Re: [Clamav-users] HELP ME.

2005-08-29 Thread Kevin Spicer
On Mon, 2005-08-29 at 17:24 +0500, Shahzad Abid wrote:
> I know what error mesg says but this is FACT that when I empty specified
> quarantine folder clamd starts with following command i.e. service clamd
> start.
> This occurs once in a week.
>
> Is there any permanent solution for this?

Is /tmp/tmp on the same filesystem as your quarantine?  Maybe you're
running into some kind of resource shortage (disk space/inodes perhaps).

=

BMRB 
http://www.bmrb.co.uk
_
This message (and any attachment) is intended only for the 
recipient and may contain confidential and/or privileged 
material.  If you have received this in error, please contact the 
sender and delete this message immediately.  Disclosure, copying 
or other action taken in respect of this email or in 
reliance on it is prohibited.  BMRB Limited accepts no liability 
in relation to any personal emails, or content of any email which 
does not directly relate to our business.
+

___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] AV relay + MX backup question

2005-08-28 Thread Kevin Spicer
On Sun, 2005-08-28 at 14:31 -0700, Roger E. Rustad, Jr. wrote:
> I have an ASSP antivirus relay setup (http://assp.sourceforge.net)
> that's currently filtering spam and viruses for one domain. I'd like for it
> to do the same for other domains, but would like to make sure if (for
> whatever reason) the relay is down, mail still gets through. I am also
> setting up an MX backup through DNS Made Easy for like $8/year.

This is really off topic I think.  You need to be aware that many spam
and virus emails tend to arrive via secondary or tertiary MX, so having
an incoming route for mail which bypasses any scanning on lower MX
records is a bad idea.  Store and forward services (lower priority MX's
that queue mail and then forward to your primary when it comes back up)
are not so bad, but still be aware that they tend to blindly accept all
mail so this may be used to bypass certain measures such as IP
blacklisting.  Much better to have a second identical (in terms of
software) box and run both MX's yourself - if you lose your internet
connection temporarily legitimate senders will typically queue mail to
you for several days anyway.



Re: [Clamav-users] clamav vs amavis (was: Where is the quanantine folder?)

2005-07-18 Thread Kevin Spicer
On Sun, 2005-07-17 at 22:11 -0400, Jim Popovitch wrote:
> One follow-up question:  I currently use clamav-milter to integrate
> clamav w/ sendmail.  Would I be better served by using amavisd-new, or
> does clamav-milter cover the ground good?  It sounds to me, based on
> your comments above, that amavisd-new provides more functionality.

You might also like to take a look at MailScanner
(http://www.mailscanner.info) before deciding if/where to jump.




[Clamav-users] A suggestion....

2004-10-08 Thread Kevin Spicer
The following message seems to be the cause of one of the most
frequently asked questions around here...

SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES

May I suggest that as this is in the FAQ that any point where this
message is displayed (freshclam, configure?) it also displays the
text...

See the FAQ at http://www.clamav.net/faq.html for an explanation





BMRB International 
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_
This message (and any attachment) is intended only for the 
recipient and may contain confidential and/or privileged 
material.  If you have received this in error, please contact the 
sender and delete this message immediately.  Disclosure, copying 
or other action taken in respect of this email or in 
reliance on it is prohibited.  BMRB International Limited 
accepts no liability in relation to any personal emails, or 
content of any email which does not directly relate to our 
business.


___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] ERROR: JPEG.Comment

2004-09-29 Thread Kevin Spicer
On Wed, 2004-09-29 at 05:34, Brandon Knitter wrote:
> I have a few images that seem to be flagged as virii, when they are not.  I'm
> taking an image that is considered fine (no virus), then when I process it
> through convert (ImageMagick) it thinks it has the virus.  I have over 4000
> images I've processed this way, and only 232 of them clamscan thinks has the error.
>
> Version: 0.80rc3
>
> Any advice?  Where do I post something like that?

Were these by any chance taken by an Olympus camera?  I've seen two
false positives using my own signature for this exploit - both of which
were pictures from an Olympus  (run strings on the file and grep for
Oly).




___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] stats

2004-09-22 Thread Kevin Spicer
On Wed, 2004-09-22 at 15:17, Nikhil Parva wrote:
> hi,
>
> try using mailscanner-mrtg. It is available in the form of RPM and the
> webpage can be displayed using apache.

So long as you're using MailScanner of course!  If you are using
MailScanner you might also like to look at vispan (the two provide
different stats).








Re: AW: [Clamav-users] Re: Re: Re: Windows port ?

2004-09-22 Thread Kevin Spicer
On Wed, 2004-09-22 at 14:25, [EMAIL PROTECTED] wrote:

> The database is not a script.  It is a binary compilation.

It's not a script, true, but it also is not a binary compilation.  If
you look inside any of the database files unpacked by sigtool (sigtool
--unpack) you'll note that they are actually plain text files, one
line per entry.  So I think the previous poster's point about them being
analogous to scripts in that they are their own source is valid.






Re: [Clamav-users] 0.80rc and the new .ndb sig file format

2004-09-21 Thread Kevin Spicer
On Tue, 2004-09-21 at 02:21, Tomasz Kojm wrote:

> It seems there's a small typo in filetypes.c. Try changing
>
> {0,  "\377\330\377",   4, "JPEG", CL_TYPE_GRAPHICS},
>
> to
>
> {0,  "\377\330\377",   3, "JPEG", CL_TYPE_GRAPHICS}

That did the trick, thanks very much Tomasz.






[Clamav-users] 0.80rc and the new .ndb sig file format

2004-09-20 Thread Kevin Spicer
I'm just playing about with this and I can't seem to get it to work
quite the way I expect.  I've created two signatures, to match the jpeg
exploit we discussed recently.  My idea is that although the signature
is very small it minimises false positives by being restricted to
graphics files and then looking for the jpeg magic number at the start
of the file.  Since we established the other day that the four byte
sequence that triggers the exploit can't appear in a genuine jpeg this
should be okay.
Anyway, I created signatures in local.ndb as follows...

Exploit.Jpeg.comment.1:5:0:ffd8*fffe
Exploit.Jpeg.comment.2:5:0:ffd8*fffe0001

And tried scanning the exploit sample from here
http://www.gulftech.org/?node=downloads
Nothing!
Trying again with --debug I see this message
LibClamAV debug: Type: 501, expected: 514 (Exploit.Jpeg.comment.2)
LibClamAV debug: Type: 501, expected: 514 (Exploit.Jpeg.comment.1)

I only seem able to get this to work by changing the target type in the
sig to 0 i.e.
Exploit.Jpeg.comment.1:0:0:ffd8*fffe
Exploit.Jpeg.comment.2:0:0:ffd8*fffe0001

At which point it all works, but surely it should work with a target
type of 5?

BTW.  I tried both scanning the jpg and a message containing it, same
result

BTW2. Symantec is now detecting this exploit as Bloodhound.exploit.13





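Why the target type 5 signatures in this message were skipped until the filetypes.c length in the reply above went from 4 to 3, as an added C sketch that is not ClamAV source and not from either poster. It assumes the magic table is compared over `length` bytes with memcmp; the struct, enum and function names and the sample bytes are hypothetical, while 501 and 514 are the values in the debug lines.

```c
/* Added example: simplified model of file-type detection plus target-type
 * gating. Not ClamAV source; names are hypothetical unless noted. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Numeric values are the ones in the debug output on this page. */
enum ftype { TYPE_501 = 501, TYPE_GRAPHICS = 514 };
enum scan_result { SIG_BAD_LINE = -2, SIG_SKIPPED = -1, SIG_NO_MATCH = 0, SIG_MATCH = 1 };

struct magic_entry {
    size_t offset; const char *magic; size_t length;
    const char *name; enum ftype type;
};

/* The JPEG table entry with the length before and after the change. */
const struct magic_entry jpeg_len4 = {0, "\377\330\377", 4, "JPEG", TYPE_GRAPHICS};
const struct magic_entry jpeg_len3 = {0, "\377\330\377", 3, "JPEG", TYPE_GRAPHICS};

/* Assumption: an entry matches when `length` bytes at `offset` are equal.
 * With length 4 the literal's terminating NUL is compared as a 4th byte. */
enum ftype detect_type(const struct magic_entry *e, const unsigned char *buf, size_t len)
{
    if (len >= e->offset + e->length &&
        memcmp(buf + e->offset, e->magic, e->length) == 0)
        return e->type;
    return TYPE_501;
}

/* Compare n hex digits against buf; returns bytes consumed, 0 on mismatch. */
static size_t match_fragment(const char *hex, size_t n, const unsigned char *buf, size_t len)
{
    char pair[3] = {0, 0, 0};
    size_t i;
    if (n == 0 || n % 2 != 0 || n / 2 > len)
        return 0;
    for (i = 0; i < n / 2; i++) {
        pair[0] = hex[2 * i];
        pair[1] = hex[2 * i + 1];
        if (!isxdigit((unsigned char)pair[0]) || !isxdigit((unsigned char)pair[1]) ||
            buf[i] != (unsigned char)strtoul(pair, NULL, 16))
            return 0;
    }
    return n / 2;
}

/* Hex body with `*` gaps: the first fragment is anchored at `offset`, each
 * later fragment may start anywhere after the previous one. */
int body_matches(const char *hex, size_t offset, const unsigned char *buf, size_t len)
{
    size_t pos = offset, n, used;
    int anchored = 1;
    while (*hex) {
        n = strcspn(hex, "*");
        for (used = 0; pos <= len; pos++) {
            used = match_fragment(hex, n, buf + pos, len - pos);
            if (used || anchored)
                break;
        }
        if (!used)
            return 0;
        pos += used;
        hex += n + (hex[n] == '*');
        anchored = 0;
    }
    return 1;
}

/* Parse "name:target:offset:hex" and apply it to one buffer. Only targets
 * 0 (any file) and 5 (graphics), the two used on this page, are modelled. */
enum scan_result scan(const char *line, const struct magic_entry *magic,
                      const unsigned char *buf, size_t len)
{
    char name[64], hex[128];
    int target;
    unsigned long off;
    enum ftype detected = detect_type(magic, buf, len);
    if (sscanf(line, "%63[^:]:%d:%lu:%127[0-9a-fA-F*]", name, &target, &off, hex) != 4 ||
        (target != 0 && target != 5))
        return SIG_BAD_LINE;
    if (target == 5 && detected != TYPE_GRAPHICS) {
        printf("Type: %d, expected: %d (%s)\n", (int)detected, (int)TYPE_GRAPHICS, name);
        return SIG_SKIPPED;
    }
    return body_matches(hex, off, buf, len) ? SIG_MATCH : SIG_NO_MATCH;
}

/* Constructed bytes: SOI, empty APP0, COM declaring length 1, EOI. */
const unsigned char sample[] = {
    0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x02, 0xFF, 0xFE, 0x00, 0x01, 0xFF, 0xD9 };
static const char SIG5[] = "Exploit.Jpeg.comment.2:5:0:ffd8*fffe0001";

int main(void)
{
    printf("length 4: %d\n", (int)scan(SIG5, &jpeg_len4, sample, sizeof sample));
    printf("length 3: %d\n", (int)scan(SIG5, &jpeg_len3, sample, sizeof sample));
    return 0;
}
```

With the length-4 entry only a buffer whose fourth byte is 0x00 would be typed as graphics, so a target type 5 signature never reaches the body match, while target type 0 bypasses the type check altogether.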


Re: [Clamav-users] JPEG vulnerability

2004-09-18 Thread Kevin Spicer
On Sat, 2004-09-18 at 06:25, Matt wrote:
> One last question, do the fffe 000(0|1) bytes
> always have to follow each other for this exploit, or is this just a pure
> example of the possibility of this exploit?

They have to follow each other: fffe denotes the start of a jpeg comment
field and the following two bytes indicate its length.  The exploit is
to specify a length of zero or one byte.  Inside a jpeg file the
sequence fffe _always_ indicates the start of a comment, therefore any
jpeg file containing the sequence fffe or fffe0001 is attempting the
exploit.




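The comment-length check described in this reply, as an added C example that is not part of the original message and not ClamAV code. A byte-pattern match cannot tell a COM marker from the same four bytes inside another segment's payload, so this sketch walks segment boundaries instead and also continues past scan data, which goes beyond what the message covers; the function names and the three sample buffers are constructed for illustration.

```c
/* Added example (not ClamAV code): structure-aware check for a JPEG COM
 * segment (marker ff fe) whose declared length is 0 or 1. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum jpeg_verdict {
    JPEG_CLEAN = 0,       /* reached EOI without a bad COM length    */
    JPEG_BAD_COM_LEN = 1, /* a COM segment declares a length below 2 */
    JPEG_NOT_JPEG = 2,    /* buffer does not start with SOI (ff d8)  */
    JPEG_MALFORMED = 3    /* lost marker sync, truncated, or no EOI  */
};

/* Byte-pattern approach: ff d8 at offset 0, then ff fe 00 00|01 anywhere. */
int naive_pattern_match(const uint8_t *buf, size_t len)
{
    size_t i;

    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return 0;
    for (i = 2; i + 4 <= len; i++)
        if (buf[i] == 0xFF && buf[i + 1] == 0xFE &&
            buf[i + 2] == 0x00 && buf[i + 3] <= 0x01)
            return 1;
    return 0;
}

/* Walk marker segments so that only a real COM marker is inspected. */
enum jpeg_verdict check_jpeg_comments(const uint8_t *buf, size_t len)
{
    size_t pos = 2, seglen;
    uint8_t marker;

    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return JPEG_NOT_JPEG;
    while (pos < len) {
        if (buf[pos] != 0xFF)
            return JPEG_MALFORMED;      /* not positioned on a marker */
        while (pos < len && buf[pos] == 0xFF)
            pos++;                      /* marker prefix and fill bytes */
        if (pos >= len)
            return JPEG_MALFORMED;
        marker = buf[pos++];
        if (marker == 0xD9)
            return JPEG_CLEAN;          /* EOI */
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7))
            continue;                   /* TEM and RSTn carry no length */
        if (marker == 0x00 || len - pos < 2)
            return JPEG_MALFORMED;
        seglen = ((size_t)buf[pos] << 8) | buf[pos + 1];
        if (marker == 0xFE && seglen < 2)
            return JPEG_BAD_COM_LEN;    /* length must include its own 2 bytes */
        if (seglen < 2 || seglen > len - pos)
            return JPEG_MALFORMED;
        pos += seglen;
        if (marker == 0xDA) {
            /* Entropy-coded data after SOS: ff is followed by 00 (stuffing)
             * or RSTn there; any other ff xx is the next real marker. */
            while (pos + 1 < len &&
                   !(buf[pos] == 0xFF && buf[pos + 1] != 0x00 &&
                     !(buf[pos + 1] >= 0xD0 && buf[pos + 1] <= 0xD7)))
                pos++;
            if (pos + 1 >= len)
                return JPEG_MALFORMED;
        }
    }
    return JPEG_MALFORMED;
}

/* Constructed samples, not real images. */
/* APP1 payload happens to contain ff fe 00 01; there is no COM segment. */
const uint8_t sample_payload_bytes[] = {
    0xFF, 0xD8, 0xFF, 0xE1, 0x00, 0x08, 0xFF, 0xFE, 0x00, 0x01, 0x41, 0x42,
    0xFF, 0xD9 };
/* A valid comment "ok", then a second COM declaring length 0. */
const uint8_t sample_second_com_bad[] = {
    0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x04, 0x6F, 0x6B, 0xFF, 0xFE, 0x00, 0x00,
    0xFF, 0xD9 };
/* COM declaring length 1, placed after a scan that contains a stuffed ff 00. */
const uint8_t sample_com_after_scan[] = {
    0xFF, 0xD8, 0xFF, 0xDA, 0x00, 0x02, 0x12, 0xFF, 0x00, 0x34,
    0xFF, 0xFE, 0x00, 0x01, 0xFF, 0xD9 };

static void report(const char *name, const uint8_t *buf, size_t len)
{
    printf("%-16s naive=%d walker=%d\n", name, naive_pattern_match(buf, len),
           (int)check_jpeg_comments(buf, len));
}

int main(void)
{
    report("payload bytes", sample_payload_bytes, sizeof sample_payload_bytes);
    report("second COM bad", sample_second_com_bad, sizeof sample_second_com_bad);
    report("COM after scan", sample_com_after_scan, sizeof sample_com_after_scan);
    return 0;
}
```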


Re: [Clamav-users] JPEG vulnerability

2004-09-17 Thread Kevin Spicer
On Fri, 2004-09-17 at 03:02, Tomasz Kojm wrote:
> > Okay, well I've found an easier to understand source...
> > http://www.funducode.com/freec/Fileformats/format3/format3b.htm
> > and it seems that the particular exploit byte sequence would be unique
> > within jpeg files.  I've also tracked down docs on how to make a
> > signature for clam, but it doesn't appear that it's possible to form a
>
> A new signature format that will be included in 0.80rc will allow
> advanced offset and target type specification, including JPEG images.

Cool, as ever you're one step ahead!

> > signature by detecting two distinct patterns in a file, or anchoring
>
> With older clamav versions you can use HEX1*HEX2*...*HEXn

That doesn't anchor to the start of the file though (I guess I'd need to
anchor the magic number to minimise false positives). I had just about
guessed, by looking at the sig files after I posted, that the * was a
wildcard (matching many bytes) and the ? a single unknown byte
(correct?).  Perhaps this information could be added to signatures.pdf? 
Is there a limit (and if so what is it) to how many bytes a * will
match?  






Re: [Clamav-users] JPEG vulnerability

2004-09-17 Thread Kevin Spicer
On Fri, 2004-09-17 at 16:21, Daniel Lord wrote:
> Those signatures don't catch the poc xploit found at
> http://www.gulftech.org/?node=downloads. But maybe it's better to
> leave this alone till there are real worms etc. to produce good
> signatures. At the moment clamav sigs don't seem good enough to
> catch this. (No support for absolute offsets)

Yes, looking at the file there is more than one comment section, and it
is the second that uses the exploit.  It stands to reason that since
there is some flexibility in the file format that a signature that
doesn't account for that flexibility (by looking for the comment in a
certain offset eg) could be easily avoided by the exploit writers.  I
wouldn't rely on finding very much at all, only the ffd8 at the start of
the file and the ffe0 000[01] exploit  (the poc doesn't even have the
APP0 marker until some way in).  Clearly without the ability to anchor
the ffd8 to the start of the file a useful signature is impossible.






[Clamav-users] JPEG vulnerability

2004-09-16 Thread Kevin Spicer
I guess everyone's heard about the jpeg vulnerability in certain
Microsoft products?  CERT have put out an advisory, and it is being
ranked as critical.

Now I know that strictly speaking this isn't a virus, it's a
vulnerability - but there have been, in the past, signatures added for
some exploits (eg. the Iframe exploit).  So my question is, is it
practicable to create a signature for this (I have no idea how
signatures are created)?  AFAIK there's no public exploit circulating for
this yet, but I'd guess it's going to happen...

This page gives more details on the actual vulnerability...
http://seclists.org/lists/fulldisclosure/2004/Sep/0509.html  

It looks like there are two possible four byte sequences that can
trigger the exploit.  I guess this is probably too small to avoid an
unacceptable level of false positives(?)  Presumably this could be
combined with the 'magic' numbers for jpeg files to improve this, but
still maybe not narrow enough?  I'm trying to find out whether there is
a particular place the comment field occurs, but the documentation is
not very easy to understand without background knowledge.

From my perspective having clam detect this would be ideal, since both
our email and http scanners use clam as a detection engine.






Re: [Clamav-users] Mail antivirus help

2004-09-11 Thread Kevin Spicer
On Fri, 2004-09-10 at 14:33, Stelian wrote:
> We currently have about 6 POP3 accounts stored on our ISP server. The
> viral traffic (incoming, of course) on them is very high, up to the
> point where we cannot longer use them.
> My task is to provide some kind of filtering server, to keep the viri
> out using a free antivirus like Clamav. Ideally, the server would work
> like this: continuously fetch the mail from the external servers,
> delete the infected messages, and keep a IMAP accessible local copy of
> the good messages.

Well here's how I did it...
Linux box running fetchmail as a daemon to get the mail from the pop
accounts, fetchmail forwards on to sendmail running on the box itself. 
MailScanner (www.mailscanner.info) to scan the email (with clamav and
bitdefender, both of which are free in at least one sense of the word). 
sendmail then delivers the mail to local accounts and courier-imap lets
the users collect them using IMAP.
If you don't want to create accounts for each user then you might like
to think about something like cyrus IMAP which (I think) doesn't require
accounts on the server (but IIRC is rather more tricky to set up) - it
was a no-brainer for me as my users (family, this is my home setup - I
use MailScanner as a relay to exchange at work) already had shell
accounts.
There are other choices too, such as AMavis and clamav-milter, however
what is commonly seen as the chief advantage of them (as milters) -
being able to refuse to accept a mail, rather than reject it later - is
a non issue in this instance because both your ISP and fetchmail have
already accepted it.  

Kevin






Re: [Clamav-users] clam newbie

2004-08-18 Thread Kevin Spicer
On Wed, 2004-08-18 at 07:48, Tomasz Papszun wrote:
> Please, make sure you do NOT send notifications to senders (they are
> almost always spoofed nowadays), maybe except pertaining MS Office
> macros and test signatures (EICAR and ClamAV-Test-Signature).

I completely agree with that, but...

> Also, do NOT send notifications to intended recipients (or they will
> hate you ;-) ).

...that's more subjective.  We always send notifications to our internal
users (within our company) when they are the intended recipient of a
virus, we've never had a complaint about this as far as I know (and we
certainly receive plenty!).  Our thinking is that we want our users to
know that we are protecting them and understand the scale of the
problem.  It also reinforces the warning messages we send out when there
is a new rapidly spreading message (we warn our users to encourage them
to take care when checking webmail etc. and also as a courtesy to those
with a PC at home).  It also helps justify some of the file type
blocking we do (such as not allowing .exe files) if users can see we are
catching infected files of the types we block.






Re: [Clamav-users] Freshclam errors

2004-08-17 Thread Kevin Spicer
On Tue, 2004-08-17 at 17:04, Randall Perry wrote:
> > ClamAV update process started at Mon Aug 16 23:22:04 2004
> > SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES
> > Ok, installed the gmp package and reinstalled clamav.
> I'm still getting the error above stating no support for signatures -- is
> there a way to check the apps to see if support is built in?

Depending on your OS and how you installed clam you may need to install
the gmp-devel package and configure; make; make install clam again.






Re: [Clamav-users] Freshclam errors

2004-08-17 Thread Kevin Spicer
On Tue, 2004-08-17 at 18:43, Randall Perry wrote:
> on 8/17/04 12:32 PM, Kevin Spicer at [EMAIL PROTECTED] wrote:
> > Depending on your OS and how you installed clam you may need to install
> > the gmp-devel package and configure; make; make install clam again.
> >
> I can only find gmp-devel in an RPM -- is there a src download for it
> somewhere (it's not at http://www.swox.com/gmp/#DOWNLOAD) ?

If you installed gmp from source then you probably have the necessary
files already.  Check for gmp.h in /usr/include/ (maybe
/usr/local/include/  maybe somewhere else).  You will need to rebuild
clam.  (make clean; ./configure; make; make install)






Re: [Clamav-users] [OT] Re: KDE/MS patent and prior art (Was: Idea for more timely virusdb updates)

2004-08-15 Thread Kevin Spicer
On Sun, 2004-08-15 at 21:02, Martin Konold wrote:
> > IANAL... but wouldn't that count as 'prior art' ?
>
> No, basically MS patented the obvious addition not mentioned in the publicly
> posted email.

Then can't it be appealed as patents are supposed to be for non-obvious
inventions?  Maybe the EFF or PubPat could help?






Re: [Clamav-users] My.Doom.o

2004-07-28 Thread Kevin Spicer
On Wed, 2004-07-28 at 06:51, Michael Brennen wrote:
 On Tue, 27 Jul 2004, Matt wrote:
 
   On Tue, 2004-07-27 at 13:28, Kevin Spicer wrote:
On Tue, 2004-07-27 at 16:26, Scott Ryan wrote:
 I have not submitted any virii (correct word?)
   
viruses
 I'm no Latin scholar, but I've heard it said that the proper Latin
 plural is 'vira'.  FWINW

But we're using English not Latin, unless I accidentally subscribed to
clamav-users-latin... ;)






Re: [Clamav-users] Sigtool Build Time

2004-07-28 Thread Kevin Spicer
On Wed, 2004-07-28 at 17:51, Denis De Messemacker wrote:

> It means the signature was done at 3:12 pm (15:12) , in a GMT+2 zone.
> So 1:12pm GMT.
>
> Assuming Central Standard Time USA is GMT-5 in summer, it makes 8:12 am.

Perhaps there would be some sense in timestamping the signature
databases using only UCT, this would make it much easier to compare
different times, especially if they may be built in different timezones.






Re: [Clamav-users] My.Doom.o

2004-07-27 Thread Kevin Spicer
On Tue, 2004-07-27 at 16:26, Scott Ryan wrote:
 I have not submitted any virii (correct word?) 

viruses







Re: [Clamav-users] Scanning files being uploaded via a form

2004-07-26 Thread Kevin Spicer
On Mon, 2004-07-26 at 11:46, Suril Patel wrote:
 I have currently got no AV installed and want to know if installing
 ClamAV will let me call the virus scanner from a PHP script during
 the upload process and reject/accept the attachment based on the
 results.

Yes, easily.  I've done the exact same thing myself.  Beware safe mode
restrictions.






Re: [Clamav-users] Gettin a return code from clamdscan in a script

2004-07-22 Thread Kevin Spicer
On Thu, 2004-07-22 at 22:01, Kevin W. Gagel wrote:
 I'm confused because the docs say it will return a 1 which it does if I run
 them from the command line, just not in a script.

Perhaps you could post your script?
Are you using the same shell in your script as you use at the command
line? Some have different behaviour (such as using $status).






Re: [Clamav-users] Bad Virus Signature?

2004-06-21 Thread Kevin Spicer
On Mon, 2004-06-21 at 16:05, Benjamin Sherman wrote:
 I was wondering if false positives ever make it into the virus DB updates?

They do

 Since the update on Jun18, all of my Windows 2000 workstations with 
 Service Pack 4 are showing what I believe to be false positives for 
 Worm.Lovgate.W-2. The file in question is spoolsv.exe and can be found in:
 C:\WINNT\System32
 C:\WINNT\System32\DllCache
 C:\WINNT\ServicePackFiles\i386  (depending on how the service pack was 
 installed)

Submit a copy of the affected file as a false positive at
http://www.nervous.it/~nervous/cgi-bin/sendvirus.cgi







Re: [Clamav-users] error in cronjob

2004-06-16 Thread Kevin Spicer
On Wed, 2004-06-16 at 22:26, List wrote:
 Hi,
 
 I notice some errors in my cron.daily. I am running RedHat 9 and Clam 7.2.
 Errors listed below :-
 
 /etc/cron.daily/clamscan:
 
 /etc/cron.daily/clamscan: line 1: clamscan: command not found
 /etc/cron.daily/clamscan: line 1: sigtool: command not found
 /etc/cron.daily/clamscan: line 1: sigtool: command not found
 '/' will now be scanned for viruses with ClamAV clamscan version
 Virus Signature Daily Database version  (built at )
 /etc/cron.daily/clamscan: line 1: clamscan: command not found
 
 Any idea?

At a guess these tools are installed somewhere other than /bin or
/usr/bin (or whatever is in the default path that cron provides). 
Suggest you either use the full path in your scripts or explicitly set
the path environment variable at the start of the script.




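An added example, not from the thread or the ClamAV project, covering three replies on this page: the cron PATH advice above, the clamdscan return-code question, and scanning form uploads from a script. It assumes the scanner exits 0 for a clean file and 1 for a detection and treats every other status as a failure; SCAN_PATH, SCANNER and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: cron-safe wrapper around clamdscan (not from the thread).
# Assumption: exit 0 = clean, 1 = virus found; any other status is an error.

# cron supplies only a minimal PATH, so search an explicit one.
# SCAN_PATH and SCANNER are hypothetical names; adjust the directories.
SCAN_PATH="${SCAN_PATH:-/usr/local/bin:/usr/bin:/bin}"
SCANNER="${SCANNER:-clamdscan}"

# find_scanner: print where $SCANNER resolves on $SCAN_PATH, or fail.
# The subshell keeps the PATH change from leaking into the caller.
find_scanner() {
    ( PATH="$SCAN_PATH"; command -v "$SCANNER" )
}

# scan_file FILE: print CLEAN, INFECTED or ERROR; return 0, 1 or 2.
scan_file() {
    file=$1
    if ! scanner=$(find_scanner); then
        echo "scan_file: $SCANNER not found on $SCAN_PATH" >&2
        echo ERROR
        return 2
    fi
    if [ ! -r "$file" ]; then
        echo "scan_file: cannot read $file" >&2
        echo ERROR
        return 2
    fi
    # Capture the status at once: any later command overwrites $?.
    # (In sh the status is $?; csh-family shells use $status instead.)
    status=0
    "$scanner" --no-summary "$file" >/dev/null 2>&1 || status=$?
    case $status in
        0) echo CLEAN;    return 0 ;;
        1) echo INFECTED; return 1 ;;
        *) echo "scan_file: scanner exited $status" >&2
           echo ERROR;    return 2 ;;
    esac
}

# accept_upload FILE: succeed only on a CLEAN verdict, so a missing or
# failing scanner rejects the upload instead of letting it through.
accept_upload() {
    verdict=$(scan_file "$1") || true
    [ "$verdict" = CLEAN ]
}

# Stand-alone use: sh scan.sh /path/to/file ; exit status mirrors the verdict.
if [ "$#" -gt 0 ]; then
    scan_file "$1"
    exit $?
fi
```

A web upload handler can call the script and accept the file only when the exit status is 0.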


Re: [Clamav-users] Sober.H

2004-06-12 Thread Kevin Spicer
On Sat, 2004-06-12 at 22:12, Philipp Grosswiler wrote:
 Now I read a news article on heise.de, that F-Secure calls those e-mails
 under the name of Sober.H. I would like that ClamAV could also add those
 signatures to the database, as there seem to be a lot of victims out there
 being infected by Sober.G, which can reload all kind of executable to do
 with the victim whatever he wants... Now it looks like the Sober author is
 kind of racist and I do not tolerate that.
 

According to the Google translation of the page it looks like the
signature actually detects the new variant of Sober which sends the
emails, rather than the emails themselves.

 What can I do to help you stop this kind of e-mails? Or is your policy to
 not do anything against this, since it's not really harmful (means no direct
 virus or worm)?

Lots of viruses are now used for bulk emailing of spam by compromised
machines, this only appears different because of the nature of the
content (there's plenty of other objectionable content in spam) and the
fact it's in German.  In any event the filtering of objectionable and
unsolicited content is a job for your anti-spam solution of choice.






RE: [Clamav-users] Ethics Question

2004-06-09 Thread Kevin Spicer
On Wed, 2004-06-09 at 20:10, Samuel Benzaquen wrote:

 I think the only way I could think is reporting the IP to some DNSBLs.
 That way you can stop receiving their mails and you leave the cleansing
 problem to their ISP.

Or simply block the IP with sendmail's access database (or the equivalent
for your choice of MTA)






Re: [Clamav-users] Re: Freshclam not responding {Scanned}

2004-06-04 Thread Kevin Spicer
On Fri, 2004-06-04 at 07:15, Gervase wrote:
 On Thu, 2004-06-03 at 15:22, Jo Mills wrote:
 
  Don't give up!
 
 Many thanks for joining in. Unfortunately I was impatient and
 reinstalled. But, alas, the problem did not go away.
Have you tried something along the lines of:
host google.co.uk
 
 I got : Google has address 216.239.59.104
 
   If it does work, then you could try:
   traceroute google.co.uk
 
 I got: traceroute: command not found.
 
  What happens if you try:
  host db.europe.clamav.net
 I got: truncated; trying in TCP mode
connection timed out; no servers could be reached

  What happens if you try:
  host 193.19.98.136
 
 I got: 136.98.19.193.in-addr.arpa domain name pointer morden.dbplc.com.
 
 Does this tell you anything more?  Others have said that my firewall is
 blocking port 53, but the problem persists when I turn the firewall
 off.  This is strange since SuSE ship Clamav with the OS.  Perhaps I
 should take it up with them.
 
 In the meantime, is there a command specifically to test the port? And
 if positive to unblock it.  I see no way through the GUI.  Sorry if I am
 asking to be spoon-fed.

Immediately after doing the dig or nslookup that fails, tail the syslog,
messages and/or kernel log files and see if there are any packet filter
logs showing 'DPT=53' and 'PROTO=TCP'






Re: [Clamav-users] Re: Freshclam not responding

2004-06-01 Thread Kevin Spicer
On Tue, 2004-06-01 at 22:09, Fajar A. Nugraha wrote:
 Gervase wrote:
 
 ERROR: Can't get information about database.clamav.net host.
   
 
 Seems like DNS problem. Configure your DNS server properly,
 or use proxy (edit freshclam.conf)

Make sure your firewall allows DNS over both UDP _and_ TCP. Because clam
has so many mirrors, the DNS response stopped fitting in a UDP packet, so
it has to use a TCP packet instead; if your firewall doesn't allow TCP
packets through, it won't work.




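An added example, not part of the thread: the log check suggested in the 2004-06-04 reply (packet filter entries showing 'DPT=53' and 'PROTO=TCP'), which is how the TCP fallback described in the reply above shows up when a firewall blocks it. The log lines are constructed in the style of Linux netfilter LOG output; the "FW-DROP" prefix, the addresses and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: count logged TCP packets to port 53 per destination.
# Everything in sample_log is constructed; it is not taken from the thread.

sample_log() {
    cat <<'EOF'
Jun  4 07:20:01 host kernel: FW-DROP IN= OUT=eth0 SRC=192.168.0.10 DST=192.0.2.53 LEN=60 TTL=64 PROTO=TCP SPT=34567 DPT=53 SYN
Jun  4 07:20:01 host kernel: FW-DROP IN= OUT=eth0 SRC=192.168.0.10 DST=192.0.2.53 LEN=71 TTL=64 PROTO=UDP SPT=34001 DPT=53
Jun  4 07:20:02 host kernel: FW-DROP IN= OUT=eth0 SRC=192.168.0.10 DST=203.0.113.9 LEN=60 TTL=64 PROTO=TCP SPT=34570 DPT=5353 SYN
Jun  4 07:20:04 host kernel: FW-DROP IN= OUT=eth0 SRC=192.168.0.10 DST=192.0.2.53 LEN=60 TTL=64 PROTO=TCP SPT=34567 DPT=53 SYN
Jun  4 07:20:05 host kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.53 DST=192.168.0.10 LEN=60 TTL=54 PROTO=TCP SPT=53 DPT=40000 ACK
Jun  4 07:20:09 host kernel: FW-DROP IN= OUT=eth0 SRC=192.168.0.10 DST=198.51.100.7 LEN=60 TTL=64 PROTO=TCP SPT=34580 DPT=53 SYN
EOF
}

# dns_tcp_hits [FILE...]: read log lines from the files (or stdin) and print
# "<count> <destination>" for every line carrying both PROTO=TCP and DPT=53.
# Fields are compared whole, so DPT=5353 and SPT=53 replies are not counted.
dns_tcp_hits() {
    awk '
    {
        proto = dpt = dst = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "PROTO=TCP") proto = 1
            else if ($i == "DPT=53") dpt = 1
            else if ($i ~ /^DST=/) dst = substr($i, 5)
        }
        if (proto && dpt && dst != "") hits[dst]++
    }
    END { for (d in hits) print hits[d], d }
    ' "$@" | sort -k2
}

# Stand-alone use: pass log files as arguments, or run with none to see the
# result for the constructed sample.
if [ "$#" -gt 0 ]; then
    dns_tcp_hits "$@"
else
    sample_log | dns_tcp_hits
fi
```

Any destination listed is a resolver the host tried to reach over TCP while the packet filter logged the packet; UDP queries to the same address are ignored.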


Re: [Clamav-users] CommuniGate Pro and ClamAV

2004-05-28 Thread Kevin Spicer
On Fri, 2004-05-28 at 16:29, Brandon wrote:
 Good Morning!
 
 Has anyone on this list had any luck running clamav with CommuniGate Pro? 
 Our mail volume is approximately 40,000 messages per hour across two front
 end servers.  Does anyone have any statistics they would like to share
 about CGPRO/ClamAV?

I think there is a way of using MailScanner (which in turn can use
clamav) with CGP.  I don't think it's mentioned on the MailScanner site,
but if you ask on the MailScanner list there's a few people there who can
probably help. 






Re: [Clamav-users] Version 0.71 - clamdscan error

2004-05-27 Thread Kevin Spicer
On Thu, 2004-05-27 at 09:21, Mr Mailing List wrote:
 Just noticed that scanning files with clamdscan does not scan
 files that are not world readable.

Perhaps it would be better if clamd could implement some kind of
privilege separation, so that a minimal process running as root reads
the files, but an unprivileged process could actually do all the
processing?






Re: [Clamav-users] blocking attachments

2004-05-25 Thread Kevin Spicer
On Tue, 2004-05-25 at 17:12, Ken Jones wrote:
 Is it possible to configure clamav to block certain 
 types of attachments even if they do not have a virus?
 
Take a look at MailScanner http://www.mailscanner.info it offers a
number of ways to apply all sorts of policy to email.




Re: [Clamav-users] name that worm: agobot,gaobot,polybot

2004-05-20 Thread Kevin Spicer
On Wed, 2004-05-19 at 12:54, Betsy Schwartz wrote:
 Some PCs on our network have been flagged as having 
 agobot,gaobot,polybot (or a sasser variant), by the perimeter security 
 system.  I have looked at Kevin's excellent database at 
 http://www.rainingfrogs.co.uk and don't see any matches made between these 
 names and clamav.

I found loads when I tried, maybe you were searching on 'exact name'
rather than 'contains'?  I've changed it to do 'contains' searches by
default now, as that's probably more intuitive.






Re: [Clamav-users] Question regarding virus detection

2004-05-20 Thread Kevin Spicer
On Thu, 2004-05-20 at 19:21, Peter Bonivart wrote:
 Jim Maul wrote:
  There is something that is causing clamav to not be able to detect this
  virus after the message has been bounced and now forwarded.
 
 Damaged bounces are not dangerous. Why bother making signatures for them 
 when you don't make money showing how many viruses you detect?

Well, although you might not make money it's not good for the reputation
of a virus scanner if other scanners detect these files and they don't. 
How does an end user (or for that matter most IT staff) know whether a
file is not detected by one scanner but picked up by another because it's
not dangerous or because the scanner isn't good?






[Clamav-users] New Address for Virus Alias Database

2004-05-17 Thread Kevin Spicer
For those that found my virus alias database useful I have now moved it
to http://www.rainingfrogs.co.uk to get rid of the annoying UK2 popup
ad and banner.  This also means that it will now accept direct links to
URLs of specific entries, for those that requested that facility.

Kevin




Re: [Clamav-users] What is this Exploit.JUnksurf.A ? (Off topic)

2004-05-13 Thread Kevin Spicer
On Thu, 2004-05-13 at 20:53, Damian Menscher wrote:
 You are obviously correct in the case of an intrusion.  But I don't know
 many 1337 h4x0rs that would mess with:
 //usr/share/doc/libxml2-devel-2.5.4/example.html: Exploit.Junksurf.A FOUND
 which is why i recommended updating clamav before reinstalling.
 
 Taking things in context helps.

It's also worth noting that where the type of infection doesn't match the
type of file it's likely to be a false positive.  For example if you find
Linux binaries 'infected' with a Word macro virus.  

In this particular case (from its name, and the description of a
similarly named virus on Trend's site
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=HTML_JUNKSURF.A ) I 
would guess this is an HTML exploit, therefore finding it in all manner of files, both 
binary and text would seem to suggest an error on the part of the scanner.







RE: [Clamav-users] Re: Virus Alias Database

2004-05-11 Thread Kevin Spicer
On Tue, 2004-05-11 at 00:58, Mitch (WebCob) wrote:
 I'm sure there are many (including myself) that could be convinced to host
 mirrors once the concept stabilizes...
 
 Or alternatively, you could allow download of the db and functions so people
 wouldn't have to keep hitting your server...

That's the better idea, although ideologically I'm all for open source I
have no intention of releasing the code that builds the database.  That
is for purely practical reasons, most of it works by crawling the
anti-virus vendors' sites - as such if lots of people started to run it
there would be significant load on their sites, which is not only
inconsiderate of us but also could lead to them blacklisting our IPs
and/or changing their page format to make it much harder to parse.  I'm
certainly willing to open the front end, but I need to find out how easy
it is to mirror a MySQL database, I suppose I could script something
that writes incrementals out to some web space.  But it all needs more
work first...  I'm away for a few days, maybe I'll find time next week.

Kevin






Re: [Clamav-users] Virus Alias Database

2004-05-10 Thread Kevin Spicer
On Mon, 2004-05-10 at 18:24, jef moskot wrote:
 So, if I type in Netsky, I don't see any ties to SomeFool.  If I put in
 SomeFool, I don't see any immediate reference to Netsky, but if I poke
 around a little, it becomes apparent that we're talking about the same
 thing.
But if you put in Worm.somefool (which is what clam actually calls it),
or click on worm.somefool vendor clamav when you search on 'contains
somefool' You can see it is Netsky as reported by some other vendors

 Not sure how it should be implemented, 

Me either!  My current thinking is to do it as automatically as
possible, otherwise I'll just get bored / occupied doing something else
and not keep the alias mapping up to date

I did think about doing some kind of 'smart-search' but that's going to
need some thinking about.  Maybe... 






Re: [Clamav-users] Re: Virus Alias Database

2004-05-10 Thread Kevin Spicer
On Mon, 2004-05-10 at 11:38, Russ Phillips wrote:
 I had a look, and I have a couple of thoughts/comments.
 
 1. Will it handle heavy loads? It may start to get a lot of hits once 
 people start to find out about it

It's running PHP & MySQL on apache2, unfortunately this is my home box
(that said it's not a bad spec) so the response will be directly
proportional to what I'm compiling at the time and the amount of
bandwidth on my DSL line.

 2. If it could handle heavy loads, it would be useful if the form used 
 GET instead of POST, so that links to specific viruses could be posted.

I've changed the form to GET, however direct links won't work because of
the web diversion service that I use - unless you link to the IP address
(of the lower frame, not the outer window), it is a static IP but could
change if I get fed up with my ISP or something (not that that is at all
likely right now, I'm using Eclipse and they are excellent)





Re: [Clamav-users] Recommendation RedHat replacement

2004-05-10 Thread Kevin Spicer
On Mon, 2004-05-10 at 19:57, Bora wrote:
 Sorry, this may not be appropriate to post here, but I know many of you are
 using RH and are figuring new options as they are no longer offering free
 download for RH 7, 8 and 9.

When starting a new topic please would you create a fresh message rather
than replying to an existing message and changing the subject - it
screws things up for those of us with threaded mail readers.

Thanks







[Clamav-users] False positive

2004-05-10 Thread Kevin Spicer
I submitted a false positive of Joke.BinLaden last week (through the web
interface), but I haven't heard anything of it, and it's not shown up in
the virusdb list.  Should I resubmit?






[Clamav-users] Virus Alias Database

2004-05-09 Thread Kevin Spicer
I've put a little more work into my virus alias database (at
http://www.kevinspicer.co.uk) and it is now indexing virus definitions
from Sophos, F-Prot, Norman and Vexira as well as those from F-Secure
and Symantec that were indexed previously.  This has nearly doubled the
number of virus names and aliases known.  I've also made an improvement
which should get rid of some of the odd stuff that got into the database
due to inadequate text processing of Symantec's site; these should
disappear as they expire over the next week or so.  The site has been
down for the last few days due to an upgrade replacing the index.html
page and me not noticing (doh!), but should be alright now.

I hope people find this useful, any constructive comments or suggestions
gratefully received.

Kevin






Re: [Clamav-users] Virus found in virgin RHES 3 installation?

2004-05-07 Thread Kevin Spicer
On Fri, 2004-05-07 at 18:36, Ken Morley wrote:
 I was surprised when clamdscan reported:
 
 //proc/kcore: Trojan.MiniCommander.dr FOUND
 
 What's the possibility that the server is really infected?  

It's got to be somewhat unlikely that a running Linux kernel would get
infected with a Windows trojan.  False positive methinks.  Normally I'd
say submit the affected file for analysis, but I'd guess the database
guys don't really want a core dump of your kernel (?)

More to the point why are you scanning /proc ?  The easiest answer is
probably just to not scan /proc.




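An added example, not part of the original post: a triage pass over ClamAV "FOUND" lines that flags hits located on kernel pseudo-filesystems such as /proc, where the "file" is a view of kernel memory rather than something stored on disk. The mount table, the second and fourth report lines, the signature names on them and the list of pseudo-filesystem types are constructed assumptions; the first report line is the one quoted in the thread.

```shell
#!/bin/sh
# Triage ClamAV "FOUND" lines: separate hits on kernel pseudo-filesystems
# (proc, sysfs, ...) from hits on files that really exist on storage.

# Constructed sample in /proc/mounts format: device mountpoint fstype ...
sample_mounts() {
cat <<'EOF'
/dev/sda1 / ext3 rw 0 0
none /proc proc rw 0 0
none /sys sysfs rw 0 0
none /dev/pts devpts rw 0 0
/dev/sda2 /home ext3 rw 0 0
EOF
}

# Constructed sample report; only the first line comes from the thread.
sample_report() {
cat <<'EOF'
//proc/kcore: Trojan.MiniCommander.dr FOUND
/home/ken/mail/attachment.exe: Constructed.Sample-1 FOUND
/home/ken/notes.txt: OK
/sys/kernel/example: Constructed.Sample-2 FOUND
EOF
}

# triage_hits MOUNTS_FILE REPORT_FILE
# Prints one line per detection: "<PSEUDO|DISK> <fstype> <path> <signature>"
triage_hits() {
    awk '
    # Collapse repeated slashes ("//proc" -> "/proc") and drop a trailing one.
    function norm(p) {
        gsub("/+", "/", p)
        if (length(p) > 1) sub("/$", "", p)
        return p
    }
    BEGIN {
        # Filesystem types that are kernel views, not stored files (assumed list).
        n = split("proc sysfs devpts devtmpfs debugfs", t, " ")
        for (i = 1; i <= n; i++) pseudo[t[i]] = 1
    }
    # First input: remember the filesystem type of every mount point.
    NR == FNR { fstype[norm($2)] = $3; next }
    # Second input: only lines ending in " FOUND" are detections.
    / FOUND$/ {
        line = $0
        sub(" FOUND$", "", line)
        # Split at the last ": " so a path that contains ": " stays whole.
        pos = 0; sig = line
        while ((i = index(sig, ": ")) > 0) { pos += i + 1; sig = substr(sig, i + 2) }
        if (pos == 0) next
        path = norm(substr(line, 1, pos - 2))
        # The longest mount point that is a prefix of the path wins.
        best = ""
        for (m in fstype)
            if ((m == "/" || path == m || index(path, m "/") == 1) && length(m) > length(best))
                best = m
        if (best == "")                  print "DISK unknown " path " " sig
        else if (fstype[best] in pseudo) print "PSEUDO " fstype[best] " " path " " sig
        else                             print "DISK " fstype[best] " " path " " sig
    }' "$1" "$2"
}

# Run the triage over the constructed samples.
demo() {
    d=$(mktemp -d) || return 1
    sample_mounts > "$d/mounts"
    sample_report > "$d/report"
    triage_hits "$d/mounts" "$d/report"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

On a live host the first argument would be /proc/mounts and the second the saved scanner output; PSEUDO lines point at scan scope that should be excluded rather than at an infected file.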


Re: [Clamav-users] Easiest/best sendmail integration

2004-05-07 Thread Kevin Spicer
On Fri, 2004-05-07 at 18:27, Mike Lambert wrote:
 Again, the advantage is sending 5xx instead of 2xx. IMO, giving the
 connecting mta a status code appropriate to the message disposition is
 better than simply accepting _all_ messages only to drop some later (I
 do not consider generating a separate bounce message to be an option).
 The sending mta should deal with rejected messages, not the receiving
 (rejecting) mta.
Sorry, this is really far too long!

Disclaimer: I use MailScanner, I've also contributed to MailScanner and
am the current lead developer on MailScanner-MRTG (a GPL'd monitoring
tool for MailScanner servers).  Obviously my opinion isn't unbiased
(although I hope not totally one-sided), but I'd like to throw some
often overlooked points into the mix. I don't think that there is
necessarily a right or wrong answer to this one, nor is one solution
necessarily best for everyone.  

I do agree that where a message is undeliverable (because of bad
addressing, disabled accounts etc) this should be handled by rejecting
at the RCPT stage by the first MTA with the ability to make such a
judgement (Since this is a matter of MTA configuration this shouldn't be
an issue in the milter vs queue argument).  Where the decision to reject
is based on the application of policy to the content of a message
(whether that be the application of virus scanning, spam filtering, file
name/type filtering, other message content filtering, attachment size
restrictions etc.) it is not necessarily so clear cut.  I would not
advocate bouncing spam or viruses as this causes a nuisance, however
where a message is blocked due to pure policy decisions (for example we
block mpegs) then a clear and helpful bounce message is a courtesy.  I
appreciate that for members of the list understanding a reject message
generated by an MTA is trivial, but many users find it much less
accessible (not to mention getting confused about why their own
mailserver appears to have rejected their message - when in fact it is
merely reporting the rejection by the destination mailserver).

A good proportion of mail passes through multiple MTAs en route,
especially given the current spam/ virus tactics of delivering to
secondary MX's many of which simply store and forward.  I imagine that
dealing with 5xx rejects of spam and viruses (usually with forged
senders) is a growing burden for ISPs who offer a secondary MX store
and forward service.  I hope that at least some milters have the ability
to discard rather than simply reject certain classes of unwanted mail. 
It's often overlooked that 5xx rejecting only pushes the problem back
upstream, and this is not necessarily to the point of origin (as anyone
who has ever been joe-jobbed will appreciate all too well).  So by not
accepting the mail you may be part of the problem rather than part of
the solution [I'm not saying that's my opinion, I'm on the fence on that
one - no flames please!].

There is however a fine line to walk, just discarding mail is a
dangerous path to tread and certainly not one we choose to take.  Our
policy is not to bounce spam or virus.  Spam mails are tagged (and
stripped of html content to avoid offending people), so the recipient
can filter in their MDA.  Viruses are removed (or disinfected in the
case of the now rare macro viruses) and the recipient notified with any
deliverable portion of the mail included, except in the case of outgoing
mail, where we can be reasonably sure who the sender is and notify them
instead.

There are also technical concerns with both methods.  Others have raised
technical concerns about MailScanner's approach so I won't duplicate
them here.  Because milters scan the mail during the SMTP transaction
they need to be fairly swift about it, so that the sending server
doesn't give up on them, and also out of courtesy to the senders
organisation (who wants dozens of MTA processes all waiting while the
recipient takes several minutes to do umpteen checks?)  Please don't
misunderstand me, I'm not saying that this is always the case - just
that there is a risk of processing time becoming unacceptably long
during times of unusually heavy load.  MTAs generally restrict the
maximum number of threads, so slow processing can result in mail not
being delivered.  Typically this pushes the problem back upstream again,
if upstream happens to be the spammer's server or the infected PC then
this is good as it's quite likely they won't attempt another delivery, if
not then this is just creating problems for others [again, good or bad
you decide].  On the other hand with MailScanner the MTA handles the
mail as quickly as it can, making SMTP sessions as short as possible. 
This does mean at times of heavy load there can be a backlog in the
incoming queue, and your server may be at full pelt trying to catch up,
however mail is processed as soon as possible and in the order it
arrived so mail will be delivered at the earliest opportunity (with the
milter model the 

Re: [Clamav-users] Problem

2004-04-30 Thread Kevin Spicer
On Fri, 2004-04-30 at 08:05, Bernard Elbourn wrote:

 Unfortunately this installation is remote to me so not so easy to just 
 update. Shame I did not get any warning!
 
 How can I find out when I should update so I can plan ahead?
 
Subscribe to clamav-announce list.  Generally speaking it's a good idea
to keep up with clam releases as new releases generally improve
detection.






Re: [Clamav-users] Problem

2004-04-29 Thread Kevin Spicer
On Thu, 2004-04-29 at 21:42, Bernard Elbourn wrote:
  From a 1 year old installation 
[snip]
 Is it time to upgrade?

Oh yes.  It was probably time to upgrade some months ago!

Virus scanning (and virus production) is an arms race, really well
advised to keep pace.






[Clamav-users] Virus Alias Database

2004-04-25 Thread Kevin Spicer
I've put up a proof-of-concept (read 'ugly') virus alias database at
http://www.kevinspicer.co.uk  It's currently rather limited in that it
only fully indexes Clam, Fsecure and Symantec (although some aliases for
other vendors are picked up).  If people feel it is worth pursuing then
I'll try and find time to add some other vendors and maybe even make it
less ugly (and validate the html!)

It's on a DSL line, so please be gentle with me!

Kevin




Re: [Clamav-users] clamav on early Linux 2.0 release

2004-03-28 Thread Kevin Spicer
On Sun, 2004-03-28 at 15:45, Fred Flintstone wrote:
 Any other quick 'n' dirty suggestions for this one? :)
 
Have you tried just building a statically linked binary on a more recent
distro and seeing if it works on yours?






Re: [Clamav-users] RE: Nbr of signatures

2004-03-16 Thread Kevin Spicer
On Tue, 2004-03-16 at 17:53, Alex S Moore wrote:
 Has the number of virus signatures increased significantly lately?  I
 thought there were around 21,000 but now I have this msg in clamd.log.
 
 Tue Mar 16 11:45:22 2004 - Protecting against 40969 viruses.
 
Maybe you have both old and new style databases in place - suggest you
delete the old ones.






Re: [Clamav-users] pipechk: [kegger:clamav-virus-list] (fwd)

2004-03-15 Thread Kevin Spicer
On Mon, 2004-03-15 at 20:20, [EMAIL PROTECTED] wrote:
 
 Has the Ladmar.A virus been merged as a different virus?  The count went 
 down by 1 and Ladmar was removed.  Any ideas?
 
It was temporarily removed due to a false positive.  You can keep track
of additions and removals by subscribing to the clamav-virusdb list, or
by checking the archive at
http://news.gmane.org/gmane.comp.security.virus.clamav.virusdb 

(Also in the case of this false positive there was a discussion about it
on this list a few hours ago).






[Clamav-users] FAO. List admins -- clamav-announce

2004-03-15 Thread Kevin Spicer

Would it be possible for posts to clamav-announce to be cross-posted
here please.  I imagine I'm not the only one here that didn't know about
0.68.

Cross posting to the users list seems to be fairly common among other
projects (it makes sense that anyone on the users list is going to want
to know about new releases).








Re: [Clamav-users] some little questions

2004-03-03 Thread Kevin Spicer
On Wed, 2004-03-03 at 02:28, Rembrandt wrote:
 I know guys which are working as administrators at a newspaper.
 They make backups.. yes.. 
 But they make it only for 1 week (because there's too much data).
 So they're able to restore all files which changed since date X.
 But what's about a virii which infects the files and waits until a
 special date?
 Or what's about logic-bombs?
It's not the job of an anti-virus solution to compensate for inadequate
backups.  This is inadequate because if you may need a file from a month
ago your backup solution should be able to deliver that.  A weekly
rotation is only any good if the files you are backing up will genuinely
not be needed for longer than a week.  There are plenty of adequate ways
to minimise the amount of media needed to perform much longer term
backups (for example the Tower of Hanoi method).  




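An added example, not part of the original post: the Tower of Hanoi rotation mentioned above, showing which media set each backup session overwrites and how old the oldest restorable backup is compared with a plain round-robin of the same media. The five media sets and the 1-based session numbering are assumptions made for the illustration.

```shell
#!/bin/sh
# Tower of Hanoi media rotation: which media set does backup session N
# overwrite, and how far back can you still restore on a given day?

# hanoi_set SESSION SETS
# Prints the 0-based set index (0 = A, 1 = B, ...) written in SESSION.
# It is the position of the lowest set bit of SESSION, capped at the last set,
# so set A is reused every 2nd session, B every 4th, C every 8th, and so on.
hanoi_set() {
    n=$1; sets=$2; k=0
    while [ $((n % 2)) -eq 0 ] && [ "$k" -lt $((sets - 1)) ]; do
        n=$((n / 2)); k=$((k + 1))
    done
    echo "$k"
}

# hanoi_retained TODAY SETS
# Walks back from TODAY and prints, for each media set, the most recent
# session still held on it: "set=<k> session=<s> age=<sessions ago>".
hanoi_retained() {
    today=$1; sets=$2; seen=""; found=0; s=$today
    while [ "$s" -ge 1 ] && [ "$found" -lt "$sets" ]; do
        k=$(hanoi_set "$s" "$sets")
        case " $seen " in
            *" $k "*) ;;                      # already overwritten by a later session
            *) seen="$seen $k"; found=$((found + 1))
               echo "set=$k session=$s age=$((today - s))" ;;
        esac
        s=$((s - 1))
    done
}

# hanoi_oldest_age TODAY SETS
# Age, in sessions, of the oldest backup that can still be restored.
hanoi_oldest_age() {
    hanoi_retained "$1" "$2" | sed -n '$s/.*age=//p'
}

# round_robin_oldest_age TODAY SETS
# Same question for a simple rotation that reuses the media in order.
round_robin_oldest_age() {
    if [ "$1" -lt "$2" ]; then echo $(($1 - 1)); else echo $(($2 - 1)); fi
}

# Print the comparison for session 31 with five media sets.
demo() {
    hanoi_retained 31 5
    echo "hanoi oldest age: $(hanoi_oldest_age 31 5)"
    echo "round-robin oldest age: $(round_robin_oldest_age 31 5)"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

With five sets the oldest restorable Hanoi backup is between 8 and 15 sessions old, against 4 for round-robin, which is the window that matters when damage is only noticed some time after it happened.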


RE: [Clamav-users] Problem with *.zip atachments!

2004-03-03 Thread Kevin Spicer
On Wed, 2004-03-03 at 20:57, Grzesiek Staleczyk wrote:
  MailScanner users need to upgrade to MailScanner 4.28.4 (just out), which
  can block password-protected .zip files.
 RP MailScanner users need to upgrade to MailScanner 4.28.4 (just out), which
 RP can block password-protected .zip files.
 
It only says that the filename rules would allow it - it doesn't say
that the attachment will be allowed as a result of all checks.  Is the
attachment actually reaching the recipient?

You should really try posting on the MailScanner list, as this clearly
isn't a clam issue.






Re: [Clamav-users] How to handle quarantined SPAM

2004-02-17 Thread Kevin Spicer
On Wed, 2004-02-18 at 00:19, Luc de Louw wrote:
 Hi all,
 
 Does someone know a software, that allows users to browse and handle 
 quarantined Mails?
 
 Preferably a Web-interface...
 

You don't say what you are using to quarantine, but if using MailScanner
then I think Mailwatch for MailScanner might do what you want






Re: [Clamav-users] unrar

2004-02-14 Thread Kevin Spicer
On Sat, 2004-02-14 at 00:00, Chris Conn wrote:
 Hello,
 
 I get the following error after installing unrar-3.3.6 (from a 
 unrar-3.3.6-0.lvn.1.rh90 rpm I built for RH9)
 
 Feb 13 18:33:25 MailScanner[5160]: ProcessClamAVOutput: unrecognised 
 line UNRAR 3.30 freeware  Copyright (c) 1993-2004 Eugene Roshal. 
 Please contact the authors!
 Feb 13 18:33:25 MailScanner[5160]: No files to extract
 Feb 13 18:33:25 MailScanner[5160]: ProcessClamAVOutput: unrecognised 
 line No files to extract. Please contact the authors!
 
These are MailScanner errors, you should really post them to the
MailScanner list.  The unrecognised line errors don't matter (just
unexpected output that is being ignored); however, the 'no files to
extract' is probably a symptom of running clam as root.  It tries to use
/root/tmp as temporary space - but because it drops privileges it cannot
write to there.  I've attached my own updated clamav-wrapper which
addresses this issue.  You will need to uncomment the lines about unrar
in it.





#!/bin/sh

# clamav-wrapper --	invoke ClamAV for use with mailscanner
#
# Adrian Bridgett [EMAIL PROTECTED], 14/12/01
#
#   MailScanner - SMTP E-Mail Virus Scanner
#   Copyright (C) 2001  Julian Field
#
#   $Id: clamav-wrapper,v 1.4.2.3 2003/08/15 16:30:58 jkf Exp $
#
#   This program is free software; you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation; either version 2 of the License, or
#   (at your option) any later version.
#
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program; if not, write to the Free Software
#   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
#   The author, Julian Field, can be contacted by email at
#  [EMAIL PROTECTED]
#   or by paper mail at
#  Julian Field
#  Dept of Electronics & Computer Science
#  University of Southampton
#  Southampton
#  SO17 1BJ
#  United Kingdom
#
#
# Modifications by Kevin Spicer [EMAIL PROTECTED] to get
# external unpackers working correctly.  9 Nov 2003
# Removed --unzip from ScanOptions, as its already in ExtraScanOptions
# (Clam usually uses own unzipper, -unzip just allows it to use external
# program so should be in ExtraScanOptions as it could cause a failure)
# Separate all unpackers and add missing ones.
# Add tmpdir (and check for it) in MailScanner incoming dir 
# (to take advantage of ramdisk) - needed by external unpacker

##  IF YOU ARE RUNNING MAILSCANNER AS ROOT ##
# You need to set the following in MailScanner.conf so that external 
# unpackers can be used...
#   Incoming Work Group = clamav
#   Incoming Work Permissions = 0640

# You may want to check this script for bash-isms

MailScannerWorkDir=/var/spool/MailScanner/incoming
ClamUser=clamav
ClamGroup=clamav

ScanOptions=
ExtraScanOptions=

# Extra options we try to pass to clam but we handle it failing
# For each option there are two alternatives...
# --option   # if the required program is in the PATH
# --option=/path/to/program  # If its in a non standard location
# If you use the second option make sure you set the correct path in each case

# Note that clam internally supports Zip, Gzip and Rar (v2.0) files,
# so for these the extra options are just a fallback should the internal 
# unpacker fail (the internal unzipper should also support .jar files).

# Common external unpackers you probably have installed (hence 
# enabled by default)
# Uncomment ONE of the following lines if you have unzip installed
ExtraScanOptions="$ExtraScanOptions --unzip"
#ExtraScanOptions="$ExtraScanOptions --unzip=/path/to/unzip"

# Uncomment ONE of the following lines if you have unzip installed
# And want to be able to use it to scan jar files should the internal
# unzipper fail
ExtraScanOptions="$ExtraScanOptions --jar"
#ExtraScanOptions="$ExtraScanOptions --jar=/path/to/unzip"

# Uncomment ONE of the following lines if you have tar installed
ExtraScanOptions="$ExtraScanOptions --tar"
#ExtraScanOptions="$ExtraScanOptions --tar=/path/to/tar"

OT: Re: [Clamav-users] calling rbellora@tecnoaccion.com.ar

2004-02-13 Thread Kevin Spicer
On Fri, 2004-02-13 at 22:19, Craig Daters wrote:
 Maybe it's cool for you but surely not for a sender who receives that
 auto spam.
 
 How is it spam? The sender is simply receiving an email asking for 
 them to confirm that they sent the message? All they do is reply to 
 it. It is no different that subscribing to a Mail-List these days. 
 One that works a lot like the Mailman Mail-List software.

Assuming they are the sender, anyone who has ever been the victim of a
joe-job knows that anything that responds to spam is just as much a part
of the problem.  

Anyway, this is supposed to be a list about anti-virus - maybe this
isn't the most appropriate place for this discussion?  People have
subscribed to a list about anti-virus, and don't necessarily want to
wade through a load of _unsolicited_mail_ (!) about spam.






Re: OT: Re: [Clamav-users] calling rbellora@tecnoaccion.com.ar

2004-02-13 Thread Kevin Spicer
On Fri, 2004-02-13 at 23:17, Antony Stone wrote:
 What's a joe-job?
 
As with all jargon see ESR's excellent jargon lexicon!

http://catb.org/~esr/jargon/html/J/joe-job.html








RE: [Clamav-users] libunrar.so support?

2004-02-12 Thread Kevin Spicer
On Thu, 2004-02-12 at 17:02, Randal, Phil wrote:

 And the license.txt reads:

snip!
IANAL but I believe points 2, 3, and maybe 6 would make this license GPL
incompatible. 

2. The unRAR sources may be used in any software to handle RAR
   archives without limitations free of charge, but cannot be used
   to re-create the RAR compression algorithm, which is proprietary.
   Distribution of modified unRAR sources in separate form or as a
   part of other software is permitted, provided that it is clearly
   stated in the documentation and source comments that the code may
   not be used to develop a RAR (WinRAR) compatible archiver.
 
3. The unRAR utility may be freely distributed. No person or company 
   may charge a fee for the distribution of unRAR without written
   permission from the copyright holder.
 

6. If you don't agree with terms of the license you must remove
   unRAR files from your storage devices and cease to use the
   utility.
 







[Clamav-users] Sco.a again

2004-02-04 Thread Kevin Spicer
This is another post about the problems that some people have been
having with sco.a seemingly making it past clam due to dodgy MIME
structure in bounce messages.

I noticed that Symantec on our exchange servers (which are behind a
mailscanner box running clam and sophos) is picking up a few Sco's in
bounce messages inside 'Message Body', it is detecting it as
[EMAIL PROTECTED]

If I understand Symantec's naming scheme correctly this signature is
matching the encoded body part, rather than after unencoding an
attachment.

Therefore I'm suggesting that Clam should follow Symantec's lead and
include a signature for the encoded data.

I understand that some may have an issue with this as the message is
broken and may be harmless (assuming no mail clients are fault tolerant
enough to unpack it), but please consider the following...
The messages are a nuisance at best, as the sender address is forged
they cause confusion and fear amongst users (we have had a number of
false alarms with users reporting an infection that was in fact just a
bounce due to a forged sender address).  Other scanners are detecting
them, which does not make clam look good in comparison - perceptions are
often more important than technology (especially for non-technical
senior management).  I seem to remember this was done before (maybe
Gibe-F? or Sobig??) - following a long discussion.

In fact, given that we have had this discussion before (I think...)
perhaps it should be a matter of policy to create an additional sig for
the encoded message on all mass mailing worms.





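The difference between matching decoded attachments and matching the encoded body, which the post above argues for, can be shown on a constructed bounce. This is an added example, not ClamAV or Symantec code; the marker, payload and all addresses are constructed placeholders.

```python
import base64
import email
import re
from email.message import EmailMessage

MARKER = b"CONSTRUCTED-SAMPLE-MARKER"       # stands in for a decoded-content signature
PAYLOAD = MARKER + bytes(range(64))         # constructed, harmless attachment body
# An attachment is always encoded from its first byte, so the base64 text of its
# opening bytes is a fixed string (no alignment ambiguity). 48 characters of
# base64 cover the first 36 bytes of the file.
ENCODED_SIG = base64.b64encode(PAYLOAD)[:48]


def match_decoded(raw):
    """Signature check on decoded leaf parts, as a MIME-aware scanner does."""
    msg = email.message_from_bytes(raw)
    return any(MARKER in (part.get_payload(decode=True) or b"")
               for part in msg.walk() if not part.is_multipart())


def match_encoded(raw):
    """Signature check on the raw text with line breaks and quote marks removed,
    so a base64 run wrapped over several lines becomes contiguous again."""
    flat = re.sub(rb"[\r\n> \t]", b"", raw)
    return ENCODED_SIG in flat


def build_samples():
    """Constructed messages: the original delivery, a bounce quoting it, a clean mail."""
    original = EmailMessage()
    original["From"] = "forged-sender@example.org"
    original["To"] = "nobody@example.net"
    original["Subject"] = "test"
    original.set_content("See attachment.")
    original.add_attachment(PAYLOAD, maintype="application",
                            subtype="octet-stream", filename="sample.bin")
    delivered = original.as_bytes()
    # The bounce pastes the original after its own text/plain header block, so
    # the MIME boundaries and base64 lines are just body text to a parser.
    bounce = (b"From: MAILER-DAEMON@example.net\n"
              b"To: forged-sender@example.org\n"
              b"Subject: Undeliverable mail\n"
              b"Content-Type: text/plain\n\n"
              b"Delivery failed. The original message follows as text.\n\n"
              + delivered)
    clean = b"From: a@example.org\nSubject: hello\n\nNothing attached.\n"
    return {"delivered": delivered, "bounce": bounce, "clean": clean}


if __name__ == "__main__":
    for label, raw in build_samples().items():
        print(label, "decoded:", match_decoded(raw), "encoded:", match_encoded(raw))
```
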


RE: [Clamav-users] clamav-milter compilation problems again

2004-02-04 Thread Kevin Spicer
On Wed, 2004-02-04 at 23:29, Stevens, John wrote:
 and sorry for this stupid disclaimer.
 
We also have a stupid disclaimer, but one question about yours - can you
have omissions that are present?

I did think about making it a very small font, or white text on a white
background - but then you get flamed for using HTML.  sigh...






[Clamav-users] [Fwd: Handling zip files]

2004-02-01 Thread Kevin Spicer
(Posting this again as it seems not to have reached the list)

I encountered some behavior that was not as I expected with some zip
files and clamscan (I'm not saying it is a bug - it may be by design).

One of our clients attempted to send us a zipfile of data which had been
compressed down to around 1.5% of its original size.  Not surprisingly
this triggered the oversize zip rule which in turn caused it to be
rejected by MailScanner.  Our response to this was to advise the client
to password protect it (so that clam could not unzip it) - but this
still triggered the oversize warning.

Thinking more on this I'm guessing that clam does the equivalent of
running zipinfo to work out the compression ratio and/or unzipped size
before attempting to unpack (?).  Since clam will be unable to unpack
encrypted files within an archive should it really apply the oversize
tests to them?  I know that zipinfo is able to determine that a file is
encrypted, so I presume this information should be available to clam.






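The metadata check the post above speculates about can be reproduced with the ZIP central directory alone: sizes and the encryption bit are both readable without unpacking anything. This is an added example, not ClamAV's code; the threshold, the verdict names and the sample archive are assumptions, and the "encrypted" copy is simulated by setting the flag bit on a constructed archive.

```python
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x0001   # bit 0 of the ZIP general purpose bit flag
MAX_RATIO = 50            # assumed policy threshold, not a ClamAV or MailScanner default


def assess_members(data, max_ratio=MAX_RATIO):
    """Classify each member from central-directory metadata (nothing is unpacked)."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & ENCRYPTED_FLAG)
            ratio = info.file_size / max(info.compress_size, 1)
            if encrypted:
                # The scanner cannot unpack this member without the password,
                # so it is reported as its own class instead of "oversize".
                verdict = "encrypted-unscannable"
            elif ratio > max_ratio:
                verdict = "oversize-ratio"
            else:
                verdict = "scan"
            verdicts[info.filename] = (verdict, encrypted, ratio)
    return verdicts


def build_sample():
    """Constructed archive: one highly compressible member and one ordinary one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("data.csv", b"0,0,0,0\n" * 200_000)   # 1.6 MB of repeated rows
        zf.writestr("note.txt", b"figures attached")
    return buf.getvalue()


def flag_first_member_encrypted(data):
    """Constructed stand-in for a password-protected copy: set the encryption bit
    in the first member's local header and central-directory entry. The recorded
    sizes stay the same, which is why a size-only rule still fires."""
    buf = bytearray(data)
    eocd = len(buf) - 22                        # end record, archive has no comment
    cd_offset, = struct.unpack_from("<I", buf, eocd + 16)
    for pos in (6, cd_offset + 8):              # flag field: local header, central entry
        flags, = struct.unpack_from("<H", buf, pos)
        struct.pack_into("<H", buf, pos, flags | ENCRYPTED_FLAG)
    return bytes(buf)


if __name__ == "__main__":
    plain = build_sample()
    for label, blob in (("plain", plain),
                        ("flagged", flag_first_member_encrypted(plain))):
        for name, (verdict, enc, ratio) in assess_members(blob).items():
            print(f"{label:8} {name:10} ratio={ratio:8.1f} encrypted={enc} -> {verdict}")
```

What a gateway does with an `encrypted-unscannable` member (pass, quarantine or reject) remains a local policy decision; the example only shows that the two cases can be told apart.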


Re: [Clamav-users] Worm.SCO.A

2004-01-28 Thread Kevin Spicer
On Wed, 2004-01-28 at 16:01, Patricia Viana wrote:
 Hi.
  
 My SMTP filter running ClamAV is blocking a huge amount of messages with the 
 Worm.SCO.A.
 It seems to be the same virus as MyDoom or Novarg.
 Can anyone confirm this?!
  
That is correct.

Clam had a signature whilst the commercial vendors were still busy
thinking up names, hence the difference.






Re: [Clamav-users] Mailscanner, sendmail 8.12, split input queues

2004-01-21 Thread Kevin Spicer
On Wed, 2004-01-21 at 22:19, Peter Bonivart wrote:
 Leif Neland wrote:
  How does this fit in with sendmail 8.12 already having two queues, mqueue
  and  mqueue-client?
 
 You really should have posted this on the MailScanner list since nothing 
 of this is Clam related. 

I'll second that, I'd certainly recommend joining the MailScanner list.

 However the mqueue-client does not have a 
 physical queue, 


Peter, I'm going to have to slightly disagree with you on that,
certainly as far as my MailScanner Mandrake boxes are concerned.  The
behaviour I see is that mail sent by programs that call sendmail
directly (as opposed to having their own SMTP engine) is queued in the
clientmqueue (on Mandrake, maybe that's mqueue-client on other systems)
before being picked up by the incoming sendmail, which in turn queues
it in mqueue.in (where it is picked up by MailScanner).  As far as I can
see the incoming (i.e. listening) sendmail keeps an eye on the
clientmqueue and grabs anything it finds there. 

  instead it's a way of picking up local mail transmitting 
 them through your MTA. It does not affect MailScanner at all,

Agreed.

  And how do I do this with Debian's /etc/mail/sendmail.conf?
 
You shouldn't need to mess with any configuration settings (disclaimer:
I'm not a Debian user so maybe they do something differently?),
MailScanner passes the necessary instructions to sendmail on the command
line.






Re: [Clamav-users] Bagle Virus/Worm Status?

2004-01-19 Thread Kevin Spicer
On Mon, 2004-01-19 at 20:57, Tom Walsh wrote:
 Anybody seen these yet?
 
 http://www.viruslist.com/eng/alert.html?id=783050
 
 There has been some discussion on bugtraq about its payload today.
 
 Just curious... 
 
Yeah, we had about 30 today so far.  It seems to be spreading quite
rapidly.  Good news is it's supposed to deactivate on the 28th.





Re: [Clamav-users] Bagle Virus/Worm Status?

2004-01-19 Thread Kevin Spicer
On Mon, 2004-01-19 at 21:31, Tim Wilde wrote:
 On Mon, 19 Jan 2004, Kevin Spicer wrote:
 
  Yeah, we had about 30 today so far.  It seems to be spreading quite
  rapidly.  Good news is it's supposed to deactivate on the 28th.
 
 Only 30?  I've seen over 500 on my mail systems since getting the new sigs
 late last night.  Kudos to Diego for getting the sigs updated quickly.
 
I guess it depends on how much mail you handle!  To put mine in
perspective I'm talking a daily load of only about 7000 messages of
which only about 3-4000 will be incoming.  So probably about 1% of
incoming mail is Bagle (that's pretty much in line with the figures
Message Labs are reporting of 1 in 136).





[Clamav-users] Zoo archives

2003-11-09 Thread Kevin Spicer
Could someone confirm whether the correct argument for handling zoo
archives is --zoo or --unzoo, clamdoc.pdf and man clamscan don't agree
on this.





[Clamav-users] Re: dealing with zips with corrupted headers

2003-11-05 Thread Kevin Spicer
I'm cross-posting this message from the MailScanner mailing list because
I think folks here might be interested in it.  If anyone needs a copy of
that zip please let me know.

Kevin

On Wed, 2003-11-05 at 02:04, Chris Yuzik wrote:
 Hi everyone,
 
 No sooner do we (well...Julian) come out with a workaround for the extra status
 line that ClamAV was spitting out than another virus is using similar zip-header
 trickery to sneak through our scanners.
 
 Worm.Mimail.G arrives in a zip file called readnow.zip that strangely gets a
 simple OK from clamscan, and the virus goes right through. After some
 experimenting, I've figured out that the virus will happily unzip with the
 console unzip tool, but complains with the following message:
 
 # unzip readnow.zip
 Archive:  readnow.zip
 warning [readnow.zip]:  3 extra bytes at beginning or within zipfile
   (attempting to process anyway)
 file #1:  bad zipfile offset (local header sig):  3
   (attempting to re-compensate)
  extracting: readnow.doc.scr
 
 After reading the man page for clamscan, I came across an option that disables
 clamscan's internal archive tools. When I typed clamscan --disable-archive
 readnow.zip I got the expected response of readnow.zip: Worm.Mimail.G
 FOUND.
 
 Is there a disadvantage to editing /usr/lib/MailScanner/clamav-wrapper and
 removing the --unzip option and replacing it with --disable-archive? Am I
 on the right track?
 
 Thanks,
 Chris
 --





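The unzip warnings quoted above ("3 extra bytes", "bad zipfile offset") describe an archive whose recorded offsets do not agree with where its structures actually sit, and different ZIP readers resolve that disagreement differently. The added example below (not ClamAV or MailScanner code) audits those offsets so a gateway can flag such archives as malformed instead of reporting OK; the two damaged layouts are constructed assumptions consistent with the quoted output, not an analysis of the real readnow.zip.

```python
import io
import struct
import zipfile

EOCD_SIG, CEN_SIG, LOC_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"


def audit_offsets(data):
    """Compare the offsets recorded in a ZIP with where its structures really are."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        return {"malformed": True, "skew": None, "members": []}
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    # In a well-formed archive the central directory ends exactly where the end
    # record begins, so this difference is 0. unzip reports it as "extra bytes".
    skew = eocd - cd_size - cd_offset
    members = []
    pos = cd_offset + skew                      # where the directory really starts
    while pos >= 0 and data[pos:pos + 4] == CEN_SIG:
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        recorded, = struct.unpack_from("<I", data, pos + 42)
        name = data[pos + 46:pos + 46 + name_len].decode("cp437")
        shifted = recorded + skew
        if data[recorded:recorded + 4] == LOC_SIG:
            found = "recorded"                  # local header where the entry says
        elif shifted >= 0 and data[shifted:shifted + 4] == LOC_SIG:
            found = "shifted"                   # only found after compensating
        else:
            found = "missing"
        members.append((name, recorded, found))
        pos += 46 + name_len + extra_len + comment_len
    malformed = (skew != 0 or not members
                 or any(found != "recorded" for _, _, found in members))
    return {"malformed": malformed, "skew": skew, "members": members}


def stdlib_can_extract(data, name):
    """Python's zipfile shifts every offset by the skew; report whether that works."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(name) is not None
    except zipfile.BadZipFile:
        return False


def build_samples():
    """Constructed, harmless archives: clean, junk before the directory, junk in front."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"constructed, harmless member\n")
    clean = buf.getvalue()
    cd_offset, = struct.unpack_from("<I", clean, len(clean) - 22 + 16)
    junk = b"\x00\x00\x00"
    return {"clean": clean,
            "junk_before_directory": clean[:cd_offset] + junk + clean[cd_offset:],
            "junk_prepended": junk + clean}


if __name__ == "__main__":
    for label, blob in build_samples().items():
        print(label, audit_offsets(blob),
              "stdlib extracts:", stdlib_can_extract(blob, "readme.txt"))
```

The `junk_before_directory` case is the instructive one: a reader that compensates all offsets by the skew fails to find the member, while one that falls back to the recorded offset extracts it.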


RE: [Clamav-users] postfix + clamav + clamdmail

2003-10-24 Thread Kevin Spicer
On Sat, 2003-10-25 at 00:08, Noel Jones wrote:
 At 05:46 PM 10/24/03, Walgamotte, David wrote:
 
 I didn't have luck with amavisd-net mailscanner is the way to go ...
 
 Don't use MailScanner with postfix.  MailScanner manipulates the postfix 
 queue in an unsupported manner and will cause loss of mail without warning 
 or notice.  I'm sure MailScanner works great with other MTAs, just don't 
 use it with postfix.

There is a difference of opinion between the postfix folks and the
mailscanner folks on that issue.  There were some initial problems with
MailScanner on postfix but there are now many happy MailScanner/Postfix
users.  It is true that the method of intercepting the emails is not the
one recommended by the postfix guys, but so long as you follow the
install instructions on the MailScanner site you shouldn't have a
problem.  The biggest cause of problems is people who think they can put
the incoming queue and outgoing queue on different disks - that doesn't
work because postfix relies on knowing the inode number of the file. If
that doesn't convince you then, unless you have some complex mail
requirements, it's easy to switch Mandrake to use sendmail (that's what I
did, because MailScanner didn't support postfix back when I first
installed it).








RE: [Clamav-users] clam-update log file...

2003-10-16 Thread Kevin Spicer
On Thu, 2003-10-16 at 12:09, Informacion wrote:
 Hi,
 
 Check the: /etc/cron.hourly/msec and /etc/cron.daily/msec ...
 
 This is the problem, the script msec, chown all files in /var/log to root
 user.

Rather than turning those scripts off you can easily customise how they
behave...

You need to set up /etc/security/msec/perm.local to customise the
permissions assigned to these files/directories.  See man msec and man
mseclib for details and the files in /usr/share/msec/perm.* for examples
of the file format.  Note that msec only reduces permissions so you need
to manually open the permissions once you create the above file.

(Also worth noting - only include the permissions for which the defaults
are not what you want in the file, it is just changes against the
standard for that permission level)







Re: [Clamav-users] clamav CVS version

2003-10-13 Thread Kevin Spicer
On Mon, 2003-10-13 at 05:57, Odhiambo Washington wrote:

  I am behind a firewall, but this has not been an issue for
  non-Sourceforge CVS servers such as the BSD-Airtools project, etc.  

Check the status page of sf.net, there have been problems with pserver-based
CVS access for a while.  SF expect to get this all fixed up over the next week
or so.






Re: [Clamav-users] Email results

2003-09-20 Thread Kevin Spicer
On Fri, 2003-09-19 at 23:59, Antony Stone wrote:

 Try clamscan --help
 
I already did (after your previous post) and it is there, I just think
it should be added to the man page as well, that is what man pages are
for after all.






Re: [Clamav-users] Email results

2003-09-19 Thread Kevin Spicer
On Thu, 2003-09-18 at 23:30, Antony Stone wrote:
 On Thursday 18 September 2003 10:58 pm, Kevin Spicer wrote:

  clamscan ${YOUR_OPTIONS} --stdout | grep -v OK | mail -s "Clamscan results" [EMAIL PROTECTED]
 
 Achieve the same thing by including -i or --infected in ${YOUR_OPTIONS}
 
You know, I thought that there was an option that did that - but
couldn't find it in the man page.  I thought it was that I had an old
version, but I just upgraded to 20030829 and it's still missing.  Perhaps
someone could add it.






Re: [Clamav-users] Proxy and Scanning?

2003-08-27 Thread Kevin Spicer
On Wed, 2003-08-27 at 00:20, Mark wrote:
 Is it possible to scan the traffic (via plug in or so) with SQUID or an
 SOCKS-Proxy (like Dante)?
 If not: Feature Request - TrafficScan via PlugIN, own mod or Daemon :)
 
Dansguardian (http://www.dansguardian.org) is a content filter for squid
which has an extension available (http://www.pcxperience.org/dgvirus/)
that virus scans files passing through the proxy (it can use Clam or
F-prot).






Re: [Clamav-users] Clamscan: how to tell which message number in an mbox?

2003-08-21 Thread Kevin Spicer
On Wed, 2003-08-20 at 17:12, Martin-Éric Racine wrote:
 Greetings,
 
 I installed clamav to scan mails from work (I telework and the stupid company
 doesn't scan emails for possible viruses) and doing a quick run of clamscan
 indeed found one virus.  The problem is we're dealing with a mailfile (mbox) and
 I simply cannot afford to delete the whole inbox file; I need clamscan to be
 precise as to which e-mail message contains the virus, so that I can simply
 delete that specific message. Giving the offending message's Subject line would
 be enough to at least locate it. Is this possible and how? Thanks!
 
I'm guessing (from its name) that you could use this tool...
http://sageshome.net/oss/mbox2mdir.php
to extract all the messages to separate files, which you could then scan
with clamscan.




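The split-then-scan approach suggested above, as an added example that is not part of the original thread and does not use the linked tool: each mbox message is written to its own file, scanned, and reported by message number and Subject. The sample mbox, its addresses and the `marker_scanner` stub are constructed so the code runs without ClamAV; `clamscan_file` is the real scanner hook and relies only on clamscan's `--no-summary` option and its exit status of 1 for a detection.

```python
import mailbox
import subprocess
from pathlib import Path


def clamscan_file(path):
    """Return the signature name if clamscan flags the file, else None."""
    proc = subprocess.run(["clamscan", "--no-summary", str(path)],
                          capture_output=True, text=True)
    if proc.returncode == 1:                    # 1 = virus found
        # Result line format: "<path>: <signature name> FOUND"
        line = proc.stdout.strip().splitlines()[-1]
        return line.rsplit(": ", 1)[-1].replace(" FOUND", "")
    if proc.returncode != 0:                    # 2 = scanner error
        raise RuntimeError(proc.stderr.strip() or "clamscan failed")
    return None


def marker_scanner(path):
    """Constructed stand-in for clamscan: flags files holding a test marker."""
    if b"CONSTRUCTED-TEST-MARKER" in Path(path).read_bytes():
        return "Constructed.Test.Marker"
    return None


def scan_mbox(mbox_path, workdir, scanner=clamscan_file):
    """Scan every message separately; return (number, subject, signature) hits."""
    hits = []
    box = mailbox.mbox(str(mbox_path), create=False)
    try:
        for number, (_key, msg) in enumerate(box.iteritems(), start=1):
            out = Path(workdir) / f"msg-{number:05d}.eml"
            out.write_bytes(msg.as_bytes())     # one file per message
            verdict = scanner(out)
            if verdict:
                subject = str(msg.get("Subject", "(no subject)"))
                hits.append((number, subject, verdict))
    finally:
        box.close()
    return hits


# Constructed three-message mbox; only the second carries the test marker.
SAMPLE_MBOX = (
    b"From alice@example.org Mon Aug 18 10:00:00 2003\n"
    b"From: alice@example.org\nSubject: Meeting notes\n\nSee you at ten.\n\n"
    b"From bob@example.org Tue Aug 19 11:00:00 2003\n"
    b"From: bob@example.org\nSubject: Your details\n\nCONSTRUCTED-TEST-MARKER\n\n"
    b"From carol@example.org Wed Aug 20 12:00:00 2003\n"
    b"From: carol@example.org\nSubject: Lunch?\n\nNoon works.\n"
)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        inbox = Path(tmp) / "inbox"
        inbox.write_bytes(SAMPLE_MBOX)
        for number, subject, name in scan_mbox(inbox, tmp, scanner=marker_scanner):
            print(f"message {number}: {subject!r} -> {name}")
```
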


Re: [Clamav-users] FOO.EXE

2003-08-16 Thread Kevin Spicer
 sigtool -c clamscan --stdout -f message.zip -s message

Someone correct me if I'm wrong but I'm pretty sure you can't use
sigtool to extract the virus signature from a zip (no matter what
scanner you use).  The zip itself is not infected, you need to unzip the
file and extract the signature from the infected file within. Quite why
you're trying to do this however I can't see, as you've already proven
that clamscan can detect the infection.



