My machine makes connections to sites without my control. Please help!!!
Posts: 150
Actually I am on vacation and I am using a PCMCIA Novatel dual GPRS/UMTS card to connect to the Internet. I am using Mepis 6 beta2.
As I am paying for the data traffic I am particularly interested in keeping the data received and sent to a minimum. However I can observe that my machine starts connections to different sites without me giving any order to connect:
Until now my machine has connected to:
186.196.225
217.173.238.34 (http://www.clamav.net/)
193.1.193.64
193.218.105
213.9.78.42
212.7.0.71 (ClamAV Sponsor site)
62.26.160.3 (ClamAV Sponsor site)
All connections start "heavy" traffic, always on port 80. In a few minutes my "bytes in" counter in "kppp Statistics" reaches 1.000.000 bytes, which means money out of my bank account without my control.
One of the uncontrolled sites is the official international mirror of ClamAV, another is an Ubuntu site. My setting for ClamAV is not to download anything automatically.
I do not like that my machine lives its own life. I want to know when and why it generates data traffic on the Internet.
Can anybody please explain what's going on and why my machine connects to these sites?
I am using netstat to see where my machine connects. Any recommendation for programs which show me all Internet traffic "live" and that give me the possibility to interrupt the connection?
Thanks for your time!
Thanks for pointing that out
Posts: 1109
Thanks for pointing that out (connections to sites when you turned off updates).
I uninstalled ClamAV and KlamAV.
Jim C.
Turning off (and on) clamav
Posts: 150
It's not required for normal day to day running. My main use for it is to test the occasional download. I start clamav, update it if it hasn't been done for a month or so, test the file or files, stop it and carry on.
Mike P
How do you start and stop clamav?
Uninstalling antivirus
Posts: 150
Thanks for pointing that out (connections to sites when you turned off updates). I uninstalled ClamAV and KlamAV.
Jim C.
Did you install another antivirus? Any recommendation of an alternative to ClamAV and KlamAV?

Jim,Do you mind my
Posts: 1634
Jim,
Do you mind my refreshing my memory as to what you've been using Clam/Klam-AV for?
Not from me
Posts: 1109
kamikaze:
I don't know much about Linux, and I couldn't get it to work right anyway. So, your post gave me a good reason to get rid of it (I just used Synaptic to completely remove KlamAV and ClamAV earlier this morning).
See my posts about it not working in this thread (at least I couldn't get it to work).
http://www.mepis.org/node/9890
So, I can't offer any solutions. Perhaps someone else can comment on alternatives.
Jim C.
EnigmaOne: I think it's a
Posts: 1109
EnigmaOne:
I think it's a darn good idea to have one, if for no other reason than to prevent sending a file to someone else that may contain a virus, even if Linux isn't impacted by it (and I'm not so sure I buy that either, since I log in as root pretty often).
Jim C.

RE: I think it's a...
Posts: 1634
I think it's a darn good idea to have one, if for no other reason than to prevent sending a file to someone else that may contain a virus,...
Predicated upon the susceptibility of windoze or Mac systems to various exploits, I'm in general agreement with you on that one. Provided, of course, that the "foreign OS host" in question happens to be in my own infrastructure; then, the responsibility lies with me to control the spread of such things.
If the machine is a customer machine, and they cannot afford something like NAV (the profoundly Low-SES are pretty common in my neck of the woods), I generally install the win-port of Clam for them: http://prdownloads.sourceforge.net/clamwin/clamwin-0.88.4-setup.exe?download . If they aren't hurting for cash, I generally elect to have the customer bear the cost of their OS choice. As a result, my Linux conversion rate is higher than most, and on the up-swing.
...even if Linux isn't impacted by it (and I'm not so sure I buy that either,...
I think you can be a bit more relaxed about the issue; simply because Linux is a highly diverse OS ecosystem and a fast-moving target. I'm certain that, as things settle-down in the future and, as we see a higher up-take by people with overly-lax security habits, the situation will change somewhat.
...since I log in as root pretty often).
::: grinning :::
You wouldn't have mentioned that, if you didn't know that it's not the best of practices. Since I'm not your mother, I'll refrain from shaking my finger and clucking my tongue over it.
I'll go nag my kids, instead. They simply love such displays of affection. 
~~~~~~~~~~~~~~~~~~~~
[ HUGE ASIDE ]
I'm becoming increasingly convinced that it will soon be necessary to adopt an AARL-like philosophy of licensing individuals and organizations; to permit them to connect to the Internet.
IMHO, The ICDL really doesn't go far enough.
[ /HUGE ASIDE ]
Again, I don't know much
Posts: 1109
Again, I don't know much about Linux.
But, I don't see why it would be so hard to write malware.
Even if it's not impacting the system and only impacting what I've got access to as a user, that could be a lot of stuff.
Heck, it appears to be easy enough to break systems by accident.
Look through the Ubuntu forums for what just happened to xorg (and a warning not to upgrade was even posted here at mepis.org).
http://www.mepis.org/node/10934
Heck, when I was digging around on another forum this morning, I found out that it was not just Ubuntu. It was a mistake that impacted some the other Debian based distros (but, Ubuntu is the one that you see making the headlines).
http://lists.debian.org/debian-devel/2006/08/msg01007.html
I don't think anyone even bothered to test the thing to make sure it worked (speculation, but that's the way it looks to me on the surface).
I think it's more likely that the distro maintainers just assumed that it worked, and passed it on to their repositories with different naming/numbering schemes.
Again, I don't even know the process for this type of thing. But, it looks pretty darn vulnerable from the outside looking in.
That's terrific security if a disgruntled individual with enough authority involved in the project decided to create havoc. It could be something that decides to wipe all of your data disguised as a simple file driver update that a typical user would feel comfortable installing as root.
Remind me not to update anything without a reason. As the old saying goes, "if it ain't broke, don't try to fix it".
Forgive me for being paranoid. But, I still think Linux users have a false sense of security.
So, when I see a user posting info on sites being connected to without permission in a thread like this one, alarm bells ring with me.
Just how much do you trust Canonical and its employees and volunteers, and everyone involved in developing and deploying software for the packages in the distro?
What would be a better way to disguise malware compared to making it part of a system update?
I trust them just as much as I trust Microsoft. But, since I don't have the time and expertise to write my own operating system, I'll have to take my chances with Linux, since most people seem to think it's more secure (at least from typical vulnerabilities that impact Windows users).
Jim C.
RE: Again, I don't know much
Posts: 519
Jim,
You are using WindowsThink again. Linux is NOT Windows.
http://linuxmafia.com/~rick/faq/index.php?page=virus
Also, you do not appear to understand the Open Source development model. Contributors do not contribute binaries to Ubuntu, or other FOSS projects. They offer SOURCE CODE. Before it is accepted certain conditions must be met. I won't go into the details here, but suffice it to say that it would be easier for a cracker to break into the Ubuntu file server and plant an evil deb package than it would be for a disgruntled coder to get bad code accepted into a project without vetting and testing.
--
GreyGeek

Rats. I started-out just
Posts: 1634
Rats. I started-out just answering quickly a couple of points, but the wife and kids are asleep and I'm feeling chatty. Lucky you.
I don't see why it would be so hard to write malware.
Writing malware is easy. Getting it to run with sufficient rights to fully compromise a correctly configured Linux system? That's a much taller order. The layers between kernel space and userland are pretty tough to traverse without authorization.
Then you have the fact that Linux-based systems can vary widely from one another, in terms of the binaries they run, the libraries available on the system, the filesystem structure...it goes on and on... It is a very diverse ecosystem that pretty much guarantees that you will not be able to craft an exploit that is going to do very much damage on a significant number of machines.
Apache has been driving web traffic at more than a 2:1 ratio, as compared to IIS. Using microsoft-logic, they should be getting hammered twice as much as IIS is, but that's not the case. I doubt that there's a truly safe IIS system out there, and they take it in the shorts at something like (IIRC...it's been a while since I've consulted the stats) 5 times the rate of even compromise attempts on Apache-based servers.
Even if it's not impacting the system and only impacting what I've got access to as a user, that could be a lot of stuff.
Yes, as a user, you can hose a lot of files in your home directory, and that can be darned inconvenient if it happens.
I've done as much myself...plenty of times; which teaches you the value of moving things into directories on the root of the filesystem, for which root only has write access, and archiving things like your digital photos, mail directories, and important documents (dissertations, etc.) in those locations. This is trivially automated with cron jobs.
I refuse to install programs as a user. Proggies get installed system-wide--as root and disconnected from the local net & I'net.
A mistake as a user (correctly configured, that is), is an "Oh Crud Puppy!" situation.
A mistake as root? It's usually a disaster.
Heck, it appears to be easy enough to break systems by accident.
Completely break, as a user? Probably not.
As root? Well, that's what test systems are for, before you roll-out things, like the newest x, onto production machines.
Look through the Ubuntu forums for what just happened to xorg (and a warning not to upgrade was even posted here at mepis.org). http://www.mepis.org/node/10934
Heck, when I was digging around on another forum this morning, I found out that it was not just Ubuntu. It was a mistake that impacted some the other Debian based distros (but, Ubuntu is the one that you see making the headlines).
::: shrug ::: Yeah. It wasn't the most expected thing in the world, but stuff like that happens. Heck...I've seen more msft machines hosed by update oopsies than I've ever seen in the Unix/Linux world.
Ca-Ca occurs.
I don't think anyone even bothered to test the thing to make sure it worked (speculation, but that's the way it looks to me on the surface). I think it's more likely that the distro maintainers just assumed that it worked, and passed it on to their repositories with different naming/numbering schemes.
Again, I don't even know the process for this type of thing. But, it looks pretty darn vulnerable from the outside looking in.
That's terrific security if a disgruntled individual with enough authority involved in the project decided to create havoc. It could be something that decides to wipe all of your data disguised as a simple file driver update that a typical user would feel comfortable installing as root.
Try as I might, I can't think of a single time that's happened; although it is not impossible. Were something like that to actually take place, it would probably spell professional death for the individual involved.
Most folks involved in these projects are possessed of reasonably healthy self-concepts, and social taboos. I'd wager that it never occurred to most involved. It's not like they're script kiddies, y'know. Most F/L-OSS folks have a pretty good handle on things like ethics, if they aren't outright rabid about it.
Remind me not to update anything without a reason. As the old saying goes, "if it ain't broke, don't try to fix it".
A reasonably good practice; which I indulge in myself.
Forgive me for being paranoid. But, I still think Linux users have a false sense of security.
Coming from the windoze world, paranoia is natural. Hell, it's a healthy survival mechanism.
Moving to Linux is a major paradigm-shift. You'll get used to it.
So, when I see a user posting info on sites being connected to without permission in a thread like this one, alarm bells ring with me.
Of course you do. You're probably used to hearing of, or seeing personally, windoze machines which are trojaned fifteen ways to Hell and back--some of the back doors are in place at msfts own instigation (I can't count the number of times I've seen flakey win-boxen phoning home to Bill and Stevie). And the subsequent spin of, "Oops! We didn't mean to do that...you can trust us!" never passed muster with me. Gates is too paranoid about somebody pirating his precious, stolen technology; and too enamored with unrestrained data mining the entire globe.
With that said, let's look at the flip-side of the coin for a moment. Who really freaks out when NAV, McAfee AV or Ad-Aware downloads new defs from the online database? Defs need to be freshened up occasionally, and why shouldn't an Open Source AV scanner do the same?
If it didn't--I can hear it now--the indictment would then be that they aren't up to date; and are, therefore, of inferior quality.
Just how much do you trust Canonical and its employees and volunteers, and everyone involved in developing and deploying software for the packages in the distro?
(Option #1.) Shuttleworth seems to be of good reputation, and has a lot on the ball. He has the usual checks-n-balances in place, including source review. It usually works pretty well.
(Option #2.) Bill Gates has committed perjury multiple times; has lied to his own customers pretty much non-stop; stolen or bullied good projects away from their rightful owners; over-charged for crappy quality product; relies on some of the most transparently vile marketing tactics to keep sales up; and is the head of a multiply-convicted criminal monopoly corporation.
Why don't you pick who, out of the two options above, I trust more?
I really don't have a low degree of trust for them (Canonical, et al), because they've given me (so far) no reason to distrust them. This is, of course, no indicator of my being stupid, either. I keep tabs on what all of my systems are doing on an ongoing, real-time basis. In over 10 years of using Linux, I've yet to see something that gives me genuine pause.
What would be a better way to disguise malware compared to making it part of a system update?
If you could slide it by the checks and balances in place, yeah...you'd make a splash...and probably be hunted by goth-like-pale, near-sighted, Dorito and Twinkie chomping coders for the rest of your very short, miserable life. Read Simon Travaglia's material; which some of us take quite to heart--anything is fair game when the other guy is dead-wrong.
Then again, there was that supposed RedHat update (LOL...I just know that GreyGeek remembers this one!) that the msft sycophants in the press made way too much ado.
It was, IIRC, emailed to some folks [yes, I got one too, but deleted it after trying to wade through the bloken Engrish], instructing them to compile the attached (or maybe you had to download it from a dotted-decimal addy) source code, as root, and 'make install' it.
Gee! Must be pretty important to bypass the up2date channels, huh?
We laughed our butts-off over it.
Some half-fast tech reporters damaged their already borderline reputations over it.
And it went absolutely nowhere.
I still have yet to hear of somebody who actually fell for it, and we're talking quite a few years-back, now.
I trust them just as much as I trust Microsoft. But, since I don't have the time and expertise to write my own operating system, I'll have to take my chances with Linux, since most people seem to think it's more secure (at least from typical vulnerabilities that impact Windows users).
I do not believe that you've made an unwise choice at all. I simply think that you'll become a bit more accustomed to the paradigm, and will find that trust either comes easier, or has been duly earned.
In my book, microsoft has spent more than two decades proving themselves profoundly untrustworthy. I even beta tested for them, back in the 80's, and they taught me that they are the most untrustworthy bunch of money-grubbers this planet has ever seen. "Quality" is nothing but ad copy for them; and "innovation" is merely a synonym for "theft."
OSS has proven themselves, time and time again, worth my circumspect trust.
Hey!!! You hijacked my thread!
Posts: 150
I changed to Linux because I was sick of my machine connecting to Bill (or anywhere else) without my knowledge.
I changed to Linux because I felt comfortable with the feeling of fully controlling my network traffic.
This feeling is blown away now. My machine starts connections to sites without my control. The traffic is "heavy". The only way to stop the traffic is to disconnect my Internet connection.
Even if I disconnect, the connection appears as established in netstat and the only way to make it disappear is to restart my machine. After restarting, my machine works OK for a while (may vary from 5 min to 30 min), but in the end the "heavy" traffic always starts up again.
I am not particularly interested in the MS-Linux war. I just want a machine which I feel comfortable with and which lets me have the control.
I need to know the following:
Is this normal behavior?
Why does my machine do this?
Why doesn't any program advise me before it starts a connection?
How can I stop the behavior?
Can anybody recommend a program for monitoring my network traffic in real time? If the program could translate TCP to HTTP it would be great.
Please give me my thread back 
Sorry about that
Posts: 1109
EnigmaOne:
I guess I'll need to try and better understand some of the processes involved before I'll begin to trust it more. But, responses like you just made help.
Thanks for feeling chatty.
kamikaze:
Sorry about that. I thought the discussion was very relevant (i.e., if Linux is so secure, why are you seeing this kind of behavior).
I don't know if it's normal (I'm a Linux novice). Given that the sites appear to be related to the virus scanner or Ubuntu from what you mentioned you found out about the IP Addresses, I'd say that it's "probably" normal and it's only a bug that is ignoring that you turned off updates (or you missed a step turning off the updates).
I've already removed both ClamAV and KlamAV from my system because I was more suspicious of the virus scanner than concerned about viruses after seeing your post.
But, if memory serves, there was more than one place to turn off updates -- one for the GUI front end and one for the actual virus engine. So, perhaps you missed one of them?
A common trick that gets a lot of Windows users is software masquerading as antispyware/antivirus software that is really spyware. But, as EnigmaOne pointed out, these are source based applications, and it should be difficult to pass off anything like that without a lot of people noticing quickly. This is apparently a respected virus scanner, too.
I'm probably not helping you feel comfortable with Linux, since I've got my doubts about why I'm seeing what appears to be more network traffic than normal, too (I am a suspicious person, probably because I've seen this type of behavior so often with Windows).
I was just trying to figure out how to configure the firewall after seeing your post, since I'm used to ZoneAlarm letting me know when an application is trying to connect from Windows, so I can make a decision on whether or not to let it.
The connection to an Ubuntu site could just be checking for any relevant updates, since it will show you if updates are available in the panel (it appears to check the repositories automatically), and it would have to update the package lists to find out if updates are needed (which means downloading all of the new package lists each time). So, the traffic could probably look suspicious.
One of the things I've noticed lately is a lot of flickering LEDs on my router, even when my PCs were totally idle, with Linux loaded versus Windows. I remember thinking that this behavior was *very* suspicious, even before I saw your post (since I did not notice this behavior with Windows loaded).
I've updated a lot of packages via Automatix, and I still think that there is a possibility of something "phoning home" information. To be frank, I don't trust my installation (to the point of booting into a different distro via a Live CD versus continuing to run under SimplyMEPIS).
Is that suspicion without merit? I hope so. Perhaps others can shed some light on what you're seeing to help both of us feel more comfortable (or give us reason to be more concerned).
I was going to go into why I'm suspicious in more detail, since EnigmaOne seems to be a pretty knowledgeable person and could let us know why my suspicions may or may not be valid, and unlike some forum members, appears to try and see things from my point of view, trying to share knowledge on why Linux is different enough to limit more common vulnerabilities.
But, since you consider this to be hijacking your thread, I'll shut up now. If I decide to take the time to try and figure out how to setup a sniffer on a separate box to try and see what the traffic I'm seeing is (unlikely, but I have been thinking about), I'll update the thread.
Good Luck.
Jim C.
RE: Please give me my thread back
Posts: 519
Kamikaze,
Sorry about the side track...
You are already using netstat. Are you using
netstat -p or netstat -l -p
?
They will give you the list of ports that are connected and to whom they are connected, along with IP addresses and the names of the programs on your box that are running the connection.
Once you have made a list of those programs run the system monitor and see if they are running as services. If they are, stop them by deleting them from the list of running processes by selecting them and using the "Kill" button. If you can kill them they are running with your rights. If you can't kill them they have root privilege and you'll have to run the system monitor as root (kdesu ksysmonitor) and then kill them. Use "netstat -l -p" to verify that they have been disconnected.
Now you find out where they get loaded and make changes to the appropriate config files to eliminate them from restarting the next time you boot. If they are running with your rights they are probably loaded in /home/youracct/.bashrc. If they are running as root they are probably loaded in /etc/profile or whatever file profile sources. If they restart themselves automatically after you kill them then they are probably spawned in /etc/inittab. Edit it as root (kdesu kwrite /etc/inittab) and remove the offending lines, then reboot.
--
GreyGeek
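As an added example (not code from the thread): the step above, "make a list of those programs", done on the output of `netstat -p --inet --numeric-hosts`. The netstat output below is constructed (the remote IPs are the ones kamikaze listed; the local address, PIDs and owning programs such as freshclam and apt-notify are assumed), and on a live system the PID/Program name column is only filled in for every socket when netstat runs as root.

```shell
# Constructed sample of `netstat -p --inet --numeric-hosts` output (net-tools
# column layout). Remote IPs are from the thread; PIDs and program names are
# assumed for the example.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:34412          217.173.238.34:80       ESTABLISHED 2311/freshclam
tcp        0      0 10.0.0.5:34418          212.7.0.71:80           ESTABLISHED 2311/freshclam
tcp        0      0 10.0.0.5:41020          193.1.193.64:80         ESTABLISHED 1937/apt-notify
tcp        0      0 10.0.0.5:41044          213.9.78.42:80          TIME_WAIT   -'

# connection_owners: read netstat -p output on stdin and print one line per
# ESTABLISHED connection: "<remote ip> <remote port> <pid>/<program>".
# A "-" in the last column means netstat could not see the owner (not root,
# or the socket no longer belongs to a live process).
connection_owners() {
    awk 'NR > 2 && $6 == "ESTABLISHED" {
            n = split($5, a, ":")      # foreign address is ip:port
            print a[1], a[n], $7
         }'
}

# owner_of <remote ip>: name the local program holding a connection to that
# host, or print nothing if none is established. Reads SAMPLE_NETSTAT; on a
# real box pipe `netstat -p --inet --numeric-hosts` in instead.
owner_of() {
    printf '%s\n' "$SAMPLE_NETSTAT" | connection_owners |
        awk -v ip="$1" '$1 == ip { split($3, p, "/"); print p[2]; exit }'
}

# List every established connection with its owning process.
printf '%s\n' "$SAMPLE_NETSTAT" | connection_owners
```

Once the program name is known (here freshclam for both ClamAV mirrors), the rest of GreyGeek's procedure (kill it, then find where it is started) applies to that name.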

One More Thing
Posts: 5513
One more thing kamikaze: Are you seeing this "unknown activity" 1) shortly after you start your system, 2) shortly after you log in as you, or 3) shortly after you start your browser?
Also, (I haven't gone back through the thread) are you on dial-up?
If the activity is happening in 1) then there are lots of different scripts that are started/stopped based on your "run level". You will find "links" to them in /etc/rc*.d directories, but don't confuse yourself by looking there yet. The real applications are located in /etc/init.d. But first, use GreyGeek's advice to find the names of the applications. With that information we can show you how to temporarily/permanently stop the applications from running.
If the activity is happening in 2) then it is either tied in with your /home/youraccount/bashrc and/or /home/.kde/autostart directory. Again, find the names of the things and let us know.
If the activity is happening in 3) then Idunno 
Oh, one other tool you can run to see what's eating all the time is to simply run "top" in a konsole. It will show you the top memory and disk users. You can quit out by entering "q". One particular hog is "find" if you are hooked up to multiple network-enabled partitions like in a Windows network. I just recently found this devil on some servers that hook up to a multi-terabyte Windows network. The poor thing was trying to index too-much-good-stuff and it was taking hours! Since I didn't care about any-o-that-stuff, I was able to make some entries in /etc/updatedb.conf to stop that nonsense. I don't suspect this is your problem 
And yes, if you are on dial-up, I am sympathetic. I have a friend, who posts on this forum too, that is on dial-up. It definitely is a pain when all your "precious fluids" are drained by updates. Kinda like being on AOL huh? 
Oh, and sorry for "redirecting" your thread. My, we do seem to be a chatty group lately don't we!
Jon

The hijack was entirely my
Posts: 1634
The hijack was entirely my fault, for which I apologize.
Kamikaze,
I do not have ClamAV installed on this particular machine, and show none of the connections that you have mentioned.
Of the IPs you listed:
62.26.160.3 (ClamAV virus database mirror)
193.1.193.64 (HEAnet's primary mirror server hosting archive.ubuntu.com/ - probably apt-notify)
212.7.0.71 (ClamAV virus database mirror)
and
217.173.238.34 (http://www.clamav.net/)
are trivially explained by the ClamAV (freshclam) and apt-notify applications.
See: http://www.clamav.net/doc/latest/clamdoc.pdf
As to the other two network numbers:
186.196.225 OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US
NetRange: 186.0.0.0 - 186.255.255.255
CIDR: 186.0.0.0/8
NetName: NET186
NetHandle: NET-186-0-0-0-0
Parent:
NetType: IANA Reserved
193.218.105 inetnum: 193.218.105.0 - 193.218.105.255
netname: FR-ISDNAP
descr: Network Aggregate PEOCH
country: FR
admin-c: AM6904-RIPE
tech-c: AM6904-RIPE
status: ASSIGNED PI
No explanation for you. They *may* relate to your ISP connectivity.
Then there's the matter of:
213.9.78.42 inetnum: 213.9.75.0 - 213.9.78.255
netname: ELKHOUSE-NET
descr: Elkhouse GmbH
descr: Friedrich-Ebert-Strase 134
descr: D-47229 Duisburg
country: DE
admin-c: MN1206-RIPE
tech-c: MN1206-RIPE
status: ASSIGNED PA
Give it a try: http://213.9.78.42/ = http://www.iwasno.net/
They appear to be at least a ClamAV affiliate. Sorry. German isn't among my non-primary language set.
[added:] You may also be seeing exchanges related to mozilla and thunderbird checking for updates. Opera does this as well; so I'm fairly certain that there are other programs in that venue.

Re: IANA
Posts: 5513
Hey all,
Kamikaze is your ISP one of the Time-Warner groups? I have no idea what ISPs might exist up in Marina Del Rey area. The 186.196.225 is an incomplete number so I don't know if that's part of the IP assigned to your company or you or... but my guess is that it's "your" ISP. Do you have a hardware router? If so, check to see what IP address has been assigned to you on the WAN side. You can also "cat /etc/resolv.conf" to show what your name resolution addresses are. If they are also in the 186.196... subnet then they are being provided by your ISP (probably).
Jon
To Jim:
Posts: 150
To Jim:
Sorry to offend you! My "hijack" complaint was meant as a joke. (A very useful one; I received a lot of answers... thanks to everyone for that!) I find your considerations very interesting. I myself am also kind of paranoid.... You are of course welcome to keep on in the thread. And please do not shut up...shut out!
To GreyGeek:
Posts: 150
To GreyGeek:
I am using
netstat -p -e --inet --numeric-hosts
Thanks a lot for your recommendations. I will try as soon as the traffic appears again. Yesterday I just let (accidentally of course) the traffic end by itself after downloading more than 6.000.000 bytes. Looks like, whatever it was, it is satisfied for the moment.
To Jon:
Posts: 150
To Jon:
I have not been able to see any system in the behavior of my machine. Sometimes it connects right away, sometimes it takes 15 min before it starts. And now at the end, as you can see in my last post, it does not start at all. The connections start even if I do not start my browser, my email or whatsoever. It just starts when it decides to start and I do not like that!
Yes I am on dial-up. I started the thread with this:
"Actually I am on vacation and I am using a PCMCIA Novatel dual GPRS/UMTS card to connect to the Internet. I am using Mepis 6 beta2.
As I am paying for the data traffic I am particularly interested in keeping the data received and sent to a minimum. However I can observe that my machine starts connections to different sites without me giving any order to connect:"
Even if I cannot give you the name of the application, please show me how to temporarily/permanently stop applications from running. And to start them again... I can see in my /etc/init.d that there is a file called "clamav-freshclam". It is the "ClamAV virus database updater" so I suppose I am close to my problem.
My ISP is not one of the Time-Warner groups. One thing that made me mad was that trying to connect to xxxx the sites just say: You are not supposed to see this site.....If not... why the heck do "they" connect me to these sites? "The site is supposed to not see my computer.....
To EnigmaOne:
Posts: 150
To EnigmaOne:
No need to apologize! I was just afraid that my silly little questions were about to disappear in the middle of so much knowledge....Thanks a lot for helping. Aah, finally: can anybody tell me how to make sure that ClamAV and KlamAV stay quiet without uninstalling them? I would need to know how to start them up again too.....

P2P Apps?
Posts: 5513
Hi Kamikaze. Hmm, the only other thing I can suggest might be some sort of peer-to-peer application running/trying-to-run.
Check your guarddog firewall first and disallow the various p2ps that might be running. To do so:
Start guarddog and give root's password
Click on the Protocol tab
Check, one-at-a-time, the Internet and Local "Defined Network Zones"
On the right, click on the File Transfer Network Protocol. You will find a number of file sharing tools. If any of them are checked that you don't want then click on them till the box is CLEAR (not "x"; clear makes you invisible, whereas "x" allows outsiders to "see" that you are actively blocking).
If you make any changes, be sure to click the Apply button before moving on. Answer "Yes" to allow the changes.
If you find anything "interesting" that you don't want to run ever, you can then check through Synaptic, via the search capabilities, and "remove" the applications.
Let us know what you find and if you have any more questions. If you need help in disabling or removing the applications let us know 
Jon
The guilty one is ....freshclam
Posts: 150
Freshclam is the process which starts the connections. The process does not start on boot but it starts whenever it feels like it. How could I stop the Freshclam bitch without taking away the antivirus function? What would uninstalling the freshclam package imply? My configuration in KlamAV states no automatic download but it seems that Freshclam pays no attention to that. Any clues?
Thanks

freshclam
Posts: 4864
freshclam refreshes the clamav database.
looks like the default action is twelve checks per day.
How do I change that to 0?
Posts: 150
How do I change that to 0? And how do I update manually? I suppose freshclam is a daemon? How do I stop that from starting?
Thanks for helping
I had the same problem
Posts: 88
Hello kamikaze,
What a delightful vacation you must be having, what with all this distraction. I hope you are finding some time for walking on the beach, or whatever suits your fancy. 
I am a new user, too, and experienced the same grinding halt to my internet connection. I set clam to update manually but that didn't help. I dedicated time to do that but the upgrade failed. I uninstalled it.
I also removed the apt-notify from my task bar. I know I should be doing upgrades but am holding out until I am able to obtain the extra CDs. There is plenty to keep me busy while I learn this new OS.
By the way, that one problem is the only unpleasant experience I have had while running SimplyMepis. I think this is the most 'polished' distro available.
Anyway, back on topic, once I removed the AV and stopped the synaptic activity I have had no internet slowdowns.
Regards,
Handyman's Special
link to thread that I had on this subject
Posts: 88
Hello Kamikaze,
I searched for the URL of the thread I had on this subject (different 'subject' however). http://www.mepis.org/node/10855
The replies in here helped me get things under control. Hope you can find something there to help you, also.
regards,
HS
Also kill Apt Notify
Posts: 316
kamikaze,
This is a long thread and I am not sure if you were told in it to stop Apt Notify. This applet connects to repositories automatically and frequently and consumes a lot of bandwidth for a dial-up connection.
Right-click in the panel, choose Remove From Panel/Applet/Apt Notify.
Controlling the ClamAV ¿How?
Posts: 150
Ok, I now know that Freshclam starts updating each hour. I can see that from the logfile "freshclam.log" found in /var/log/clamav
I have also discovered that there is a cron job which actually schedules the updates each hour. You can find this in /etc/cron.d/
My file looks like:
44 */1 * * * clamav [ -x /usr/bin/freshclam ] && /usr/bin/freshclam >/dev/null
which I think means that freshclam (the updating process) should start each hour at the minute 44.
This corresponds nicely to my logfiles.
I want to change this setting to never update automatically. Or to make freshclam update each year on 1/1 at 00:01 (Hopefully I am not using my dialup......)
Could anyone explain how to change this cron job? Could I just change the text file in cron.d, or do I need to do something after making changes in the "clamav-freshclam" file in /etc/cron.d/?
Then I have the following question: In KlamAV I have stated that I do not want any automatic updates. It looks like the cron job overrides this setting. ¿Why?
I still have more doubts about Clamav: the freshclam update is always much, much, much bigger than the manual update you can make from the links in:
http://wiki.clamav.net/index.php/FrequentlyAskedQuestion
The strange behavior of Clamav makes me think that they are not just using my bandwidth for updating the virus base. Any comments?

A Question for Your Question
Posts: 5513
kamikaze, I have a question for your question. If you only want clamav or any other application to run only once-a-year, then why have it in a cron job anyway? At that (lack-of) frequency it would almost make more sense (to me) to put a reminder in a personal scheduler and do it when you have the convenient time.
But if you want to have it scheduled a little differently I have one (partial) suggestion. Do you have "anacron" loaded on your system? Cron is a tool that is intended to run different jobs at specific dates and times. Anacron is a little different. It is intended to run different jobs regularly, at least once, at specific periods. It is useful on computers that are not on all the time, like laptops and personal computers. If you have something that should run "daily" or "weekly" but not necessarily at a specific time, then anacron is extremely useful.
If you look in your /etc directory you will find some other directories called cron.hourly, cron.daily, cron.weekly, and cron.monthly. Once all commands run from the hourly, daily, or whatever directory, they will not run again until the next period.
In each of these directories you will find various scripts, usually with the same name as some system command. You could always create a script in /etc/cron.monthly, a "wrapper" for the clamav update script, that checks to see if the month is "1". If it is, then do the update.
You most likely have anacron running because I think that it is loaded by default in Mepis 3.3 and 6.0. I do not currently have clamav running on my systems so I can't check the script location to give you better guidance on how/where to write the script.
Get back with me on the exact /location/and/name of the file and I'll see what I can do 
Jon
Edit: Oops! Almost forgot. This is a link to a pretty decent tutorial on cron:
Cron Tutorial. Cron, the linux event scheduler-Linux Tutorials, HOWTO's & Reference Material-Linux Forums
http://www.linuxforums.org/forum/linux-tutorials-howtos-reference-material/3877-cron-tutorial-cron-linux-event-scheduler.html
Another Edit:
Kamikaze, I came across the documentation from the guy who wrote the version of cron that is used by most Linux distros. It has some very helpful stuff about running things on particular dates. So it might be better than the link I gave you above.
Newbie: Intro to cron
http://www.tech-geeks.org/contrib/mdrone/cron-howto.html
Please Make Him Stop!
According to another site, there are special strings you can enter in the crontab file, one of which will do what you want:
Crontab : Scheduling Tasks - math-linux.com
http://www.math-linux.com/spip.php?article45
There are also special strings of characters:
String - Action
@reboot - execution at boot
@yearly - execution once a year, "0 0 1 1 *"
@annually - execution once a year, "0 0 1 1 *"
@monthly - execution once a month, "0 0 1 * *"
@weekly - execution once a week, "0 0 * * 0"
@daily - execution once a day, "0 0 * * *"
@midnight - execution once a day, "0 0 * * *"
@hourly - execution once an hour, "0 * * * *"
Ok, I'm done now. Really 
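Tying together kamikaze's cron.d question and Jon's cron.monthly wrapper idea, here is an added example; it is not code from the thread or from the ClamAV project. The script name clamav-yearly and the log file name are assumptions, the freshclam path and the cron.d line it replaces come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the ClamAV project: a cron.monthly
# wrapper in the style Jon suggests. anacron runs it once a month; it only
# calls freshclam when the month is January, which gives the once-a-year
# update kamikaze asked for. Assumed names: the script is saved as
# /etc/cron.monthly/clamav-yearly; the log file name below is hypothetical.

FRESHCLAM=/usr/bin/freshclam                  # path from the cron.d line in the thread
LOGFILE=/var/log/clamav/freshclam-yearly.log  # hypothetical log file

# Return 0 (true) only for January so the monthly job fires once a year.
# Accepts "01" (what `date +%m` prints) as well as a bare "1".
should_run_update() {
    case "$1" in
        01|1) return 0 ;;
        *)    return 1 ;;
    esac
}

# Alternative to the wrapper: print a replacement for the cron.d line
# "44 */1 * * * clamav ..." that fires once a year at MINUTE HOUR on 1 January.
# cron.d files carry a user field (clamav), unlike a user's own crontab, and
# "0 0 1 1 *" is what the @yearly special string expands to.
yearly_cron_line() {
    minute="$1"
    hour="$2"
    printf '%s %s 1 1 * clamav [ -x %s ] && %s >/dev/null\n' \
        "$minute" "$hour" "$FRESHCLAM" "$FRESHCLAM"
}

main() {
    if should_run_update "$(date +%m)"; then
        # Same guard as the original cron.d line: only run if freshclam is installed.
        if [ -x "$FRESHCLAM" ]; then
            echo "$(date) running yearly freshclam update" >> "$LOGFILE"
            "$FRESHCLAM" >> "$LOGFILE" 2>&1
        fi
    fi
}

# Run main only when invoked as the installed script, not when sourced for testing.
case "$0" in
    */clamav-yearly) main ;;
esac
```

Make the script executable and delete or comment out the hourly line in /etc/cron.d/clamav-freshclam, otherwise both will run. cron notices edits to files in /etc/cron.d on its own, so no restart is needed after changing that file.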
try turning clamav off
Posts: 959
It's not required for normal day to day running. My main use for it is to test the occasional download. I start clamav, update it if it hasn't been done for a month or so, test the file or files, stop it and carry on.
Mike P