Re: [Clamav-users] Major upgrade db compatibility

2009-10-01 Thread Thomas Lamy
 

Bryan Blackwell wrote:
> 
> Greetings,
> 
> We're running ClamAV at the suggestion of our vendor, and they advised
> the newest version for compatibility with the signature data.  I
> looked around the documentation, and couldn't find an answer to the
> required versions for the signature files.  My question is, are the
> definitions backwards compatible for some time, or do we have to
> upgrade as soon as a new version comes out?  For example, when 0.96
> comes out, do we have to upgrade immediately?  How about for the 0.96
> release?  Thanks for any insight.
> 
> --Bryan
> 
> --  Bryan Blackwell --
> *nix Systems Engineer
> br...@skiblack.com

Well, that depends.
With 0.95 the signature format changed, with mirrors providing backwards
compatibility for some time. Also, with help of (up to date) freshclam
and sigtool, you should be able to create old-style signatures for a
local mirror.
I don't know what's planned for 0.96, but I'm sure there will be some
grace period of time if the signature format changes again or other
large-scale changes occur. It's always good practice to test RCs and
read the changelogs attentively.


Kind regards
Thomas


-- 
Thomas Lamy  Ingolstadt Online GmbH   thomas.l...@in-online.net
Fon: +49 841  885 212-0  Fax: +49 841  885 212-29  Web: www.in-online.net

Mandatory disclosures per §35a GmbHG:
Ingolstadt Online GmbH, Münchener Str. 71, 85051 Ingolstadt
Managing Director: Gerhard Mayer
HR Ingolstadt Nr. 1950, Tax number 124/129/30752
VAT ID: DE179321207


___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] nonblock_connect: connect timing out (30 secs)

2009-09-27 Thread Thomas Lamy
Agostinho Carvalho wrote:
> 
> Hello.
> 
> New Clam user here, so please be gentle  :-)
> Recently (since 4 days ago or so), I've been having some issues while
> updating my virus definitions.
> 
> Here is the terminal output after a freshclam command:
> 
> 
> ClamAV update process started at Sun Sep 27 08:41:39 2009
> main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
> Trying host database.clamav.net (82.195.234.148)...
> nonblock_connect: connect timing out (30 secs)
> Can't connect to port 80 of host database.clamav.net (IP: 82.195.234.148)
> Trying host database.clamav.net (80.69.67.43)...
> Downloading daily-9841.cdiff [100%]
> daily.cld updated (version: 9841, sigs: 79805, f-level: 43, builder: guitar)
> Database updated (624840 signatures) from database.clamav.net (IP: 80.69.67.43)
> WARNING: Clamd was NOT notified: Can't connect to clamd through /var/lib/clamav/clamd-socket
> connect(): No such file or directory
> 
This is normal behavior: since the mirror 82.195.234.148 is down, freshclam 
retries from a different mirror.
Freshclam should blacklist this IP somehow (haven't read the source for a 
while, blame me). Also the clamav team removes mirrors which are out of sync or 
down automatically from the DNS database.

The second symptom is from not running clamd, or having a wrong path to 
clamav's config file in freshclam.conf. If you don't have clamd running (which 
I recommend), comment out the
NotifyClamd 
or make sure the argument to NotifyClamd correctly points to clamd's config 
file.

Good Luck
  Thomas

-- 
Thomas Lamy Ingolstadt Online GmbH thomas.l...@in-online.net
Fon: +49 841 885 212-0 Fax: +49 841 885 212-0  Web: www.in-online.net
Mandatory disclosures per §35a GmbHG:
Ingolstadt Online GmbH, Münchener Str. 71, 85051 Ingolstadt; Managing Director: 
Gerhard Mayer
Registered in HR Ingolstadt Nr. 1950, Tax number 124/129/30752 
VAT ID: DE179321207





Re: [Clamav-users] Problems Detecting Known Viruses

2009-06-24 Thread Thomas Lamy
> 
> I just did a fresh install on Postfix, Amavisd-new, & Clamav on
> Debian. Now everything works great however I attempted to send a test
> virus from my new Postfix install running Clamd to this Gmail account
> and I never saw any sign emailed to me that a "virus was detected"
> from Clamav. I don't understand why. The message was never relayed to
> its final destination (this Gmail address) but I don't understand what
> happened. I checked my /var/log/mail.log to see if it reported
> anything strange about the message and I found the following:
> 
> Jun 24 10:08:13 ham postfix/smtp[7337]: 39CEF51B12:
> to=, relay=127.0.0.1[127.0.0.1]:10024,
> delay=1.3, delays=0.05/0.01/0/1.3, dsn=4.5.0, status=deferred (host
> 127.0.0.1[127.0.0.1] said: 451-4.5.0 Error in processing, id=02663-04,
> virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd
> av-scanner FAILED: CODE(0x24739e8) unexpected ,
> output="/var/lib/amavis/tmp/amavis-20090623T190508-02663/parts:
> lstat() failed: Permission denied. ERROR 451-4.5.0 " at (eval 86) line
> 527.; ClamAV-clamscan av-scanner FAILED: /usr/bin/clamscan unexpected
> exit 1, output="WARNING: Ignoring deprecated option --disable-summary
> 451-4.5.0 LibClamAV Warning:
> *** 451-4.5.0
> LibClamAV Warning: ***  This version of the ClamAV engine is outdated.
> *** 451-4.5.0 LibClamAV Warning: *** DON'T PANIC! Read
> http://www.clamav.net/support/faq *** 451-4.5.0 LibClamAV Warning:
> *** 451-4.5.0
> /var/lib/amavis/tmp/amavis-20090623T190508-02663/parts/p001: OK
> 451-4.5.0 /var/lib/amavis/tmp/amavis-20090623T190508-02663/parts/p005:
> Eicar-Test-Signature FOUND 451-4.5.0  451-4.5.0 --- SCAN
> SUMMARY --- 451-4.5.0 Known viruses: 575374 451-4.5.0 Engine
> version: 0.95.1 451-4.5.0 Scanned directories: 1 451-4.5.0 Scanned
> files: 2 451-4.5.0 Infected files: 1 451-4.5.0 Data scanned: 0.00 MB
> 451-4.5.0 Data read: 0.00 MB (ratio 0.00:1) 451 4.5.0 Time: 1.151 sec
> (0 m 1 s)" at (eval 86) line 527. (in reply to end of DATA command))
> 
> *END

Hi,

First, you have to configure amavis not to use clamscan, but the daemon 
"clamd". This way you save the long startup times of clamav for each mail, and 
amavis no longer gets confused by these "outdated" messages, which occur from 
time to time whenever a new clamav release is out but hasn't been released for 
Debian yet.
When installing clamav-daemon, please read README.Debian in 
/usr/share/doc/clamav-daemon carefully. By default clamd runs as user "clamav", 
which has no access rights to /var/lib/amavis/... . 

Sorry for not having a howto url at hand ;-)

Thomas

-- 
Thomas Lamy  Ingolstadt Online GmbH thomas.l...@in-online.net
Fon: +49 841 95 11 041   Fax: +49 841 95 11 071   Web: www.in-online.net

Mandatory disclosures per §35a GmbHG:
Ingolstadt Online GmbH, Bahnhofstrasse 8, 85051 Ingolstadt
Managing Director: Gerhard Mayer
HR Ingolstadt Nr. 1950   Tax number 124/129/30752   VAT ID: DE179321207



Re: [Clamav-users] Using ClamAV from PHP

2009-05-26 Thread Thomas Lamy
Hi,

I've used the clamav mod for PHP5 for a while, but was pretty disappointed.
Apache reload times (involving clam database loading) were ridiculous. I
ended up with a ~50 liner, which connects to a running clamd. Unfortunately
I can't post source here, but google should be your friend. The protocol
was pretty easy to implement.

Kind regards
  Thomas Lamy


-- 
Thomas Lamy  Ingolstadt Online GmbH   thomas.l...@in-online.net
Fon: +49 841  885 212-0  Fax: +49 841  885 212-29  Web: www.in-online.net

Mandatory disclosures per §35a GmbHG:
Ingolstadt Online GmbH, Münchener Strasse 71, 85051 Ingolstadt
Managing Director: Gerhard Mayer, HR Ingolstadt Nr. 1950
Tax number 124/129/30752   VAT ID: DE179321207

 

> -Original Message-
> From: clamav-users-boun...@lists.clamav.net 
> [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of 
> Sander Marechal
> Sent: Tuesday, May 26, 2009 12:12 PM
> To: ClamAV users ML
> Subject: [Clamav-users] Using ClamAV from PHP
> 
> Hi all,
> 
> Is there a way to use ClamAV from PHP? I would like to scan uploaded
> files with ClamAV.
> 
> The ClamAV library page [1] lists two libraries for PHP but both are
> dead, their websites gone, they fail to build from source and pretty
> much every Linux distribution has removed those packages.
> 
> [1] http://www.clamav.net/download/third-party-tools/3rdparty-library
> 
> Any alternatives? Thanks in advance,
> 
> -- 
> Sander Marechal


RE: [Clamav-users] Freshclam fail: Need to Edit config file

2006-08-14 Thread Thomas Lamy
Kurt Jensen wrote on Tuesday, August 15, 2006 7:51 AM:
> 
> Hi,
> 
>  I am an Ubuntu newbie compiling for the first time.  I have successfully
> compiled clamav and run the program from the shell.  However, my virus
> definitions are out-of-date and when I execute freshclam I receive this
> error message:
> 
> Need to edit config file /usr/local/etc/freshclam.conf
> /usr/local/etc/clamd.conf
> 
> Further, the clamav documentation states that I should review the document
> clamd.conf(5) for the purpose of configuration.
> 
> I have read this document on-line.  I do not understand what I am looking at
> or what to do.
> If you can help, please state explicit and concrete steps that I should
> perform . . .

You have to carefully read and understand each and every line of the
config files (clamd.conf and freshclam.conf). Make sure you delete or
comment out the "Example" line.

Thomas
___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] Development Question

2006-08-04 Thread Thomas Lamy
> 
> Thanks for your assistance. I've gotten streaming working for uninfected
> files. I can now successfully stream bytes to the clamav server and then
> close the stream. At that point it seems I have to wait a little while,
> about 500ms at max, to read the result. This makes sense to me, that
> there's some processing that has to be done at the close of the stream
> to make a final determination.
> 
> Now for my next questions: You knew there was going to be one, didn't
> you?
> 
> 
> Question #1:
> 
> So far on a 10Meg file, which seems to be the limit I can stream, if I
> wait 500ms, I'm good to read the control stream and get a status result
> of OK.
> 
> The question is, how do I know how long to wait, or should I just sit on
> the stream reading till it closes on the server side?
Just sit and wait (until you get data or some application defined
timeout occurs).

> 
> 
> Question #2
> 
> How do I increase the size of the file that the server will scan? Is
> there a configuration parameter? I saw one for max archive size, that's
> set to 10Meg, but I'm not sending an archive.

man 5 clamd.conf:
   StreamMaxLength SIZE
       Close the connection when this limit is exceeded.
       Default: disabled.

Perhaps your installation has some limits set here, else there may be a
bug.

> 
> Question #3
> 
> All is fine and dandy with streaming uninfected files and these are,
> thank goodness, the only files I have. So now I want to test what
> happens when an "infected" file is submitted through streaming. Now,
> obviously I don't want to have real infected files on my system. To
> solve this problem, my first thought was to stream random data to the
> port, and in the stream of data, insert a virus signature. My first
> attempt was to send the Darth Vader signature as the first 6 bytes of
> the file. This doesn't seem to work. Should it? Can someone provide me
> with a method of generating data that will set off clamav's detection
> system?

There are some test files in the source distribution. They are there for
a reason ;-)

> 
> 
> Tony Giaccone
> 
Thomas
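
An added example, not code from any poster in this thread: a minimal Python client for the clamd streaming exchange discussed here and in the PHP thread above. It assumes clamd's `INSTREAM` command (length-prefixed chunks on the control connection), blocks for the verdict until a reply or timeout as advised above, and reports the `StreamMaxLength` rejection; `fake_clamd`, `MARKER` and the signature name are constructed so the demo runs offline.

```python
import socket
import struct
import threading

MARKER = b"CONSTRUCTED-TEST-MARKER"  # constructed trigger for the fake daemon


def frame_instream(data, chunk_size=8192):
    """Command, then <4-byte big-endian length><chunk>..., then a zero length."""
    out = [b"zINSTREAM\0"]
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        out.append(struct.pack("!I", len(chunk)) + chunk)
    out.append(struct.pack("!I", 0))  # zero-length chunk ends the stream
    return b"".join(out)


def parse_reply(raw):
    """Map one clamd reply to (status, detail)."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.endswith(" FOUND"):
        return ("FOUND", text[:-len(" FOUND")].split(": ", 1)[-1])
    if text.endswith("ERROR"):
        return ("ERROR", text[:-len("ERROR")].strip())
    if text.endswith("OK"):
        return ("OK", None)
    return ("ERROR", "unexpected reply: " + text)


def scan_stream(sock, data, timeout=30.0):
    """Send data on a connected clamd socket, then block for the verdict.

    For a real daemon, connect first, e.g. to the TCPSocket port (3310 in the
    config quoted on this page) with socket.create_connection().
    """
    sock.settimeout(timeout)
    try:
        sock.sendall(frame_instream(data))
    except OSError:
        pass  # clamd may hang up early (size limit); still try to read why
    buf = b""
    try:
        while not buf.endswith(b"\0"):  # no fixed sleep: wait for the reply
            part = sock.recv(4096)
            if not part:
                break
            buf += part
    except socket.timeout:
        return ("ERROR", "timed out waiting for clamd")
    except OSError as exc:
        return ("ERROR", "connection error: %s" % exc)
    if not buf:
        return ("ERROR", "connection closed without a reply")
    return parse_reply(buf)


def fake_clamd(conn, max_len):
    """Constructed stand-in for clamd; max_len plays the StreamMaxLength role."""
    def read_exact(n):
        buf = b""
        while len(buf) < n:
            part = conn.recv(n - len(buf))
            if not part:
                raise ConnectionError("peer closed")
            buf += part
        return buf

    with conn:
        if read_exact(10) != b"zINSTREAM\0":
            return
        body = b""
        while True:
            (n,) = struct.unpack("!I", read_exact(4))
            if n == 0:
                break
            body += read_exact(n)
        if len(body) > max_len:
            reply = b"INSTREAM size limit exceeded. ERROR\0"
        elif MARKER in body:
            reply = b"stream: Constructed.Test.Signature FOUND\0"
        else:
            reply = b"stream: OK\0"
        conn.sendall(reply)


def demo(data, max_len=1024):
    """Run one scan against the fake daemon over a local socket pair."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_clamd, args=(server, max_len), daemon=True)
    t.start()
    with client:
        result = scan_stream(client, data, timeout=5.0)
    t.join(2)
    return result


if __name__ == "__main__":
    print(demo(b"clean upload"))
    print(demo(b"prefix " + MARKER))
    print(demo(b"a" * 5000))
```
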


RE: [Clamav-users] oversized.zip problem

2005-11-19 Thread Thomas Lamy
saravanan ganapathy wrote:
> 
> Hi,
> 
> I am using clamav-0.84 ( Debian Version) with
> Dansguardian. My config looks like as follows
> 
> ArchiveMaxRecursion 0
> ArchiveMaxFiles 0
> ArchiveMaxFileSize 0
> ArchiveMaxCompressionRatio 0
> 
> I disabled all the above , restarted clamav &
> Dansguardian. But even after I got "Oversized.zip" in
> the log file , so I couldn't download any archive
> files properly.
> 
> what would be the problem? Pls help me
> 
> Sarav 
> 
Please upgrade to 0.87.1. That may or may not fix your problem, but 0.84
is really old.
Stephen Gran (the clamav package maintainer for Debian) keeps a backport
archive for all Debian distros at http://people.debian.org/~sgran. There
you can also find the config for your sources.list to keep your
installation up to date.


Thomas


Re: [Clamav-users] What does this message mean?

2005-06-16 Thread Thomas Lamy

Ken Goods wrote:

René Bellora wrote:


Ken Goods wrote:



Jun 16 10:17:46 gw-mail MailScanner[16315]: Virus and Content
Scanning: Starting Jun 16 10:18:19 gw-mail MailScanner[16151]:
Commercial scanner clamav timed out! Jun 16 10:18:19 gw-mail
MailScanner[16151]: Virus Scanning: Denial Of Service attack
detected! 





I did (as stated above) and since I didn't get a definitive response
I assumed these messages were generated by ClamAV and passed to
MailScanner. So you're saying these are MailScanner generated
messages? 

Sorry, overlooked that.


it *is* a MailScanner message. May be virus scanning took too much
time?




Most definitely. And MailScanner seems to think from this, that the 
email contains some zip-bomb.



Thanks Rene,
That was helpful, I'll take this back to the MailScanner list.

Kind regards,
Ken

Look at your config file, and set (or add):
Virus Scanner Timeout 600 (the default is 300)

Do you have the offending (raw) mail? Which version of clamav?

Thomas


Re: [Clamav-users] What does this message mean?

2005-06-16 Thread Thomas Lamy

Ken Goods wrote:

I can't find anything via Google and the MailScanner list suggested I
upgrade ClamAV which I did and I'm still seeing these.


From my maillog:


Jun 16 10:17:46 gw-mail MailScanner[16315]: Virus and Content Scanning:
Starting
Jun 16 10:18:19 gw-mail MailScanner[16151]: Commercial scanner clamav timed
out!
Jun 16 10:18:19 gw-mail MailScanner[16151]: Virus Scanning: Denial Of
Service attack detected!

Thanks,
Ken


Please ask on the MailScanner list. Or do you have some logs from clamav 
with specific error messages?


Thomas


Re: [Clamav-users] freshclam watchdog?

2005-05-03 Thread Thomas Lamy
Bowie Bailey wrote:
> From: Odhiambo Washington [mailto:[EMAIL PROTECTED]
> 
>>* Bowie Bailey <[EMAIL PROTECTED]> [20050503 18:38]: wrote:
>>
>>>From: henry j. mason [mailto:[EMAIL PROTECTED]
>>>
>>>>i need to know when freshclam fails silently.
>>>>i know freshclam includes options to alert on errors,
>>>>but i'd rather have some other process looking at it
>>>>and making sure it's doing the right thing. has anyone
>>>>tackled this problem? or is this just too obscure?
>>>
>>>[---snip---]
>>>
>>>
>>>>any ideas? i'm thinking about cobbling together something
>>>>in perl to run from a cron job.
>>>
>>>That would be my choice.  I've never had a problem with freshclam, but
>>>if I wanted to monitor it, I would probably write a perl script to run
>>>once a day and notify me if there is no entry for the current day.
>>
>>Why don't people think about the KISS principle?
>>freshclam can run in foreground, just like clamd and daemontools were
>>written by DJB, no?
>>I run clamd via daemontools, and I believe freshclam can also be run
>>same way, so no re-invention of wheels.
> 
> The original problem was that freshclam simply stopped working.  Daemontools
> would have done nothing since the process was still running.
> 
> A perl script such as this could also watch for the "OUTDATED" messages to
> remind you that you need to upgrade.
> 
Use logwatch () Not only useful for freshclam;
I found it to be an invaluable tool when one has to admin more than a
handful servers. With properly maintained filters, it sends you mail if
and only if something unusual is in your logfiles.

Thomas
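
An added example, not from any poster in this thread: one way to write the cron-run watchdog discussed above, in Python rather than the Perl the posters mention. It flags a log with no recent run, a last run that failed, or an OUTDATED warning, and stays quiet about a single dead mirror when the run still succeeds; the sample lines are constructed, modelled on the freshclam output quoted earlier on this page.

```python
import re
from datetime import datetime, timedelta

STARTED = re.compile(r"ClamAV update process started at (.+)$")
CTIME = "%a %b %d %H:%M:%S %Y"
SUCCESS = re.compile(r"is up to date|updated \(version:|^Database updated")

# Constructed sample: one run that hits a dead mirror but still succeeds.
SAMPLE_OK = """\
ClamAV update process started at Sun Sep 27 08:41:39 2009
main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
Trying host database.clamav.net (82.195.234.148)...
nonblock_connect: connect timing out (30 secs)
Can't connect to port 80 of host database.clamav.net (IP: 82.195.234.148)
Trying host database.clamav.net (80.69.67.43)...
daily.cld updated (version: 9841, sigs: 79805, f-level: 43, builder: guitar)
Database updated (624840 signatures) from database.clamav.net (IP: 80.69.67.43)
""".splitlines()

# Constructed sample: a later run that fails and carries the OUTDATED warning.
SAMPLE_BAD = SAMPLE_OK + """\
ClamAV update process started at Mon Sep 28 08:41:40 2009
WARNING: Your ClamAV installation is OUTDATED!
ERROR: Can't download daily.cvd from database.clamav.net
""".splitlines()


def parse_runs(lines):
    """Group log lines into update runs, keyed by each 'started at' line."""
    runs = []
    for raw in lines:
        # Drop a "timestamp -> " prefix if the log was written with LogTime.
        line = raw.split(" -> ", 1)[-1].strip()
        m = STARTED.search(line)
        if m:
            try:
                started = datetime.strptime(m.group(1).strip(), CTIME)
            except ValueError:
                continue  # unparsable timestamp: skip rather than guess
            runs.append({"started": started, "success": False,
                         "errors": [], "outdated": False})
        elif runs:
            run = runs[-1]
            if line.startswith("ERROR:"):
                run["errors"].append(line)
            elif "OUTDATED" in line:
                run["outdated"] = True
            elif SUCCESS.search(line):
                run["success"] = True
    return runs


def check(lines, now, max_age=timedelta(hours=24)):
    """Return alert codes for the most recent run; an empty list means healthy."""
    runs = parse_runs(lines)
    if not runs:
        return ["NO_RUNS"]
    last = runs[-1]
    alerts = []
    if now - last["started"] > max_age:
        alerts.append("STALE")  # freshclam alive but silent, or not running
    if last["errors"] or not last["success"]:
        alerts.append("LAST_RUN_FAILED")
    if last["outdated"]:
        alerts.append("ENGINE_OUTDATED")
    return alerts


if __name__ == "__main__":
    print(check(SAMPLE_OK, datetime(2009, 9, 27, 12, 0)))
    print(check(SAMPLE_OK, datetime(2009, 9, 29, 12, 0)))
    print(check(SAMPLE_BAD, datetime(2009, 9, 28, 12, 0)))
```
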


Re: [Clamav-users] 'Too many open files' on a buzy clamd

2005-04-27 Thread Thomas Lamy
Arnaud Huret wrote:
> Dear all,
> 
> We are running a webmail service using ClamAV and get roughly 30.000 valid 
> mails/day.
> We run home-build SMTP servers calling clamd, emulating the client.
> 
> The problem :
> 
> After running +- 10 minutes, clamd.log reports a first message saying : 
> 'ERROR: ScanStream: accept timeout' quickly followed other ones.  After 1 or 
> 2 minutes, we get another message : 'ERROR: accept() failed: Too many open 
> files' and, I guess, clamd does not respond any more. 
> Need to restart the daemon to restore the service.
> 
> I tried the following tuning :
> 
> 1. Increase the number of threads from 10 to 30 for reducing the queue: no 
> changes, still errors.
> 2. Increase the number of MaxConnectionQueueLength to 30: no changes, still 
> errors.
> 
> 
> Other info :
> 
> Clamd runs as non-root user.
> Launch script is : /etc/init.d/clamav_daemon start (not modified from 
> original).
> ClamAV is currently running and a Debian Woody with 1.5 GB mem on a 2*1Ghz 
> Intel chassis.
> SpamAssassin is also running on this box. Version 3.0.2 standard (Razor, DCC, 
> ...)
> 
> 
> Mitigating factors (;-)
> 
> Running the same config on a more powerful box does not generate the prob 
> (2*3GH + multithreading)
> 
> clamd.conf :
> 
> #Automatically Generated by clamav-base postinst
> #To reconfigure clamd run #dpkg-reconfigure clamav-base
> #LocalSocket /var/run/clamav/clamd.ctl
> FixStaleSocket
> User clamav
> AllowSupplementaryGroups
> ArchiveMaxRecursion 10
> ArchiveMaxFiles 1500
> ArchiveMaxFileSize 30M
> ArchiveMaxCompressionRatio 300
> ArchiveBlockEncrypted
> ArchiveBlockMax
> ReadTimeout 300
> 
> #Modified by AH 27/04/2005. Was : 10
> MaxThreads 30
> 
> MaxConnectionQueueLength 15
> LogFile /var/log/clamav/clamav.log
> LogTime
> LogFileMaxSize 0
> PidFile /var/run/clamav/clamd.pid
> DatabaseDirectory /var/lib/clamav
> SelfCheck 3600
> ScanMail
> ScanArchive
> ScanHTML
> ScanOLE2
> ScanPE
> TCPSocket 3310
> DetectBrokenExecutables
> 
> #added by AH 27/04/2005
> StreamMaxLength 20M
> 
> 
> Example of an error report :
> 
> cruella:/var/log# tail -f /var/log/clamav/clamav.log
> Wed Apr 27 13:38:17 2005 -> Archive support enabled.
> Wed Apr 27 13:38:17 2005 -> Archive: RAR support disabled.
> Wed Apr 27 13:38:17 2005 -> Archive: Blocking encrypted archives.
> Wed Apr 27 13:38:17 2005 -> Archive: Blocking archives that exceed limits.
> Wed Apr 27 13:38:17 2005 -> Portable Executable support enabled.
> Wed Apr 27 13:38:17 2005 -> Detection of broken executables enabled.
> Wed Apr 27 13:38:17 2005 -> Mail files support enabled.
> Wed Apr 27 13:38:17 2005 -> OLE2 support enabled.
> Wed Apr 27 13:38:17 2005 -> HTML support enabled.
> Wed Apr 27 13:38:17 2005 -> Self checking every 3600 seconds.
> Wed Apr 27 13:41:21 2005 -> stream: Exploit.HTML.IFrame FOUND
> Wed Apr 27 13:42:42 2005 -> stream: Worm.Bagle.Gen-zippwd FOUND
> Wed Apr 27 13:45:09 2005 -> stream: Worm.SomeFool.P FOUND
> Wed Apr 27 13:45:29 2005 -> stream: Worm.SomeFool.Q FOUND
> Wed Apr 27 13:45:35 2005 -> stream: Worm.Mytob.A FOUND
> Wed Apr 27 13:46:00 2005 -> stream: Exploit.HTML.IFrame FOUND
> Wed Apr 27 13:47:11 2005 -> stream: Worm.SomeFool.P FOUND
> Wed Apr 27 13:48:06 2005 -> ERROR: ScanStream: accept timeout.
> Wed Apr 27 13:48:08 2005 -> ERROR: ScanStream: accept timeout.
> Wed Apr 27 13:48:08 2005 -> ERROR: ScanStream: accept timeout.
> 
> ...
> Wed Apr 27 13:56:06 2005 -> ERROR: accept() failed: Too many open files
> Wed Apr 27 13:56:08 2005 -> ERROR: accept() failed: Too many open files
> 
> 
> 
> 
> Has anyone faced the same issue before ?
> Is there a known way to fix this problem ?
> Any advice ?
> 
> 
> Any help would be greatly appreciated.
> Thanks,
> 
> Arnaud Huret
> ContactOffice
Hi,
I've never seen this before, even on busy servers. Which clamav version
is this? And where did you get the .deb file (if any) from?

If this happens again you could do an
"lsof -p `cat /var/run/clamav/clamd.pid`", this might give some hints if
there is some file descriptor leak.


Thomas


Re: [Clamav-users] 0.83 on aix 5.2

2005-04-06 Thread Thomas Lamy
Tayfun Asker wrote:
> hi,
>  I'm trying to upgrade from 0.80 to 0.83. I'm using 0.83 on linux 
> without any problem. but on aix 5.2, i can not get it working.
> clamav-milter does not scan emails on aix 5.2. all the messages simply 
> pass through unscanned. in the error log, i'm seeing lines like
> 
> clamav-milter[5537938]: mkdir /tmp/clamav-f99d68536a8a4585 failed

So the question is: why does this happen? Check permissions on /tmp...

> clamav-milter is started as
> clamav-milter -odq -m 100 /var/lib/clamav/clmilter.sock
> any idea???
> thanks..
> Tayfun Asker

ThomasL


Re: [Clamav-users] ClamAV is not 100% open still ?!

2005-04-06 Thread Thomas Lamy
Guillaume Arcas wrote:
> Damian Menscher wrote:
> 
>> http://www.clamav.net/doc/0.75/signatures.pdf
>> They removed the functionality in 0.80 and above, but that's because
>> it's simplest for users to create md5 signatures of unknown binaries
>> (and the automatic signature generation depended on having another virus
>> scanner detect it already anyway).  Of course, you can also create
>> signatures by hand, which isn't that difficult once you've read the .pdf
>> file for the format.
>> About the only thing we *can't* do is create a .cvd file that is signed
>> by the original authors.  But if the project were forked, that would be
>> trivial to fix also (requires a one-line change to the source code).
> 
> What do you mean by "they removed the functionality" ?
> sigtool - the command line utility used to create & manipulate
> signatures - is still there in 0.83.
> As already said, you cannot build CVD files by yourself but you can
> create a signature and then create your own database with sigtool and
> use these files.

They removed the functionality from the tool, not the tool itself, for 
two reasons:
(1) The resulting signatures weren't accurate
(2) The use violates the license of most (if not all) commercial scanners

A new method (md5 hashes) was added to clamav and sigmaker to replace 
the old functionality.

Although (2) was clearly stated in the manual, it was still used by 
people (but not the sigmakers). Sigmakers always create signatures 
manually based on the samples they receive.
If someone has the abilities (like x86 assembler, PE format knowledge 
and other stuff) one can always apply for a sigmaker "job" (or build 
their own, if they have enough samples).

Thomas


Re: [Clamav-users] clamav update

2005-04-05 Thread Thomas Lamy
Thoralf Will wrote:
> Hello,
> On a mailserver I'm running a fairly old v0.65 via amavisd-new and now 
> it's about time to upgrade to a more recent version. Is there anything I 
> have to pay attention to or is it sufficient to simply upgrade 
> clamav/clamd and restart the service? (amavisd-new is also running in a 
> fairly old version but there are no known issues, so I do not plan to 
> upgrade amavisd at the moment.)

A bit late, I would say ;-)
1. Save your configs (.../etc/clamav.conf)
2. Uninstall _everything_ related to clam. Don't forget libclamav.
3. Install new.
4. Configure clamav by using the new config templates. Too much has 
changed since 0.65. Look at your old configs only for crucial paths like 
log files and socket locations.
5. Check clamd's socket location in amavisd-new's configuration.
6. Set up start scripts (and/or a crontab for freshclam)
7. You should be done.

Thomas


Re: [Clamav-users] ERROR

2005-03-28 Thread Thomas Lamy
Amin Thakkar wrote:
> so, what is right way to update automatic ?
> Amin

1. Don't top-post. ()
2. Read the fine manual
3. Think
4. It simply works
Thomas


Re: [Clamav-users] ERROR

2005-03-28 Thread Thomas Lamy
Amin Thakkar wrote:
> so, what is right way to update automatic ?
> Amin
> - Original Message - 
> From: "Tomasz Kojm" <[EMAIL PROTECTED]>
> To: "ClamAV users ML" 
> Sent: Monday, March 28, 2005 6:47 PM
> Subject: Re: [Clamav-users] ERROR

1. Don't top-post. ()
2. Read the fine manual
3. Think
4. It simply works
Thomas


Re: [Clamav-users] Building his own CVD

2005-03-24 Thread Thomas Lamy
Guillaume Arcas wrote:
> Thomas Lamy wrote:
> 
>> No it's not faster. But it's more secure, because it's signed, and its
>> contents are compressed.
> 
> OK, that does explain why clamscan runs a little faster with text
> signatures database than with CVD files.
> Should not be a problem with clamd for databases are loaded once but does
> it mean that tools using libclamav and not clamd are "affected" by this
> performance issue ?

clamd and clamscan are both built upon libclamav, so they are both 
affected :)

The penalty of loading (and parsing) virus defs is a problem common to 
all virus scanners. This is why most of them offer both cmdline tools 
and daemons. And this is why people suggest to use clamdscan in favor of 
clamscan.

ThomasL


Re: [Clamav-users] Building his own CVD

2005-03-24 Thread Thomas Lamy
Guillaume Arcas wrote:
> Tomasz Papszun wrote:
> 
>> in case you wanted to disable some signature because of a false
>> positive, the proper way of solving this is submitting the sample at
>> http://www.clamav.net/sendvirus.html  (selecting the button "A false
>> positive") so that the signature could be corrected/removed. This way,
>> all users will benefit.
> 
> That's sure !
> My question was kind of theoretical.
> By the way, are there technical advantages of using CVD files instead of
> text files ? I mean: is it faster ?
> Regards,

No it's not faster. But it's more secure, because it's signed, and its 
contents are compressed.

 Thomas


Re: [Clamav-users] interception logs

2005-03-07 Thread Thomas Lamy
Damian Menscher wrote:
> I'm seeing logs like:
> Intercepted virus from <[EMAIL PROTECTED]> to <[EMAIL PROTECTED]> 
> <[EMAIL PROTECTED]>
> 
> Seems strange to me that the invalid users would have made it past 
> sendmail's RCPT TO and into the AV engine.  I'm guessing it's a bug.
> 
> Sometimes the invalid user is first, sometimes not.
> Damian Menscher

What's your setup (MTA, Filter)?


Re: [Clamav-users] clamd on Solaris ceases functioning after a while

2005-03-07 Thread Thomas Lamy
David Blank-Edelman wrote:
Howdy-
I just wanted to pop in and provide the latest update on our saga (clamd 
0.83 just stops playing nice after running for a while) with some more 
interesting information like stack traces.

Last we left off I had just upped the ulimit for the clamd process from 
the default of 256 fds to 1024. I can't tell if this truly helped 
things, but the number of times a day our babysitting process restarted 
clamd because it couldn't connect went down considerably. We have whole 
stretches of days at a time with nary a restart. Things got a little 
worse today for no reason I can discern.

Since the time since people began to help us, I have periodically 
checked in on the process descriptors with pfiles and the memory on the 
machine and neither seemed to be even close to being pegged. We also 
switched from using a network socket to a local unix socket just to 
eliminate any funny business. You may take comfort knowing that we're 
going to be rev'ing everything (all dependent libraries and our MTA) on 
Wednesday to eliminate all of those possibilities as well.

Today I managed to catch clamd in a hung state and so I poked and 
prodded at it with gdb. Btw, by hung I mean that attempts to contact 
clamd on the local socket failed with "connection refused" from clamdmon.

I wasn't quite sure what I was looking for, so the following might be 
too little, too much, or the wrong info. If there was something I should 
have done, please let me know and I'll do it next time.  Here's what I 
found:

info threads
  2 LWP 271  0xfef1e878 in _read () from /usr/lib/libc.so.1
* 1 LWP 1  0xfee45dd4 in __lwp_park () from /usr/lib/libthread.so.1
Thread 1, presumably the thing that should be listening for new connects:
#0  0xfee45dd4 in __lwp_park () from /usr/lib/libthread.so.1
#1  0xfee430ec in cond_wait_queue () from /usr/lib/libthread.so.1
#2  0xfee438a8 in cond_wait () from /usr/lib/libthread.so.1
#3  0xfee438e4 in pthread_cond_wait () from /usr/lib/libthread.so.1
#4  0x0001864c in thrmgr_destroy ()
#5  0x0001a19c in acceptloop_th ()
#6  0x00017ac4 in localserver ()
#7  0x00017190 in clamd ()
#8  0x00015d5c in main ()
A truss confirmed that it just stayed parked like that.
Thread 2 (which was going like a busy bee, appearing to actually still 
be scanning based on a truss of the process):

thread 2
[Switching to thread 2 (LWP 271)]#0  0xfef1e878 in _read ()
   from /usr/lib/libc.so.1
(gdb) where
#0  0xfef1e878 in _read () from /usr/lib/libc.so.1
#1  0xfee3dd90 in read () from /usr/lib/libthread.so.1
#2  0xff30b570 in cli_scandesc ()
   from /priv/daemons/packages/clamav-0.83/lib/libclamav.so.1
[]
#58 0xff3191d4 in cli_scanmail ()
   from /priv/daemons/packages/clamav-0.83/lib/libclamav.so.1
#59 0xff319cc4 in cli_magic_scandesc ()
   from /priv/daemons/packages/clamav-0.83/lib/libclamav.so.1
#60 0xff319ee4 in cl_scandesc ()
   from /priv/daemons/packages/clamav-0.83/lib/libclamav.so.1
#61 0xff31a008 in cl_scanfile ()
   from /priv/daemons/packages/clamav-0.83/lib/libclamav.so.1
#62 0x0001a850 in dirscan ()
#63 0x0001ad20 in scan ()
#64 0x00017ca4 in command ()
#65 0x00018dc4 in scanner_thread ()
#66 0x00018a20 in thrmgr_worker ()
> [ open files omitted ]
I'm not quite sure how to interpret this information. Does this mean the 
main thread was parked waiting for the second to complete what it was 
doing? Something else entirely going on?

Thanks again for any help you can offer.
This definitely looks like a mail scan with 17 attachments (or level of 
attachments?), and a threadmanager after a database update, waiting for 
the mail scan to finish.
Tomasz? Trog?

  Thomas Lamy
PS: Sorry for the small confusion about attachments vs attachment 
levels, but I'm not too deep into Nigel's mail code for 0.82+.


Re: [Clamav-users] How long will a version remain usable?

2005-02-15 Thread Thomas Lamy
Jason Haar wrote:
> Ed Stover wrote:
>> I am just wondering about how long will a stable release be supported
>> before it get tossed? The sevenX version is no longer really functional
> 
> The good commercial AV typically have daily pattern updates, and monthly 
> engine updates. That corresponds just about right to ClamAV. The 
> *engines* need updating as new types of viruses *which have to be coded 
> for* emerge. You are probably asking for the impossible.
> 
> However... We also use Trend here, and I haven't touched the engine 
> (i.e. the binary and libraries) for over a year - and yet its current 
> (i.e. today's) patterns still work and it still appears to catch 
> everything the Windows version does (of course - it misses a LOT that 
> ClamAV catches...) Sounds like they have pushed a lot of what other 
> vendors put into their engines into their patterns I'd guess...


Some vendors' scanners have a scriptable scan engine AFAIK. And most 
vendors only have to support precompiled binaries on the win32 platform, 
so they can provide _one_ updated scan engine binary.  This just doesn't 
work with ClamAV, distributed in source form and being compiled on x 
platforms and (in part optionally) relying on a bunch of 3rd party 
libraries.

Thomas


Re: [Clamav-users] Re: clamav-users Digest, Vol 4, Issue 57

2004-12-20 Thread Thomas Lamy
dlpreston wrote:

This is not the case anymore.  The Howto has been changed and now uses
the real clamdscan.
-Jim

This is still the case on freebsd,  it fixed my problem after reading 
this message,  rename clamdscan to clamdscan.org ln -s 
/usr/local/bin/clamscan /usr/local/bin/clamdscan
All of a sudden my emails are being scanned and it caught the 
test_installation.sh emails.

But you're not fixing the real problem, which is most likely
a) a communication problem between the client (clamdscan) and the 
server (clamd), eg a wrong socket path, or
b) a permissions problem, where clamd can't read the files it's 
supposed to scan. Clamd needs read privileges (qmr.org states the user 
has to be "qscand")

I can't tell which one it is without the actual error message. 
Additionally, I can't find from a quick glance thru qmr.org how they 
set up clamav's client/server communication, and if qmailscanner runs 
chrooted (and where).

Thomas

Mon Dec 20 11:02:49 2004 -> +++ Started at Mon Dec 20 11:02:49 2004
Mon Dec 20 11:02:49 2004 -> clamd daemon 0.80 (OS: freebsd4.5, ARCH: 
i386, CPU: i386)
Mon Dec 20 11:02:49 2004 -> Log file size limited to 1048576 bytes.
Mon Dec 20 11:02:49 2004 -> Running as user qscand (UID 1020, GID 1020)
Mon Dec 20 11:02:49 2004 -> Reading databases from /usr/local/share/clamav
Mon Dec 20 11:02:51 2004 -> Protecting against 28526 viruses.
Mon Dec 20 11:02:51 2004 -> Unix socket file /var/log/clamav/clamd
Mon Dec 20 11:02:51 2004 -> Setting connection queue length to 15
Mon Dec 20 11:02:51 2004 -> Archive: Archived file size limit set to 
10485760 bytes.
Mon Dec 20 11:02:51 2004 -> Archive: Recursion level limit set to 5.
Mon Dec 20 11:02:51 2004 -> Archive: Files limit set to 1000.
Mon Dec 20 11:02:51 2004 -> Archive: Compression ratio limit set to 250.
Mon Dec 20 11:02:51 2004 -> Archive: Limited memory usage.
Mon Dec 20 11:02:51 2004 -> Archive support enabled.
Mon Dec 20 11:02:51 2004 -> Archive: RAR support disabled.
Mon Dec 20 11:02:51 2004 -> Portable Executable support enabled.
Mon Dec 20 11:02:51 2004 -> Mail files support enabled.
Mon Dec 20 11:02:51 2004 -> OLE2 support enabled.
Mon Dec 20 11:02:51 2004 -> HTML support enabled.
Mon Dec 20 11:02:51 2004 -> Self checking every 600 seconds.

Looks good. clamd is listening on a unix socket though, this might give 
problems in chrooted environments.

> []
Mon, 20 Dec 2004 11:03:43 PST:15104: from='Qmail-Scanner Test 
<[EMAIL PROTECTED]>', subj='Qmail-Scanner viral test (2/4): 
checking perlscanner...', via local process 15104
Mon, 20 Dec 2004 11:03:43 PST:15104: error_condition: 
X-Antivirus-DLLD.ORG-1.24-st-qms: clamdscan: corrupt or unknown clamd 
scanner error or memory/resource/perms problem - exit status 512/2
Mon, 20 Dec 2004 11:03:43 PST:15104: -- Process 15104 finished. 
Total of 0.287283 sec

Does it change when you comment out "LocalSocket" and "FixStaleSocket" 
(if enabled) in clamd.conf, and add
TCPSocket 3310
TCPAddr 127.0.0.1
to it? This enables clamd/clamdscan to communicate over IP sockets, to 
circumvent possible chroot() problems.

Thomas


Re: [Clamav-users] Re: clamav-users Digest, Vol 4, Issue 57

2004-12-20 Thread Thomas Lamy
dlpreston wrote:
At 09:00 AM 12/20/2004, you wrote:
Todd Lyons wrote:
> [EMAIL PROTECTED] wanted us to know:
>
>
I am running Qmail+Qmail-Scanner+ClamAV on a FreeBSD 5.3 machine and
followed the qmailrocks.org directions to the tee.  When running
>
>
> Unless it's been fixed recently, that howto tells you to have clamdscan
> symlinked to clamscan.  That's a very inefficient way to use it on a
> mail server unless you have very low traffic.
>
> Is that in fact what you did?  If not, then ignore this email.
This is not the case anymore.  The Howto has been changed and now uses
the real clamdscan.
-Jim

This is still the case on freebsd,  it fixed my problem after reading 
this message,  rename clamdscan to clamdscan.org ln -s 
/usr/local/bin/clamscan /usr/local/bin/clamdscan

All of a sudden my emails are being scanned and it caught the 
test_installation.sh emails.
But you're not fixing the real problem, which is most likely
a) a communication problem between the client (clamdscan) and the server 
(clamd), eg a wrong socket path, or
b) a permissions problem, where clamd can't read the files it's supposed 
to scan. Clamd needs read privileges (qmr.org states the user has to be 
"qscand")

I can't tell which one it is without the actual error message. 
Additionally, I can't find from a quick glance thru qmr.org how they set 
up clamav's client/server communication, and if qmailscanner runs 
chrooted (and where).

Thomas


Re: AW: [Clamav-users] ScanMail

2004-12-15 Thread Thomas Lamy
Steffen Heil wrote:
Hi
Maybe I am wrong, but I always assumed, the option to be DISABLED, if the
directive is commented out (or missing at all) and only ENABLED, if the
directive is there (and uncommented).
However, if I am wrong on this, this would explain my problems. But then,
what to do folks?
Regards,
  Steffen 

From the man page:
  DisableDefaultScanOptions
By default clamd uses scan options recommended by libclamav. This
option  disables  recommended  options  and allows  you to enable
selected options.  DO NOT ENABLE IT unless you  know what you are
doing.
Default: disabled
So by specifying "DisableDefaultScanOptions", you have to enable all 
options manually, which seems to get you where you want to.

Thomas
PS: Sorry for my last answer. I got me coffee now ;-)


Re: [Clamav-users] ScanMail

2004-12-15 Thread Thomas Lamy
Steffen Heil wrote:
Hi
I came across a .eml file once again, that causes a segfault in clamd.
However, since I had that issue a few days ago and the clamav team corrected
that bug already, I did not post a bug report.
However, since about a week, my mail servers are configured NOT to use
ScanMail.
If I use clamscan to scan the .eml-File, I get a seg-fault.
If I use clamscan --no-mail to scan the .eml-File, I get "ok", which is
correct - the file is NOT infected.
Anyway, clamd produces a segfault entry in the log, when I scan the file
with clamdscan.
I do not understand that, since I have ScanMail option DISABLED in
clamd.conf.
Why is it ignoring ScanMail ?
Or is there something else, I forgot?
Regards,
  Steffen
Because clamscan and clamd are different programs. clamd.conf is the 
configuration file for clamd, the clamav daemon. clamscan is another 
program entirely configured from the command line.

Thomas


Re: [Clamav-users] What to do with files in /var/amavis?

2004-12-13 Thread Thomas Lamy
Eric Wagar wrote:
What am I supposed to do with the files that are created and kept in 
the /var/amavis directory?  Since my virus is kinda working right now, I get 
files there.  Am I supposed to keep them for some reason, or can I cron their 
removal?

thanks
eric
I'd suggest to clean /var/amavis/virusmails every now and then.
As I run both AV and Spamassassin through amavis, I have these in my 
/etc/cron.d/amavis:
10 4 * * *	amavis	find /var/amavis/virusmails -name virus-\* -type f -mtime +3 -print0 | xargs -0 -r rm -f
15 4 * * *	amavis	find /var/amavis/virusmails -name spam-\* -type f -mtime +7 -print0 | xargs -0 -r rm -f

(Should be one line per scriptlet)
This way I keep viruses for 3 days (I have practically no false 
positives), and spam for 7 days (some false positives).

Thomas


Re: [Clamav-users] Virus scanning not working right now

2004-12-13 Thread Thomas Lamy
Eric Wagar wrote:
Currently my email is not being scanned for viruses.  (I have received a few 
viruses this morning.)

When I ps, I see clamd, postfix, and amavis (master, and 2 x child) running.  
But, when I look in my messages file, I see this:
Dec 12 12:28:41 sm amavis[18955]: (18955-03) WARN: all primary virus scanners 
failed, considering backups

What am I missing, or what log file have I missed?  (messages, clamd.log, 
freshclam.log.)

Thanks
eric
Check your maillog. Amavis should have logged which primary scanners 
failed, together with the reason they failed.
With clamav this has two frequent causes:
1) The daemon is not running
or
2) The socket type and path differ from clamd.conf and amavisd.conf

Thomas
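The two causes named in this reply, and the TCPSocket/TCPAddr change suggested in the 2004-12-20 reply further up, can be checked mechanically: does the client point at a socket that clamd.conf defines, and does a daemon answer on it. This is an added example, not part of the original posts or of ClamAV; it assumes Python 3 and clamd's plain PING/PONG command, and the function names, the sample config and the idea of passing in the endpoint your client (amavisd, clamdscan) uses are constructed for illustration.

```python
import socket

# Constructed sample clamd.conf, modelled on the change suggested in the
# thread: LocalSocket commented out, TCP listener on loopback only.
SAMPLE_CLAMD_CONF = """\
# LocalSocket /var/log/clamav/clamd
# FixStaleSocket
TCPSocket 3310
TCPAddr 127.0.0.1
"""


def parse_clamd_conf(text):
    """Return {directive: value} for the uncommented lines of a clamd.conf."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def server_endpoints(conf):
    """Endpoints clamd listens on: ('unix', path) or ('tcp', (host, port))."""
    endpoints = []
    if conf.get("LocalSocket"):
        endpoints.append(("unix", conf["LocalSocket"]))
    if conf.get("TCPSocket"):
        # Without TCPAddr clamd binds to all local addresses.
        host = conf.get("TCPAddr", "0.0.0.0")
        endpoints.append(("tcp", (host, int(conf["TCPSocket"]))))
    return endpoints


def same_endpoint(server, client):
    """True if the client endpoint points at what the server listens on."""
    if server[0] != client[0]:
        return False
    if server[0] == "unix":
        return server[1] == client[1]
    (s_host, s_port), (c_host, c_port) = server[1], client[1]
    return s_port == c_port and s_host in ("0.0.0.0", c_host)


def ping(endpoint, timeout=3.0):
    """Send clamd's PING command; True only if the reply is PONG."""
    kind, addr = endpoint
    family = socket.AF_UNIX if kind == "unix" else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(addr)
            s.sendall(b"PING\n")
            return s.recv(16).strip() == b"PONG"
    except OSError:
        # Refused, timed out, missing socket file or no permission on it.
        return False


def diagnose(conf_text, client_endpoint):
    """Return (status, detail); status is one of
    'no-socket', 'mismatch', 'unreachable', 'ok'."""
    servers = server_endpoints(parse_clamd_conf(conf_text))
    if not servers:
        return ("no-socket", "clamd.conf enables neither LocalSocket nor TCPSocket")
    if not any(same_endpoint(s, client_endpoint) for s in servers):
        return ("mismatch",
                "client uses %r but clamd.conf defines %r" % (client_endpoint, servers))
    if not ping(client_endpoint):
        return ("unreachable",
                "settings agree, but nothing answered PING on %r" % (client_endpoint,))
    return ("ok", "clamd answered PONG on %r" % (client_endpoint,))


if __name__ == "__main__":
    # The client still points at the old unix socket after the switch to TCP.
    print(diagnose(SAMPLE_CLAMD_CONF, ("unix", "/var/log/clamav/clamd")))
```

A unix socket path that matches textually can still fail when the client runs chrooted, which is the case the TCP settings work around.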


Re: [Clamav-users] testing clamav not detecting viruses in mail

2004-12-08 Thread Thomas Lamy
Simon Crowther wrote:
I have just installed clamav on Debian, updated and tested it at 
virustest.org. It didn't detect any of the test viruses, even those in 
the message body. I ran clamscan and clamdscan from the command line. 
Clamscan found nothing, clamdscan found them all and also the 
mydoom.gen-1 worm. Can anyone tell me why clamscan doesn't seem to be 
scanning messages or how to set clamdscan to scan messages? I'm also not 
clear what action clamav takes on viruses it finds. Is mydoom 
still there or has it been deleted? How do I know?
 
thanks,
 
Simon


Which version of Clamav and Debian? And what 'glue' do you want to use 
between your MTA and ClamAV?

The version in Debian "Sarge" (aka "Testing") is 0.80 and works like a 
charm.
The "glue" may be clamav-milter if you're using sendmail, or (for 
instance) amavisd-new: I have no personal experience with clamav-milter, 
but use amavisd-new and postfix in over a dozen servers. For this config 
some manual configuration is needed in postfix, but amavisd-new finds 
clamav without intervention.

Thomas


Re: [Clamav-users] Freshclam + My Problem

2004-12-01 Thread Thomas Lamy
Luca Gibelli wrote:
Hello xterm1,

	Is there any way to tell freshclam what ip to use
to get its updates. We have a problem with our main ip 
being locked out due to an attack.

Now there is no way to do that, afaik.
As a temp. fix, add a static route for some mirrors and specify them in 
freshclam.conf using the hostnames available at
http://www.clamav.net/mirrors.html

Good luck with the DoS ...
Best regards
I have prepared a patch (against current CVS, but also applies to 0.80) 
which enables binding to a specific local IP address for HTTP downloads 
(but not for DNS at the moment). Maybe this is useful for other 
multi-homed users as well.

It is available at .
Thomas


Re: [Clamav-users] Problem installing clamav-0.80rc4 on TRU64 V5.1 Alpha

2004-11-25 Thread Thomas Lamy
Domingo Fonteboa Gascón wrote:
Hello,
I have a problem in configure, clamav says that
I need install zlib and zlib-devel.
I have installed the package zlib-1.2.1.tar.Z,
that comes in the CD "sources for open source
components" of TRU64 distribution.
Error:
root> ./configure
checking build system type... alphaev6-dec-osf5.1
checking host system type... alphaev6-dec-osf5.1
checking target system type... alphaev6-dec-osf5.1
.
.
.
checking whether snprintf correctly terminates long strings... yes
checking pthread.h usability... no
checking pthread.h presence... no
checking for pthread.h... no
checking zlib.h usability... no
checking zlib.h presence... no
checking for zlib.h... no
configure: error: Please install zlib and zlib-devel packages
zlib is installed:
root> ls -l /usr/local/include/zlib.h
-rw-r--r--   1 501  80 57739 Nov 25 14:13
/usr/local/include/zlib.h
root> ls -l /usr/local/lib/libz.a /usr/lib/libz.a
lrwxrwxrwx   1 root system21 Nov 22 15:16 /usr/lib/libz.a ->
/usr/local/lib/libz.a
-rwxr-xr-x   1 root system152582 Nov 25 14:13 /usr/local/lib/libz.a
Can someone help me?
Thank you.
Domingo.
You need to install the shared libraries as well (I guess).
Trog posted this some hours ago:
On Thu, 2004-11-25 at 09:13, gregory duchesnes wrote:
might be a stupid question, but how do you i that, and if shared libraries
are not updated how do i update them?

configure --shared
Also you should make sure that /usr/local/ is searched for libraries and 
headers, like this:

CPPFLAGS="-I /usr/local/include" LDFLAGS="-L /usr/local/lib" ./configure
Thomas


Re: [Clamav-users] Virus report

2004-11-23 Thread Thomas Lamy
Erick Lopez Carreon wrote:
On Tue, 2004-11-23 at 17:44 +0100, Thomas Lamy wrote:
Erick Lopez Carreon wrote:
Hello:
Just to warn clamAv team about a new mail virus reported by "Hispasec -
una-al-día" :
worm Anzae, Inzae, Pawur o Tasin
written in visual basic subject and body in spanish.
Did you submit it at <http://www.clamav.net/sendvirus.html> ?
As soon as I have it. 

If before he has not been sent by anybody more
Thks.
Sorry. I mis-read you have one of those beasts.
Thanks
  Thomas


Re: [Clamav-users] Virus report

2004-11-23 Thread Thomas Lamy
Erick Lopez Carreon wrote:
Hello:
Just to warn clamAv team about a new mail virus reported by "Hispasec -
una-al-día" :
worm Anzae, Inzae, Pawur o Tasin
written in visual basic subject and body in spanish.
Did you submit it at  ?


Re: [Clamav-users] Clam SSL issues

2004-11-20 Thread Thomas Lamy
[EMAIL PROTECTED] wrote:
Greetings all.  I'm still having the same problem we talked about back in
September.  The Clam make isn't finding -lssl for some reason.  Every release
up to and including 0.75.1 worked perfectly with the exact same configure
options.  Anything after that gives the same error including today's 
devel.  I've been configuring Clam with this for some time now and it's 
always worked before:

./configure --prefix=/usr/local --sysconfdir=/etc/clamav --localstatedir=/var --disable-clamuko --no-create --no-recursion

My server is a RH9 install that has most of RH's stupid choices and
mistakes corrected.  Most everything is current and I almost always build
from source.  OpenSSL is the latest greatest (0.9.7e) and installed in the
default location (OSSL default, not RH) of /usr/local/ssl.  ld.so.conf is
set up correctly and of course ldconfig has been run.  I've built dozens
of packages on this system against OpenSSL (and other identical systems)  
and only one other package ever had this problem (and that was a script
error in ATB).  Also, zlib is current.

gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I./zziplib -I./mspack 
-I/usr/local/include -g -O2 -MT special.lo -MD -MP -MF .deps/special.Tpo 
-c special.c  -fPIC -DPIC -o .libs/special.lo
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I./zziplib -I./mspack 
-I/usr/local/include -g -O2 -MT special.lo -MD -MP -MF .deps/special.Tpo 
-c special.c -o special.o >/dev/null 2>&1
mv -f .libs/special.lo special.lo
/bin/sh ../libtool --mode=link gcc  -g -O2  -lnsl -L/usr/local/lib -o 
libclamav.la -rpath /usr/local/lib -thread-safe -version-info 1:4:0 
-no-undefined matcher-ac.lo matcher-bm.lo matcher.lo md5.lo others.lo 
readdb.lo cvd.lo dsig.lo str.lo scanners.lo filetypes.lo unrarlib.lo 
zzip-dir.lo zzip-err.lo zzip-file.lo zzip-info.lo zzip-io.lo zzip-stat.lo 
zzip-zip.lo strc.lo blob.lo mbox.lo message.lo snprintf.lo strrcpy.lo 
table.lo text.lo ole2_extract.lo vba_extract.lo msexpand.lo pe.lo cabd.lo 
lzxd.lo mszipd.lo qtmd.lo system.lo upx.lo htmlnorm.lo chmunpack.lo 
rebuildpe.lo petite.lo fsg.lo line.lo untar.lo special.lo -L/usr/local/lib 
-lz -lbz2 -lgmp -lcurl -L/usr/kerberos/lib -lssl -lcrypto -lgssapi_krb5 
-lkrb5 -lcom_err -lk5crypto -lresolv -ldl -lz -L/usr/kerberos/lib -lz 
-lssl -lcrypto -lssl -lcrypto -lgssapi_krb5 -lkrb5 -lcom_err -lk5crypto 
-lresolv -ldl -lz -lz -lpthread -lnsl
rm -fr .libs/libclamav.la .libs/libclamav.* .libs/libclamav.*
gcc -shared  matcher-ac.lo matcher-bm.lo matcher.lo md5.lo others.lo 
readdb.lo cvd.lo dsig.lo str.lo scanners.lo filetypes.lo unrarlib.lo 
zzip-dir.lo zzip-err.lo zzip-file.lo zzip-info.lo zzip-io.lo zzip-stat.lo 
zzip-zip.lo strc.lo blob.lo mbox.lo message.lo snprintf.lo strrcpy.lo 
table.lo text.lo ole2_extract.lo vba_extract.lo msexpand.lo pe.lo cabd.lo 
lzxd.lo mszipd.lo qtmd.lo system.lo upx.lo htmlnorm.lo chmunpack.lo 
rebuildpe.lo petite.lo fsg.lo line.lo untar.lo special.lo  
-L/usr/local/lib -lbz2 -lgmp -lcurl -L/usr/kerberos/lib -lssl -lcrypto 
-lgssapi_krb5 -lkrb5 -lcom_err -lk5crypto -lresolv -ldl -lz -lpthread 
-lnsl  -Wl,-soname -Wl,libclamav.so.1 -o .libs/libclamav.so.1.0.4
/usr/bin/ld: cannot find -lssl
collect2: ld returned 1 exit status
make[2]: *** [libclamav.la] Error 1
make[2]: Leaving directory 
`/usr/local/src/clamav/clamav-devel-20041118/libclamav'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/local/src/clamav/clamav-devel-20041118'
make: *** [all] Error 2

I've tried with and without
CFLAGS="-I/usr/local/include -I/usr/local/ssl/include"
CPPLAGS="-I/usr/local/include -I/usr/local/ssl/include"
The includes are found, obviously. Your problem are the libraries.
Let's have a look:
# ldd /usr/lib/libclamav.so.1.0.4
libbz2.so.1.0 => /usr/lib/libbz2.so.1.0 (0x40049000)
libgmp.so.3 => /usr/lib/libgmp.so.3 (0x40059000)
libcurl.so.3 => /usr/lib/libcurl.so.3 (0x40087000)
libidn.so.11 => /usr/lib/libidn.so.11 (0x400b7000)
libssl.so.0.9.7 => /usr/lib/i686/cmov/libssl.so.0.9.7 (0x400e7000)
libcrypto.so.0.9.7 => /usr/lib/i686/cmov/libcrypto.so.0.9.7 (0x40118000)
libdl.so.2 => /lib/tls/libdl.so.2 (0x40215000)
libz.so.1 => /usr/lib/libz.so.1 (0x40218000)
libpthread.so.0 => /lib/tls/libpthread.so.0 (0x4022b000)
libnsl.so.1 => /lib/tls/libnsl.so.1 (0x4023a000)
libc.so.6 => /lib/tls/libc.so.6 (0x4024f000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x8000)
This is on a Debian box though. Note that at least here the ssl 
libraries are in uncommon places. Would you mind to do a
find /usr/local/lib -name libcrypto.so\* -print
and see what you get?

I'm trying to get ClamAV >=0.80 working to help take the strain off the
servers with the new DNSDatabaseInfo option.  Unfortunately I'm stuck and
not able to do that until I can get around this problem.  Has anyone else
seen anything similar?  The rest of my system is working fine.  I compile
things all the time with OpenSSL support and never have trouble.  I didn't
mention it earlier but no there are no header or library conflicts w

Re: [Clamav-users] Re: OpenBSD and Clam

2004-11-18 Thread Thomas Lamy
john wrote:
Hi Folks.
How many signatures does clam have in its data base for viruses and Trojans
that attack OpenBSD and the KDE/Gnome desktops?. This topic comes up
from time to time on various nix forms. Usually the consensus is that 
linux/unix
AV products only scan for Windows malware. Is this true of Clam?

Peace,
John
Please fix your date.
Thanks.


[Clamav-users] OT: Spamcop.net/RBLs (Was: ClamAV should not try to detect phishing and other social engineering attacks)

2004-11-15 Thread Thomas Lamy
Trog wrote:
On Sun, 2004-11-14 at 14:57, Julian Mehnle wrote:

3. I am using the SpamCop reporting tool[1] to file complaints to ISPs
   about spam (which specifically includes phishing attacks) that I
   receive.  SpamCop requires spam samples to be manually checked for
   spamminess before being reported.  Thus I _do_ want to receive social
   engineering messages and classify them manually in order to report
   them to SpamCop.

I am, unfortunately, familiar with SpamCop (and all the other similar
'tools'). As a listed contact for over 16million Internet IP addresses I
receive notices from such 'tools' all the time, and I've *never* had one
that is accurate yet.
They are incredibly dumb pieces of software that achieve nothing other
than annoying innocent sys admins and giving their mis-guided users a
warm feeling. Please stop using them [1].
-trog
[1] Try here for a better header tracer: http://www.3dmail.com/spam/
I have found no problems with spamcop's header parser (always reviewing 
what it finds).  I think they're doing a good job, although I won't 
trust anybody's RBL _fully_. I built my own, and don't trust even that 
fully. The drawback is that the only software I know with which I can 
"score" rbl's is spamassassin, which checks _after_ the mail is 
received. If anybody knows such a beast (at best a Postfix policy 
daemon), drop me a line...

Thomas


Re: [Clamav-users] clamav on woody: clamav-milter hangs when stopped

2004-11-11 Thread Thomas Lamy
Robert S wrote:
I have just upgraded to clamav-milter_0.80-5 on my Debian Woody system. 
When I run
"/etc/init.d/clamav-milter stop" it hangs.  When I do a "ps ax" it says
"sleep 0.1".  Looks as if the offending line something like this:

if [ -n "$PID" ]; then
  start-stop-daemon -q -K -o -p $PIDFILE $DAEMON
  while [ -d /proc/"$PID" ]; do sleep 0.1; done
I think that /proc/"$PID" isn't going away and it's staying in the loop
indefinitely.
I had a similar problem with the last debian release:  "start-stop-daemon"
wasn't killing the process.
I've had to go back to the old hack of killing "daemon" and all instances of
clamav-milter.
Has anybody had similar problems?  Any fixes?
Please have a look at Debian bug #278198 
() for an 
in-deep discussion of what's going on/wrong there. I'm sure Stephen Gran 
 (the pkg maintainer) will come up with a new revision (and a woody 
backport) RSN.

Thomas


Re: [Clamav-users] Infection: W32/Kriz.4029.kernel reported by f-prot

2004-11-06 Thread Thomas Lamy
Rishi wrote:
Better submit it through . It's
vital for Clamav's detection to get virus samples from its users.

I did that last week. Any idea how much time it takes for it to get done?
I'm not a sigmaker, but just in case it's some polymorphic one it may 
take for samples to make a good signature.

> I'd
like to help the clam community by using sigtool to get this done.
Can you point me to some documentation?
There is extensive documentation in the source tarball or your binary 
package (look for signatures.pdf)
Rishi
Thomas


Re: [Clamav-users] Infection: W32/Kriz.4029.kernel reported by f-prot

2004-11-06 Thread Thomas Lamy
Rishi wrote:
Hi
I've been receiving a new virus which f-prot reports as "W32/Kriz.4029.kernel"
Can anyone tell me how to use sigtool program to get clamav to use f-prot to 
figure out how to detect this virus and update the clamav database too?

Regards
Rishi
If you don't know how to use sigtool to make yourself a new signature, 
then I guess it's better you don't do it.
Creating signatures with sigtool may also violate your virus scanner's 
license, and is discouraged.

Better submit it through . It's 
vital for Clamav's detection to get virus samples from its users.

Thomas


Re: [Clamav-users] new Wiki site

2004-11-06 Thread Thomas Lamy
Luca Gibelli wrote:
Hello Graham Toal,

What's needed is an installation script which installs a completely
independent copy in one of two locations, so you can double-buffer
the installs.

"./configure --prefix=path" can already do that. 

along with --program-prefix=test_ so clamd becomes test_clamd etc. This 
avoids later confusion...

Thomas


Re: [Clamav-users] Clamav and the CR Vulnerability

2004-11-05 Thread Thomas Lamy
Jim Maul wrote:
Ken Jones wrote:
Hi all,
I decided to run all of the tests located at testvirus.org 
against my
mail server.  As expected, tests 24 and 25 got through, no surprise
there.  However, test 17 also made it through.  This test is 
described as
follows :

I sent it to my server as well, and it was caught. Clamav 80.
What os are you using, how did you get / build / install clam ?

I would just like to point out that all tests were stopped by my server 
as well.  Qmail/qmail-scanner 1.24/spamassassin 2.64/clamav 0.80

I've run the tests before, and it looked like postfix normalizes 
newlines. I never saw a bare CR in the mail I intercepted directly from 
postfix.
Perhaps Ralf (Hildebrandt) knows more about this one?

Thomas


Re: [Clamav-users] Clamd.conf setting

2004-10-30 Thread Thomas Lamy
Awie wrote:
All,
I found clamd write the LOG into /var/log/message. I want clamdscan not
write LOG anymore. What parameter should I remove or add in clamd.conf?
Your answer is very appreciated.
Thx & Rgds,
Awie
It is recommended to have a look at the manual page(s) before asking 
questions to the list.
Anyway, removing or disabling the "LogSyslog" directive in clamd.conf will 
do what you want.

Thomas


Re: [Clamav-users] Problem compiling clamav-0.80

2004-10-27 Thread Thomas Lamy
Ajaya Sharma wrote:
Hi,
I'm running clamav .7.5.1 and want to update to latest version. I was able
to compile clamav-0.80rc3 without any problem but somehow I remained
unsuccessful after clamav-0.80rc3. Below was the error received when
attempted
to compile clamav-0.80rc4 and clamav-080:
# make
...
make  all-recursive
make[1]: Entering directory `/Directory/clamav-0.80'
Making all in libclamav
make[2]: Entering directory `/Directory/clamav-0.80/libclamav'
/usr/ccs/bin/ld -G -z defs -h libclamav.so.1 -o .libs/libclamav.so.1.0.4
matcher-ac.lo matcher-bm.lo matcher.lo md5.lo others.lo readdb.lo cvd.lo
dsig.lo str.lo scanners.lo filetypes.lo unrarlib.lo zzip-dir.lo zzip-err.lo
zzip-file.lo zzip-info.lo zzip-io.lo zzip-stat.lo zzip-zip.lo strc.lo
blob.lo mbox.lo message.lo snprintf.lo strrcpy.lo table.lo text.lo
ole2_extract.lo vba_extract.lo msexpand.lo pe.lo cabd.lo lzxd.lo mszipd.lo
qtmd.lo system.lo upx.lo htmlnorm.lo chmunpack.lo rebuildpe.lo petite.lo
fsg.lo line.lo untar.lo special.lo  -lz -lpthread -lsocket -lnsl -lc 
Undefined   first referenced
 symbol in file
__eprintf   strrcpy.lo
ld: fatal: Symbol referencing errors. No output written to
.libs/libclamav.so.1.0.4
make[2]: *** [libclamav.la] Error 1

Any input is appreciated. 

Thanks in advance.
Aj
From your ld path I guess it's some Slowlaris platform.  I had no 
problems compiling on Solaris 9, it was all running out of the box. You 
may also want to try the 0.80 _release_ (not some release candidate).

Thomas


Re: [Clamav-users] Which version am I using?

2004-10-22 Thread Thomas Lamy
John Fleming wrote:
I originally used apt-get with Debian Sarge (testing) to install ClamAV (the
version immediately before 0.80).  With the move to 0.80, not yet in the
Sarge distro, I used Webmin to update ClamAV.  This worked fine, and my
headers indicate 0.80 is being used.
Then yesterday in a routine apt-get update/upgrade of Sarge, I noticed it
was
installing clamav-0.80-2.  However, my mail headers still indicate 0.80.
I'm not sure if I have some mix of older and newer, or if I have the latest
and the mail header is just rounding off the version.  How can I tell
definitively which version is running?
Here's the clamav log when I start the daemon:
Thu Oct 21 16:53:38 2004 -> clamd daemon 0.80 (OS: linux-gnu, ARCH: i386,
CPU: i386)
Should it have shown 0.80-2 if I have the latest??  Thanks - John
No, the versions are not updated on .deb uploads, so it still shows 
0.80. Ask dpkg for what is installed (dpkg -l clamav-daemon). The pre- 
and postinst-scripts should have restarted the daemon(s) properly.
I prefer to check for daemons etc which still use old library versions via

lsof | fgrep " DEL " | fgrep -v /SYSV | awk '{ print $1 }' | sort -u

This lists you all programs using deleted files (mostly upgraded, 
sometimes "files" used for shared memory purposes), which one should 
restart using the appropriate init.d script.

Thomas


Re: [Clamav-users] ClamAV 0.80 Compilation

2004-10-19 Thread Thomas Lamy
Robin, Rob wrote:
All,
Tried to upgrade to ClamAV 0.80 from 0.75.1. Failed to compile it.
~~~ ./configure --prefix=/usr/local/clamav/0.80 's warnings -
configure: WARNING: resolv.h: present but cannot be compiled
configure: WARNING: resolv.h: check for missing prerequisite headers?
configure: WARNING: resolv.h: see the Autoconf documentation
configure: WARNING: resolv.h: section "Present But Cannot Be Compiled"
configure: WARNING: resolv.h: proceeding with the preprocessor's result
configure: WARNING: resolv.h: in the future, the compiler will take precedence
configure: WARNING: ## -- ##
configure: WARNING: ## Report this to the AC_PACKAGE_NAME lists.  ##
configure: WARNING: ## -- ##
You may either ignore this (sometimes it works despite the warning), or 
use the --disable-dns configure switch.

---
Make's error started w/:
chmunpack.c:72: syntax error before `uint64_t'
chmunpack.c:114: syntax error before `uint64_t'
Edit libclamav/cltypes.h and add
typedef unsigned long long uint64_t;
at the bottom of the file (where the other typedefs are, just above the 
latest #endif). _Perhaps_ that works; I gave this tip to another guy with 
old gcc but just can't remember if that worked it out.

Any ClamAV or C experts willing to help here.
	gcc version 2.95.2. BSDi 4.2 (i hate to be on a dead OS, moving to linux soon). 
Open Source is moving fast... ;-)
Thanks,

Rob Robin 
Network Analyst
Green Apple, Inc.

Thomas


Re: [Clamav-users] RE: freshclam.pid: Permission denied

2004-10-18 Thread Thomas Lamy
Jona Tallieu (T & T n.v.) wrote:
ERROR: Clamd was NOT notified: Can't connect to clamd through
/var/clamav/clamd.sock
So it seems freshclam can not access anything in /var/clamav/.
The permissions for /var/clamav/ are:
drw-r--r--   4 lplp   136 18 Oct 10:49 clamav
And inside are:
-rw-rw  1 root  lp  4 18 Oct 10:39 clamd.pid
srwxrwxrwx  1 root  lp  0 18 Oct 10:39 clamd.sock
Anyone?
Thanks!
chmod 755 /var/clamav


Re: [Clamav-users] (no subject)

2004-10-15 Thread Thomas Lamy
Max Chernogor wrote:
Hello Nigel,
Friday, October 15, 2004, 4:02:58 PM, you wrote:
NH> On Friday 15 Oct 2004 13:59, Max Chernogor wrote:
Hello Nigel,
Friday, October 15, 2004, 2:56:00 PM, you wrote:

 clamav-milter version 0.75l
 man says "All the servers must be up when  clamav-milter  starts"
 But it happens then one of two my servers with clamd is offline when
 clamav-milter  starts. Is it possible to start clamav-milter
 successfully when one of servers cannot  be  reached?
NH> This restriction has been lifted in 0.80.
when this version will be in FreeBSD ports?
now it is security/clamav-devel (clamav-devel-20040826)

NH> You'll have to ask the FreeBSD maintainers, I can't help you with what they
NH> do. Better still, why not download from www.clamav.net?
It doesn't compile
[EMAIL PROTECTED]@17:54:51:~/clamav-0.80rc4$ uname -a
FreeBSD fw.mega.dp.ua 4.10-STABLE FreeBSD 4.10-STABLE #13: Fri Aug 20 11:47:17 EEST 
2004
./configure --enable-milter --without-libcurl
[]
../libclamav/.libs/libclamav.so: undefined reference to `mpz_powm'
../libclamav/.libs/libclamav.so: undefined reference to `mpz_get_ui'
../libclamav/.libs/libclamav.so: undefined reference to `mpz_tdiv_qr_ui'
../libclamav/.libs/libclamav.so: undefined reference to `mpz_add'
../libclamav/.libs/libclamav.so: undefined reference to `mpz_clear'
../libclamav/.libs/libclamav.so: undefined reference to `mpz_init_set_str'
../libclamav/.libs/libclamav.so: undefined reference to `mpz_mul_2exp'
../libclamav/.libs/libclamav.so: undefined reference to `mpz_init'
../libclamav/.libs/libclamav.so: undefined reference to `mpz_set_ui'
*** Error code 1
Your system does not have GnuMP installed.
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] downloading without advertising

2004-10-12 Thread Thomas Lamy
david thompson wrote:
I would like to download clamav. however using adblock in mozilla stops 
the ability to download.

Are there any other places to download from - other than sourceforge.
cheers
I (and many more) have no problems whatsoever with sf.net's downloads. 
This is the official download site. I guess it should be better to fix 
your adblocker (eg, add prdownloads.sourceforge.net to adblocker's 
whitelist)

Thomas
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] SPAM[RBL] version 0.54

2004-10-11 Thread Thomas Lamy
darius wrote:
I have version 0.54 and from september 2004 i can't update clamav.
The message is:
Connected to clamav.elektrapro.com.
Reading md5 sum (viruses.md5): ERROR: Malformed md5 checksum detected.
ERROR: Can't get viruses.md5 sum from clamav.elektrapro.com
What can I do? Is it possible to change the http-proxy?
Thanks!
Darius
You missed the announcement that from Sep 1 old-style virus databases 
were no longer available. Upgrade to a newer version (0.75.1 is stable, 
0.80rc4 is the latest release candidate). I'm afraid that running 0.54 
has given you a false sense of security... Remember that clamav is still 
in development, so newer versions generally fix a number of bugs and add 
new (and needed) features.

Thomas
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Cobalt RaQ2 Compile Errors

2004-10-11 Thread Thomas Lamy
Jeff Ball wrote:
The Cobalt RaQ2 has the following...
gcc-c++-2.7.2-c3r2
gcc-objc-2.7.2-c3r2
gcc-2.7.2-c3r2
glibc-2.0.7-29.4C2
and  0.80rc3 will not build.  again.
I'm wondering if I should work on making a new patch, wait longer, or 
just give up because I will never have a newer compiler, etc... and 
clamav will require them?


[]
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I./zziplib -I./mspack -g -O2 -c 
scanners.c -Wp,-MD,.deps/scanners.TPlo  -fPIC -DPIC -o .libs/scanners.lo
In file included from others.h:24,
from scanners.c:55:
cltypes.h:35: warning: redefinition of `int8_t'
/usr/include/sys/types.h:103: warning: `int8_t' previously declared here
cltypes.h:40: warning: redefinition of `int16_t'
/usr/include/sys/types.h:105: warning: `int16_t' previously declared here
cltypes.h:47: warning: redefinition of `int32_t'
/usr/include/sys/types.h:107: warning: `int32_t' previously declared here
Not a great problem (only warnings, and I guess they were properly 
defined). Something the configure script could be patched for.

[]
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I./zziplib -I./mspack -g -O2 -c 
chmunpack.c -Wp,-MD,.deps/chmunpack.TPlo  -fPIC -DPIC -o .libs/chmunpack.lo
In file included from others.h:24,
from chmunpack.c:44:
cltypes.h:35: warning: redefinition of `int8_t'
/usr/include/sys/types.h:103: warning: `int8_t' previously declared here
cltypes.h:40: warning: redefinition of `int16_t'
/usr/include/sys/types.h:105: warning: `int16_t' previously declared here
cltypes.h:47: warning: redefinition of `int32_t'
/usr/include/sys/types.h:107: warning: `int32_t' previously declared here
chmunpack.c:72: parse error before `uint64_t'
Also something for the configure script.
Could you please add the line
typedef unsigned long long uint64_t;
before the last #endif to libclamav/cltypes.h and report if that helps?
Zeffie...
734-454-9117
http://www.zeffie.com/
Home of the Worlds Largest Collection of RaQ rpms
Thomas
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] 0.75.1->80rc3 rpm failure??

2004-10-08 Thread Thomas Lamy
Tim Rupp wrote:
Thomas Lamy wrote:
Tim Rupp wrote:
(From the qmailrocks website)
Now I'm going to throw in a small customization to Clam AV...
*mv /usr/bin/clamdscan /usr/bin/clamdscan.orig*
*ln -s /usr/bin/clamscan /usr/bin/clamdscan*
This sucks. With this setup, you're loading the virus-db for each and 
every email. Set up clamd to listen on a TCP socket (dunno if qmail 
runs in a chroot) and set the clamd user to somebody that is able to 
read qmail's queue files. This is _way_ faster.

Sorry but I'm not a qmail guy. Else I'd re-write that howto ;-). And 
up your softlimits, just to be sure (repeating a frequently given 
answer).

Thomas
Hey don't shoot the messenger, I'm just going with what that tutorial 
says and that's the same error I received when I followed that tutorial 
and forgot the sym link. Yeah it may be horribly inefficient but I tried 
to answer his question, pointing out what the potential cause of the 
error may be. Let him go about changing stuff around after he figures 
out what the error is. Bleh, sorry for the rant, I'll go back to work 
now :-)

Tim
Sorry, I didn't want to be offending. Just wanted to point out a big 
performance hole. And just in case he upgrades clamav one day, he'll get 
into the same problems again, as the symlink will get overwritten. We 
all know how long "temporary solutions" live, don't we?

Thomas
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] 0.75.1->80rc3 rpm failure??

2004-10-08 Thread Thomas Lamy
Tim Rupp wrote:
Cory Megitt [ClamAV] wrote:
Hi All;
I attempted to upgrade from 0.75.1 to 80rc3 via rpms, and when running a
test script to test the mail server / clamav processes, I get the
following error.
[EMAIL PROTECTED] contrib]# ./test_installation.sh -doit
setting QMAILQUEUE to /var/qmail/bin/qmail-scanner-queue.pl for this test...
Sending standard test message - no viruses...
done!
Sending eicar test virus - should be caught by perlscanner module...
X-Antivirus-MYDOMAIN-1.22-st-qms:[megitt.com10972113996206500] clamdscan:
corrupt or unknown clamd scanner error or memory/resource/perms problem -
exit status 2
qmail-inject: fatal: qq temporary problem (#4.3.0)
Bad error. qmail-inject died
I reverted back (by uninstalling the 80rc3 rpms and reinstalled the 75.1
rpms.  I am still getting the error above.
What did I do wrong?
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
 

Any chance you're following the qmailrocks tutorial? (the 
test_installation.sh script seems to yell that to me)

If you are, especially after you've upgraded, I'd go back to the step 
below and check the sym link. When I first tried the qmailrocks tut I 
was getting that error before I made the symlink.

(From the qmailrocks website)
Now I'm going to throw in a small customization to Clam AV...
*mv /usr/bin/clamdscan /usr/bin/clamdscan.orig*
*ln -s /usr/bin/clamscan /usr/bin/clamdscan*
This sucks. With this setup, you're loading the virus-db for each and 
every email. Set up clamd to listen on a TCP socket (dunno if qmail runs 
in a chroot) and set the clamd user to somebody that is able to read 
qmail's queue files. This is _way_ faster.

Sorry but I'm not a qmail guy. Else I'd re-write that howto ;-). And up 
your softlimits, just to be sure (repeating a frequently given answer).

Thomas
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Virus not detected

2004-09-29 Thread Thomas Lamy
Kareem Mahgoub wrote:
Hello list,
I am using clamav version 0.72
qmail 1.3
Qmail-scanner-queue1.21st
I have a problem and I think it is related to clamav.
There is a virus with name W32.Netsky.p.dam ( according to Norton 
antivirus) not caught by clamav.
Is there something wrong in my setup or it is not yet in the 
Database? Although I have got it about 10 days ago or so.
Your feedback will be very much appreciated
Best Regards,
Kareem Mahgoub
Please upgrade. 0.72 was released on June 3rd, with 1470 lines in the 
ChangeLog since then...


___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] New jpeg "virus" and 0.75?

2004-09-28 Thread Thomas Lamy
Damian Menscher wrote:
On Tue, 28 Sep 2004, Tomasz Kojm wrote:
On Mon, 27 Sep 2004 23:06:40 -0400
Matthew Daubenspeck <[EMAIL PROTECTED]> wrote:
Will there be an updated signature for the new jpeg "virus" for the
0.75 series of ClamAV?

No, there will not - only 0.8x can detect JPEG exploits.

Uhh, I understand that only 0.8x can detect them heuristically (by 
looking for FFFE 000[01] in a .jpg), but there *should* be signatures for 
known exploits.  Or is the currently-known .jpg worm polymorphic?

Damian Menscher
I may be not 100% correct on this one, but the current (as of 0.75) 
database format is too limited for this, as it only supports basic 
"jokers" (1 char or any number of chars), but here you need to match at 
least the JPEG header itself _at the beginning of the file_.

Look into the archives for postings from trog on this subject, I 
remember he had similar (and maybe technically more correct) answers.

Thomas

___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
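
The check discussed in the thread above, as an added example that is not ClamAV code and not part of any post: it requires the JPEG start marker at offset 0, walks the header segments, and flags a comment segment (FF FE) whose length field is 0 or 1. Function names are hypothetical and the sample files are constructed byte strings, not real images.

```shell
#!/bin/sh
# Added example, not ClamAV code: walk the marker segments of a JPEG header and
# flag a comment (COM, FF FE) segment whose 2-byte length field is 0 or 1.
# A valid length counts its own two bytes, so it can never be below 2.

# Print the byte at offset $2 of file $1 as decimal; print nothing at EOF.
byte_at() {
    dd if="$1" bs=1 skip="$2" count=1 2>/dev/null | od -An -tu1 | tr -d ' \n'
}

# Return 0: bad COM length found, 1: header segments look sane,
#        2: not a JPEG, truncated, or otherwise unparseable.
jpeg_com_check() {
    f=$1
    [ "$(byte_at "$f" 0)" = 255 ] || return 2      # FF
    [ "$(byte_at "$f" 1)" = 216 ] || return 2      # D8 = SOI, must sit at offset 0
    pos=2
    while :; do
        m=$(byte_at "$f" "$pos")
        t=$(byte_at "$f" $((pos + 1)))
        [ -n "$m" ] && [ -n "$t" ] || return 2     # ended before EOI/SOS
        [ "$m" = 255 ] || return 2                 # lost marker sync
        case "$t" in
            255) pos=$((pos + 1)); continue ;;     # FF fill byte before a marker
            217|218) return 1 ;;                   # EOI or SOS: header segments done
        esac
        hi=$(byte_at "$f" $((pos + 2)))
        lo=$(byte_at "$f" $((pos + 3)))
        [ -n "$hi" ] && [ -n "$lo" ] || return 2
        len=$((hi * 256 + lo))
        if [ "$len" -lt 2 ]; then
            [ "$t" = 254 ] && return 0             # FE = COM with impossible length
            return 2
        fi
        pos=$((pos + 2 + len))                     # skip marker + segment body
    done
}

# Constructed samples (a few bytes each, not real images).
make_samples() {
    printf '\377\330\377\376\000\004hi\377\331'                 > "$1/ok.jpg"
    printf '\377\330\377\376\000\001AAAA'                       > "$1/bad-com.jpg"
    # Same four bytes, but inside an APP0 payload: must not be flagged.
    printf '\377\330\377\340\000\010\377\376\000\001AA\377\331' > "$1/app0-payload.jpg"
    printf 'GIF89a'                                             > "$1/not-jpeg.jpg"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for s in ok bad-com app0-payload not-jpeg; do
    rc=0
    jpeg_com_check "$demo_dir/$s.jpg" || rc=$?
    echo "$s.jpg -> $rc"
done
rm -rf "$demo_dir"
```

The `app0-payload.jpg` case shows why a plain byte-pattern match is not enough: the same four bytes inside another segment's payload are data, not a comment segment.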


Re: [Clamav-users] [Help] Hi - How conf clamav with postfix mailserver

2004-09-21 Thread Thomas Lamy
Sushil Gholap wrote:
Hi
This is my first mail to this list.
I want to know how to configure clamav with
postfix (linux platform) mail server for scanning the
mails for viruses.
Thanks in advance.
sUsHiL gHolAp.
Have a look at amavisd-new (http://www.ijs.si/software/amavisd/) and/or 
mailscanner (http://www.mailscanner.info/)

Thomas

___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] clamav on debian stable

2004-09-21 Thread Thomas Lamy
agenteo wrote:
this is the log I get:
/home/teottie/.viminfo: Unable to open file or directory ERROR
/home/teottie/mbox: Unable to open file or directory ERROR
/home/teottie/.bash_history: Unable to open file or directory ERROR
/home/teottie/clamav-testfiles/test-failure.rar: RAR module failure ERROR
/home/teottie/clamav-testfiles/test: ClamAV-Test-Signature FOUND
/home/teottie/clamav-testfiles/test-zip-noext: ClamAV-Test-Signature FOUND
/home/teottie/clamav-testfiles/test.bz2: ClamAV-Test-Signature FOUND
/home/teottie/clamav-testfiles/test.msc: ClamAV-Test-Signature FOUND
/home/teottie/clamav-testfiles/test.rar: ClamAV-Test-Signature FOUND
/home/teottie/clamav-testfiles/test.zip: ClamAV-Test-Signature FOUND
/home/carinic/.bash_history: Unable to open file or directory ERROR
I didn't understand why it gives error while trying to open those dotted
files, I was logged in as teottie while the scan was working. But carinic
was not connected!
Thanks in advance,
Enrico
It seems you may want to run clamscan instead of the daemon.
The difference is: clamd runs as user clamav by default (on Debian). 
clamd and its client program, clamdscan, were made for email scanning, 
where there are many (even concurrent) invocations in a small time. Here 
the daemon keeps the malware database in memory all the time. It also 
scans with the privileges of the daemon process, not the one who invoked 
clamdscan.
You can change the daemon's user id by running "dpkg-reconfigure 
clamav-daemon", and instruct it to run as root. You can also edit 
/etc/clamav/clamav.conf (clamd.conf in 0.80 or newer); look for the 
"User" directive.

clamscan (note the missing "d") on the other hand, loads the malware 
database each time it starts, but runs with the privileges of the 
invoking user. This way it is better suited for scanning whole file 
shares (eg once a day).

Hope this helped you,
  Thomas

___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] clamav on debian stable

2004-09-20 Thread Thomas Lamy
agenteo wrote:
Hi,
I've installed the clamav (clamav clamav-base clamav-deamon
clamav-freshclean alibclamav1) debian packages taken from
www.clamav.net/binary.html
At the end of the installation/configuration I've tried as root 
#clamd PING 
in the document I've read the clamav daemon should answer with
something, that didn't come back. Instead of that, I've found in the log
this:
ERROR: Socket file /var/run/clamav/clamd.ctl is in use by another
process.
From ps aux | grep clam I've got this:
clamav 640  0.0  0.1  2036  984 ?  S  15:35   0:00 /usr/bin/freshclam -d --quiet -p /var/run/clamav/freshclam.pid
clamav 694  0.0  3.0 16824 15836 ?  S  15:35   0:00 /usr/sbin/clamd
clamav 697  0.0  3.0 16824 15836 ?  S  15:36   0:00 /usr/sbin/clamd
You tried to use the server binary as a client. "Socket file in use" 
tells you that clamd is really running, as tells you the ps output.


Does anyone know what this situation means? Is the antivirus working?
RTFM (in /usr/share/clamav or on http://www.clamav.net/). And install 
the package "clamav-testfiles", you can use clamscan and/or clamdscan to 
test if your installation was successful.

Thanks in advance,
Enrico
Thomas

___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] Re: [Clamav-users] Windows port ?

2004-09-19 Thread Thomas Lamy
[EMAIL PROTECTED] wrote:
By the way - I checked some Backdoor (about 173 I have till now) and
results are :
Panda Antivirus : 164/173 identified ClamAV CVS version: 58/173
identified
Sadly to say there is a long way ahead :-( (or maybe ClamAV is not
against Backdoors ?)
Boguslaw Brandys
Then please submit them (http://www.clamav.net/sendvirus.html) so there 
could be build signatures for them.

Thomas
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] freshclam - clamd notity

2004-09-16 Thread Thomas Lamy
Jürgen Walch wrote:
Hi there,
we are running clamd in combination with clamdscan to scan incoming
mails for viruses on smtp level with courier-mta here. Works fine.
The signature files are updated using freshclam started via crontab.
The crontab entry used is
--8<--
#
# clamav
#
23 1,9,17 * * * root /usr/bin/freshclam >>/var/log/clamav.log 2>&1
--8<--
Will the running clamd automatically use the updated signature files
fetched by freshclam or is it necessary to restart clamd from time to 
time ?

Thanks a lot !
~juergen walch
No need to restart. Clamd checks for new/changed databases in the 
interval specified by "SelfCheck" in clamav.conf (default 3600 seconds).

You can (and should) also look at your freshclam.conf file for the 
"DaemonNotify [/path/to/clamd.sock]" keyword, or use the --daemon-notify 
option for freshclam in your crontab.
This way the database will automatically get reloaded as soon you have 
the new pattern db on your disk.

Thomas
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] kernel: Out of Memory:Killed process xxxxx (clamd).

2004-09-14 Thread Thomas Lamy
Fajar A. Nugraha wrote:
D Walsh wrote:
I sat down in front of a Solaris 9 system, installed clamav as  
instructed and yes indeed there appears to be a problem with the  
implementation of free(), in 30 mins of sending e-mail from the EICAR  
test site memory did climb to 2.87gb and did not clear itself.

[snip]
This leads me to believe that the problem is occurring in Solaris 9   
due to changes in the OS itself and perhaps clamav should consider  
using a different avenue with this OS.

I use Solaris 6, 8, and 9 with ClamAV. Problem exists in all.
Aside from that, all I can tell you is I'm not impressed with this OS  
and I guess I prefer the Darwin/FreeBSD environment because I'm used 
to  it, know what tools are available and can muck around with some  
confidence without blowing things up.

If it were up to me, I would've put Linuxes on all our Sun. However, it 
is not my decision alone to make, so I'm stuck with Solaris :)

Regards,
Fajar
I'll step down into the cellar and reactivate my old Ultra-1 (shiver) 
with solaris 6 and purify, perhaps I find something. No promises.

Thomas

___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] kernel: Out of Memory:Killed process xxxxx (clamd).

2004-09-14 Thread Thomas Lamy
Jason Haar wrote:
On Tue, Sep 14, 2004 at 08:38:57AM +0100, Trog wrote:
A few people (out of the thousands who run ClamAV) have reported "memory
leaks" in stable versions of clamd. 

However, none of those people have submitted a report from a memory
debugging tool to show where the leak occurs on their systems, despite
being asked to by the development team. None of the development team
have seen such a leak.

I tried to help out with valgrind as you suggested - but within 10 mins it
took 1.5Gb of RAM on my workstation (I wasn't going to put it up on
production now was I? :-) and - well - I turned it off. I really don't have
the equipment to handle running 1.5Gb debugging processes...
One of the downsides of valgrind - it doesn't free any memory at runtime 
(to check for double-free()s). I've not seen tools where one can switch 
this off yet (but I've only used valgrind on Linux and purify on Solaris 
machines).

Until one of the people complaining produces a useful report, nothing
can be done. It is just as likely a leak in a system library than in
clamd.

Could be: but I've seen it on Rh8 and Fedora-Core2 - quite different Linux
systems as far as libraries/etc go.
From the different posts here I bet there are library issues in BSD, as 
that OS is number one when it comes to leakage complaints. I don't know 
current Solaris releases, but Sol7 actually was a PITA.
With Linux being my development platform, I see no runtime leaks there.
I hope someone else can help out - there is a problem that needs solving
there.
All of the team members are aware of that. But as trog already wrote: 
Until someone comes up with either a mail that triggers the leak or some 
mem debugger's output, we're stuck.

Running valgrind on a production server is a no-no, as you already observed.
For quite a while (6 weeks) I collected each and every mail on one of my 
MXes. I checked them "offline" for leaks using a shell wrapper, which 
checked clam's memory usage between each fed mail, but found really 
nothing.
I'll start that grabber again once I upgraded disk space on another MX here.

Thomas
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] Upgrade clamav on Debian and now service creates error when starting

2004-09-09 Thread Thomas Lamy
Jim wrote:
After I upgraded clamav via apt-get I now get an error during restart of
/etc/init.d/clamav-daemon.
This is on a debian system and the error created is:
/etc/init.d/clamav-daemon restart
Restarting clamav daemon: clamdERROR: Parse error at line 10: Unknown
option ThreadTimeout.
ERROR: Can't open/parse the config file /etc/clamav/clamav.conf
While checking permissions I changed the permissions on
/etc/clamav/clamav.conf
Here is the output on /etc/clamav/clamav.conf  ls -alt
/etc/clamav/clamav.conf
-rwxrwxrwx  1 amavis root 434 Jul 21 10:47 /etc/clamav/clamav.conf
The version now installed on the Debian system is 0.75.1-4
Jim
This is an old option, which is no longer used by clamav.
Just remove that line from /etc/clamav/clamav.conf and it should work.
What was your old version? Please file a detailed bug report at 
bugs.debian.org.

Thank you
  Thomas

___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] freshclam: crontab vs. daemon

2004-09-06 Thread Thomas Lamy
Daniel S. Cohen wrote:
Hello,
I am wondering if there is any advantage of running freshclam as a
daemon as opposed to running it from the crontab a few times a day?
Thanks.
Dan
It's a matter of taste. I prefer running it in daemon mode, as freshclam 
is rock solid (eg. it hasn't crashed here for months), and due to its 
random start time does not tend to overload the mirrors.
You have to use bashisms or perl (or some really crude sh pipe) to make 
sure freshclam's cron job does not start exactly on the hour.

Thomas

___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
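
One way to keep a cron-driven freshclam off the exact hour without bashisms or perl, as an added example that is not part of the thread or of ClamAV: the delay is derived from a checksum of the host name and date, so each host lands on a different offset. The script path, lock path and host names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of ClamAV: plain POSIX sh, no $RANDOM and no perl.
# Hypothetical crontab entry (script path is an assumption):
#   0 1,9,17 * * * root /usr/local/sbin/freshclam-jitter.sh run

# Print a delay in [0, $2) seconds derived from seed string $1.
jitter_seconds() {
    case "$2" in ''|*[!0-9]*|0*) return 2 ;; esac   # positive decimal, no leading zero
    crc=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    echo $((crc % $2))
}

# Sleep for this host's offset, then update once. mkdir is atomic, so the
# directory doubles as a lock if a slow run overlaps the next cron slot.
jittered_update() {
    max=${1:-3000}
    delay=$(jitter_seconds "$(uname -n)-$(date +%Y%m%d)" "$max") || return 2
    lock=/var/run/freshclam-jitter.lock     # hypothetical path in a root-only directory
    mkdir "$lock" 2>/dev/null || return 0   # previous run still active: skip this slot
    sleep "$delay"
    rc=0
    freshclam --quiet || rc=$?
    rmdir "$lock"
    return "$rc"
}

if [ "${1:-}" = run ]; then
    jittered_update 3000
    exit $?
fi

# Without "run": show the offsets three constructed host names would get.
for h in mx1.example.net mx2.example.net scan.example.net; do
    echo "$h: $(jitter_seconds "$h-20040906" 3000)s after the hour"
done
```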


Re: [Clamav-users] Downloading clam virus definition files automatically

2004-08-20 Thread Thomas Lamy
Julio Canto wrote:
Fajar A. Nugraha wrote:
Yes. There's nothing that prevents you from running freshclam (or whatever 
your updater will be) every minute or so.
However, with the default check time of one hour (default for RPM 
packages, that is), mirrors already
use lots of bandwidth (over 100 GB a month each), so please consider 
that when you're running virus db updater ...

Anyway, I'm not using freshclam but a python script.

TK said newer versions of freshclam will use DNS to determine db 
versions.
For now, you could either :
-   get first few bytes of main.cvd and daily.cvd to determine current 
version, or
-   use my unofficial DNS tracker to determine virus database version.

[EMAIL PROTECTED] fajar]$ host -t txt version.daily.db.clamav.or.id
version.daily.db.clamav.or.id text "462"
Please see my previous post to see how I setup and update 
daily.db.clamav.or.id.

What I'm doing now is something simpler: I just check the dates of files 
published on one of the mirrors with the database files 
(http://clamav.fisher.hu/database/ for instance). If I detect it is 
newer than the last one I downloaded, then I get the files, and that's 
all. That way I avoid having to 'touch' the files themselves.
Probably it ain't the most elegant way to do so, but I bet it has a 
quite low consumption rate of resources of Clam av servers online :)
Greetings,
   Julio Canto
   Hispasec Sistemas

As I have several servers here, I run a local mirror here using wget -m, 
which does essentially the same: check modification time via HEAD 
request. This doesn't hurt performance on the server.
All local machines run freshclam as daemon, with 48 checks per day (last 
time I checked the maximum value was 50).

Thomas

---
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] Clamav Engine upgrades?

2004-08-05 Thread Thomas Lamy
Tomasz Kojm wrote:
On Fri, 06 Aug 2004 00:08:55 +0200
Thomas Lamy <[EMAIL PROTECTED]> wrote:

IIRC freshclam doesn't even update the local database if your local 
installation has a too small "functionality level".  I guess it was 

Even if the f-level is smaller than required one freshclam still
attempts to update the database. All *.cvd databases are backward
compatible but older libclamav versions can't use some new features they
provide.

implemented with major database format changes in mind, like 0.72
simply won't load databases with the new md5 hashes in it (it would
die).

Older versions just ignore internal hash databases in cvd files.
Sorry for the false alarm then.
Thomas

___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] Another upgrade question.

2004-08-05 Thread Thomas Lamy
Ken Goods wrote:
I'm running Sendmail, Mailscanner, Spamassasin, and Clamav (0.70rc-1). I
would like to upgrade Clamav. Tried yum but it continues to tell me there
are no updates available. So on to plan two. I'm going to install from the
RPMs but wasn't exactly sure of the process.
This is my plan.
1. Stop Mailscanner (which will effectively stop Sendmail and Clamav,
correct?)
Not sure (not my config). Better stop sendmail and clamav, too.
2. Save my current clamav.conf to /tmp
Always a wise decision ;-)
3. rpm -e clamav
4. rpm -Uvh new clamav-db rpm package
5. rpm -Uvh new clamav package
Why not: rpm -Uvh clamav-db clamav  ? Should keep track of everything 
(if the RPMs are built properly).
If you're not sure, run something like
find /etc /usr -name "*clamav*" -print
after rpm -e  and check for leftover libs or binaries and delete them 
manually. I've seen too many requests here which were tracked down to be 
old duplicate leftovers...
6. copy clamav.conf back to /etc
6. restart Mailscanner
Sorry if this is elementary but it's my first time and this is a production
server that can't afford to be down long. I've searched the web and can't
find any detailed instructions for this type of update (when one program is
depending on others being there 24/7)
Any hints, tips, tricks, and/or got-cha's would be helpful.
TIA!
Ken 

Thomas

___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] Clamav Engine upgrades?

2004-08-05 Thread Thomas Lamy
Mitch (WebCob) wrote:
Jeremy Kitchen wrote:
On Thursday 05 August 2004 12:46 pm, Ryan Moore wrote:

Such that if freshclam downloads a signature and if the
signature has a 'engine version requirement' or some attribute that can
be compared against the installed engine, if the installed engine isn't
newer, give a nasty warning in the log.

it already does this.  search the archives for 'functionality level'

WARNING: Your ClamAV installation is OUTDATED - please update
immediately !
WARNING: Current functionality level = 1, required = 2

-Jeremy
I didn't get any such warnings on any of my machines, they were all
using clamav 0.72 with freshclam daemonized (with LogVerbose in
freshclam.conf). Do you have to do anything special to get this sort of
behavior? Also did anyone get these warnings when running a version
previous to 0.75.1?
Ryan Moore
> This is predicated on the developers of the database incrementing the
> "functionality level" when they make changes like this.
>
> I'm still not sure I get it, but there seems to be some resistance to doing
> this consistently.
>
> Some changes in detection seem to make it into CVS, and I think future
> versions without a change in the db functionality level - so the code is
> there, and maybe it was originally for MAJOR changes - not simply one or two
> viruses that need the upgrade, but it doesn't seem to make sense for the way
> people use this project...

IIRC freshclam doesn't even update the local database if your local 
installation has a too small "functionality level".  I guess it was 
implemented with major database format changes in mind, like 0.72 simply 
won't load databases with the new md5 hashes in it (it would die).

Just an educated guess though. Haven't looked at the sources.
Thomas

___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
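
Both this thread and the earlier "Downloading clam virus definition files automatically" thread turn on values stored in the first bytes of a .cvd file: the database version and the functionality level it asks for. The following is an added example, not freshclam code and not from any post; the header layout is an assumption taken from ClamAV's documented CVD format, the function names are hypothetical, and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not freshclam code. Assumed layout (ClamAV's documented CVD
# format, not quoted in the thread): the first 512 bytes are space-padded text,
#   ClamAV-VDB:build time:version:signature count:functionality level:MD5:signature:builder
# These fields are unauthenticated here; use them only to decide whether to
# fetch. Verifying the database signature stays with freshclam/libclamav.

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# Print header field $2 (1-based) of file $1; fail unless the magic matches.
cvd_field() {
    hdr=$(dd if="$1" bs=512 count=1 2>/dev/null | tr -d '\000') || return 1
    case "$hdr" in
        ClamAV-VDB:*) printf '%s\n' "$hdr" | cut -d: -f"$2" ;;
        *) return 1 ;;
    esac
}

cvd_version() { v=$(cvd_field "$1" 3) && is_uint "$v" && printf '%s\n' "$v"; }
cvd_flevel()  { l=$(cvd_field "$1" 5) && is_uint "$l" && printf '%s\n' "$l"; }

# 0 if advertised version $2 (from a mirror's header bytes or a DNS TXT record)
# is newer than local file $1 or no usable local copy exists; 1 if up to date.
remote_is_newer() {
    is_uint "$2" || return 2
    have=$(cvd_version "$1") || return 0
    [ "$2" -gt "$have" ]
}

# 0 (and a warning line) if the database asks for a higher functionality level
# than engine level $2. Per the thread, the update itself still goes ahead.
flevel_warning() {
    is_uint "$2" || return 2
    need=$(cvd_flevel "$1") || return 2
    [ "$need" -gt "$2" ] || return 1
    echo "WARNING: Current functionality level = $2, required = $need"
}

# Constructed sample: header only, placeholders for the hash and signature.
make_sample_cvd() {
    printf '%-512s' "ClamAV-VDB:05 Aug 2004 10-00 +0200:$2:1234:$3:MD5-PLACEHOLDER:SIG-PLACEHOLDER:builder" > "$1"
    printf 'compressed payload would follow here' >> "$1"
}

demo_dir=$(mktemp -d)
make_sample_cvd "$demo_dir/daily.cvd" 462 2
echo "local daily.cvd version: $(cvd_version "$demo_dir/daily.cvd")"
if remote_is_newer "$demo_dir/daily.cvd" 463; then echo "mirror advertises 463: fetch"; fi
flevel_warning "$demo_dir/daily.cvd" 1 || true
rm -rf "$demo_dir"
```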


Re: [Clamav-users] clamd devel-20040728 memory usage growing

2004-07-30 Thread Thomas Lamy
Igor Brezac wrote:
On Thu, 29 Jul 2004, Mike Lambert wrote:
OS: FreeBSD 4.9-RELEASE-p2
ClamAV: devel-20040728
Build options:
--enable-milter
--disable-clamuko
--enable-bigstack
--disable-dependency-tracking
In 24 hours of running, memory usage for clamd (devel-20040728) has
steadily increased from 5MB to 63MB.
Does anyone have suggestions for building/configuring clamd on FreeBSD
to stop or at least reduce the leaks?  Version 0.70 leaked, but not
nearly as bad as this snapshot. Does version 0.75 leak much?

It leaks on Solaris 9 as well (snapshot from today).  I am not very 
intimate with the clamd code, but a quick run through a profiler 
(FncCheck) shows that the leak may come from cli_parse_add().  I cannot 
find where bm_new structure is freed.  If any of the developers is 
interested, I can email them the memory report I produced.

I did a quick leak check (on Linux) on yesterday's CVS, and found no 
runtime leaks, only clamd not freeing the database memory before it 
quits (and mem gets freed automatically).

Could you send me your report please?
Thomas

___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] Some Mydoom.M found, not all

2004-07-28 Thread Thomas Lamy
Jona Tallieu wrote:
Hi all,
we use CLAMAV 0.75 on a OSX 10.3 server together with a McAfee
scanner.
First in line is the clamav, next is the mcafee virex scanner.
In the clamdscan logs I can see that clam catches Mydoom.M viruses:
Wed Jul 28 10:25:33 2004 -> /tmp/cgpavIOQyTk: Worm.Mydoom.M FOUND
Wed Jul 28 10:25:39 2004 -> /tmp/cgpav1iHGUW: Worm.Mydoom.M FOUND
But in the virex logs it shows clamav is not catching all:
1452225.msg/text.zip
Found the W32/[EMAIL PROTECTED] virus !!!
So it seems that clamav 0.75 + latest signature files are not
catching all
Any ideas? Thanks!

J.

Yes - submit them (from your quarantine directory) on http://www.clamav.net/
Thomas



Re: [Clamav-users] Re: Clamav-users digest, Vol 1 #839 - 4 msgs

2004-07-15 Thread Thomas Lamy
[EMAIL PROTECTED] wrote:
>> From: Gavin Aiken [mailto:[EMAIL PROTECTED] The only case
>> I'm worried about is what happens if our primary MX (which is my
>> box and had clamav installed) is offline for whatever reason (eg
>> SDSL down), and the mail gets routed via our secondary MX machines,
>> which are at Easynet and don't do any of this checking.
>
> This is probably more of a concern than you think.  There are plenty
> of viruses out there that will connect to the highest-number MX,
> rather than the lowest - precisely to get around the
> most-heavily-armored servers.

I second that. Backup MXes are where ~70% of all received spam is 
caught. SA's database is 4 times larger there than on our primary MXes. 
Another nice target is a domain's webserver (where I restrict SMTP to 
localhost because of that).

Thomas



Re: [Clamav-users] clamscan --mbox question

2004-07-13 Thread Thomas Lamy
Graham Toal wrote:
> I want to use clamscan to check mail files (just one mail per file).
> These are not in Unix mbox format.  Although they start with mail
> headers, the first line is not "From " ...
> Viruses are not recognised whether I use plain "clamscan"
> or "clamscan --mbox".  They can only be recognised if I edit
> a "From " line in to the first line of the file.
> The structure of the mail filter is such that I would prefer not
> to have to do this.  Is there any way I can scan these files without
> adding that line?
> Here is a typical header (from an EICAR test):
> X-Originating-Ip: 24.173.85.38
> Message-Id: <[EMAIL PROTECTED]>
> Date: Mon, 12 Jul 2004 22:49:08 -0500
> From: "TESTVIRUS.org" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: Virus Scanner Test #1
> Mime-Version: 1.0
> Content-Type: multipart/mixed;
> BounDary="=_307115168==_"
> --=_307115168==_
> Content-Type: text/plain; charset="us-ascii"; format=flowed
> This message was sent to you because you or someone you know is testing your
> mail server's virus scanner at:  http://www.testvirus.org
> ...
> Suggestions?
> thanks
> Graham
> PS Version is "clamscan / ClamAV version devel-20040630"

The solution is to either add "X-Originating-Ip: " to the "magic" items 
in libclamav/mbox.c (or was it scanners.c?), and/or have Nigel Horne 
commit such change in CVS.

Thomas



Re: [Clamav-users] Version 0.71 - clamdscan error

2004-05-28 Thread Thomas Lamy
Kevin Spicer wrote:
> On Thu, 2004-05-27 at 09:21, Mr Mailing List wrote:
>> Just noticed that scanning files with clamdscan does not scan
>> files that are not world readable.
>
> Perhaps it would be better if clamd could implement some kind of
> privilege separation, so that a minimal process running as root reads
> the files, but an unprivileged process could actually do all the
> processing?

Good point.


Re: [Clamav-users] compiling clamav 0.68

2004-04-07 Thread Thomas Lamy
Pad Hosmane wrote:

> Hi,
>   I am compiling clamav 0.68 on HP-UX 11.00. I am getting following
> error during make. 
> I am using GCC 3.0.1.
>
> ++
> gcc -g -O2 -o clamscan clamscan.o options.o getopt.o others.o manager.o
> treewalk.o  -L/usr/local/lib -L/opt/gmp/lib
> -L/test/down/clamav-0.68/libclamav /usr/local/lib/libclamav.sl -lz

Something strange is going on. ^
This should read libclamav.so.

> -lpthread -Wl,+b -Wl,/usr/local/lib
> /usr/ccs/bin/ld: Unsatisfied symbols:
>    cl_mbox (first referenced in manager.o) (code)
>    cl_gentemp (first referenced in manager.o) (code)
>    cl_debug (first referenced in clamscan.o) (code)
>    cl_strerror (first referenced in manager.o) (code)
>    cli_strtok (first referenced in manager.o) (code)
> collect2: ld returned 1 exit status
> *** Error exit code 1

All those symbols are defined in libclamav.

And, while you're compiling, please try 0.70-rc (or, better, the latest 
CVS snapshot). As usual, the CVS version fixes many bugs...

> Thanks in advance.
> PAd

Thomas





Re: [Clamav-users] clamd hanging on SunOS 5.8

2004-03-18 Thread Thomas Lamy
turgut kalfaoglu wrote:

> Well, even after I disable urandom, which my system does not have anyway,
> I still have clamd hanging; eating up over 90% of the CPU, and doing 
> nothing basically.
> I am trying daily builds, but it does not help. This sometimes happens 
> after five minutes of runtime, but sometimes with just 2 minutes of 
> runtime.
>
> help!
> -turgut

Any output from "truss -p <pid>" where <pid> is the process id of the 
cpu eating clamd?

Thomas



Re: [Clamav-users] testvirus.org eicar tests failing w/ ClamAV version devel-20040316 on OSX+CGPro (clamav-users: addressed to exclusive sender for this address)

2004-03-18 Thread Thomas Lamy
OpenMacNews wrote:
-- On Wednesday, March 17, 2004 1:42 PM -0800  OpenMacNews 
<[EMAIL PROTECTED]> wrote:

-- On Wednesday, March 17, 2004 9:42 PM +0100  Thomas Lamy 
<[EMAIL PROTECTED]> wrote:



I agree here. It just comes down to:
- Have you enabled the ScanMail and ScanArchive options in your 
clamav.conf, or are you using clamscan --mbox? If
not, this is the culprit.


just re-checked,

ScanMail & ScanArchive are *both* enabled in clamav.conf

and, ClamAV *is* regularly scanning/catching OTHER email viruses ...


- What is CGpro sending to clamav? Does it decompose mails? CG _may_ 
fulfill this task, erm, incompletely. Or does it
send the whole raw message to clamav? Then you definitely need to 
enable ScanMail (see above)


i'm not sure i understand enuf to answer your question adequately, 
however you should know that ...

CGPro is doing NONE of the av processing, nor is it, itself, speaking 
'directly' to ClamAV

rather, ClamAV is being invoked by a CGPro script, "cgpav-1.3a", found 
at: <http://program.farit.ru/>, built &
compiled in the presence of a successful clamav build/install.

with a little guidance, i might be able to provide you a better answer 
...

Thomas


richard
> hi,
>
> seems like there's a bunch o' questions abt this ...
>
> is there anything we (users) can do abt this issue?  is it, rather, a
> developer issue?  or is it *not* a clamav issue at all, but the calling
> script's?
>
> richard
>
This _seems_ like a development issue, as I wrote you in private 
already. It seems like an endianness issue at first glance (most 
development is done on i386, where the byte order is different than on 
PowerPC), but I'll definitely have a look at it, at latest this weekend. 
I just have to get my G4 working and a couple of small jobs done before.

Thomas





Re: [Clamav-users] SFX-RAR files

2004-03-18 Thread Thomas Lamy
daniele wrote:

From: "Michael L Torrie" <[EMAIL PROTECTED]>

On Wed, 2004-03-17 at 06:51, Tomasz Kojm wrote:

On Wed, 17 Mar 2004 12:53:43 +0100
"daniele" <[EMAIL PROTECTED]> wrote:
I've installed clamav-0.60 and also 0.65, but when sendmail must send
a message with an .exe file created with winrar 3.x, it doesn't permit
the operation because it finds a trojan.orcamento virus in the
archive (not if created with winrar 2.x)

Update your database!

> I've upgraded the database...but it doesn't change
>
Then please submit one of those files on http://www.clamav.net/ and mark 
them as false positive.

Thank you
Thomas


Re: [Clamav-users] testvirus.org eicar tests failing w/ ClamAV version devel-20040316 on OSX+CGPro

2004-03-17 Thread Thomas Lamy
Jim Maul wrote:

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> OpenMacNews
> Sent: Wednesday, March 17, 2004 11:27 AM
> To: ClamAV Users List
> Subject: [Clamav-users] testvirus.org eicar tests failing w/ ClamAV
> version devel-20040316 on OSX+CGPro
>
>> hi,
>>
>> ClamAV version devel-20040316, built on OSX 10.3.3, and
>> integrated into CommunigatePro 4.1.8, is consistently failing
>> to detect the following Eicar tests from www.testvirus.org:
>
> I would just like to point out that MOST of these are not problems with
> clamav at all.  I can not say how to get clamav to detect these because that
> is dependent on how clamav is called and how it integrates with your mta.

Uhm, yes and no. It depends what your MTA sends to clamav, and how you 
set it up.

>>    Test #5: Eicar virus sent using BinHex encoding
>>
>>    Test #8: Eicar virus sent using BinHex encoding within a
>> MIME segment

Clamav is catching those just fine since Feb 4.

> Your system must be able to decode binhex attachments before they are passed
> to clamav.  I don't believe clamav has an internal binhex decoder.  Being
> that most people don't have a decoder themselves, i don't see how this is
> really an issue.  symantec on my workstation doesn't even pick these up.

Sorry, but IMHO a virus scanner on a Mac that doesn't handle BinHex is a 
piece of scrap.
Clamav has a BinHex decoder, and it works.

>>    Test #10: Eicar virus embedded within an RFC822 message
>>
>>    Test #15: Eicar string in HTML, to ensure that your mail
>> server scans HTML segments
>
> This is definitely a fault with whatever program is calling clamav on your
> system.  These are both blocked on my system (using qmail and
> qmail-scanner).

I agree here. It just comes down to:
- Have you enabled the ScanMail and ScanArchive options in your 
clamav.conf, or are you using clamscan --mbox? If not, this is the culprit.
- What is CGpro sending to clamav? Does it decompose mails? CG _may_ 
fulfill this task, erm, incompletely. Or does it send the whole raw 
message to clamav? Then you definitely need to enable ScanMail (see above)

>>    Test #22: Eicar virus within zip file hidden using the
>> "Empty MIME Boundary Vulnerability"
>
> I don't really know what this means but it is let through on my system as
> well.  However i am not too worried about it as it was not picked up by
> symantec on my desktop and someone would need a base64 decoder and some
> computer knowledge to be able to extract this attachment.

This is an issue I will have a look at, though I'm unsure on how to 
handle such stuff that doesn't show as attachment in client programs.

There is at least one M$ Outlook bug that makes attachments with 
specially crafted headers viewable, which are unseen by other client 
programs. But how should one handle that? ClamAV is a virus scanner. 
It's not a vulnerability scanner. I consider catching such messages a 
"nice to have", but if correctly implemented it bloats clamav's config 
file (or clamscan's --help output) endless, given the number of bugs 
some mail clients have.

(Having a hard time to not flame about Symantec again)

>>    Test #23: Test for the "Partial (Fragmented)
>> Vulnerability". This does not include Eicar virus, but your mail
>>    server still must block this since it can break a virus
>> into multiple emails and reassemble it in your inbox.

See above. The test is there, but currently issues a libclamav warning IIRC.

>>    Test #24: Attachment with a CLSID extension which may
>> hide the real file extension. This does not include Eicar
>>    virus, but your mail server still must block this since
>> it can hide the true extension of a file.

See above. Thanks MS.

Thomas





Re: [Clamav-users] New varient of password compressed virus

2004-03-16 Thread Thomas Lamy
Lucas Albers wrote:
> Fajar A. Nugraha said:
>
>> An interesting fact on ChangeLog:
>>
>> Thu Mar 11 21:50:32 CET 2004 (tk)
>> -
>>  * libclamav: rar: added support for encrypted archive (Encrypted.RAR)
>>    detection
>
> To make an obvious statement.
> Clamav should add encrypted compression detection support for all formats
> it supports.
> As we will see more variants...

I just guess this is in the works. It was easy to add for ZIP (using a 
patch from a fellow user), but other archive types have been delayed for 
work on 0.70.

Thomas



Re: [Clamav-users] MIME problem?

2004-03-15 Thread Thomas Lamy
Stuart Mycock wrote:

Hi all,

RAV caught a bounced message sample containing Worm.SomeFool.Gen-2
(Netsky.B) but neither clamd or 'clamdscan --mbox' could find the infection,
I presume this is an issue with the MIME handling?
When I rip out the attachment manually it detects the virus fine.

Shall I submit the sample anyway? I don't want to waste anyone's time if
this is something that's already being dealt with?
I run 0.67-1 in production but have also tried an mbox scan with
clamav-devel-20040315.
Cheers,

Stuart.

Please submit the raw message either to me or to Nigel Horne 
([EMAIL PROTECTED]) for examination.

Thank you!

Thomas Lamy



Re: [Clamav-users] FreshClam fail to connect database.clamav.net

2004-03-10 Thread Thomas Lamy
Tim Wilde wrote:

> On Tue, 9 Mar 2004, Ron Snyder wrote:
>
>> Just want to pipe in with another opinion/question-- have there been more A
>> records added for database.clamav.net recently? Freshclam had been working
>> just fine for me for several weeks just started reporting the same problems
>> that Seve reported. When I started debugging the problem (using dig) I paid
>> attention to the "truncated results" notice that dig gave.
>> This is caused because the amount of information was too big to fit in a udp
>> packet, and tcp dns packets were restricted from going through the firewall.
>> Once tcp packets were allowed through the firewall, freshclam started
>> working again.
>
> Yep, I just ran across that myself.  I would advise splitting it into
> multiple records and having freshclam randomly choose one of
> database1-N.clamav.net each one of which contains a smaller set of servers
> (with overlap of the "beefier" servers, to perform some poor-man's
> weighting), or something else like an intelligent global DNS-based load
> balancing solution (rather expensive :)) to prevent resolvers from needing
> to fall back on TCP.  It's technically perfectly valid, but not advised
> due to widespread firewall misconfigurations.

I'd vote for having one name for each continent, so I wouldn't download 
sigs from India with 2k/sec; something like
africa.clamav.net  (are there any mirrors?)
america.clamav.net
asia.clamav.net
europe.clamav.net
australia.clamav.net

These should contain the continent's mirrors, and one or two fallback 
IPs to either nearby continents or well-connected mirrors with big pipes.

Thomas



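The size arithmetic behind the truncation Ron describes in the message above, as an added example (not code from freshclam or from any poster). It builds a constructed DNS answer for a name with many A records, shows at which record count the 512-byte limit of classic DNS over UDP forces the TC ("truncated") bit, and what is left to a resolver when TCP port 53 is filtered. Assumptions: no EDNS0, compressed answer names, addresses taken from the 192.0.2.0/24 documentation range.

```python
import socket
import struct

UDP_LIMIT = 512                      # classic DNS-over-UDP payload limit (no EDNS0)
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080
A_RECORD_SIZE = 2 + 2 + 2 + 4 + 2 + 4  # name pointer, type, class, ttl, rdlength, IPv4


def encode_name(name):
    """Encode a host name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def question(name):
    """Question section for an A/IN lookup."""
    return encode_name(name) + struct.pack("!HH", 1, 1)


def max_a_records(name, limit=UDP_LIMIT):
    """How many A records fit beside the 12-byte header and the question."""
    return (limit - 12 - len(question(name))) // A_RECORD_SIZE


def build_udp_response(name, addrs, qid=0x1234, limit=UDP_LIMIT):
    """Constructed server answer: keep what fits, set TC when records are dropped.

    Simplification: real servers differ in how much they keep when truncating.
    """
    fit = max_a_records(name, limit)
    kept = addrs[:fit]
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    if len(addrs) > fit:
        flags |= FLAG_TC
    packet = struct.pack("!HHHHHH", qid, flags, 1, len(kept), 0, 0) + question(name)
    for addr in kept:
        # 0xC00C is a compression pointer to the name at offset 12 (the question)
        packet += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(addr)
    return packet


def parse_header(packet):
    """Pull the fields a troubleshooter cares about out of the DNS header."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": qid, "truncated": bool(flags & FLAG_TC), "answers": an}


def resolver_outcome(packet, tcp_53_allowed):
    """What is left to the resolver for this UDP answer (failure mode as in the thread)."""
    if not parse_header(packet)["truncated"]:
        return "answer-usable"
    return "retry-over-tcp" if tcp_53_allowed else "lookup-fails"


def sample_addrs(n):
    """Constructed addresses from the 192.0.2.0/24 documentation range."""
    return ["192.0.2.%d" % (i + 1) for i in range(n)]


if __name__ == "__main__":
    name = "database.clamav.net"
    print("A records that fit in %d bytes: %d" % (UDP_LIMIT, max_a_records(name)))
    for count in (10, 29, 30, 40):
        pkt = build_udp_response(name, sample_addrs(count))
        print(count, len(pkt), parse_header(pkt),
              resolver_outcome(pkt, tcp_53_allowed=False))
```

On a live system the same condition shows up as the "truncated" notice from dig that the message mentions.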


Re: [Clamav-users] limiting child processes

2004-03-09 Thread Thomas Lamy
Adam Webb wrote:
> Is there a way to tell clamd how many children it can spawn? I don't
> want a server to allow more than 10 instances of clamd to run at any
> given time.

MaxThreads in clamav.conf

Clamav is thread based, and it depends on the OS's threads 
implementation if threads are shown as separate processes. Linux shows 
them as processes, Solaris not AFAIK.

Thomas



Re: [Clamav-users] clamav-0.67 hangs periodically (postfix+amavisd-new+clamav)

2004-03-09 Thread Thomas Lamy
Adam Kruszewski wrote:

> On Mon, Mar 08, 2004 at 03:38:48PM -0800, Christopher Malek wrote:
> [...]
>> Thereafter, amavisd gets stuck waiting as soon as it tries to talk
>> to clamd:  Almost immediately, all the amavisd processes are stuck
>> waiting for clamd to respond, and mail starts piling up in the queue,
>> not being delivered.
>
>  Same here. :-/ unfortunately I can't reproduce it on testing
>  environment, and gdb-ing clamd when it scans email stream before it
>  goes to qmail-queue is not so nice idea :-/ (especially when I'm not
>  watching it 24h/7d).

Here, too!

I started getting hit by that when amavisd-new started giving the whole 
mail to clamd (which always had ScanMail enabled but that made no use 
before).
A quick workaround is to use clamdwatch [1].
Also netsaint/nagios can do these checks, and may send a disturbing 
amount of SMSes ;-)

>  My clamav versions and how often they ,,hangs'':
>  (those hosts have ~100 mail users each, and small amount
>  of mails daily [~1000 mails hits smtpd, but almost ~50% are viruses])
>  # clamd -V
>  clamd / ClamAV version 0.67+CVS20040221
>  Fri Mar  5 17:20:24 CET 2004
>  Mon Mar  8 09:36:26 CET 2004

Debian anybody ;-)?
I use this version too, and found that trying to find the culprit using 
amavisd-new's leftover temp dirs or gdb-ing clamd is of just no use. So 
I started to hack amavisd-new to make a backup of every raw message 
elsewhere, to get some evidence for bug tracking.

>  [...]
>
> PS. what virus is so dumb that it tries to deliver himself to recipient,
> but prepends his victim's address with "3d" ? (eg. except to
> [EMAIL PROTECTED], he sends himself to [EMAIL PROTECTED])

Non-proper quoted-printable decoding. "=3d" == '='.

[1] http://mikecathey.com/code/clamdwatch/

> Best regards,
>  a. (a new clamav user ;-))

Thomas (a long standing one ;-))





Re: [Clamav-users] FreshClam fail to connect database.clamav.net

2004-03-09 Thread Thomas Lamy
Seve Ho wrote:

I have been unable to use freshclam to update for 2 days,
My machine is a Freebsd 5.1 with ClamAV version devel-20040306 ( This is 
a CVS version )

following are when on the screen when i run freshclam

# freshclam
ClamAV update process started at Tue Mar  9 12:20:42 2004
SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES
ERROR: Can't get information about database.clamav.net host.
ERROR: Connection with database.clamav.net (IP: ???) failed.
Trying again...
ClamAV update process started at Tue Mar  9 12:21:58 2004
SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES
ERROR: Can't get information about database.clamav.net host.
ERROR: Connection with database.clamav.net (IP: ???) failed.
Trying again...
ClamAV update process started at Tue Mar  9 12:23:14 2004
SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES
ERROR: Can't get information about database.clamav.net host.
ERROR: Connection with database.clamav.net (IP: ???) failed.
Giving up...
Could anyone suggest any reason for that? Is it problems of 
database.clamav.net or my problem?
I tried to ping database.clamav.net and I find high packet loss rate(83%)

From this output, the problem seems to be a DNS problem (on your side). 
Do you get (fast) answers to either
host database.clamav.net
or
nslookup database.clamav.net
on exactly this server, as the clamav user? Is your /etc/resolv.conf 
configured properly, and is read access turned on for the clamav user?

Thomas



Re: [Clamav-users] clamd and Amavis-new conflict?

2004-03-08 Thread Thomas Lamy
Michael Shekman wrote:

I have an Amavis-new - SA - Postfix installation, and for some reason have never been able to make clamd work with amavisd; it looks like they just don't see each other. At every mail checked amavisd.log has a message:

amavisd[950]: (00950-05) No anti-virus code loaded, skipping this section #(numbers, obviously, vary),

even though clamd was started manually, the path to socket name (clamd.sock) is identical in amavisd.conf and clamd.conf, both amavisd and clamd are ran as amavisd:amavisd, and all the permissions are set correctly (I hope...) .

The clamd.log (debugged to the console) looks like:

LibClamAV debug: Unpacking /tmp/74845765092f738c/COPYING
LibClamAV debug: Unpacking /tmp/74845765092f738c/viruses.db2
LibClamAV debug: Loading databases from /tmp/74845765092f738c
LibClamAV debug: Loading /tmp/74845765092f738c/viruses.db2
LibClamAV debug: set stacksize to 262144
LibClamAV debug: Stat()ing files in /usr/local/share/clamav
LibClamAV debug: Stat()ing files in /usr/local/share/clamav
and never adds to the last line - i.e., clamd doesn't take anything from amavisd.

I am running Freebsd5.2, clamav-067-1 and amavisd-new-20030616-p7.

Thank you.

Maybe you have set
@bypass_virus_checks_acl
to something weird that prevents amavisd-new from loading its av code. 
Better leave this list undefined (comment it out).

Thomas





Re: [Clamav-users] clamd is crashing

2004-03-06 Thread Thomas Lamy
Asif Iqbal wrote:

> I had to downgrade it to v 0.65 to fix the problem
>
> Asif Iqbal wrote:
>
>> Hi All
>>
>> This is the first time I am using clamd. I just installed it with
>> gmp-4.1.2
>> I am getting this error message when trying to start clamd
>>
>> LibClamAV debug: Loading databases from /usr/local/share/clamav
>> LibClamAV debug: Loading /usr/local/share/clamav/main.cvd
>> LibClamAV debug: /usr/local/share/clamav/main.cvd: CVD file detected
>> LibClamAV debug: in cli_cvdload()
>> LibClamAV debug: MD5(.tar.gz) = a20b254aa5f6b97dcafc115a63c8af4e
>> LibClamAV debug: Decoded signature: a20b254aa5f6b97dcafc115a63c8af4e
>> LibClamAV debug: Digital signature is correct.
>> LibClamAV debug: in cli_untgz()
>> LibClamAV debug: Unpacking
>> /var/tmp//90083ea95c8918b590083ea95c8918/COPYING
>> LibClamAV Error: Cannot create file
>> /var/tmp//90083ea95c8918b590083ea95c8918/COPYING.
>> LibClamAV Error: cli_cvdload(): Can't unpack CVD file.
>> LibClamAV debug: cl_loaddbdir(): error loading database
>> /usr/local/share/clamav/main.cvd
>> ERROR: CVD extraction failure.
>> Segmentation Fault
>> I already downloaded the CVD files using freshclam
>>
>> This is how my clamav.conf file looks like
>>
>> DatabaseDirectory /usr/local/share/clamav
>>
>> FixStaleSocket
>> TCPSocket 3310
>> TCPAddr 127.0.0.1

FixStaleSocket has no effect on TCP sockets, but this is ok.

>> User clamav

Does the user clamav have write access to /var/tmp (see debug log, it 
tries to write to /var/tmp/90083ea95c8918b590083ea95c8918/COPYING)?

>> Any help/suggestion would be greatly appreciated






Re: [Clamav-users] clamscan detects clamdscan does not

2004-03-06 Thread Thomas Lamy
Lucas Albers wrote:

> There are two viruses that clamscan detects, and clamdscan does not.
> using clamav .67-6 via the debian package.
> clamscan -r --stdout --disable-summary --mbox --infected ./
> ENTIRE_MESSAGE: Worm.Mydoom.F FOUND
> LibClamAV Warning: Multipart MIME message contains no boundary lines
> ENTIRE_MESSAGE: Worm.SomeFool.Gen-1 FOUND
> clamdscan -r --stdout --disable-summary --mbox --infected ./
> ./: OK
> I have all the pertinent options enabled in clamav.conf, and am not sure
> why it does not detect it.
> #To reconfigure clamd run #dpkg-reconfigure clamav-daemon
> LocalSocket /var/run/clamd.ctl
> StreamMaxLength 15M
> ArchiveMaxFileSize 15M
> ArchiveMaxRecursion 5
> ArchiveMaxFiles 1500
> ScanArchive
> StreamSaveToDisk
> ArchiveMaxRecursion 5
> ArchiveMaxFiles 1000
> ArchiveMaxFileSize 10M
> ThreadTimeout 180
> MaxThreads 5
> MaxConnectionQueueLength 15
> PidFile /var/run/clamd.pid
> DataDirectory /var/lib/clamav/
> SelfCheck 3600

You're missing the ScanMail directive in clamav.conf, and there's no 
option "--mbox" for clamdscan.

Thomas

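A small check for the two points in the reply above, as an added example (not part of ClamAV and not code from any poster). It parses the config quoted in the message, reports that ScanMail is absent and that three directives are set twice, and flags --mbox on a clamdscan command line. The function names are made up for this example; which of two duplicated values clamd uses is not stated on this page, so the check only reports them.

```python
import os
import shlex

# Config exactly as quoted in the message above. In this config style a flag
# such as ScanArchive is enabled by being present on a line of its own.
POSTED_CONF = """\
#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
LocalSocket /var/run/clamd.ctl
StreamMaxLength 15M
ArchiveMaxFileSize 15M
ArchiveMaxRecursion 5
ArchiveMaxFiles 1500
ScanArchive
StreamSaveToDisk
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000
ArchiveMaxFileSize 10M
ThreadTimeout 180
MaxThreads 5
MaxConnectionQueueLength 15
PidFile /var/run/clamd.pid
DataDirectory /var/lib/clamav/
SelfCheck 3600
"""

# Directives this page names as needed for the daemon to look inside mail.
NEEDED_FOR_MAIL = ("ScanMail", "ScanArchive")


def parse_conf(text):
    """Return (line number, directive, value) for every non-comment line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((lineno, parts[0], value))
    return entries


def lint_conf(text, needed=NEEDED_FOR_MAIL):
    """Report missing mail-scanning directives and directives set more than once."""
    seen = {}
    for lineno, key, value in parse_conf(text):
        seen.setdefault(key, []).append((lineno, value))
    findings = [("missing", key, []) for key in needed if key not in seen]
    for key, hits in seen.items():
        if len(hits) > 1:
            distinct = {value for _, value in hits}
            kind = "conflict" if len(distinct) > 1 else "duplicate"
            findings.append((kind, key, hits))
    return findings


def check_invocation(cmdline):
    """Warn when --mbox is passed to clamdscan, which per the reply has no such option."""
    argv = shlex.split(cmdline)
    if argv and os.path.basename(argv[0]) == "clamdscan" and "--mbox" in argv[1:]:
        return ("clamdscan has no --mbox option; whether mail is decoded is "
                "decided by ScanMail in the daemon's config")
    return None


if __name__ == "__main__":
    for finding in lint_conf(POSTED_CONF):
        print(finding)
    print(check_invocation(
        "clamdscan -r --stdout --disable-summary --mbox --infected ./"))
```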


[Clamav-users] Re: ClamAV 0.67 memory leak

2004-03-04 Thread Thomas Lamy
Matthew Trent wrote:
> On Thursday 04 March 2004 10:25 am, you wrote:
>
>> Looks good, but I've seen clamd temporarily allocate ~2x-3x a mail's
>> size, so be sure to not set the memory limit too low.
>
> Yeah, I figure it's reasonable to spike some times. I'm just real squeamish 
> because clamd managed to hard lock both of my load-balanced servers at once 
> back before the "other" memory leak fix (actually causing an outage, which is 
> the first time ever for this load-balanced, redundant setup). The OOM killer 
> choked and didn't do its job. Since then I've upgraded to a 2.6 kernel, 
> which would probably handle it better...

Hopefully.

> Anyway, I have the memory limit set at 7% (normal usage for clamd is 1.2%). 
> However, I have seen monit report mem usage of 300+ mb (30%+ of 1gb of ram), 
> and regardless of message size, that just seems like too much. What if clamd, 
> Exim, tpop3d and courier-imap all allocated a few hundred megs of memory? 
> Even with 2 gigs of mem+swap, I'd be out in no time. Seems like no one daemon 
> should ever gobble that much, even temporarily.

Also my opinion.

> I see there's a low memory usage archive option in the config file. Should I 
> consider that? (although I still think 300mb is excessive under any 
> circumstances...)

It won't buy you much. From a quick look at the sources it saves you 
some kBytes per blob (read: attachment).

>> Is the _complete_ mail (including headers) saved there? If not the
>> probability that the bug remains unrevealed is relatively high...
>
> Yeah, Exiscan tells clamd to scan that directory, so that should be exactly 
> what we need. It'll be even better than having the original email, 'cause 
> Exiscan would have already done its MIME thing and dumped the files into the 
> scanning dir.

Agreed.

>> I'm setting up some test box for my next Debian packages, and keep you
>> up-to-date with my findings.
>> Thomas
>
> Just FYI I'm using Debian stable/testing/backports.org with Exim 4.24 + 
> Exiscan13 on Linux 2.6.1.

I'm using amavisd-new (from testing) and clamav-*-0.67-[3456] on diverse 
servers.

> I'm going to CC the list so other people can benefit from this thread.

Ok.

Thomas



Re: [Clamav-users] Re: Some more evidence for my last mail ... - SOLVED

2004-03-03 Thread Thomas Lamy
Fajar A. Nugraha wrote:

> Thomas Lamy wrote:
>
>>> May I suggest a change then please?
>>> Either name it clamd.conf to describe for what it's used
>> It's already called clamd.conf, and the documentation and manpages are
>> up-to-date.
>
> Eh? Really? Which version is that?
> The latest CVS snapshot still calls it clamav.conf.
> Although the top of clamav.conf DID say
> ## Example config file for the Clam AV *daemon*
> Regards,
>
> Fajar

Oops - I'm sorry.
Renaming the config file is not a small issue given the current user 
base :-(.

Thomas



Re: [Clamav-users] Amavisd-new and Clamav TCP

2004-03-03 Thread Thomas Lamy
Hanford, Seth wrote:

> I'm using ClamAV 0.67-1, currently using Unix sockets.
>
> I'm not too familiar with UNIX sockets, but I'm comfortable with TCP sockets
> and communication.  Is clamd any more/less reliable when running over TCP?
> I started clamd briefly using TCP and was able to connect and PING it, but I
> can't get it to interface appropriately with amavisd-new.  The following is
> an excerpt from my amavisd.conf:
>
> ### http://clamav.elektrapro.com/
> ### Old socket name '/var/amavis/clamd'
> ['Clam Antivirus-clamd',
>   \&ask_daemon, ["CONTSCAN {}\n", '/var/run/clamd/clamd.sock'],
> #  \&ask_daemon, ["CONTSCAN {}\n", '127.0.0.1:3310'],
>   qr/\bOK$/, qr/\bFOUND$/,
>   qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
>
> The commented CONTSCAN line didn't work, but a similar one is found under
> OAV and other TCP based scanners.  Is this a correct syntax here? I can't
> find an example on either Amavisd-new's site or ClamAV's for using
> amavisd.conf with TCP connections.
>
> Maillog entry when using UNIX sockets:
> Mar  3 11:01:09 gabriel amavis[24627]: (24627-07) Clam Antivirus-clamd: Sending CONTSCAN /var/amavisd/tmp/amavis-20040303T103239-24627/parts\\n to UNIX socket /var/run/clamd/clamd.sock
>
> Maillog entry when using TCP sockets:
> Mar  3 10:27:48 gabriel amavis[8201]: (08201-01) Clam Antivirus-clamd: Connecting to socket /var/amavisd 127.0.0.1:3310
> Mar  3 10:27:48 gabriel amavis[8201]: (08201-01) Clam Antivirus-clamd: Can't connect to INET socket 127.0.0.1:3310: Connection refused, retrying (1)
>
> Thanks,
> Seth

You have to configure clamd with
#LocalSocket /var/run/clamav/clamd.ctl
TCPSocket 3310
TCPAddr 127.0.0.1
and restart it to make it listen to a TCP socket. Clamd uses a UNIX _or_ 
a TCP socket, not both at the same time.

Thomas
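
A small client for the clamd exchange discussed in this message, added here as an example (it is not code from amavisd-new, ClamAV or the original posts): it accepts the same two address forms as the amavisd.conf entry and applies the same three patterns to the reply. The function names and the sample replies are constructed, and it assumes clamd closes the connection after answering a single command.

```python
import re
import socket

# The three patterns from the amavisd.conf entry above, ported to Python.
CLEAN_RE = re.compile(r"\bOK$", re.M)
INFECTED_RE = re.compile(r"\bFOUND$", re.M)
NAME_RE = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$", re.M)


def parse_address(address):
    """Map an amavisd.conf-style address to (family, target)."""
    if address.startswith("/"):                    # LocalSocket path
        return socket.AF_UNIX, address
    host, sep, port = address.rpartition(":")      # TCPAddr:TCPSocket
    if not sep or not host or not port.isdigit():
        raise ValueError("expected /path or host:port, got %r" % address)
    return socket.AF_INET, (host, int(port))


def connect(address, timeout=10.0):
    """Open a stream socket to clamd, closing it again if connect fails."""
    family, target = parse_address(address)
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        # ConnectionRefusedError here means clamd is not listening on this
        # socket type (it serves either LocalSocket or TCPSocket).
        sock.connect(target)
    except OSError:
        sock.close()
        raise
    return sock


def ask_daemon(sock, command):
    """Send one newline-terminated command and read until clamd closes."""
    sock.sendall(command.encode() + b"\n")
    chunks = []
    while True:
        data = sock.recv(4096)
        if not data:          # assumption: clamd closes after one command
            break
        chunks.append(data)
    return b"".join(chunks).decode(errors="replace").strip()


def classify(reply):
    """Return (verdict, signature names) for a CONTSCAN reply."""
    if INFECTED_RE.search(reply):
        return "infected", NAME_RE.findall(reply)
    if CLEAN_RE.search(reply):
        return "clean", []
    return "error", []


if __name__ == "__main__":
    # Constructed replies, not captured from a real clamd.
    for sample in ("/tmp/parts: OK",
                   "/tmp/parts/p1: Worm.SomeFool.B FOUND",
                   "/tmp/parts: Access denied. ERROR"):
        print(sample, "->", classify(sample))
```

Against a running daemon, `ask_daemon(connect("127.0.0.1:3310"), "PING")` should return `PONG` once clamd has been switched to the TCP socket.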



Re: [Clamav-users] ClamAV 0.67 memory leak

2004-03-03 Thread Thomas Lamy
Matthew Trent wrote:

| On Tuesday 02 March 2004 09:29 pm, Jim Gifford wrote:
|
|>Here is what I see on my system, maybe it's something in the kernel your
|>using. I'm using 2.6.3
|>
|>Name:   clamd
|>State:  S (sleeping)
|>SleepAVG:   0%
|>Tgid:   751
|>Pid:751
|>PPid:   1
|>TracerPid:  0
|>Uid:0   0   0   0
|>Gid:0   0   0   0
|>FDSize: 32
|>Groups: 0
|>VmSize:21304 kB
|>VmLck: 0 kB
|>VmRSS: 12032 kB
|>VmData:19336 kB
|>VmStk: 8 kB
|>VmExe:40 kB
|>VmLib:  1840 kB
|>Threads:2
|
|
| What's the max size clamd should ever get up to? I have 'monit' running and
| checking the memory usage of clamd every 15 seconds. It HUPs it if the usage
| is above 7%. On a pretty much daily basis this happens, sometimes saying it's
| hit over 20%. I've got 1 gig of ram, so that's 200mb! I'm using current CVS
| snapshots.

I have it running (with amavisd-new) at < 20 MB all the time.  I'll
schedule a new round of leak checks this weekend/next monday. _If_
you've got some mails sorted out making clamd grow, I'd be glad to
receive them (in private of course).
Thomas



Re: [Clamav-users] Problem with *.zip atachments!

2004-03-03 Thread Thomas Lamy
Grzegorz Staleńczyk wrote:

> Hey There!
>
> I've got a problem with viri on *.zip attachments in e-mails!
>
> when I scan file.zip by hand clamscan find virus, but e-mail with this infected files
> in attachment can go (IT IS NOT STOPPED!)
> Why? What have I wrong configured?
>
> [EMAIL PROTECTED] ~]$/usr/local/bin/clamscan freaky.zip
> freaky.zip: Worm.SomeFool.B.2 FOUND
> --- SCAN SUMMARY ---
> Known viruses: 20366
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.02 MB
> I/O buffer size: 131072 bytes
> Time: 10.594 sec (0 m 10 s)
>
> Mar  3 14:53:55 mail MailScanner[11494]: /export/home2/mail/incoming/11494/./i23Dps11/portmoney.zip: Worm.SomeFool.B FOUND
> Mar  3 14:53:56 mail MailScanner[11494]: Virus Scanning: ClamAV found 1 infections
> Mar  3 14:53:56 mail MailScanner[11494]: Virus Scanning: Found 1 viruses
> Mar  3 14:53:59 mail MailScanner[11494]: Filetype Checks: Allowing i23Dps11 portmoney.zip
> Mar  3 14:54:00 mail MailScanner[11494]: Virus Scanning completed at 934 bytes per second
> Mar  3 14:54:01 mail MailScanner[11517]: Virus Scanning completed at 86 bytes per second
>
> I have run on Solaris 8, Clam AntiVirus Scanner 0.67, MailScanner 4.26.8
>
> Thanks for your help!

Please fix your MailScanner configuration. I'm of no further help, since 
I don't know MailScanner, but from the logs I can see that clamAV 
actually _found_ the virus, but MailScanner is forwarding it.

Thomas



Re: [Clamav-users] Re: Some more evidence for my last mail ... - SOLVED

2004-03-03 Thread Thomas Lamy
Thomas Seifert wrote:

> Tomasz Kojm wrote:
>
>>> I believe clamscan doesn't read clamav.conf at all; It uses hard-coded
>>> compiled settings.
>>> I might be wrong :)
>>
>> You're right - it doesn't depend on clamav.conf at all.
>
> May I suggest a change then please?
> Either name it clamd.conf to describe for what it's used
> or please use the config-file for clamscan :).
> I know, it was my fault but this might still help others.
>
> thomas

It's already called clamd.conf, and the documentation and manpages are 
up-to-date.

Thomas



Re: [Clamav-users] Worm.Bagle.F-zippwd-3 problems

2004-03-03 Thread Thomas Lamy
Rick Macdougall wrote:

> Hi All,
>
> We are getting hammered by Worm.Bagle.F-zippwd-3 and clamav isn't
> picking it up.
>
> I understand that qmail-scanner breaks apart the message so that clamav
> can not pick up the signature (and I'll look into fixing that) but the
> zip file itself is NOT password protected.  Winzip and unzip on Linux
> can unzip the file without a problem.
>
> Is this something I should submit to the team to get a signature added?
>
> I have the full email message, the actual zip and the unzipped .exe if
> needed.
>
> Regards,
>
> Rick


submit them with some notes on 
http://www.nervous.it/~nervous/cgi-bin/sendvirus.cgi ???





Re: [Clamav-users] db signatures

2004-03-03 Thread Thomas Lamy
[EMAIL PROTECTED] wrote:

> my virus signatures dropped from 20831 to 20346, is there only one server
> I should be pointing to for updates?  Are the db servers always going to
> be this much out of date?
>   thanks,
>
>  - Nick

They're not out of date (as one can see from the db versions or the 
output of sigtool --info ).
There were some false positives removed, and the database has been 
cleaned from duplicate signatures.

Thomas



Re: [Clamav-users] Clamd will NOT start

2004-03-03 Thread Thomas Lamy
Andrew Keuhs wrote:

> ----- Original Message -----
> From: "Thomas Lamy" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, March 03, 2004 3:18 AM
> Subject: Re: [Clamav-users] Clamd will NOT start
>
> Andrew Keuhs wrote:
>
>> Clamd will not start now.. i am using version .67
>>
>> It was working fine last week... we had a power outage... now when I run
>> /usr/sbin/clamd as root... it goes to next line but nothing is started...
>> Where would I look for errors? I see it has no verbose setting... So i have
>> no clue why it will NOT start
>>
>> I used this configure:
>>
>> ./configure \
>>    --prefix=/usr \
>>    --sysconfdir=/etc \
>>    --datadir=/var/clamav \
>>    --enable-milter
>>
>> Also followed this install
>> http://www.linux-sxs.org/administration/clamav-milter.html
>>
>> It was fine the day I installed it... I am using slackware v9.0. 2.4.22
>> kernel
>>
>> HELP!!!
>>
>> -Andrew
>
> Put a line
> LogSyslog
> into your /etc/clamav.conf. It should log errors there. If that doesn't
> work for you, reconfigure with "--enable-debug" and recompile.
> Thomas




> I tried what you said...
>
> Here is what was in syslog:
>
> Mar  3 04:35:42 invader clamd[15975]: Daemon started.
> Mar  3 04:35:42 invader clamd[15975]: Log file size limited to 1048576 bytes.
> Mar  3 04:35:42 invader clamd[15975]: Running as user clamav (UID 1005, GID 103)
> Mar  3 04:35:42 invader clamd[15975]: Reading databases from /var/clamav
> Mar  3 04:35:42 invader clamd[15975]: Protecting against 20359 viruses.
>
> That's all I see yet it never is starting :/
>
> Also what is --enable-debug supposed to do... I tried that but I see nothing
> diff when it starts up.

You should then also put a "Debug" line into the conf file.
Anyway, the log suggests that clamd _is_ running. Maybe you can find 
some evidence in clamd's native logfile (you seem to have one, see your 
config file).

Thomas



Re: [Clamav-users] Clamd will NOT start

2004-03-03 Thread Thomas Lamy
Andrew Keuhs wrote:

> Clamd will not start now.. i am using version .67
>
> It was working fine last week... we had a power outage... now when I run /usr/sbin/clamd as root... it goes to next line but nothing is started... Where would I look for errors? I see it has no verbose setting... So i have no clue why it will NOT start
>
> I used this configure:
>
> ./configure \
> --prefix=/usr \
> --sysconfdir=/etc \
> --datadir=/var/clamav \
> --enable-milter
>
> Also followed this install http://www.linux-sxs.org/administration/clamav-milter.html
>
> It was fine the day I installed it... I am using slackware v9.0. 2.4.22 kernel
>
> HELP!!!
>
> -Andrew

Put a line
LogSyslog
into your /etc/clamav.conf. It should log errors there. If that doesn't 
work for you, reconfigure with "--enable-debug" and recompile.

Thomas



Re: [Clamav-users] ClamAV 0.67 memory leak

2004-03-03 Thread Thomas Lamy
(please don't top-post!)

Nigel Kukard wrote:
> On Wed, Mar 03, 2004 at 12:42:48AM +0100, Thomas Lamy wrote:
>
>> Nigel Kukard wrote:
>>
>>> Anyone seen this...
>>>
>>> 3843 ?S  0:00 clamd
>>> 3846 ?S  0:01  \_ clamd
>>> 3847 ?S  0:03  \_ clamd
>>>
>>> when i cat the /proc/3843/status file...
>>>
>>> Name:   clamd
>>> State:  S (sleeping)
>>> Tgid:   3843
>>> Pid:3843
>>> PPid:   1
>>> TracerPid:  0
>>> Uid:0   0   0   0
>>> Gid:0   0   0   0
>>> FDSize: 32
>>> Groups: 0
>>> VmSize:   210900 kB
>>> VmLck: 0 kB
>>> VmRSS: 22940 kB
>>> VmData:   209128 kB
>>> VmStk:16 kB
>>> VmExe:36 kB
>>> VmLib:  1672 kB
>>
>> Which version exactly (I guess it's 0.67 release, but better safe...),
>> on which OS/Distribution ?
>> I've not seen huge mem leaks in clam since its 0.65 days, and I tend to
>> check this every now and then with "valgrind".
>>
>> Thomas
>
> sorry, it's 0.67. seems the VM kills it when it uses up all the RAM,
> couldn't this be other people's problems as well? I mean i see quite a few
> people saying clamd just dies?

Yes, but that's another issue which is supposed to be finally fixed in 
CVS; a new release candidate should pop up soon.

Again, which Distro/Version and kernel? Did you compile from source or 
do you use some binary (from where)?

Thomas



Re: [Clamav-users] ClamAV 0.67 memory leak

2004-03-02 Thread Thomas Lamy
Nigel Kukard wrote:

> Anyone seen this...
>
>  3843 ?S  0:00 clamd
>  3846 ?S  0:01  \_ clamd
>  3847 ?S  0:03  \_ clamd
>
> when i cat the /proc/3843/status file...
>
> Name:   clamd
> State:  S (sleeping)
> Tgid:   3843
> Pid:3843
> PPid:   1
> TracerPid:  0
> Uid:0   0   0   0
> Gid:0   0   0   0
> FDSize: 32
> Groups: 0
> VmSize:   210900 kB
> VmLck: 0 kB
> VmRSS: 22940 kB
> VmData:   209128 kB
> VmStk:16 kB
> VmExe:36 kB
> VmLib:  1672 kB

Which version exactly (I guess it's 0.67 release, but better safe...),
on which OS/Distribution ?
I've not seen huge mem leaks in clam since its 0.65 days, and I tend to
check this every now and then with "valgrind".

Thomas



Re: [Clamav-users] Re: debian-sid package broken

2004-03-02 Thread Thomas Lamy
Derrick 'dman' Hudson wrote:

> On Tue, Mar 02, 2004 at 12:00:28PM +0800, Me Its wrote:
> | I am using debian - sid, but I got error when I apt-get upgrade, when
> | it tries to install the new ClamAV
>
> | What should I do next ?
>
> Look for a related bug report on http://bugs.debian.org.  If there is
> none, report the bug.  At any rate, this is a debian packaging issue,
> not a clamav one.
>
> -D
>
> PS  It is a good idea to know this before running "unstable".  It's a
> little safer to run "testing" instead, if you aren't that
> comfortable with running into such issues at times.

This is a known bug in clamav-base_0.67-5, and 0.67-6 was uploaded last 
night.

Thomas



Re: [Clamav-users] Clamscan not detecting virus

2004-03-01 Thread Thomas Lamy
Matthew Daubenspeck wrote:
> I am using the backported.org package of ClamAV:
>
> $ clamscan --version
> clamscan / ClamAV version 0.67+CVS20040221
>
> So far clam has been catching 90% of the viruses that are sent to the
> server, but it has missed a few others. I downloaded the specific virus
> itself and tried to submit it using the online scanner
> [http://www.gietl.com/test-clamav/] and the results are:
>
> File is valid, and was successfully uploaded.
>
> clamav scans the file ...
>
> Clamav-Output:
>
> /tmp/phpDkbyoR: Worm.SomeFool.B FOUND
>
> And found something:
> Worm.SomeFool.B
>
> Since clamav already recognizes the content you submitted there is no
> reason to resubmit it.
>
> But my local copy is not working. I checked the syslog and it says
> nothing other than the message is clean. Any ideas where to start
> checking?

What is your exact setup, i.e. what is the "glue" between your mailer 
and clam? clamav-milter, amavisd-new, ... ?

If in doubt, please send me (an URL to) the sample in private (I'm the 
co-maintainer for debian packages).

Thomas



Re: [Clamav-users] libclamav question

2004-03-01 Thread Thomas Lamy
Jose Marcio Martins da Cruz wrote:

> Hello,
>
> libclamav has three functions to scan an object : cl_scanbuff,
> cl_scandesc and cl_scanfile. Only cl_scanbuff doesn't have the parameter
> "options". What kind of objects are scanned by cl_scanbuff ?

Memory buffers. This needs no "options", as it is supposed to be the 
very last function called in the scan process. The others get flags for 
"ScanMail", "ScanArchive" etc via their "options" argument.

Thomas

PS: This question had better fit to clamav-devel...


