
Mailing List Archive: ClamAV: users

how to release 16K FPs from quarantine?



lconrad at Go2France

Aug 8, 2012, 6:17 AM

Post #1 of 15
how to release 16K FPs from quarantine?

postfix + clamsmtpd + clam

Received a bad sig from MBL.

stef the clamsmtpd guy says it was clam that quarantined, not his software.

I installed amavisd to try to use amavisd-release, but it's not working.

Is there any clam tool to release from quarantine?

thanks
Len

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


rickm at ummm-beer

Aug 8, 2012, 6:20 AM

Post #2 of 15
Re: how to release 16K FPs from quarantine? [In reply to]

On 08/08/2012 9:17 AM, Len Conrad wrote:
> postfix + clamsmtpd + clam
>
> Received a bad sig from MBL.
>
> stef the clamsmtpd guy says it was clam that quarantined, not his software.
>
> I installed amavisd to try to use amavisd-release, but it's not working.
>
> Is there any clam tool to release from quarantine?
>

Hi,

Clamav does not do any quarantining. Maybe ask on the clamsmtpd mailing
list.

Regards,

Rick




bdm at fenrir

Aug 8, 2012, 6:23 AM

Post #3 of 15
Re: how to release 16K FPs from quarantine? [In reply to]

On Wed, 8 Aug 2012 15:17:03 +0200
"Len Conrad " <lconrad [at] Go2France> wrote:

> Is there any clam tool to release from quarantine?

Surely it was postfix that actually quarantined these messages?

--

Brian Morrison


lconrad at Go2France

Aug 8, 2012, 7:02 AM

Post #4 of 15
Re: how to release 16K FPs from quarantine? [In reply to]

---------- Original Message ----------------------------------
From: Rick Macdougall <rickm [at] ummm-beer>
Reply-To: ClamAV users ML <clamav-users [at] lists>
Date: Wed, 08 Aug 2012 09:20:18 -0400

>On 08/08/2012 9:17 AM, Len Conrad wrote:
>> postfix + clamsmtpd + clam
>>
>> Received a bad sig from MBL.
>>
>> stef the clamsmtpd guy says it was clam that quarantined, not his software.
>>
>> I installed amavisd to try to use amavisd-release, but it's not working.
>>
>> Is there any clam tool to release from quarantine?
>>
>
>Hi,
>
>Clamav does not do any quarantining. Maybe ask on the clamsmtpd mailing
>list.

Stef of clamsmtpd said it would take custom software to release quarantine msgs.

amavisd-release doesn't like it:

#amavisd-release virus.dyFYrx

Invalid quarantine ID: virus.dyFYrx

amavisd-release version 1.51
Usage: $ amavisd-release mail_file [secret_id [alt_recip1 alt_recip2 ...]]
or to read request lines from stdin: $ amavisd-release -

Len



njones at megan

Aug 8, 2012, 7:13 AM

Post #5 of 15
Re: how to release 16K FPs from quarantine? [In reply to]

On 8/8/2012 9:02 AM, Len Conrad wrote:
> ---------- Original Message ----------------------------------
> From: Rick Macdougall <rickm [at] ummm-beer>
> Reply-To: ClamAV users ML <clamav-users [at] lists>
> Date: Wed, 08 Aug 2012 09:20:18 -0400
>
>> On 08/08/2012 9:17 AM, Len Conrad wrote:
>>> postfix + clamsmtpd + clam
>>>
>>> Received a bad sig from MBL.
>>>
>>> stef the clamsmtpd guy says it was clam that quarantined, not his software.
>>>
>>> I installed amavisd to try to use amavisd-release, but it's not working.
>>>
>>> Is there any clam tool to release from quarantine?
>>>
>>
>> Hi,
>>
>> Clamav does not do any quarantining. Maybe ask on the clamsmtpd mailing
>> list.
>
> Stef of clamsmtpd said it would take custom software to release quarantine msgs.
>
> amavis-release doesn't like it:
>
> #amavisd-release virus.dyFYrx
>
> Invalid quarantine ID: virus.dyFYrx
>
> amavisd-release version 1.51
> Usage: $ amavisd-release mail_file [secret_id [alt_recip1 alt_recip2 ...]]
> or to read request lines from stdin: $ amavisd-release -
>
> Len


What software put the mail in quarantine? What's in the mail log?






lconrad at Go2France

Aug 8, 2012, 9:22 AM

Post #6 of 15
Re: how to release 16K FPs from quarantine? [In reply to]

---------- Original Message ----------------------------------
From: Noel Jones <njones [at] megan>
Reply-To: ClamAV users ML <clamav-users [at] lists>
Date: Wed, 08 Aug 2012 09:13:20 -0500

>On 8/8/2012 9:02 AM, Len Conrad wrote:
>> ---------- Original Message ----------------------------------
>> From: Rick Macdougall <rickm [at] ummm-beer>
>> Reply-To: ClamAV users ML <clamav-users [at] lists>
>> Date: Wed, 08 Aug 2012 09:20:18 -0400
>>
>>> On 08/08/2012 9:17 AM, Len Conrad wrote:
>>>> postfix + clamsmtpd + clam
>>>>
>>>> Received a bad sig from MBL.
>>>>
>>>> stef the clamsmtpd guy says it was clam that quarantined, not his software.
>>>>
>>>> I installed amavisd to try to use amavisd-release, but it's not working.
>>>>
>>>> Is there any clam tool to release from quarantine?
>>>>
>>>
>>> Hi,
>>>
>>> Clamav does not do any quarantining. Maybe ask on the clamsmtpd mailing
>>> list.
>>
>> Stef of clamsmtpd said it would take custom software to release quarantine msgs.
>>
>> amavis-release doesn't like it:
>>
>> #amavisd-release virus.dyFYrx
>>
>> Invalid quarantine ID: virus.dyFYrx
>>
>> amavisd-release version 1.51
>> Usage: $ amavisd-release mail_file [secret_id [alt_recip1 alt_recip2 ...]]
>> or to read request lines from stdin: $ amavisd-release -
>>
>> Len
>
>
>What software put the mail in quarantine? What's in the mail log?

Aug 7 08:13:22 mx1.hctc.net/mx1.hctc.net clamd[60202]: /var/virus/clamsmtpd.qIdg8l: MBL_303159.UNOFFICIAL FOUND

Aug 7 08:13:22 mx1.hctc.net/mx1.hctc.net clamsmtpd: 3EA221: from=bounce-tjmhmbzlppwckzzhcljkpcrdpjjmllrjbhsppztjsplchbptzwzv [at] email, to=xxx [at] xxx, status=VIRUS:MBL_303159.UNOFFICIAL

which file the msg is quarantined as is not logged.

the quarantined msgs are stored to

/var/virus/

and the filenames are like:

-rwxrwxrwx 1 vscan vscan 12180 Aug 7 13:58 virus.Ywa18d
-rwxrwxrwx 1 vscan vscan 14021 Aug 7 13:58 virus.6kExcB
-rwxrwxrwx 1 vscan vscan 35554 Aug 7 13:58 virus.bhGcDz
-rwxrwxrwx 1 vscan vscan 18245 Aug 7 13:58 virus.6AGMaP
-rwxrwxrwx 1 vscan vscan 6759 Aug 7 13:58 virus.Ki5mSG
-rwxrwxrwx 1 vscan vscan 9688 Aug 7 13:58 virus.DTOlT1
-rwxrwxrwx 1 vscan vscan 10608 Aug 7 13:58 virus.NoTzGF
-rwxrwxrwx 1 vscan vscan 74853 Aug 7 13:58 virus.IaJbkv
-rwxrwxrwx 1 vscan vscan 2346 Aug 7 13:58 virus.33y2uG
-rwxrwxrwx 1 vscan vscan 10147 Aug 7 13:58 virus.ePW2g2
-rwxrwxrwx 1 vscan vscan 12675 Aug 7 13:58 virus.vXs0k3
-rwxrwxrwx 1 vscan vscan 57334 Aug 7 13:58 virus.bDZwAB
-rwxrwxrwx 1 vscan vscan 9262 Aug 7 13:58 virus.jJGgkI
-rwxrwxrwx 1 vscan vscan 17457 Aug 7 13:58 virus.ad8lZW

in trying to get amavisd-release to work, I changed permissions and owner:group, brutally.

in amavisd-release, there is a file name filtering which rejects:

sub release_file($$$@) {
  my($sock,$mail_file,$secret_id,@alt_recips) = @_;
  my($fn_path,$fn_prefix,$mail_id,$fn_suffix,$part_tag); local($1,$2,$3,$4);
  $part_tag = $1  if $mail_file =~ s/ \[ ( [^\]]* ) \] \z//xs;
  if ($mail_file =~ m{^ ([^/].*/)? ([A-Z0-9][A-Z0-9._-]*[_-])?
                        ([A-Z0-9][A-Z0-9_+-]{10,14}[A-Z0-9]) (\.gz)? \z}xsi) {
    ($fn_path,$fn_prefix,$mail_id,$fn_suffix) = ($1,$2,$3,$4);
  } elsif ($mail_file =~ m{^ ([^/].*/)? () ([A-Za-z0-9$._=+-]+?) (\.gz)?\z}xs) {
    ($fn_path,$fn_prefix,$mail_id,$fn_suffix) = ($1,$2,$3,$4);  # old style
  } else {
    usage("Invalid quarantine ID: $mail_file");
  }

eg:

amavisd-release virus.dyFYrx
Invalid quarantine ID: virus.dyFYrx

Len


cswiger at mac

Aug 8, 2012, 9:49 AM

Post #7 of 15
Re: how to release 16K FPs from quarantine? [In reply to]

On Aug 8, 2012, at 9:22 AM, Len Conrad wrote:
>> What software put the mail in quarantine? What's in the mail log?
>
> Aug 7 08:13:22 mx1.hctc.net/mx1.hctc.net clamd[60202]: /var/virus/clamsmtpd.qIdg8l: MBL_303159.UNOFFICIAL FOUND
>
> Aug 7 08:13:22 mx1.hctc.net/mx1.hctc.net clamsmtpd: 3EA221: from=bounce-tjmhmbzlppwckzzhcljkpcrdpjjmllrjbhsppztjsplchbptzwzv [at] email, to=xxx [at] xxx, status=VIRUS:MBL_303159.UNOFFICIAL
>
> which file the msg is quarantined as is not logged.
[ ... ]
> in trying to get amavisd-release to work, I changed permissions and owner:group, brutally.

If you're using clamsmtpd to quarantine, why would you expect amavisd-release to be involved?

(AFAIK, clamsmtpd doesn't have a way of releasing stuff from quarantine,
which is a major reason why I use amavisd instead of clamsmtpd....)

Regards,
--
-Chuck



njones at megan

Aug 8, 2012, 10:57 AM

Post #8 of 15
Re: how to release 16K FPs from quarantine? [In reply to]

On 8/8/2012 11:22 AM, Len Conrad wrote:

>>
>> What software put the mail in quarantine? What's in the mail log?
>
> Aug 7 08:13:22 mx1.hctc.net/mx1.hctc.net clamd[60202]: /var/virus/clamsmtpd.qIdg8l: MBL_303159.UNOFFICIAL FOUND
>
> Aug 7 08:13:22 mx1.hctc.net/mx1.hctc.net clamsmtpd: 3EA221: from=bounce-tjmhmbzlppwckzzhcljkpcrdpjjmllrjbhsppztjsplchbptzwzv [at] email, to=xxx [at] xxx, status=VIRUS:MBL_303159.UNOFFICIAL
>
> which file the msg is quarantined as is not logged.
>
> the quarantined msgs are stored to
>
> /var/virus/
>
> and the filenames are like:
>
> -rwxrwxrwx 1 vscan vscan 12180 Aug 7 13:58 virus.Ywa18d

OK, so the quarantine file is created by clamsmtp.

>
> in trying to get amavisd-release to work, I changed permissions and owner:group, brutally.
>
> in amavisd-release, there is a file name filtering which rejects:

amavisd-release expects the message to be in the specific quarantine
format used by amavisd-new. I would expect it to fail spectacularly
on "foreign" files.

> Stef of clamsmtpd said it would take custom software to release quarantine msgs.

That sounds grim. I wonder about the purpose of a quarantine that
can't be released. Regardless, since clamsmtp created the
quarantine, it seems that's the place to start looking for a release
mechanism. Surely someone else has encountered this.

As a last-ditch effort, if you put a couple of quarantine files in a
pastebin, *maybe* someone here (or clamsmtp, or postfix-users, since
this is getting OT for this list) can give a hand.



-- Noel Jones


mysqlstudent at gmail

Aug 9, 2012, 9:49 AM

Post #9 of 15
Re: how to release 16K FPs from quarantine? [In reply to]

Hi,

>> and the filenames are like:
>>
>> -rwxrwxrwx 1 vscan vscan 12180 Aug 7 13:58 virus.Ywa18d

I think your solution is to rename the files from virus.Ywa18d to just
Ywa18d. It should be the same as the name used in the X-Quarantine-ID
header in the file itself. Make sure it isn't compressed.

I'm also now noticing there are hundreds or thousands of messages
erroneously quarantined as a result of this rule. It appears to expand
to:

# sigtool --find-sigs MBL_303159 | sigtool --decode-sigs
VIRUS NAME: MBL_303159
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
www.inexglobal.com/downloads

Does anyone know what's going on with this domain? It doesn't look
like a domain thousands of my users would be including in their email
on Aug 7th, so I don't know whether the emails were really spam...

Hope this helps.

Regards,
Alex


steveb_clamav at sanesecurity

Aug 9, 2012, 10:35 AM

Post #10 of 15
Re: how to release 16K FPs from quarantine? [In reply to]

> I'm also now noticing there are hundreds or thousands of messages
> erroneously quarantined as a result of this rule. It appears to expand
> to:
>
> # sigtool --find-sigs MBL_303159 | sigtool --decode-sigs
> Does anyone know what's going on with this domain? It doesn't look
> like a domain thousands of my users would be including in their email
> on Aug 7th, so I don't know whether the emails were really spam...

Hi Alex,

The problem I think was that the sig was bad and it was matching anything
"www.", hence the huge number of FPs....

Cheers,

Steve
Sanesecurity



mysqlstudent at gmail

Aug 9, 2012, 11:07 AM

Post #11 of 15
Re: how to release 16K FPs from quarantine? [In reply to]

Hi,

>> # sigtool --find-sigs MBL_303159 | sigtool --decode-sigs
>> Does anyone know what's going on with this domain? It doesn't look
>> like a domain thousands of my users would be including in their email
>> on Aug 7th, so I don't know whether the emails were really spam...
>
> Hi Alex,
>
> The problem I think was that the sig was bad and it matching anything
> "www." hence the huge number of FP's....

I thought the signatures were fixed? In other words, simple pattern
matching for a fixed string.

I didn't realize it was dynamic and could match an expression, or am I
missing something?

Thanks again,
Alex


hege at hege

Aug 9, 2012, 11:23 AM

Post #12 of 15
Re: how to release 16K FPs from quarantine? [In reply to]

On Thu, Aug 09, 2012 at 02:07:22PM -0400, Alex wrote:
> Hi,
>
> >> # sigtool --find-sigs MBL_303159 | sigtool --decode-sigs
> >> Does anyone know what's going on with this domain? It doesn't look
> >> like a domain thousands of my users would be including in their email
> >> on Aug 7th, so I don't know whether the emails were really spam...
> >
> > Hi Alex,
> >
> > The problem I think was that the sig was bad and it matching anything
> > "www." hence the huge number of FP's....
>
> I thought the signatures were fixed? In other words, simple pattern
> matching for a fixed string.
>
> I didn't realize it was dynamic and could match an expression, or am I
> missing something?

MBL's signature download (http) is unreliable and sometimes gives out
incomplete files. Obviously if the file cuts out in the middle of signature
this can happen.



crap at the-tiddler

Aug 9, 2012, 11:32 AM

Post #13 of 15
Re: how to release 16K FPs from quarantine? [In reply to]

On 9 Aug 2012, at 19:23, Henrik K <hege [at] hege> wrote:

> On Thu, Aug 09, 2012 at 02:07:22PM -0400, Alex wrote:
>> Hi,
>>
>>>> # sigtool --find-sigs MBL_303159 | sigtool --decode-sigs
>>>> Does anyone know what's going on with this domain? It doesn't look
>>>> like a domain thousands of my users would be including in their email
>>>> on Aug 7th, so I don't know whether the emails were really spam...
>>>
>>> Hi Alex,
>>>
>>> The problem I think was that the sig was bad and it matching anything
>>> "www." hence the huge number of FP's....
>>
>> I thought the signatures were fixed? In other words, simple pattern
>> matching for a fixed string.
>>
>> I didn't realize it was dynamic and could match an expression, or am I
>> missing something?
>
> MBL's signature download (http) is unreliable and sometimes gives out
> incomplete files. Obviously if the file cuts out in the middle of signature
> this can happen.
>

Sorry off subject, but...

Really? Surely no engine would allow incomplete signatures to load and be used?



hege at hege

Aug 9, 2012, 10:08 PM

Post #14 of 15
Re: how to release 16K FPs from quarantine? [In reply to]

On Thu, Aug 09, 2012 at 07:32:32PM +0100, Anthony Dickinson wrote:
>
> Sorry off subject, but...
>
> Really? Surely no engine would allow incomplete signatures to load and be used?

Well yes you should not make any assumptions. Clamav doesn't care if there
isn't any newline at the end of the file, it doesn't even seem to complain
if the signature hex isn't complete (even number of characters).



hege at hege

Aug 9, 2012, 10:13 PM

Post #15 of 15
Re: how to release 16K FPs from quarantine? [In reply to]

On Fri, Aug 10, 2012 at 08:08:48AM +0300, Henrik K wrote:
> On Thu, Aug 09, 2012 at 07:32:32PM +0100, Anthony Dickinson wrote:
> >
> > Sorry off subject, but...
> >
> > Really? Surely no engine would allow incomplete signatures to load and be used?
>
> Well yes you should not make any assumptions. Clamav doesn't care if there
> isn't any newline at the end of the file

> it doesn't even seem to complain if the signature hex isn't complete (even
> number of characters).

Sorry it's morning, it does complain..

Anyways the facts remain, MBL can send incomplete files because the http
server does not report Content-Length (they don't seem to serve static files
which is just stupid). Also their signature backend could have any number
of problems if they can't even get that right. I've been personally
filtering out any signatures less than 7 chars for a long time.
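As an added illustration (not code from this thread, from ClamAV or from any signature vendor), here is a Python pre-load check that applies Henrik's advice to a third-party .ndb database (ClamAV's Name:TargetType:Offset:HexSignature format): it flags a file with no trailing newline, a signature cut mid-byte (odd hex-digit count), and any signature whose literal bytes fall under his 7-character cutoff. The sample database is constructed; MBL_TRUNC1 and MBL_TRUNC2 are hypothetical names, and the first entry is the intact signature decoded earlier in the thread.

```python
import re

# Cutoff from the thread: signatures shorter than 7 characters are dropped.
MIN_LITERAL_BYTES = 7

# ClamAV hex-signature wildcards (*, ??, {n-m}, [n-m], (aa|bb)) are removed
# before counting; dropping (aa|bb) undercounts, which only makes the check stricter.
_WILDCARD = re.compile(r"\{[^}]*\}|\[[^\]]*\]|\([^)]*\)|\*|\?\?")


def literal_hex(hexsig):
    """Return only the literal hex nibbles of a ClamAV hex signature."""
    return _WILDCARD.sub("", hexsig)


def decode_literal(hexsig):
    """Decode the literal bytes for display (a dangling odd nibble is dropped)."""
    lit = literal_hex(hexsig)
    return bytes.fromhex(lit[: len(lit) // 2 * 2]).decode("latin-1")


def check_ndb(text):
    """Return [(line_number, message)] for an .ndb database; None = file-level
    problem; an empty list means every signature passed."""
    problems = []
    if text and not text.endswith("\n"):
        problems.append((None, "no trailing newline: download may be truncated"))
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")  # Name:TargetType:Offset:HexSig[:MinFL[:MaxFL]]
        if len(fields) < 4:
            problems.append((n, "fewer than 4 fields"))
            continue
        name, hexsig = fields[0], fields[3]
        lit = literal_hex(hexsig)
        if not re.fullmatch(r"[0-9A-Fa-f]*", lit):
            problems.append((n, f"{name}: non-hex characters in signature"))
            continue
        if len(lit) % 2:
            problems.append((n, f"{name}: odd number of hex digits (cut mid-byte)"))
        nbytes = len(lit) // 2
        if nbytes < MIN_LITERAL_BYTES:
            problems.append((n, f"{name}: only {nbytes} literal bytes "
                                f"({decode_literal(hexsig)!r}); too generic to load"))
    return problems


# Constructed sample: the intact signature from the thread, one cut after
# "www." (the FP storm), one cut mid-byte with no trailing newline.
SAMPLE_NDB = (
    "MBL_303159:0:*:7777772e696e6578676c6f62616c2e636f6d2f646f776e6c6f616473\n"
    "MBL_TRUNC1:0:*:7777772e\n"
    "MBL_TRUNC2:0:*:7777772"
)

if __name__ == "__main__":
    for lineno, msg in check_ndb(SAMPLE_NDB):
        print(f"line {lineno}: {msg}")
```

Run it against a freshly downloaded database before copying it into the ClamAV database directory, and keep the previous copy if it reports anything.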
