Re: [Clamav-users] HELP ME.
On Mon, 2005-08-29 at 17:24 +0500, Shahzad Abid wrote:
> I know what the error message says, but it is a FACT that when I empty the specified quarantine folder clamd starts with the following command, i.e. service clamd start. This occurs once a week. Is there any permanent solution for this?

Is /tmp/tmp on the same filesystem as your quarantine? Maybe you're running into some kind of resource shortage (disk space / inodes perhaps).

BMRB http://www.bmrb.co.uk

This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business.

http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] AV relay + MX backup question
On Sun, 2005-08-28 at 14:31 -0700, Roger E. Rustad, Jr. wrote:
> I have an ASSP antivirus relay setup (http://assp.sourceforge.net) that's currently filtering spam and viruses for one domain. I'd like for it to do the same for other domains, but would like to make sure if (for whatever reason) the relay is down, mail still gets through. I am also setting up an MX backup through DNS Made Easy for like $8/year.

This is really off topic I think. You need to be aware that many spam and virus emails tend to arrive via secondary or tertiary MX, so having an incoming route for mail which bypasses any scanning on lower MX records is a bad idea. Store and forward services (lower priority MXs that queue mail and then forward to your primary when it comes back up) are not so bad, but still be aware that they tend to blindly accept all mail, so this may be used to bypass certain measures such as IP blacklisting. Much better to have a second identical (in terms of software) box and run both MXs yourself - if you lose your internet connection temporarily, legitimate senders will typically queue mail to you for several days anyway.
Re: [Clamav-users] clamav vs amavis (was: Where is the quanantine folder?)
On Sun, 2005-07-17 at 22:11 -0400, Jim Popovitch wrote:
> One follow-up question: I currently use clamav-milter to integrate clamav w/ sendmail. Would I be better served by using amavisd-new, or does clamav-milter cover the ground good? It sounds to me, based on your comments above, that amavisd-new provides more functionality.

You might also like to take a look at MailScanner (http://www.mailscanner.info) before deciding if/where to jump.
[Clamav-users] A suggestion....
The following message seems to be the cause of one of the most frequently asked questions around here...

SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES

May I suggest that, as this is in the FAQ, any point where this message is displayed (freshclam, configure?) also displays the text...

See the FAQ at http://www.clamav.net/faq.html for an explanation
Re: [Clamav-users] ERROR: JPEG.Comment
On Wed, 2004-09-29 at 05:34, Brandon Knitter wrote:
> I have a few images that seem to be flagged as virii, when they are not. I'm taking an image that is considered fine (no virus), then when I process it through convert (ImageMagick) it thinks it has the virus. I have over 4000 images I've processed this way, and only 232 of them clamscan thinks has the error.
>
> Version: 0.80rc3
>
> Any advice? Where do I post something like that?

Were these by any chance taken by an Olympus camera? I've seen two false positives using my own signature for this exploit - both of which were pictures from an Olympus (run strings on the file and grep for Oly).
Re: [Clamav-users] stats
On Wed, 2004-09-22 at 15:17, Nikhil Parva wrote:
> hi, try using mailscanner-mrtg. It is available in the form of RPM and the webpage can be displayed using apache.

So long as you're using MailScanner of course! If you are using MailScanner you might also like to look at vispan (the two provide different stats).
Re: AW: [Clamav-users] Re: Re: Re: Windows port ?
On Wed, 2004-09-22 at 14:25, [EMAIL PROTECTED] wrote:
> The database is not a script. It is a binary compilation.

It's not a script, true, but it also is not a binary compilation. If you look inside any of the database files unpacked by sigtool (sigtool --unpack) you'll note that they are actually plain text files, one line per entry. So I think the previous poster's point about them being analogous to scripts, in that they are their own source, is valid.
Re: [Clamav-users] 0.80rc and the new .ndb sig file format
On Tue, 2004-09-21 at 02:21, Tomasz Kojm wrote:
> It seems there's a small typo in filetypes.c. Try changing
>
>     {0, "\377\330\377", 4, "JPEG", CL_TYPE_GRAPHICS},
>
> to
>
>     {0, "\377\330\377", 3, "JPEG", CL_TYPE_GRAPHICS}

That did the trick, thanks very much Tomasz.
[Clamav-users] 0.80rc and the new .ndb sig file format
I'm just playing about with this and I can't seem to get it to work quite the way I expect. I've created two signatures to match the jpeg exploit we discussed recently. My idea is that although the signature is very small, it minimises false positives by being restricted to graphics files and then looking for the jpeg magic number at the start of the file. Since we established the other day that the four byte sequence that triggers the exploit can't appear in a genuine jpeg, this should be okay.

Anyway, I created signatures in local.ndb as follows...

Exploit.Jpeg.comment.1:5:0:ffd8*fffe
Exploit.Jpeg.comment.2:5:0:ffd8*fffe0001

And tried scanning the exploit sample from here:
http://www.gulftech.org/?node=downloads

Nothing! Trying again with --debug I see this message:

LibClamAV debug: Type: 501, expected: 514 (Exploit.Jpeg.comment.2)
LibClamAV debug: Type: 501, expected: 514 (Exploit.Jpeg.comment.1)

I only seem able to get this to work by changing the target type in the sig to 0, i.e.

Exploit.Jpeg.comment.1:0:0:ffd8*fffe
Exploit.Jpeg.comment.2:0:0:ffd8*fffe0001

At which point it all works, but surely it should work with a target type of 5?

BTW. I tried both scanning the jpg and a message containing it, same result.

BTW2. Symantec is now detecting this exploit as Bloodhound.exploit.13
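The symptom in this message (a target-type-5 signature is skipped while the same pattern with target type 0 matches) can be reproduced with a small model of the `.ndb` fields and of the magic-table entry from the `filetypes.c` reply. This is an added example, not ClamAV code and not code from the post; the function names, the dict layout, the trailing-NUL model of the magic comparison and the sample bytes are assumptions made for illustration.

```python
import re

TARGET_ANY, TARGET_GRAPHICS = 0, 5      # .ndb target types: 0 = any file, 5 = graphics


def compile_hexsig(hexsig):
    """Hex body -> bytes regex. '*' matches any run of bytes, '??' any single byte."""
    parts = []
    for chunk in hexsig.lower().split("*"):
        if not chunk or len(chunk) % 2:
            raise ValueError("bad hex chunk: %r" % chunk)
        regex = b""
        for i in range(0, len(chunk), 2):
            pair = chunk[i:i + 2]
            if pair == "??":
                regex += b"."
            elif re.fullmatch(r"[0-9a-f]{2}", pair):
                regex += b"\\x" + pair.encode("ascii")
            else:
                raise ValueError("bad hex pair: %r" % pair)
        parts.append(regex)
    return re.compile(b".*?".join(parts), re.DOTALL)


def parse_ndb(line):
    """Split 'Name:Target:Offset:HexSig' (any trailing optional fields are ignored)."""
    name, target, offset, hexsig = line.strip().split(":")[:4]
    return {"name": name, "target": int(target), "offset": offset,
            "regex": compile_hexsig(hexsig)}


def detect_type(data, magic_table):
    """Return the type of the first matching magic entry, or None if nothing matches."""
    for offset, magic, length, _name, ftype in magic_table:
        # Assumption: models a C comparison over a string literal, so a length one
        # larger than the magic also compares the literal's NUL terminator.
        literal = magic + b"\x00"
        if data[offset:offset + length] == literal[:length]:
            return ftype
    return None


def sig_matches(sig, data, ftype):
    """Apply target-type gating first, then the offset rule, then the pattern."""
    if sig["target"] != TARGET_ANY and sig["target"] != ftype:
        return False                     # signature is skipped for this file type
    if sig["offset"] == "*":
        return sig["regex"].search(data) is not None
    return sig["regex"].match(data, int(sig["offset"])) is not None


# Constructed sample: SOI, a JFIF APP0 segment, a comment marker with length 0001, EOI.
SAMPLE = bytes.fromhex("ffd8" "ffe000104a46494600010100000100010000" "fffe0001" "ffd9")

MAGIC_LEN4 = [(0, b"\377\330\377", 4, "JPEG", TARGET_GRAPHICS)]   # entry before the change
MAGIC_LEN3 = [(0, b"\377\330\377", 3, "JPEG", TARGET_GRAPHICS)]   # entry after the change


def run(sig_line, data, magic_table):
    return sig_matches(parse_ndb(sig_line), data, detect_type(data, magic_table))


if __name__ == "__main__":
    for label, table in (("magic length 4", MAGIC_LEN4), ("magic length 3", MAGIC_LEN3)):
        for line in ("Exploit.Jpeg.comment.2:5:0:ffd8*fffe0001",
                     "Exploit.Jpeg.comment.2:0:0:ffd8*fffe0001"):
            print(label, line, run(line, SAMPLE, table))
```

With the length-4 entry the sample is not typed as graphics, so only the target-0 line matches; with length 3 both lines match.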
Re: [Clamav-users] JPEG vulnerability
On Sat, 2004-09-18 at 06:25, Matt wrote:
> One last question, do the fffe 000(0|1) bytes always have to follow each other for this exploit, or is this just a pure example of the possibility of this exploit?

They have to follow each other. fffe denotes the start of a jpeg comment field and the following two bytes indicate its length. The exploit is to specify a length of zero or one byte. Inside a jpeg file the sequence fffe _always_ indicates the start of a comment, therefore any jpeg file containing the sequence fffe or fffe0001 is attempting the exploit.
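The check described in this message, written as a marker-segment walker instead of a byte pattern. It goes beyond the post by also showing that the same four bytes can sit inside another segment's payload, where a raw pattern fires although no comment marker is present. This is an added example, not code from the post or from ClamAV; the function names and the three sample byte strings are constructed for illustration.

```python
import re
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
NO_LENGTH = {0x01, SOI} | set(range(0xD0, 0xD8))     # TEM, SOI, RST0..RST7: no length field
IN_SCAN_OK = {0x00, 0xFF} | set(range(0xD0, 0xD8))   # after ff in scan data: stuffing, fill, RSTn
NAIVE = re.compile(rb"\xff\xfe\x00[\x00\x01]")       # raw pattern, no notion of segments


def walk_segments(data):
    """Yield (offset, marker, declared_length) for each marker segment of a JPEG.

    Yields nothing if the data does not start with ffd8, and stops at the first
    point where the structure can no longer be followed.
    """
    if data[:2] != b"\xff\xd8":
        return
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return                                   # not at a marker: structure is broken
        marker = data[pos + 1]
        if marker == 0xFF:                           # fill byte in front of a marker
            pos += 1
            continue
        if marker == EOI or marker in NO_LENGTH:
            yield pos, marker, None
            if marker == EOI:
                return
            pos += 2
            continue
        if pos + 4 > len(data):
            return                                   # truncated length field
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield pos, marker, length
        if length < 2:
            return                                   # length counts its own two bytes
        pos += 2 + length
        if marker == SOS:
            # Skip entropy-coded data up to the next real marker.
            while pos + 1 < len(data) and not (
                    data[pos] == 0xFF and data[pos + 1] not in IN_SCAN_OK):
                pos += 1


def short_comment_offsets(data):
    """Offsets of comment (fffe) segments whose declared length is 0 or 1."""
    return [off for off, marker, length in walk_segments(data)
            if marker == COM and length < 2]


def naive_hits(data):
    """Offsets of the raw four-byte pattern in a file that starts with ffd8."""
    if data[:2] != b"\xff\xd8":
        return []
    return [m.start() for m in NAIVE.finditer(data)]


# Constructed samples (a few header bytes each, not complete images).
# 1. APP1 segment whose payload happens to contain ff fe 00 01.
PAYLOAD_LOOKALIKE = (b"\xff\xd8" + b"\xff\xe1\x00\x0e" + b"Exif\x00\x00"
                     + b"\xff\xfe\x00\x01" + b"\x00\x00" + b"\xff\xd9")
# 2. A well-formed comment followed by a second comment with length 0000.
SECOND_COMMENT_SHORT = b"\xff\xd8" + b"\xff\xfe\x00\x04ok" + b"\xff\xfe\x00\x00" + b"\xff\xd9"
# 3. A comment with length 0001 placed after scan data containing ff00 and ffd0.
AFTER_SCAN = (b"\xff\xd8" + b"\xff\xda\x00\x04\x00\x00" + b"\x12\xff\x00\x34\xff\xd0\x56"
              + b"\xff\xfe\x00\x01" + b"\xff\xd9")

if __name__ == "__main__":
    for name, blob in (("payload lookalike", PAYLOAD_LOOKALIKE),
                       ("second comment short", SECOND_COMMENT_SHORT),
                       ("comment after scan", AFTER_SCAN)):
        print(name, "pattern:", naive_hits(blob), "walker:", short_comment_offsets(blob))
```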
Re: [Clamav-users] JPEG vulnerability
On Fri, 2004-09-17 at 03:02, Tomasz Kojm wrote:
> > Okay, well I've found an easier to understand source...
> > http://www.funducode.com/freec/Fileformats/format3/format3b.htm
> > and it seems that the particular exploit byte sequence would be unique within jpeg files. I've also tracked down docs on how to make a signature for clam, but it doesn't appear that it's possible to form a
>
> A new signature format that will be included in 0.80rc will allow on advanced offset and target type specification, including JPEG images.

Cool, as ever you're one step ahead!

> > signature by detecting two distinct patterns in a file, or anchoring
>
> With older clamav versions you can use HEX1*HEX2*...*HEXn

That doesn't anchor to the start of the file though (I guess I'd need to anchor the magic number to minimise false positives). I had just about guessed, by looking at the sig files after I posted, that the * was a wildcard (matching many bytes) and the ? a single unknown byte (correct?). Perhaps this information could be added to signatures.pdf? Is there a limit (and if so what is it) to how many bytes a * will match?
Re: [Clamav-users] JPEG vulnerability
On Fri, 2004-09-17 at 16:21, Daniel Lord wrote:
> Those signatures don't catch the poc exploit found at http://www.gulftech.org/?node=downloads. But maybe it's better to leave this alone till there are real worms etc. to produce good signatures. At the moment clamav sigs don't seem good enough to catch this. (No support for absolute offsets)

Yes, looking at the file there is more than one comment section, and it is the second that uses the exploit. It stands to reason that, since there is some flexibility in the file format, a signature that doesn't account for that flexibility (by looking for the comment at a certain offset, e.g.) could be easily avoided by the exploit writers. I wouldn't rely on finding very much at all, only the ffd8 at the start of the file and the ffe0 000[01] exploit (the poc doesn't even have the APP0 marker until some way in). Clearly without the ability to anchor the ffd8 to the start of the file a useful signature is impossible.
[Clamav-users] JPEG vulnerability
I guess everyone's heard about the jpeg vulnerability in certain Microsoft products? CERT have put out an advisory, and it is being ranked as critical. Now I know that strictly speaking this isn't a virus, it's a vulnerability - but there have been, in the past, signatures added for some exploits (e.g. the Iframe exploit). So my question is, is it practicable to create a signature for this (I have no idea how signatures are created)? AFAIK there's no public exploit circulating for this yet, but I'd guess it's going to happen...

This page gives more details on the actual vulnerability...
http://seclists.org/lists/fulldisclosure/2004/Sep/0509.html

It looks like there are two possible four byte sequences that can trigger the exploit. I guess this is probably too small to avoid an unacceptable level of false positives(?) Presumably this could be combined with the 'magic' numbers for jpeg files to improve this, but still maybe not narrow enough? I'm trying to find out whether there is a particular place the comment field occurs, but the documentation is not very easy to understand without background knowledge.

From my perspective having clam detect this would be ideal, since both our email and http scanners use clam as a detection engine.
Re: [Clamav-users] Mail antivirus help
On Fri, 2004-09-10 at 14:33, Stelian wrote:
> We currently have about 6 POP3 accounts stored on our ISP server. The viral traffic (incoming, of course) on them is very high, up to the point where we can no longer use them. My task is to provide some kind of filtering server, to keep the viri out using a free antivirus like Clamav. Ideally, the server would work like this: continuously fetch the mail from the external servers, delete the infected messages, and keep an IMAP accessible local copy of the good messages.

Well here's how I did it...

Linux box running fetchmail as a daemon to get the mail from the pop accounts; fetchmail forwards on to sendmail running on the box itself. MailScanner (www.mailscanner.info) to scan the email (with clamav and bitdefender, both of which are free in at least one sense of the word). sendmail then delivers the mail to local accounts and courier-imap lets the users collect them using IMAP.

If you don't want to create accounts for each user then you might like to think about something like cyrus IMAP which (I think) doesn't require accounts on the server (but IIRC is rather more tricky to set up) - it was a no-brainer for me as my users (family, this is my home setup - I use MailScanner as a relay to exchange at work) already had shell accounts.

There are other choices too, such as AMavis and clamav-milter, however what is commonly seen as the chief advantage of them (as milters) - being able to refuse to accept a mail, rather than reject it later - is a non issue in this instance because both your ISP and fetchmail have already accepted it.

Kevin
Re: [Clamav-users] clam newbie
On Wed, 2004-08-18 at 07:48, Tomasz Papszun wrote:
> Please, make sure you do NOT send notifications to senders (they are almost always spoofed nowadays), maybe except pertaining MS Office macros and test signatures (EICAR and ClamAV-Test-Signature).

I completely agree with that, but...

> Also, do NOT send notifications to intended recipients (or they will hate you ;-) ).

...that's more subjective. We always send notifications to our internal users (within our company) when they are the intended recipient of a virus; we've never had a complaint about this as far as I know (and we certainly receive plenty!). Our thinking is that we want our users to know that we are protecting them and understand the scale of the problem. It also reinforces the warning messages we send out when there is a new rapidly spreading message (we warn our users to encourage them to take care when checking webmail etc. and also as a courtesy to those with a PC at home). It also helps justify some of the file type blocking we do (such as not allowing .exe files) if users can see we are catching infected files of the types we block.
Re: [Clamav-users] Freshclam errors
On Tue, 2004-08-17 at 17:04, Randall Perry wrote:
> ClamAV update process started at Mon Aug 16 23:22:04 2004
> SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES
>
> Ok, installed the gmp package and reinstalled clamav. I'm still getting the error above stating no support for signatures -- is there a way to check the apps to see if support is built in?

Depending on your OS and how you installed clam you may need to install the gmp-devel package and configure; make; make install clam again.
Re: [Clamav-users] Freshclam errors
On Tue, 2004-08-17 at 18:43, Randall Perry wrote:
> on 8/17/04 12:32 PM, Kevin Spicer at [EMAIL PROTECTED] wrote:
> > Depending on your OS and how you installed clam you may need to install the gmp-devel package and configure; make; make install clam again.
>
> I can only find gmp-devel in an RPM -- is there a src download for it somewhere (it's not at http://www.swox.com/gmp/#DOWNLOAD) ?

If you installed gmp from source then you probably have the necessary files already. Check for gmp.h in /usr/include/ (maybe /usr/local/include/, maybe somewhere else). You will need to rebuild clam (make clean; ./configure; make; make install).
Re: [Clamav-users] [OT] Re: KDE/MS patent and prior art (Was: Idea for more timely virusdb updates)
On Sun, 2004-08-15 at 21:02, Martin Konold wrote:
> > IANAL... but wouldn't that count as 'prior art' ?
>
> No, basically MS patented the obvious addition not mentioned in the publicly posted email.

Then can't it be appealed, as patents are supposed to be for non-obvious inventions? Maybe the EFF or PubPat could help?
Re: [Clamav-users] My.Doom.o
On Wed, 2004-07-28 at 06:51, Michael Brennen wrote:
> On Tue, 27 Jul 2004, Matt wrote:
> > On Tue, 2004-07-27 at 13:28, Kevin Spicer wrote:
> > > On Tue, 2004-07-27 at 16:26, Scott Ryan wrote:
> > > > I have not submitted any virii (correct word?)
> > >
> > > viruses
>
> I'm no Latin scholar, but I've heard it said that the proper Latin plural is 'vira'. FWINW

But we're using English not Latin, unless I accidentally subscribed to clamav-users-latin... ;)
Re: [Clamav-users] Sigtool Build Time
On Wed, 2004-07-28 at 17:51, Denis De Messemacker wrote:
> It means the signature was done at 3:12 pm (15:12), in a GMT+2 zone. So 1:12pm GMT. Assuming Central Standard Time USA is GMT-5 in summer, it makes 8:12 am.

Perhaps there would be some sense in timestamping the signature databases using only UCT; this would make it much easier to compare different times, especially if they may be built in different timezones.
Re: [Clamav-users] My.Doom.o
On Tue, 2004-07-27 at 16:26, Scott Ryan wrote:
> I have not submitted any virii (correct word?)

viruses
Re: [Clamav-users] Scanning files being uploaded via a form
On Mon, 2004-07-26 at 11:46, Suril Patel wrote: I have currently got no AV installed and want to know if installing ClamAV will let me call the virus scanner from a PHP script during the upload process and reject/accept the attachment based on the results. Yes, easily. I've done the exact same thing myself. Beware safe mode restrictions.
Re: [Clamav-users] Gettin a return code from clamdscan in a script
On Thu, 2004-07-22 at 22:01, Kevin W. Gagel wrote: I'm confused because the docs say it will return a 1 which it does if I run them from the command line, just not in a script. Perhaps you could post your script? Are you using the same shell in your script as you use at the command line? Some have different behaviour (such as using $status).
Re: [Clamav-users] Bad Virus Signature?
On Mon, 2004-06-21 at 16:05, Benjamin Sherman wrote: I was wondering if false positives ever make it into the virus DB updates? They do. Since the update on Jun18, all of my windows 2000 workstations with Service Pack 4 are showing what I believe to be false positives for Worm.Lovgate.W-2. The file in question is spoolsv.exe and can be found in: C:\WINNT\System32 C:\WINNT\System32\DllCache C:\WINNT\ServicePackFiles\i386 (depending on how the service pack was installed) Submit a copy of the affected file as a false positive at http://www.nervous.it/~nervous/cgi-bin/sendvirus.cgi
Re: [Clamav-users] error in cronjob
On Wed, 2004-06-16 at 22:26, List wrote: Hi, I notice some errors in my cron.daily. I am running RedHat 9 and Clam 7.2. Errors listed below :- /etc/cron.daily/clamscan: /etc/cron.daily/clamscan: line 1: clamscan: command not found /etc/cron.daily/clamscan: line 1: sigtool: command not found /etc/cron.daily/clamscan: line 1: sigtool: command not found '/' will now be scanned for viruses with ClamAV clamscan version Virus Signature Daily Database version (built at ) /etc/cron.daily/clamscan: line 1: clamscan: command not found Any idea? At a guess these tools are installed somewhere other than /bin or /usr/bin (or whatever is in the default path that cron provides). Suggest you either use the full path in your scripts or explicitly set the path environment variable at the start of the script.
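The two replies above (the clamdscan return code that goes missing in a script, and cron's "command not found") come down to the same wrapper, sketched here as an added example that is not part of the original posts. It assumes a POSIX sh, the exit codes documented in the clamscan/clamdscan man pages (0 clean, 1 virus found, anything else an error) and /usr/local/bin as the install prefix; SCANNER and scan_and_classify are names made up for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread. SCANNER and scan_and_classify are
# hypothetical names; /usr/local/bin is an assumed install prefix.

# cron starts jobs with a minimal PATH, so set it explicitly instead of
# relying on whatever the interactive login shell had.
PATH=/usr/local/bin:/usr/bin:/bin
export PATH

# Scanner command; overridable so the wrapper can be exercised with a stub.
SCANNER=${SCANNER:-clamdscan}

# scan_and_classify FILE
# Prints CLEAN, INFECTED or ERROR and returns 0, 1 or the scanner's status.
scan_and_classify() {
    file=$1

    # Fail closed when the scanner cannot be found: "command not found"
    # (status 127) must never be mistaken for a scan result.
    if ! command -v "$SCANNER" >/dev/null 2>&1; then
        echo ERROR
        return 2
    fi

    # Capture the status in the same command list. In sh/bash the status is
    # $? (csh-style shells use $status) and the very next command overwrites
    # it; the "|| rc=$?" form also survives "set -e".
    rc=0
    "$SCANNER" --no-summary "$file" >/dev/null 2>&1 || rc=$?

    case $rc in
        0) echo CLEAN ;;
        1) echo INFECTED ;;
        *) echo ERROR ;;      # treat every other status as "not scanned"
    esac
    return "$rc"
}
```

A caller should treat ERROR like INFECTED for any accept/reject decision, since the file was not actually scanned.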
Re: [Clamav-users] Sober.H
On Sat, 2004-06-12 at 22:12, Philipp Grosswiler wrote: Now I read a news article on heise.de, that F-Secure calls those e-mails under the name of Sober.H. I would like that ClamAV could also add those signatures to the database, as there seem to be a lot of victims out there being infected by Sober.G, which can reload all kind of executable to do with the victim whatever he wants... Now it looks like the Sober author is kind of racist and I do not tolerate that. According to the google translation of the page it looks like the signature actually detects the new variant of Sober which sends the emails, rather than the emails themselves. What can I do to help you stop this kind of e-mails? Or is your policy to not do anything against this, since it's not really harmful (means no direct virus or worm)? Lots of viruses are now used for bulk emailing of spam by compromised machines, this only appears different because of the nature of the content (there's plenty of other objectionable content in spam) and the fact it's in German. In any event the filtering of objectionable and unsolicited content is a job for your anti-spam solution of choice.
RE: [Clamav-users] Ethics Question
On Wed, 2004-06-09 at 20:10, Samuel Benzaquen wrote: I think the only way I could think is reporting the IP to some DNSBLs. That way you can stop receiving their mails and you leave the cleansing problem to their ISP. Or simply block the IP with sendmail's access database (or the equivalent for your choice of MTA).
Re: [Clamav-users] Re: Freshclam not responding {Scanned}
On Fri, 2004-06-04 at 07:15, Gervase wrote: On Thu, 2004-06-03 at 15:22, Jo Mills wrote: Don't give up! Many thanks for joining in. Unfortunately I was impatient and reinstalled. But, alas, the problem did not go away. Have you tried something along the lines of: host google.co.uk I got : Google has address 216.239.59.104 If it does work, then you could try: traceroute google.co.uk I got: traceroute: command not found. What happens if you try: host db.europe.clamav.net I got: truncated; trying in TCP mode connection timed out; no servers could be reached What happens if you try: host 193.19.98.136 I got: 136.98.19.193.in-addr.arpa domain name pointer morden.dbplc.com. Does this tell you anything more? Others have said that my firewall is blocking port 53, but the problem persists when I turn the firewall off. This is strange since SuSE ship Clamav with the OS. Perhaps I should take it up with them. In the meantime, is there a command specifically to test the port? And if positive to unblock it. I see no way through the GUI. Sorry if I am asking to be spoon-fed. Immediately after doing the dig or nslookup that fails, tail the syslog, messages and/or kernel log files and see if there are any packet filter logs showing 'DPT=53' and 'PROTO=TCP'.
Re: [Clamav-users] Re: Freshclam not responding
On Tue, 2004-06-01 at 22:09, Fajar A. Nugraha wrote: Gervase wrote: ERROR: Can't get information about database.clamav.net host. Seems like DNS problem. Configure your DNS server properly, or use proxy (edit freshclam.conf) Make sure your firewall allows DNS over both UDP _and_ TCP, because clam has so many mirrors the DNS response stopped fitting in a UDP packet, so it has to use a TCP packet instead. If your firewall doesn't allow TCP packets through, it won't work.
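The log check suggested in the two Freshclam replies above (look for 'DPT=53' with 'PROTO=TCP' right after the failing lookup), as an added example that is not part of the original posts. It assumes netfilter-style KEY=value log lines; the sample lines, the FW-DROP prefix, the addresses and the function names are constructed for the illustration, and matching replies from port 53 goes slightly beyond what the thread asks for.

```shell
#!/bin/sh
# Added example, not from the thread. Parses packet-filter log lines of the
# netfilter LOG form (KEY=value fields) and reports drops touching DNS.

# Constructed sample: two dropped TCP SYNs to a resolver, plus lines that a
# plain "grep DPT=53" would wrongly match or that are unrelated.
sample_log() {
    cat <<'EOF'
Jun  4 07:20:01 gw kernel: FW-DROP IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.53 LEN=60 TTL=64 ID=4711 DF PROTO=TCP SPT=32801 DPT=53 WINDOW=5840 SYN URGP=0
Jun  4 07:20:04 gw kernel: FW-DROP IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.53 LEN=60 TTL=64 ID=4712 DF PROTO=TCP SPT=32801 DPT=53 WINDOW=5840 SYN URGP=0
Jun  4 07:20:09 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.77 DST=224.0.0.251 LEN=73 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=53
Jun  4 07:20:11 gw kernel: FW-DROP IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.8 LEN=60 TTL=64 ID=4713 DF PROTO=TCP SPT=32802 DPT=80 WINDOW=5840 SYN URGP=0
Jun  4 07:20:15 gw kernel: eth0: link up
EOF
}

# summarize_dns_drops: read log lines on stdin and print one line per
# distinct "PROTO DIRECTION PEER" combination, followed by its count.
summarize_dns_drops() {
    awk '
    {
        proto = ""; spt = ""; dpt = ""; src = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^SPT=/)   spt   = substr($i, 5)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            else if ($i ~ /^SRC=/)   src   = substr($i, 5)
            else if ($i ~ /^DST=/)   dst   = substr($i, 5)
        }
        if (proto != "TCP" && proto != "UDP") next
        # Compare the whole port number, so DPT=5353 or DPT=530 do not count.
        if (dpt == "53")      key = proto " query " dst
        else if (spt == "53") key = proto " reply " src   # dropped answers
        else next
        count[key]++
    }
    END { for (k in count) print k, count[k] }
    ' | sort
}

# tcp_dns_blocked: succeeds when the log on stdin shows filtered DNS over TCP,
# the symptom behind "truncated; trying in TCP mode ... timed out".
tcp_dns_blocked() {
    summarize_dns_drops | grep -q '^TCP '
}
```

On a live system, feed it the kernel or messages log on stdin straight after the failing lookup; no output means the packet filter logged nothing for port 53.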
Re: [Clamav-users] CommuniGate Pro and ClamAV
On Fri, 2004-05-28 at 16:29, Brandon wrote: Good Morning! Has anyone on this list had any luck running clamav with CommuniGate Pro? Our mail volume is approximately 40,000 messages per hour across two front end servers. Does anyone have any statistics they would like to share about CGPRO/ClamAV? I think there is a way of using MailScanner (which in turn can use clamav) with CGP. I don't think it's mentioned on the MailScanner site, but if you ask on the MailScanner list there's a few people there who can probably help.
Re: [Clamav-users] Version 0.71 - clamdscan error
On Thu, 2004-05-27 at 09:21, Mr Mailing List wrote: Just noticed that scanning files with clamdscan does not scan files that are not world readable. Perhaps it would be better if clamd could implement some kind of privilege separation, so that a minimal process running as root reads the files, but an unprivileged process could actually do all the processing?
Re: [Clamav-users] blocking attachments
On Tue, 2004-05-25 at 17:12, Ken Jones wrote: Is it possible to configure clamav to block certain types of attachments even if they do not have a virus? Take a look at MailScanner http://www.mailscanner.info it offers a number of ways to apply all sorts of policy to email.
Re: [Clamav-users] name that worm: agobot,gaobot,polybot
On Wed, 2004-05-19 at 12:54, Betsy Schwartz wrote: Some PC's on our network have been flagged as having agobot,gaobot,polybot (or a sasser variant), by the perimeter security system. I have looked at Kevin's excellent database at http://www.rainingfrogs.co.uk and don't see any matches made between these names and clamav. I found loads when I tried, maybe you were searching on 'exact name' rather than 'contains'? I've changed it to do 'contains' searches by default now, as that's probably more intuitive.
Re: [Clamav-users] Question regarding virus detection
On Thu, 2004-05-20 at 19:21, Peter Bonivart wrote: Jim Maul wrote: There is something that is causing clamav to not be able to detect this virus after the message has been bounced and now forwarded. Damaged bounces are not dangerous. Why bother making signatures for them when you don't make money showing how many viruses you detect? Well, although you might not make money it's not good for the reputation of a virus scanner if other scanners detect these files and they don't. How does an end user (or for that matter most IT staff) know whether a file is not detected by one scanner but picked up by another because it's not dangerous or because the scanner isn't good?
[Clamav-users] New Address for Virus Alias Database
For those that found my virus alias database useful I have now moved it to http://www.rainingfrogs.co.uk to get rid of the annoying UK2 popup ad and banner. This also means that it will now accept direct links to URL's of specific entries, for those that requested that facility. Kevin
Re: [Clamav-users] What is this Exploit.JUnksurf.A ? (Off topic)
On Thu, 2004-05-13 at 20:53, Damian Menscher wrote: You are obviously correct in the case of an intrusion. But I don't know many 1337 h4x0rs that would mess with: //usr/share/doc/libxml2-devel-2.5.4/example.html: Exploit.Junksurf.A FOUND which is why i recommended updating clamav before reinstalling. Taking things in context helps. It's also worth noting that where the type of infection doesn't match the type of file it's likely to be a false positive. For example if you find linux binaries 'infected' with a word macro virus. In this particular case (from its name, and the description of a similarly named virus on Trend's site http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=HTML_JUNKSURF.A ) I would guess this is an HTML exploit, therefore finding it in all manner of files, both binary and text would seem to suggest an error on the part of the scanner.
RE: [Clamav-users] Re: Virus Alias Database
On Tue, 2004-05-11 at 00:58, Mitch (WebCob) wrote: I'm sure there are many (including myself) that could be convinced to host mirrors once the concept stabilizes... Or alternatively, you could allow download of the db and functions so people wouldn't have to keep hitting your server... That's the better idea, although ideologically I'm all for open source I have no intention of releasing the code that builds the database. That is for purely practical reasons, most of it works by crawling the anti-virus vendors sites - as such if lots of people started to run it there would be significant load on their sites, which is not only inconsiderate of us but also could lead to them blacklisting our IP's and/or changing their page format to make it much harder to parse. I'm certainly willing to open the front end, but I need to find out how easy it is to mirror a mysql database, I suppose I could script something that writes incrementals out to some web space. But it all needs more work first... I'm away for a few days, maybe I'll find time next week. Kevin
Re: [Clamav-users] Virus Alias Database
On Mon, 2004-05-10 at 18:24, jef moskot wrote: So, if I type in Netsky, I don't see any ties to SomeFool. If I put in SomeFool, I don't see any immediate reference to Netsky, but if I poke around a little, it becomes apparent that we're talking about the same thing. But if you put in Worm.somefool (which is what clam actually calls it), or click on worm.somefool vendor clamav when you search on 'contains somefool', you can see it is Netsky as reported by some other vendors. Not sure how it should be implemented, Me either! My current thinking is to do it as automatically as possible, otherwise I'll just get bored / occupied doing something else and not keep the alias mapping up to date. I did think about doing some kind of 'smart-search' but that's going to need some thinking about. Maybe...
Re: [Clamav-users] Re: Virus Alias Database
On Mon, 2004-05-10 at 11:38, Russ Phillips wrote: I had a look, and I have a couple of thoughts/comments. 1. Will it handle heavy loads? It may start to get a lot of hits once people start to find out about it. It's running PHP MySQL on apache2, unfortunately this is my home box (that said it's not a bad spec) so the response will be directly proportional to what I'm compiling at the time and the amount of bandwidth on my DSL line. 2. If it could handle heavy loads, it would be useful if the form used GET instead of POST, so that links to specific viruses could be posted. I've changed the form to GET, however direct links won't work because of the web diversion service that I use - unless you link to the IP address (of the lower frame, not the outer window), it is a static IP but could change if I get fed up with my ISP or something (not that that is at all likely right now, I'm using Eclipse and they are excellent)
Re: [Clamav-users] Recommendation RedHat replacement
On Mon, 2004-05-10 at 19:57, Bora wrote: Sorry, this may not be appropriate to post here, but I know many of you are using RH and are figuring new options as they are no longer offering free download for RH 7, 8 and 9. When starting a new topic please would you create a fresh message rather than replying to an existing message and changing the subject - it screws things up for those of us with threaded mail readers. Thanks
[Clamav-users] False positive
I submitted a false positive of Joke.BinLaden last week (through the web interface), but I haven't heard anything of it, and it's not shown up in the virusdb list. Should I resubmit?
[Clamav-users] Virus Alias Database
I've put a little more work into my virus alias database (at http://www.kevinspicer.co.uk) and it is now indexing virus definitions from Sophos, F-Prot, Norman and Vexira as well as those from F-Secure and Symantec that were indexed previously. This has nearly doubled the number of virus names and aliases known. I've also made an improvement which should get rid of some of the odd stuff that got into the database due to inadequate text processing of Symantec's site, these should disappear as they expire over the next week or so. The site has been down for the last few days due to an upgrade replacing the index.html page and me not noticing (doh!), but should be alright now. I hope people find this useful, any constructive comments or suggestions gratefully received. Kevin
Re: [Clamav-users] Virus found in virgin RHES 3 installation?
On Fri, 2004-05-07 at 18:36, Ken Morley wrote: I was surprised when clamdscan reported: //proc/kcore: Trojan.MiniCommander.dr FOUND What's the possibility that the server is really infected? It's got to be somewhat unlikely that a running linux kernel would get infected with a Windows trojan. False positive methinks. Normally I'd say submit the affected file for analysis, but I'd guess the database guys don't really want a core dump of your kernel (?) More to the point why are you scanning /proc ? The easiest answer is probably just to not scan /proc.
Re: [Clamav-users] Easiest/best sendmail integration
On Fri, 2004-05-07 at 18:27, Mike Lambert wrote:
> Again, the advantage is sending 5xx instead of 2xx. IMO, giving the connecting mta a status code appropriate to the message disposition is better than simply accepting _all_ messages only to drop some later (I do not consider generating a separate bounce message to be an option). The sending mta should deal with rejected messages, not the receiving (rejecting) mta.
Sorry, this is really far too long!

Disclaimer: I use MailScanner, I've also contributed to MailScanner and am the current lead developer on MailScanner-MRTG (a GPL'd monitoring tool for MailScanner servers). Obviously my opinion isn't unbiased (although I hope not totally one-sided), but I'd like to throw some often overlooked points into the mix. I don't think that there is necessarily a right or wrong answer to this one, nor is one solution necessarily best for everyone.

I do agree that where a message is undeliverable (because of bad addressing, disabled accounts etc) this should be handled by rejecting at the RCPT stage by the first MTA with the ability to make such a judgement (since this is a matter of MTA configuration this shouldn't be an issue in the milter vs queue argument). Where the decision to reject is based on the application of policy to the content of a message (whether that be the application of virus scanning, spam filtering, file name/type filtering, other message content filtering, attachment size restrictions etc.) it is not necessarily so clear cut. I would not advocate bouncing spam or viruses as this causes a nuisance, however where a message is blocked due to pure policy decisions (for example we block mpegs) then a clear and helpful bounce message is a courtesy.

I appreciate that for members of the list understanding a reject message generated by an MTA is trivial, but many users find it much less accessible (not to mention getting confused about why their own mailserver appears to have rejected their message - when in fact it is merely reporting the rejection by the destination mailserver). A good proportion of mail passes through multiple MTA's en route, especially given the current spam/virus tactics of delivering to secondary MX's, many of which simply store and forward. I imagine that dealing with 5xx rejects of spam and viruses (usually with forged senders) is a growing burden for ISP's who offer a secondary MX store and forward service. I hope that at least some milters have the ability to discard rather than simply reject certain classes of unwanted mail.

It's often overlooked that 5xx rejecting only pushes the problem back upstream, and this is not necessarily to the point of origin (as anyone who has ever been joe-jobbed will appreciate all too well). So by not accepting the mail you may be part of the problem rather than part of the solution [I'm not saying that's my opinion, I'm on the fence on that one - no flames please!]. There is however a fine line to walk, just discarding mail is a dangerous path to tread and certainly not one we choose to take. Our policy is not to bounce spam or virus. Spam mails are tagged (and stripped of html content to avoid offending people), so the recipient can filter in their MDA. Viruses are removed (or disinfected in the case of the now rare macro viruses) and the recipient notified with any deliverable portion of the mail included, except in the case of outgoing mail, where we can be reasonably sure who the sender is and notify them instead.

There are also technical concerns with both methods. Others have raised technical concerns about MailScanner's approach so I won't duplicate them here. Because milters scan the mail during the SMTP transaction they need to be fairly swift about it, so that the sending server doesn't give up on them, and also out of courtesy to the sender's organisation (who wants dozens of MTA processes all waiting while the recipient takes several minutes to do umpteen checks?) Please don't misunderstand me, I'm not saying that this is always the case - just that there is a risk of processing time becoming unacceptably long during times of unusually heavy load. MTA's generally restrict the maximum number of threads, so slow processing can result in mail not being delivered. Typically this pushes the problem back upstream again, if upstream happens to be the spammer's server or the infected PC then this is good as it's quite likely they won't attempt another delivery, if not then this is just creating problems for others [again, good or bad you decide].

On the other hand with MailScanner the MTA handles the mail as quickly as it can, making SMTP sessions as short as possible. This does mean at times of heavy load there can be a backlog in the incoming queue, and your server may be at full pelt trying to catch up, however mail is processed as soon as possible and in the order it arrived so mail will be delivered at the earliest opportunity (with the milter model the
Re: [Clamav-users] Problem
On Fri, 2004-04-30 at 08:05, Bernard Elbourn wrote:
> Unfortunately this installation is remote to me so not so easy to just update. Shame I did not get any warning! How can I find out when I should update so I can plan ahead?
Subscribe to clamav-announce list. Generally speaking it's a good idea to keep up with clam releases as new releases generally improve detection.
Re: [Clamav-users] Problem
On Thu, 2004-04-29 at 21:42, Bernard Elbourn wrote:
> From a 1 year old installation [snip] Is it time to upgrade?
Oh yes. It was probably time to upgrade some months ago! Virus scanning (and virus production) is an arms race, really well advised to keep pace.
[Clamav-users] Virus Alias Database
I've put up a proof-of-concept (read 'ugly') virus alias database at http://www.kevinspicer.co.uk It's currently rather limited in that it only fully indexes Clam, Fsecure and Symantec (although some aliases for other vendors are picked up). If people feel it is worth pursuing then I'll try and find time to add some other vendors and maybe even make it less ugly (and validate the html!) It's on a DSL line, so please be gentle with me! Kevin
Re: [Clamav-users] clamav on early Linux 2.0 release
On Sun, 2004-03-28 at 15:45, Fred Flintstone wrote:
> Any other quick 'n' dirty suggestions for this one? :)
Have you tried just building a statically linked binary on a more recent distro and seeing if it works on yours?
Re: [Clamav-users] RE: Nbr of signatures
On Tue, 2004-03-16 at 17:53, Alex S Moore wrote:
> Has the number of virus signatures increased significantly lately? I thought there were around 21,000 but now I have this msg in clamd.log.
> Tue Mar 16 11:45:22 2004 - Protecting against 40969 viruses.
Maybe you have both old and new style databases in place - suggest you delete the old ones.
Re: [Clamav-users] pipechk: [kegger:clamav-virus-list] (fwd)
On Mon, 2004-03-15 at 20:20, [EMAIL PROTECTED] wrote:
> Has the Ladmar.A virus been merged as a different virus? The count went down by 1 and Ladmar was removed. Any ideas?
It was temporarily removed due to a false positive. You can keep track of additions and removals by subscribing to the clamav-virusdb list, or by checking the archive at http://news.gmane.org/gmane.comp.security.virus.clamav.virusdb (Also in the case of this false positive there was a discussion about it on this list a few hours ago).
[Clamav-users] FAO. List admins -- clamav-announce
Would it be possible for posts to clamav-announce to be cross-posted here, please? I imagine I'm not the only one here that didn't know about 0.68. Cross posting to the users list seems to be fairly common among other projects (it makes sense that anyone on the users list is going to want to know about new releases).
Re: [Clamav-users] some little questions
On Wed, 2004-03-03 at 02:28, Rembrandt wrote:
> I know guys which are working as administrators at a newspaper. They make backups.. yes.. But they make it only for 1 week ('cause there's too much data). So they're able to restore all files which changed since date X. But what's about a virus which infects the files and waits until a special date? Or what's about logic-bombs?
It's not the job of an anti-virus solution to compensate for inadequate backups. This is inadequate because if you may need a file from a month ago your backup solution should be able to deliver that. A weekly rotation is only any good if the files you are backing up will genuinely not be needed for longer than a week. There are plenty of adequate ways to minimise the amount of media needed to perform much longer term backups (for example the Tower of Hanoi method).
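The Tower of Hanoi rotation named in the reply above, worked through as an added example (not part of the original thread): it compares a seven-set round-robin with a seven-set Hanoi schedule and reports the newest surviving backup that predates a delayed-trigger infection. The day numbers, set count and function names are assumptions chosen for illustration.

```python
"""Backup-media rotation: weekly round-robin versus Tower of Hanoi.

Days are numbered from 1 and one backup is written per day. The set
count and day numbers used below are illustrative assumptions.
"""


def round_robin_set(day, n_sets):
    """Plain rotation: set 0, 1, ..., n_sets-1, then start again."""
    return (day - 1) % n_sets


def hanoi_set(day, n_sets):
    """Tower of Hanoi rotation.

    Set k is written on days whose number has exactly k trailing zero
    bits (set 0 every 2nd day, set 1 every 4th, ...). The last set takes
    every day with n_sets-1 or more trailing zero bits.
    """
    if day < 1 or n_sets < 1:
        raise ValueError("day and n_sets must be positive")
    trailing_zeros = (day & -day).bit_length() - 1
    return min(trailing_zeros, n_sets - 1)


def restore_points(today, n_sets, scheme):
    """Map each media set to the age (in days) of the backup it holds."""
    last_written = {}
    for day in range(1, today + 1):
        # Writing to a set overwrites whatever it held before.
        last_written[scheme(day, n_sets)] = day
    return {s: today - d for s, d in sorted(last_written.items())}


def newest_backup_before(today, incident_day, n_sets, scheme):
    """Day of the newest surviving backup written before incident_day.

    Returns None when every surviving backup was written on or after
    the day the files were altered.
    """
    ages = restore_points(today, n_sets, scheme).values()
    candidates = [today - age for age in ages if today - age < incident_day]
    return max(candidates) if candidates else None


if __name__ == "__main__":
    today, altered_on = 100, 70   # constructed scenario: noticed 30 days late
    for name, scheme in (("round-robin", round_robin_set),
                         ("tower-of-hanoi", hanoi_set)):
        ages = restore_points(today, 7, scheme)
        print(f"{name:15s} oldest backup: {max(ages.values()):2d} days old, "
              f"last backup before day {altered_on}: "
              f"{newest_backup_before(today, altered_on, 7, scheme)}")
```

With the same seven media sets, the round-robin schedule never holds anything older than six days, while the Hanoi schedule still holds a backup from day 64.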
RE: [Clamav-users] Problem with *.zip atachments!
On Wed, 2004-03-03 at 20:57, Grzesiek Staleczyk wrote:
> MailScanner users need to upgrade to MailScanner 4.28.4 (just out), which can block password-protected .zip files. RP MailScanner users need to upgrade to MailScanner 4.28.4 (just out), which RP can block password-protected .zip files.
It only says that the filename rules would allow it - it doesn't say that the attachment will be allowed as a result of all checks. Is the attachment actually reaching the recipient? You should really try posting on the MailScanner list, as this clearly isn't a clam issue.
Re: [Clamav-users] How to handle quarantined SPAM
On Wed, 2004-02-18 at 00:19, Luc de Louw wrote:
> Hi all, Does someone know a software, that allows users to browse and handle quarantined Mails? Preferably a Web-interface...
You don't say what you are using to quarantine, but if using MailScanner then I think Mailwatch for MailScanner might do what you want
Re: [Clamav-users] unrar
On Sat, 2004-02-14 at 00:00, Chris Conn wrote:
> Hello, I get the following error after installing unrar-3.3.6 (from a unrar-3.3.6-0.lvn.1.rh90 rpm I built for RH9)
> Feb 13 18:33:25 MailScanner[5160]: ProcessClamAVOutput: unrecognised line UNRAR 3.30 freeware Copyright (c) 1993-2004 Eugene Roshal. Please contact the authors!
> Feb 13 18:33:25 MailScanner[5160]: No files to extract
> Feb 13 18:33:25 MailScanner[5160]: ProcessClamAVOutput: unrecognised line No files to extract. Please contact the authors!
These are MailScanner errors, you should really post them to the MailScanner list. The unrecognised line errors don't matter (just unexpected output that is being ignored), however the 'no files to extract' is probably a symptom of running clam as root. It tries to use /root/tmp as temporary space - but because it drops privileges it cannot write to there. I've attached my own updated clamav-wrapper which addresses this issue. You will need to uncomment the lines about unrar in it.
#!/bin/sh

# clamav-wrapper -- invoke ClamAV for use with mailscanner
#
# Adrian Bridgett [EMAIL PROTECTED], 14/12/01
#
#   MailScanner - SMTP E-Mail Virus Scanner
#   Copyright (C) 2001 Julian Field
#
#   $Id: clamav-wrapper,v 1.4.2.3 2003/08/15 16:30:58 jkf Exp $
#
#   This program is free software; you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation; either version 2 of the License, or
#   (at your option) any later version.
#
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program; if not, write to the Free Software
#   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
#   The author, Julian Field, can be contacted by email at
#      [EMAIL PROTECTED]
#   or by paper mail at
#      Julian Field
#      Dept of Electronics Computer Science
#      University of Southampton
#      Southampton
#      SO17 1BJ
#      United Kingdom
#
#
# Modifications by Kevin Spicer [EMAIL PROTECTED] to get
# external unpackers working correctly. 9 Nov 2003
#  Removed --unzip from ScanOptions, as it's already in ExtraScanOptions
#  (Clam usually uses own unzipper, -unzip just allows it to use external
#  program so should be in ExtraScanOptions as it could cause a failure)
#  Separate all unpackers and add missing ones.
#  Add tmpdir (and check for it) in MailScanner incoming dir
#  (to take advantage of ramdisk) - needed by external unpacker

## IF YOU ARE RUNNING MAILSCANNER AS ROOT ##
# You need to set the following in MailScanner.conf so that external
# unpackers can be used...
# Incoming Work Group = clamav
# Incoming Work Permissions = 0640

# You may want to check this script for bash-isms

MailScannerWorkDir=/var/spool/MailScanner/incoming
ClamUser=clamav
ClamGroup=clamav

ScanOptions=""
ExtraScanOptions=""

# Extra options we try to pass to clam but we handle it failing
# For each option there are two alternatives...
# --option                    # if the required program is in the PATH
# --option=/path/to/program   # If it's in a non standard location
# If you use the second option make sure you set the correct path in each case

# Note that clam internally supports Zip, Gzip and Rar (v2.0) files,
# so for these the extra options are just a fallback should the internal
# unpacker fail (the internal unzipper should also support .jar files).

# Common external unpackers you probably have installed (hence
# enabled by default)

# Uncomment ONE of the following lines if you have unzip installed
# (the value is quoted so the shell appends the option instead of
# trying to run it as a command)
ExtraScanOptions="$ExtraScanOptions --unzip"
#ExtraScanOptions="$ExtraScanOptions --unzip=/path/to/unzip"

# Uncomment ONE of the following lines if you have unzip installed
# And want to be able to use it to scan jar files should the internal
# unzipper fail
ExtraScanOptions="$ExtraScanOptions --jar"
#ExtraScanOptions="$ExtraScanOptions --jar=/path/to/unzip"

# Uncomment ONE of the following lines if you have tar installed
ExtraScanOptions="$ExtraScanOptions --tar"
#ExtraScanOptions="$ExtraScanOptions --tar=/path/to/tar"
OT: Re: [Clamav-users] calling rbellora@tecnoaccion.com.ar
On Fri, 2004-02-13 at 22:19, Craig Daters wrote:
> > Maybe it's cool for you but surely not for a sender who receives that auto spam.
> How is it spam? The sender is simply receiving an email asking for them to confirm that they sent the message? All they do is reply to it. It is no different than subscribing to a Mail-List these days. One that works a lot like the Mailman Mail-List software.
Assuming they are the sender, anyone who has ever been the victim of a joe-job knows that anything that responds to spam is just as much a part of the problem. Anyway, this is supposed to be a list about anti-virus - maybe this isn't the most appropriate place for this discussion? People have subscribed to a list about anti-virus, and don't necessarily want to wade through a load of _unsolicited_mail_ (!) about spam.
Re: OT: Re: [Clamav-users] calling rbellora@tecnoaccion.com.ar
On Fri, 2004-02-13 at 23:17, Antony Stone wrote:
> What's a joe-job?
As with all jargon see ESR's excellent jargon lexicon! http://catb.org/~esr/jargon/html/J/joe-job.html
RE: [Clamav-users] libunrar.so support?
On Thu, 2004-02-12 at 17:02, Randal, Phil wrote:
> And the license.txt reads: snip!
IANAL but I believe points 2, 3, and maybe 6 would make this license GPL incompatible.

2. The unRAR sources may be used in any software to handle RAR archives without limitations free of charge, but cannot be used to re-create the RAR compression algorithm, which is proprietary. Distribution of modified unRAR sources in separate form or as a part of other software is permitted, provided that it is clearly stated in the documentation and source comments that the code may not be used to develop a RAR (WinRAR) compatible archiver.

3. The unRAR utility may be freely distributed. No person or company may charge a fee for the distribution of unRAR without written permission from the copyright holder.

6. If you don't agree with terms of the license you must remove unRAR files from your storage devices and cease to use the utility.
[Clamav-users] Sco.a again
This is another post about the problems that some people have been having with sco.a seemingly making it past clam due to dodgy mime structure in bounce messages. I noticed that Symantec on our exchange servers (which are behind a mailscanner box running clam and sophos) is picking up a few Sco's in bounce messages inside 'Message Body', it is detecting it as [EMAIL PROTECTED] If I understand Symantec's naming scheme correctly this signature is matching the encoded body part, rather than after unencoding an attachment. Therefore I'm suggesting that Clam should follow Symantec's lead and include a signature for the encoded data.

I understand that some may have an issue with this as the message is broken and may be harmless (assuming no mail clients are fault tolerant enough to unpack it), but please consider the following... The messages are a nuisance at best, as the sender address is forged they cause confusion and fear amongst users (we have had a number of false alarms with users reporting an infection that was in fact just a bounce due to a forged sender address). Other scanners are detecting them, which does not make clam look good in comparison - perceptions are often more important than technology (especially for non-technical senior management). I seem to remember this was done before (maybe Gibe-F? or Sobig??) - following a long discussion. In fact, given that we have had this discussion before (I think...) perhaps it should be a matter of policy to create an additional sig for the encoded message on all mass mailing worms.
RE: [Clamav-users] clamav-milter compilation problems again
On Wed, 2004-02-04 at 23:29, Stevens, John wrote:
> and sorry for this stupid disclaimer.
We also have a stupid disclaimer, but one question about yours - can you have omissions that are present? I did think about making it a very small font, or white text on a white background - but then you get flamed for using HTML. sigh...
[Clamav-users] [Fwd: Handling zip files]
(Posting this again as it seems not to have reached the list) I encountered some behavior that was not as I expected with some zip files and clamscan (I'm not saying it is a bug - it may be by design). One of our clients attempted to send us a zipfile of data which had been compressed down to around 1.5% of its original size. Not surprisingly this triggered the oversize zip rule which in turn caused it to be rejected by MailScanner. Our response to this was to advise the client to password protect it (so that clam could not unzip it) - but this still triggered the oversize warning. Thinking more on this I'm guessing that clam does the equivalent of running zipinfo to work out the compression ratio and/or unzipped size before attempting to unpack (?). Since clam will be unable to unpack encrypted files within an archive should it really apply the oversize tests to them? I know that zipinfo is able to determine that a file is encrypted, so I presume this information should be available to clam.
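An added example (not from the original post, and not ClamAV's or MailScanner's code) of the metadata the post above refers to: a ZIP member's compressed size, uncompressed size and encryption flag all sit in cleartext headers, so a ratio check can run, or be skipped for encrypted members, without unpacking anything. The sample archive, the 50:1 threshold and the function names are assumptions; Zip64 archives are not handled.

```python
import io
import struct
import zipfile

CDH = struct.Struct("<4s6H3I5H2I")  # central directory file header (46 bytes)
EOCD = struct.Struct("<4s4H2IH")    # end of central directory record (22 bytes)
ENCRYPTED = 0x0001                  # general purpose flag, bit 0
UTF8_NAME = 0x0800                  # general purpose flag, bit 11
MAX_RATIO = 50                      # hypothetical policy threshold (assumption)


def read_central_directory(data):
    """List members from header metadata only; nothing is decompressed.

    The sizes are what the archive declares about itself. ZIP compresses
    before it encrypts, so a password does not change the declared ratio.
    """
    pos = data.rfind(b"PK\x05\x06")
    if pos < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_offset, _ = EOCD.unpack_from(data, pos)
    entries, off = [], cd_offset
    for _ in range(total):
        (sig, _, _, flags, _, _, _, _, csize, usize,
         nlen, elen, clen, _, _, _, _) = CDH.unpack_from(data, off)
        if sig != b"PK\x01\x02":
            raise ValueError("bad central directory header")
        raw = data[off + CDH.size: off + CDH.size + nlen]
        entries.append({
            "name": raw.decode("utf-8" if flags & UTF8_NAME else "cp437"),
            "encrypted": bool(flags & ENCRYPTED),
            "csize": csize,
            "usize": usize,
            "flags_offset": off + 8,   # position of the 2-byte flag field
        })
        off += CDH.size + nlen + elen + clen
    return entries


def assess(data, max_ratio=MAX_RATIO, exempt_encrypted=False):
    """Return {member name: verdict} from declared sizes and flags.

    exempt_encrypted=False reproduces the behaviour reported in the post
    (ratio test applied regardless). True is the behaviour the post
    proposes: the member is reported as unscannable, for a separate
    policy decision, rather than as oversize.
    """
    verdicts = {}
    for e in read_central_directory(data):
        ratio = e["usize"] / max(e["csize"], 1)
        if e["encrypted"] and exempt_encrypted:
            verdicts[e["name"]] = "encrypted-unscannable"
        elif ratio > max_ratio:
            verdicts[e["name"]] = "oversize"
        else:
            verdicts[e["name"]] = "ok"
    return verdicts


def build_sample_zip():
    """Constructed sample: one highly compressible member, one tiny one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("data.csv", b"0,0,0,0\n" * 200_000)
        zf.writestr("readme.txt", b"survey export\n")
    return buf.getvalue()


def set_encrypted_flag(data, name):
    """Sample helper: flip the header bit so a member is *declared*
    encrypted. The payload is untouched; only the metadata changes."""
    patched = bytearray(data)
    for e in read_central_directory(data):
        if e["name"] == name:
            patched[e["flags_offset"]] |= ENCRYPTED
    return bytes(patched)


if __name__ == "__main__":
    sample = build_sample_zip()
    print(assess(sample))
    flagged = set_encrypted_flag(sample, "data.csv")
    print(assess(flagged))
    print(assess(flagged, exempt_encrypted=True))
```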
Re: [Clamav-users] Worm.SCO.A
On Wed, 2004-01-28 at 16:01, Patricia Viana wrote:

Hi. My SMTP filter running ClamAV is blocking a huge amount of messages with the Worm.SCO.A. It seems to be the same virus as MyDoom or Novarg. Can anyone confirm this?!

That is correct. Clam had a signature whilst the commercial vendors were still busy thinking up names, hence the difference.
Re: [Clamav-users] Mailscanner, sendmail 8.12, split input queues
On Wed, 2004-01-21 at 22:19, Peter Bonivart wrote:

Leif Neland wrote:

How does this fit in with sendmail 8.12 already having two queues, mqueue and mqueue-client?

You really should have posted this on the MailScanner list since nothing of this is Clam related.

I'll second that, I'd certainly recommend joining the MailScanner list.

However the mqueue-client does not have a physical queue,

Peter, I'm going to have to slightly disagree with you on that, certainly as far as my MailScanner Mandrake boxes are concerned. The behaviour I see is that mail sent by programs that call sendmail directly (as opposed to having their own SMTP engine) is queued in the clientmqueue (on Mandrake, maybe that's mqueue-client on other systems) before being picked up by the incoming sendmail, which in turn queues it in mqueue.in (where it is picked up by MailScanner). As far as I can see the incoming (i.e. listening) sendmail keeps an eye on the clientmqueue and grabs anything it finds there.

instead it's a way of picking up local mail transmitting them through your MTA. It does not affect MailScanner at all,

Agreed.

And how do I do this with Debian's /etc/mail/sendmail.conf?

You shouldn't need to mess with any configuration settings (disclaimer: I'm not a Debian user so maybe they do something differently?), MailScanner passes the necessary instructions to sendmail on the command line.
Re: [Clamav-users] Bagle Virus/Worm Status?
On Mon, 2004-01-19 at 20:57, Tom Walsh wrote:

Anybody seen these yet? http://www.viruslist.com/eng/alert.html?id=783050 There has been some discussion on bugtraq about its payload today. Just curious...

Yeah, we had about 30 today so far. It seems to be spreading quite rapidly. Good news is it's supposed to deactivate on the 28th.
Re: [Clamav-users] Bagle Virus/Worm Status?
On Mon, 2004-01-19 at 21:31, Tim Wilde wrote:

On Mon, 19 Jan 2004, Kevin Spicer wrote:

Yeah, we had about 30 today so far. It seems to be spreading quite rapidly. Good news is it's supposed to deactivate on the 28th.

Only 30? I've seen over 500 on my mail systems since getting the new sigs late last night. Kudos to Diego for getting the sigs updated quickly.

I guess it depends on how much mail you handle! To put mine in perspective I'm talking a daily load of only about 7000 messages of which only about 3-4000 will be incoming. So probably about 1% of incoming mail is Bagle (that's pretty much in line with the figures MessageLabs are reporting of 1 in 136).
[Clamav-users] Zoo archives
Could someone confirm whether the correct argument for handling zoo archives is --zoo or --unzoo; clamdoc.pdf and man clamscan don't agree on this.
[Clamav-users] Re: dealing with zips with corrupted headers
I'm cross-posting this message from the MailScanner mailing list because I think folks here might be interested in it. If anyone needs a copy of that zip please let me know.

Kevin

On Wed, 2003-11-05 at 02:04, Chris Yuzik wrote:

Hi everyone,

No sooner do we (well...Julian) come out with a workaround for the extra status line that ClamAV was spitting out than another virus is using similar zip-header trickery to sneak through our scanners. Worm.Mimail.G arrives in a zip file called readnow.zip that strangely gets a simple OK from clamscan, and the virus goes right through.

After some experimenting, I've figured out that the virus will happily unzip with the console unzip tool, but complains with the following message:

    # unzip readnow.zip
    Archive: readnow.zip
    warning [readnow.zip]: 3 extra bytes at beginning or within zipfile
    (attempting to process anyway)
    file #1: bad zipfile offset (local header sig): 3
    (attempting to re-compensate)
    extracting: readnow.doc.scr

After reading the man page for clamscan, I came across an option that disables clamscan's internal archive tools. When I typed clamscan --disable-archive readnow.zip I got the expected response of readnow.zip: Worm.Mimail.G FOUND.

Is there a disadvantage to editing /usr/lib/MailScanner/clamav-wrapper and removing the --unzip option and replacing it with --disable-archive? Am I on the right track?

Thanks,
Chris
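The unzip warning quoted in the message above ("3 extra bytes at beginning or within zipfile", "bad zipfile offset (local header sig)") describes an archive whose recorded offsets no longer match the file. A mail gateway can test for that mismatch itself and treat it as suspicious instead of relying on an unpacker's OK. This is an added example, not code from ClamAV, MailScanner or unzip; the function names are assumptions and the sample archive is a harmless one constructed in the script.

```python
import io
import struct
import zipfile

EOCD = struct.Struct("<4s4H2LH")     # end-of-central-directory record, 22 bytes
CDH = struct.Struct("<4s6H3L5H2L")   # central directory file header, 46 bytes


def check_zip_offsets(data):
    """Compare the offsets recorded in a zip with where things really are.

    Limitations of this sketch: no ZIP64 support, and an archive comment
    that itself contains the EOCD signature would confuse rfind().
    """
    eocd_pos = data.rfind(b"PK\x05\x06")
    if eocd_pos < 0 or eocd_pos + EOCD.size > len(data):
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, cd_size, cd_offset, _ = EOCD.unpack_from(data, eocd_pos)

    # The central directory sits directly before the EOCD record, so its real
    # start is known. Any difference from the recorded offset is the number
    # of bytes inserted before it.
    real_cd_start = eocd_pos - cd_size
    extra_bytes = real_cd_start - cd_offset

    bad_local_offsets = []
    pos = real_cd_start
    for _ in range(total):
        if pos < 0 or pos + CDH.size > eocd_pos or data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("central directory is damaged")
        fields = CDH.unpack_from(data, pos)
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        local_offset = fields[16]
        name = data[pos + 46:pos + 46 + name_len].decode("cp437", "replace")
        # The recorded offset should point at a local file header signature.
        if data[local_offset:local_offset + 4] != b"PK\x03\x04":
            bad_local_offsets.append(name)
        pos += 46 + name_len + extra_len + comment_len

    return {
        "extra_bytes": extra_bytes,
        "bad_local_offsets": bad_local_offsets,
        "suspicious": extra_bytes != 0 or bool(bad_local_offsets),
    }


def build_sample(prefix=b""):
    """Constructed, harmless archive; `prefix` simulates the extra bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"harmless constructed content\n")
    return prefix + buf.getvalue()


if __name__ == "__main__":
    print("clean  :", check_zip_offsets(build_sample()))
    print("shifted:", check_zip_offsets(build_sample(b"\x00\x00\x00")))
```

An archive flagged this way is a candidate for quarantine or for scanning as a raw file, which is what produced the detection in the message above.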
RE: [Clamav-users] postfix + clamav + clamdmail
On Sat, 2003-10-25 at 00:08, Noel Jones wrote:

At 05:46 PM 10/24/03, Walgamotte, David wrote:

I didn't have luck with amavisd-net mailscanner is the way to go ...

Don't use MailScanner with postfix. MailScanner manipulates the postfix queue in an unsupported manner and will cause loss of mail without warning or notice. I'm sure MailScanner works great with other MTAs, just don't use it with postfix.

There is a difference of opinion between the postfix folks and the mailscanner folks on that issue. There were some initial problems with MailScanner on postfix but there are now many happy MailScanner/Postfix users. It is true that the method of intercepting the emails is not the one recommended by the postfix guys, but so long as you follow the install instructions on the MailScanner site you shouldn't have a problem. The biggest cause of problems is people who think they can put the incoming queue and outgoing queue on different disks - that doesn't work because postfix relies on knowing the inode number of the file.

If that doesn't convince you then, unless you have some complex mail requirements, it's easy to switch Mandrake to use sendmail (that's what I did, because MailScanner didn't support postfix back when I first installed it).
RE: [Clamav-users] clam-update log file...
On Thu, 2003-10-16 at 12:09, Informacion wrote:

Hi, Check the: /etc/cron.hourly/msec and /etc/cron.daily/msec ... This is the problem, the script msec, chown all files in /var/log to root user.

Rather than turning those scripts off you can easily customise how they behave... You need to set up /etc/security/msec/perm.local to customise the permissions assigned to these files/directories. See man msec and man mseclib for details and the files in /usr/share/msec/perm.* for examples of the file format. Note that msec only reduces permissions so you need to manually open the permissions once you create the above file.

(Also worth noting - only include the permissions for which the defaults are not what you want in the file, it is just changes against the standard for that permission level)
Re: [Clamav-users] clamav CVS version
On Mon, 2003-10-13 at 05:57, Odhiambo Washington wrote:

I am behind a firewall, but this has not been an issue for non-Sourceforge CVS servers such as the BSD-Airtools project, etc.

Check the status page of sf.net, there's been problems with pserver based cvs access for a while. SF expect to get this all fixed up over the next week or so.
Re: [Clamav-users] Email results
On Fri, 2003-09-19 at 23:59, Antony Stone wrote:

Try clamscan --help

I already did (after your previous post) and it is there, I just think it should be added to the man page as well, that is what man pages are for after all.
Re: [Clamav-users] Email results
On Thu, 2003-09-18 at 23:30, Antony Stone wrote:

On Thursday 18 September 2003 10:58 pm, Kevin Spicer wrote:

clamscan ${YOUR_OPTIONS} --stdout | grep -v OK | mail -s "Clamscan results" [EMAIL PROTECTED]

Achieve the same thing by including -i or --infected in ${YOUR_OPTIONS}

You know, I thought that there was an option that did that - but couldn't find it in the man page. I thought it was that I had an old version, but I just upgraded to 20030829 and it's still missing. Perhaps someone could add it.
Re: [Clamav-users] Proxy and Scanning?
On Wed, 2003-08-27 at 00:20, Mark wrote:

Is it possible to scan the traffic (via plug in or so) with SQUID or an SOCKS-Proxy (like Dante)? If not: Feature Request - TrafficScan via PlugIN, own mod or Daemon :)

Dansguardian (http://www.dansguardian.org) is a content filter for squid which has an extension available (http://www.pcxperience.org/dgvirus/) that virus scans files passing through the proxy (it can use Clam or F-prot).
Re: [Clamav-users] Clamscan: how to tell which message number in an mbox?
On Wed, 2003-08-20 at 17:12, Martin-Éric Racine wrote:

Greetings, I installed clamav to scan mails from work (I telework and the stupid company doesn't scan emails for possible viruses) and doing a quick run of clamscan indeed found one virus. The problem is we're dealing with a mailfile (mbox) and I simply cannot afford to delete the whole inbox file; I need clamscan to be precise as to which e-mail message contains the virus, so that I can simply delete that specific message. Giving the offending message's Subject line would be enough to at least locate it. Is this possible and how? Thanks!

I'm guessing (from its name) that you could use this tool... http://sageshome.net/oss/mbox2mdir.php to extract all the messages to separate files, which you could then scan with clamscan.
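The approach suggested in the reply above (split the mbox into one file per message, then scan the files) can be done with Python's standard mailbox module, keeping an index so that each clamscan hit maps back to a message number and Subject line. This is an added example, not the linked tool or any ClamAV code; the function names and file naming are assumptions, and the sample mbox is constructed.

```python
import mailbox
import os
import re
import shutil
import subprocess
import tempfile

# Constructed two-message mbox, used only to exercise the code.
SAMPLE_MBOX = (
    "From alice@example.com Wed Aug 20 17:12:00 2003\n"
    "From: alice@example.com\n"
    "Subject: Quarterly figures\n"
    "\n"
    "Body of the first message.\n"
    "\n"
    "From bob@example.com Wed Aug 20 17:15:00 2003\n"
    "From: bob@example.com\n"
    "Subject: Re: meeting notes\n"
    "\n"
    "Body of the second message.\n"
)

# clamscan reports a hit as "<path>: <signature name> FOUND".
FOUND_LINE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")


def split_mbox(mbox_path, out_dir):
    """Write each message to its own file; return {filename: (number, subject)}."""
    index = {}
    box = mailbox.mbox(mbox_path, create=False)
    try:
        for number, key in enumerate(box.iterkeys(), start=1):
            name = "msg-%04d.eml" % number
            with open(os.path.join(out_dir, name), "wb") as fh:
                fh.write(box.get_bytes(key))
            index[name] = (number, box[key]["Subject"] or "(no subject)")
    finally:
        box.close()
    return index


def map_hits(clamscan_output, index):
    """Turn clamscan FOUND lines into (message number, subject, signature)."""
    hits = []
    for line in clamscan_output.splitlines():
        match = FOUND_LINE.match(line.strip())
        if not match:
            continue
        name = os.path.basename(match.group("path"))
        if name in index:
            number, subject = index[name]
            hits.append((number, subject, match.group("sig")))
    return hits


def scan_mbox(mbox_path):
    """Split, run clamscan over the pieces, and report per-message hits."""
    out_dir = tempfile.mkdtemp(prefix="mbox-split-")
    try:
        index = split_mbox(mbox_path, out_dir)
        proc = subprocess.run(
            ["clamscan", "--infected", "--no-summary", out_dir],
            capture_output=True, text=True)
        return map_hits(proc.stdout, index)
    finally:
        shutil.rmtree(out_dir, ignore_errors=True)


if __name__ == "__main__":
    import sys
    for number, subject, sig in scan_mbox(sys.argv[1]):
        print("message %d (%s): %s" % (number, subject, sig))
```

The original mbox is only read, so removing the reported message is left to the mail client.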
Re: [Clamav-users] FOO.EXE
sigtool -c clamscan --stdout -f message.zip -s message

Someone correct me if I'm wrong but I'm pretty sure you can't use sigtool to extract the virus signature from a zip (no matter what scanner you use). The zip itself is not infected, you need to unzip the file and extract the signature from the infected file within. Quite why you're trying to do this however I can't see, as you've already proven that clamscan can detect the infection.