RE: [Declude.Virus] ClamAv / ClamWin with Declude
http://oss.netfarm.it/clamav/

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Gary Steiner
Sent: Wednesday, November 24, 2010 12:32 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] ClamAv / ClamWin with Declude

What version or port of ClamAV are you using with Declude? I've been reading on the SmarterTools forums about the problems with ClamWin, and was wondering if the majority are using this port or a different one? SmarterTools has been referring people to this link:

http://www.h-online.com/open/news/item/Free-ClamWin-virus-scanner-moves-most-of-Windows-into-quarantine-1139430.html

Which port of ClamAV does Declude recommend?

---
[This E-mail was scanned by Declude]

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] ClamAV
Nothing really changed with the current version - other than making sure that you have the proper version of the VC runtime installed. It absolutely HAS to match - so it's worth mentioning as an "installation step".

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Matt
Sent: Thursday, April 29, 2010 6:05 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] ClamAV

Michael,

I created a step-by-step guide a little over a year ago for the proper installation. It's pretty simple to do. I can't say however if the steps have changed in the latest release, and obviously the version that I linked to is old now and should be updated. So here are my abridged directions for a standard install.

1) You need 7zip installed (http://www.7-zip.org/), and to open files in 7zip, you open the file manager and double click the 7z or ZIP files.

2) Download the "Current Stable" code from http://oss.netfarm.it/clamav/
   For Windows 32bit, it would be clamav-win32-0.94.2.7z

3) Create a directory structure with C:\ClamAV and also create a sub-directory of C:\ClamAV\DB
   Put the files from the above 7z file into C:\ClamAV

4) Run C:\ClamAV\clamav.reg to put some directory entries into the registry. These are by default pointing to the directory structure that I am using.

5) From a command prompt run

    C:\ClamAV\freshclam.exe --datadir="C:\ClamAV\DB" --daemon-notify

   This will download the latest definitions and let the service know to reload them if new ones are found. You want to schedule a task to run this every 15 minutes (there is virtually no load if no updates are available). There is no need to install freshclam as a service.

6) From a command prompt run

    C:\ClamAV\clamd --install

   This will install the "ClamWin Free Antivirus Scanner Service". You then want to edit the service properties to start automatically, and set your recovery options to restart the service.

7) Download the "ClamAV GUI Wrapper" from http://oss.netfarm.it/clamav/
   You only need one file from this zip, ClamAV-GUI.exe, and you want to place that in C:\ClamAV
   This is a simple GUI for scanning files and directories and can be useful. You can create a short-cut for it if you want.

8) Configure Declude for ClamAV with the following (it is probably best to have this as the first scanner since it is the fastest):

    SCANFILE1 C:\ClamAV\ClamDScan.exe --quiet --no-summary -l report.txt
    VIRUSCODE1 1
    REPORT1.

9) Check your virus logs for "Virus scanner 1 reports" in order to verify that it is running.

Note, if you want to use a non-default location, you will need to change the location in the following three things (don't quote me on this)

1) clamav.reg
2) clamd.conf
3) The freshclam.exe --datadir argument

Matt

On 4/29/2010 4:14 PM, Michael Cummins wrote:

The official download from Clam wouldn't install on my Windows 2003 box. It said it only supports Windows 7, Vista, told me to go pound sand, yada yada.

The stuff at oss.netfarm.it didn't come with very much in the way of instructions, but the ClamAID stuff did and it was also familiar with Declude so it gave me a warm and fuzzy feeling. It also didn't look like clamav-win32-0.96.7z was going to set up FreshClam as a service, or at least didn't mention it, and I hate installing random product just to see what it does. Not dissing anything, just explaining why I chose it.

You're completely right. I'm completely clam-n00b. I've never worked with ClamAV, don't know its parts and pieces from a racoon skin hat, and was grateful to have a nice page of instructions (thanks, ARM!), especially on how to test it before configuring Declude. Also, the ClamAID example used the .conf file in their Declude config, while the Declude example didn't. I thought that was handy, too. It at least gave me a place I could kludge from, and now I know a lot more about how the product works.
Just splaining where my head was and leaving a trail here in the archives in case it helps someone else. :) - Michael Cummins From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Thursday, April 29, 2010 3:14 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] ClamAV There really is no need for ClamAid, because the recent builds (including oss.netfarm.it) already are able to install themselves as services, and the additional ClamAid DLLs will obsolete once you install the "official" version. So unless you need help adding the 3 lines to the Virus.cfg, ClamAid probably makes things unnecessary complicated... From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael Cummins Sent: Thursday, April 29, 2010 2:50 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] ClamAV In case this is helpful for someone else that isn't
Re: [Declude.Virus] ClamAV
Michael,

I created a step-by-step guide a little over a year ago for the proper installation. It's pretty simple to do. I can't say however if the steps have changed in the latest release, and obviously the version that I linked to is old now and should be updated. So here are my abridged directions for a standard install.

1) You need 7zip installed (http://www.7-zip.org/), and to open files in 7zip, you open the file manager and double click the 7z or ZIP files.

2) Download the "Current Stable" code from http://oss.netfarm.it/clamav/
   For Windows 32bit, it would be clamav-win32-0.94.2.7z

3) Create a directory structure with C:\ClamAV and also create a sub-directory of C:\ClamAV\DB
   Put the files from the above 7z file into C:\ClamAV

4) Run C:\ClamAV\clamav.reg to put some directory entries into the registry. These are by default pointing to the directory structure that I am using.

5) From a command prompt run

    C:\ClamAV\freshclam.exe --datadir="C:\ClamAV\DB" --daemon-notify

   This will download the latest definitions and let the service know to reload them if new ones are found. You want to schedule a task to run this every 15 minutes (there is virtually no load if no updates are available). There is no need to install freshclam as a service.

6) From a command prompt run

    C:\ClamAV\clamd --install

   This will install the "ClamWin Free Antivirus Scanner Service". You then want to edit the service properties to start automatically, and set your recovery options to restart the service.

7) Download the "ClamAV GUI Wrapper" from http://oss.netfarm.it/clamav/
   You only need one file from this zip, ClamAV-GUI.exe, and you want to place that in C:\ClamAV
   This is a simple GUI for scanning files and directories and can be useful. You can create a short-cut for it if you want.

8) Configure Declude for ClamAV with the following (it is probably best to have this as the first scanner since it is the fastest):

    SCANFILE1 C:\ClamAV\ClamDScan.exe --quiet --no-summary -l report.txt
    VIRUSCODE1 1
    REPORT1.

9) Check your virus logs for "Virus scanner 1 reports" in order to verify that it is running.

Note, if you want to use a non-default location, you will need to change the location in the following three things (don't quote me on this)

1) clamav.reg
2) clamd.conf
3) The freshclam.exe --datadir argument

Matt

On 4/29/2010 4:14 PM, Michael Cummins wrote:

The official download from Clam wouldn't install on my Windows 2003 box. It said it only supports Windows 7, Vista, told me to go pound sand, yada yada.

The stuff at oss.netfarm.it didn't come with very much in the way of instructions, but the ClamAID stuff did and it was also familiar with Declude so it gave me a warm and fuzzy feeling. It also didn't look like clamav-win32-0.96.7z was going to set up FreshClam as a service, or at least didn't mention it, and I hate installing random product just to see what it does. Not dissing anything, just explaining why I chose it.

You're completely right. I'm completely clam-n00b. I've never worked with ClamAV, don't know its parts and pieces from a racoon skin hat, and was grateful to have a nice page of instructions (thanks, ARM!), especially on how to test it before configuring Declude. Also, the ClamAID example used the .conf file in their Declude config, while the Declude example didn't. I thought that was handy, too. It at least gave me a place I could kludge from, and now I know a lot more about how the product works.

Just splaining where my head was and leaving a trail here in the archives in case it helps someone else.
:) - Michael Cummins *From:* supp...@declude.com [mailto:supp...@declude.com] *On Behalf Of *Andy Schmidt *Sent:* Thursday, April 29, 2010 3:14 PM *To:* declude.virus@declude.com *Subject:* RE: [Declude.Virus] ClamAV There really is no need for ClamAid, because the recent builds (including oss.netfarm.it) already are able to install themselves as services, and the additional ClamAid DLLs will obsolete once you install the "official" version. So unless you need help adding the 3 lines to the Virus.cfg, ClamAid probably makes things unnecessary complicated... *From:* supp...@declude.com [mailto:supp...@declude.com] *On Behalf Of *Michael Cummins *Sent:* Thursday, April 29, 2010 2:50 PM *To:* declude.virus@declude.com *Subject:* RE: [Declude.Virus] ClamAV In case this is helpful for someone else that isn't so great at rolling their own Clams from the source code: First, I installed ClamAID using the default options. (SmarterMail / Declude install for me) http://www.armresearch.com/tools/arm/clamAID.jsp This installs Clam 0.92, wraps it up as a service, wraps
RE: [Declude.Virus] ClamAV
Thanks Michael for the effort to 'splain! I appreciated it. Make sure you are using the sanesecurity sigs as well as the MSRBL's

-Nick
MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm

From: "Michael Cummins"
Sent: Thursday, April 29, 2010 3:02 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ClamAV

In case this is helpful for someone else that isn't so great at rolling their own Clams from the source code:

First, I installed ClamAID using the default options. (SmarterMail / Declude install for me)

http://www.armresearch.com/tools/arm/clamAID.jsp

This installs Clam 0.92, wraps it up as a service, wraps up FreshClam as a service and gets everything pointed and configured for Declude to use. It includes pthreadVC2.dll, but I don't know if it uses it once we replace the files here in a bit, because. .when FreshClam goes to update the DB, it mangles the DB dies, because version 0.92 isn't supported anymore.

Immediately after installing ClamAID I stopped the ClamAVSvc and FreshClam services and I commented out the lines it added in virus.cfg so I could get it all running properly again.

I downloaded the clamav-win32-0.96.7z from http://oss.netfarm.it/clamav/ and extracted the files to a folder. I grabbed all the .exe and .dll files and replaced the old ones in \Program Files\Clam AV.

I edited \conf\clamd.conf and commented out the deprecated MailFollowURLs on line 226. I deleted the files in \data\ and created a \db\. I set the log levels in clamd.conf and freshclam.conf to high so I could see things chugging along until I was comfortable. I hard set the database to \db\ in the conf files, and set verbose logging.

I cranked up the services, and watched FreshClam download new profiles to \db\.

Once the db was downloaded, I tested Clam from the command prompt as described on the armresearch page, and everything looked like it was working fine. I uncommented the lines in Declude, restarted Declude, and watched it all start humming.

Now I am just keeping an eye on things, and waiting for Clam to catch a virus.

-- Michael Cummins
RE: [Declude.Virus] ClamAV
The official download from Clam wouldn't install on my Windows 2003 box. It said it only supports Windows 7, Vista, told me to go pound sand, yada yada. The stuff at oss.netfarm.it didn't come with very much in the way of instructions, but the ClamAID stuff did and it was also familiar with Declude so it gave me a warm and fuzzy feeling. It also didn't look like clamav-win32-0.96.7z was going to set up FreshClam as a service, or at least didn't mention it, and I hate installing random product just to see what it does. Not dissing anything, just explaining why I chose it. You're completely right. I'm completely clam-n00b. I've never worked with ClamAV, don't know its parts and pieces from a racoon skin hat, and was grateful to have a nice page of instructions (thanks, ARM!), especially on how to test it before configuring Declude.Also, the ClamAID example used the .conf file in their Declude config, while the Declude example didn't. I thought that was handy, too. It at least gave me a place I could kludge from, and now I know a lot more about how the product works. Just splaining where my head was and leaving a trail here in the archives in case it helps someone else. :) - Michael Cummins From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Thursday, April 29, 2010 3:14 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] ClamAV There really is no need for ClamAid, because the recent builds (including oss.netfarm.it) already are able to install themselves as services, and the additional ClamAid DLLs will obsolete once you install the "official" version. So unless you need help adding the 3 lines to the Virus.cfg, ClamAid probably makes things unnecessary complicated... 
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael Cummins Sent: Thursday, April 29, 2010 2:50 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] ClamAV In case this is helpful for someone else that isn't so great at rolling their own Clams from the source code: First, I installed ClamAID using the default options. (SmarterMail / Declude install for me) http://www.armresearch.com/tools/arm/clamAID.jsp This installs Clam 0.92, wraps it up as a service, wraps up FreshClam as a service and gets everything pointed and configured for Declude to use. It includes pthreadVC2.dll , but I don't know if it uses it once we replace the files here in a bit, because. .when FreshClam goes to update the DB, it mangles the DB dies, because version 0.92 isn't supported anymore. Immediately after installing ClamAID I stopped the ClamAVSvc and FreshClam services and I commented out the lines it added in virus.cfg so I could get it all running properly again. I downloaded the clamav-win32-0.96.7z from http://oss.netfarm.it/clamav/ and extracted the files to a folder. I grabbed all the .exe and .dll files and replaced the old ones in \Program Files\Clam AV. I edited \conf\clamd.conf and commented out the deprecated MailFollowURLs on line 226. I deleted the files in \data\ and crated a \db\. I set the log levels in clamd.conf and freshclam.conf to high so I could see things chugging along until I was comfortable. I hard set the database to \db\ in the conf files, and set verbose logging. I cranked up the services, and watched FreshClam download new profiles to \db\. Once the db was downloaded, I tested Clam from the command prompt as described on the armresearch page, and everything looked like it was working fine. I uncommented the lines in Declude, restarted Declude, and watched it all start humming. Now I am just keeping an eye on things, and waiting for Clam to catch a virus. 
-- Michael Cummins
RE: [Declude.Virus] ClamAV
There really is no need for ClamAid, because the recent builds (including oss.netfarm.it) already are able to install themselves as services, and the additional ClamAid DLLs will obsolete once you install the "official" version. So unless you need help adding the 3 lines to the Virus.cfg, ClamAid probably makes things unnecessary complicated... From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael Cummins Sent: Thursday, April 29, 2010 2:50 PM To: declude.virus@declude.com Subject: RE: [Declude.Virus] ClamAV In case this is helpful for someone else that isn't so great at rolling their own Clams from the source code: First, I installed ClamAID using the default options. (SmarterMail / Declude install for me) http://www.armresearch.com/tools/arm/clamAID.jsp This installs Clam 0.92, wraps it up as a service, wraps up FreshClam as a service and gets everything pointed and configured for Declude to use. It includes pthreadVC2.dll , but I don't know if it uses it once we replace the files here in a bit, because. .when FreshClam goes to update the DB, it mangles the DB dies, because version 0.92 isn't supported anymore. Immediately after installing ClamAID I stopped the ClamAVSvc and FreshClam services and I commented out the lines it added in virus.cfg so I could get it all running properly again. I downloaded the clamav-win32-0.96.7z from http://oss.netfarm.it/clamav/ and extracted the files to a folder. I grabbed all the .exe and .dll files and replaced the old ones in \Program Files\Clam AV. I edited \conf\clamd.conf and commented out the deprecated MailFollowURLs on line 226. I deleted the files in \data\ and crated a \db\. I set the log levels in clamd.conf and freshclam.conf to high so I could see things chugging along until I was comfortable. I hard set the database to \db\ in the conf files, and set verbose logging. I cranked up the services, and watched FreshClam download new profiles to \db\. 
Once the db was downloaded, I tested Clam from the command prompt as described on the armresearch page, and everything looked like it was working fine. I uncommented the lines in Declude, restarted Declude, and watched it all start humming. Now I am just keeping an eye on things, and waiting for Clam to catch a virus. -- Michael Cummins
RE: [Declude.Virus] ClamAV
In case this is helpful for someone else that isn't so great at rolling their own Clams from the source code:

First, I installed ClamAID using the default options. (SmarterMail / Declude install for me)

http://www.armresearch.com/tools/arm/clamAID.jsp

This installs Clam 0.92, wraps it up as a service, wraps up FreshClam as a service and gets everything pointed and configured for Declude to use. It includes pthreadVC2.dll, but I don't know if it uses it once we replace the files here in a bit, because. .when FreshClam goes to update the DB, it mangles the DB dies, because version 0.92 isn't supported anymore.

Immediately after installing ClamAID I stopped the ClamAVSvc and FreshClam services and I commented out the lines it added in virus.cfg so I could get it all running properly again.

I downloaded the clamav-win32-0.96.7z from http://oss.netfarm.it/clamav/ and extracted the files to a folder. I grabbed all the .exe and .dll files and replaced the old ones in \Program Files\Clam AV.

I edited \conf\clamd.conf and commented out the deprecated MailFollowURLs on line 226. I deleted the files in \data\ and created a \db\. I set the log levels in clamd.conf and freshclam.conf to high so I could see things chugging along until I was comfortable. I hard set the database to \db\ in the conf files, and set verbose logging.

I cranked up the services, and watched FreshClam download new profiles to \db\.

Once the db was downloaded, I tested Clam from the command prompt as described on the armresearch page, and everything looked like it was working fine. I uncommented the lines in Declude, restarted Declude, and watched it all start humming.

Now I am just keeping an eye on things, and waiting for Clam to catch a virus.

-- Michael Cummins
RE: [Declude.Virus] ClamAV
Thanks John,

Yes, that'll work too. Of course, rather than you having to modify the source code of 2 or 3 modules for every build - or me having to write a report file parser, the REAL solution is for Declude to provide at least a minimum amount of flexibility in parsing report files (or - to integrate the ClamLib and eliminate any command line needs).

Best Regards,
Andy

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Cert
Sent: Wednesday, April 28, 2010 7:26 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] ClamAV

Hello!

The "sherpya" Clam port at oss.netfarm.it is very easy to build and use, and there are only about 10 lines of code in 2 or 3 modules where you need to add a "VirusName->" prefix before the actual name of the virus so Declude can pick it up in the report file. I just mod the code and recompile instead of trying to manipulate the report file.

I do not use any sort of installer. I just setup the conf files, spawn a clamd process on startup, schedule a freshclam run periodically, and point Declude to the clamdscan scanner.

I also grab the MSRBL Images spam database for use with Clam.

The clamd/clamdscan combo are very light and fast.

Take care!
John

On 4/28/2010 1:13 PM, Andy Schmidt wrote:
> Generally, ClamD catches most viruses that AVG misses (during those times when it actually runs), and McAfee catches the occasional virus that ClamD misses. ClamD downloads updates automatically (using the FreshClam).
>
> I found the http://oss.netfarm.it/clamav build very useful. I don't recall any installation difficulty. It did have a successful installer and is able to install itself as a service.
>
> There is a .REG file that sets up a registry entry where the path is stored.
>
> In their registry, I use the following:
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\ClamAV]
> "ConfigDir"="C:\\Progra~1\\ClamAV\\conf"
> "DataDir"="C:\\Progra~1\\ClamAV\\db"
>
> For FreshClam.conf, I changed these parameters:
>
> DatabaseDirectory "C:\Program Files\clamAV\db"
> UpdateLogFile "C:\Program Files\clamAV\log\freshclam.log"
> LogTime yes
>
> For ClamD.conf, I changed these:
>
> LogFile "C:\Program Files\clamAV\log\clamd.log"
> LogTime yes
> TemporaryDirectory C:\Temp
> DatabaseDirectory "C:\Program Files\clamAV\db"
>
> For the service, I removed the spaces from the path (not sure if this was needed):
>
> "C:\Progra~1\ClamAV\clamd.exe" --daemon
>
> In Declude, you'd use:
>
> #ClamAV
> SCANFILE1 C:\Progra~1\ClamAV\ClamDScan.exe
> VIRUSCODE1 1
>
> Of course, that still leaves the problem of the virus report file. I had contacted Declude and they said they would check if they can natively parse the report file. For now I still use a simple script to reformat the Report file to suit Declude.
>
> ClamAV now has an official Windows build AND compiles under Visual Studio. So, ideally, Declude would just integrate ClamAV as an internal scanner instead of having to deal with all this command-line jazz.
>
> Best Regards,
> Andy
>
> From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael Cummins
> Sent: Wednesday, April 28, 2010 1:30 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] Internal Scanner - Nonfunctional?
>
> What's the best way to look into using Clam as a second scanner?
>
> I found this at ARM, does anyone else use this install aid?
>
> http://www.armresearch.com/tools/arm/clamAID.jsp
>
> What's your general opinion of Clam when compared to McAffee, or another favorite scanner?
>
> How do you update your Clam database files?
>
> Thanks for the discussion and feedback!
>
> -- Michael Cummins
Re: [Declude.Virus] ClamAV
Hello!

The "sherpya" Clam port at oss.netfarm.it is very easy to build and use, and there are only about 10 lines of code in 2 or 3 modules where you need to add a "VirusName->" prefix before the actual name of the virus so Declude can pick it up in the report file. I just mod the code and recompile instead of trying to manipulate the report file.

I do not use any sort of installer. I just setup the conf files, spawn a clamd process on startup, schedule a freshclam run periodically, and point Declude to the clamdscan scanner.

I also grab the MSRBL Images spam database for use with Clam.

The clamd/clamdscan combo are very light and fast.

Take care!
John

On 4/28/2010 1:13 PM, Andy Schmidt wrote:

Generally, ClamD catches most viruses that AVG misses (during those times when it actually runs), and McAfee catches the occasional virus that ClamD misses. ClamD downloads updates automatically (using the FreshClam).

I found the http://oss.netfarm.it/clamav build very useful. I don't recall any installation difficulty. It did have a successful installer and is able to install itself as a service.

There is a .REG file that sets up a registry entry where the path is stored.

In their registry, I use the following:

    [HKEY_LOCAL_MACHINE\SOFTWARE\ClamAV]
    "ConfigDir"="C:\\Progra~1\\ClamAV\\conf"
    "DataDir"="C:\\Progra~1\\ClamAV\\db"

For FreshClam.conf, I changed these parameters:

    DatabaseDirectory "C:\Program Files\clamAV\db"
    UpdateLogFile "C:\Program Files\clamAV\log\freshclam.log"
    LogTime yes

For ClamD.conf, I changed these:

    LogFile "C:\Program Files\clamAV\log\clamd.log"
    LogTime yes
    TemporaryDirectory C:\Temp
    DatabaseDirectory "C:\Program Files\clamAV\db"

For the service, I removed the spaces from the path (not sure if this was needed):

    "C:\Progra~1\ClamAV\clamd.exe" --daemon

In Declude, you'd use:

    #ClamAV
    SCANFILE1 C:\Progra~1\ClamAV\ClamDScan.exe
    VIRUSCODE1 1

Of course, that still leaves the problem of the virus report file. I had contacted Declude and they said they would check if they can natively parse the report file. For now I still use a simple script to reformat the Report file to suit Declude.

ClamAV now has an official Windows build AND compiles under Visual Studio. So, ideally, Declude would just integrate ClamAV as an internal scanner instead of having to deal with all this command-line jazz.

Best Regards,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael Cummins
Sent: Wednesday, April 28, 2010 1:30 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Internal Scanner - Nonfunctional?

What's the best way to look into using Clam as a second scanner?

I found this at ARM, does anyone else use this install aid?

http://www.armresearch.com/tools/arm/clamAID.jsp

What's your general opinion of Clam when compared to McAffee, or another favorite scanner?

How do you update your Clam database files?

Thanks for the discussion and feedback!

-- Michael Cummins
RE: [Declude.Virus] ClamAV
Generally, ClamD catches most viruses that AVG misses (during those times when it actually runs), and McAfee catches the occasional virus that ClamD misses. ClamD downloads updates automatically (using the FreshClam).

I found the http://oss.netfarm.it/clamav build very useful. I don't recall any installation difficulty. It did have a successful installer and is able to install itself as a service.

There is a .REG file that sets up a registry entry where the path is stored.

In their registry, I use the following:

    [HKEY_LOCAL_MACHINE\SOFTWARE\ClamAV]
    "ConfigDir"="C:\\Progra~1\\ClamAV\\conf"
    "DataDir"="C:\\Progra~1\\ClamAV\\db"

For FreshClam.conf, I changed these parameters:

    DatabaseDirectory "C:\Program Files\clamAV\db"
    UpdateLogFile "C:\Program Files\clamAV\log\freshclam.log"
    LogTime yes

For ClamD.conf, I changed these:

    LogFile "C:\Program Files\clamAV\log\clamd.log"
    LogTime yes
    TemporaryDirectory C:\Temp
    DatabaseDirectory "C:\Program Files\clamAV\db"

For the service, I removed the spaces from the path (not sure if this was needed):

    "C:\Progra~1\ClamAV\clamd.exe" --daemon

In Declude, you'd use:

    #ClamAV
    SCANFILE1 C:\Progra~1\ClamAV\ClamDScan.exe
    VIRUSCODE1 1

Of course, that still leaves the problem of the virus report file. I had contacted Declude and they said they would check if they can natively parse the report file. For now I still use a simple script to reformat the Report file to suit Declude.

ClamAV now has an official Windows build AND compiles under Visual Studio. So, ideally, Declude would just integrate ClamAV as an internal scanner instead of having to deal with all this command-line jazz.

Best Regards,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael Cummins
Sent: Wednesday, April 28, 2010 1:30 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] Internal Scanner - Nonfunctional?

What's the best way to look into using Clam as a second scanner?

I found this at ARM, does anyone else use this install aid?

http://www.armresearch.com/tools/arm/clamAID.jsp

What's your general opinion of Clam when compared to McAffee, or another favorite scanner?

How do you update your Clam database files?

Thanks for the discussion and feedback!

-- Michael Cummins
Re: [Declude.Virus] ClamAV
Andy,

I must be blind as I try to install this ... I looked at the link below, and found multiple versions, but none of them have an installer ... are you installing the ClamWin version and not the versions at oss.netfarm.it ???

When I take apart the archive, I find all of the files, but no setup.exe etc ... Am I missing something from your instructions?

I also noticed when I put a logfile path in the freshclam.conf file directly, it stops working ... it just doesn't like that link ... very perplexed.

david

On Jun 8, 2009, at 7:37 AM, Andy Schmidt wrote:

Hi David:

The best is http://oss.netfarm.it/clamav - because it's the same one ClamWin is using and it's kept up-to-date. I don't recall any installation difficulty. It did have a successful installer and is able to install itself as a service. There is a .REG file that sets up a registry entry where the path is stored.

In their registry, I chose to change the following (because I wanted to keep the CONF files and the DB files out of the program code):

    [HKEY_LOCAL_MACHINE\SOFTWARE\ClamAV]
    "ConfigDir"="C:\\Progra~1\\ClamAV\\conf"
    "DataDir"="C:\\Progra~1\\ClamAV\\db"

For FreshClam.conf, I changed these parameters to match my preference:

    DatabaseDirectory "C:\Program Files\clamAV\db"
    UpdateLogFile "C:\Program Files\clamAV\log\freshclam.log"
    LogTime yes

For ClamD.conf, I changed these:

    LogFile "C:\Program Files\clamAV\log\clamd.log"
    LogTime yes
    TemporaryDirectory C:\Temp
    DatabaseDirectory "C:\Program Files\clamAV\db"

For the service, I removed the spaces from the path (not sure if this was needed):

    "C:\Progra~1\ClamAV\clamd.exe" --daemon

In Declude, I used:

    #ClamAV
    SCANFILE1 C:\Progra~1\ClamAV\ClamDScan.exe
    VIRUSCODE1 1

Of course, that still leaves the problem of Declude having no decent virus report file parser (if you care about seeing the proper virus name in the proper location of the log files). For now, I still use a "middleware" to reformat the Report file before feeding it to Declude. If you don't care about names, then this isn't necessary.

Best Regards,
Andy

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Dodell
Sent: Monday, June 08, 2009 12:26 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] ClamAV

I'm using an older version of ClamAV that needs to be updated as a backup scanner. Unfortunately, it is no longer being developed.

Has anyone tried the ClamID from ArmResearch or any other version of ClamAV that is current that works with Declude?

David
RE: [Declude.Virus] ClamAV
Hi David:

The best is http://oss.netfarm.it/clamav - because it's the same one ClamWin is using and it's kept up-to-date. I don't recall any installation difficulty. It did have a successful installer and is able to install itself as a service. There is a .REG file that sets up a registry entry where the path is stored.

In their registry, I chose to change the following (because I wanted to keep the CONF files and the DB files out of the program code):

    [HKEY_LOCAL_MACHINE\SOFTWARE\ClamAV]
    "ConfigDir"="C:\\Progra~1\\ClamAV\\conf"
    "DataDir"="C:\\Progra~1\\ClamAV\\db"

For FreshClam.conf, I changed these parameters to match my preference:

    DatabaseDirectory "C:\Program Files\clamAV\db"
    UpdateLogFile "C:\Program Files\clamAV\log\freshclam.log"
    LogTime yes

For ClamD.conf, I changed these:

    LogFile "C:\Program Files\clamAV\log\clamd.log"
    LogTime yes
    TemporaryDirectory C:\Temp
    DatabaseDirectory "C:\Program Files\clamAV\db"

For the service, I removed the spaces from the path (not sure if this was needed):

    "C:\Progra~1\ClamAV\clamd.exe" --daemon

In Declude, I used:

    #ClamAV
    SCANFILE1 C:\Progra~1\ClamAV\ClamDScan.exe
    VIRUSCODE1 1

Of course, that still leaves the problem of Declude having no decent virus report file parser (if you care about seeing the proper virus name in the proper location of the log files). For now, I still use a "middleware" to reformat the Report file before feeding it to Declude. If you don't care about names, then this isn't necessary.

Best Regards,
Andy

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Dodell
Sent: Monday, June 08, 2009 12:26 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] ClamAV

I'm using an older version of ClamAV that needs to be updated as a backup scanner. Unfortunately, it is no longer being developed.

Has anyone tried the ClamID from ArmResearch or any other version of ClamAV that is current that works with Declude?

David
RE: [Declude.Virus] ClamAv with Declude
Here is a comment by the SOSDG ClamAV author on the SmarterMail forum:

http://www.smartertools.com/forums/p/22257/59718.aspx#59718

Original Message
> From: "Gary Steiner"
> Sent: Monday, December 29, 2008 3:20 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] ClamAv with Declude
>
> There is an announcement on the SOSDG web site saying they will no longer support their version of ClamAV.
>
> http://www.sosdg.org/clamav-win32
>
> Is anyone using a different port of ClamAV with Declude? Has anyone had success with http://www.clamwin.com/ ?
>
> Original Message
> > From: "Scott Fisher"
> > Sent: Monday, December 29, 2008 7:39 AM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] ClamAv with Declude
> >
> > I use the runclamscan program to call clamav. Here's my virus.cfg lines
> >
> > SCANFILE1 c:\clamav\runclamscan.exe log=1 C:\clamav\clamdscan.exe --quiet -l report.txt
> > VIRUSCODE1 1
> > REPORT1 FOUND
> >
> > -Original Message-
> > From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Dodell
> > Sent: Sunday, December 28, 2008 11:29 AM
> > To: declude.virus@declude.com
> > Subject: [Declude.Virus] ClamAv with Declude
> >
> > On Dec 28, 2008, at 8:36 AM, Hirthe, Alexander wrote:
> >
> > > http://www.mail-archive.com/declude.virus@declude.com/msg14082.html
> >
> > Ok, thanks for the excellent beginning ... I'm using the Clamav-win32 from sosdg.org
> >
> > Freshclam installed all the latest files just fine
> >
> > Got it all installed ... but something still not working:
> >
> > (1) I got clamd installed as a service
> >
> > (2) In my virus.cfg I have
> >
> > scanfile c:\imail\declude\clamav\clamdscan.exe --quiet -l report.txt
> > viruscode 1
> > report FOUND
> >
> > (3) In my logs it reports
> >
> > Could Not Parse String FOUND in report.txt
> > Error 2 in virus scanner 1
> > Scanned: Error in Virus scanner [MIME: 1 991]
> >
> > -
> >
> > So I'm assuming I need another type code or way for freshclam to exit cleanly if it doesn't find a virus?
> >
> > David
RE: [Declude.Virus] ClamAv with Declude
There is an announcement on the SOSDG web site saying they will no longer support their version of ClamAV.

http://www.sosdg.org/clamav-win32

Is anyone using a different port of ClamAV with Declude? Has anyone had success with http://www.clamwin.com/ ?

Original Message
> From: "Scott Fisher"
> Sent: Monday, December 29, 2008 7:39 AM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] ClamAv with Declude
>
> I use the runclamscan program to call clamav. Here's my virus.cfg lines
>
> SCANFILE1 c:\clamav\runclamscan.exe log=1 C:\clamav\clamdscan.exe --quiet -l report.txt
> VIRUSCODE1 1
> REPORT1 FOUND
>
> -Original Message-
> From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Dodell
> Sent: Sunday, December 28, 2008 11:29 AM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] ClamAv with Declude
>
> On Dec 28, 2008, at 8:36 AM, Hirthe, Alexander wrote:
>
> > http://www.mail-archive.com/declude.virus@declude.com/msg14082.html
>
> Ok, thanks for the excellent beginning ... I'm using the Clamav-win32 from sosdg.org
>
> Freshclam installed all the latest files just fine
>
> Got it all installed ... but something still not working:
>
> (1) I got clamd installed as a service
>
> (2) In my virus.cfg I have
>
> scanfile c:\imail\declude\clamav\clamdscan.exe --quiet -l report.txt
> viruscode 1
> report FOUND
>
> (3) In my logs it reports
>
> Could Not Parse String FOUND in report.txt
> Error 2 in virus scanner 1
> Scanned: Error in Virus scanner [MIME: 1 991]
>
> -
>
> So I'm assuming I need another type code or way for freshclam to exit cleanly if it doesn't find a virus?
>
> David
RE: [Declude.Virus] ClamAv with Declude
I use the runclamscan program to call clamav. Here's my virus.cfg lines

    SCANFILE1 c:\clamav\runclamscan.exe log=1 C:\clamav\clamdscan.exe --quiet -l report.txt
    VIRUSCODE1 1
    REPORT1 FOUND

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Dodell
Sent: Sunday, December 28, 2008 11:29 AM
To: declude.virus@declude.com
Subject: [Declude.Virus] ClamAv with Declude

On Dec 28, 2008, at 8:36 AM, Hirthe, Alexander wrote:

> http://www.mail-archive.com/declude.virus@declude.com/msg14082.html

Ok, thanks for the excellent beginning ... I'm using the Clamav-win32 from sosdg.org

Freshclam installed all the latest files just fine

Got it all installed ... but something still not working:

(1) I got clamd installed as a service

(2) In my virus.cfg I have

    scanfile c:\imail\declude\clamav\clamdscan.exe --quiet -l report.txt
    viruscode 1
    report FOUND

(3) In my logs it reports

    Could Not Parse String FOUND in report.txt
    Error 2 in virus scanner 1
    Scanned: Error in Virus scanner [MIME: 1 991]

-

So I'm assuming I need another type code or way for freshclam to exit cleanly if it doesn't find a virus?

David
Re: [Declude.Virus] ClamAv with Declude
On Dec 28, 2008, at 10:28 AM, David Dodell wrote:

(2) In my virus.cfg I have

    scanfile c:\imail\declude\clamav\clamdscan.exe --quiet -l report.txt
    viruscode 1
    report FOUND

(3) In my logs it reports

    Could Not Parse String FOUND in report.txt
    Error 2 in virus scanner 1
    Scanned: Error in Virus scanner [MIME: 1 991]

Ok, found Error 2 is a problem in the scanner. The scanner is working fine from the command line, so I'm now assuming declude is not passing something correctly, or I'm missing something fundamental?

David
re: [Declude.Virus] ClamAV
I've been using the SOSDG version of ClamAV (http://www.sosdg.org/clamav-win32) with no problem. This is the same version/port of ClamAV that SmarterMail ships with their product. The trick is setting it up to run as a service with runclamscan and runclamd. These are included with ClamAV in the "thirdparty" directory.

This is what I have in virus.cfg:

    SCANFILE1 C:\clamav-devel\thirdparty\runclamscan\runclamscan.exe log=2 C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt
    VIRUSCODE1 1
    REPORT1 FOUND

Original Message
> From: "Bonno Bloksma" <[EMAIL PROTECTED]>
> Sent: Thursday, June 05, 2008 1:45 PM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] ClamAV
>
> Hi,
>
> Been using the old F-prot v3 as a second scanner but I disabled it today. As the new F-prot 6 scanner is not allowed with Declude, well sort of but I don't want to pay that much ;-) I wanted to use ClamAV as an extra scanner.
>
> In the past it was a bit difficult I seem to remember but Is it really as easy as 1-2-3 today?
> Go to http://w32.clamav.net/ and download
> - The Windows msi file
> - The initial virus signatures
> - Pthreads (I seem to need it).
> Install the msi
> Copy the initial signature files to C:\Program Files\clamAV\data or something like it.
>
> But then
> Make sure the sig files are updated... but how?
>
> Let Declude (according to http://www.declude.com/searchresults.asp?Cat=124) call ClamAV using:
> SCANFILE [Drive:]\[Path]\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt
> Which would probably translate to
> SCANFILE C:\Program Files\bin\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt
> or would
> SCANFILE C:\IMail\Declude\Scanners\clamscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt
> be a better solution.
>
> There is also a clamscam.txt file in the C:\IMail\declude\scanners\ClamAV directory that seems to suggest something else.
>
> So where is a HOWTO to get it up and running with Declude? I'm sure I'm not the first to look at the combination, so how did YOU do it. :-)
>
> Kind regards,
> Bonno Bloksma
> head of system administration
>
> tio hogeschool hospitality en toerisme
> begijnenhof 8-12 / 5611 el eindhoven
> t 040 296 28 28 / f 040 237 35 20
> [EMAIL PROTECTED] / www.tio.nl
RE: [Declude.Virus] ClamAV and Declude problem
I had this same problem and had to stop using clam. I believe someone said that it was a problem with that version of clam. I don't remember what the fix for it was, but would be interested to know as well.

Jared (from my phone)

-Original Message-
From: "Imail Admin" <[EMAIL PROTECTED]>
To: "declude.virus@declude.com"
Sent: 7/14/07 3:42 AM
Subject: [Declude.Virus] ClamAV and Declude problem

Hi All,

We've been testing ClamAV with Declude AVA on our new mail server (running 2006.2). We only have a few mailboxes on this server because we're still testing it. Today, I ran into a problem where the D: drive ran out of space (100GB). It turns out the d:\temp folder was very large (90GB) and that was due to a large number of folders named .clamtmp or some such. Each of those folders was full of very files, some quite large. My take is that these are temp folders created by ClamAV, but I can't figure out why they're being left behind.

The lines for ClamAV in virus.cfg are:

    CLAMAV
    SCANFILE2 D:\Progra~1\clamwin\bin\clamscan.exe --verbose --database="C:\docume~1\alluse~1.win\clamwi~1\db" --tempdir="D:\Temp" --no-summary -l report.txt
    VIRUSCODE2 1
    REPORT2 FOUND

I also noticed some strange lines in the virus log files:

    07/13/2007 00:31:17.439 q2a03033d58e6.smd ERROR: Virus scanner 2 didn't finish after 60 seconds; terminating.
    07/13/2007 00:31:17.439 q2a03033d58e6.smd Virus scanner 2 reports exit code of 0
    07/13/2007 00:31:17.439 q2a03033d58e6.smd Couldn't delete D:\IMail\spool\proc\work\D2a03033d58e6.vir\report.txt: 32. Error String: [The process cannot access the file because it is being used by another process.]
    07/13/2007 00:31:47.440 q2a03033d58e6.smd Scanned: Virus Free [MIME: 1 26]
    07/13/2007 00:32:31.597 q2a8a035958eb.smd Vulnerability flags = 0
    07/13/2007 00:33:32.551 q2a8a035958eb.smd ERROR: Virus scanner 2 didn't finish after 60 seconds; terminating.
    07/13/2007 00:33:32.551 q2a8a035958eb.smd Virus scanner 2 reports exit code of 0
    07/13/2007 00:33:32.551 q2a8a035958eb.smd Couldn't delete D:\IMail\spool\proc\work\D2a8a035958eb.vir\report.txt: 32. Error String: [The process cannot access the file because it is being used by another process.]
    07/13/2007 00:36:57.961 q2b58038758f4.smd ERROR: Virus scanner 2 didn't finish after 60 seconds; terminating.
    07/13/2007 00:36:58.008 q2b58038758f4.smd Virus scanner 2 reports exit code of 0
    07/13/2007 00:36:58.008 q2b58038758f4.smd Couldn't delete D:\IMail\spool\proc\work\D2b58038758f4.vir\report.txt: 32. Error String: [The process cannot access the file because it is being used by another process.]
    07/13/2007 00:37:03.149 q2b5e036258f7.smd ERROR: Virus scanner 2 didn't finish after 60 seconds; terminating.
    07/13/2007 00:37:03.149 q2b5e036258f7.smd Virus scanner 2 reports exit code of 0
    07/13/2007 00:37:03.149 q2b5e036258f7.smd Couldn't delete D:\IMail\spool\proc\work\D2b5e036258f7.vir\report.txt: 32. Error String: [The process cannot access the file because it is being used by another process.]

Any suggestions? I'm also concerned about the lines where it says "the process cannot access the file because it is being used...".

Thanks,
Ben
BC Web
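In the log excerpt quoted above, q2a03033d58e6.smd is logged as "Scanned: Virus Free" after scanner 2 was terminated at the 60-second limit and reported exit code 0, so that scanner contributed no verdict for the message. The following Python is an added example, not part of the original post and not Declude's or ClamAV's code; it audits a virus log for such cases, assuming the line layout shown in the excerpt. The function names, status labels and the two q2c00000000aa lines are constructed for illustration.

```python
import re

# The first seven lines are taken from the log excerpt quoted above; the last
# two (queue id q2c00000000aa) are constructed to show a scan with no timeout.
SAMPLE_LOG = r"""
07/13/2007 00:31:17.439 q2a03033d58e6.smd ERROR: Virus scanner 2 didn't finish after 60 seconds; terminating.
07/13/2007 00:31:17.439 q2a03033d58e6.smd Virus scanner 2 reports exit code of 0
07/13/2007 00:31:17.439 q2a03033d58e6.smd Couldn't delete D:\IMail\spool\proc\work\D2a03033d58e6.vir\report.txt: 32. Error String: [The process cannot access the file because it is being used by another process.]
07/13/2007 00:31:47.440 q2a03033d58e6.smd Scanned: Virus Free [MIME: 1 26]
07/13/2007 00:32:31.597 q2a8a035958eb.smd Vulnerability flags = 0
07/13/2007 00:33:32.551 q2a8a035958eb.smd ERROR: Virus scanner 2 didn't finish after 60 seconds; terminating.
07/13/2007 00:33:32.551 q2a8a035958eb.smd Virus scanner 2 reports exit code of 0
07/13/2007 00:40:00.000 q2c00000000aa.smd Virus scanner 2 reports exit code of 0
07/13/2007 00:40:00.100 q2c00000000aa.smd Scanned: Virus Free [MIME: 1 26]
"""

# Layout assumed from the excerpt: "MM/DD/YYYY HH:MM:SS.mmm <queue id> <text>"
LINE_RE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}) (\S+) (.*)$")
TIMEOUT_RE = re.compile(r"ERROR: Virus scanner (\d+) didn't finish after (\d+) seconds")
EXIT_RE = re.compile(r"Virus scanner (\d+) reports exit code of (-?\d+)")
LOCKED_RE = re.compile(r"Couldn't delete (.+?): (\d+)\. Error String")
VERDICT_RE = re.compile(r"Scanned: (.+?)(?: \[MIME:.*\])?$")


def parse(log_text):
    """Group scanner-related events by queue id, in order of first appearance."""
    messages = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or a line in another layout
        _stamp, qid, text = m.groups()
        rec = messages.setdefault(
            qid, {"timed_out": set(), "exit_codes": {}, "locked": [], "verdict": None}
        )
        hit = TIMEOUT_RE.match(text)
        if hit:
            rec["timed_out"].add(int(hit.group(1)))
            continue
        hit = EXIT_RE.match(text)
        if hit:
            rec["exit_codes"][int(hit.group(1))] = int(hit.group(2))
            continue
        hit = LOCKED_RE.match(text)
        if hit:
            rec["locked"].append(hit.group(1))  # work file left behind
            continue
        hit = VERDICT_RE.match(text)
        if hit:
            rec["verdict"] = hit.group(1)
    return messages


def audit(log_text):
    """Return one finding per message that had at least one scanner timeout."""
    findings = []
    for qid, rec in parse(log_text).items():
        if not rec["timed_out"]:
            continue
        if rec["verdict"] is None:
            status = "NO_VERDICT"   # no "Scanned:" line seen for this message
        elif rec["verdict"].lower() == "virus free":
            status = "FAIL_OPEN"    # passed although a scanner never finished
        else:
            status = "TIMEOUT"      # some other final verdict was logged
        killed = sorted(rec["timed_out"])
        findings.append({
            "queue_id": qid,
            "status": status,
            "scanners": killed,
            # exit code 0 logged for a scanner that was terminated, not finished
            "zero_exit_after_kill": [n for n in killed if rec["exit_codes"].get(n) == 0],
            "locked_files": rec["locked"],
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f["queue_id"], f["status"], "scanners", f["scanners"],
              "left behind:", len(f["locked_files"]))
```

A FAIL_OPEN finding means only that the timed-out scanner gave no result; any other scanner configured in virus.cfg may still have scanned the message.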
re: [Declude.Virus] ClamAV with a strong aroma
I'm using the SOSDG port which is currently at version 0.90.3-3c and have not encountered the problem you describe. Then again, I'm also using SmarterMail, so don't know if this may be an IMail compatibility problem.

Original Message
> From: "John Shacklett" <[EMAIL PROTECTED]>
> Sent: Tuesday, June 26, 2007 8:25 AM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] ClamAV with a strong aroma
>
> Is anyone using ClamWin 0.90.2.1 with Declude AV? I was, using the following line from the virus.cfg:
>
> SCANFILE4 C:\Progra~1\ClamWin\bin\clamscan.exe --verbose --database=C:\Docume~1\AllUse~1\.clamwin\db --tempdir=C:\PROGRA~1\IPSWITCH\IMAIL\Declude\Scanners\ClamAV --no-summary -l report.txt
>
> All of a sudden last week, it started filling my C:\PROGRA~1\IPSWITCH\IMAIL\Declude\Scanners\ClamAV folder with *.clamtmp folders that wouldn't clear [and chewed up 100GB of free space in a couple of days], and I also started getting "did not finish in time" messages in the vir.logs, and it threw my CPU usage to 100% constantly. I commented clam back out and the performance went right back to normal.
>
> Has anyone else seen anything unusual with clamav performance recently?
>
> John S.
RE: [Declude.Virus] ClamAV with a strong aroma
John,

I dropped ClamWin 0.90 a month or so ago due to similar performance issues.

George

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
> Sent: Tuesday, June 26, 2007 8:11 AM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] ClamAV with a strong aroma
>
> Is anyone using ClamWin 0.90.2.1 with Declude AV? I was, using the following line from the virus.cfg:
>
> SCANFILE4 C:\Progra~1\ClamWin\bin\clamscan.exe --verbose --database=C:\Docume~1\AllUse~1\.clamwin\db --tempdir=C:\PROGRA~1\IPSWITCH\IMAIL\Declude\Scanners\ClamAV --no-summary -l report.txt
>
> All of a sudden last week, it started filling my C:\PROGRA~1\IPSWITCH\IMAIL\Declude\Scanners\ClamAV folder with *.clamtmp folders that wouldn't clear [and chewed up 100GB of free space in a couple of days], and I also started getting "did not finish in time" messages in the vir.logs, and it threw my CPU usage to 100% constantly. I commented clam back out and the performance went right back to normal.
>
> Has anyone else seen anything unusual with clamav performance recently?
>
> John S.
RE: [Declude.Virus] ClamAV lstat() failed. ERROR
I'll try to be more specific. What I have in my virus.cfg file is essentially what has been posted here on the list by several different people as the accepted info to put in the file.

    SCANFILE1 C:\clamav-devel\thirdparty\runclamscan\runclamscan.exe log=2 C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt
    VIRUSCODE1 1
    REPORT1 FOUND

So I should be able to type the following at a command prompt and have it work:

    C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt 123456789.eml

It used to work, but now it doesn't. It generates the lstat error. After some experimentation, I found that typing the following does work:

    C:\clamav-devel\bin\clamdscan.exe --quiet -l C:\temp\report.txt C:\temp\123456789.eml

and so does this:

    C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt C:\temp\123456789.eml

In setting virus.cfg to DEBUG, it shows Declude creating the long pathname. But since it deletes the report.txt file, I can't see what is being generated. When I reprocess the new RAR file worm, the Declude log lines show ClamAV giving a return code of zero. When I do it from the command prompt, ClamAV says Email.Phishing.RB-686 FOUND.

When I test another message that is an image spam that is picked up by the Sanesecurity phishing files, Declude finds it with ClamAV, and ClamAV finds it using the command prompt. So maybe this problem and the lstat error are unrelated.

Original Message
> From: "Andy Schmidt" <[EMAIL PROTECTED]>
> Sent: Wednesday, April 25, 2007 8:33 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] ClamAV lstat() failed. ERROR
>
> Gary,
>
> I'm not sure I understand your point.
>
> What you define in Virus.cfg, e.g.:
>
> SCANFILE C:\Progra~1\Common~1\Networ~1\Engine\SCAN.EXE /LOAD D:\IMAIL\Declude\SCAN.CFG
>
> is only the START of the command line, to which Declude appends the full path for the file it tries to scan.
>
> So, if you defined:
>
> SCANFILE C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt
>
> and the Declude is processing the file c:\temp\123456789.eml then it would issue the command
>
> c:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt c:\temp\123456789.eml
>
> I recommend you turn on the debug mode for Declude virus and then inspect the relevant lines of the log (or send them to the list so that we can take a look at it). Obviously, you'd also need to share your virus.cfg configuration so that we understand the context.
>
> Best Regards,
> Andy
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
> Sent: Wednesday, April 25, 2007 6:39 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] ClamAV lstat() failed. ERROR
>
> In pursuing the problem of the new worm with a password-protected RAR file, I found a problem with ClamAV.
>
> I'm running the SOSDG ClamAV Windows port version 0.90.2-2 (along with runclamd and runclamscan).
>
> Declude uses the following string:
> C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt
>
> If I try to use it at a command prompt, I get the lstat() failed error. If I type in the full path for my command string, such as
> C:\clamav-devel\bin\clamdscan.exe --quiet -l C:\temp\report.txt C:\temp\123456789.eml
>
> it works. The problem is that Declude scans a file in a different directory each time, so the path changes. So for Declude to work now, it would require a significant change in Declude.
>
> But ClamAV worked before. What changed? Can it be changed back? Is this a problem with ClamAV in general, or just with the SOSDG Windows port? Do the other ClamAV ports have this problem?
>
> Any suggestions you might have are greatly appreciated.
>
> Gary Steiner
RE: [Declude.Virus] ClamAV lstat() failed. ERROR
Gary,

I'm not sure I understand your point.

What you define in Virus.cfg, e.g.:

    SCANFILE C:\Progra~1\Common~1\Networ~1\Engine\SCAN.EXE /LOAD D:\IMAIL\Declude\SCAN.CFG

is only the START of the command line, to which Declude appends the full path for the file it tries to scan.

So, if you defined:

    SCANFILE C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt

and the Declude is processing the file c:\temp\123456789.eml then it would issue the command

    c:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt c:\temp\123456789.eml

I recommend you turn on the debug mode for Declude virus and then inspect the relevant lines of the log (or send them to the list so that we can take a look at it). Obviously, you'd also need to share your virus.cfg configuration so that we understand the context.

Best Regards,
Andy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Wednesday, April 25, 2007 6:39 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] ClamAV lstat() failed. ERROR

In pursuing the problem of the new worm with a password-protected RAR file, I found a problem with ClamAV.

I'm running the SOSDG ClamAV Windows port version 0.90.2-2 (along with runclamd and runclamscan).

Declude uses the following string:

    C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt

If I try to use it at a command prompt, I get the lstat() failed error. If I type in the full path for my command string, such as

    C:\clamav-devel\bin\clamdscan.exe --quiet -l C:\temp\report.txt C:\temp\123456789.eml

it works. The problem is that Declude scans a file in a different directory each time, so the path changes. So for Declude to work now, it would require a significant change in Declude.

But ClamAV worked before. What changed? Can it be changed back? Is this a problem with ClamAV in general, or just with the SOSDG Windows port? Do the other ClamAV ports have this problem?

Any suggestions you might have are greatly appreciated.

Gary Steiner
Re: [Declude.Virus] ClamAV lstat() failed. ERROR
Gary,

In order to scan the file I am sure Declude has to append the path to the files to scan otherwise how would the virus scanner know what to scan? It needs some type of path. Unless possibly it sets a working directory and expects the scanner to scan all the files in the working directory. I suspect it gets a path much like it calls an external application. Flip your logs to debug what does it show?

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: "Gary Steiner" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, April 25, 2007 6:39 PM
Subject: [Declude.Virus] ClamAV lstat() failed. ERROR

In pursuing the problem of the new worm with a password-protected RAR file, I found a problem with ClamAV.

I'm running the SOSDG ClamAV Windows port version 0.90.2-2 (along with runclamd and runclamscan).

Declude uses the following string:

    C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt

If I try to use it at a command prompt, I get the lstat() failed error. If I type in the full path for my command string, such as

    C:\clamav-devel\bin\clamdscan.exe --quiet -l C:\temp\report.txt C:\temp\123456789.eml

it works. The problem is that Declude scans a file in a different directory each time, so the path changes. So for Declude to work now, it would require a significant change in Declude.

But ClamAV worked before. What changed? Can it be changed back? Is this a problem with ClamAV in general, or just with the SOSDG Windows port? Do the other ClamAV ports have this problem?

Any suggestions you might have are greatly appreciated.

Gary Steiner
Re: [Declude.Virus] ClamAV 0.90.1-2 problems
Do you know what is the impact of removing that --mbox parameter?

Is anyone using this new version yet (0.90.1-3)? Do you know if it fixes the left over .vir directory bug?

Stephan

-Original Message-
From: "Gary Steiner" <[EMAIL PROTECTED]>
Sent 3/14/2007 3:53:24 PM
To: declude.virus@declude.com
Subject: RE: [Declude.Virus] ClamAV 0.90.1-2 problems

A new version (0.90.1-3) was posted on the SOSDG web site. Bri Bruns told me that the --mbox parameter no longer works, so you should remove it from the line in your virus.cfg file before installing 0.90.1-3.

Gary

Original Message
> From: "Gary Steiner" <[EMAIL PROTECTED]>
> Sent: Tuesday, March 13, 2007 3:13 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] ClamAV 0.90.1-2 problems
>
> The following was just posted to clamav-announce:
>
> > Original Message
> > From: "Bri Bruns" <[EMAIL PROTECTED]>
> > Sent: Tuesday, March 13, 2007 2:43 PM
> > To: [EMAIL PROTECTED]
> > Subject: [clamav-announce] Problems with ClamAV/SOSDG For WIndows 0.90.1-1 and -2
> >
> > Okay, been getting reports of people having problems with the 0.90.1 builds of ClamAV/SOSDG For Windows I've been releasing lately.
> >
> > Please do not use 0.90.1-1, as the clamd.exe it has is outdated, I'm not quite sure how such an old version got into the build, but it is unreliable, and you probably are getting errors if you are using it.
> >
> > 0.90.1-2 is also having problems for some people, which I'm looking into now. I'm not sure of the cause, but there appears to have been a lot of underlying changes in ClamAV over the past few months.
> >
> > For now, if you are having problems with -2, I suggest going back to 0.90-1, which you can grab from here:
> >
> > http://downloads.sosdg.org/clamav/clamav-0.90-1.exe
> >
> > And is known to work well for most people.
> >
> > Please keep any bug reports for -2 coming in, as it's helping me narrow down the cause of the issues.
> >
> > --
> > Brie Bruns
> > The Summit Open Source Development Group
> > http://www.sosdg.org / http://www.ahbl.org
> >
> > ___
> > ClamAV For Windows Announcement Mailing List
> > http://lists.sosdg.org/mailman/listinfo/clamav-announce
RE: [Declude.Virus] ClamAV 0.90.1-2 problems
A new version (0.90.1-3) was posted on the SOSDG web site. Bri Bruns told me that the --mbox parameter no longer works, so you should remove it from the line in your virus.cfg file before installing 0.90.1-3.

Gary

Original Message
> From: "Gary Steiner" <[EMAIL PROTECTED]>
> Sent: Tuesday, March 13, 2007 3:13 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] ClamAV 0.90.1-2 problems
>
> The following was just posted to clamav-announce:
>
> > Original Message
> > From: "Bri Bruns" <[EMAIL PROTECTED]>
> > Sent: Tuesday, March 13, 2007 2:43 PM
> > To: [EMAIL PROTECTED]
> > Subject: [clamav-announce] Problems with ClamAV/SOSDG For WIndows 0.90.1-1 and -2
> >
> > Okay, been getting reports of people having problems with the 0.90.1 builds of ClamAV/SOSDG For Windows I've been releasing lately.
> >
> > Please do not use 0.90.1-1, as the clamd.exe it has is outdated, I'm not quite sure how such an old version got into the build, but it is unreliable, and you probably are getting errors if you are using it.
> >
> > 0.90.1-2 is also having problems for some people, which I'm looking into now. I'm not sure of the cause, but there appears to have been a lot of underlying changes in ClamAV over the past few months.
> >
> > For now, if you are having problems with -2, I suggest going back to 0.90-1, which you can grab from here:
> >
> > http://downloads.sosdg.org/clamav/clamav-0.90-1.exe
> >
> > And is known to work well for most people.
> >
> > Please keep any bug reports for -2 coming in, as it's helping me narrow down the cause of the issues.
> >
> > --
> > Brie Bruns
> > The Summit Open Source Development Group
> > http://www.sosdg.org / http://www.ahbl.org
> >
> > ___
> > ClamAV For Windows Announcement Mailing List
> > http://lists.sosdg.org/mailman/listinfo/clamav-announce
RE: [Declude.Virus] ClamAV 0.90.1-2 problems
The following was just posted to clamav-announce:

Original Message
> From: "Bri Bruns" <[EMAIL PROTECTED]>
> Sent: Tuesday, March 13, 2007 2:43 PM
> To: [EMAIL PROTECTED]
> Subject: [clamav-announce] Problems with ClamAV/SOSDG For WIndows 0.90.1-1 and -2
>
> Okay, been getting reports of people having problems with the 0.90.1 builds of ClamAV/SOSDG For Windows I've been releasing lately.
>
> Please do not use 0.90.1-1, as the clamd.exe it has is outdated, I'm not quite sure how such an old version got into the build, but it is unreliable, and you probably are getting errors if you are using it.
>
> 0.90.1-2 is also having problems for some people, which I'm looking into now. I'm not sure of the cause, but there appears to have been a lot of underlying changes in ClamAV over the past few months.
>
> For now, if you are having problems with -2, I suggest going back to 0.90-1, which you can grab from here:
>
> http://downloads.sosdg.org/clamav/clamav-0.90-1.exe
>
> And is known to work well for most people.
>
> Please keep any bug reports for -2 coming in, as it's helping me narrow down the cause of the issues.
>
> --
> Brie Bruns
> The Summit Open Source Development Group
> http://www.sosdg.org / http://www.ahbl.org
>
> ___
> ClamAV For Windows Announcement Mailing List
> http://lists.sosdg.org/mailman/listinfo/clamav-announce
RE: [Declude.Virus] ClamAV 0.90.1-2 problems
I uninstalled 0.90.1-2 and reinstalled 0.90.1. It seems to be working okay.

I ran the program (0.90.1-2) but removed the --mbox parameter. It then gave me an error message about --max-ratio. I removed that one, and it then gave me an error about --max-space. I removed that one as well, and it was finally able to run. But there was an error in the report.txt file:

62376245.eml: lstat() failed. ERROR

For now I am just going to keep running with 0.90.1 and see how it goes. The message I received on the clamav-announce mailing list about 0.90.1-2 stated, "Basically, this version corrects some build problems and incorrect linkage to cygclamav1.dll by clamd."

Gary

Original Message
> From: "Mark Reimer" <[EMAIL PROTECTED]>
> Sent: Tuesday, March 13, 2007 11:21 AM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] ClamAV 0.90.1-2 problems
>
> Gary,
> I had the same problem after upgrading to 0.90.1-2. I had to go back to 0.90-1. I was getting the same error code. After this upgrade if I go back to 0.90.1-1 I get error code 40. I have not been able to figure out what is going on.
>
> Mark Reimer
> IT System Admin
> American CareSource
> 972-308-6887
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer
> Sent: Tuesday, March 13, 2007 8:01 AM
> To: declude.virus@declude.com
> Subject: Re: [Declude.Virus] ClamAV 0.90.1-2 problems
>
> Exit code of 2 means ClamAV had an error - Is clamd running? will clamdscan.exe work? eg no parameters?
>
> -Nick
>
> Gary Steiner wrote:
> > Ever since I upgraded to ClamAV 0.90.1-2 (the SOSDG windows port), I've been unable to get it to work. The Declude log files show an error like this:
> >
> > 03/12/2007 19:17:29.359 62376245 Vulnerability flags = 861
> > 03/12/2007 19:17:29.359 62376245 MIME file: [text/html][7bit; Length=429 Checksum=38095]
> > 03/12/2007 19:17:30.171 62376245 Virus scanner 1 reports exit code of 2
> > 03/12/2007 19:17:32.218 62376245 Virus scanner 1 reports exit code of 2
> > 03/12/2007 19:17:34.265 62376245 Virus scanner 1 reports exit code of 2
> > 03/12/2007 19:17:36.312 62376245 Virus scanner 1 reports exit code of 2
> > 03/12/2007 19:17:38.359 62376245 Virus scanner 1 reports exit code of 2
> > 03/12/2007 19:17:40.359 62376245 Could not find report file c:\SmarterMail\Spool\proc\work\62376245.vir\report.txt.
> > 03/12/2007 19:17:40.359 62376245 Error 2 in virus scanner 1.
> > 03/12/2007 19:17:40.562 62376245 Virus scanner 2 reports exit code of 0
> > 03/12/2007 19:17:40.562 62376245 Scanned: Error in virus scanner. [MIME: 2 815]
> >
> > If I try to run it from the command line using the parameters from my virus.cfg file, I get the following:
> >
> > C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt 62376245.eml
> >
> > /cygdrive/c/clamav-devel/bin/clamdscan: unrecognized option `--mbox'
> > ERROR: Unknown option passed.
> > ERROR: Can't parse the command line
> >
> > Anyone else seeing anything like this? Did something change in 0.90 to make these parameters invalid?
> >
> > Thanks,
> >
> > Gary Steiner
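The two workarounds reported in this thread (dropping the options that clamdscan 0.90.1-2 rejected, and passing full paths instead of bare file names to avoid `lstat() failed`) can be applied to the scanner line before it is run. This is an added example, not code from Declude, runclamscan or the SOSDG port; `rebuild_command` and its helpers are hypothetical names, and it assumes paths without spaces.

```python
import ntpath  # Windows path rules, whatever OS runs this example

# Options the thread reports clamdscan 0.90.1-2 rejecting, mapped to the number
# of values that follow each one on the virus.cfg line quoted in the thread.
REJECTED_OPTIONS = {"--mbox": 0, "--max-ratio": 1, "--max-space": 1}
# Options whose value is a file path and therefore needs to be absolute.
PATH_OPTIONS = {"-l"}

# Scanner line and per-message work directory as quoted in the thread.
SCANFILE_ARGS = (r"C:\clamav-devel\bin\clamdscan.exe --quiet --mbox "
                 r"--max-ratio 0 --max-space 1M -l report.txt")
WORK_DIR = r"c:\SmarterMail\Spool\proc\work\62376245.vir"


def absolutize(path, work_dir):
    """Anchor a relative Windows path in work_dir; normalise either way."""
    if not ntpath.isabs(path):
        path = ntpath.join(work_dir, path)
    return ntpath.normpath(path)


def inside(path, directory):
    """True when path lies within directory (compared case-insensitively)."""
    directory = ntpath.normpath(directory).lower()
    try:
        return ntpath.commonpath([path.lower(), directory]) == directory
    except ValueError:  # e.g. the two paths are on different drives
        return False


def rebuild_command(scanfile_args, work_dir, target):
    """Return (argv, dropped): argv with absolute paths and without the
    rejected options, plus the list of option strings that were removed."""
    if not ntpath.isabs(work_dir):
        raise ValueError("work_dir must be an absolute path: %r" % work_dir)
    tokens = scanfile_args.split()  # assumption: no spaces inside the paths
    argv, dropped, i = [], [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in REJECTED_OPTIONS:
            width = 1 + REJECTED_OPTIONS[tok]
            dropped.append(" ".join(tokens[i:i + width]))
            i += width
        elif tok in PATH_OPTIONS:
            if i + 1 >= len(tokens):
                raise ValueError("%s needs a file name" % tok)
            argv += [tok, absolutize(tokens[i + 1], work_dir)]
            i += 2
        else:
            argv.append(tok)
            i += 1
    resolved = absolutize(target, work_dir)
    # Only ever point the scanner at a file inside this message's work directory.
    if not inside(resolved, work_dir):
        raise ValueError("target escapes the work directory: %r" % target)
    argv.append(resolved)
    return argv, dropped


if __name__ == "__main__":
    argv, dropped = rebuild_command(SCANFILE_ARGS, WORK_DIR, "62376245.eml")
    print("run:    ", " ".join(argv))
    print("dropped:", dropped)
```
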
RE: [Declude.Virus] ClamAV 0.90.1-2 problems
Gary,
I had the same problem after upgrading to 0.90.1-2. I had to go back to 0.90-1. I was getting the same error code. After this upgrade if I go back to 0.90.1-1 I get error code 40. I have not been able to figure out what is going on.

Mark Reimer
IT System Admin
American CareSource
972-308-6887

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer
Sent: Tuesday, March 13, 2007 8:01 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] ClamAV 0.90.1-2 problems

Exit code of 2 means ClamAV had an error - Is clamd running? will clamdscan.exe work? eg no parameters?

-Nick

Gary Steiner wrote:
> Ever since I upgraded to ClamAV 0.90.1-2 (the SOSDG windows port), I've been unable to get it to work. The Declude log files show an error like this:
>
> 03/12/2007 19:17:29.359 62376245 Vulnerability flags = 861
> 03/12/2007 19:17:29.359 62376245 MIME file: [text/html][7bit; Length=429 Checksum=38095]
> 03/12/2007 19:17:30.171 62376245 Virus scanner 1 reports exit code of 2
> 03/12/2007 19:17:32.218 62376245 Virus scanner 1 reports exit code of 2
> 03/12/2007 19:17:34.265 62376245 Virus scanner 1 reports exit code of 2
> 03/12/2007 19:17:36.312 62376245 Virus scanner 1 reports exit code of 2
> 03/12/2007 19:17:38.359 62376245 Virus scanner 1 reports exit code of 2
> 03/12/2007 19:17:40.359 62376245 Could not find report file c:\SmarterMail\Spool\proc\work\62376245.vir\report.txt.
> 03/12/2007 19:17:40.359 62376245 Error 2 in virus scanner 1.
> 03/12/2007 19:17:40.562 62376245 Virus scanner 2 reports exit code of 0
> 03/12/2007 19:17:40.562 62376245 Scanned: Error in virus scanner. [MIME: 2 815]
>
> If I try to run it from the command line using the parameters from my virus.cfg file, I get the following:
>
> C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt 62376245.eml
>
> /cygdrive/c/clamav-devel/bin/clamdscan: unrecognized option `--mbox'
> ERROR: Unknown option passed.
> ERROR: Can't parse the command line
>
> Anyone else seeing anything like this? Did something change in 0.90 to make these parameters invalid?
>
> Thanks,
>
> Gary Steiner
Re: [Declude.Virus] ClamAV 0.90.1-2 problems
Exit code of 2 means ClamAV had an error - Is clamd running? will clamdscan.exe work? eg no parameters?

-Nick

Gary Steiner wrote:
> Ever since I upgraded to ClamAV 0.90.1-2 (the SOSDG windows port), I've been unable to get it to work. The Declude log files show an error like this:
>
> 03/12/2007 19:17:29.359 62376245 Vulnerability flags = 861
> 03/12/2007 19:17:29.359 62376245 MIME file: [text/html][7bit; Length=429 Checksum=38095]
> 03/12/2007 19:17:30.171 62376245 Virus scanner 1 reports exit code of 2
> 03/12/2007 19:17:32.218 62376245 Virus scanner 1 reports exit code of 2
> 03/12/2007 19:17:34.265 62376245 Virus scanner 1 reports exit code of 2
> 03/12/2007 19:17:36.312 62376245 Virus scanner 1 reports exit code of 2
> 03/12/2007 19:17:38.359 62376245 Virus scanner 1 reports exit code of 2
> 03/12/2007 19:17:40.359 62376245 Could not find report file c:\SmarterMail\Spool\proc\work\62376245.vir\report.txt.
> 03/12/2007 19:17:40.359 62376245 Error 2 in virus scanner 1.
> 03/12/2007 19:17:40.562 62376245 Virus scanner 2 reports exit code of 0
> 03/12/2007 19:17:40.562 62376245 Scanned: Error in virus scanner. [MIME: 2 815]
>
> If I try to run it from the command line using the parameters from my virus.cfg file, I get the following:
>
> C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt 62376245.eml
>
> /cygdrive/c/clamav-devel/bin/clamdscan: unrecognized option `--mbox'
> ERROR: Unknown option passed.
> ERROR: Can't parse the command line
>
> Anyone else seeing anything like this? Did something change in 0.90 to make these parameters invalid?
>
> Thanks,
>
> Gary Steiner
RE: [Declude.Virus] ClamAV Exit codes
Looking at the physical/virtual memory utilization for this server displays a peak for this date/time (see attached mrtg graph - growleft). But the graph shows a similar peak for today around 16:00PM and clamd is still running without any result code 2.

I will watch this. Thank you.

Markus

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of george kulman
> Sent: Friday, September 29, 2006 6:06 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] ClamAV Exit codes
>
> Strange. It sounds like a resource depletion problem such as a memory leak that may not even be directly related to clamd.
>
> George
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
> > Sent: Friday, September 29, 2006 10:58 AM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] ClamAV Exit codes
> >
> > Thank you
> >
> > The strange thing is that the error didn't appear constantly at a certain point. At 06:50PM there was the first dozen result codes 2. Then the next one appeared at 11:00PM but still not constantly. There was always 0 and 1 codes.
> > But then it became more and more, and then at a certain point the only result code was 2.
> >
> > Does this mean that clamd can also decease slowly?
> >
> > Markus
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of george kulman
> > > Sent: Friday, September 29, 2006 4:22 PM
> > > To: declude.virus@declude.com
> > > Subject: RE: [Declude.Virus] ClamAV Exit codes
> > >
> > > Markus,
> > >
> > > Here are the Return Codes from the ClamAV Documentation.
> > >
> > > George
> > >
> > > From http://www.clamav.net/doc/0.88.4/man/clamdscan.1
> > >
> > > .SH "RETURN CODES"
> > > .LP
> > > 0 : No virus found.
> > > .TP
> > > 1 : Virus(es) found.
> > > .TP
> > > 2 : An error occured.
> > >
> > > From http://www.clamav.net/doc/0.88.4/man/clamscan.1
> > >
> > > .SH "RETURN CODES"
> > > .LP
> > > Note: some return codes may only appear in a one file mode (clamscan is started with file argument). Those are marked with \fB(ofm)\fR.
> > >
> > > 0 : No virus found.
> > > .TP
> > > 1 : Virus(es) found.
> > > .TP
> > > 40: Unknown option passed.
> > > .TP
> > > 50: Database initialization error.
> > > .TP
> > > 52: Not supported file type.
> > > .TP
> > > 53: Can't open directory.
> > > .TP
> > > 54: Can't open file. (ofm)
> > > .TP
> > > 55: Error reading file. (ofm)
> > > .TP
> > > 56: Can't stat input file / directory.
> > > .TP
> > > 57: Can't get absolute path name of current working directory.
> > > .TP
> > > 58: I/O error, please check your file system.
> > > .TP
> > > 59: Can't get information about current user from /etc/passwd.
> > > .TP
> > > 60: Can't get information about user 'clamav' (default name) from /etc/passwd.
> > > .TP
> > > 61: Can't fork.
> > > .TP
> > > 62: Can't initialize logger.
> > > .TP
> > > 63: Can't create temporary files/directories (check permissions).
> > > .TP
> > > 64: Can't write to temporary directory (please specify another one).
> > > .TP
> > > 70: Can't allocate and clear memory (calloc).
> > > .TP
> > > 71: Can't allocate memory (malloc).
> > >
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
> > > > Sent: Friday, September 29, 2006 5:59 AM
> > > > To: declude.virus@declude.com
> > > > Subject: [Declude.Virus] ClamAV Exit codes
> > > >
> > > > Does anyone know what exit codes ClamAV has and what they mean?
> > > >
> > > > From 2006-09-27 06:50PM on I can see a huge number of
> > > >
> > > > "Virus scanner 2 reports exit code of 2"
> > > >
> > > > ...in the virus-logfile.
RE: [Declude.Virus] ClamAV Exit codes
Strange. It sounds like a resource depletion problem such as a memory leak that may not even be directly related to clamd.

George

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
> Sent: Friday, September 29, 2006 10:58 AM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] ClamAV Exit codes
>
> Thank you
>
> The strange thing is that the error didn't appear constantly at a certain point. At 06:50PM there was the first dozen result codes 2. Then the next one appeared at 11:00PM but still not constantly. There was always 0 and 1 codes.
> But then it became more and more, and then at a certain point the only result code was 2.
>
> Does this mean that clamd can also decease slowly?
>
> Markus
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of george kulman
> > Sent: Friday, September 29, 2006 4:22 PM
> > To: declude.virus@declude.com
> > Subject: RE: [Declude.Virus] ClamAV Exit codes
> >
> > Markus,
> >
> > Here are the Return Codes from the ClamAV Documentation.
> >
> > George
> >
> > From http://www.clamav.net/doc/0.88.4/man/clamdscan.1
> >
> > .SH "RETURN CODES"
> > .LP
> > 0 : No virus found.
> > .TP
> > 1 : Virus(es) found.
> > .TP
> > 2 : An error occured.
> >
> > From http://www.clamav.net/doc/0.88.4/man/clamscan.1
> >
> > .SH "RETURN CODES"
> > .LP
> > Note: some return codes may only appear in a one file mode (clamscan is started with file argument). Those are marked with \fB(ofm)\fR.
> >
> > 0 : No virus found.
> > .TP
> > 1 : Virus(es) found.
> > .TP
> > 40: Unknown option passed.
> > .TP
> > 50: Database initialization error.
> > .TP
> > 52: Not supported file type.
> > .TP
> > 53: Can't open directory.
> > .TP
> > 54: Can't open file. (ofm)
> > .TP
> > 55: Error reading file. (ofm)
> > .TP
> > 56: Can't stat input file / directory.
> > .TP
> > 57: Can't get absolute path name of current working directory.
> > .TP
> > 58: I/O error, please check your file system.
> > .TP
> > 59: Can't get information about current user from /etc/passwd.
> > .TP
> > 60: Can't get information about user 'clamav' (default name) from /etc/passwd.
> > .TP
> > 61: Can't fork.
> > .TP
> > 62: Can't initialize logger.
> > .TP
> > 63: Can't create temporary files/directories (check permissions).
> > .TP
> > 64: Can't write to temporary directory (please specify another one).
> > .TP
> > 70: Can't allocate and clear memory (calloc).
> > .TP
> > 71: Can't allocate memory (malloc).
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
> > > Sent: Friday, September 29, 2006 5:59 AM
> > > To: declude.virus@declude.com
> > > Subject: [Declude.Virus] ClamAV Exit codes
> > >
> > > Does anyone know what exit codes ClamAV has and what they mean?
> > >
> > > From 2006-09-27 06:50PM on I can see a huge number of
> > >
> > > "Virus scanner 2 reports exit code of 2"
> > >
> > > ...in the virus-logfile.
> > >
> > > Markus
RE: [Declude.Virus] ClamAV Exit codes
Thank you

The strange thing is that the error didn't appear constantly at a certain point. At 06:50PM there was the first dozen result codes 2. Then the next one appeared at 11:00PM but still not constantly. There was always 0 and 1 codes.
But then it became more and more, and then at a certain point the only result code was 2.

Does this mean that clamd can also decease slowly?

Markus

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of george kulman
> Sent: Friday, September 29, 2006 4:22 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] ClamAV Exit codes
>
> Markus,
>
> Here are the Return Codes from the ClamAV Documentation.
>
> George
>
> From http://www.clamav.net/doc/0.88.4/man/clamdscan.1
>
> .SH "RETURN CODES"
> .LP
> 0 : No virus found.
> .TP
> 1 : Virus(es) found.
> .TP
> 2 : An error occured.
>
> From http://www.clamav.net/doc/0.88.4/man/clamscan.1
>
> .SH "RETURN CODES"
> .LP
> Note: some return codes may only appear in a one file mode (clamscan is started with file argument). Those are marked with \fB(ofm)\fR.
>
> 0 : No virus found.
> .TP
> 1 : Virus(es) found.
> .TP
> 40: Unknown option passed.
> .TP
> 50: Database initialization error.
> .TP
> 52: Not supported file type.
> .TP
> 53: Can't open directory.
> .TP
> 54: Can't open file. (ofm)
> .TP
> 55: Error reading file. (ofm)
> .TP
> 56: Can't stat input file / directory.
> .TP
> 57: Can't get absolute path name of current working directory.
> .TP
> 58: I/O error, please check your file system.
> .TP
> 59: Can't get information about current user from /etc/passwd.
> .TP
> 60: Can't get information about user 'clamav' (default name) from /etc/passwd.
> .TP
> 61: Can't fork.
> .TP
> 62: Can't initialize logger.
> .TP
> 63: Can't create temporary files/directories (check permissions).
> .TP
> 64: Can't write to temporary directory (please specify another one).
> .TP
> 70: Can't allocate and clear memory (calloc).
> .TP
> 71: Can't allocate memory (malloc).
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
> > Sent: Friday, September 29, 2006 5:59 AM
> > To: declude.virus@declude.com
> > Subject: [Declude.Virus] ClamAV Exit codes
> >
> > Does anyone know what exit codes ClamAV has and what they mean?
> >
> > From 2006-09-27 06:50PM on I can see a huge number of
> >
> > "Virus scanner 2 reports exit code of 2"
> >
> > ...in the virus-logfile.
> >
> > Markus
RE: [Declude.Virus] ClamAV Exit codes
Markus,

Here are the Return Codes from the ClamAV Documentation.

George

From http://www.clamav.net/doc/0.88.4/man/clamdscan.1

.SH "RETURN CODES"
.LP
0 : No virus found.
.TP
1 : Virus(es) found.
.TP
2 : An error occured.

From http://www.clamav.net/doc/0.88.4/man/clamscan.1

.SH "RETURN CODES"
.LP
Note: some return codes may only appear in a one file mode (clamscan is started with file argument). Those are marked with \fB(ofm)\fR.

0 : No virus found.
.TP
1 : Virus(es) found.
.TP
40: Unknown option passed.
.TP
50: Database initialization error.
.TP
52: Not supported file type.
.TP
53: Can't open directory.
.TP
54: Can't open file. (ofm)
.TP
55: Error reading file. (ofm)
.TP
56: Can't stat input file / directory.
.TP
57: Can't get absolute path name of current working directory.
.TP
58: I/O error, please check your file system.
.TP
59: Can't get information about current user from /etc/passwd.
.TP
60: Can't get information about user 'clamav' (default name) from /etc/passwd.
.TP
61: Can't fork.
.TP
62: Can't initialize logger.
.TP
63: Can't create temporary files/directories (check permissions).
.TP
64: Can't write to temporary directory (please specify another one).
.TP
70: Can't allocate and clear memory (calloc).
.TP
71: Can't allocate memory (malloc).

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
> Sent: Friday, September 29, 2006 5:59 AM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] ClamAV Exit codes
>
> Does anyone know what exit codes ClamAV has and what they mean?
>
> From 2006-09-27 06:50PM on I can see a huge number of
>
> "Virus scanner 2 reports exit code of 2"
>
> ...in the virus-logfile.
>
> Markus
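An added example (not part of the original posts, and not Declude or ClamAV code) that applies the return-code list from this message to Declude-style log lines and finds the hour in which a scanner stopped returning anything but errors, the progression described elsewhere in this thread. The log lines are constructed in the format quoted on this page; the function names and the hourly window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Return codes as listed in the thread from the ClamAV 0.88.4 man pages.
CLAMDSCAN_CODES = {0: "No virus found", 1: "Virus(es) found", 2: "An error occurred"}
CLAMSCAN_CODES = {
    0: "No virus found", 1: "Virus(es) found", 40: "Unknown option passed",
    50: "Database initialization error", 52: "Not supported file type",
    53: "Can't open directory", 54: "Can't open file", 55: "Error reading file",
    56: "Can't stat input file / directory",
    57: "Can't get absolute path name of current working directory",
    58: "I/O error", 59: "Can't get information about current user",
    60: "Can't get information about user 'clamav'", 61: "Can't fork",
    62: "Can't initialize logger", 63: "Can't create temporary files/directories",
    64: "Can't write to temporary directory",
    70: "Can't allocate and clear memory (calloc)", 71: "Can't allocate memory (malloc)",
}

EXIT_LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\.\d{3} (?P<msg>\S+) "
    r"Virus scanner (?P<scanner>\d+) reports exit code of (?P<code>\d+)$"
)

# Constructed sample in the log format quoted on this page (not real log data).
SAMPLE_LOG = """\
09/27/2006 18:50:01.100 10000001 Virus scanner 2 reports exit code of 0
09/27/2006 18:51:02.100 10000002 Virus scanner 2 reports exit code of 2
09/27/2006 18:51:04.100 10000002 Virus scanner 2 reports exit code of 2
09/27/2006 18:52:10.100 10000003 Virus scanner 2 reports exit code of 1
09/27/2006 18:53:10.100 10000004 Virus scanner 1 reports exit code of 3
09/27/2006 23:00:05.100 10000005 Virus scanner 2 reports exit code of 2
09/27/2006 23:00:07.100 10000005 Virus scanner 2 reports exit code of 2
09/27/2006 23:10:00.100 10000006 Virus scanner 2 reports exit code of 0
09/28/2006 02:00:00.100 10000007 Virus scanner 2 reports exit code of 2
09/28/2006 02:05:00.100 10000008 Virus scanner 2 reports exit code of 2
09/28/2006 02:05:30.100 10000008 Scanned: Error in virus scanner. [MIME: 2 815]
""".splitlines()


def parse_exit_events(lines):
    """Return [(timestamp, message_id, scanner_number, exit_code), ...]."""
    events = []
    for line in lines:
        m = EXIT_LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S")
            events.append((ts, m["msg"], int(m["scanner"]), int(m["code"])))
    return events


def describe(code, table=CLAMDSCAN_CODES):
    """Meaning of an exit code; pass CLAMSCAN_CODES for clamscan."""
    return table.get(code, "undocumented exit code %d" % code)


def failures_by_hour(events, scanner, ok_codes=(0, 1)):
    """Return {hour: (failed_messages, total_messages)} for one scanner.

    One message can produce several exit-code lines (as in the excerpt quoted
    on this page), so each message is counted once and is 'failed' only when
    none of its lines carries a code in ok_codes. ok_codes is per scanner:
    0 plus whatever VIRUSCODE is configured for it.
    """
    first_hour, succeeded = {}, set()
    for ts, msg, num, code in events:
        if num != scanner:
            continue
        first_hour.setdefault(msg, ts.replace(minute=0, second=0))
        if code in ok_codes:
            succeeded.add(msg)
    hours = defaultdict(lambda: [0, 0])
    for msg, hour in first_hour.items():
        hours[hour][1] += 1
        if msg not in succeeded:
            hours[hour][0] += 1
    return {hour: tuple(counts) for hour, counts in sorted(hours.items())}


def first_total_outage(by_hour, min_messages=2):
    """First hour in which every message failed, or None."""
    for hour, (failed, total) in by_hour.items():
        if total >= min_messages and failed == total:
            return hour
    return None


if __name__ == "__main__":
    stats = failures_by_hour(parse_exit_events(SAMPLE_LOG), scanner=2)
    for hour, (failed, total) in stats.items():
        print(hour, "%d/%d messages got '%s'" % (failed, total, describe(2)))
    print("scanner 2 fully failing from:", first_total_outage(stats))
```
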
RE: [Declude.Virus] ClamAV Exit codes
> Failure I do believe, probably ClamD is not running?

Correct. Thank you.

Markus
Re: [Declude.Virus] ClamAV Exit codes
Failure I do believe, probably ClamD is not running?

-Nick

Markus Gufler wrote:
> Does anyone know what exit codes ClamAV has and what they mean?
>
> From 2006-09-27 06:50PM on I can see a huge number of
>
> "Virus scanner 2 reports exit code of 2"
>
> ...in the virus-logfile.
>
> Markus
RE: [Declude.Virus] CLAMAV - 88.3-1 - 7/11/2006 Release
Well since you noticed it and I am setting up a new server I will try it tomorrow.

Goran Jovanovic
Omega Network Solutions

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
> Sent: Sunday, July 30, 2006 9:18 PM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] CLAMAV - 88.3-1 - 7/11/2006 Release
>
> I noticed a new build from the SOSDG group has been released (88.3-1).
> http://www.sosdg.org/clamav-win32/index.php
>
> Anyone running it yet?
>
> Darrell
>
> Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
Re: [Declude.Virus] ClamAV error
Only if he is running an older version of Declude, which does not include the built-in AVG scanner, which runs as scanner 0.

Bill

- Original Message -
From: "Goran Jovanovic" <[EMAIL PROTECTED]>
To:
Sent: Friday, July 14, 2006 12:13 PM
Subject: RE: [Declude.Virus] ClamAV error

Gary,

You said CLAM was your third AV yet your config shows it is your second one

SCANFILE2 C:\SmarterMail\Declude\Scanners\runclamscan.exe log=1 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt
VIRUSCODE2 1
REPORT2 FOUND

Change the SCANFILE2, VIRUSCODE2, REPORT2 to 3. That might help

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Friday, July 14, 2006 1:16 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] ClamAV error

I recently installed ClamAv as my third scanner after AVG and F-Prot. For some reason it indicates an error related to the attachment when it detects a virus (Attachment=[Unknown: Err]). Here is an example from the Declude virus log file:

07/13/2006 19:32:18.843 366626185 Vulnerability flags = 861
07/13/2006 19:32:18.843 366626185 MIME file: your_letter.pif [base64; Length=17424 Checksum=1974090]
07/13/2006 19:32:18.843 366626185 Banning file with pif extension [application/octet-stream].
07/13/2006 19:32:19.328 366626185 AVG Reports VIRUS: I-Worm/Netsky.D
07/13/2006 19:32:19.328 366626185 File(s) are INFECTED [I-Worm/Netsky.D: 7]
07/13/2006 19:32:19.625 366626185 Virus scanner 1 reports exit code of 3
07/13/2006 19:32:19.625 366626185 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=your_letter.pif [1] I
07/13/2006 19:32:19.718 366626185 Virus scanner 2 reports exit code of 1
07/13/2006 19:32:19.718 366626185 Warning: file#=366626185 (366626185.eml,366626)
07/13/2006 19:32:19.718 366626185 Scanner 2: Virus= Worm.SomeFool.D Attachment=[Unknown: Err] [1] I
07/13/2006 19:32:19.718 366626185 Invalid PIF Vulnerability
07/13/2006 19:32:19.718 366626185 Found a bogus .pif file
07/13/2006 19:32:19.718 366626185 Scanned: CONTAINS A VIRUS [MIME: 2 17604]
07/13/2006 19:32:19.718 366626185 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 72.82.177.22]
07/13/2006 19:32:19.718 366626185 Subject: Re: Your letter

It doesn't seem to matter what kind of virus is involved. Even when it detects a phishing attempt you still see the same error.

Here is what I have in the virus.cfg:

SCANFILE2 C:\SmarterMail\Declude\Scanners\runclamscan.exe log=1 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt
VIRUSCODE2 1
REPORT2 FOUND

Is anyone else experiencing this, or have any ideas?

Thanks,

Gary
RE: [Declude.Virus] ClamAV error
AVG is my first one (it's everybody's first one, it's built in).

-----Original Message-----
> From: "Goran Jovanovic" <[EMAIL PROTECTED]>
> Sent: Friday, July 14, 2006 3:26 PM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] ClamAV error
>
> Gary,
>
> You said CLAM was your third AV yet your config shows it is your second one
>
> SCANFILE2 C:\SmarterMail\Declude\Scanners\runclamscan.exe log=1 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt
> VIRUSCODE2 1
> REPORT2 FOUND
>
> Change the SCANFILE2, VIRUSCODE2, REPORT2 to 3. That might help
>
> Goran Jovanovic
> Omega Network Solutions
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
> Sent: Friday, July 14, 2006 1:16 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] ClamAV error
>
> I recently installed ClamAv as my third scanner after AVG and F-Prot. For some reason it indicates an error related to the attachment when it detects a virus (Attachment=[Unknown: Err]). Here is an example from the Declude virus log file:
>
> 07/13/2006 19:32:18.843 366626185 Vulnerability flags = 861
> 07/13/2006 19:32:18.843 366626185 MIME file: your_letter.pif [base64; Length=17424 Checksum=1974090]
> 07/13/2006 19:32:18.843 366626185 Banning file with pif extension [application/octet-stream].
> 07/13/2006 19:32:19.328 366626185 AVG Reports VIRUS: I-Worm/Netsky.D
> 07/13/2006 19:32:19.328 366626185 File(s) are INFECTED [I-Worm/Netsky.D: 7]
> 07/13/2006 19:32:19.625 366626185 Virus scanner 1 reports exit code of 3
> 07/13/2006 19:32:19.625 366626185 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=your_letter.pif [1] I
> 07/13/2006 19:32:19.718 366626185 Virus scanner 2 reports exit code of 1
> 07/13/2006 19:32:19.718 366626185 Warning: file#=366626185 (366626185.eml,366626)
> 07/13/2006 19:32:19.718 366626185 Scanner 2: Virus= Worm.SomeFool.D Attachment=[Unknown: Err] [1] I
> 07/13/2006 19:32:19.718 366626185 Invalid PIF Vulnerability
> 07/13/2006 19:32:19.718 366626185 Found a bogus .pif file
> 07/13/2006 19:32:19.718 366626185 Scanned: CONTAINS A VIRUS [MIME: 2 17604]
> 07/13/2006 19:32:19.718 366626185 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 72.82.177.22]
> 07/13/2006 19:32:19.718 366626185 Subject: Re: Your letter
>
> It doesn't seem to matter what kind of virus is involved. Even when it detects a phishing attempt you still see the same error.
>
> Here is what I have in the virus.cfg:
>
> SCANFILE2 C:\SmarterMail\Declude\Scanners\runclamscan.exe log=1 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt
> VIRUSCODE2 1
> REPORT2 FOUND
>
> Is anyone else experiencing this, or have any ideas?
>
> Thanks,
>
> Gary
RE: [Declude.Virus] ClamAV error
Gary,

You said CLAM was your third AV yet your config shows it is your second one

SCANFILE2 C:\SmarterMail\Declude\Scanners\runclamscan.exe log=1 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt
VIRUSCODE2 1
REPORT2 FOUND

Change the SCANFILE2, VIRUSCODE2, REPORT2 to 3. That might help

Goran Jovanovic
Omega Network Solutions

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Friday, July 14, 2006 1:16 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] ClamAV error

I recently installed ClamAv as my third scanner after AVG and F-Prot. For some reason it indicates an error related to the attachment when it detects a virus (Attachment=[Unknown: Err]). Here is an example from the Declude virus log file:

07/13/2006 19:32:18.843 366626185 Vulnerability flags = 861
07/13/2006 19:32:18.843 366626185 MIME file: your_letter.pif [base64; Length=17424 Checksum=1974090]
07/13/2006 19:32:18.843 366626185 Banning file with pif extension [application/octet-stream].
07/13/2006 19:32:19.328 366626185 AVG Reports VIRUS: I-Worm/Netsky.D
07/13/2006 19:32:19.328 366626185 File(s) are INFECTED [I-Worm/Netsky.D: 7]
07/13/2006 19:32:19.625 366626185 Virus scanner 1 reports exit code of 3
07/13/2006 19:32:19.625 366626185 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=your_letter.pif [1] I
07/13/2006 19:32:19.718 366626185 Virus scanner 2 reports exit code of 1
07/13/2006 19:32:19.718 366626185 Warning: file#=366626185 (366626185.eml,366626)
07/13/2006 19:32:19.718 366626185 Scanner 2: Virus= Worm.SomeFool.D Attachment=[Unknown: Err] [1] I
07/13/2006 19:32:19.718 366626185 Invalid PIF Vulnerability
07/13/2006 19:32:19.718 366626185 Found a bogus .pif file
07/13/2006 19:32:19.718 366626185 Scanned: CONTAINS A VIRUS [MIME: 2 17604]
07/13/2006 19:32:19.718 366626185 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [incoming from 72.82.177.22]
07/13/2006 19:32:19.718 366626185 Subject: Re: Your letter

It doesn't seem to matter what kind of virus is involved. Even when it detects a phishing attempt you still see the same error.

Here is what I have in the virus.cfg:

SCANFILE2 C:\SmarterMail\Declude\Scanners\runclamscan.exe log=1 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt
VIRUSCODE2 1
REPORT2 FOUND

Is anyone else experiencing this, or have any ideas?

Thanks,

Gary
RE: [Declude.Virus] ClamAV leaving locked files?
Noticed the following in my logs

What is happening here???

It does not happen for every virus check, just some

03/09/2006 16:39:55.671 qa08b02cc0e00.smd WARNING: Couldn't remove .vir directory D:\IMail\spool\proc\work\Da08b02cc0e00.vir\: EXTRA FILES THERE. [145] Error String: [The directory is not empty.]
03/09/2006 16:39:55.671 qa08b02cc0e00.smd Likely problem: Your virus scanner is leaving extra files/directories behind, so Declude can't delete the directory.
03/09/2006 16:39:55.671 qa08b02cc0e00.smd Scanned: Virus Free

Harry Vanderzand
inTown Internet & Computer Services
519-741-1222

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand
> Sent: Thursday, March 09, 2006 3:22 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] ClamAV leaving locked files?
>
> Anyone have an idea on this one yet?
>
> I am getting all kinds of .vir directories left in my work folder that I cannot delete. "access denied, source file may be in use"
>
> It is the result of adding clamav as my second scanner
>
> Any help would be greatly appreciated
>
> Thank you
>
> Harry Vanderzand
> inTown Internet & Computer Services
> 519-741-1222
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand
> > Sent: Wednesday, March 08, 2006 1:35 PM
> > To: Declude.Virus@declude.com
> > Subject: RE: [Declude.Virus] ClamAV leaving locked files?
> >
> > Me too!
> >
> > I have the same issue and have been trying to figure out what's going on
> >
> > Harry Vanderzand
> > inTown Internet & Computer Services
> > 519-741-1222
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Weise
> > > Sent: Wednesday, March 08, 2006 1:27 PM
> > > To: Declude.Virus@declude.com
> > > Subject: [Declude.Virus] ClamAV leaving locked files?
> > >
> > > I have a problem with ClamAV apparently leaving locked pdf files behind. I get these messages in the virus log:
> > >
> > > 03/08/2006 11:50:34.721 262309704382 WARNING: Couldn't remove .vir directory e:\SmarterMail\Spool\proc\work\262309704382.vir\: EXTRA FILES THERE. [145] Error String: [The directory is not empty.]
> > > 03/08/2006 11:50:34.721 262309704382 Likely problem: Your virus scanner is leaving extra files/directories behind, so Declude can't delete the directory.
> > >
> > > The files that are remaining are named "0.pdf" or "1.pdf".
> > > Any ideas where these are coming from? Why are they staying behind after clam finishes?
> > > What's locking them?
> > >
> > > Using the newest versions of all, SmarterMail, clamav, and Declude Virus/Junkmail.
> > >
> > > _
> > > Ken Weise
> > > Econocaribe Consolidators, Inc.
> > > 2401 NW 69th ST * Miami, FL 33147
> > > (p) 305.693.5133 * (f) 305.894.3666
RE: [Declude.Virus] ClamAV leaving locked files?
Anyone have an idea on this one yet?

I am getting all kinds of .vir directories left in my work folder that I cannot delete. "access denied, source file may be in use"

It is the result of adding clamav as my second scanner

Any help would be greatly appreciated

Thank you

Harry Vanderzand
inTown Internet & Computer Services
519-741-1222

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand
> Sent: Wednesday, March 08, 2006 1:35 PM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] ClamAV leaving locked files?
>
> Me too!
>
> I have the same issue and have been trying to figure out what's going on
>
> Harry Vanderzand
> inTown Internet & Computer Services
> 519-741-1222
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Weise
> > Sent: Wednesday, March 08, 2006 1:27 PM
> > To: Declude.Virus@declude.com
> > Subject: [Declude.Virus] ClamAV leaving locked files?
> >
> > I have a problem with ClamAV apparently leaving locked pdf files behind. I get these messages in the virus log:
> >
> > 03/08/2006 11:50:34.721 262309704382 WARNING: Couldn't remove .vir directory e:\SmarterMail\Spool\proc\work\262309704382.vir\: EXTRA FILES THERE. [145] Error String: [The directory is not empty.]
> > 03/08/2006 11:50:34.721 262309704382 Likely problem: Your virus scanner is leaving extra files/directories behind, so Declude can't delete the directory.
> >
> > The files that are remaining are named "0.pdf" or "1.pdf".
> > Any ideas where these are coming from? Why are they staying behind after clam finishes?
> > What's locking them?
> >
> > Using the newest versions of all, SmarterMail, clamav, and Declude Virus/Junkmail.
> >
> > _
> > Ken Weise
> > Econocaribe Consolidators, Inc.
> > 2401 NW 69th ST * Miami, FL 33147
> > (p) 305.693.5133 * (f) 305.894.3666
RE: [Declude.Virus] ClamAV leaving locked files?
Me too!

I have the same issue and have been trying to figure out what's going on

Harry Vanderzand
inTown Internet & Computer Services
519-741-1222

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Weise
> Sent: Wednesday, March 08, 2006 1:27 PM
> To: Declude.Virus@declude.com
> Subject: [Declude.Virus] ClamAV leaving locked files?
>
> I have a problem with ClamAV apparently leaving locked pdf files behind. I get these messages in the virus log:
>
> 03/08/2006 11:50:34.721 262309704382 WARNING: Couldn't remove .vir directory e:\SmarterMail\Spool\proc\work\262309704382.vir\: EXTRA FILES THERE. [145] Error String: [The directory is not empty.]
> 03/08/2006 11:50:34.721 262309704382 Likely problem: Your virus scanner is leaving extra files/directories behind, so Declude can't delete the directory.
>
> The files that are remaining are named "0.pdf" or "1.pdf".
> Any ideas where these are coming from? Why are they staying behind after clam finishes?
> What's locking them?
>
> Using the newest versions of all, SmarterMail, clamav, and Declude Virus/Junkmail.
>
> _
> Ken Weise
> Econocaribe Consolidators, Inc.
> 2401 NW 69th ST * Miami, FL 33147
> (p) 305.693.5133 * (f) 305.894.3666
Re: [Declude.Virus] ClamAV leaving locked files?
Very similar problem here. I have a vir folder left over with a filename of "0".

Imail 8.22, clamav 0.88-2 (SOSDB Cygwin version), Declude 3.06. Using runclamd and runclamscan wrapper

----- Original Message -----
From: "Ken Weise" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, March 08, 2006 12:26 PM
Subject: [Declude.Virus] ClamAV leaving locked files?

I have a problem with ClamAV apparently leaving locked pdf files behind. I get these messages in the virus log:

03/08/2006 11:50:34.721 262309704382 WARNING: Couldn't remove .vir directory e:\SmarterMail\Spool\proc\work\262309704382.vir\: EXTRA FILES THERE. [145] Error String: [The directory is not empty.]
03/08/2006 11:50:34.721 262309704382 Likely problem: Your virus scanner is leaving extra files/directories behind, so Declude can't delete the directory.

The files that are remaining are named "0.pdf" or "1.pdf".
Any ideas where these are coming from? Why are they staying behind after clam finishes?
What's locking them?

Using the newest versions of all, SmarterMail, clamav, and Declude Virus/Junkmail.

_
Ken Weise
Econocaribe Consolidators, Inc.
2401 NW 69th ST * Miami, FL 33147
(p) 305.693.5133 * (f) 305.894.3666
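A log-triage sketch for the two symptoms reported in the "ClamAV error" and "ClamAV leaving locked files?" threads above: a detection whose attachment field reads `[Unknown: Err]`, and `.vir` work directories that could not be removed. This is an added example, not code from any poster or from Declude; the function names are hypothetical and the line patterns are inferred only from the log excerpts quoted in the posts.

```python
import re
from collections import defaultdict

# Log lines copied from the posts above; the archive had already
# redacted addresses as [EMAIL PROTECTED].
SAMPLE_LOG = r"""
07/13/2006 19:32:19.328 366626185 AVG Reports VIRUS: I-Worm/Netsky.D
07/13/2006 19:32:19.625 366626185 Virus scanner 1 reports exit code of 3
07/13/2006 19:32:19.625 366626185 Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=your_letter.pif [1] I
07/13/2006 19:32:19.718 366626185 Virus scanner 2 reports exit code of 1
07/13/2006 19:32:19.718 366626185 Scanner 2: Virus= Worm.SomeFool.D Attachment=[Unknown: Err] [1] I
07/13/2006 19:32:19.718 366626185 Scanned: CONTAINS A VIRUS [MIME: 2 17604]
03/08/2006 11:50:34.721 262309704382 WARNING: Couldn't remove .vir directory e:\SmarterMail\Spool\proc\work\262309704382.vir\: EXTRA FILES THERE. [145] Error String: [The directory is not empty.]
03/08/2006 11:50:34.721 262309704382 Likely problem: Your virus scanner is leaving extra files/directories behind, so Declude can't delete the directory.
03/09/2006 16:39:55.671 qa08b02cc0e00.smd WARNING: Couldn't remove .vir directory D:\IMail\spool\proc\work\Da08b02cc0e00.vir\: EXTRA FILES THERE. [145] Error String: [The directory is not empty.]
03/09/2006 16:39:55.671 qa08b02cc0e00.smd Scanned: Virus Free
"""

# Assumed layout, taken from the excerpts: "<date> <time> <spool id> <text>".
ENTRY = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}) (\S+) (.*)$")
EXIT_CODE = re.compile(r"^Virus scanner (\d+) reports exit code of (\d+)$")
DETECTION = re.compile(r"^Scanner (\d+): Virus= (.+?) Attachment=(.+?) \[\d+\] \w$")
LEFTOVER = re.compile(
    r"^WARNING: Couldn't remove \.vir directory (.+?): EXTRA FILES THERE\. \[(\d+)\]"
)
VERDICT = re.compile(r"^Scanned: (.+)$")


def parse_declude_log(text):
    """Group the entries of a virus log by the spool id in the second column."""
    messages = defaultdict(lambda: {"exit_codes": {}, "detections": [],
                                    "leftover_dirs": [], "verdict": None})
    for raw in text.splitlines():
        entry = ENTRY.match(raw.strip())
        if not entry:
            continue  # blank line or text that is not a log entry
        _, spool_id, body = entry.groups()
        msg = messages[spool_id]
        if m := EXIT_CODE.match(body):
            msg["exit_codes"][int(m.group(1))] = int(m.group(2))
        elif m := DETECTION.match(body):
            msg["detections"].append((int(m.group(1)), m.group(2), m.group(3)))
        elif m := LEFTOVER.match(body):
            # The bracketed number is the OS error (145 = directory not empty).
            msg["leftover_dirs"].append((m.group(1), int(m.group(2))))
        elif m := VERDICT.match(body):
            msg["verdict"] = m.group(1)
    return dict(messages)


def find_issues(messages):
    """Return one tuple per symptom, in log order."""
    issues = []
    for spool_id, msg in messages.items():
        for scanner, virus, attachment in msg["detections"]:
            # The scanner found something but the attachment name was not resolved.
            if attachment.startswith("[Unknown"):
                issues.append(("attachment-unresolved", spool_id, scanner, virus))
        for path, error_code in msg["leftover_dirs"]:
            # Work directory left behind after scanning; check it for stray files.
            issues.append(("leftover-workdir", spool_id, path, error_code))
    return issues


if __name__ == "__main__":
    for issue in find_issues(parse_declude_log(SAMPLE_LOG)):
        print(*issue, sep="\t")
```

Run over a day's log, the `leftover-workdir` rows give the exact directories to inspect, and the `attachment-unresolved` rows show which scanner number produces the unnamed detections.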
RE: [Declude.Virus] ClamAV & sanesecurity definitions
Andrew:

After the post I did the same and it is working great. I have done as Scott has stated. I review all the messages and none of our Declude filters are being triggered anymore. All the phishing attempts used to get caught by our filters.. with ClamAV and the phish.ndb all are being caught.

One issue we have is the identification.. this is what a typical message looks like.

=
Declude Virus [Ver: 4.0.9] caught:
-Virus: Unknown Virus
-In: Unknown File
-From: * DELETED
-To: * DELETED
-Direction: incoming
-Date: 02 Mar 2006 12:33:16
-Subject: Account review
-Spool File: D2c44018bdb48.smd
-Remote IP: 193.254.190.119
=

Extremely nice test and many thanks for posting it.

Regards,
- Kami
Re: [Declude.Virus] ClamAV & sanesecurity definitions
Personally I haven't seen any false positives. I spot checked a few messages, and they were phish. All of the subject lines are definitely phishy.

I whitelisted the Declude support lists, so I don't have any concerns about blocking the support lists.

What I also liked was that it only took about 15 minutes to get it working with a scheduled task to update itself.

----- Original Message -----
From: Colbeck, Andrew
To: Declude.Virus@declude.com
Sent: Wednesday, March 01, 2006 2:46 PM
Subject: RE: [Declude.Virus] ClamAV & sanesecurity definitions

Thanks, Scott. I appreciate your posts on this topic. I have been following the hows and whys of using the phish.ndb and getting updates for it.

I was thinking that for my own usage, I'd rather worry about false positives and run it as a Declude JunkMail antispam external test. It is certainly working for you to catch scams, but have you checked for false positives? I was thinking that in particular, I might miss posts to the support lists regarding Declude text filters to fight 419 scams, and more generally, my users might be affected.

I am looking forward to implementing this when I have more time to spare in the office. (At my current rate, probably in April. Seriously.)

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Wednesday, March 01, 2006 12:29 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] ClamAV & sanesecurity definitions

I'm running clamav as one of my scanners. The SaneSecurity is an additional definition database named phish.ndb. I put the phish.ndb into my c:\clamav-devel\share\clamav folder and it does all of the rest.

----- Original Message -----
From: Colbeck, Andrew
To: Declude.Virus@declude.com
Sent: Wednesday, March 01, 2006 2:15 PM
Subject: RE: [Declude.Virus] ClamAV & sanesecurity definitions

Scott,

Are you running ClamAV with the SaneSecurity antiphishing signatures as an external spam test in Declude Pro, or as an antivirus engine in Declude Virus Pro?

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Wednesday, March 01, 2006 12:06 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] ClamAV & sanesecurity definitions

As a followup on last week's discussions on the SaneSecurity phish definitions for ClamAv.

ClamAv (without SaneSecurity) caught 273 phish for me in February (all 28 days).
SaneSecurity definitions caught 178 phish for me in the last 8 days of February.
McAfee caught 118 and none after I installed the SaneSecurity definitions.

SaneSecurity has done a wonderful job here. Thanks again Bill!

-Scott Fisher
Director of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
630-462-2323

This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. Although Farm Progress Companies has taken reasonable precautions to ensure no viruses are present in this email, the company cannot accept responsibility for any loss or damage arising from the use of this email or attachments.
RE: [Declude.Virus] ClamAV & sanesecurity definitions
Thanks, Scott. I appreciate your posts on this topic. I have been following the hows and whys of using the phish.ndb and getting updates for it.

I was thinking that for my own usage, I'd rather worry about false positives and run it as a Declude JunkMail antispam external test. It is certainly working for you to catch scams, but have you checked for false positives? I was thinking that in particular, I might miss posts to the support lists regarding Declude text filters to fight 419 scams, and more generally, my users might be affected.

I am looking forward to implementing this when I have more time to spare in the office. (At my current rate, probably in April. Seriously.)

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Wednesday, March 01, 2006 12:29 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] ClamAV & sanesecurity definitions

I'm running clamav as one of my scanners. The SaneSecurity is an additional definition database named phish.ndb. I put the phish.ndb into my c:\clamav-devel\share\clamav folder and it does all of the rest.

----- Original Message -----
From: Colbeck, Andrew
To: Declude.Virus@declude.com
Sent: Wednesday, March 01, 2006 2:15 PM
Subject: RE: [Declude.Virus] ClamAV & sanesecurity definitions

Scott,

Are you running ClamAV with the SaneSecurity antiphishing signatures as an external spam test in Declude Pro, or as an antivirus engine in Declude Virus Pro?

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Wednesday, March 01, 2006 12:06 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] ClamAV & sanesecurity definitions

As a followup on last week's discussions on the SaneSecurity phish definitions for ClamAv.

ClamAv (without SaneSecurity) caught 273 phish for me in February (all 28 days).
SaneSecurity definitions caught 178 phish for me in the last 8 days of February.
McAfee caught 118 and none after I installed the SaneSecurity definitions.

SaneSecurity has done a wonderful job here. Thanks again Bill!

-Scott Fisher
Director of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
630-462-2323
Re: [Declude.Virus] ClamAV & sanesecurity definitions
I'm running clamav as one of my scanners. The SaneSecurity is an additional definition database named phish.ndb. I put the phish.ndb into my c:\clamav-devel\share\clamav folder and it does all of the rest.

----- Original Message -----
From: Colbeck, Andrew
To: Declude.Virus@declude.com
Sent: Wednesday, March 01, 2006 2:15 PM
Subject: RE: [Declude.Virus] ClamAV & sanesecurity definitions

Scott,

Are you running ClamAV with the SaneSecurity antiphishing signatures as an external spam test in Declude Pro, or as an antivirus engine in Declude Virus Pro?

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Wednesday, March 01, 2006 12:06 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] ClamAV & sanesecurity definitions

As a followup on last week's discussions on the SaneSecurity phish definitions for ClamAv.

ClamAv (without SaneSecurity) caught 273 phish for me in February (all 28 days).
SaneSecurity definitions caught 178 phish for me in the last 8 days of February.
McAfee caught 118 and none after I installed the SaneSecurity definitions.

SaneSecurity has done a wonderful job here. Thanks again Bill!

-Scott Fisher
Director of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
630-462-2323
RE: [Declude.Virus] ClamAV & sanesecurity definitions
Scott,

Are you running ClamAV with the SaneSecurity antiphishing signatures as an external spam test in Declude Pro, or as an antivirus engine in Declude Virus Pro?

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Wednesday, March 01, 2006 12:06 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] ClamAV & sanesecurity definitions

As a followup on last week's discussions on the SaneSecurity phish definitions for ClamAv.

ClamAv (without SaneSecurity) caught 273 phish for me in February (all 28 days).
SaneSecurity definitions caught 178 phish for me in the last 8 days of February.
McAfee caught 118 and none after I installed the SaneSecurity definitions.

SaneSecurity has done a wonderful job here. Thanks again Bill!

-Scott Fisher
Director of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
630-462-2323
Re: [Declude.Virus] ClamAV Footer ...
Andrew,

Sandy is Sanford Whiteman. He is a regular, knowledgeable, and very appreciated contributor to this list. If you have been a member of this list for very long, you have certainly already seen some of his submissions. Sandy's submissions always have full contact information at the bottom.

More importantly, I believe, is that Matt was alluding to the link at the bottom of this and every list submission. Using the mail-archive, you can look for one of Sandy's submissions, or search for past submissions about Sandy's Footer Application and inform yourself. The archives take a little getting used to, but they are a great wealth of information. Best of all, you don't have to wait for a list response over the weekend. :-)

Bill Green
dfn Systems

----- Original Message -----
From: "Andrew Peskin" <[EMAIL PROTECTED]>
To:
Sent: Friday, February 17, 2006 10:34 PM
Subject: Re: [Declude.Virus] ClamAV Footer ...

Who is Sandy, and how can I get in touch with her?

Matt wrote:

Andrew,

There is no native capability to do this dynamically. Adding a footer is also a difficult task since it must be integrated properly and selectively into multiple MIME segments, and without breaking certain types of messages that rely on strict formatting (such as calendaring).

Sandy has a free app that allows for inserting footers into messages, but I don't believe it supports dynamic content. Look at the footer of one of Sandy's posts for a link.

Matt

Andrew Peskin wrote:

Hello all ...

I am trying to do the following:

On each message scanned by Declude and ClamAV, I would like to add a footer, specifying that the message has been scanned and found to be free of any virus, which version of ClamAV scanned it, which virus database was used, and what the date of the last update was to the virus database.

Here is an example of a footer I would like ...

---
No Virus Found
Scanned by ClamAV
ClamAV 0.88/1290/Thu Feb 16 04:14:53 2006

Does anyone know how to accomplish this with Declude and ClamAV? Your help would be greatly appreciated.

Thanks.

Andrew

---
[Checked by ClamAV -- No virus found in this message.]

--
The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.
Re: [Declude.Virus] ClamAV Footer ...
Who is Sandy, and how can I get in touch with her?

Matt wrote:

Andrew,

There is no native capability to do this dynamically. Adding a footer is also a difficult task since it must be integrated properly and selectively into multiple MIME segments, and without breaking certain types of messages that rely on strict formatting (such as calendaring).

Sandy has a free app that allows for inserting footers into messages, but I don't believe it supports dynamic content. Look at the footer of one of Sandy's posts for a link.

Matt

Andrew Peskin wrote:

Hello all ...

I am trying to do the following: On each message scanned by Declude and ClamAV, I would like to add a footer, specifying that the message has been scanned and found to be free of any virus, which version of ClamAV scanned it, which virus database was used, and what the date of the last update was to the virus database.

Here is an example of a footer I would like ...

---
No Virus Found
Scanned by ClamAV
ClamAV 0.88/1290/Thu Feb 16 04:14:53 2006

Does anyone know how to accomplish this with Declude and ClamAV? Your help would be greatly appreciated.

Thanks.
Andrew
Re: [Declude.Virus] ClamAV Footer ...
Andrew,

There is no native capability to do this dynamically. Adding a footer is also a difficult task since it must be integrated properly and selectively into multiple MIME segments, and without breaking certain types of messages that rely on strict formatting (such as calendaring).

Sandy has a free app that allows for inserting footers into messages, but I don't believe it supports dynamic content. Look at the footer of one of Sandy's posts for a link.

Matt

Andrew Peskin wrote:

Hello all ...

I am trying to do the following: On each message scanned by Declude and ClamAV, I would like to add a footer, specifying that the message has been scanned and found to be free of any virus, which version of ClamAV scanned it, which virus database was used, and what the date of the last update was to the virus database.

Here is an example of a footer I would like ...

---
No Virus Found
Scanned by ClamAV
ClamAV 0.88/1290/Thu Feb 16 04:14:53 2006

Does anyone know how to accomplish this with Declude and ClamAV? Your help would be greatly appreciated.

Thanks.
Andrew
Re: [Declude.Virus] ClamAV?
If so, that's one to add to the Declude Virus manual... Scott?

Matt

Scott Fisher wrote:

Try adding this to your command line: --max-ratio 0

The support compression ratio feature (--max-ratio). Overly compressed files may get falsely detected. I believe the 0 turns it off. It worked for me.

----- Original Message -----
From: "Hirthe, Alexander" <[EMAIL PROTECTED]>
To:
Sent: Thursday, February 17, 2005 11:34 AM
Subject: [Declude.Virus] ClamAV?

Hello,

I'm getting errors with Zip Files larger than about 10 MB.

In the virus.log:
02/17/2005 17:12:03 Qbede796f012201de MIME file: 123.zipxxx [base64; Length=13024694 Checksum=1676135806]
02/17/2005 17:12:07 Qbede796f012201de Scanner 3: Virus= Attachment= [6] O
02/17/2005 17:12:07 Qbede796f012201de File(s) are INFECTED [: 1]
02/17/2005 17:12:07 Qbede796f012201de Scanned: CONTAINS A VIRUS [MIME: 2 13024860]
The file is without any virus. Sure :)

from virus.cfg:
SCANFILE3 C:\clamav-devel\bin\clamscan.exe --quiet --log-verbose --no-summary -l report.txt
VIRUSCODE3 1
REPORT3 FOUND

Has anyone else such errors?
The user told me, this could/would happen with all zipped files larger than 6 MB.

Alex

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
Re: [Declude.Virus] ClamAV?
Try adding this to your command line: --max-ratio 0

The support compression ratio feature (--max-ratio). Overly compressed files may get falsely detected. I believe the 0 turns it off. It worked for me.

----- Original Message -----
From: "Hirthe, Alexander" <[EMAIL PROTECTED]>
To:
Sent: Thursday, February 17, 2005 11:34 AM
Subject: [Declude.Virus] ClamAV?

> Hello,
>
> I'm getting errors with Zip Files larger than about 10 MB.
>
> In the virus.log:
> 02/17/2005 17:12:03 Qbede796f012201de MIME file: 123.zipxxx [base64;
> Length=13024694 Checksum=1676135806]
> 02/17/2005 17:12:07 Qbede796f012201de Scanner 3: Virus= Attachment= [6] O
> 02/17/2005 17:12:07 Qbede796f012201de File(s) are INFECTED [: 1]
> 02/17/2005 17:12:07 Qbede796f012201de Scanned: CONTAINS A VIRUS [MIME: 2
> 13024860]
> The file is without any virus. Sure :)
>
> from virus.cfg:
> SCANFILE3 C:\clamav-devel\bin\clamscan.exe --quiet --log-verbose
> --no-summary -l report.txt
> VIRUSCODE3 1
> REPORT3 FOUND
>
> Has anyone else such errors?
> The user told me, this could/would happen with all zipped files larger than
> 6 MB.
>
> Alex
Re: [Declude.Virus] ClamAV?
Manually perform the scan, and look @ the report.txt file.

----- Original Message -----
From: "Hirthe, Alexander" <[EMAIL PROTECTED]>
To:
Sent: Thursday, February 17, 2005 12:34 PM
Subject: [Declude.Virus] ClamAV?

Hello,

I'm getting errors with Zip Files larger than about 10 MB.

In the virus.log:
02/17/2005 17:12:03 Qbede796f012201de MIME file: 123.zipxxx [base64; Length=13024694 Checksum=1676135806]
02/17/2005 17:12:07 Qbede796f012201de Scanner 3: Virus= Attachment= [6] O
02/17/2005 17:12:07 Qbede796f012201de File(s) are INFECTED [: 1]
02/17/2005 17:12:07 Qbede796f012201de Scanned: CONTAINS A VIRUS [MIME: 2 13024860]
The file is without any virus. Sure :)

from virus.cfg:
SCANFILE3 C:\clamav-devel\bin\clamscan.exe --quiet --log-verbose --no-summary -l report.txt
VIRUSCODE3 1
REPORT3 FOUND

Has anyone else such errors?
The user told me, this could/would happen with all zipped files larger than 6 MB.

Alex
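The triage the replies above point toward, as an added example (not code from the thread or from Declude): it groups the virus.log lines quoted in this thread by message ID and flags messages marked INFECTED for which no scanner line carries a virus name, which are the ones to re-scan by hand and compare against report.txt. The line layout is assumed from the four quoted lines only; the last five sample lines are constructed.

```python
import re
from collections import OrderedDict

# Layout assumed from the virus.log lines quoted in the thread:
#   <date> <time> <message id> <event text>
LINE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (\S+) (.*)$")
MIME = re.compile(r"^MIME file: (\S+) \[[^;\]]*; Length=(\d+) ")
SCANNER = re.compile(r"^Scanner (\d+): Virus=(.*?) Attachment=(.*?) \[(\d+)\]")

# First four lines: as quoted in the thread. Remaining lines: constructed
# for this example, modelled on the same shape.
SAMPLE_LOG = """\
02/17/2005 17:12:03 Qbede796f012201de MIME file: 123.zipxxx [base64; Length=13024694 Checksum=1676135806]
02/17/2005 17:12:07 Qbede796f012201de Scanner 3: Virus= Attachment= [6] O
02/17/2005 17:12:07 Qbede796f012201de File(s) are INFECTED [: 1]
02/17/2005 17:12:07 Qbede796f012201de Scanned: CONTAINS A VIRUS [MIME: 2 13024860]
02/17/2005 17:15:40 Qconstructed000001 MIME file: sample.exe [base64; Length=20480 Checksum=1]
02/17/2005 17:15:41 Qconstructed000001 Scanner 3: Virus=Constructed.Test.Name Attachment=sample.exe [1] I
02/17/2005 17:15:41 Qconstructed000001 File(s) are INFECTED [Constructed.Test.Name: 1]
02/17/2005 17:15:41 Qconstructed000001 Scanned: CONTAINS A VIRUS [MIME: 2 20600]
02/17/2005 17:16:02 Qconstructed000002 MIME file: notes.txt [base64; Length=512 Checksum=2]
"""


def triage(log_text):
    """Return one finding per message that the log marks as infected."""
    msgs = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a log line in the assumed layout
        msg_id, rest = m.group(2), m.group(3)
        rec = msgs.setdefault(msg_id, {"files": [], "scanners": [], "infected": False})
        mime = MIME.match(rest)
        scan = SCANNER.match(rest)
        if mime:
            rec["files"].append((mime.group(1), int(mime.group(2))))
        elif scan:
            rec["scanners"].append({
                "scanner": int(scan.group(1)),
                "virus": scan.group(2).strip(),   # empty when no name was reported
                "attachment": scan.group(3).strip(),
                "bracket": int(scan.group(4)),    # kept as logged, not interpreted
            })
        elif rest.startswith("File(s) are INFECTED") or "CONTAINS A VIRUS" in rest:
            rec["infected"] = True

    findings = []
    for msg_id, rec in msgs.items():
        if not rec["infected"]:
            continue
        names = sorted({s["virus"] for s in rec["scanners"] if s["virus"]})
        findings.append({
            "message": msg_id,
            # No name from any scanner: treat as a verdict to verify, not a detection.
            "status": "named-detection" if names else "unnamed-verdict",
            "names": names,
            "largest_part": max((size for _, size in rec["files"]), default=0),
            "scanners": sorted({s["scanner"] for s in rec["scanners"]}),
        })
    return findings


def unnamed_verdicts(log_text):
    """Messages marked infected without any reported virus name."""
    return [f for f in triage(log_text) if f["status"] == "unnamed-verdict"]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```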
Re: [Declude.Virus] clamAV - OT ClamAV For Windows 0.80-10
I just received the following from the Clam list - there appears to be an issue with UDP ports and cygwin

-Nick

On 6 Dec 2004 at 9:24, Brian Bruns wrote:

From: "Brian Bruns" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Date sent: Mon, 6 Dec 2004 09:24:37 -0500
Subject: [clamav-announce] ClamAV For Windows 0.80-10

> Hello all,
>
> It's been a while since I sent out a notice of a new version, so here
> it is - v0.80-10 of ClamAV. It's fresh off the compiler and should be
> working well.
>
> However, I've been notified of a serious issue surrounding ClamAV and
> Cygwin. Apparently, clamd.exe causes UDP ports to be opened for no
> reason, and they hang in the open state. The only way to really fix
> this is to kill off clamd.exe and restart it. I use a program from
> http://www.beyondlogic.org/consulting/processutil/processutil.htm
> which makes it rather easy to kill off clamd.exe cleanly.
>
> Using the regular clamscan.exe is the only way to completely avoid
> this issue - but you end up taking a major performance hit. We
> believe this problem is with Cygwin and not ClamAV, so there's limited
> I can do on my end until I can hash out the issue with a Cygwin
> developer.
>
> Anyways, latest version is up at:
>
> http://www.sosdg.org/clamav-win32
>
> Enjoy!
>
> --
> Brian Bruns
> The Summit Open Source Development Group
> Open Solutions For A Closed World / The AHBL
> http://www.sosdg.org / http://www.ahbl.org
>
> ___
> ClamAV For Windows Announcement Mailing List
> http://lists.sosdg.org/mailman/listinfo/clamav-announce
Re: [Declude.Virus] ClamAV fyi
For those that use ClamAV the latest ver appears to be Nov20 - I had the Oct24 ver which would randomly crash - in this latest ver in the release notes there is reference to fixing this -Nick Hayer
RE: [Declude.Virus] ClamAv
That's why I'm trying it out. I'm still trying to figure a few things out. I can say that Clam updated and caught things quick today. Their virus updates came out before F-Prot did. I still like F-Prot so that's why I'm just watching for now.

Jeff Kratka

----- Original Message -----
From: Jonathan <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Fri, 19 Nov 2004 20:36:31 -0600

>Running ClamAV under cygwin? Wow, that seems like a horrible performance
>hit on any type of high volume mail server.
>
>Jonathan
>
>At 06:22 PM 11/19/2004, you wrote:
>>Sorry, I figured it out...
>>
>>Thanks
>>
>>Jeff Kratka
>>
>>TymeWyse Internet
>>P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417
>>tel/fax: (541) 839-6027 - [EMAIL PROTECTED]
>>
>>-----Original Message-----
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] Behalf Of Jeff Kratka
>>Sent: Friday, November 19, 2004 4:04 PM
>>To: [EMAIL PROTECTED]
>>Subject: [Declude.Virus] ClamAv
>>
>>I just started to try out Clam AV and so far it's been catching more than
>>F-Prot did. Is there a switch to have Declude add the virus name to the
>>Declude logs. My config in the virus .cfg is
>>
>>SCANFILE C:\imail\declude\runclamscan.exe log=1
>>C:\clamav-devel\bin\clamdscan.exe --quiet --mbox -l report.txt
>>VIRUSCODE 1
>>REPORT FOUND
>>
>>Jeff Kratka
>>
>>TymeWyse Internet
>>P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417
>>tel/fax: (541) 839-6027 - [EMAIL PROTECTED]

--
TymeWyse Internet
P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417
tel/fax: (541) 839-6027 - [EMAIL PROTECTED]
RE: [Declude.Virus] ClamAv
Running ClamAV under cygwin? Wow, that seems like a horrible performance hit on any type of high volume mail server.

Jonathan

At 06:22 PM 11/19/2004, you wrote:

Sorry, I figured it out...

Thanks

Jeff Kratka

TymeWyse Internet
P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417
tel/fax: (541) 839-6027 - [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jeff Kratka
Sent: Friday, November 19, 2004 4:04 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] ClamAv

I just started to try out Clam AV and so far it's been catching more than F-Prot did. Is there a switch to have Declude add the virus name to the Declude logs. My config in the virus .cfg is

SCANFILE C:\imail\declude\runclamscan.exe log=1 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox -l report.txt
VIRUSCODE 1
REPORT FOUND

Jeff Kratka

TymeWyse Internet
P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417
tel/fax: (541) 839-6027 - [EMAIL PROTECTED]
RE: [Declude.Virus] ClamAv
Sorry, I figured it out...

Thanks

Jeff Kratka

TymeWyse Internet
P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417
tel/fax: (541) 839-6027 - [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jeff Kratka
Sent: Friday, November 19, 2004 4:04 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] ClamAv

I just started to try out Clam AV and so far it's been catching more than F-Prot did. Is there a switch to have Declude add the virus name to the Declude logs. My config in the virus .cfg is

SCANFILE C:\imail\declude\runclamscan.exe log=1 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox -l report.txt
VIRUSCODE 1
REPORT FOUND

Jeff Kratka

TymeWyse Internet
P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417
tel/fax: (541) 839-6027 - [EMAIL PROTECTED]
RE: [Declude.Virus] ClamAV scan time
FYI – 1st scanner is F-Prot. 2nd is ClamAV. I am using the “runclamscan” wrapper found at http://www.smartbusiness.com/imail/declude/.

Today I haven’t had any left over directories and vir*.log is clean of errors. It may have been the particular load at that time and message size as someone mentioned yesterday.

John

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, November 16, 2004 10:21 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] ClamAV scan time

Terry,

Maybe if you could clarify. You are running ClamAV in daemon mode, am I correct? My point was that as of several months ago, the non-daemon installation was a processor hog and took a lot of time compared to F-Prot, the best performing scanner. Things might have changed since then. I also noted that when run in daemon mode, ClamAV was virtually as fast as F-Prot, and used less resources. I'm not running ClamAV because I had issues with the stability/management of their daemon at that time. I suspect that things have changed since then.

Regardless, I would not be surprised to see the per-process launched ClamAV causing excessive load on a busy server. It wasn't clear if John was running one way or another. Hitting a 60 second timeout suggests that his server was being redlined for a prolonged period of time, and going to the daemon mode might provide substantial relief. If his other scanner isn't F-Prot, he should also think about switching because there is nothing as efficient as F-Prot, and it hardly uses any resources.

Matt

Terry Fritts wrote:

ClamAV when not run in daemon mode is very slow in comparison to other virus scanners. If your server is getting pushed to its limits, the first sign will likely be their vir directories piling up as a result of ClamAV not finishing within the specified time configured in Declude Virus.

I played around with daemon mode several months back, but there was an issue with the service not shutting down when you told it to, so I abandoned it for the time being. Maybe some others have information about how to do this properly now with newer builds.

My log records the scan times. I did check when I read this and there are a few excessively long scan times. I checked about 10,000 entries. There were 360 scans that took longer than .5 sec. There were 206 that took 1 sec or longer.

Also, I record the total time, the time to check to see if the service is running, and then the actual scan time. In my worst case these numbers were recorded: 13.3490,11.947,1.402. But notice that the middle number is the time to check to see if the service is running. This indicates to me that the issue is not with ClamAV but with the server load at the time of the scan. I know the server is being hammered anyway.

I did check to see if there were any correlation between the file size and the long elapsed times and I really could not find any. But then again we are not handling huge numbers of messages either.

My programs are available for download at: http://www.smartbusiness.com/imail/declude/

Terry Fritts
Re: [Declude.Virus] ClamAV scan time
Terry,

Maybe if you could clarify. You are running ClamAV in daemon mode, am I correct? My point was that as of several months ago, the non-daemon installation was a processor hog and took a lot of time compared to F-Prot, the best performing scanner. Things might have changed since then. I also noted that when run in daemon mode, ClamAV was virtually as fast as F-Prot, and used less resources. I'm not running ClamAV because I had issues with the stability/management of their daemon at that time. I suspect that things have changed since then.

Regardless, I would not be surprised to see the per-process launched ClamAV causing excessive load on a busy server. It wasn't clear if John was running one way or another. Hitting a 60 second timeout suggests that his server was being redlined for a prolonged period of time, and going to the daemon mode might provide substantial relief. If his other scanner isn't F-Prot, he should also think about switching because there is nothing as efficient as F-Prot, and it hardly uses any resources.

Matt

Terry Fritts wrote:

ClamAV when not run in daemon mode is very slow in comparison to other virus scanners. If your server is getting pushed to its limits, the first sign will likely be their vir directories piling up as a result of ClamAV not finishing within the specified time configured in Declude Virus.

I played around with daemon mode several months back, but there was an issue with the service not shutting down when you told it to, so I abandoned it for the time being. Maybe some others have information about how to do this properly now with newer builds.

My log records the scan times. I did check when I read this and there are a few excessively long scan times. I checked about 10,000 entries. There were 360 scans that took longer than .5 sec. There were 206 that took 1 sec or longer.

Also, I record the total time, the time to check to see if the service is running, and then the actual scan time. In my worst case these numbers were recorded: 13.3490,11.947,1.402. But notice that the middle number is the time to check to see if the service is running. This indicates to me that the issue is not with ClamAV but with the server load at the time of the scan. I know the server is being hammered anyway.

I did check to see if there were any correlation between the file size and the long elapsed times and I really could not find any. But then again we are not handling huge numbers of messages either.

My programs are available for download at: http://www.smartbusiness.com/imail/declude/

Terry Fritts
Re: [Declude.Virus] ClamAV scan time
> ClamAV when not run in daemon mode is very slow in comparison to other
> virus scanners. If your server is getting pushed to its limits, the
> first sign will likely be their vir directories piling up as a result of
> ClamAV not finishing within the specified time configured in Declude Virus.
>
> I played around with daemon mode several months back, but there was an
> issue with the service not shutting down when you told it to, so I
> abandoned it for the time being. Maybe some others have information
> about how to do this properly now with newer builds.

My log records the scan times. I did check when I read this and there are a few excessively long scan times. I checked about 10,000 entries. There were 360 scans that took longer than .5 sec. There were 206 that took 1 sec or longer.

Also, I record the total time, the time to check to see if the service is running, and then the actual scan time. In my worst case these numbers were recorded: 13.3490,11.947,1.402. But notice that the middle number is the time to check to see if the service is running. This indicates to me that the issue is not with ClamAV but with the server load at the time of the scan. I know the server is being hammered anyway.

I did check to see if there were any correlation between the file size and the long elapsed times and I really could not find any. But then again we are not handling huge numbers of messages either.

My programs are available for download at: http://www.smartbusiness.com/imail/declude/

Terry Fritts
Re: [Declude.Virus] ClamAV scan time
On 15 Nov 2004 at 16:44, John Carter wrote:

I have had some issues as well. I edited clamd.conf with so far non-detrimental results. I changed

ReadTimeout 40 [120]
MaxConnectionQueueLength 50 [30]
MaxThreads 30 [10]

I wanted to change this setting but was unclear if it referred to time or size. So I left it to see if other changes helped -

# Close the connection if this limit is exceeded.
StreamMaxLength 3M

-Nick

From: "John Carter" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: [Declude.Virus] ClamAV scan time
Date sent: Mon, 15 Nov 2004 16:44:35 -0600
Send reply to: [EMAIL PROTECTED]

> Has anyone using ClamAV had problems with it taking longer than 60
> seconds to run? After installing it last week and working out a few
> problems, it has done well. Today I noticed a number of *.vir folders
> left on the drive. The VIR*.log showed that ClamAV was not completing
> in 60 seconds. This has happened about three different times when we
> were hit with a lot of mail at once.
>
> John
Re: [Declude.Virus] ClamAV scan time
ClamAV when not run in daemon mode is very slow in comparison to other virus scanners. If your server is getting pushed to its limits, the first sign will likely be their vir directories piling up as a result of ClamAV not finishing within the specified time configured in Declude Virus.

I played around with daemon mode several months back, but there was an issue with the service not shutting down when you told it to, so I abandoned it for the time being. Maybe some others have information about how to do this properly now with newer builds.

Matt

John Carter wrote:

Has anyone using ClamAV had problems with it taking longer than 60 seconds to run? After installing it last week and working out a few problems, it has done well. Today I noticed a number of *.vir folders left on the drive. The VIR*.log showed that ClamAV was not completing in 60 seconds. This has happened about three different times when we were hit with a lot of mail at once.

John
Re: [Declude.Virus] ClamAV scan time
I have noticed this problem with large files, usually TIFFs. No solutions though...

----- Original Message -----
From: "John Carter" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Mon, 15 Nov 2004 16:44:35 -0600

>Has anyone using ClamAV had problems with it taking longer than 60 seconds
>to run? After installing it last week and working out a few problems, it
>has done well. Today I noticed a number of *.vir folders left on the drive.
>The VIR*.log showed that ClamAV was not completing in 60 seconds. This has
>happened about three different times when we were hit with a lot of mail at
>once.
>
>John
Re: [Declude.Virus] clamav
On a related topic, during my testing I found that while I was logged into my server with pcANYWHERE instead of Terminal Services, I kept seeing CMD windows pop up when AVG was scanning despite the /silent switch. I don't ever recall seeing that before, but it's rare that I log in with pcANYWHERE. Maybe there is something else happening here that isn't necessary. The folks from Grisoft were nice enough to add the return codes and maybe they could help make the command line more efficient???

Actually, that will occur if you use the DEBUG mode in Declude Virus (it allows the console windows to be visible, in case there are messages there that need to be read).

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
Re: [Declude.Virus] clamav
Thanks for the explanation. I was hoping for something miraculous that might be of benefit, but it looks like Declude does all of this already.

On a related topic, during my testing I found that while I was logged into my server with pcANYWHERE instead of Terminal Services, I kept seeing CMD windows pop up when AVG was scanning despite the /silent switch. I don't ever recall seeing that before, but it's rare that I log in with pcANYWHERE. Maybe there is something else happening here that isn't necessary. The folks from Grisoft were nice enough to add the return codes and maybe they could help make the command line more efficient??? I also tried AVG without a bunch of the switches and didn't notice any difference, though apparently adding the heuristic switch will increase the scan time.

One of my thoughts to increase the efficiency of the environment would be to add a handler application for Declude Virus to call instead of doing it directly. You could for instance have the handler call the first scanner, wait for the code, and then only call the second scanner if it was a negative result, or also only if the attachment was below a certain size (large attachments are a big hit and viruses are very rare with such things). I also found a sample of one such batch program in the archives with a helper that reconfigured the report file into a format that Declude accepted. I'm not sure about how much overhead this would add, but it would probably be a net benefit.

http://www.mail-archive.com/[EMAIL PROTECTED]/msg03101.html

I've been looking to do something similar with Sniffer (escape on existing high weight) but couldn't get the vbscript to work that supposedly would capture return codes. I'm thinking that this code sample might do the trick. I'm an awful hack when it comes to programming though :) If anyone out there has interest in helping me do this, please don't hesitate to chime in.

I'm on an efficiency kick as of late (if folks haven't noticed) based both on need and on my desire to not just throw more servers at the mix, primarily because after you outgrow the capacity that one machine can handle, you are forced into a more complicated load balancing methodology which is harder to manage and much more expensive after you add in the licensing. So far I've managed to trim a good deal of froth from my system without compromising the effectiveness by doing things such as moving mailfrom and ipfile filters into DNS, and even trimming massive blocks of comments from my custom filters. It's the good mail though that hogs the most processing power (thanks to SKIPIFWEIGHT) despite the lower volume, and tests like file size can be used to defeat expensive tests that aren't likely to be of use in such E-mail by using handler scripts and the new TESTSFAILED filter element.

Matt

Terry Fritts wrote:

> > Terry, if you could explain the demime thing, that would be appreciated.
>
> I'm sorry - I've been tied up all day working on name server issues.
>
> The application I referenced earlier was an xmail mail server. Declude is not available for it so I wrote my own program that is called by xmail for messages. My program does something similar to what declude does but not nearly as well.
>
> Giving a message to either NAI or ClamAV is inconsequential because both of those programs will not dismantle the message into its mime parts (demime). As I said Fprot actually does a certain amount of demime itself. I don't know how declude accomplishes this but I know declude does something to make NAI and others scan the pieces of the message.
>
> In my case I use an external program (munpack I think it is). My program creates a temporary directory and then calls munpack with that directory and message path. munpack then takes the message and splits it into the various mime segments. For instance there might be a text segment, an html segment, and a zip file attachment. It is quite common to have 4 or more files. Then my program next calls fprot, nai, and clamav in turn for that directory. Each of those programs scan all the files in the temp folder and create a report file. My program extracts the virus name from the report files if an infection is indicated, logs it, quarantines the message, and tells the mail server to delete the message (if infected). Finally my program does some spam checking including a call to the sniffer engine. I don't do a lot of stuff that declude does however.
>
> As for the daemon issue I'm going to look at that and see if I can figure some way to keep the thing loaded - just no time today.
>
> Terry Fritts
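The unpack-then-scan flow Terry Fritts describes in the message above, as an added example that is not part of the original thread and is not his program or Declude's code. It assumes Python's standard `email` package in place of munpack, and a constructed harmless marker string with a byte-search function standing in for the external scanners.

```python
from __future__ import annotations

import tempfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import Path

# Constructed, harmless stand-in for a signature; not a real virus pattern.
MARKER = b"CONSTRUCTED-TEST-SIGNATURE-0001"


def build_sample_message() -> bytes:
    """Constructed message: text part, HTML part and a binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("plain text body")
    msg.add_alternative("<p>html body</p>", subtype="html")
    # Binary attachments are base64-encoded on the wire, so the marker
    # bytes do not appear literally in the raw message.
    msg.add_attachment(b"\x00\x01" + MARKER + b"\x02", maintype="application",
                       subtype="octet-stream", filename="../payload.bin")
    return msg.as_bytes()


def demime(raw: bytes, outdir: Path) -> list[Path]:
    """Write every decoded leaf MIME part of the message into outdir."""
    msg = message_from_bytes(raw, policy=policy.default)
    written = []
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue  # containers hold no content of their own
        payload = part.get_payload(decode=True) or b""
        # Name files by index only: the sender controls the MIME filename,
        # so it must never be used as a path component.
        target = outdir / f"part{idx:02d}.bin"
        target.write_bytes(payload)
        written.append(target)
    return written


def scan_dir(outdir: Path) -> list[str]:
    """Stand-in for the scanners: names of files that contain MARKER."""
    return sorted(p.name for p in outdir.iterdir() if MARKER in p.read_bytes())


def demo() -> dict:
    raw = build_sample_message()
    with tempfile.TemporaryDirectory() as tmp:
        parts = demime(raw, Path(tmp))
        return {"raw_hit": MARKER in raw,      # scanning the undecoded message
                "part_count": len(parts),      # text, html, attachment
                "hits": scan_dir(Path(tmp))}   # scanning the unpacked parts


if __name__ == "__main__":
    print(demo())
```

The raw message yields no hit while the unpacked attachment does, which is why a scanner that does not demime needs the message split first.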
Re: [Declude.Virus] clamav
I've spent another few hours playing around with this and when I call things correctly by starting clamd.exe and then configured Declude to run clamdscan.exe, the scan times went from 1 second to between 0.08 seconds up to 0.6 seconds across about a dozen scans. I also tracked this in performance monitor for an hour and found the average utilization of clamd.exe and clamdscan.exe combined to be about equal to that of F-Prot, but it had a couple very large peaks possibly hitting 100% momentarily, not sure what that was about. Note that Performance Monitor screws up the numbers and I consider it unreliable to assume something from just one hour of monitoring/stats.

Clamd though is definitely a contender if some issues could be cleared up. I tried to use the Resource Kit's SRVANY.exe to create a service out of clamd.exe in a method similar to how the persistent version of Sniffer is run, but that doesn't work. Clamd.exe doesn't show up on the list of processes in Task Manager and the scan times go back to 1 second each. I have almost no experience in Unix environments, so I would be stabbing in the dark to figure out what was necessary to get this to work, but I would guess at it being a context issue.

ClamAV would be a great backup scanner for Declude it seems if the daemon could be run without a kludge, and the reporting was modified to be compliant, or Declude was modified to accept various formats instead of just what follows a particular string. I suppose this could be done by having a before and an after definition instead of just a before.

Terry, if you could explain the demime thing, that would be appreciated.

Thanks,

Matt

Charles Frolick wrote:

> I never updated after I posted that. I need to find a way to start and check the clamd service. Since it runs Unix style under Cygwin, it creates an instance and is out of sight, it doesn't fire correctly from a service manager like fire daemon, at least not in the config I used. I have been real busy with migrating 2 acquired companies into our network, so I haven't played with it much. Something I thought I might try is a batch file or Perl script that is fired by Task Scheduler and runs Cygwin ps to see if it is running, and restart it if it is not.
>
> Thanks,
> Chuck Frolick
> ArgoLink.net
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Terry Fritts
> Sent: Thursday, April 01, 2004 6:54 AM
> To: Charles Frolick
> Subject: Re[2]: [Declude.Virus] clamav
>
> BTW, run clamd.exe and clamdscan.exe and notice a difference in speed
>
> Charles,
>
> Did you start clamd and then leave the server logged on?
>
> Terry

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
RE: [Declude.Virus] ClamAV settings in virus.cfg
> > There isn't. The problem is that ClamAV doesn't report the virus name in
> > the standard format. We are, however, looking into finding a way
> > around this.
>
> There's a standard format? Can I get a copy of the standard? ClamAV is open source so it might be easier to submit a fix to the source than to work around it.

The standard format is to include the filename, followed by an identifier of some sort ("virus found", "infected", or anything that indicates that the E-mail isn't clean), and then the virus name.

I believe the code that should be changed is in the checkfile( ) function in the manager.c file, where there are two references to "%s: %s FOUND\n", which could be changed to "%s: infected with %s\n" or "%s: FOUND %s\n". That would do the trick.

-Scott
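The format mismatch discussed in the message above, as an added example that is not from the thread, from ClamAV or from Declude. It rewrites report lines of the form `<file>: <name> FOUND` into `<file>: infected with <name>`, one of the two forms the reply suggests. The `name_after` function is only an assumed model of "take what follows a particular string", and the report lines, paths and detection names are constructed.

```python
import re

# Constructed clamscan-style report; paths and detection names are made up.
SAMPLE_REPORT = (
    "C:\\spool\\tmp01\\part02.bin: OK\n"
    "C:\\spool\\tmp01\\part04.bin: Constructed.Worm-A FOUND\n"
    "C:\\spool\\tmp01\\FOUND items.txt: OK\n"
)

# "<file>: <name> FOUND" with the name before the keyword. The greedy file
# group splits at the last ": ", so the "C:" drive prefix stays in the path.
FOUND_RE = re.compile(r"^(?P<file>.+): (?P<name>.+) FOUND$")


def rewrite_line(line: str) -> str:
    """Move the virus name behind an identifier; leave other lines alone."""
    line = line.rstrip("\r\n")
    m = FOUND_RE.match(line)
    if m is None:
        return line
    return f"{m.group('file')}: infected with {m.group('name')}"


def rewrite_report(text: str) -> str:
    """Rewrite a whole report, one line at a time."""
    return "\n".join(rewrite_line(l) for l in text.splitlines()) + "\n"


def name_after(marker: str, report: str) -> str:
    """Assumed model of a consumer that reads the name after a marker string.

    This is an illustration of the behaviour described in the thread,
    not Declude's actual parsing code.
    """
    for line in report.splitlines():
        _, sep, rest = line.partition(marker)
        if sep:
            return rest.strip()
    return ""


if __name__ == "__main__":
    fixed = rewrite_report(SAMPLE_REPORT)
    print(fixed, end="")
    print("before:", repr(name_after("FOUND", SAMPLE_REPORT)))
    print("after: ", repr(name_after("infected with", fixed)))
```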
RE: [Declude.Virus] ClamAV settings in virus.cfg
> There isn't. The problem is that ClamAV doesn't report the virus name in
> the standard format. We are, however, looking into finding a way
> around this.

There's a standard format? Can I get a copy of the standard? ClamAV is open source so it might be easier to submit a fix to the source than to work around it.

Regards,
Brad
Re: [Declude.Virus] ClamAV settings in virus.cfg
Are the settings for ClamAV in the Declude Virus Manual complete?

Yes, but:

SCANFILE C:\clamav-devel\bin\clamscan.exe --quiet --log-verbose --no-summary -l report.txt
VIRUSCODE 1

I would have thought there would be a REPORT line.

There isn't. The problem is that ClamAV doesn't report the virus name in the standard format. We are, however, looking into finding a way around this.

I had to put --mbox on the command line to find the viruses listed above. I assume that I don't need it in virus.cfg because Declude Virus will have already extracted everything.

Correct.

-Scott
Re: [Declude.Virus] ClamAV
Have you considered adding the ClamAV to the list of scanners on your site?

We should have it there soon. :)

-Scott
RE: [Declude.Virus] clamav
I've been running ClamAV as an additional scanner for a couple weeks, been great. BTW, run clamd.exe and clamdscan.exe and notice a difference in speed (from what I can tell you'd have to compile it yourself to run clamd on another server, but it can be done).

Scott, it would be nice to be able to tell declude the reporting order or something like that for scanners that use different report formats. I use the following in my config.

SCANFILE c:\clamav-devel\bin\clamdscan.exe --quiet --disable-summary -l report.txt
VIRUSCODE 1
#REPORT FOUND

Thanks,
Chuck Frolick
ArgoLink.net

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Terry Fritts
Sent: Sunday, February 29, 2004 3:25 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] clamav

Update on ClamAV

Got the "freshclam" updater working. Pretty simple actually. Just browse one of the mirrors for the db updates - see http://www.clamav.net/mirrors.html for a list - Pick one of them - say - http://clamav.sonic.net/database/ - download the .md5 files to your virus db folder (eg c:\clamav-devel\share\clamav\ ) I got all of them while I was there just in case. Then go to c:\clamav-devel\bin and run freshclam from cmd line and it should update. See freshclam --help for more. You can run it as a daemon if you stay logged on otherwise you'll have to do something different. There is a .conf file.

Results are pretty decent for me once I got the virus db updated. Basically ClamAV is catching everything so far that f-prot is catching. Log snippet at end - although this is a pretty light day. Where NAI is not indicating a virus and the other 2 are I think the attachments may be corrupted but haven't verified that.

You can create your own virus signatures, too. If you don't want to wait on someone else. There is also a web page to report viruses: http://www.nervous.it/~nervous/cgi-bin/sendvirus.cgi

Pretty nice really for "free" and an additional scanner. Only real disadvantage I see is the virus name and that's not too significant.

Terry Fritts

Log Snippet:
===
13:10:24 Scanner 1: Virus=: W32/[EMAIL PROTECTED]
13:10:25 Scanner 2: Virus= the W32/[EMAIL PROTECTED] virus
13:10:26 Scanner #3 detected a virus
13:55:08 Scanner 1: Virus=: W32/[EMAIL PROTECTED]
13:55:09 Scanner 2: Virus= the W32/[EMAIL PROTECTED]
13:55:10 Scanner #3 detected a virus
13:55:59 Scanner 1: Virus=: W32/[EMAIL PROTECTED]
13:56:00 Scanner 2: Virus= the W32/[EMAIL PROTECTED]
13:56:01 Scanner #3 detected a virus
13:57:13 Scanner 1: Virus=: W32/[EMAIL PROTECTED]
13:57:15 Scanner #3 detected a virus
14:20:08 Scanner 1: Virus=: W32/[EMAIL PROTECTED]
14:20:08 Scanner 2: Virus= the W32/[EMAIL PROTECTED]
14:20:10 Scanner #3 detected a virus
14:34:57 Scanner 1: Virus=: W32/[EMAIL PROTECTED]
14:34:58 Scanner 2: Virus= the W32/[EMAIL PROTECTED]
14:34:59 Scanner #3 detected a virus
14:51:10 Scanner 1: Virus=: W32/[EMAIL PROTECTED]
14:51:12 Scanner #3 detected a virus
14:51:55 Scanner 1: Virus=: W32/[EMAIL PROTECTED]
14:51:58 Scanner #3 detected a virus
14:52:50 Scanner 1: Virus=: W32/[EMAIL PROTECTED]
14:52:52 Scanner #3 detected a virus
14:52:58 Scanner 1: Virus=: W32/[EMAIL PROTECTED]
14:53:00 Scanner #3 detected a virus
14:53:36 Scanner 1: Virus=: W32/[EMAIL PROTECTED]
14:53:38 Scanner #3 detected a virus
===
Re: [Declude.Virus] clamav
Update on ClamAV

Got the "freshclam" updater working. Pretty simple actually. Just browse one of the mirrors for the db updates - see http://www.clamav.net/mirrors.html for a list - Pick one of them - say - http://clamav.sonic.net/database/ - download the .md5 files to your virus db folder (eg c:\clamav-devel\share\clamav\ ) I got all of them while I was there just in case. Then go to c:\clamav-devel\bin and run freshclam from cmd line and it should update. See freshclam --help for more. You can run it as a daemon if you stay logged on otherwise you'll have to do something different. There is a .conf file.

Results are pretty decent for me once I got the virus db updated. Basically ClamAV is catching everything so far that f-prot is catching. Log snippet at end - although this is a pretty light day. Where NAI is not indicating a virus and the other 2 are I think the attachments may be corrupted but haven't verified that.

You can create your own virus signatures, too. If you don't want to wait on someone else. There is also a web page to report viruses: http://www.nervous.it/~nervous/cgi-bin/sendvirus.cgi

Pretty nice really for "free" and an additional scanner. Only real disadvantage I see is the virus name and that's not too significant.

Terry Fritts

Log Snippet:
===
13:10:24 Scanner 1: Virus=: W32/[EMAIL PROTECTED]
13:10:25 Scanner 2: Virus= the W32/[EMAIL PROTECTED] virus
13:10:26 Scanner #3 detected a virus
13:55:08 Scanner 1: Virus=: W32/[EMAIL PROTECTED]
13:55:09 Scanner 2: Virus= the W32/[EMAIL PROTECTED]
13:55:10 Scanner #3 detected a virus
13:55:59 Scanner 1: Virus=: W32/[EMAIL PROTECTED]
13:56:00 Scanner 2: Virus= the W32/[EMAIL PROTECTED]
13:56:01 Scanner #3 detected a virus
13:57:13 Scanner 1: Virus=: W32/[EMAIL PROTECTED]
13:57:15 Scanner #3 detected a virus
14:20:08 Scanner 1: Virus=: W32/[EMAIL PROTECTED]
14:20:08 Scanner 2: Virus= the W32/[EMAIL PROTECTED]
14:20:10 Scanner #3 detected a virus
14:34:57 Scanner 1: Virus=: W32/[EMAIL PROTECTED]
14:34:58 Scanner 2: Virus= the W32/[EMAIL PROTECTED]
14:34:59 Scanner #3 detected a virus
14:51:10 Scanner 1: Virus=: W32/[EMAIL PROTECTED]
14:51:12 Scanner #3 detected a virus
14:51:55 Scanner 1: Virus=: W32/[EMAIL PROTECTED]
14:51:58 Scanner #3 detected a virus
14:52:50 Scanner 1: Virus=: W32/[EMAIL PROTECTED]
14:52:52 Scanner #3 detected a virus
14:52:58 Scanner 1: Virus=: W32/[EMAIL PROTECTED]
14:53:00 Scanner #3 detected a virus
14:53:36 Scanner 1: Virus=: W32/[EMAIL PROTECTED]
14:53:38 Scanner #3 detected a virus
===