RE: [Clamav-users] RFC: squidclam

2005-01-13 Thread Mitch (WebCob)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Lord
Sent: January 13, 2005 12:50 PM
To: clamav-users@lists.clamav.net
Subject: [Clamav-users] RFC: squidclam

Hi,

just wrote a small program to replace SquidClamAV_Redirector.py
Reason for doing that:
- I manage RPM based servers which don't have pylibclam
  (with my own program I only need one alien rpm, not three)
- maybe C is faster than Python (not proven yet ;)
- I was in the mood for doing that.


[Mitch says:] Sounds good to me - the fewer dependencies the better - right?

I've been looking at setting something up like this - will post how it goes
- I'm interested ;-)

m/

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


RE: [Clamav-users] Virus Tests from www.testvirus.org

2004-12-01 Thread Mitch (WebCob)
-Original Message-
At 12.08 01/12/2004, you wrote:
 >> And now a wish:
 >> Is possible to implement in clamav-milter or clamd itself the
 >> possibility to define a list of suffix I'd like to consider as:
 >> UNAUTHORIZED ATTACH TYPE
 >
 >That is not the job of a virus-scanner, it's the job of a content-
 >filter.

I know, but what if I want to consider them undesirable by default?
I think clamav-milter should do the job quite easily.
If it found such an attachment it would treat it like a virus named:
UNAUTHORIZED ATTACH TYPE
Stop... :-)

Do you think the idea is wrong? In this way, as I said, you could also
lower the CPU load on the antivirus box (you discard without checking) and you
could fight new viruses better (if my sig doesn't detect it, the attachment
type would probably get the message discarded).
And last... we could probably stop using other tools like noattach (which I like
very much, indeed).

Thanks for your attention.

[Mitch says:] 
Basically, what everyone is saying by "that is what a content filter is for"
is USE a content filter - do that BEFORE you run clam on the content - that
will be faster - and clam won't have to reinvent the wheel and maintain code
that others already do.

Open-source software is often not monolithic - to get what you want, you are
expected to combine suitable projects - this flexibility and dedication to
purpose is generally a good thing - projects fail more often as they
increase in scope.

m/



RE: [Clamav-users] virus tests

2004-11-25 Thread Mitch (WebCob)


-Original Message-

I checked it too and everything is ok, except tests
nr. 24, 25 (which are non-virus, anyway).
We're running .80 on Gentoo.
Robert

[Mitch says:] 

24 & 25 could be stopped similarly to how password protected zips are stopped
- not because they are viral, but because of a policy that allows us to
decide "If it ain't scannable I don't want it" - right?

24 - "multimessage segmented file trick" - as well as 25 - "clsid extension
used" could be prevented with optional tests... or perhaps blocked in some
sort of maildrop or procmail script.

I don't want to reignite the earlier battle about what clam should or
shouldn't do - but the zip test has proved useful to us, and it IS optional.
Something like these (assuming there are beasties in the wild taking
advantage of these flaws) could be nice additions...

Just my 2 cents.

m/



update as soon as possible WAS RE: [Clamav-users] Independent Testing

2004-10-21 Thread Mitch (WebCob)

> Hi, how do you make ClamAV update virus database as soon as possible
> when the signature becomes ready?
> 
> Sam.
> 
[Mitch (bitblock)] 
Sam. Bad toad! Don't hijack threads.

You can run freshclam - there is no such thing as an instant update - the
latest version uses DNS records to allow more frequent polling, but it's
still about 10 minutes from update till when you can download iirc...

That still beats everything else out there though I think.

m/



RE: [Clamav-users] Re: Delays scanning MS Access db file ?

2004-10-04 Thread Mitch (WebCob)
> On an off-topic side note, if anyone knows what SMTP related timeout issues
> come up if a Milter timeout is set to greater than several minutes, I'd be
> very interested to hear.  Does sendmail somehow keep the SMTP session alive
> even if the Milter is taking longer than the SMTP DATA timeout might be, or
> am I restricted to the SMTP timeout periods?
>

My understanding (from attempting to understand behaviour I saw a while ago)
is that if sendmail OR the other side times out waiting for a response, you
will likely receive multiple copies - the remote MTA sees anything that is
not a SUCCESS as a FAIL, and so considers the message undelivered. This can
result in hugely overflowed mailqs ;-)

m/



RE: [Clamav-users] virus submission problem

2004-09-28 Thread Mitch (WebCob)
> > This is not an isolated case.  The virus submission page must be changed
> to run the latest RELEASED version of clamav.
>

Haven't looked in a while, but I think it should:

Display result using latest RELEASE
Display result using latest CVS
Display IDENTITY of the virus
Display config of the online scanner (in case this affects the result)
Indicate time / date of the addition of this sig.

This would eliminate confusion, and all the "it says detected but not what
it is" etc.

I volunteered to look at making changes like this as did a few others iirc,
but for some reason this "tool" is not "open" :(

Hopefully if enough people second the motion, the changes can at least be
implemented.

Thanks.

m/



---
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


RE: [Clamav-users] Re: Re: Re: Windows port ?

2004-09-25 Thread Mitch (WebCob)
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:clamav-users-
> [EMAIL PROTECTED] On Behalf Of Tomasz Kojm
> Sent: September 25, 2004 12:22
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Re: Re: Re: Windows port ?
> 
> On Sun, 26 Sep 2004 00:09:22 -0700
> "Mitch (WebCob)" <[EMAIL PROTECTED]> wrote:
> 
> > containing all their proprietary stuff, and write application B, which
> > calls product A or uses its libs, but IS open sourced and GPL'd -
> 
> They can always use clamd (via its socket) without writing any
> additional stuff.
> 

[Mitch]

I totally agree - except that to do that they have to install cygwin on
windows, etc...

I think that's what would have started this whole thing - still could be
usable that way, though when everything is wrapped in cygwin calls and
service emulators (to encapsulate daemon functionality) things can get
ugly... he probably started thinking he was simplifying those problems
without realizing the size of the ensuing discussion that would follow.

Realizing and acknowledging that clam was written focusing on unix in
general, mail scanners in particular, I wonder if the clam team would be
interested in accepting windows ports of the code... assuming it's doable,
and I'm not volunteering. It would just open the product to an even wider
audience... of course maybe that's not desirable yet ;-) (considering mirror
server loads etc.!)

m/






RE: AW: [Clamav-users] Re: Re: Re: Windows port ?

2004-09-25 Thread Mitch (WebCob)
> The GPL defines "source" as "the preferred form of the work for making
> modifications to it". If the maintainers of the clamav db add new
> signatures by unpacking the database, modifying it and packing it again,
> it is source code (the act of packing and unpacking is IMHO similar to
> tarring and untarring C source files). If they then generate the database
> from a different source, which cannot be trivially reconstructed from
> the distributed database, it is not source code. In the latter case, the
> database cannot be covered by the GPL (you cannot require somebody to
> distribute the source if you don't give it to them).
> 
>   hp
[Mitch (bitblock)] 

Hi Peter...

Isn't it just as easy as this? Company B wants to use GPL product A in a closed
source commercial product

So...

They write library B, license it to themselves closed source, containing all
their proprietary stuff, and write application B, which calls product A or
uses its libs, but IS open sourced and GPL'd - there's nothing in the GPL
that prohibits you from using code within your GPL product that doesn't have
the same license - there couldn't be or you couldn't run a GPL app on a BSD
system - right?

Just a musing...

m/





RE: [Clamav-users] Re: Re: Re: Re: Windows port ?

2004-09-23 Thread Mitch (WebCob)
> > > > Ok, you can download the clam database handling and file scanner
> > > > at http://uscanit.free.fr/lib.zip
> > >
> > > It looks OK. Thanks for publishing it.
> > >
> >
> > Can you clarify for the rest of us? Does that mean the clam team is
> > accepting this sort of usage of the db?
>
> The library seems to cover _all_ operations that use the database in
> some way (loading, pattern matching, scanning of zip files,...). We
> can't forbid people to rewrite libclamav from scratch and license it
> under LGPL (which allows linking with closed apps), but well - that
> would require a lot of hard work. As long as the mentioned heuristic
> scanning is completely independent from the database it's not affected
> by the GPL license.
>

Ok... So for anyone else working on similar now or in future, this is the
"approved" way to legally do it. Access the DB with an LGPL based library,
publish the library and share the source of it, then do what you will behind
the scenes. Or maybe even better, just use this library? Assuming it gets
tagged with the LGPL license...

m/





RE: [Clamav-users] Re: Re: Re: Re: Windows port ?

2004-09-23 Thread Mitch (WebCob)
> > Ok, you can download the clam database handling and file scanner at
> > http://uscanit.free.fr/lib.zip
>
> It looks OK. Thanks for publishing it.
>

Can you clarify for the rest of us? Does that mean the clam team is
accepting this sort of usage of the db?

m/





RE: [Clamav-users] Re: Re: Re: Re: Windows port ?

2004-09-22 Thread Mitch (WebCob)
Remi wrote:

> > No, it won't. Security by obscurity is a nonsense.
> It's true only for cryptography I think.
>

Anyone with a disassembler can find your secret sauce as soon as they
download your product. A lot of effort yes... but if what you think you have
found has any value it will be done. Consider the volume of movies and
software and keygens released daily...

The people who write viruses are used to low level analysis and reverse
engineering of systems and their weaknesses - right? They aren't
particularly fond of the laws...

That's the reason the big vendors have to keep rolling new engines as well
;-)

m/





RE: [Clamav-users] Re: Re: Windows port ?

2004-09-22 Thread Mitch (WebCob)
Or write an open source program which does the scanning without dependency
on cygwin. GPL it, give away the source. Keep your heuristics separate, and
if you like your interface, etc. This is the same effect as the windows
wrapper that exists, without the overhead of the cygwin underneath
(though is there really much point in that? cygwin is free, allows us to
start daemons and services (so you could run clam or clamd as your virus
scan tool underneath your app), and you can install cygwin by simply
distributing a single dll - right?)

Note, I'm in full support of the project maintainer having the right to
control the use of their own work under their own license, just don't see
what the problem is - you just have to work WITH the system instead of
trying to hack around it and produce your own - which is kind of pointless
anyway - every new version results in additional signature formats, and more
porting work for you.

If you came up with a cygwinless patch / build script, it could be
opensourced, and you wouldn't have to do the ports - just call the resulting
engine!

m/

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Stefke
> Sent: Wednesday, September 22, 2004 4:02 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Clamav-users] Re: Re: Windows port ?
>
>
> Advice to Remi.
>
> Create your own database structure, write a GPL'ed program that converts
> Clamav's DB to your own, use your own DB in your "Free but closed source"
> program
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ralph
> Angenendt
> Sent: woensdag 22 september 2004 11:33
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Re: Re: Windows port ?
>
>
> Fajar A. Nugraha wrote:
> > How is that so?
> > From daily.cvd's COPYING :
> >
> > -GNU GENERAL PUBLIC LICENSE Version 2
> >Isn't LGPL more suitable for libraries?
>
> Why should it be? *IF* the authors chose to license it to you in a way,
> which *only* allows you to incorporate it into Programs with GPL
> compatible
> licenses, it should be respected.
>
> > -   1. You may copy and distribute verbatim copies of the Program's
> > source code as you receive it, in any medium ...
> > He didn't distribute it. He just use it
>
> He uses it in a program. He has to load it somehow.
>
> > How is his using clamavdb (but does not distribute it), be different
> > from hosting appliances (Ensim, CPanel, etc) which uses numerous open
> > source programs on Linux (apache, mysql, and even clamav) but does not
> > distribute it? I don't see Ensim released as GPL.
>
> He has to link the database *somehow* into his program. Look up
> what the GPL
> has to say about that.
>
> And: Hey, if you do not like the license of a program - do not
> use it. It is
> simple as that. If you want to use it - fulfill the license.
>
> Ralph
> --
> Ralph [EMAIL PROTECTED]
> Bayerischer Rundfunk, HA-Multimedia
> Rundfunkplatz 1, 80300 München
> Tel: 089.5900.16023  Fax: 089.5900.16240
>
> "Text processing has made it possible to right-justify any idea, even one
> which cannot be justified on any other grounds." -- J. Finnegan, USC
>
>
>
>





RE: [Clamav-users] Notification E-mail

2004-09-20 Thread Mitch (WebCob)
> With one caveat.
> It is perfectly acceptable to place an explanatory message in an SMTP
> REJECT message.
>
> Something like
>
> EHLO (hi)
> MAIL FROM (ok)
> RCPT TO (ok)
> DATA (can't accept for delivery, contains the EICAR virus!)
>
> If the mail is being sent by a virus, the virus will usually just give
> up and go on to the next recipient server on their list.  No "you sent a
> virus" mail is sent to a (usually) innocent third party.
>
> If the virus is a false positive, and is really good mail being sent by
> a legitimate mail server, the sending mail server will keep the
> responsibility of generating the undeliverable message.
>
> It would be nice if the SMTP reject message was customizable - say, to
> include a phone number to call in case of false positives.  I didn't see
> anything in the man pages for 0.75.1 - did I miss it?
>
> [EMAIL PROTECTED]  805.964.4554 x902

Clam doesn't do this at all. It's the widget that is used to integrate with
the MTA that has control of this. I use courier, and this is exactly how my
mail server handles it.

Whatever integration tool you use to tie clam to your MTA (or the MTA
itself) has this job - that's why it's not in the clam man pages ;-)

m/





RE: [Clamav-users] daemon restarting while clamdscan is running

2004-09-10 Thread Mitch (WebCob)
I think this was mentioned in a man page somewhere...

I believe that clam would return a timeout error, and what happens with that
depends on the script that calls clamdscan. If it accepts nothing other than
success, the mail should be deferred and tried again later by the MTA.

Not authoritative, but hope it helps.

m/

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Yury
> Tarasievich
> Sent: Thursday, September 09, 2004 6:46 AM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] daemon restarting while clamdscan is running
>
>
> Hello,
>
> What happens if clamd is restarted while clamdscan was running?
> Clamdscan just completes its job and returns OK status?
> Or?..
>
> regards,
> Yury.
>
>
>
>





RE: [Clamav-users] OverSize.Zip file

2004-09-02 Thread Mitch (WebCob)



Winzip reports the AVERAGE and clam uses the PEAK value... try bumping up the
value to two or three times that amount:

ArchiveMaxCompressionRatio from 1000

to test this... the culprit could be an ascii file with a lot of white space
that is hugely compressible.
 
m/

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura Penhallow
> Sent: Thursday, September 02, 2004 2:55 PM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] OverSize.Zip file
>
> I apologize in advance if this is something easy, but I am at my wits' end.
> We have a customer that needs to receive rather large zip files from a
> client of theirs. Trouble is -- clam keeps classifying the attachment as an
> OverSized.Zip virus and rejects it.
>
> The zip file is ~8.7 MB, contains 1506 files, and winzip reports 78%
> compression. We're running Clam v 0.74.
>
> I have been googling and reading other posts and I have made the following
> changes to clamav.conf:
>
> Changed -- ArchiveMaxFileSize from 10M to 20M
> Changed -- ArchiveMaxFiles from 1000 to 2000
> Changed -- ArchiveMaxCompressionRatio from 200 to 300
>
> Still no luck. Is there something I am missing??
>
> thanks in advance
>
> Laura

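The point of the reply above is that an archive-wide figure ("78% compression") says nothing about the single member that trips a per-member ratio limit. The following is an added example, not ClamAV code: it assumes the ratio that matters is each member's uncompressed/compressed size, as Mitch describes, and walks the zip's central directory to find the member with the highest ratio. The archive it inspects is constructed inline (ordinary text, incompressible bytes, and a 2 MB run of spaces standing in for the whitespace-heavy text file Mitch suspects); the limit value of 300 is Laura's setting.

```python
"""Per-member compression ratio of a zip archive.

Added example, not ClamAV code. Assumes the limit is compared against each
member's uncompressed/compressed ratio rather than the archive-wide figure
that WinZip reports.
"""
import io
import random
import zipfile


def member_ratios(zip_bytes: bytes):
    """Return (archive-wide ratio, [(member name, ratio), ...]).

    Sizes come from the central directory, so nothing is inflated to measure.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
    raw = sum(i.file_size for i in infos)
    packed = sum(i.compress_size for i in infos)
    per_member = [(i.filename, i.file_size / max(i.compress_size, 1)) for i in infos]
    return raw / max(packed, 1), per_member


def worst_member(zip_bytes: bytes, limit: float) -> dict:
    """Report the member with the highest ratio and whether it exceeds `limit`."""
    aggregate, per_member = member_ratios(zip_bytes)
    name, peak = max(per_member, key=lambda item: item[1])
    return {"aggregate": aggregate, "peak_name": name, "peak": peak,
            "exceeds": peak > limit}


def build_sample() -> bytes:
    """Constructed archive: short text, incompressible data, and a file of
    spaces that deflate squeezes to almost nothing (roughly 1000:1)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", b"quarterly figures attached\n" * 150)
        zf.writestr("photo.bin", random.Random(0).randbytes(200_000))  # ~1:1
        zf.writestr("padding.log", b" " * 2_000_000)                   # the culprit
    return buf.getvalue()


if __name__ == "__main__":
    result = worst_member(build_sample(), limit=300)
    print(f"archive-wide ratio {result['aggregate']:.1f}:1 "
          f"({100 - 100 / result['aggregate']:.0f}% compression)")
    print(f"peak member {result['peak_name']} at {result['peak']:.0f}:1, "
          f"exceeds limit 300: {result['exceeds']}")
```

Run against the real attachment (`worst_member(open(path, "rb").read(), 300)`) this tells you which member to look at and how far it is over the limit, which is a better basis for choosing a new ArchiveMaxCompressionRatio than doubling the value and retrying.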

RE: [Clamav-users] Downloading clam virus definition files automatically

2004-08-26 Thread Mitch (WebCob)
> I think such a provider would be liable for very little - but it is very
> expensive to establish that in court. Law suits are trivial to initiate
> and we are in a very litigious society. If you have 10,000 customers you
> can bet at least one of them will levy a suit against you for some
> perceived affront and you are out of pocket without some kind of
> insurance.
>

Think we're blowing things out of proportion and way off topic here... This
is ClamAV not business 101...

Liability insurance doesn't PREVENT people from suing you. It covers
SPECIFIED perils if people do, but still requires you to defend yourself in
the suit - it kicks in to pay legal costs or settle if you lose... Having a
fat liability policy can also make you a target.

And a waiver, SLA or specific contract limiting liability can close off many
of these threats.

m/





RE: [Clamav-users] Second-tier Mirrors...

2004-08-26 Thread Mitch (WebCob)


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Graham
> Toal
>
> Aren't we missing something obvious here?  Shouldn't we be using some
> sort of distributed technology like BitTorrent?
>

That's been asked and answered... Bittorrent is meant to optimize download
of large files when there are many peers. We could effect the many peers,
but the files involved are often finished downloading before a
torrent file is downloaded, parsed, and attempted (there are always
unreachable / not responding hosts / slow hosts / bad routes etc.)

A summary of my understanding, anyway.

m/





RE: [Clamav-users] Second-tier Mirrors...

2004-08-25 Thread Mitch (WebCob)
> I would love to setup a mirror, but 10Mbps and 100GB/month is more than
> I've got available.
>
> --TWH

By my count that makes 5 of us I recall seeing volunteer and it isn't even
an option yet.

As we are already trampling the rules with cnames to cnames... what about
this... the second tier cnames could exist as multiple rr ips in a single
mirror cname... thereby sharing the required bandwidth.

Just an idea. I don't think the problem will be adding a few more sites to
push updates to... it would probably be much worse to manage the complexity
of 2 tier deployment than to just update the secondary mirrors after the
primary mirrors from the same source... 10 updates vs 100 updates won't kill
the main source... when it becomes 1000's maybe we worry ;-)

m/





RE: [Clamav-users] Second-tier Mirrors...

2004-08-25 Thread Mitch (WebCob)
> > > Someone recently suggested the idea of allowing sites with
> less than the
> > > mirror site requirements becoming second-tier mirrors.  This thread is
> > > an attempt to see what kind of interest there is in such an
> idea and for
> > > the developers to respond whether or not the idea has merit.
> >
> > It would help if you could define what you mean by a second-tier mirror.
> > If you allow just anyone to connect, then what makes you second-tier
> > instead of primary-tier?  And if you restrict your connections to come
> > from within your domain, then why do you need to become an official
> > mirror at all?
>
> Since there was no response, I'll offer an idea:
>
> What about one set of mirrors that host the main.cvd and another set of
> mirrors that host the daily.cvd?  Assuming people use the DNS to check
> what updates they need, they could then connect to the appropriate
> "class" of mirrors to get the actual updates.
>
> It seems to me that this could be a simple way to split the load and
> allow potential mirrors to choose how much they want to host (main only,
> daily only, or both).
>

I suggested this (2 tier mirrors) at one point - not sure if it was me you
are referring to or not...

I was thinking something like this:

Currently each mirror contributes around 100GB of traffic monthly

Perhaps (not sure of the DNS system in place) it could be arranged so that 10%
of the requests a full primary mirror receives could be directed to a
secondary level mirror. With a commitment of only roughly 10GB per month,
we'd get more volunteers (I'd volunteer 2).

Also, while I'm at it, sponsors of open source products are often credited -
the mirrors should have a web page crediting the responsible hosts with
banners / links to them if they would like it... (or has this appeared at
some point since I started participating)... Of course tier 1 mirrors would
get top billing. ;-)


m/





RE: [Clamav-users] Downloading clam virus definition files automatically

2004-08-23 Thread Mitch (WebCob)
> If you really want updates instantly, there *is* a solution.  Volunteer
> to run a mirror.  All mirrors are given updates within 2 minutes.
>
> Damian Menscher

Joining this thread a little late - sorry...

Then we get back to the level of commitment required to do that... With
things as they are now, the 100GB / month (iirc) and massive number of hits
is too big for all but larger organizations to commit to - and they normally
have politics involved that make such a decision more than one sysop
can make (unless he's not worried about his job)...

I for one would love to set up a mirror... if it was 10GB / 20GB / maybe
even 30GB... but 100 and growing is a little too much of an unknown for me.
I wouldn't want to opt in, and then have to opt out due to unanticipated and
growing load...

I've seen the notes about the new cap on daily sizes, maybe that will reduce
download size... or maybe at some point a multi level approach will be
used...  (main, monthly, daily, etc...) or something through the setup of
the DNS that could allow people to volunteer to mirror at a second tier with
some fraction of main-mirror bandwidth.

Then we could get more mirrors, and reduce the load on each. Already the DNS
system will eliminate downloads / connections to the mirrors if the version
hasn't changed - right? So eventually we should be able to query more often.

m/





RE: [Clamav-users] Freshclam cron interval {Revisado por Antivirus}

2004-08-17 Thread Mitch (WebCob)
>
> run freshclam on one machine, use on-update-execute to run an rsync script
> after a successful download to update all your other machines.
>
>
>
> ==
> Chris Candreva  -- [EMAIL PROTECTED]

Does the clamd process need to be signaled on each machine to recognize the
new db?

m/





RE: [Clamav-users] Freshclam cron interval {Revisado por Antivirus}

2004-08-16 Thread Mitch (WebCob)
> No, the cron job only runs on the hour (minute == 0) so it will only run
> once per hour at a random time between hh:00 and hh:30.
> 
> A.
> 

D'oh! Note to self - don't think you are smart when you're tired! Thanks.




RE: [Clamav-users] Freshclam cron interval {Revisado por Antivirus}

2004-08-15 Thread Mitch (WebCob)
> > Please always try to _avoid_ to have cron based internet
> services run by the
> > hour. Please consider another value than 0. What about 17 or 41
> as the value
> > for the minute?
>
> As per discussions on this list on awhile ago; I use the following for
> my crontab entry
>   0 * * * * sleep $[ $RANDOM % 1800 ] ; /usr/local/bin/freshclam --quiet
> this causes it to sleep for a random period of time not exceeding 30 min
> before executing.

Hmmm - couldn't this THEORETICALLY result in freshclam being run every few
seconds?

I know it's random, but without a lower end on the value, it is possible -
right?

m/





RE: [Clamav-users] Idea for more timely virusdb updates

2004-08-15 Thread Mitch (WebCob)
> >I still don't see why rsync can't be used here.  It can
> >easily do incremental
> >updates.
>
> True. However,
> (1) many firewall admins allow outgoing HTTP and DNS
> ports; I cannot say the same for rsync port.
> (2) The uncompressed signature (viruses.db*) files is a
> good candidate for rsync (or even a simple diff command).
> I don't know how well rsync or diff performs on the
> compressed-signed *.cvd.

Hmmm... interesting points... but what about this option?

Rsync and diff are generic "patching" mechanisms meant to accommodate data
without a known format - we don't have that problem here.

My understanding is that for the most part database updates are additions,
though sometimes there may be deletions or updates to preexisting keys.

Let's say on the SERVER side, those updates were kept in something of the
form:

version|status|signature|md5

Where version is the version number containing the change...
status is + (new sig), - (remove sig), or = (update sig) (the semantics are
important, the values of the enum are not of course)
and signature contains whatever the current fields of the database are...
md5 would be the checksum of a database if all patches applied to this point
are successful

Then, any freshclam could connect, something like:

http://somemirror.db?version=xxx

The server would then return all updates > xxx, which would allow the
freshclam to patch its local database, and verify the last md5 is a match
for the md5 of the updated local db. If the update fails to produce a
matching checksum, freshclam could then pull a fresh copy in its entirety.


This would mean the mirrors would have to support basic scripting (PHP?) but
we could trade a significant portion of the bandwidth for a few cpu
cycles...

m/



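The incremental changelog scheme sketched in the post above, worked through as an added Python model. This is not freshclam's or ClamAV's code: the `version|status|signature|md5` line handling, the server and client classes, the contiguity check and the sample signature names are all constructed here for illustration.

```python
"""Toy model of the incremental signature-update scheme proposed above.

Constructed for illustration only: freshclam does not speak this protocol.
The server keeps a changelog with one line per change,

    version|status|signature|md5

where status is '+' (new sig), '-' (remove sig) or '=' (update sig) and md5
is the checksum of the whole database once every change up to and including
that line has been applied.  A client asks for all lines newer than its own
version, patches its local copy and compares checksums; on any mismatch it
falls back to pulling a complete copy, exactly as the post suggests.
"""
import hashlib

# Signatures are modelled as ClamAV-style "Name=HexBody" strings.


def db_digest(db):
    """Canonical checksum of a database (sorted name=body lines)."""
    canon = "\n".join(f"{name}={body}" for name, body in sorted(db.items()))
    return hashlib.md5(canon.encode()).hexdigest()


def apply_change(db, status, signature):
    """Apply one changelog entry in place; raises on anything inconsistent."""
    name, _, body = signature.partition("=")
    if status == "+":
        if name in db:
            raise ValueError(f"duplicate add of {name}")
        db[name] = body
    elif status == "=":
        if name not in db:
            raise ValueError(f"update of unknown {name}")
        db[name] = body
    elif status == "-":
        del db[name]  # KeyError if the client never had it
    else:
        raise ValueError(f"bad status {status!r}")


class ChangelogServer:
    """Mirror side: authoritative database plus the append-only changelog."""

    def __init__(self):
        self.db, self.version, self.log = {}, 0, []

    def publish(self, status, signature):
        self.version += 1
        apply_change(self.db, status, signature)
        self.log.append(
            f"{self.version}|{status}|{signature}|{db_digest(self.db)}")

    def updates_since(self, version):
        """Body the mirror would return for ...db?version=<version>."""
        return "\n".join(
            line for line in self.log if int(line.split("|", 1)[0]) > version)

    def full_copy(self):
        return dict(self.db), self.version


class Client:
    """freshclam side: patch locally, verify, fall back to a full pull."""

    def __init__(self):
        self.db, self.version, self.full_pulls = {}, 0, 0

    def update(self, server):
        db, ver, last_md5 = dict(self.db), self.version, None
        try:
            for line in server.updates_since(self.version).splitlines():
                v, status, rest = line.split("|", 2)
                signature, _, md5 = rest.rpartition("|")
                if int(v) != ver + 1:  # gap or replay: the patch chain is broken
                    raise ValueError("non-contiguous version")
                apply_change(db, status, signature)
                ver, last_md5 = int(v), md5
            if last_md5 is None:
                return "up-to-date"
            # The checksum catches a corrupt or drifted local copy, not a
            # hostile mirror: authenticity still needs the signed .cvd files.
            if db_digest(db) != last_md5:
                raise ValueError("checksum mismatch after patching")
            self.db, self.version = db, ver
            return "patched"
        except (ValueError, KeyError):
            self.db, self.version = server.full_copy()
            self.full_pulls += 1
            return "full"
```

The contiguity check on the version numbers goes one step beyond the post: a changelog that skipped or repeated a line is rejected before the checksum is even consulted.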


RE: [Clamav-users] Idea for more timely virusdb updates

2004-08-13 Thread Mitch (WebCob)
> Similarly, BitTorrent *requires* "raw" Internet access in order
> to operate -
> again - not a normal situation for an AV server.
>

Don't know what exactly you meant by "raw" as opposed to sauteed, broiled,
baked or toasted, but BitTorrent does NOT require unfirewalled access. It
does require a small port range to be forwarded to it, BUT that port range
is not required to be the same on any two hosts.

When the host contacts the tracker, it tells the tracker which ports it is
listening on so the tracker can distribute load to it.

m/





RE: [Clamav-users] Idea for more timely virusdb updates

2004-08-13 Thread Mitch (WebCob)
> > DNS for serial numbers plus HTTP for actual data transfer still sounds
>
> New version of freshclam will work in this way. Big thanks to all for
> the interesting thread !
>

Sounds cool Tomasz! Be interested to hear if this helps reduce the load on
the mirrors at all. Once this is tested, an update to recommended polling
times would be appreciated (for anyone not running freshclam as a daemon)

Thanks!

m/





RE: [Clamav-users] OpenSource Clamav not ready?

2004-08-12 Thread Mitch (WebCob)
> So does that mean you no longer use Exiscan's "demime" facility, because,
> if I understand this correctly, it is sufficient to pass the mime parts
> to clamd for scanning. Using it and ScanMail would appear to bring some
> "competition" between Exiscan's demime and ClamAV's ScanMail.
>
> Could someone clarify this point?

I'd appreciate similar clarification...

I'd heard on the list of people having problems with clamd / clamdscan and
the various mail scanning options (can't remember if the problems were
related). For now (running courier on freebsd) I invoke an external mime
unpacker, and then run clamscan on the unpacked message parts. I know
clamscan is less efficient, but I keep hearing people commenting about run
away memory use etc, and haven't followed it all in enough detail to know if
it's still a problem? (currently the extra cpu cycles are less "costly" than
the downtime caused by run away ram or processor use...)

Can someone in similar config (courier and freebsd) confirm that they are no
longer having (or never have had) stability issues with clamd / clamdscan
and what changes I make to clam config to properly scan a single mime
encoded message (not an entire mbox).

As a small measure of comfort it would also be nice to know how heavily
loaded your machines are (i.e. small corporate network or ISP/ enterprise
class)

Thanks a bunch!

m/





RE: [Clamav-users] Idea for more timely virusdb updates

2004-08-11 Thread Mitch (WebCob)
> Opening another port is simply no option for any serious
> enterprise use. There
> is simply no way to open another port in the firewall. In addition I am
> confident that IANA will not allow to reserve a fixed port number
> for this
> service. After all port numbers are a limited resource with today's IPv4
> networks.

bittorrent doesn't rely on a fixed port - it doesn't need one.

If I understand it right, seeders (people with full copies) and peers
(people with partial downloads) register their ports with the tracker, and
if shutdown properly, de-register themselves.

The problem with slow starts DEFINITELY has something to do with seeders and
peers not deregistering themselves (I see it in logs) and have seen FAQ's on
web sites hosting torrent files to this effect.

With a closed loop distribution system with a custom client that guaranteed
a 10X ratio and then cleanly deregistered itself, we would have a very
powerful distribution system.

Might even make a project on its own.

m/





RE: [Clamav-users] Idea for more timely virusdb updates

2004-08-10 Thread Mitch (WebCob)
> I've already mentioned this jokingly, but I was half serious: I think
> setting up a bittorrent would solve a lot of the bandwidth problems.
>

Been playing with that a bit recently - the more I think about it, the more
I like it... saw a website that has built a custom tracker to manage
leeches, and prevent people (regardless of client) from sponging without
contributing...

The old way could remain, for offline / intermittently or heavily firewalled
users...

The addition of DNS version management could reduce overhead bandwidth that
occurs during useless polls...

The new way could provide higher frequency updates for those willing to
share and contribute some bytes.

m/





RE: [Clamav-users] Idea for more timely virusdb updates

2004-08-10 Thread Mitch (WebCob)
> The mirror page talks about the need for mirrors, about
> exponential growth,
> and how at least a 10mbit pipe is needed to host a mirror. It puts March
> 2004 traffic at about 120gig/month
>

I think I read it differently... I thought it was 120GB / month per mirror
(at that point in time there were 11 mirrors!)

QUOTE (http://www.clamav.net/doc/mirrors/clamav-mirror-howto.txt)
Without mirrors, the traffic on our main site was
100GB/month (May 2003).

On Feb 2004 the traffic on each mirror (11 in total)
reached 120GB/month.
END QUOTE

Not sure if I read it wrong, but that would put total consumption about 1320
GB - makes it more urgent doesn't it?

Unfortunately the round robin - no limits nature makes the "entry price" for
people who want to help too high for some. I wonder in the short term if
there is a way to create a lower % hit mirror which could say take 10% of
the normal average...

at 12GB / month there might be more takers

m/





RE: [Clamav-users] Idea for more timely virusdb updates

2004-08-10 Thread Mitch (WebCob)
> right, but as discussed below, generally bind servers don't have
> 100k people
> waiting for notifications and updates.
>

Nope, true... but like I suggested, the notification tree doesn't have to be
flat...

One server notifying 10 servers is time consuming and sure - costs a lot
of bandwidth...

Let's assume that each notify takes 5 seconds... we have to have SOMETHING to
"measure"...

1 server notifying 10 servers takes 50 seconds. That's a little over
a day to push the notification - bad idea ;-)

1 server notifying 100 servers, which each in turn notify 100 servers and so
on...
1 to 100: 100 seconds
each of them notifying 100: 100 seconds (total notified 10100)
each of them notifying 100: 100 seconds (total notified 1010100!) in 5
minutes!

That's 10 times your value of 10 servers. Each server would only have to
know about 100 others. Not a huge database - wouldn't even have to be
written to file. Each server could be responsible for polling its master
once per hour.

> > Hourly polls is a good thing - but if the system worked both ways, the
> > mirror could signal the end clients that it's time to download... those
> > notifies could be send only to clients that had registered to
> receive it (an
> > option in freshclam) and would not push the data, but trigger a
> freshclam
> > pull.
>
> with that option, the 'clients' would either have to remain connected the
> entire time, which is completely not feasible, or somehow the
> database mirrors
> would have to either 'remember' who to notify, or have some sort
> of registry
> of people to notify (I can see how one might do this with a paid mirror
> service), and then send out notifications (even a single UDP
> packet to 100k
> servers could be quite bandwidth intensive.  The architecture
> could work, yes,
> but it doesn't scale well, and I don't think the clamav team has
> the resources
> to do this sort of ass-kissing for free.  They're already providing a
> wonderful service to the internet community, we cannot bite the hand that
> feeds us.

I wasn't proposing that it had to be done for free (not that it can't be
with the factor tree I explained above). It might even reduce the cost of
database distribution.

If each server is only pushing 100 updates @ 200KB per update (2MB total) we
can get 500 pushes per month for only a couple dollars.

> Another problem with this notification is there are still the
> spikes when the
> notifications come out that EVERYONE AND THEIR BROTHER contacts
> the database
> mirrors for updates.  Your solution doesn't solve any problems imposed by
> Christopher's idea, and actually introduces more.

100 servers for 200KB (20MB is hardly a spike.) and as for clients remaining
connected, that is what a server is - connected. This isn't for end users,
or local workstations. It's an OPTION for people who process a lot of data,
are at high risk, and need immediate response. Then their own internal
freshclam clients can poll their local authoritative server as often as they
want, or use the same procedure to distribute to them (if they are full time
connected that is).

> In my opinion, the existing system is fine, and if you want
> better, you should
> talk to the clamav folks about setting up some sort of 'priority'

Yeah, we could, but I don't think it needs that. And setting up an internal
mirror doesn't address the response time of the updates, unless I start
hammering the main freshclam every few minutes... and I just don't think
that would be friendly.

With the sort of hierarchical distribution I'm talking about, you could even
use a ranking system to automatically organize the distribution (while I'm
on a roll ;-)...

What I mean is that everyone would contact one of the "root" mirrors
initially. In the request to be notified, it would indicate the number of
clients it serves. If less than a certain number, then it could be referred
to a child of the root server. If that child becomes unavailable it could
contact the root again (at the next hourly polling time). How many servers
are there on the Internet? We could probably handle the whole lot of them
with no more than 4 or 5 levels. Push an update to the world in under 10
minutes. Think how many virus laden emails this could stop.

(visions of f5...) in fact, the root server could hand out the IPs of all
child servers not fully loaded. The client could register with the nearest
(by route time) one -

just ranting...

m/





RE: [Clamav-users] Re: [Clamav-virusdb] Update (daily: 445)

2004-08-09 Thread Mitch (WebCob)
> I have 445 (have had it for 5 hours or so) and it still calls it
> Trojan.JS.RunMe.  Am I missing something?  I can see in my
> clamd.log where
> it picked up the changes and reloaded the database, and sigtool -l lists
> both Trojan.JS.RunMe and Worm.Bagle.AI-2 in it.
>

I'm going to take a guess here...
The RunMe is the HTML part...
The Worm... is the executable payload...

iirc, clam stops scanning when it sees the first match. HTML would be seen
before payload, so that could be what you are seeing.

m/





RE: [Clamav-users] Idea for more timely virusdb updates

2004-08-09 Thread Mitch (WebCob)
What about a deeper mirroring system? Perhaps one that supports
notification?

One of the things I like about BIND (not enough to use it, but still an
admired concept ;-) is the way zones can be distributed... notification
speeds things up if it works, polling creates a failsafe in which a missing
notify doesn't cause the world to end...

Hourly polls are a good thing - but if the system worked both ways, the
mirror could signal the end clients that it's time to download... those
notifies could be sent only to clients that had registered to receive it (an
option in freshclam) and would not push the data, but trigger a freshclam
pull.

It could provide faster update response and smooth out the spikes in
download traffic, and could be used to maintain a larger set of mirrors...
without increasing polling frequency... a new "freshclam server" could allow
all larger users to easily run their own mirrors for internal
distribution...

Just a few ideas...

m/





RE: [Clamav-users] Clamav Engine upgrades?

2004-08-05 Thread Mitch (WebCob)
This is predicated on the developers of the database incrementing the
"functionality level" when they make changes like this.

I'm still not sure I get it, but there seems to be some resistance to doing
this consistently.

Some changes in detection seem to make it into CVS, and I think future
versions without a change in the db functionality level - so the code is
there, and maybe it was originally for MAJOR changes - not simply one or two
viruses that need the upgrade, but it doesn't seem to make sense for the way
people use this project...

my 2 cents.

m/

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Ryan Moore
> Sent: Thursday, August 05, 2004 2:02 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Clamav Engine upgrades?
>
>
> Jeremy Kitchen wrote:
> > On Thursday 05 August 2004 12:46 pm, Ryan Moore wrote:
> >
> >>Such that if freshclam downloads a signature and if the
> >>signature has a 'engine version requirement' or some attribute that can
> >>be compared against the installed engine, if the installed engine isn't
> >>newer, give a nasty warning in the log.
> >
> >
> > it already does this.  search the archives for 'functionality level'
> >
> >
> >>WARNING: Your ClamAV installation is OUTDATED - please update
> immediately !
> >>WARNING: Current functionality level = 1, required = 2
> >
> >
> > -Jeremy
> >
>
> I didn't get any such warnings on any of my machines, they were all
> using clamav 0.72 with freshclam daemonized (with LogVerbose in
> freshclam.conf). Do you have to do anything special to get this sort of
> behavior? Also did anyone get these warnings when running a version
> previous to 0.75.1?
>
>
> Ryan Moore
> --
> Perigee.net Corporation
> 704-849-8355 (sales)
> 704-849-8017 (tech)
> www.perigee.net
>
>
>





RE: [Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)

2004-07-27 Thread Mitch (WebCob)
I'd be willing to hack the code to add the information mentioned the other
day - care to share the base script (off list is fine by me).

I'd like to make it a little more informative what was found and how it was
found etc.

thanks

m/

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Mike
> Cathey
> Sent: Tuesday, July 27, 2004 7:13 AM
> To: Clamav-users
> Subject: Re: [Clamav-users] Virus found, not detected by Clamav,
> can't submit (claimed already recognised but is not)
>
>
> Albert,
>
> On Tue, 2004-07-27 at 06:15, Albert Pauw wrote:
> > However when I tried to submit it, the page came back
> > saying that it already is recognised.
>
> We had to move the submission interface to another server (one of mine)
> and in the process, the interface was broken.  This was resolved
> yesterday afternoon/evening (GMT-4).  I sincerely apologize for the
> inconvenience.
>
> Cheers,
>
> Mike
> --
> Mike Cathey - [EMAIL PROTECTED]
> Unix/Networking geek & Perl hacker
> http://www.mikecathey.com/
>
>
>





RE: [Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)

2004-07-27 Thread Mitch (WebCob)
Hi.

Before you do, I've been told by Tomasz Papszun that there are signatures
that won't work for anything other than CVS... so you'd have to try building
a CVS version to make it work.

I suggested changes to allow us users to know this info when we do an upload
to the webform, but haven't had response from any of the other developers,
so don't know if the idea is generally approved or not.

Wouldn't want anyone to waste time researching something that might be as
simple as a cvs snapshot build ;-)

Try running the snapshot build (perhaps without installing? can that work?)
to scan the individual file of interest... then you will know...

m/

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Nigel
> Horne
> Sent: Tuesday, July 27, 2004 4:50 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Virus found, not detected by Clamav, can't
> submit (claimed already recognised but is not)
>
>
> < # clamscan --mbox virus-20030403-121256-27560
>
> Forward a copy of the email to me and I'll look into it.
>
> -Nigel
>
> --
> Nigel Horne. Arranger, Composer, Typesetter.
> NJH Music, Barnsley, UK.  ICQ#20252325
> [EMAIL PROTECTED] http://www.bandsman.co.uk
>
>





Signatures and versions... RE: [Clamav-users] Suggestion: Feature Freeze

2004-07-26 Thread Mitch (WebCob)
> I'd like to second that.  Those of us depending on clamav to catch stuff
> can't afford to upgrade in the middle of the day for new signatures to
> work.  And why don't these new signatures work?  Has that interface not
> yet stabilized?
>
> Thanks,
>   John

Just wondering...

If signatures come out that REQUIRE a new version of code to run, wouldn't
that be a good use for the versions flags in the signature files?

Right now there are two - right? One is for like a "format" version, and the
other is for an actual version right?

Either we could use the format version to at least raise the error that the
codebase requires an update to the latest (live or CVS or version X (could
predate the actual release so people know to use CVS until then) or we could
add another field to support this function - that may be harder though.

I'm going from memory here, but I remember a while back seeing errors in my
cron email even though I'd run freshclam with --quiet - right? Plus
something ended up in the log file... either of these two things (preferably
both!) could serve to notify users that their application needs an update to
catch the latest.

Thoughts?

Thanks!

m/





[Clamav-users] New virus not getting scanned, but web interface says already detected?

2004-07-26 Thread Mitch (WebCob)
For one thing, the web interface for uploading could be A LOT MORE USEFUL by
stating its current clamscan version, what it detects the upload as,
selected options/config, and signature database - just allowing easier
confirmation of relevant settings.

I've downloaded the 0.75, and upgraded, ensured my freshclam is running and
current, and manually unpacked the zip archive containing the file.

Still don't get a positive scan on my end, though.

Help? Don't want to post the virus publicly of course... what now?

Thanks.






RE: [Clamav-users] Ethics Question

2004-06-10 Thread Mitch (WebCob)
I'd say so. You aren't talking about doing this after the fact, but as the
message is received and detected as viral - right? They'd have to have hung
up immediately and even then, it's unlikely the modem handshake would be
complete yet on the next call ;-)

> On Thu, 10 Jun 2004, Nigel Horne wrote:
> > And just hope that the next person to dial in to the ISP who gets that
> > IP address from DHCP is the same person...
>
> If it's done immediately, then the chance of alerting the wrong machine is
> pretty small, isn't it?
>
> Jeffrey Moskot
> System Administrator
> [EMAIL PROTECTED]
>





RE: [Clamav-users] Ethics Question

2004-06-09 Thread Mitch (WebCob)
If they are in fact unprotected by a firewall, it's likely they are
receiving popups from all kinds of people... we can only hope they read
yours. Personally I'd be interested in the script you end up using - I'm
assuming you'd call smbclient to generate the popup - an interesting
experiment...

m/

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of jef moskot
> Sent: Wednesday, June 09, 2004 3:50 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Clamav-users] Ethics Question
>
>
> On Wed, 9 Jun 2004, Mitch (WebCob) wrote:
> > We are sending this notification as a public service. Please contact
> > your computer support person or visit one of the many PC Antivirus
> > providers. Many have free solutions to your problem.
>
> That does sound reasonable to me.  I wonder if there isn't a technical
> reason why this might be a Bad Idea, though.  For example, it used to be
> courteous to send an e-mail to a sender to let them know their computer
> was infected, but now trying to do things like that is a nuisance because
> it's highly unlikely that you're actually going to be contacting the
> original sender.
>
> Popping up a message on the machine with the proper IP number of the
> source of the infection sounds useful at best and harmless at worst...but
> is it really harmless?  Could these popups interrupt running processes on
> poorly configured servers and such?
>
> Jeffrey Moskot
> System Administrator
> [EMAIL PROTECTED]
>





RE: [Clamav-users] Ethics Question

2004-06-09 Thread Mitch (WebCob)
What's the harm? You aren't selling them anything... Spam is something done
for commercial gain by definition isn't it? they are hurting you - wasting
your bandwidth etc... and as many of my customers could prove - they can go
for MONTHS not knowing they are infected. Your message could say something
like:

Notice from SMTP server @ YOUR_IP:

We have detected incoming mail from you containing virus X.

We are sending this notification as a public service. Please contact your
computer support person or visit one of the many PC Antivirus providers.
Many have free solutions to your problem.


my 2 cents.

m/

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Samuel
> Benzaquen
> Sent: Wednesday, June 09, 2004 12:10 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Clamav-users] Ethics Question
>
>
>
>
> > Tris Forster
> > Sent: Wednesday, June 09, 2004 1:02 PM
> >
> > While the aim of doing this may be completely honourable,  sending
> > winpopups to a non-firewalled  machine stinks of spamming and thus I am
> > in two minds about putting it into practice
>
> You are right. That could be even worst that the virus, because you are
> sending it on purpose while the infected computer it's just a victim.
>
> >
> > Any thoughts or experiences with similar situations would be
> > appreciated..
> >
>
> I think the only way I could think is reporting the IP to some DNSBLs.
> That way you can stop receiving their mails and you leave the cleansing
> problem to their ISP.
>
> -Samuel
>
>
>





Bad ideas WAS RE: [Clamav-users] Zero bytes vbs & cpl attachment

2004-05-31 Thread Mitch (WebCob)
> (it was removed) there is nothing for ClamAV to find.  About the best
> you can do is to educate others that stripping viruses out of email (and
> letting the rest through) is a Bad Idea.

While you are mentioning bad ideas... what about this trend of sending
bounce messages to the sender or postmaster based on the From or envelope
address of messages with virii in them. Does Clam-milter do this? (I don't
use that part - use my own courier filter system). Personally I fail to see
the point of this if it does... the virii are most often (these days) lying
about their origins anyways - the only time this helps is when the mail is a
trojan / malware. If the filter was smart enough to send a bounce ONLY in
those cases, it might be useful, but as it is, I've been asked to write
filters by my users to stop these bounces - they are most often telling my
users they are guilty of sending something they know they didn't ;-)

Is Clam on this crazy track of notifying the innocent? Or am I off base
here?

Thanks.

m/





RE: [Clamav-users] Re: Virus Alias Database

2004-05-10 Thread Mitch (WebCob)
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Kevin
> Spicer
> Sent: Monday, May 10, 2004 10:49 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Re: Virus Alias Database
>
>
> It's running PHP & MySQL on apache2, unfortunately this is my home box
> (that said, it's not a bad spec) so the response will be directly
> proportional to what I'm compiling at the time and the amount of
> bandwidth on my DSL line.
>
> > 2. If it could handle heavy loads, it would be useful if the form used
> > GET instead of POST, so that links to specific viruses could be posted.
>
> I've changed the form to GET, however direct links won't work because of
> the web diversion service that I use - unless you link to the IP address
> (of the lower frame, not the outer window), it is a static IP but could
> change if I get fed up with my ISP or something (not that that is at all
> likely right now, I'm using Eclipse and they are excellent)

I'm sure there are many (including myself) that could be convinced to host
mirrors once the concept stabilizes...

Or alternatively, you could allow download of the db and functions so people
wouldn't have to keep hitting your server...

m/






[Clamav-users] You might not see OUTDATED warning...

2004-04-29 Thread Mitch (WebCob)
Just so all will know ;-)

It seems that 0.65 isn't smart enough to notice the difference - I didn't
get the warning on that box... but I'm upgrading anyways...

I assume the version smarts were added around 0.67?

Or is there some config value that causes me to not see a warning?

Thanks.

m/





RE: [Clamav-users] W32.Netsky.B@mm not removed

2004-04-19 Thread Mitch (WebCob)


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Jim Maul
> Sent: Monday, April 19, 2004 11:04 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Clamav-users] [EMAIL PROTECTED] not removed
> > hi,
> > I also have some "NetSky.q.2" not detected; They are detected by some
> > PC Antiviruses
> >
> > Moreover, Clamav Virus database Search
> > http://clamav-du.securesites.net/cgi-bin/clamgrok does not contain
> > anything named Netsky*
> >
>
> That's because (as stated above) clamav does NOT use the name Netsky.  It
> uses SomeFool instead.
>
> Jim

Jim - that would address why he doesn't see the sig, NOT why it doesn't
detect. Presumably he is noticing the problem because it got through his
clam config and hit his pc av software...

He should use the web system to upload a test of the virus and see if it's
detected online, and if it is, then look at his config, and database to
check for proper settings and current data.

m/





RE: [Clamav-users] Updating ClamAV method other than freshclam

2004-04-08 Thread Mitch (WebCob)
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Lionel
> Bouton
> Sent: Thursday, April 08, 2004 12:26 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Updating ClamAV method other than freshclam
>
>
> I just do that because I have 4 systems using clamav and want them to be
> in sync. So I put some glue around freshclam that compares the cvd
> contents before and after a freshclam run and if a diff is found update
> the 4 systems using rsync and mail the changes to me (new, removed and
> updated entries).
>

Neat idea!

I know some might think that's trivial, but others might benefit from the
script - I guess you are running it as a cron job?

Care to share? I could reinvent the wheel, but would like to see if you've
done anything else interesting ;-)

cheers.

m/
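The glue Lionel describes, written out as an added example (this is not Lionel's script and not part of ClamAV or freshclam): hash the database files before and after a freshclam run, list what is new, removed or updated, and only when something changed push the directory with rsync and mail the list. The database directory /var/lib/clamav, the mirror host list and the mail address are assumed placeholders; demo_changes() builds a constructed before/after fixture in a temporary directory so the diff logic can be exercised without freshclam installed.

```python
import hashlib
import os
import socket
import subprocess
import tempfile

# Assumption: the usual freshclam database directory; adjust for your distro.
DB_DIR = "/var/lib/clamav"
# Only the signature databases are of interest; ignore logs, pid files, etc.
DB_SUFFIXES = (".cvd", ".cld")


def snapshot(db_dir):
    """Map database filename -> SHA-256 of its contents."""
    result = {}
    for name in sorted(os.listdir(db_dir)):
        path = os.path.join(db_dir, name)
        if not name.endswith(DB_SUFFIXES) or not os.path.isfile(path):
            continue
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        result[name] = digest.hexdigest()
    return result


def compare(before, after):
    """Classify every database file as new, removed or updated (sorted lists)."""
    return {
        "new": sorted(n for n in after if n not in before),
        "removed": sorted(n for n in before if n not in after),
        "updated": sorted(n for n in after if n in before and before[n] != after[n]),
    }


def format_report(changes):
    """One 'kind: filename' line per change; empty string when nothing changed."""
    lines = []
    for kind in ("new", "removed", "updated"):
        lines.extend(f"{kind}: {name}" for name in changes[kind])
    return "\n".join(lines)


def update_and_propagate(db_dir=DB_DIR, hosts=(), mailto=None):
    """Run freshclam; if any database file changed, rsync to the other hosts
    and mail the change list.  hosts and mailto are placeholders you fill in."""
    before = snapshot(db_dir)
    subprocess.run(["freshclam"], check=True)
    after = snapshot(db_dir)
    changes = compare(before, after)
    report = format_report(changes)
    if not report:
        return changes                      # nothing new: no rsync, no mail
    for host in hosts:
        subprocess.run(["rsync", "-a", "--delete", db_dir + "/",
                        f"{host}:{db_dir}/"], check=True)
    if mailto:
        subprocess.run(["mail", "-s", f"ClamAV db changes on {socket.gethostname()}",
                        mailto], input=report.encode(), check=True)
    return changes


def demo_changes():
    """Constructed before/after fixture (made-up files, not real databases)
    so the comparison can be run offline."""
    with tempfile.TemporaryDirectory() as root:
        before_dir = os.path.join(root, "before")
        after_dir = os.path.join(root, "after")
        fixture = {
            before_dir: {"main.cvd": b"same", "daily.cvd": b"v1",
                         "old.cvd": b"gone", "notes.txt": b"ignored"},
            after_dir: {"main.cvd": b"same", "daily.cvd": b"v2",
                        "bytecode.cld": b"added"},
        }
        for directory, files in fixture.items():
            os.mkdir(directory)
            for name, content in files.items():
                with open(os.path.join(directory, name), "wb") as fh:
                    fh.write(content)
        return compare(snapshot(before_dir), snapshot(after_dir))


if __name__ == "__main__":
    print(format_report(demo_changes()))
```

Run update_and_propagate() from cron as the user that owns the database directory, and disable freshclam on the receiving hosts, otherwise their own updates and the rsync --delete will keep overwriting each other. The hash comparison only detects change; it is not an integrity check of the databases, which freshclam performs itself when it verifies the .cvd signatures.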





RE: [Clamav-users] Virus Names

2004-04-07 Thread Mitch (WebCob)
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of B. van
> Ouwerkerk
> Sent: Wednesday, April 07, 2004 2:00 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Virus Names
>
>
> I don't fancy the idea of doing the same job someone else does
> but I could
> do it if no one else does or has dropped the idea.
> This would be a good way for me to do something in return for
> using Clamav.

Me neither.

I'd certainly be willing to help with something along those lines as well -
even if it's only hosting a mirror!

I think the idea makes sense to me, but I keep hearing that the clamav
format will support some sort of alias system - just not sure what, or how,
or if it is enough information.

I'd IDEALLY like a system that allows us (collaboratively) to map viruses to
all commercial products - PARTICULARLY those maintaining virus information
databases, and then allow us to create a diff-based distribution of this
database - like the clamav datafile, and also a simple lookup page which
could use a template, and the database to return cross references / links to
information on the virii as documented by other systems.

m/





RE: [Clamav-users] Virus aliases

2004-03-11 Thread Mitch (WebCob)


> -Original Message-
> From: Tomasz Kojm
>
> On Thu, 11 Mar 2004 10:15:50 +
> Dave Ewart <[EMAIL PROTECTED]> wrote:
>
> > 2. Can the alias details be extracted from the .cvd files?  If not
> > currently, is there any way to add this detail?
>
> Virus aliases will be supported in signatures in the near future.
>

Maybe I spoke too soon... if you guys are already working on this great - how
will aliases be identified and submissions be processed?

I've heard that the bigger manufacturers often copy the first known name -
is there a way to get in that peer group?

Will the system handle multiple aliases in the event it occurs?

Will the system identify the "owner" of the alias (like norton / sophos /
etc.)

Thanks!

m/





RE: [Clamav-users] Virus aliases

2004-03-11 Thread Mitch (WebCob)
> No idea how easy this would be to implement but here goes:
>
> As well as the virus signature databases, how about having an alias
> database which would contain a record for each virus, indicating its
> ClamAV name along with those used by the more mainstream AV software
> like Sophos, McAfee etc. Then have the scanning software (clamd etc.)
> accept a commandline switch to indicate your preferred naming. That way,
> if you also use Sophos/McAfee/whatever on internal servers you could get
> ClamAV to report an infection using the same naming as internally.  Of
> course, as the Clam sigs are usually ahead of the rest, the aliases for
> a particular virus would all be set to ClamAV's chosen name. Then, as
> the other vendors get their signatures out the aliases could be updated
> accordingly.
>
> Workable/unworkable/insane idea?
>
> Paul

I like it!

Should be quite simple to implement and very workable - depending on the
will of the powers that be to maintain...

A little more complex idea would be to create a collaborative maintenance
system allowing the users to update and complete the information - a simple
voting system could accept multiple submissions from confirmed contributors
as validation...

With such a database (downloadable like freshclam currently maintains
regular virus db) we could issue warnings that make more sense to users of
bigger name commercial products, and even generate links to their
educational content on the virii...

The feeling I get is that clam detects the virus - generates the sig and
done... Norton, etc. decode it and see what it does and then publish the
info - when the link between the clam virus and the norton name is made
(for example) a link to that content would let the clam user know what they
found and what potential damage it could or might have already caused.

The developers of clam already have probably got their plates full with clam
issues... I could (as I imagine many others) consider building and hosting
something like this if there was enough support for it - thoughts?

Thanks!

m/





RE: [Clamav-users] Simple patch for dealing with password zip files

2004-03-03 Thread Mitch (WebCob)
Fantastic Michael!

I think that will be a good interim until there is an official method of
dealing with the problem.

Thanks.

m/

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Michael L
> Torrie
> Sent: Wednesday, March 03, 2004 12:38 PM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] Simple patch for dealing with password zip files
>
>
> I have made a rudimentary patch (clean patch) against clamav 0.67 to
> mark all zip files containing password-protected (and hence unscannable)
> files as a virus type "SuspectEncrypted.Zip."  This way I can simply
> quarantine all such passworded zip files, along with normal viruses.  I
> know of no other way for clamav to catch this virus currently.  (In fact
> it didn't even catch one of them using fingerprinters.)





RE: [Clamav-users] Password-protected .zip file viruses

2004-03-03 Thread Mitch (WebCob)
But...

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Chris
> Meadors
> Sent: Tuesday, March 02, 2004 11:44 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Password-protected .zip file viruses
>
>
> Paul Boven wrote:
>
> > How about only trying every word in the mail-body as a key to try,
> > instead of brute-forcing? The virus(-writer) cannot afford to fudge the
> > password in the mail-body: One would hope that the subset of users that
> > is clever enough to reconstruct the password, yet stupid enough to use
> > that to open it, is small enough to make the virus unviable.

The problem is that the virus could send an HTML message... in an HTML
message, character encodings, fonts with small spaces between, etc. could be
enough to fool software but not a human:

For example (don't take this too literally):

the password is
d o gg y

will look like doggy

m/





RE: [Clamav-users] password-protected Worm.Bagle.H

2004-03-03 Thread Mitch (WebCob)
That's got my vote - can the core team give some indication of options being
considered and what general direction we'll go here?

Thanks.

m/

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Andy Dills
> Sent: Tuesday, March 02, 2004 11:05 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] password-protected Worm.Bagle.H
>

I think clamav should return a certain value if the zip file is deemed
clean because it's encrypted, so that glue programs like amavisd-new can
allow people to control when encrypted zips are allowed through. This is a
reasonable thing for clamav to do regardless, if you think about it;
isn't that essentially an error condition ("can't scan zipfile")?

It would seem a simple fix for somebody familiar with the code.
Developers, any comments?

Thanks,
Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---







RE: [Clamav-users] Password-protected .zip file viruses

2004-03-02 Thread Mitch (WebCob)
My understanding of reliable zip password checking was that you needed two
or more files encoded with the same password in the archive to allow a good
check...

Maybe I'm wrong on that, but still I'd rather a setting that allows me to
reject unscannable attachments. Preferably as mentioned before somehow by
user - if this was a command line argument "ignore unscannable archives" vs.
"reject unscannable archives".

m/

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Jesper
> Juhl
> Sent: Tuesday, March 02, 2004 5:55 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Password-protected .zip file viruses
>
>
> On Tue, 2 Mar 2004, Charlie Watts wrote:
>
> > Clearly the virus DB maintainers are inundated with password-protected
> > .zip files with viruses inside.
> >
> > I think I understand the technical impossibility of making a
> signature for
> > these - the .zip header is the same, and then the filenames inside are
> > randomized, as is the password, and thus the encrypted body has nothing
> > recognizable - so there isn't anything available to make a signature off
> > of.
> >
>
> What I'm thinking is; Would it be feasible to add an option to attempt to
> brute-force-crack the passwords on zip files when scanning them?
> Yes, it would slow down scanning immensely, and there's *no* way it should
> ever be a default option, but zip file passwords are /reasonably/ simple to
> crack, so it is doable (although it takes time)...
>
> I could whip some code together for this if it has any interest at all...
>
>
> --
> Jesper Juhl <[EMAIL PROTECTED]>
> Systems Administrator, Danmarks Idræts-Forbund / The Danish
> Sports Federation
> Please don't top-post
> http://www.catb.org/~esr/jargon/html/T/top-post.html
> Please send plain text emails only
> http://www.expita.com/nomime.html
>
>
>





RE: [Clamav-users] password-protected Worm.Bagle.H

2004-03-02 Thread Mitch (WebCob)


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Diego
> d'Ambra
> Sent: Tuesday, March 02, 2004 4:55 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Clamav-users] password-protected Worm.Bagle.H
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:clamav-users-
> > [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> > Sent: 2. marts 2004 13:15
> > To: [EMAIL PROTECTED]
> > Subject: Re: [Clamav-users] password-protected Worm.Bagle.H
> >
> > Suggestions?  There are really easy ways for the virus writer to
> > circumvent this type of check but until they start utilizing such
> > strategies, is it possible to include the zip's crc into ClamAV's
> sigs?
> >
>
> From the (unzipped) samples I've access to they differ in size, so MD5
> or other checksums are useless.
>
> Best regards,
> Diego d'Ambra

Seeing how quickly this could get out of hand, and how hard it would be to
write code to "read" the password from the mail - how about a simple option
that allows full rejection of password encrypted archives - or optional
(based on db lookup) but I'm probably hoping too much there...

I run virtual users out of a mysql database - the user emails are in one
field - options controlling mail handling are in others ('Y' / 'N' enums).

Being able to control this would be ideal, but being able to outright reject
them would be an improvement.

Another tack on this might be accomplished through procmail / maildrop if
unzip will report if archived files are in fact password protected... does
anyone know if there is a way to list passworded file besides trying to
extract them?

Just a few thoughts - as always thank you for the excellent tool

m/
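Andy's request above for a distinct "can't scan" status, Mitch's "ignore" versus "reject unscannable archives" switch in the 2004-03-02 thread, and his question here about listing passworded members without extracting them can all be answered from the ZIP headers themselves: every member carries a general-purpose bit flag, and bit 0 set means the member is encrypted, so the central directory alone tells a filter which members cannot be scanned. The following Python is an added example, not ClamAV's own code and not anything posted by the people in these threads; build_zip() hand-assembles a structural fixture (the 12 dummy bytes stand in for a ZipCrypto header, nothing is really encrypted), and the flag constant, status names and function names are this example's own choices.

```python
import io
import struct
import zipfile
import zlib

# General-purpose bit flag, bit 0 (ZIP APPNOTE 4.4.4): the member is encrypted.
ENCRYPTED_FLAG = 0x0001
LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_LEN = 30


def build_zip(entries):
    """Construct a minimal STORED archive in memory (constructed test fixture).

    entries: iterable of (name, data, encrypted).  For 'encrypted' members only
    the flag bit is set and a 12-byte dummy encryption header is prepended; this
    mimics the layout of a ZipCrypto archive, it is not real encryption.
    """
    body = io.BytesIO()
    central = []
    for name, data, encrypted in entries:
        raw_name = name.encode("ascii")
        flags = ENCRYPTED_FLAG if encrypted else 0
        stored = (b"\x00" * 12 + data) if encrypted else data
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = body.tell()
        # local file header: sig, version, flags, method, time, date, crc,
        # compressed size, uncompressed size, name length, extra length
        body.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                               crc, len(stored), len(data), len(raw_name), 0))
        body.write(raw_name + stored)
        # central directory header for the same member (points back at offset)
        central.append(struct.pack(
            "<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0, crc,
            len(stored), len(data), len(raw_name), 0, 0, 0, 0, 0, offset) + raw_name)
    cd_offset = body.tell()
    body.write(b"".join(central))
    cd_size = body.tell() - cd_offset
    # end of central directory record
    body.write(struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(central),
                           len(central), cd_size, cd_offset, 0))
    return body.getvalue()


def encrypted_members(zip_bytes):
    """List members flagged as encrypted, reading headers only (no extraction).

    zipfile parses the central directory; the local file header of each member
    is cross-checked because the two can disagree in a crafted archive, and
    either one claiming encryption means the content cannot be scanned.
    """
    names = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            central_enc = bool(zi.flag_bits & ENCRYPTED_FLAG)
            local = zip_bytes[zi.header_offset:zi.header_offset + LOCAL_HEADER_LEN]
            local_enc = False
            if len(local) == LOCAL_HEADER_LEN and local[:4] == LOCAL_HEADER_SIG:
                local_flags = struct.unpack_from("<H", local, 6)[0]   # flags at offset 6
                local_enc = bool(local_flags & ENCRYPTED_FLAG)
            if central_enc or local_enc:
                names.append(zi.filename)
    return names


def scan_verdict(zip_bytes):
    """Distinct statuses so the glue layer can decide: OK, ENCRYPTED or BADZIP."""
    try:
        encrypted = encrypted_members(zip_bytes)
    except zipfile.BadZipFile:
        return ("BADZIP", [])
    if encrypted:
        return ("ENCRYPTED", encrypted)
    return ("OK", [])


def should_quarantine(verdict, reject_unscannable):
    """The 'ignore' vs 'reject unscannable archives' switch from the thread;
    a malformed archive is just as unscannable as an encrypted one."""
    status, _ = verdict
    return status in ("ENCRYPTED", "BADZIP") and reject_unscannable
```

encrypted_members() reads the local file header of each member as well as the central directory and treats either flag as encrypted, because the two headers can disagree in a malformed archive and a filter that trusts only one of them has a blind spot; a parse failure is reported as BADZIP and governed by the same ignore/reject policy. Current ClamAV releases expose an equivalent switch (clamscan --alert-encrypted, AlertEncrypted in clamd.conf), so a glue layer today can rely on the scanner's own verdict instead of a pre-check like this one.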





[Clamav-users] Submission to virusbtn.com and AV-test.org?

2004-02-24 Thread Mitch (WebCob)
I was looking for reviews on virus protection quality as well as response
time...

Helen, the editor of virusbtn.com says as far as she knows, Clam AV has
never been submitted for review.

I asked for details on the process, and ask here if there is any reason NOT
to submit to various reviewers - don't want to step on toes, but I figure
the broader range of support we can get for the project, the faster our
response times will be to detecting virii in the wild etc.

I was given a pdf of a response time article written by Andreas
Marx at AV-test.org, but on a side note, she thinks he was unofficially
stating that Clam AV had only a 56% detection rate of virii in the wild -
I'd say my experience is better, perhaps this is someone to chat with?

Don't want to step on toes, so I thought I'd ask before I kept digging.

Thanks!

m/





RE: [Clamav-users] 2 questions - virus naming convention & virus information

2004-02-21 Thread Mitch (WebCob)
Ahhh - Anyone have any idea who someone is?

Practically speaking, I'm a very happy camper with Clam AV - one could say
I'm happy AS a Clam ;-) But I'd rather contact this individual and ask him
what his status is / subscribe with him for an update than try to filter it
from this list (I know I'll miss it)

I wonder if eventually someone windowsish will work on a scanner to offer an
alternative on the desktop to the various forms of existing extortion ;-)

Thanks again guys...

m/

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Peter
> Bonivart
> Sent: Saturday, February 21, 2004 2:19 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] 2 questions - virus naming convention &
> virus information
>
>
> Mitch (WebCob) wrote:
> > 1) Does the ClamAV system use a common naming convention? Where
> does it come
> > from? By this I mean I think I see other virus detection
> software using the
> > same names for things - how is this agreed upon?
>
> Usually the team uses the same, or similar, name as the commercial
> scanner that caught it first but lately Clam has been first to detect
> new viruses (great!) so they had no names for them and had to make them
> up. This has happened to SCO.A (MyDoom.A), YoursID (Bagle.B) and
> SomeFool (Netsky.B). Any confusion is cleared up on this list quickly.
>
> The commercials also use this way of naming, it's just that they don't
> bother (know?) about non-commercial alternatives so if Clam is first
> they name it after the first commercial anyway.
>
> > 2) Is there a Clam source for virus information? I'd like to
> tie my filter
> > to a status page that would link users to information on what
> is currently
> > hitting us and what it was capable of... When I search
> individual names on
> > google I see different databases online listing and describing
> the virii,
> > but I don't know which are to be considered authoritative...
>
> Someone is working on a web site with cross references between Clams
> naming and the commercials. That's all that is needed really, since
> several of them have nice info regarding every virus. I guess they will
> post here when they have something to share about the web site.
>
> --
> /Peter Bonivart
>
> --Unix lovers do it in the Sun
>
> Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
> SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2
>
>
>





[Clamav-users] 2 questions - virus naming convention & virus information

2004-02-20 Thread Mitch (WebCob)
1) Does the ClamAV system use a common naming convention? Where does it come
from? By this I mean I think I see other virus detection software using the
same names for things - how is this agreed upon?

2) Is there a Clam source for virus information? I'd like to tie my filter
to a status page that would link users to information on what is currently
hitting us and what it was capable of... When I search individual names on
google I see different databases online listing and describing the virii,
but I don't know which are to be considered authoritative...

Any thoughts?

Thanks and kudos on a most excellent project.

I'm running a custom perlfilter with courier-mta -- if anyone is looking for
something like this, I will share the source. I can't take credit for it,
but the original author didn't sign the source - I had to change it to
update it, and added some logging, works well - simpler than amavis, etc.

Thanks!

m/


