/clamd.socket

    [r...@smtp ~]# more /usr/local/etc/clamav-milter.conf
    MilterSocket /var/run/clamd/clamav-milter.socket
    User clamav
    PidFile /var/run/clamd/clamav-milter.pid
    ClamdSocket unix:/var/run/clamd/clamd.socket
    ReportHostname smtp.inksystemsinc.com
    LogTime yes
    LogSyslog yes
    LogFacility LOG_LOCAL6
    LogInfected Basic

    [r...@smtp ~]# more /etc/init.d/clamav-milter
    #!/bin/sh

    . /etc/rc.d/init.d/functions
    . /etc/sysconfig/network

    CLAMAV_FLAGS=
    test -f /etc/sysconfig/clamav-milter && . /etc/sysconfig/clamav-milter

    [ "${NETWORKING}" = "no" ] && exit 0

    PATH=$PATH:/usr/bin:/usr/local/sbin:/usr/local/bin
    RETVAL=0

    start_clamd() {
        # ADD BY SHAWN 04122010 for new ClamAV implementation
        echo -n "Starting clam AV Server: "
        touch /var/lock/subsys/clamd
        if [ -x /sbin/restorecon ] ; then
            /sbin/restorecon /var/lock/subsys/clamd
        fi
        LANG= daemon clamd ${CLAMD_FLAGS}
        RETVAL=$?
        echo
        test $RETVAL -eq 0
        return $RETVAL
    }

    start_clamilt() {
        echo -n "Starting clamav-milter: "
        # Don't allow files larger than 20M to be created, to limit DoS
        # Needs to be large enough to extract the signature files
        ulimit -f 2
        touch /var/lock/subsys/clamav-milter
        # SE Linux Fix from http://webui.sourcelabs.com/fedora/issues/447247 (and in spamass-miter)
        if [ -x /sbin/restorecon ] ; then
            /sbin/restorecon /var/lock/subsys/clamav-milter
        fi
        LANG= daemon clamav-milter ${CLAMAV_FLAGS}
        RETVAL=$?
        echo
        test $RETVAL -eq 0
        return $RETVAL
    }

    start() {
        start_clamd
        start_clamilt
    }

    stop_clamd() {
        echo -n "Shuttung down clamd: "
        killproc clamd
        RETVAL=$?
        echo
        test $RETVAL -eq 0 && rm -f /var/lock/subsys/clamd
    }

    stop_clamilt() {
        echo -n "Shutting down clamav-milter: "
        killproc clamav-milter
        RETVAL=$?
        echo
        test $RETVAL -eq 0 && rm -f /var/lock/subsys/clamav-milter
    }

    stop() {
        stop_clamilt
        stop_clamd
    }

    restart() {
        stop
        start
    }

    # See how we were called.
    case "$1" in
        start)
            case "$2" in
                clamd) start_clamd ;;
                clamilt) start_clamilt ;;
                *) start ;;
            esac
            ;;
        stop)
            case "$2" in
                clamd) stop_clamd ;;
                clamilt) stop_clamilt ;;
                *) stop ;;
            esac
            ;;
        restart|reload)
            restart
            ;;
        condrestart)
            test -f /var/lock/subsys/clamav-milter -a -f /var/lock/subsys/clamd && restart || :
            ;;
        status)
            status clamav-milter
            status clamd
            ;;
        *)
            echo "Usage: $0 {start[clamd|clamilt]|stop[clamd|clamilt]|reload|restart|condrestart|status}"
            exit 1
    esac

    exit $?
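Added example (not from the original posts or the ClamAV project): the audit record Jim quoted in the reply thread shows clamav-milter ending with sig=25, which on Linux x86 is SIGXFSZ, the signal delivered when a process writes past its file-size limit, and the init script above sets such a limit with ulimit -f before starting the milter. The sketch names the signal in an ANOM_ABEND record and shows a write being cut off under a small limit; the function names and the 1-block limit are assumptions made for the demonstration.

```shell
#!/bin/sh
# Audit record as quoted in the thread (line wrap inside "comm=" removed).
ABEND_LINE='type=ANOM_ABEND msg=audit(1264972228.023:953): auid=4294967295 uid=46 gid=46 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 pid=25871 comm=clamav-milter sig=25'

# abend_signal LINE
# For an ANOM_ABEND audit record, print "<comm> SIG<name>"; fail otherwise.
abend_signal() (
    line=$1
    case $line in
        *type=ANOM_ABEND*) ;;
        *) exit 1 ;;
    esac
    sig=$(printf '%s\n' "$line" | sed -n 's/.* sig=\([0-9][0-9]*\).*/\1/p')
    comm=$(printf '%s\n' "$line" | sed -n 's/.* comm="\{0,1\}\([^" ]*\).*/\1/p')
    [ -n "$sig" ] || exit 1
    # kill -l N maps a signal number to its name on the running platform.
    name=$(kill -l "$sig" 2>/dev/null) || name=unknown
    printf '%s SIG%s\n' "$comm" "$name"
)

# write_under_limit
# Try to write 8 KiB under a 1-block file-size limit, as a daemon started
# after "ulimit -f" would. Prints "<exit-status> <bytes-written>".
# The status is 128+25 when the writer is killed by SIGXFSZ; if the signal
# is ignored in the calling environment, the write fails with EFBIG instead.
write_under_limit() (
    tmp=$(mktemp) || exit 1
    status=0
    (
        ulimit -c 0      # no core file from the demonstration
        ulimit -f 1      # 1 block: 512 or 1024 bytes depending on the shell
        dd if=/dev/zero of="$tmp" bs=1024 count=8 2>/dev/null
    ) 2>/dev/null || status=$?
    size=$(wc -c < "$tmp" | tr -d ' ')
    rm -f "$tmp"
    printf '%s %s\n' "$status" "$size"
)

abend_signal "$ABEND_LINE"
write_under_limit
```

The limit set with ulimit -f is inherited by everything the init script starts afterwards, so it applies to the milter's log and temporary files as well as to the signature files the script comment mentions.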
Re: [Clamav-users] clamd missed
To preface the importance of what is being said:

1) Production servers should ALL have UPS and UPS should be tested, and if power outages are longer than the UPS ability to maintain, some proper shutdown mechanism must be enabled (do not be cheap with production servers).

2) I have hard booted linux boxes (FreeBSD should be very much similar - OS X - ) many many many times (in a lab environment, and on rare occasions in production) and have never experienced this, unless as stated here, there was a greater issue with the installation such as a failing drive, incorrect settings on a RAID, or something more sinister, which in turn would cause ALL kinds of failures. Services would not start up (missing configs and libs), etc...

3) I've compiled ClamAV since it is not available through yum on my distro (at least the latest version) and have had no issues of the kind you describe specifically related to clam.

4) Do you have anything like tripwire installed (yes you can tell exactly what files have been altered)? You would have needed to install it before the system became unstable.

5) Do not focus on clam, focus on the fact that a file is getting corrupted when it should not. Do you have other mechanisms installed that check, or maintain files for you? Some other security. Is SELinux enabled (this is a far shot)? ONLY IF YOU ARE ABSOLUTELY SURE THIS IS THE ONLY FILE!

All of the advice on this thread has been dead on. Critical systems should not be able to fail in this manner, and a good understanding of file structure and systems is important in being able to trace it down.

Date: Thu, 1 Jul 2010 17:13:27 +0100
From: g...@jubileegroup.co.uk
To: clamav-users@lists.clamav.net
Subject: Re: [Clamav-users] clamd missed

Hi there,

On Thu, 1 Jul 2010 Jerry wrote:

Yeah, It's an UPS failure.

Perhaps you should get a better UPS. If it's important to you that the server runs reliably I'd recommend one which has the converter running continuously, not a cheap 'line interactive' one. Make sure that the battery health is monitored by the UPS and that batteries can be replaced while it is on line.

Did you run a filesystem checking tool after the abnormal shutdown?

Yes, fsck -f

Are you sure about that? The man page for fsck on FreeBSD that I just checked seems to indicate that the -p flag is required with -f. How exactly did you run fsck? Do you know that it is dangerous to run it on a mounted, writable partition? If I had only one partition on a machine I would normally want to boot on a LiveCD or move the disc to another machine to check it, so that I have a full running system with all the tools I need to examine and repair partitions.

Did you only reinstall ClamAV?? If so I do not believe that you know that all is OK.? Under these circumstances, I would not know.

As far as I know, mails get through, Av is working, no file system errors

How many files are there in the system? 10,000? 100,000? A million? How have you ensured that clamd in /usr/local/sbin/ was the only one which suffered any damage? What mechanism can you suggest which might explain that this one single file was damaged, and all the others were protected by some magical shield? Do you understand that damage to a directory is not the same as damage to the file? How can you explain that some tiny part of a directory which is normally only being read has twice accidentally been written in the same highly improbable way? Looking at the information before me I have to say that if this is not beyond the bounds of credibility, it's certainly out there at the edge.

It is a _very_ bad idea to shut down a modern operating system the hard way

This is crystal clear. I'll let Power company know that :))

I thought you said it was a UPS failure.

By the way, still in dark of WHY clamd can't work.

You showed us why in your OP.

On Wed, 30 June Hook wrote:

    argos [/var/log/clamav]# ll /usr/local/sbin/clamd
    srw-rw-rw- 1 root wheel 0 Jun 2 08:37 /usr/local/sbin/clamd

It is easy to understand why clamd doesn't work if it's (a) zero length and (b) not executable

Why not try this for yourself as an experiment? Create a file of zero length, make sure that it is not executable, and then try to run it. My guess is that you won't get very far. :)

Zero length and ONLY clamd affected.

I'm still far from convinced that you know what damage has been done to your system. I'm not convinced that you understand how filesystems work, and for example the difference between the content of a file and the information which is contained about it in a directory. From the information which you have given us, under these circumstances I would have no confidence that the only damage done to the filesystem was to one single file. The directory containing the file seems to have been corrupted -- the file should have been executable, and
Re: [Clamav-users] Clamav Memory/System requirements
    ps -aux
    ...
    clamav 2716 0.0 4.1 222492 168760 ? Ssl May26 0:40 clamd
    clamav 2722 0.0 0.0 57540 784 ? Ssl May26 0:00 clamav-milter
    ...

On a Prolient GL165 4 x Quad-Core AMD Opteron(tm) Processor 2352 with 4GIG of memory. Fedora release 8 (Werewolf), ClamAV 0.96.1/11089/Thu May 27 06:47:23 2010.

The process has been running for a day on our resides on our smtp gateway server, along side SpamAssassin..

From: cswi...@mac.com
Date: Wed, 26 May 2010 15:27:05 -0700
To: clamav-users@lists.clamav.net
Subject: Re: [Clamav-users] Clamav Memory/System requirements

Hi, Alex--

On May 26, 2010, at 3:04 PM, Alex wrote:

Is it expected that clamd on Linux should take 315MB of RAM with a normal configuration? The system is pretty busy, with clamdtop being IDLE for no longer than two seconds at a time, with apparently three instances running.

v0.96.1 clamd tends to run around 190MB during normal operation here under FreeBSD, and can drop back to around 120 MB if left completely idle. It also tends to bounce up to nearly 300MB for a brief period when a DB refresh happens, but it drops back to ~190MB pretty quickly

Is that 315MB an accurate representation, as reported by clamdtop, and standard top?

Probably. I gather that GNU's libc has deferred free() semantics when threading is in use, so it might not be freeing up memory as quickly as other C library implementations do. You might also check that you don't have both a main.cvd and main.cld, because that might cause two copies of the signatures to get loaded and nearly double the memory requirements

Is the memory requirements dependent upon the number of signatures, databases, or otherwise?

Mostly proportional to the # of signatures, which in my case is ~ 977401-- plus some more if you scan big files.

Regards,
--
-Chuck
Re: [Clamav-users] Tiered freshclam updates on port443
LOL

You are assuming I use PC on my network. Sorry I don't mean the LOL in a bad way at all. I guess I just come from a different world (I started my life on Sun).

I believe each of the points you both made, including OUTBOUND security to prevent hackers from using a hacked machine on our network, are very valid points. But I have yet to see gateway blocks actually reduce the number of infections on my network, and when compared to the complexity it introduces into the system, it is just not worth it. Complexity is your worst enemy. When things are kept as simple as possible, in a time of crisis, they are simple to figure out.

If my goal was to keep infected machines off my network, monitoring (SNMP (CPU usage, IO, etc...), Snort, Port Mapping, etc...) is a much more effective way. I would actively be monitoring every device (we only do routers and servers), I would use products like nagios to set alerts. I would become intimate with the way my users work, and the way their machines operate.

I would never violate a netizen's right by restricting his or her movements on the internet. I believe a user should be able to use the machine assigned to them for whatever purpose they choose, and it is my job to provide a reliable, safe, and secure environment for them to operate in. ;)

Primary objective: Create a secure, safe, meaningful environment for OUR users.

From: st...@greengecko.co.nz
To: clamav-users@lists.clamav.net
Date: Fri, 21 May 2010 08:46:45 +1200
Subject: Re: [Clamav-users] Tiered freshclam updates on port443

On Thu, 2010-05-20 at 16:09 -0400, Shawn Bakhtiar wrote:

Back to the original issue. I still say having firewalls from higher security zones to lower ones, does not make sense. Security is only valid when it is INBOUND. Outbound security is no security at all, just a pain for your users.

Although this is way off topic for this group here's a couple of basic scenarios for you...

1. How can you stop an infected PC on your network talking to its controller
2. How can you stop an infected PC on your network spewing spam to the world+dog?

...in a simple and controllable manner ( and yes, you will always get infected PCs on your internal network ).

Point 2. above is a no-brainer - just stop outgoing traffic on port 25 from all but your mail servers; point 1. takes a bit more work.

Steve

--
Steve Holdoway st...@greengecko.co.nz
http://www.greengecko.co.nz
MSN: st...@greengecko.co.nz
Skype: sholdowa
Re: [Clamav-users] Duplicate signature files
If you're using wget: from the man pages under the -c option

Note that you don't need to specify this option if you just want the current invocation of Wget to retry downloading a file should the connection be lost midway through. This is the default behavior. -c only affects resumption of downloads started prior to this invocation of Wget, and whose local files are still sitting around.

Did you clean out the download before using wget, maybe you have partials of two files?

Date: Fri, 21 May 2010 08:12:12 -0700
From: denni...@inetnw.com
To: clamav-users@lists.clamav.net
Subject: Re: [Clamav-users] Duplicate signature files

On 5/21/10 8:06 AM, Török Edwin wrote:

On 05/21/2010 05:49 PM, Dennis Peterson wrote:

I just repeated this test (manually dl bytecode.cvd and test it with clamscan)

My configuration is probably different than yours, that is why it fails for you and not for me. That is why I asked for output of 'clamconf -n'. Can you provide it please?

Time marched on since the first failure :). I've got 3 different compilers I'm testing. Here are the results for the current build:

    Software settings
    -
    Version: 0.96.1
    Optional features supported: MEMPOOL IPv6 BIGSTACK AUTOIT_EA06 BZIP2 RAR
    Database directory: /usr/local/share/clamav
    main.cld: version 52, sigs: 704727, built on Mon Feb 15 06:54:51 2010
    daily.cld: version 11068, sigs: 81593, built on Fri May 21 05:54:03 2010

    Platform information
    OS: solaris2.9, ARCH: sparc, CPU: sparc
    Full OS version: Solaris 9 s9_58shwpl3 SPARC
    zlib version: 1.2.2 (1.2.2), compile flags: 55

    Build information
    -
    GNU C: 3.3.2 (3.3.2)
    CPPFLAGS: -I/usr/local/include
    CFLAGS: -mcpu=ultrasparc
    CXXFLAGS:
    LDFLAGS: -lmalloc -R/usr/local/lib/sparcv9 -R/usr/local/lib -L/usr/local/lib -L/usr/lib -L/usr/local/ssl9.8e/lib
    Configure: '--prefix=/usr/local' '--with-user=smmsp' '--with-group=smmsp' '--enable-bigstack' '--enable-clamdtop' '--disable-zlib-vcheck' 'CC=gcc' 'CFLAGS=-mcpu=ultrasparc' 'LDFLAGS=-lmalloc -R/usr/local/lib/sparcv9 -R/usr/local/lib -L/usr/local/lib -L/usr/lib -L/usr/local/ssl9.8e/lib' --enable-ltdl-convenience

I'm now trying it with Sun's compiler, Studio 12.

dp
Re: [Clamav-users] Tiered freshclam updates on port443
Indeed. I do scan all inbound and outbound email for spam AND viruses. Our ISP managed the MX records, we have to tell them to setup the correct reverses. I am the admin, and users are only allowed to install apps in their own user space, not OS space. That is the idea, to have people want to work here, innovate, and create! and my function should not hamper that in any way. I can certainly understand blocking websites at a school, but if the kids are prevented from hacking, then where will all our future hacks come from?

Date: Fri, 21 May 2010 08:53:04 -0700
From: denni...@inetnw.com
To: clamav-users@lists.clamav.net
Subject: Re: [Clamav-users] Tiered freshclam updates on port443

On 5/21/10 8:33 AM, Freddie Cash wrote:

It may not have happened on your network, but it's (filtering outbound traffic) saved our bacon several times over the years, especially back in the Code Red/Nimda days. And, in an educational setting (I work for a school district now), you definitely do not want to have wide-open Internet access for student computers.

This thread is getting nutty - I scan outbound mail because it's the right thing to do. I am ultimately responsible for every byte that leaves my system. End of story.

dp
Re: [Clamav-users] Tiered freshclam updates on port443
Back to the original issue. I still say having firewalls from higher security zones to lower ones, does not make sense. Security is only valid when it is INBOUND. Outbound security is no security at all, just a pain for your users. Any sysadmin who thinks they are able to fathom all the user will do, or worse, thinks that all the user does is screw up, really is no sysadmin at all. They're just a hack with a big ego.

Machines like people are users too. To hamper a high security server, not to gain access to the outside on some port (especially for updates), is hampering that server, not improving security, without its updates it is actually less secure than having a single binary based port open to some less secure facility.

I can not imagine (and I think this is the point of the chain) a situation in which a server would not have OUTBOUND access on 443 (ESTABLISHED INBOUND), which is functioning as an anti virus. After all, how do you update your client boxes, even a deployment server has to be able to pull updates? I'm fascinated, because I can not imagine how this is all set up, which would cause such a unique situation.

Date: Wed, 19 May 2010 15:22:04 -0400
From: nat...@cmpublishers.com
To: clamav-users@lists.clamav.net
Subject: Re: [Clamav-users] Tiered freshclam updates on port443

* Matus UHLAR - fantomas wrote:
* Matus UHLAR - fantomas wrote:

Why? is there an aggressive firewall on the machine? Or is the machine maintained by a moron?

On 14.05.10 14:50, Nathan Gibbs wrote:

Blah, Blah, Blah.

I have asked why it's impossible.

True.

Having moron sysadmin is one of possibilities.

Also, could be true, but that possibility doesn't necessarily need to be stated. I'd guess that most of those on this ML are sysadmins, and very smart people. However, each person's idea of what the Right Thing is, in a given situation, will be different. Even if there is agreement on what, there will be disagreement on how. In summary, just because someone here sees it differently, or disagrees with me, they are NOT a moron. I would be the moron for calling or implying that they were, and vice versa.

You have apparently chosen this one.

Blah, Blah, Blah

I haven't called anyone a moron yet, but you have apparently applied to this. You could better answer my question first.

That would be pointless as they are Eddie's hosts not mine.

--
Sincerely,
Nathan Gibbs
Systems Administrator
Christ Media
http://www.cmpublishers.com
Re: [Clamav-users] Tiered freshclam updates on port443
I would have to agree with Henrik here. Not to allow established connection from a higher level security zone to a lesser one, seems to be more a design issue than that of a clam implementation issue. The idea of zones should be to guard inbound, not hamper user outbound.

It's true you can skin a cat a million ways, but some of those ways are simply cruel, time consuming, and of little relevance to the objective.

If there is a router acting as a firewall (PIX or Cisco 2621, etc...) then a simple ACL seems a much more robust solution. Of course the likelihood you are using internal IP address is high, which means you will need to NAT from that segment, which you most likely do because you need to have internet.

If the firewall is on the machine, then a simple allow statement to the right chain in the iptables will achieve the same thing (windows has the same level of security via a GUI).

In either case, the hack would be to figure it out on your network, not request bloatware that will be used in very few situations, given the complexity (thus insecurity) it introduces. (IMHO)

Frankly my objection is a bit personal too. I hate the fact that everyone and everything is becoming HTTP. It is one single silly port of a possible 60,000 +, and its protocol was designed to centralize documentation. It has now become the default port AND PROTOCOL for everything. This is beyond ridiculous! Since now everyone knows where to focus their attacks! The best way to protect data is to keep it binary and OFF port 80 or 443. This time in my IMNSHO :oP

Date: Sun, 16 May 2010 09:29:57 +0300
From: h...@hege.li
To: clamav-users@lists.clamav.net
Subject: Re: [Clamav-users] Tiered freshclam updates on port443

On Fri, May 14, 2010 at 06:34:33PM -0400, Nathan Gibbs wrote:

At our site, the update server hosts clamav DBs, snort rules, some conf files, etc. The ability to protect the other data would be a plus. It would add another layer of defense to our setup. However it's not workable if Freshclam cannot speak https. It's redundant as far as ClamAV's data integrity goes. However, I think it's worth doing as far as hack value and interoperability go.

Using https sounds silly in favor of more robust methods like rsync+ssh. I certainly would trust rsyncing a verified set of signatures more than using freshclam code which has had bugs in past.

-1 for adding yet another external library dependency for little purpose.

As far as the original poster goes, I don't think https protocol was the issue, only TCP port. Such human generated firewall problems are solvable in many ways if desired and IMHO has nothing to do with ClamAV.
Re: [Clamav-users] [clamu] [Windows] How does ClamAV compare with closed-source alternatives?
Dud (Fred-145) do you work for a proprietary anti-virus company or something, cuz it sounds like you're just trying to dis??

Charles is right google IS your friend (a big behemoth whose time will soon come):

http://www.builderau.com.au/blogs/byteclub/viewblogpost.htm?p=339270831

Also, if you do not have the time to be intimately familiar with the product you are deploying, please hire a hack who is (notice I did not say a consulting firm, but a hack!)!

Date: Wed, 12 May 2010 08:15:52 -0700
From: codecompl...@free.fr
To: clamav-users@lists.clamav.net
Subject: Re: [Clamav-users] [clamu] [Windows] How does ClamAV compare with closed-source alternatives?

Charles Gregory wrote:

The buzzword you need to remember is 'benchmark'. I googled for 'antivirus benchmark' and the top result had a nice long list.

Thanks for the tip. Is this the list?

Aug 3rd, 05 - The Best of AntiVirus Rank
http://forums.vr-zone.com/developers-software-discussion/30083-shootout-antivirus-benchmark.html

I couldn't find a recent comparison that came from a neutral source, ie. not marketing material from a vendor or ad-based site. Does someone have a link?

--
View this message in context: http://old.nabble.com/-Windows--How-does-ClamAV-compare-with-closed-source-alternatives--tp28535727p28537369.html
Sent from the clamav-users mailing list archive at Nabble.com.
[Clamav-users] FW: Can not get clamav-milter to work on Sendmail
that the rpmforge repository has rpms of the current version of the clamav suite for FC8.

- Richard

Original Message
Date: Tuesday, May 11, 2010 03:03:37 PM -0400
From: Shawn Bakhtiar shashan...@hotmail.com
To: clamav-users@lists.clamav.net
Subject: [Clamav-users] Can not get clamav-milter to work on Sendmail

I have been trying to get clamav-milter to work on Linux FC 8:

Linux smtp 2.6.26.6-49.fc8 #1 SMP Fri Oct 17 15:33:32 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux
Fedora release 8 (Werewolf)

I downloaded the latest source and built. freshclam is working, it looks like I am able to run the clamav daemon, but for some reason my clamav-milter is NOT starting... and given all the changes I don't know if I am doing this right:

sendmail.mc:

dnl # SPAM FILTERS
INPUT_MAIL_FILTER(`spamassassin',`S=local:/var/run/spamass-milter/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
INPUT_MAIL_FILTER(`clmilter', `S=local:/var/run/clamd/clamav-milter.socket, F=, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `clmilter,spamassassin')dnl

/usr/local/etc/clamav-milter.conf

...
MilterSocket /var/run/clamd/clamav-milter.socket
User clamav
PidFile /var/run/clamd/clamav-milter.pid
LogTime yes
LogSyslog yes
LogFacility LOG_LOCAL6

Here is my startup script which I updated to run the clamd then launch clamav (log follows). No matter what I do, clamav-milter does not seem to be running? Any ideas?

[r...@smtp log]# more /etc/init.d/clamav-milter
#!/bin/sh
#
# clamav-milter This script starts and stops the clamav-milter daemon
#
# chkconfig: - 79 40
#
# description: clamav-milter is a daemon which hooks into sendmail and routes \
#              email messages for virus scanning with ClamAV
# processname: clamav-milter
# pidfile: /var/lock/subsys/clamav-milter

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Local clamav-milter config
CLAMAV_FLAGS=
test -f /etc/sysconfig/clamav-milter . /etc/sysconfig/clamav-milter

# Check that networking is up.
[ ${NETWORKING} = no ] exit 0

PATH=$PATH:/usr/bin:/usr/local/sbin:/usr/local/bin
RETVAL=0

start() {
    # ADD BY SHAWN 04122010 for new ClamAV implementation
    echo -n Starting clam AV Server:
    touch /var/lock/subsys/clamd
    if [ -x /sbin/restorecon ] ; then
        /sbin/restorecon /var/lock/subsys/clamd
    fi
    LANG= daemon clamd ${CLAMD_FLAGS}
    RETVAL=$?
    echo
    test $RETVAL -eq 0 return $RETVAL

    echo -n Starting clamav-milter:
    # Don't allow files larger than 20M to be created, to limit DoS
    # Needs to be large enough to extract the signature files
    ulimit -f 2
    touch /var/lock/subsys/clamav-milter
    # SE Linux Fix from http://webui.sourcelabs.com/fedora/issues/447247 (and in spamass-miter)
    if [ -x /sbin/restorecon ] ; then
        /sbin/restorecon /var/lock/subsys/clamav-milter
    fi
    # removed as we log to syslog now
    #if [ -x /sbin/restorecon ] ; then
    #/sbin/restorecon /var/log/clamd.milter
    #fi
    LANG= daemon clamav-milter ${CLAMAV_FLAGS}
    RETVAL=$?
    echo
    test $RETVAL -eq 0 return $RETVAL
}

stop() {
    echo -n Shuttung down clamd:
    killproc clamd
    RETVAL=$?
    echo
    test $RETVAL -eq 0 rm -f /var/lock/subsys/clamd

    echo -n Shutting down clamav-milter:
    killproc clamav-milter
    RETVAL=$?
    echo
    test $RETVAL -eq 0 rm -f /var/lock/subsys/clamav-milter
}

restart() {
    stop
    start
}

# See how we were called.
case $1 in
    start)
        # Start daemon.
        start
        ;;
    stop)
        # Stop daemon.
        stop
        ;;
    restart|reload)
        restart
        ;;
    condrestart)
        test -f /var/lock/subsys/clamav-milter restart || :
        ;;
    status)
        status clamav-milter
        status clamd
        ;;
    *)
        echo Usage: $0 {start|stop|reload|restart|condrestart|status}
        exit 1
esac

exit $?

/var/log/clamav.log

May 11 11:55:20 smtp clamd[31928]: Pid file removed.
May 11 11:55:20 smtp clamd[31928]: --- Stopped at Tue May 11 11:55:20 2010
May 11 11:55:20 smtp clamd[31928]: Socket file removed.
May 11 11:55:23 smtp clamd[32161]: clamd daemon 0.96 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
May 11 11:55:23 smtp clamd[32161]: Running as user clamav (UID 497, GID 496)
May 11 11:55:23 smtp clamd[32161]: Log file size limited to 1048576 bytes.
May 11 11:55:23 smtp clamd[32161]: Reading databases from /usr/local/share/clamav
May 11 11:55
Re: [Clamav-users] Can not get clamav-milter to work on Sendmail
Ah.. Thanks Jason... I think I'll the F-ing option out :d pardon z frenche

Date: Wed, 12 May 2010 10:25:34 -0400
From: ja...@i6ix.com
To: clamav-users@lists.clamav.net
Subject: Re: [Clamav-users] Can not get clamav-milter to work on Sendmail

On 2010/05/11 8:48 PM, Shawn Bakhtiar wrote:

I don't know what the F= parameter does

F= tells sendmail what to do if the milter fails. I prefer F=T. F=T means a temporary error, F=R means a permanent error, and no F= means pass through as if the filter did not exist.

--
/Jason
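The F= behaviour Jason describes, checked against sendmail.mc lines like the ones quoted in this thread: an empty F= means mail passes unscanned whenever the milter is not running. This is an added example, not code from any poster or from the ClamAV or sendmail projects; the function names, the finding labels, and the `strict` filter with its socket path are assumptions made for the illustration.

```python
import re

# Constructed input modelled on the sendmail.mc lines quoted in this thread;
# the "strict" filter and its socket path are hypothetical additions.
SAMPLE_MC = """\
dnl # SPAM FILTERS
INPUT_MAIL_FILTER(`spamassassin',`S=local:/var/run/spamass-milter/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
INPUT_MAIL_FILTER(`clmilter', `S=local:/var/run/clamd/clamav-milter.socket, F=, T=S:4m;R:4m')dnl
INPUT_MAIL_FILTER(`strict', `S=local:/var/run/example/strict.sock, F=T, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `clmilter,spamassassin')dnl
"""
SAMPLE_MILTER_CONF = "MilterSocket /var/run/clamd/clamav-milter.socket\nUser clamav\n"

# m4 quotes strings as `text'; capture the filter name and its equates.
FILTER_RE = re.compile(r"INPUT_MAIL_FILTER\(\s*`([^']*)'\s*,\s*`([^']*)'\s*\)")
# F= meanings as described in the thread.
FAIL_POLICY = {"T": "tempfail", "R": "reject", "": "pass-through"}


def parse_filters(mc_text):
    """Return {filter name: {equate: value}} for each INPUT_MAIL_FILTER line."""
    filters = {}
    for line in mc_text.splitlines():
        if line.lstrip().startswith("dnl"):   # whole line is an m4 comment
            continue
        for name, equates in FILTER_RE.findall(line):
            fields = {}
            for item in equates.split(","):
                key, sep, value = item.strip().partition("=")
                if sep:
                    fields[key] = value.strip()
            filters[name.strip()] = fields
    return filters


def socket_path(spec):
    """Strip the local:/unix: family prefix so both files can be compared."""
    for prefix in ("local:", "unix:"):
        if spec.startswith(prefix):
            return spec[len(prefix):]
    return spec


def milter_socket(conf_text):
    """Return the MilterSocket value from clamav-milter.conf, or None."""
    for line in conf_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "MilterSocket":
            return socket_path(parts[1].strip())
    return None


def audit(mc_text, conf_text, clam_filter="clmilter"):
    """Return sorted (filter, finding) pairs worth a second look."""
    findings = []
    filters = parse_filters(mc_text)
    for name, fields in filters.items():
        policy = FAIL_POLICY.get(fields.get("F", ""), "unknown")
        if policy == "pass-through":
            findings.append((name, "fail-open"))      # unscanned mail if milter is down
        elif policy == "unknown":
            findings.append((name, "unknown-F-flag"))
    clam = filters.get(clam_filter)
    if clam is None:
        findings.append((clam_filter, "not-defined"))
    elif socket_path(clam.get("S", "")) != milter_socket(conf_text):
        findings.append((clam_filter, "socket-mismatch"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_MC, SAMPLE_MILTER_CONF):
        print(f"{name}: {finding}")
```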
Re: [Clamav-users] [Windows] How does ClamAV compare with closed-source alternatives?
ClamWin Free Antivirus is based on ClamAV engine and uses GNU General Public License by the Free Software Foundation, and is free (as in freedom) software. To find out more about GNU GPL, please visit the following link: Philosophy of the GNU Project - Free Software Foundation.

Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. The core of the package is an anti-virus engine available in a form of shared library. (Read more...)

What part of this is NOT Open Source? it is GPL (both windows and AV).

Date: Wed, 12 May 2010 12:50:13 -0700
From: codecompl...@free.fr
To: clamav-users@lists.clamav.net
Subject: Re: [Clamav-users] [Windows] How does ClamAV compare with closed-source alternatives?

Bowie Bailey wrote:

Keep in mind that (at the moment), ClamAV and ClamAV for Windows are two completely unrelated products.

Yup, that's what other users said above. Unfortunately, the page about ClamAV for Windows doesn't say anywhere that it only scans for malware in RAM, not on mass-storage:

www.clamav.net/lang/en/about/win32/

I suspect this oversight is not unrelated to ClamAV for Windows being a closed-source product ;-)

Bowie Bailey wrote:

There is a Start Scan button on the Scan screen in the UI, but there are no options to specify what it is scanning so I'm not sure exactly what it does.

It obviously only scans for malware in RAM. I have two 200GB hard-disks, and they are clearly not being scanned by ClamAV for Windows.

Thank you.

--
View this message in context: http://old.nabble.com/-Windows--How-does-ClamAV-compare-with-closed-source-alternatives--tp28535727p28540359.html
Sent from the clamav-users mailing list archive at Nabble.com.
[Clamav-users] Can not get clamav-milter to work on Sendmail
I have been trying to get clamav-milter to work on Linux FC 8:

Linux smtp 2.6.26.6-49.fc8 #1 SMP Fri Oct 17 15:33:32 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux
Fedora release 8 (Werewolf)

I downloaded the latest source and built. freshclam is working, it looks like I am able to run the clamav daemon, but for some reason my clamav-milter is NOT starting... and given all the changes I don't know if I am doing this right:

sendmail.mc:

dnl # SPAM FILTERS
INPUT_MAIL_FILTER(`spamassassin',`S=local:/var/run/spamass-milter/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
INPUT_MAIL_FILTER(`clmilter', `S=local:/var/run/clamd/clamav-milter.socket, F=, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `clmilter,spamassassin')dnl

/usr/local/etc/clamav-milter.conf

...
MilterSocket /var/run/clamd/clamav-milter.socket
User clamav
PidFile /var/run/clamd/clamav-milter.pid
LogTime yes
LogSyslog yes
LogFacility LOG_LOCAL6

Here is my startup script which I updated to run the clamd then launch clamav (log follows). No matter what I do, clamav-milter does not seem to be running? Any ideas?

[r...@smtp log]# more /etc/init.d/clamav-milter
#!/bin/sh
#
# clamav-milter This script starts and stops the clamav-milter daemon
#
# chkconfig: - 79 40
#
# description: clamav-milter is a daemon which hooks into sendmail and routes \
#              email messages for virus scanning with ClamAV
# processname: clamav-milter
# pidfile: /var/lock/subsys/clamav-milter

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Local clamav-milter config
CLAMAV_FLAGS=
test -f /etc/sysconfig/clamav-milter . /etc/sysconfig/clamav-milter

# Check that networking is up.
[ ${NETWORKING} = no ] exit 0

PATH=$PATH:/usr/bin:/usr/local/sbin:/usr/local/bin
RETVAL=0

start() {
    # ADD BY SHAWN 04122010 for new ClamAV implementation
    echo -n Starting clam AV Server:
    touch /var/lock/subsys/clamd
    if [ -x /sbin/restorecon ] ; then
        /sbin/restorecon /var/lock/subsys/clamd
    fi
    LANG= daemon clamd ${CLAMD_FLAGS}
    RETVAL=$?
    echo
    test $RETVAL -eq 0 return $RETVAL

    echo -n Starting clamav-milter:
    # Don't allow files larger than 20M to be created, to limit DoS
    # Needs to be large enough to extract the signature files
    ulimit -f 2
    touch /var/lock/subsys/clamav-milter
    # SE Linux Fix from http://webui.sourcelabs.com/fedora/issues/447247 (and in spamass-miter)
    if [ -x /sbin/restorecon ] ; then
        /sbin/restorecon /var/lock/subsys/clamav-milter
    fi
    # removed as we log to syslog now
    #if [ -x /sbin/restorecon ] ; then
    #/sbin/restorecon /var/log/clamd.milter
    #fi
    LANG= daemon clamav-milter ${CLAMAV_FLAGS}
    RETVAL=$?
    echo
    test $RETVAL -eq 0 return $RETVAL
}

stop() {
    echo -n Shuttung down clamd:
    killproc clamd
    RETVAL=$?
    echo
    test $RETVAL -eq 0 rm -f /var/lock/subsys/clamd

    echo -n Shutting down clamav-milter:
    killproc clamav-milter
    RETVAL=$?
    echo
    test $RETVAL -eq 0 rm -f /var/lock/subsys/clamav-milter
}

restart() {
    stop
    start
}

# See how we were called.
case $1 in
    start)
        # Start daemon.
        start
        ;;
    stop)
        # Stop daemon.
        stop
        ;;
    restart|reload)
        restart
        ;;
    condrestart)
        test -f /var/lock/subsys/clamav-milter restart || :
        ;;
    status)
        status clamav-milter
        status clamd
        ;;
    *)
        echo Usage: $0 {start|stop|reload|restart|condrestart|status}
        exit 1
esac

exit $?

/var/log/clamav.log

May 11 11:55:20 smtp clamd[31928]: Pid file removed.
May 11 11:55:20 smtp clamd[31928]: --- Stopped at Tue May 11 11:55:20 2010
May 11 11:55:20 smtp clamd[31928]: Socket file removed.
May 11 11:55:23 smtp clamd[32161]: clamd daemon 0.96 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
May 11 11:55:23 smtp clamd[32161]: Running as user clamav (UID 497, GID 496)
May 11 11:55:23 smtp clamd[32161]: Log file size limited to 1048576 bytes.
May 11 11:55:23 smtp clamd[32161]: Reading databases from /usr/local/share/clamav
May 11 11:55:23 smtp clamd[32161]: Not loading PUA signatures.
May 11 11:55:27 smtp clamd[32161]: Loaded 767740 signatures.
May 11 11:55:27 smtp clamd[32161]: LOCAL: Unix socket file /var/run/clamd/clamd.socket
May 11 11:55:27 smtp clamd[32161]: LOCAL: Setting connection queue length to 15
May 11 11:55:27 smtp clamd[32162]: Limits: Global size limit set to 104857600 bytes.
May 11 11:55:27 smtp clamd[32162]: Limits: File size limit set to 26214400 bytes.
May 11 11:55:27 smtp clamd[32162]: Limits: Recursion level limit set to 16.
May 11 11:55:27 smtp clamd[32162]: Limits: Files limit set to 1.
May 11 11:55:27 smtp clamd[32162]: Archive support enabled.
May 11 11:55:27 smtp clamd[32162]: Algorithmic detection enabled.