Re: [clamav-users] Windows packaging
On 06/25/12 15:55, Tom Judge wrote:
> Exclusion of the necessary msvc* runtime libraries
> The inclusion of them helps lower the barrier to entry for people to try ClamAV on windows.

So why have you removed them?

> Inclusion of the previously separate libclamunrar libs
> There is no reason for us to package these separately, by including them we again reduce the barrier to entry for people.

FYI unrar license is incompatible with the GPL. That was the rationale in the packaging.

-- acab
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

Re: [clamav-users] Identifying all infections in a file...
On 06/08/12 15:26, Matt Olney wrote:
> Maarten,
> There currently isn't a way to do this. We could look at doing that in a future release. Feel free to put a bug in https://bugzilla.clamav.net/ and we'll consider it.

Hey Matt,
As per the ML rules[*] please avoid top posting or quoting excessively large chunks when replying.

Thanks,
-- acab

[*] http://lists.clamav.net/mailman/listinfo/clamav-users
http://wiki.clamav.net/Main/TopPost

Re: [clamav-users] [Clamav-users] problem with clamav-milter recipient notification
On 05/24/12 16:54, Giles Coochey wrote:
> Was a bug / feature request ever opened for this? Was it ever fixed?

Yup, https://bugzilla.clamav.net/show_bug.cgi?id=2879

Cheers,
-- aCaB

Re: [clamav-users] How can I whitelist certain sender with clamav-milter
On 04/26/12 14:53, Gary Yao wrote:
> is there a way I can tell postfix to whitelist this sender?

Gary,
I don't know about Postfix but you can do some whitelisting in the milter. There is a dedicated Exclusions section in its config file[*]. You may want to give a look at it.

Cheers,
-- aCaB

[*] http://git.clamav.net/gitweb?p=clamav-devel.git;a=blob;f=etc/clamav-milter.conf;h=decf06bca33265a66f1482e25782161f7f1e6039;hb=HEAD#l96

Re: [clamav-users] Google Chrome infected?
On 04/24/12 01:31, Frank Chan wrote:
> 5974bc2d26dc0f1e9755ccc2806cfda2 chrome.dll
> 9652e7d2d40f72c4f4acec0e2dea28a1 chrome.7z

I'm sorry Frank, it appears the upload wasn't successful. I can't find either :/

Cheers,
-- acab

Re: [clamav-users] Google Chrome infected?
On 04/18/12 23:10, Frank Chan wrote:
> 9652e7d2d40f72c4f4acec0e2dea28a1 chrome.7z
> 5974bc2d26dc0f1e9755ccc2806cfda2 chrome.dll

Hi Frank,
Have you submitted them on http://www.clamav.net/sendvirus/submit-fp/ ? I can't seem to find them in our zoo. If you haven't yet please do, so they can be processed ASAP.

Cheers,
-- aCaB

Re: [clamav-users] trouble compiling clamav 0.97.4
On 04/17/12 17:19, Jasowicz, Artur wrote:
> cat /etc/redhat-release
> CentOS release 5.8 (Final)
> uname -a
> Linux xx.xx.com 2.6.18-128.1.16.el5xen #1 SMP Tue Jun 30 07:20:15 EDT 2009 i686 athlon i386 GNU/Linux
> Trying to configure clamav with:
> configure --enable-milter --disable-zlib-vcheck

Jasowicz,
You forced configure to skip a check which is there in order to avoid us being flooded with clamd crashed bug reports where bzip2 really fails. Configure obeys but it tells you that you are on your own. If your clamd crashes, good luck.

Of course if you go through the trouble of tracing the crash and be sure that it's not related to bzip2 (or other configure things you might have messed around with) then you are still welcome to submit a bug report :)

Cheers,
-- aCaB

Re: [clamav-users] ClamAv 0.97.4 win32/64 binaries
On 03/16/12 10:54, Steve Basford wrote:
> Hi,
> Any eta on an update to v0.97.4 here...
> http://sourceforge.net/projects/clamav/files/clamav/win32/

I'm building them right now, so probably your late afternoon.

BTW, please don't hijack other threads...

-- aCaB

Re: [clamav-users] Exempting certain users from scanning
On 02/03/12 14:48, Jerry wrote:
> sasl_username=t...@pc.network.net
> [...]
> SkipAuthenticated file:/etc/good_guys
>
> /etc/good_guys
> tom

Hi Jerry,
This will have to be: t...@pc.network.net

> Also, is case folding being used in this scenario by the clamav-milter?

Yes, the matching is case insensitive.

--aCaB

Re: [clamav-users] How can I have clamd reject items that can't be scanned?
On 11/08/11 17:41, Peter Bradeen wrote:
> I see that there are ways to limit the level of archive that will be scanned as well as the size of the entities to be scanned. Is there a way for CLAMAV to then flag them as not allowed? Seem that if you can't scan it, it should be rejected.

Hi Peter,
Long ago there were a set of options going under the name of ArchiveBlockMaxXXX. They were really intended to keep the engine safe from loops and abuse, but in the end they did more or less what you ask.

The options were dropped because they gave us a lot of headaches with complaints and FP reports (you can still google oversized.zip and enjoy the flames). Before dropping the said options a poll was conducted on this very board and the general consensus was that the option was pointless and to be dropped.

Long story short, we understand exactly the scenario you describe and the question you raise. However it's very unlikely that such a feature is going to be added in the future.

Cheers,
--aCaB

[clamav-users] git.clamav.net down?
Luca,
My commit seems to have been pushed [*]. But it seems it didn't propagate to git.clamav.net. Also no commit email is showing up and the bbot wasn't triggered. Is there anything wrong?

[*]
acab@1337ness:~/git$ git push origin HEAD
Counting objects: 12, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 844 bytes, done.
Total 7 (delta 5), reused 0 (delta 0)
ssh: connect to host git.clamav.net port 22: Connection timed out
fatal: The remote end hung up unexpectedly
To a...@git.clam.sourcefire.com:/var/lib/git/clamav-devel.git
47aae0e..ce048a0 HEAD -> master
acab@1337ness:~/git$ git push origin HEAD
Everything up-to-date
acab@1337ness:~/git$ git pull
Already up-to-date.

Cheers,
Albe

Re: [clamav-users] git.clamav.net down?
Sorry folks, wrong ML.

Re: [clamav-users] How to distinguish phiching signatures?
On 09/05/11 16:18, Matus UHLAR - fantomas wrote:
> Do you have an idea how should I detect if a mail is a phish, or any other content (which?) that should our abuse@ team know about?

Hi Matus,
You are supposed to recognize phishing from the virus names, for example using a regex like:
^(Email|HTML)\.Phishing

Mind you, there are currently 2 spurious entries which are likely not intended to be there. I'm gonna fix them this week:

acab@barney:~$ sigtool -l | grep -i phish | egrep -v '^(HTML|Email)[.]Phishing'
Catphish.698.A
Catphish.698.B
E-Mail.Phishing.SMT
PDF.Phishing

HtH,
Albe

Re: [clamav-users] The error log message milter=clmilter, tempfail
On 08/19/11 19:13, Michael Wu wrote:
> We will see the following messages in the clamav milter's logs :
> ERROR: clamfi_eom: FD send failed: Broken pipe
> ERROR: FD send failed

Michael,
Looks like clamd went down. Or was bored for the long wait time and shut the socket down. Either way you probably have some corresponding error in clamd.log. Can you look them up as well?

Cheers,
--aCaB

Re: [clamav-users] Virus database in tarball
On 06/24/11 11:09, Sergey wrote:
> Whether to place the virus database in tarball ? It becomes obsolete very quickly and takes up space. Update is required after installation in any case.

Hi Sergey,
this has been discussed many times already. Rationale is: shipping the db in the tarball helps a lot in reducing load and bw usage on our mirrors (which are provided for free to all our userbase) and still allows for quick incremental updates.

Cheers,
-aCaB

Re: [clamav-users] 0.97.1 rumor pile? bad safebrowsing update file?
On 06/21/11 20:25, Michael Scheidell wrote:
> I can't reproduce it, but installed clamav 097.1 on several amd64 boxes, and i386 boxes running freebsd 7.3

Hi Michael,
do you have any chance to attach gdb to the stuck clamd?

Cheers,
-aCaB

Re: [clamav-users] Solaris 10 compile / unit_tests unrar problem
On 06/21/11 22:54, Paul Kraus wrote:
> I suspect that this is either a unit_tests issue -or- an issue with how the static executables get built.
> [...]
> $ ./configure --disable-clamav --enable-check --enable-static --disable-shared

Hi Paul,
Static unrar is unlikely to work since libclamav dlopen()'s it due to license restrictions and incompatibilities. Do you really need a static build?

Cheers,
-aCaB

Re: [clamav-users] announcing ClamAV 0.97.1
On 06/10/11 12:18, Steve Basford wrote:
> Can't see the windows binaries for 0.97.1 yet?
> http://sourceforge.net/projects/clamav/files/clamav/win32/

Hi Steve,
Luca's on holidays. He'll upload them as soon as he reaches a PC, probably later today.

Cheers,
-aCaB

Re: [clamav-users] problem with clamav-milter recipient notification
On 05/24/11 17:48, Annette Jaekel wrote:
> If I understood right, the script gets the recipients from the sendmail macro rcpt_addr. Now clean mails go through clamav-milter and deliver to all recipients. But always if a virus is found for a mail with more than one recipient, only the last recipient gets a notification.

Hi Annette,
You understand it right. The macro likely gets overwritten at each new recipient. I should really hook xxfi_envrcpt and build a dynamic list for each message... But then I also need to rework the VirusAction handler and logging to go through it and act accordingly without breaking legacy apps. In a word, it's no quick fix :(

Please open a bug/feature request on the bugzilla. I'll take care of it when time permits.

Thanks,
-aCaB

Re: [clamav-users] Access has been denied page
On 04/16/11 16:48, Nathan Gibbs wrote:
> Do you mean something like.
> cat daily.cvd | sigtool -mdb daily.mdb

That won't work. If you want to use an official db you should use sigtool --unpack.
Alternatively you can forge your own custom db. E.g.:

acab@1337ness:/tmp$ echo this is an example > scanme
acab@1337ness:/tmp$ sigtool --md5 scanme > sig.hdb
acab@1337ness:/tmp$ clamscan -d sig.hdb scanme
scanme: scanme.UNOFFICIAL FOUND

--- SCAN SUMMARY ---
Known viruses: 1
Engine version: devel-clamav-0.97-65-g82c8e33
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.006 sec (0 m 0 s)

> or Just get a 3rd party DB already.

That would work too.

-aCaB

Re: [clamav-users] Access has been denied page
On 04/17/11 05:05, Dennis Peterson wrote:
> Adding the hard-coded UNOFFICIAL reduces some liability from the Clamav team.

That! And lots of daily annoyances with FP reports too.
Which is why the suffix won't go away, nor will an option be available to get rid of it.

Cheers,
-aCaB

Re: [clamav-users] Access has been denied page
On 04/16/11 06:14, Nathan Gibbs wrote:
> Is there some test data that will cause clamd to emit the .UNOFFICIAL output without loading any 3rd party DB's

Just load any db file in non cvd/cld format.

-aCaB

Re: [clamav-users] Access has been denied page
On 04/16/11 03:56, Nathan Gibbs wrote:
> I don't think passing conf options all the way down into the library is going to work out too well. I'll try ambushing the virus name on its way back up.
> As it is I edit the source code at each build and turn it off.
> As it is I edit the source code at each build and turn bug 1754 fixes on. :-)
> Thanks for the idea, it's a good one, now if I can just catch it.

FYI you can use callbacks, in particular clcb_post_scan. See clamav.h for details.

-aCaB

Re: [clamav-users] freshclam proxy configuration
On 04/06/11 15:41, Leonardo Rodrigues wrote:
> is that possible ?

Nope, just one.

-aCaB

Re: [clamav-users] Database reload improvement
On 03/11/11 14:23, Török Edwin wrote:
> I also looked at a couple of servers where the hardware is 3-4 years old and they took 5-7 seconds to reload. But they have a high load from all mail related services they do, probably they could shave off a second or two if tested separately.
> Thanks Peter! That's in line with my expectations. Hmm, Martin Preen has quite a few 3rdparty DBs (in clamconf output), maybe those cause the load-time slowdown? Is it any faster without them?

Whatever. Still 90 secs is unreasonable especially considering the older version was way better. Let alone 3 minutes...

--aCaB

[Clamav-users] To SUSE users - configure infloops
Hi,
SUSE apparently ships a custom patched libbz2 v. 1.0.5. That is the vulnerable libbz2 but, instead of crashing it infloops on the bz2 PoC.

SUSE has not yet provided a non vulnerable libbz2 (v.1.0.6). In the meantime the quick and dirty patch found at https://wwws.clamav.net/bugzilla/attachment.cgi?id=1498 allows configure to continue.

Cheers,
--aCaB

Re: [Clamav-users] What ever happened to the Release Candidate for 0.96.3??
George Kasica wrote:
> In any case its a past event and something to keep in mind next time probably.

Hi George,
thanks for sharing your thoughts and sorry for any trouble we might have caused. There are just a couple of things I'd like to add.

The bzip bug was circulating among all the involved parties for a month or more. Additionally the original disclosure date was shifted ahead by two weeks. In such a scenario, I'd personally expect that distro packages are all ready but kept on hold until the disclosure date.

Now, even if that wasn't the case, I think it's quite unreasonable to suggest that we (3 developers) hunt down each and every distro maintainer to ack their schedules. As I see it the process is the other way around. In fact there is a clamav mailing list explicitly dedicated to package maintainers where we post the to-be-released tarball some (admittedly small) time in advance. Anyone willing to coordinate or ask for a delay can certainly do so through this channel.

If it wasn't a security release we would certainly have gone with an RC... which certainly would have mitigated most of the issues.

Cheers,
-aCaB

Re: [Clamav-users] VirusAction Question
Nathan Gibbs wrote:
> * Nathan Gibbs wrote:
>> How can I get the clamav-milter to call a virusaction script that accepts a cmd line argument?
> [snip]
> By looking at the code it appears that this common task is being implemented in three different ways. The clamav-milter way is definitely incompatible with the other two.

Hi Nathan,
The main reason the code is different is due to the fact that OnXXX executes a script (with some params) via the shell and VirusEvent does the same but additionally expands %v to the virus name.

With the milter I had to face a few more issues. On one hand I decided to drop mail notifications, which suddenly made VirusAction the most immediate and obvious work around. On the other hand, everything in the milter is arbitrary, unsanitized and potentially nasty. I considered that, for some reason, quite a few OS's/distros run the milter as root and that the old milter had security issues related to insufficient validation[1], and the decision was not to rely on the shell for executing the external scripts.

At that point I could reuse the %v logic employed by VirusEvent except that in this case I had quite a few arguments to manage and not just one. The simpler solution was to avoid % expansion and simply feed all the info I have to the invoked script. From there, the admin can do whatever s/he likes: use some params, use all of them, disregard them all.

Hope that sheds some light on the code.

Cheers,
--aCaB

[1] http://www.securityfocus.com/archive/1/477723/30/0/threaded

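The design choice described in the message above, as an added example that is not clamav-milter's code: a VirusEvent-style `%v` expansion run through the shell, next to an argument-vector call that never involves a shell. The handler, the field values and the order of fields other than the fourth (destination) are constructed assumptions.

```python
import shlex
import subprocess
import sys

# Stand-in for the admin's script (assumption): prints the arguments it
# received, separated by "|", so the caller can see exactly what arrived.
HANDLER = [sys.executable, "-c", "import sys; print('|'.join(sys.argv[1:]))"]

# Constructed sample fields. Only "seven arguments, 4th = destination" comes
# from the list posts; the other positions are assumed for illustration.
FIELDS = [
    "Eicar-Test-Signature",        # virus name
    "q1A2B3C4",                    # queue id
    "sender@example.com",          # sender
    "UNKNOWN",                     # destination, not filled in by the MTA
    "invoice; echo INJECTED",      # subject carrying shell metacharacters
    "msg-1@example.com",           # message id
    "Mon, 01 Jan 2024 00:00:00",   # date
]


def shell_template(handler):
    """Build a command line ending in %v, the way a VirusEvent line would."""
    return " ".join(shlex.quote(part) for part in handler) + " %v"


def run_via_shell(template, value):
    """Weak form: expand %v into the command line, then hand it to /bin/sh.

    The value is pasted in unquoted, so ';', '$()', backticks and friends
    are interpreted by the shell instead of reaching the handler.
    """
    cmd = template.replace("%v", value)
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout


def run_via_argv(handler, fields):
    """Hardened form: no shell, each field is exactly one argv entry."""
    done = subprocess.run(handler + list(fields), capture_output=True, text=True)
    return done.stdout


if __name__ == "__main__":
    hostile = FIELDS[4]
    print("shell expansion :", run_via_shell(shell_template(HANDLER), hostile).splitlines())
    print("argument vector :", run_via_argv(HANDLER, FIELDS).rstrip("\n").split("|"))
```

With the shell form the handler only sees `invoice` and the rest of the subject runs as a second command; with the argument vector the handler receives all seven fields verbatim and can decide what to trust.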
Re: [Clamav-users] recipient notification
Chris wrote:
> So, I wrote a nice little script, and it would work fine too, except that the 4th argument (the destination, which I took to mean the recipient) is always UNKNOWN. So, the message always fails. Maybe destination isn't supposed to mean recipient -- if that is so, what does?

Hi Chris,
I think you're doing it right. You only need to configure sendmail to fill in those macros, which, by default, it leaves blank.
It's generally only a matter of adding the following line to your .cf:

define(`confMILTER_MACROS_EOM', `{msg_id}, {mail_addr}, {rcpt_addr}, i')

HtH,
aCaB

Re: [Clamav-users] recipient notification
Chris wrote:
> I am not sure I follow your logic here though, because I thought it was clamav-milter that passes those 7 arguments (not sendmail), all of which look good, except the 4th: destination.

That's correct. But clamav-milter is just a stupid streaming bridge which knows nothing about mails. And that's by design. All the info it passes on to your script it gets from sendmail. If sendmail doesn't fill in some, you get 'UNKNOWN'.

Sendmail, by default, doesn't fill in all of the fields passed to your script, hence, you get 'UNKNOWN'. To get sendmail to fill in all the fields you need, you have to explicitly instruct it to do so. And this is done via its configuration file, using the confMILTER_MACROS_EOM as I wrote above.

Any clearer now?

-acab

Re: [Clamav-users] Problem with lha, lzh, uuencode and pgp files
DAVID BERTHIAU wrote:
> I don't know how, but my current system does, I will look if it is because the encrypted files are blocked. Is it possible to do it with clamav?

It is. Look for ArchiveBlockEncrypted in clamd.conf.

Cheers,
-acab

Re: [Clamav-users] Including DB in tarball
Jorge Valdes wrote:
> Just a suggestion: Can we also have a tarball that does not include a database?

Hi Jorge,
This has been discussed several times. The tarball includes the db in order to save some bandwidth on our mirrors. If you don't want to download the whole tarball, just pull the code via git.

HtH,
--acab

Re: [Clamav-users] safebrowsing updates CPU hog
Wolfgang Breyha wrote:
> In the last week I noticed several times that freshclam needs up to 30 minutes using a full CPU to update safebrowsing database. Most of the time the next update shows
> Empty script safebrowsing-20426.cdiff, need to download entire database
> What's wrong with safebrowsing?

There's a bug for that: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2017

--acab

Re: [Clamav-users] False Positives on PDF-Files
Andreas Krauß wrote:
> Hi,
> ClamAV 0.96 on our mail server is running very well. We ship every day many PDF files and have some false positive detections
> How can we solve the problem?

Hi Andreas,
Have you submitted the false positive files on http://cgi.clamav.net/sendvirus.cgi ?

--aCaB

Re: [Clamav-users] freshclam, updates and EOL.
Jobst Schmalenbach wrote:
> Hi.
> I have been following the thread about EOL and Move to next version of clamav which stopped a few mailservers ... I do not want to take sides here, this is NOT what this email is about. This is a suggestion.

Mind posting your suggestions to the bugzilla? So others can contribute and there are less chances that it'll be forgotten?

Thanks,
--acab

Re: [Clamav-users] Update problem on daily.cld
Test Andrea wrote:
> http://nopaste.info/6ce68caae7.html

Ciao Andrea,
I assume from your address that you are based in Italy. The problem is very likely related to db.it.clamav.net failing to properly sync the database files. These kinds of issues are generally only temporary and are fixed within a few days.

In the meantime you can either ignore the error or temporarily add another DatabaseMirror directive in freshclam.conf (specify another european mirror like db.de.clamav.net). If you choose to add a mirror make sure that you also remove mirrors.dat as by now freshclam has probably blacklisted all the servers.

HtH,
-acab

Re: [Clamav-users] Update problem on daily.cld
Adam Stephens wrote:
> I'm seeing a similar problem, and I believe it's another issue caused by ClamAV's aggressive policy of disabling older software versions. If I run freshclam with debug options I see errors like this:

As stated multiple times ClamAV's aggressive policy of disabling older software versions has got nothing to do with what mirrors do. In fact, as stated multiple times, the clamav project has got no control over the mirrors nor their admins which are left completely free to make use of THEIR bandwidth as THEY prefer. Banning old versions is THEIR option as is THEIR choice to serve older clients.

> If you're running an OS that hasn't packaged 0.96 yet, I think you now need to build ClamAV from source if you want timely signature updates. The odd thing is the ClamAV website still recommends using the Debian Volatile packages.

Right. Because, as everybody knows, the clamav guys maintain Debian and have control over volatile...
...and world hunger must be the clamav folks fault as well.

Anyway, that being said (for the millionth time), feel free to keep complaining about free services and people behind them as much as you like. This thread is dead for me.

--aCaB

Re: [Clamav-users] Update problem on daily.cld
Adam Stephens wrote:
>> This thread is dead for me.
> I'm delighted to hear it. Your contribution to date has been ill-informed, rude, and completely unhelpful.

I apologize for being dense and overreacting. The echoes of the recent flames are still in my mind...

Back to topic
0.96+dfsg-4~volatile1 was accepted a couple of days ago and it's digging its way to the mirrors. It shouldn't take long till all archs are built and the debs are available.

--acab

Re: [Clamav-users] clamav-daemon didn't recognise attached virus
Paul Whelan wrote:
> I think your amavis tried to decode the message, and pass only parts of it to ClamAV.
> In general then, clamav may only recognise some malware when it is still attached to a mail message and not after it has been separately stored. Is that correct?

It may or may not, depending on the message and the signature that catches it. Since clamav internally process the mail message and all its attachments anyway, having this done twice (by amavis and by clamav) is probably pointless...

---acab

Re: [Clamav-users] No debian woody support anymore?
h...@dip-systems.de wrote:
> Is there no more support for this Debian Release?

Debian Woody became old-stable in Jun 2005 and support was discontinued since June 2006. Your version of ClamAV is also obsolete.

--aCaB

Re: [Clamav-users] The EOL tweets
Paul Reading wrote:
> I am using OSX Server 10.4.11 and it is at least five years old and the latest version of Snow Leopard server includes a more recent version of clamav. I assumed that the use of clamav was negotiated by Apple and Clamav and that there would have been some direct contact. The Apple boards are full of users with dead mail servers.

No negotiation needed, it's free software. Apple takes it and packages it as they like. They decide what version to ship and if/when to deliver updates. No questions asked.

--acab

Re: [Clamav-users] The news keeps getting better
lists wrote:
> Multiple vulnerabilities has been found and corrected in clamav:

Guys,
just a bit of generic (i.e. not specific to the above) background about such evasion advisories.

How it works aka how to get fame and glory with no effort (nor skills):
1. Pick up eicar.com and pack it up with the chosen archive type
2. Fuzz it into several thousand different files
3. Run N unpacking utilities and M AV toolkits against the above fileset
4. Find any tool in N succeeding against a sample for which at least one AV in M fails
5. Get yourself a 1337 name and post your 3v4510n!!1 advisory
6. Wait for mitre to pick it up and assign a CVE id to it (don't worry no matter how crappy or inaccurate your description is, they surely will)

Now this sounds quite severe, doesn't it? Since an antivirus is a security tool, if we can bypass it then we have a security bug. And that's quite correct.

However (and that's what most people don't realise), is an archive handler bypass sufficient to bypass the AV as a whole? Fortunately no.

ClamAV (but I'm sure this is the case with every other AV on the planet) uses archive and runtime packers handlers as mere helpers. They simply make it easier and more efficient to write signatures. But nothing stops us from publishing signatures against the raw archive. In fact, that's exactly what we do against archive formats and runtime packers that we don't currently handle.

So, what's the practical impact of evasion sploits?
In most cases, close to zero.

How many malicious samples have we seen that actively exploit archive evasion?
Zero.

What happens if, in the future, we'll see malware exploiting them?
We'll simply catch them with a signature (or bytecode) based on the raw archive file.

What happens when we receive such advisories?
We file comments to the reporter and, in the next stable version, we improve the code to handle more bastardized samples. We then notify the reporter which in no case have ever bothered to integrate our comments.

Oh and one final note about the accuracy:

> ClamAV before 0.96 does not properly handle the (1) CAB and (2) 7z file formats, which allows remote attackers to bypass virus detection via

It's quite funny to hear that the 7z handler is vulnerable in versions < 0.96 because it was, in fact, introduced in 0.96... :)

Cheers,
--acab

Re: [Clamav-users] LibClamAV Error: Can't load /usr/share/clamav/daily.cvd: Malformed database
Christian Gonzalez wrote:
> Hi list,
> As many, I've been affected by 0.94 EOL process. I successfully upgraded Clamav to 0.96 version but I'm still suffering from not being able to use it. I got this error:

Hi Christian,
please open a ticket at http://bugs.clamav.net
Just copy/paste the info in your email and also state your zlib version and attach the problematic daily.cvd.

Cheers,
acab

Re: [Clamav-users] clamav-0.96rc1-19.1.i586.rpm
Si St wrote:
> What's the difference between:
> clamav-0.96rc1-19.1.i586.rpm
> and:
> clamav-0.96-27.1.i586.rpm ?

The RC is a release candidate package. It was issued before the final 0.96 release (the non-RC package).

> I am thinking of the RC specification of the package. Which one should I choose for my SLED_10_SP3?

There you go http://software.opensuse.org/search?baseproject=SUSE%3ASLE-10p=1q=clamav

Re: [Clamav-users] ClamAV over Network
Michelle Konzack wrote: SpamAssassin works already, but what must I do if I like to use ClamAV over network with 4-12 scanning machines?. Hi Michelle, a definite answer would require a better knowledge about your environment. Also I'm not a courier-mta user. However here are some generic suggestions that may help you. First of all, ClamAV is generally faster and much less resource hungry than SpamAssassin. The obvious choice is to set ClamAV first, SA next. Second, avoid middleware generated overhead whenever possible. As an example if your MTA can interface natively with SA and clam, then don't use amavis. If it can't then just use amavis as a glue and disable all its checks. Of course both suggestions imply that you don't care about amavis functionalities and just use it as a glue. Since I've discussed amavis, please also be aware that, under the most common config, it will cause each message to be basically scanned twice: each attachment separately first, then the full message (with all the attachments). If you can just let clamav scan only the full message. Third, carefully balance latency and performance. You can control the number of scanning threads in clamd via the MaxThreads directive. Performance wise, the optimal number of threads is something between N and N*2 (with N+1 or N+2 being likely the absolute best) where N is the total number of cpu cores. Please note however that when all the scan threads are busy, further requests will be queued and possibly refused. You certainly want to have enough threads available so that scan requests from the mta are not refused or delayed for too long. At the same time avoid an excessive amount of threads as this only wastes resources. Fourth, avoid IO as much as possible. Despite the fact that clamav mostly bottlenecks on the cpu, disk IO can very badly impact the performance of clamd in busy environments. Besides reading the files to be checked, clamd may internally generate quite a few temporary files. 
Under small load these files are very short lived and never really touch the disk, hence no time is spent on IO. However, under heavy load, the kernel may decide to actually commit them to the disk (or to the journal) in order to free some memory. This increases iowait and negatively affects the scan performance. If you have the choice, pick a box with more ram and slower disks and use tmpfs for the clamd tempdir and the mta (or amavis) scan spool (not the mail spool directory!). Back to your specific issue, clamd can scan streams from the network. All you have to do is to set up a tcp socket instead of (or in addition to) the unix socket. Then you need a clamd client that can properly communicate to a remote clamd. Since clamav-milter is not an option in your case, the most obvious choice is probably clamdscan via a tiny courier perlfilter script or via amavisd. Finally if you have more clamd's than mta's then you may want to fairly distribute (load balance and fail over) scan requests to all the available scanners. Again you have several options here ranging from writing a piece of perl filter to manage the scan requests, to routing mails to a second line of mta's (or amavisd's) in a (possibly dns based) round robin fashion. HtH, --acab ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
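The setup described in the reply above (clamd listening on a TCP socket, scan requests spread over several scanners with failover), sketched as an added example that is not part of the original post or of ClamAV itself. It speaks clamd's INSTREAM command; the host names, the class and function names and the chunk size are assumptions made for illustration.

```python
import itertools
import socket
import struct

CHUNK = 64 * 1024  # assumed chunk size; total size is still bounded by clamd's StreamMaxLength


class ScanError(Exception):
    """No usable verdict was obtained; callers should tempfail, never deliver."""


def frame_instream(data: bytes, chunk_size: int = CHUNK) -> bytes:
    """Build one INSTREAM request: command, length-prefixed chunks, zero-length terminator."""
    out = [b"zINSTREAM\0"]
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        out.append(struct.pack("!I", len(chunk)) + chunk)  # 4-byte big-endian length
    out.append(struct.pack("!I", 0))
    return b"".join(out)


def parse_reply(raw: bytes):
    """Map a clamd reply to ('clean', None) or ('infected', signature); anything else is an error."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.endswith(" FOUND"):
        return "infected", text[:-len(" FOUND")].split(": ", 1)[-1]
    if text.endswith(": OK"):
        return "clean", None
    # Empty replies, size-limit errors and the like must not be read as "clean".
    raise ScanError(text or "connection closed without a reply")


def scan_on(sock, data: bytes):
    """Send the message over an already connected socket and read the single reply."""
    sock.sendall(frame_instream(data))
    buf = b""
    while not buf.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:
            break
        buf += part
    return parse_reply(buf)


class ClamdPool:
    """Round-robin over several clamd TCP sockets, failing over to the next on error."""

    def __init__(self, servers, timeout=10.0, connect=socket.create_connection):
        if not servers:
            raise ValueError("at least one clamd server is required")
        self.servers = list(servers)
        self.timeout = timeout
        self.connect = connect  # injectable so the pool can be exercised offline
        self.rotation = itertools.cycle(range(len(self.servers)))

    def scan(self, data: bytes):
        """Return (server, verdict); raise ScanError when every scanner failed."""
        start = next(self.rotation)
        errors = []
        for i in range(len(self.servers)):
            addr = self.servers[(start + i) % len(self.servers)]
            try:
                with self.connect(addr, timeout=self.timeout) as sock:
                    return addr, scan_on(sock, data)
            except (OSError, ScanError) as exc:
                errors.append((addr, repr(exc)))
        raise ScanError(f"all scanners failed: {errors}")


if __name__ == "__main__":
    # Constructed host names; 3310 is the port commonly used for clamd's TCPSocket.
    pool = ClamdPool([("scan1.example.net", 3310), ("scan2.example.net", 3310)])
    try:
        print(pool.scan(b"constructed test message body"))
    except ScanError as exc:
        print("tempfail:", exc)
```

A filter built on this should answer with a temporary failure when `ScanError` is raised, so that an unreachable or overloaded scanner pool never turns into unscanned mail being accepted.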
Re: [Clamav-users] Sender and recipient of blocked messages not appearing in logs, only UNKNOWN
Nathan Gibbs wrote: * Dennis Peterson wrote: This simple idea can be added to the clamd.conf configuration as a VirusEvent script. Now that's a pretty cool idea ( since the milter can't send email anymore ) and would work in his config. Guys, please open a ticket. It's too late for 0.96, but will likely make it into 0.96.1. Thanks, -aCaB ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] clamd, clamav-milter: socket permissions
Noah Sheppard wrote: When I start clamav-milter, it creates clmilter.socket like so: $ ls -l /var/clamav/clmilter.socket srwxr-xr-x 1 clamav clamav 0 Dec 29 16:02 /var/clamav/clmilter.socket Because of the mode 755, postfix cannot write to clamav-milter's socket, so I have to manually 'chmod 755 /var/clamav/clmilter.socket' in order to make virus checking work. Unless somebody tells me otherwise, I am sure the modes are the default, at least for my distribution. Hi Noah, the milter socket is created by libmilter, which should obey the umask. Just set it to suit your needs. As for adding a dedicated option to clamav-milter, that's sure something that can be done. Please open a feature request ticket so it doesn't get forgotten. Cheers, -acab ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] ExcludePath, defining absolute path
dev.ad...@ntlworld.com wrote: Hi, I know this is an old topic that seems to have caused some problems in the past and has apparently been fixed in version .3, but I still can't get it to work. I'm using OSX and I would like to scan the boot volume but one of the directories is called 'Volumes' which contains directories and links to other volumes which I scan separately. Is it possible to exclude an absolute path using the configure variable ExcludePath? A. Not sure I got the right picture but is --cross-fs=no what you are looking for? -aCaB ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] ClamAV Memory Usage
Gordan Bobic wrote: Hi, Can anyone explain why clamd 0.95.3 might use 190MB of RAM after 5 days The figure is normal. In those 190MB there are likely ~110MB of database and ~80MB of unused memory which is retained (by either libc or the kernel) inside the process. Unfortunately it's not very easy to determine the exact amount of *really* used memory: you should subtract all unused maps (i.e. /proc/PID/maps) and libc non-returned heaps from the above figure. You may be able to see a more ram usage figure via clamdtop. The database files under /var/lib/clamav use about 70MB. So, even assuming this is kept in memory at all times, where does the other 120MB come from? Database files are not stored in ram as they are on disk. In fact, for performance reasons, signatures are mostly arranged in tries. This involves lots of pointers, structure alignment and other nasty things. 70MB are roughly equivalent to 90-100MB on 32 bit systems and 110-10MB on a 64bit system. -acab ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] Quarantine issue with new 0.95.x clamav-milter
Mark Costlow wrote: Prior to 0.95, I had my clamav-milter configured to quarantine messages and reject them. So the sender got a 550 SMTP response, and we got a copy of the payload they were trying to send. In 0.95.3, I have the choice to tell the milter to Reject the message (which results in no quarantine) or to quarantine the message (which results in sendmail giving the sender a 200 message accepted response). Hi, This was requested and tried before. However it never worked and the code was reverted. Despite libmilter api's theoretically allowing quarantine+reject, in practice, sendmail doesn't obey and only performs one of the actions (reject but not quarantine, IIRC). -acab ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] Thoughts on software QA Testing (or lack thereof...)
George R. Kasica wrote: In any case, if you're looking for a test spot for FC10, Solaris 9, RHEL4 I'd be happy to try to run some stuff here on a box - I'm not a programmer but I can do basic things if given clear steps or test the ability to at least get it to make etc in our QA/Test environment. Hi George, That would be cool! There are basically two options. The least intrusive is a small shell script to be run daily or so from cron which posts results available here: http://farm.0xacab.net/ This only requires git, a compatible compiler and an ftp client. The other one is to run a buildbot slave. Results are available at http://www.0xacab.net:8010/waterfall If you want to help with either, please mail Edwin or me off list. Thanks, -acab ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] [Fwd: [sanesecurity] x86_64 users: possible malformed database problems]
G.W. Haywood wrote: I suspect that rather than QA, what you do is just a lot of hap-hazard testing. That's why, whenever I see a new release of ClamAV, first I will suppress a groan and then, before I risk it on any of my servers, I'll wait a while and watch the users' list to see how much trouble it causes. This approach serves me well, although I can't say I'm proud of the fact that I'm letting a lot of poor innocents do my acceptance testing for me. Hi G.W. Haywood, My mail was about custom databases provided by 3rd parties, not about ClamAV release cycles. Besides, you miss another point: ClamAV is an open source software, consisting of roughly 150K lines of C code and 65 signatures, currently maintained by three full time developers, one and a half full time sigmakers and a system administrator. We ALWAYS ask our users to test the development head and provide feedback because we cannot do it all on our own: we lack the man power and we lack the infrastructure, but, most importantly we lack YOUR setup, YOUR deployment and YOUR environment. With some very notable exceptions (which I would really like to thank), it is a fact that, despite the repeated requests, not many people test the code. You can look at the bugzilla being all quiet for weeks, then, as soon as we release a new version, it suddenly gets flooded with tickets. So, to conclude, if you want to get better releases, do your bit. The only alternative is that we release what WE think is ok and we re-release when YOU tell us it's not. Thanks for the lesson, -aCaB ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] load issues due to sanesecurity signatures
Steve, I see more and more custom db related issues on this list... Last week I offered some help to early diagnose possible problems before they hit the end users and I was trying to establish some cooperation with you and the other db providers in order to improve your QA process. Just in case you missed that mail... -aCaB ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] Clamav Postfix unix socket integration
clamavl...@encambio.com wrote: Hello list, Excuse the beginner question please. Hi Brian, To answer your final question: yes, it is possible. Yes you don't need amavis. However you seem a bit confused about postfix interfaces. In particular the content_filter interface is not the same as the milter interface. I'd suggest you to start from http://www.postfix.org/MILTER_README.html which will answer all your other questions. Cheers, -acab ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] [Fwd: [sanesecurity] x86_64 users: possible malformed database problems]
Steve Basford wrote: LibClamAV Error: mpool_malloc(): Attempt to allocate 2097152 bytes. Please report to http://bugs.clamav.net LibClamAV Error: cli_ac_addpatt: Can't realloc ac_pattable LibClamAV Error: cli_parse_add(): Thanks to the ClamAV team, the bug was fixed in the clamav-devel version: clamav-devel: +Sat Oct 24 15:06:50 CEST 2009 (acab) + * libclamav/mpool.c: increase max pool to 8M to allow loading huge custom dbs Hi Steve, The (now) increased pool size is around 16 times bigger than the largest pool used by the official db, so it'll probably be ok for a while. That said, we should still figure out a way to avoid this kind of troubles in the future (same goes for the infamous clamd crashes while loading 3rd party db's bug which plagued the early 0.95's). On our side we do a lot of QA over our own signatures to make sure things like that won't happen, but of course we can't guarantee the same for 3rd party databases. At the end of the day, any service disruption, even if caused by the use of custom databases, is problematic and affects the entire ClamAV user community. I'm wondering if it would make sense for us to open up the QA side of our infrastructure to you guys, in order to minimize this kind of inconvenience. I really believe something needs to happen here so that these type of bugs can be caught quickly before they affect a number of users. Thoughts? aCaB ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] Help with clamav-milter white list
Jerry wrote: I am getting some legitimate mail tagged as SPAM. Below is the header from one such e-mail. Return-Path: owner-freebsd-sta...@freebsd.org [...] From: freebsd-stable-requ...@freebsd.org [...] Now, if I understand it correctly, just putting the following: From:freebsd-stable-requ...@freebsd.org sans quotation marks in a text Jerry, You should use something like From:owner-freebsd-sta...@freebsd.org Now, would this work: from:hub.freebsd.org? I am having a hard time figuring out exactly what needs to be in that file to white-list mail. :-( No. Whitelisting based on the Received header is not supported as it doesn't make much sense. -aCaB ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] VirusEvent based on signature file
li...@truthisfreedom.org.uk wrote: I guess my question is two-fold: a) Is this possible with ClamAV or do I need to look elsewhere? b) What's the best way to achieve this. Hi, It is certainly possible. As for the HOW, that mostly depends on how you interface with the ftp server. If your ftpd accepts only a YES/NO type of answer (which I presume), and can't take actions based on the reported virus name then you'll need to be a bit creative. For example you run a main clamd with the full db loaded which reports to the ftpd. This should keep away most of the known badware. Then you scan each uploaded file a second time but with only one or a few custom signatures (e.g. base64_decode) and report the suspect file to yourself. How to trigger this second scan depends again on your ftpd. If it's got post-upload hooks, then you should probably use them. Otherwise you can setup a small cron job using find -mtime and clamscan to check the whole ftp space. HtH, -acab ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] clamav-milter whitelist not always working
Jerry wrote: OK, I see. I am not sure who created the default clamav-milter.conf for FreeBSD; however, the instruction could have been clearer. As you can see from the snippet I supplied in the original post, the only specifications are either 'To:' or 'From:', not the MAIL FROM or RCPT TO commands. Hi Jerry, The wording can sure be improved however it seems pretty clear to me that From: and To: are referred to the whitelist file format and not to the mail headers: Optionally each line can start with the string From: or To: (note: no whitespace after the colon) indicating if it is, respectively, the sender or recipient that is to be whitelisted. -aCaB ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] clamav-milter whitelist not always working
Jerry wrote: FreeBSD-7.2 I am having a problem getting the clamav-milter whitelist to work correctly. This is a snippet of the clamav-whitelist.txt file: To:freebsd-questi...@freebsd.org Whitelisting is NOT based on the mail header fields (To:, From:) but on the MAIL FROM and RCPT TO SMTP commands. In this very case, from a wild guess, it looks like they are: From: vvv Return-Path: owner-freebsd-questi...@freebsd.org Received: from scorpio.seibercom.net (localhost [127.0.0.1]) by scorpio.seibercom.net (Postfix) with ESMTP id 41CFB2290F for ger...@localhost; Thu, 3 Sep 2009 09:04:30 -0400 (EDT) TO: HtH, -aCaB ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] Configuring SkipAuthenticated users in clamav-milter
Jerry wrote: If not, would this syntax work in the clamav-milter.conf file? SkipAuthenticated ^(m...@hostname.mydomain.net \ y...@hostname.mydomain.net \ ot...@hostname.mydomain.net)$ Unfortunately not. The feature was requested by a single person (who also provided a draft patch to whitelist *all* auth'ed users). I took the idea and made it use a regex as i thought it would allow to whitelist things like @domain with ease. If this doesn't work for you (i can certainly see why) then please open a ticket on the bugzilla to optionally make it read entries from a file. When time permits I'll work on that. -aCaB ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] Configuring SkipAuthenticated users in clamav-milter
Jerry wrote: How clamav-milter would handle an external file is also a concern. Would it read it only upon start up, or reread it whenever it is modified? The latter method would eliminate the need to restart the milter if the file is modified making system management easier. Perhaps having it reread the file at a preset interval like clamd does with its definition files would be acceptable. That would not be the unix way. The unix way is to read config files on startup and on HUP or USR. However signaling in the milter is problematic because libmilter does its own signal catching; that's braindead, if you ask me, but that's the way it is. -aCaB ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] HAVP + Linux RAMdisk errors
Strykar wrote: Good question, could ClamAV developers comment on this? Would TmpFS be more effective as it would start writing to /swap if the system runs out of memory instead of stating Out of memory and stopping the process? Hi, My suggestion is that, if you are using sane limits in havp, which is BTW a good idea, tmpfs is the best approach. Let's put it this way... If your system is swapping due to a few 5-10 megs tmpfs files, then it's likely that it's going to be swapping anyway. In fact, in most cases, scanning any file is going to take up more memory than its bare size. Cheers, -aCaB ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] How do I send a link to a site with virus?
elias alves wrote: I received an email saying to be called a bank Bradesco, he is a Brazilian bank, the more it does not link to the site of Bradesco, is most often contains malware, to capture the password of users, how do I send the link? Because here I can send it without problems? Please save the mail and upload it to http://www.clamav.net/sendvirus/ Thanks, -acab ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] Permission changes and STREAM command depreciation
Thiyaga wrote: Hi, We are using Clamd in our organization for catching viruses. It would be very helpful if you consider doing the following few minor changes or suggestions Hi, Please open 2 feature request tickets on the bugzilla. Also, could you please let us know if STREAM command will be completely removed from Clamd in future versions (as it has been deprecated recently)? We use STREAM command through load balancer (VIP) and it is very useful to us. This is totally undecided, anyway not anytime soon. Maybe in one year from now or so. This should give anyone enough time to switch to INSTREAM or FILDES. -aCaB ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] clamav-milter with postfix
Jerry wrote: I am about to set up a new installation of Postfix and clamav-milter on a FreeBSD-7.2 system. On my present system I have clamsmtp installed. I was thinking that clamav-milter might be a better choice. Can anyone supply me with a basic template for getting clamav-milter working with Postfix? I have the latest version of Postfix-2.6x and clamav installed. For the postfix side, all you need is something like: smtpd_milters = unix:/path/to/clamav-milter.socket non_smtpd_milters = unix:/path/to/clamav-milter.socket in your main.cf. For the clamav-milter side I'd suggest to start from the provided sample config, fix the sockets and paths and try running it. If things work, you can get back to it and tweak the other options so that it suits your needs. also, am I correct in assuming that clamav-milter will only add a header to the the infected email but not modify the SUBJECT: line? You are correct. -acab ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] Suggestion - make the source package available without the main.cvd database
Per Jessen wrote: Any chance of making the source package available without the current cvd databases? The current package is 24Mb, without the CVD it's only 3Mb. Just a suggestion, but it might just save some bandwidth. Hi Per, we pack main cvd into the tarball to alleviate some load from the mirrors. If you only want the code you can simply grab a branch off the svn. -acab ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] Upgrade very old Clamav
M. Lewis wrote: I have a client who for a variety of reasons is still running Fedora Core 3. I know he has worse problems than Clamav being out of date with this, but I'm wondering if there is a way to get Clamav up to date on this system. Previously all upgrades were done via RPM, which of course has not been possible for a long time. If I were to remove the existing clamav (clamav-0.88.7-1) and install the current version from source, are the libraries and all there that are needed to compile the current version on this old machine? I would think probably they are not, but I'd like to confirm this with someone more knowledgeable. Hi, if you have gcc 2.95 or less, then forget about compiling it. You will get any sort of compilation errors. Working them around is not trivial BTW. If you can somehow get a gcc 3.x installed then you should be able to compile clamav without major problems. Old libraries should link ok (although most of them are probably exploitable), with the exception of libmilter. If you don't need clamav-milter that shouldn't really bother you. -acab ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] Virus submission timing
Dan wrote: Hi, After submitting something to VirusTotal, and getting the response back that shows only one or two products detected it as a virus... VirusTotal then automatically forwards the item to all the vendors? Yes, if the vendor asks for the stuff. Yes we do receive samples we miss at VT. Or is there further action required by me to initiate this? Since VT feeds are pretty massive and contain very random files (including false positives from other vendors, lots of tests - the bad guys know about VT as well) we generally classify those samples as low priority. On the other hand, user submissions have a much higher priority and are generally processed first. Once the ClamAV team receives the virus, on average currently how long before its sig is added to the database? Due to the huge number of submissions we have to process it is really hard to tell. It mostly depends on the severity of the threat, that is, how many of such samples we've already received. Big outbreaks generally take less than one hour. Unique samples may need several days to be processed. -aCaB ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] Virus submission timing
Dan wrote: So you would prefer we submit directly to ClamAV at http://cgi.clamav.net/sendvirus.cgi Yes, we do. -acab ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] disable milter syslog
martinnitram wrote: and at maillog, milter always log like this (set LogClean no at clamd.conf): sendmail[3783]: Milter change (add): header: X-Virus-Scanned: clamav-milter 0.95.1 at localhost sendmail[3783]: Milter change (add): header: X-Virus-Status: Clean so, the milter message at maillog related to sendmail or clamav-milter? Note the sendmail[3783]: prefix. This stuff doesn't come from the milter, otherwise it would read clamav-milter: Any milter loglevel setting 8 in *sendmail* makes those line appear in your logs. HtH, acab ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] disable milter syslog
martinnitram wrote: Because just want milter to log message to file that specify at 'LogFile', so set LogSyslog no to disable syslog logging. But found that milter still log to the maillog file (at FC9) no matter the email is infected or clean one. Is it normal for clamav 0.95.1? Thank for helping Hi, It is not. However make sure the loglevel *in sendmail* is setup properly. -acab ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] VIRUS? PHISH? Western Union Transfer MTCN: 0258258718
Charles Gregory wrote: Greetings! Hi, The right place for malware and suspected malware submissions is: http://www.clamav.net/sendvirus/ aCaB ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] Problems with upgrade to 0.95.1
Frank Bures wrote: May 4 09:13:13 alchemy sendmail[27492]: n44DDBf8027492: Milter (clamav): write(L) returned -1, expected 61: Broken pipe May 4 09:13:13 alchemy sendmail[27492]: n44DDBf8027492: Milter (clamav): to error state May 4 09:13:13 alchemy sendmail[27454]: n44DDAda027454: Milter (clamav): write(L) returned -1, expected 91: Broken pipe May 4 09:13:13 alchemy sendmail[27454]: n44DDAda027454: Milter (clamav): to error state May 4 09:13:19 alchemy sendmail[27261]: n44DCvN5027261: Milter (clamav): write(D) returned -1, expected 201: Broken pipe May 4 09:13:19 alchemy sendmail[27261]: n44DCvN5027261: Milter (clamav): to error state May 4 09:13:37 alchemy sendmail[27057]: n44DCaW0027057: Milter (clamav): write(Q) returned -1, expected 5: Broken pipe May 4 09:13:37 alchemy sendmail[27057]: n44DCaW0027057: Milter (clamav): to error state May 4 09:13:57 alchemy sendmail[27255]: n44DCvuW027255: Milter (clamav): write(Q) returned -1, expected 5: Broken pipe May 4 09:13:57 alchemy sendmail[27255]: n44DCvuW027255: Milter (clamav): to error state May 4 09:14:11 alchemy sendmail[27332]: n44DD1nU027332: Milter (clamav): write(Q) returned -1, expected 5: Broken pipe May 4 09:14:11 alchemy sendmail[27332]: n44DD1nU027332: Milter (clamav): to error state May 4 09:14:51 alchemy sendmail[28578]: n44DEpeg028578: Milter (clamav): error connecting to filter: Connection refused by /var/run/clamd/clamav-milter.sock May 4 09:14:57 alchemy sendmail[28611]: n44DEvw8028611: Milter (clamav): error connecting to filter: Connection refused by /var/run/clamd/clamav-milter.sock May 4 09:15:03 alchemy sendmail[28661]: n44DF34I028661: Milter (clamav): error connecting to filter: Connection refused by /var/run/clamd/clamav-milter.sock Up to this point ^^^ clamav milter was not running or hung or the socket privs were not right. 
May 4 09:15:07 alchemy clamav-milter[28717]: Local socket unix:/var/run/clamd/clamav.sock added to the pool (slot 1) May 4 09:15:07 alchemy clamav-milter[28717]: Probe for slot 1 returned: success This ^^^ is clamav milter talking to clamd. Usually you get this kind of messages at startup so my guess is that before 9:15 clamav-milter was not running at all. May 4 09:15:20 alchemy sendmail[28865]: n44DFI7f028865: Milter change: header X-Virus-Scanned: from by amavisd-new at nmrweb.chem.utoronto.ca to clamav-milter 0.95.1 at alchemy.chem.utoronto.ca May 4 09:16:37 alchemy sendmail[29470]: n44DGbHN029470: Milter change: header X-Virus-Scanned: from Debian amavisd-new at ldl.fc.hp.com to clamav-milter 0.95.1 at alchemy.chem.utoronto.ca These ^^^ are the sign that clamav-milter is alive and working fine. However these lines are NOT coming from clamav milter but rather from sendmail. There were many incoming messages between 09:15:20 and 09:16:37 that were silently ignored by the Milter. No idea TBH... Were they whitelisted? Try setting LogVerbose yes or increase verbosity in confMILTER_LOG_LEVEL. --aCaB ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] Virus Infected Message for recipient
martinnitram wrote: At clamav 0.94, it can config clamav-milter that send a Virus Infected notify email to recipient when a virus scanned. But from 0.95.1, the milter only had 'Blackhole' option that direct drop the virus email without any user notification like 0.94. Is that had any option for milter at 0.95.1 to do this? Thank. http://lurker.clamav.net/message/20090326.132413.b9e348ec.hu.html -aCaB ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] Using milter_watch
cla...@pcez.com wrote: clamav-milter[3037]: ClamAV: st_optionneg[-162030672]: 0x1f does not fulfill action requirements 0x30 Anyone have an idea on how to fix this problem? Not really but from the look of it I believe it's a protocol version mismatch between the milter and the watcher. Maybe check if a newer version of milter watch is available. -aCaB ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] clamav-0.95.1/clamav-milter does not insert headers in messages
Robert S wrote: Can this be changed to the original detailed form? An altered header could potentially cause a mail system to break. Hi, Sorry, Not at this point. Next time please submit such requests during the RC stage. Where can I find a list of _all_ the options for /etc/clamav-milter.conf? For 0.95.1: http://svn.clamav.net/svn/clamav-devel/tags/clamav-0.95.1/etc/clamav-milter.conf -acab ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] clamav-0.95.1/clamav-milter does not insert headers in messages
Robert S wrote: Is there a missing option in my configs or You are probably looking for the AddHeader option. --acab ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] clamav-milter 0.95.1 logging deficiencies
Kevin Clark wrote: Craig is correct - I would like clamav-milter to log clean files as well as infected ones much like it used to. Hi Kevin, I think this is pretty pointless as that would basically duplicate any line already in the logs. That's especially true if you are logging via syslog. Try opening a request on the bugzilla. It may or may not be considered, mostly depending on how many people need such a feature. Also, I like having the log entries in /var/log/maillog because then I have a single log file from which I can determine that a message was scanned by all (or maybe none because of whitelisting) of the Milters we have running on the system. Clamav-milter already gives you enough logging options to achieve that. -aCaB ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] clamav-milter 0.95.1 logging deficiencies
Kevin Clark wrote: I appreciate the quick response but I'm sorry to say that making the changes you suggested to clamav-milter.conf does not have the desired effect. With these values in clamav-milter.conf... LogFile /var/log/clamav/clamav-milter.log LogSyslog yes LogFacility LOG_MAIL LogInfected Full ...clamav-milter still does not log every scanning event to either /var/log/maillog or its own logfile /var/log/clamav/clamav-milter.log Hi Kevin, As you may guess, LogInfected logs infected messages. Your mail log should already have logs for each mail passed through your box. With the above setup Clamav milter additionally tells you which of those mails were infected. What am I missing? -acab ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] How do I prevent ClamAV from renaming quarantined files?
Aditya Nag wrote: Hi, I'm running ClamAV on a Samba server. It's working fine, doing everything it's supposed to and all that, but I have a small problem. I've configured it to quarantine suspected files, but it automatically renames the files to vir-XYZABC, where XYZABC is a random string. I'd like to preserve the original filename, so that I know what has been infected. How do I go about doing this? Hi Aditya, Please clarify how you are running clamav to scan your files. This sounds like a 3rd party tool. --acab ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] clamav-milter 0.95.1 logging deficiencies
Kevin Clark wrote: I'm following up on a previous post about logging to maillog: http://lurker.clamav.net/message/20090408.063308.16623e5a.en.html I am using Sendmail 8.13 on CentOS-4 but whereas previously with 0.94.2 I would get a log entry in /var/log/maillog for every scanned message I now only get a log event for infected messages or those with an existing X-Virus-Scanned or X-Virus-Status header. This won't happen with: LogSyslog disabled LogFacility = LOG_LOCAL6 If you want messages logged to syslog, please config those options properly. I have configured clamd to log every scanning event to /var/log/clamav/clamd.log but whereas before it would log a message ID and status I can now only get entries like these: Clamd has got no idea about message ids. Clamav-milter does. The place to look for them is therefore clamav-milter.log (or syslog if you follow the advice above). I would appreciate some guidance on whether I am missing something obvious in the configuration that would allow me to: See above. 1) log every scanning event in /var/log/maillog In *clamav-milter.conf* set: LogSyslog yes LogFacility LOG_MAIL LogInfected Basic or LogInfected Full 2) get more detailed log entries in /var/log/clamav/clamd.log If more detailed means i want the message id's then forget about that. Clamd does not know what a message id is. Again, the place for id's is clamav-milter's log. HtH, --acab ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] clamav-milter 0.95 ReadTimeout
James Kosin wrote:
> Everyone, Ok, new thread. The ReadTimeout description in the configuration file for clamav-milter.conf says that setting this value to 0 disables the timeout. This appears not to be the case and actually honors a timeout value of 0-seconds, meaning clamav-milter is reporting that clamd is not responding or failed.

Fixed in r5030.

Thanks,
-aCaB
Re: [Clamav-users] How do I handle quarantined messages on clamav-milter-0.95?
Robert S wrote:
> I've just installed 0.95. The quarantine system seems to have changed - messages are in /var/spool/mqueue and the sendmail queue now. It used to be possible to use the --quarantine-dir command-line option to set a quarantine directory but this is no longer available. What is the best way to handle these? Should I set up a cron job to delete these after a certain number of days or does sendmail do this for me?

Hi Robert,
the idea with the quarantine feature is that it gives the SA a chance to review virus or otherwise tagged messages instead of rejecting/dev-nulling them right away.

The quarantine queue is pretty much like the main message queue, except it is generally managed with the '-qQ' option to mailq and sendmail. Refer to the manpage for a complete description and usage examples.

A quick google search also reveals a few ready made sendmail quarantine managers.

-aCaB
Re: [Clamav-users] clamav-milter 0.95
Ed Kasky wrote:
> Any idea when a new release can be expected? My 0.95 milter install has found nothing since upgrading and was quarantining between 8 and 20 weekly (small company) since my first installation.

Hi Ed,
0.95.1 is currently being tested and is planned to be released later today or tomorrow, unless some of the tests fail.

-acab
Re: [Clamav-users] logging to maillog
Ebrahim Abrahams wrote:
> Hi
> I am having trouble getting the clamav-milter to log what has been scanned or infected to the maillog. I have enabled the following settings in clamav-milter.conf
> AddHeader yes
> LogSyslog yes
> LogFacility LOG_MAIL
> LogVerbose yes
> Can someone please assist.
> Regards

Hi Ebrahim,
What's the problem? It works fine here:

1337ness:/home/acab# grep clamav-milter /var/log/mail.log
Apr 6 15:28:13 1337ness clamav-milter[3546]: Local socket unix:/tmp/clamd.socket added to the pool (slot 1)
Apr 6 15:28:13 1337ness clamav-milter[3546]: Remote socket tcp:192.168.0.105:3310 added to the pool (slot 2)
Apr 6 15:28:13 1337ness clamav-milter[3546]: Remote socket tcp:192.168.0.107:44203 added to the pool (slot 3)
Apr 6 15:28:13 1337ness clamav-milter[3546]: Probe for slot 1 returned: success
Apr 6 15:28:13 1337ness clamav-milter[3546]: Failed to establish a connection to clamd
Apr 6 15:28:13 1337ness clamav-milter[3546]: Probe for slot 2 returned: failed
Apr 6 15:28:13 1337ness clamav-milter[3546]: Failed to establish a connection to clamd
Apr 6 15:28:13 1337ness clamav-milter[3546]: Probe for slot 3 returned: failed
Apr 6 15:29:09 1337ness clamav-milter[3546]: Message D3BC2126B54 from a...@darqness to a...@1337tness with subject 'eicar' message-id '20090406132909.ga4...@darqness' date 'Mon, 6 Apr 2009 15:29:09 +0200' infected by ClamAV-Test-File

Cheers,
-acab
Re: [Clamav-users] clamAV-0.95 0n Solaris 10 x86 Build
John Goubeaux wrote:
> Has anyone done a successful build of clamAV-0.95 on Solaris 10 x86 ?

Builds fine for me with gcc: http://farm.0xacab.net/build/show/2335

-aCaB
Re: [Clamav-users] I386--FreeBSD7.1-RELEASE-p4--Sendmail-8.14.3 Clamav-milter 0.95 doesn't scan emails
lyubom...@cablebg.net wrote:
> I decided to upgrade and clmilter stopped scanning email messages. There was also no SMTP header modification from ClamAV. I decided to fresh install clamav-0.95 on another box and the effect was exactly the same. It seems milter works as a simple loopback without any scan functionality. Could you, please, advise how to solve this problem?
> [...]
> clamav-milter.conf:
> ...
> FixStaleSocket yes
> User clamav
> MilterSocket /var/run/clamav/clmilter.sock
> PidFile /var/run/clamav/clamav-milter.pid
> ClamdSocket unix:/var/run/clamav/clamd.sock
> LogFile /var/log/clamav/clamav-milter.log

Hi Lyubomir,
If you want X-Virus-XXX headers set AddHeader Yes. If you want some more info logged from the milter, use LogVerbose yes.

HtH,
-aCaB
Re: [Clamav-users] MaxQueue in clamd.conf?
Odhiambo Washington wrote:
> Thu Apr 2 08:33:07 2009 - ERROR: Configuration error: MaxQueue should be at least twice MaxThreads
> Thu Apr 2 08:33:07 2009 - ERROR: thrmgr_new failed
>
> ...yet there is no such param as MaxQueue in clamd.conf, but
>
> FreeBSD-7# find clamav-0.95 -type f -exec grep -li 'MaxQueue' {} \;
> clamav-0.95/clamd/server-th.c
> clamav-0.95/clamd/thrmgr.c
> clamav-0.95/unit_tests/test-clamd.conf
> clamav-0.95/shared/optparser.c
> clamav-0.95/clamdtop/clamdtop.c
>
> Did someone forget to add a new config variable in clamd.conf with 0.95??

Hi Odhiambo,
There is already an open bug on the bugzilla. Problem will be fixed in 0.95.1.

-aCaB
Re: [Clamav-users] I386--FreeBSD7.1-RELEASE-p4--Sendmail-8.14.3Clamav-milter 0.95 doesn't scan emails
lyubom...@cablebg.net wrote:
> I am executing the following command:
> [lyubo...@evaluate ~]$ cat test1.txt | mail -s Test root
> Where test1.txt is an Eicar test file

See: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1531

Can you please test the SVN version?

Thanks,
-aCaB
Re: [Clamav-users] Missing option on freshclam 0.95?
Charles Gregory wrote:
> Oh, and FTR, I could not find a change log or version notes on the main clamav website, or I could have answered this question myself
> A link in the left-side menu would be nice. :)

It's not that hard... http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog

-aCaB
[Clamav-users] AIX support
Hi List,

On the bugzilla we see a rising amount of AIX related tickets. According to them, stuff that works on every other *nix tends to fail miserably and randomly on AIX.

For those who care about AIX support, please be aware that we currently have no chance to hunt these bugs down due to lack of such platform in our compile/test farm. This means that most of those bug reports will not be processed at all.

If you feel like opening up a *permanent* shell access to your AIX box for the clamav developers please contact me or edwin privately. As with other borrowed resources we are careful not to disrupt running services. We also take limited cpu and ram only when actively compiling or running tests.

Thanks,
-aCaB
Re: [Clamav-users] News about 0.95
Matus UHLAR - fantomas wrote:
> Hmm, there could be an option for not rejecting signatures like *.Phishing.* or Safebrowsing.*

Hi,
If you want to fine tune detection based on malware names you can either do the tuning in clamd (as explained above) or use OnInfected=Accept and AddHeader=Yes and postprocess the message based on the X-Virus- headers.

-aCaB
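The post-processing step suggested in the reply above, sketched as an added example (not part of the original message and not ClamAV code). It assumes the X-Virus-Status value is either "Clean" or "Infected (SignatureName)"; the action names and the rule that the strictest of several headers wins are this example's own choices.

```python
import re
from email import message_from_string
from fnmatch import fnmatchcase

# Name patterns quoted in the thread; action names are this example's own.
SOFT_PATTERNS = ("*.Phishing.*", "Safebrowsing.*")
# Assumed header value layout: "Clean" or "Infected (SignatureName)".
STATUS_RE = re.compile(r"^Infected \((?P<sig>[^()\s]+)\)$")
RANK = {"deliver": 0, "unscanned": 1, "tag-as-spam": 2, "quarantine": 3}

def verdict_for(value):
    """Map one X-Virus-Status value to (action, signature)."""
    value = value.strip()
    if value == "Clean":
        return "deliver", None
    m = STATUS_RE.match(value)
    if not m:
        return "quarantine", None      # unknown value: fail closed
    sig = m.group("sig")
    soft = any(fnmatchcase(sig, p) for p in SOFT_PATTERNS)
    return ("tag-as-spam" if soft else "quarantine"), sig

def classify(raw_message):
    """Pick the strictest verdict over all X-Virus-Status headers."""
    msg = message_from_string(raw_message)
    values = msg.get_all("X-Virus-Status") or []
    if not values:
        return "unscanned", None       # caller decides what to do with these
    return max((verdict_for(v) for v in values), key=lambda v: RANK[v[0]])

def sample_message(*status_headers):
    # Constructed test message; addresses and subject are made up.
    head = ["From: alice@example.org", "To: bob@example.net", "Subject: test"]
    head += [f"X-Virus-Status: {s}" for s in status_headers]
    return "\n".join(head) + "\n\nbody\n"

if __name__ == "__main__":
    for hdrs in (["Clean"], ["Infected (ClamAV-Test-File)"],
                 ["Infected (Heuristics.Phishing.Email.SpoofedDomain)"],
                 ["Clean", "Infected (Safebrowsing.Constructed-1)"], []):
        print(hdrs, "->", classify(sample_message(*hdrs)))
```
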
Re: [Clamav-users] News about 0.95
Matus UHLAR - fantomas wrote:
> What I've meant is, can it (instruct sendmail to) reject mail only viruses, not phishing nor unsafe pages, or do I need two instances of clamd for this?

Hi Matus,
If you are using clamd for different purposes as well as for serving the milters and if you require different config options for these (notably phish detection enabled) then you need two instances.

-aCaB
[Clamav-users] NULL dereference in clamav-milter 0.95
Hi,

A bug has been reported affecting clamav-milter 0.95. If LogInfected is set to Full and the message being processed lacks either the Subject, Message-ID or Date headers, a NULL pointer is dereferenced which will cause the program to be aborted.

For SVN users the issue is fixed in r4991. For Stable users, the issue will be fixed in the upcoming 0.95.1 version which is to be released soon. In the meantime it is recommended to set LogInfected to Off (the default) or Basic in clamav-milter.conf.

For full details see: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1522

Thanks,
-aCaB
Re: [Clamav-users] Why 0.95 doesn't have contrib/init/RedHat/clamd?
Edilmar LISTAS wrote:
> Hi, I have used clamd for many years with Fedora, RedHat and CentOS. And I have an updating script that always copies the clamd init script file for the current version to the init.d subdir. This script always worked fine, but now in 0.95 this contrib file isn't there. I put the script from a previous version 0.93 and it worked fine.

Hi Edilmar,
We believe that init scripts are not our job. There are simply too many unices and distros and versions and configurations out there to be able to keep up with all of them. Package maintainers and sysadmins can usually do a much better job.

Moreover many scripts were flawed, not very tunable and none of them got upgraded to the new milter... At some point people started complaining (search this very ML archives) and so they got removed.

Incidentally the /contrib dir is never included in the tarball release.

--aCaB
Re: [Clamav-users] NULL dereference in clamav-milter 0.95
James Kosin wrote:
> Was the patch provided in the link the only change to fix the issue? Or were other files affected?

Hi James,
The patch from Dimitar Pashev in the bugzilla should work ok. The official patch in svn is a bit different. I've attached it for your convenience to the same bug. Grab it here: https://wwws.clamav.net/bugzilla/attachment.cgi?id=991

--aCaB
Re: [Clamav-users] make-clamav-milter-conf syntax
Jason Bertoch wrote:
> I'm trying to build my clamav-milter conf file prior to installing 0.95 as 0.94.2 must be uninstalled before make check will work for 0.95 (Bug 1491). If I execute make-clamav-milter-conf.pl, I get the following error:
> FAIL: No socket provided at make-clamav-milter-conf.pl
> What is the correct syntax for running this script?

https://wiki.clamav.net/Main/UpgradeNotes095

Just invoke the script with the same parameters you were passing to the old milter and then review all the preset options to make sure everything is sane.

-acab
Re: [Clamav-users] clamav 0.95- fd[10]: OK
Nathan Brink wrote:
> I'm guessing that your clamdclient or clamav-milter is using fd-passing. My speculation: This means that clamd wouldn't know the name of the file (and that what clamd is scanning may not be a file). The only way clamd can identify the file it is scanning is by the number of the file descriptor it is passed. Evidently, it was passed fd #10. I'm not sure if your clamd's client is able to tell clamd the name of the file it is scanning.

All correct. In STREAM, INSTREAM and FILDES mode clamd doesn't know the original filename and its output results in fd[N]: status

--aCaB
Re: [Clamav-users] Email notifications in clamav-milter 0.95
Vincent Aniello wrote:
> I know that the new clamav-milter is a work in progress. Is there any chance of email notifications to an administrator when a virus is detected being added back into clamav-milter in the future?

Hi Vincent,
I'm not particularly hot about notifications in the milter. The reason is that the milter interface is more or less a yes/no/maybe filter with no direct control over any other aspect of the mail handling process. On the other hand such aspects can be controlled directly and more properly in the sendmail configuration itself.

On the technical side, since libmilter offers no options for creating and delivering mails, clamav-milter would need to invoke an external process to do that. (For the record, clamav-milter was in the past affected by a remote root vulnerability exactly in the code to invoke sendmail to deliver the notifications).

Now if you do need notifications you can still have them, in some other not terribly complex ways. In random order:
- Use VirusEvent in clamd
- Set AddHeader and use a sitewide procmail recipe
- Set LogInfected and write a small script to parse the logfiles
- Use the quarantine option and parse the quarantine queue
- probably more...

As you see nothing that can't be done with about 10 lines in a (shell|perl|python|...) script.

-aCaB
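One way to do the "Set LogInfected and parse the logfiles" option from the list above, as an added example (not part of the original message and not ClamAV code). The line layout is modelled on the sample log line quoted in the "logging to maillog" thread on this page; treating the subject, message-id and date fields as optional is an assumption, and all sample lines are constructed.

```python
import re
from collections import Counter

# Assumed layout of a LogInfected line, modelled on the sample in the
# "logging to maillog" thread; subject/message-id/date are treated as optional.
# The subject is sender-controlled, so it is matched greedily and the
# signature is taken only from the very end of the line.
LINE_RE = re.compile(
    r"clamav-milter\[\d+\]: Message (?P<qid>\S+) from (?P<sender>\S+)"
    r" to (?P<rcpt>.+?)"
    r"(?: with subject '(?P<subject>.*)' message-id '(?P<msgid>[^']*)'"
    r" date '(?P<date>[^']*)')?"
    r" infected by (?P<sig>\S+)$"
)

def parse_line(line):
    """Return the fields of one infected-message log line, or None."""
    m = LINE_RE.search(line.rstrip("\n"))
    return m.groupdict() if m else None

def build_report(lines):
    """Collect infected-message events, per-signature counts and a mail body."""
    events = [e for e in map(parse_line, lines) if e]
    counts = Counter(e["sig"] for e in events)
    body = [f"{len(events)} infected message(s) logged by clamav-milter"]
    for e in events:
        # repr() keeps quotes and control characters in sender text visible.
        body.append(f"  {e['qid']}: {e['sig']} from {e['sender']}"
                    f" to {e['rcpt']} subject={e['subject']!r}")
    return events, counts, "\n".join(body)

# Constructed sample lines (host, queue ids and addresses are made up).
SAMPLE_LOG = [
    "Apr 6 15:28:13 mx1 clamav-milter[3546]: Probe for slot 1 returned: success",
    "Apr 6 15:29:09 mx1 clamav-milter[3546]: Message D3BC2126B54 from "
    "alice@example.org to bob@example.net with subject 'eicar' message-id "
    "'<1@example.org>' date 'Mon, 6 Apr 2009 15:29:09 +0200' "
    "infected by ClamAV-Test-File",
    "Apr 6 15:30:02 mx1 clamav-milter[3546]: Message A1B2C3D4E5F from "
    "carol@example.org to bob@example.net infected by Constructed.Sample-1",
    # Subject that itself contains log-like text.
    "Apr 6 15:31:40 mx1 clamav-milter[3546]: Message F00BA4C0FFE from "
    "dave@example.com to bob@example.net with subject 'x' message-id 'y' "
    "date 'z' infected by Harmless' message-id '<3@example.com>' "
    "date 'Mon, 6 Apr 2009 15:31:40 +0200' infected by ClamAV-Test-File",
]

if __name__ == "__main__":
    print(build_report(SAMPLE_LOG)[2])
```

The report body can be piped to whatever mailer the site already uses; the script itself only reads the log.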
Re: [Clamav-users] News about 0.95
Matus UHLAR - fantomas wrote:
> > You can then filter based on the virusname, if you want to treat phishing/safebrowsing-blacklisted entries as spam.
> Yes, that will be important. Does clamav-milter support this for now?

Hi,
clamav-milter has been nerfed and it now relies on clamd. All you have to do is to tune clamd.conf so that it suits your needs.

--aCaB