RE: [Clamav-users] Idea for more timely virusdb updates
> I've already mentioned this jokingly, but I was half serious: I think
> setting up a bittorrent would solve a lot of the bandwidth problems.

Been playing with that a bit recently - the more I think about it, the more I like it... saw a website that has built a custom tracker to manage leeches, and prevent people (regardless of client) from sponging without contributing...

The old way could remain, for offline / intermittently or heavily firewalled users...

The addition of DNS version management could reduce overhead bandwidth that occurs during useless polls...

The new way could provide higher frequency updates for those willing to share and contribute some bytes.

m/

___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
RE: [Clamav-users] Idea for more timely virusdb updates
> The mirror page talks about the need for mirrors, about exponential growth,
> and how at least a 10mbit pipe is needed to host a mirror. It puts March
> 2004 traffic at about 120gig/month

I think I read it differently... I thought it was 120GB / month per mirror (at that point in time there were 11 mirrors!)

QUOTE (http://www.clamav.net/doc/mirrors/clamav-mirror-howto.txt)
Without mirrors, the traffic on our main site was 100GB/month (May 2003). On Feb 2004 the traffic on each mirror (11 in total) reached 120GB/month.
END QUOTE

Not sure if I read it wrong, but that would put total consumption about 1320 GB - makes it more urgent doesn't it?

Unfortunately the round robin - no limits nature makes the "entry price" for people who want to help too high for some. I wonder in the short term if there is a way to create a lower % hit mirror which could say take 10% of the normal average... at 12GB / month there might be more takers

m/
Re: [Clamav-users] Idea for more timely virusdb updates
In a perfect world, wouldn't this be the ultimate application for say, multicast? Just keep casting the database over and over, when it changes, you instantly have it! ;-)

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = 1E02 DABE F989 BC03 3DF5 0E93 8D02 9D0B CB1A A7B0

Press Ctrl-Alt-Del now for IQ test.
Re: [Clamav-users] Idea for more timely virusdb updates
OK, here's my pitch

I like the DNS idea as a way to push out just the version number of the update. This "pattern serial number" would be the current version of the CVD file. A record like this in tinydns:

    'dbversion.clamav.net:447:600

would create a DNS TXT record for "dbversion.clamav.net" with a value of "447" with a TTL of 600 sec (10 minutes). I see no point in any more information being recorded.

If freshclam were to initially do that DNS lookup, it could afford to look every 10 minutes instead of hourly, and would dramatically cut down on the amount of HTTP (or any other TCP) transactions required.

I think all the comments about using SMTP or NNTP suffer the same problem as HTTP - they are nowhere near as fast or as natively "multicast" as DNS is - oh yeah - and it's UDP too. DNS natively "shares the load", whereas all other "load sharing" solutions would have to be created.

So I'd envisage freshclam doing the DNS lookup, and if the "pattern number" TXT record returned is *different* (not smaller! DNS cache poisoning can affect this solution, so just choose DIFFERENT) than the current "pattern number", then it should check for an update. This has the advantage that it could just be a new bit of code added in front of the existing freshclam code.

The TTL > 0 allows you to even cut down the load on the primary DNS servers. The ClamAV team should make a "policy" saying people aren't allowed to check for updates more often than every "TTL" seconds and this within freshclam would enforce it.

Just my 2c worth

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
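Added example (not part of the original thread and not ClamAV or freshclam code): a sketch of the polling logic proposed in the message above, where the DNS TXT value is only an untrusted hint and the decision to install rests on the signed database and its version. HMAC-SHA256 with a constructed key stands in for the RSA signature on *.cvd files, and the names Updater, SignedDb, MIN_POLL and MAX_POLL are assumptions made for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key. HMAC-SHA256 is a stand-in for the RSA signature on
# *.cvd files so that the example runs with the standard library only.
DEMO_KEY = b"constructed-demo-key"
MIN_POLL = 60      # assumed floor in seconds, so a TTL of 0 cannot cause a poll storm
MAX_POLL = 3600    # assumed ceiling, so a forged huge TTL cannot freeze updates


@dataclass(frozen=True)
class SignedDb:
    version: int
    payload: bytes
    tag: bytes


def _message(version: int, payload: bytes) -> bytes:
    # The version is part of the signed data, not a label beside it.
    return str(version).encode() + b":" + payload


def sign_db(version: int, payload: bytes) -> SignedDb:
    """Publisher side (constructed): sign version and payload together."""
    tag = hmac.new(DEMO_KEY, _message(version, payload), hashlib.sha256).digest()
    return SignedDb(version, payload, tag)


def verify_db(db: SignedDb) -> bool:
    expected = hmac.new(DEMO_KEY, _message(db.version, db.payload), hashlib.sha256).digest()
    return hmac.compare_digest(expected, db.tag)


class Updater:
    def __init__(self, installed: int, resolve_txt, fetch_db):
        self.installed = installed
        self.resolve_txt = resolve_txt   # () -> (txt_value, ttl_seconds), untrusted
        self.fetch_db = fetch_db         # () -> SignedDb, from an untrusted mirror
        self.next_poll = 0.0

    def poll(self, now: float) -> str:
        if now < self.next_poll:
            return "skipped-ttl"         # the "no more often than TTL" policy
        txt, ttl = self.resolve_txt()
        self.next_poll = now + min(max(ttl, MIN_POLL), MAX_POLL)
        if txt.strip() == str(self.installed):
            return "current"
        # Hint differs (higher or lower): go and check, but trust only the
        # signed file that comes back.
        db = self.fetch_db()
        if not verify_db(db):
            return "rejected-signature"
        if db.version <= self.installed:
            return "rejected-not-newer"  # validly signed but old: a replay
        self.installed = db.version
        return "updated"


def run_demo():
    """Scripted run over constructed hints and databases; returns (outcomes, installed)."""
    genuine = sign_db(447, b"sigs-447")
    state = {"hint": ("447", 600), "db": genuine}
    up = Updater(446, lambda: state["hint"], lambda: state["db"])
    out = [up.poll(0), up.poll(300), up.poll(600)]

    # Poisoned DNS answer with an absurd TTL, plus a replayed older database.
    state["hint"] = ("440", 10**9)
    state["db"] = sign_db(440, b"sigs-440")
    out.append(up.poll(1200))

    # Forged hint plus a database whose version field was altered after signing.
    state["hint"] = ("448", 600)
    state["db"] = SignedDb(448, genuine.payload, genuine.tag)
    out.append(up.poll(4800))
    return out, up.installed


if __name__ == "__main__":
    print(run_demo())
```

The poisoned answer at t=1200 costs one wasted download and the TTL cap brings the client back at t=4800; the installed version never moves backwards.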
Re: [Clamav-users] freshclam security
On Wednesday, 11 August 2004 01:58, Tomasz Kojm wrote:

Hi,

> > Is there any "serial number" feature?
>
> Yes, there is.

And I can assume that freshclam looks at the serial number and never does a downgrade?!

Yours,
-- martin

Dipl.-Phys. Martin Konold
e r f r a k o n
Erlewein, Frank, Konold & Partner - Beratende Ingenieure und Physiker
Nobelstrasse 15, 70569 Stuttgart, Germany
fon: 0711 67400963, fax: 0711 67400959
email: [EMAIL PROTECTED]
[Clamav-users] Where to download latest virus samples
Where can I download samples of the new virus and test my ClamAV?

TIA,
Zoong
Re: [Clamav-users] freshclam security
On Wed, 11 Aug 2004 03:36:50 +0200 Martin Konold <[EMAIL PROTECTED]> wrote:

> On Wednesday, 11 August 2004 01:18, Tomasz Kojm wrote:
>
> Hi,
>
> > > I am wondering how authenticity and integrity of clamav updates is
> > > handled.
> >
> > All *.cvd databases are digitally signed (signatures use 1024 bit
> > RSA key with MD5 hash).
>
> How does this protect from "replaying" old patterns?
>
> Is there any "serial number" feature?

Yes, there is.

--
Tomasz Kojm <[EMAIL PROTECTED]>
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Wed Aug 11 01:58:10 CEST 2004
Re: [Clamav-users] Idea for more timely virusdb updates
Jeremy Kitchen wrote:

> On Tuesday 10 August 2004 02:41 pm, Damian Menscher wrote:
> [snip: using a program delivery to process update mailing list mails]
> > With sendmail, you could add to /etc/aliases something like:
> > clamav-updates | sigtool --add
>
> that's the ticket.

And a cool little DOS tool. Nothing like a well-known email address for a little fun having. I imagine the blackhats will slam that rather quickly.

dp
Re: [Clamav-users] Idea for more timely virusdb updates
Jeremy Kitchen wrote:

> or scrap the whole idea all together :)

Maybe the best thing written on the subject today! ;-) j/k

But really, what's the problem? Shouldn't "big time folks" complain to the commercial companies to whom they pay for service and still they got updates later than Clam? Instead hundreds of mails are written here with one "solution" more far out than the other. Please, I *think* you might have caught the attention of the developers by now so please let them think about this for a moment.

They still beat everyone else so I just want to say thank you. Everything works great! In combination with MailScanner which checks inside zip files and blocks executables I stopped all the viruses even before Clam was updated.

From what I have seen from reading this list for some time many of you seem to rely too heavily on too few layers of protections. Maybe that's why you "must" have the updates immediately with no regard to server load or maybe I missed the solution that took care of that one too in the flood of mail.

Premium servers for a fee is the best solution I have seen so far.

No offence meant to anyone in particular.

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.32.5, SpamAssassin 2.63 + DCC 1.2.50, ClamAV 0.75.1 + GMP 4.1.2, Vispan 1.4
Re: [Clamav-users] freshclam security
On Wednesday, 11 August 2004 01:18, Tomasz Kojm wrote:

Hi,

> > I am wondering how authenticity and integrity of clamav updates is
> > handled.
>
> All *.cvd databases are digitally signed (signatures use 1024 bit RSA
> key with MD5 hash).

How does this protect from "replaying" old patterns?

Is there any "serial number" feature?

Yours,
-- martin

Dipl.-Phys. Martin Konold
e r f r a k o n
Erlewein, Frank, Konold & Partner - Beratende Ingenieure und Physiker
Nobelstrasse 15, 70569 Stuttgart, Germany
fon: 0711 67400963, fax: 0711 67400959
email: [EMAIL PROTECTED]
Re: [Clamav-users] freshclam security
On Tue, 10 Aug 2004 20:08:27 +0200 Martin Konold <[EMAIL PROTECTED]> wrote:

> Hi,
>
> I am wondering how authenticity and integrity of clamav updates is
> handled.

All *.cvd databases are digitally signed (signatures use 1024 bit RSA key with MD5 hash).

--
Tomasz Kojm <[EMAIL PROTECTED]>
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Wed Aug 11 01:15:15 CEST 2004
Re: [Clamav-users] Idea for more timely virusdb updates
On Tuesday 10 August 2004 02:41 pm, Damian Menscher wrote:

[snip: using a program delivery to process update mailing list mails]

> With sendmail, you could add to /etc/aliases something like:
> clamav-updates| sigtool --add

that's the ticket.

> Anyone know if it's really feasible for us to obtain a mailserver that
> can send out 2k emails to all (100,000?) users in a short (5-10 mins)
> time? Assuming those numbers are reasonable, that means 200 meg of
> data. Combined with SMTP overhead, it seems like it would be
> troublesome. Additionally, there are potential bandwidth issues if you
> consider we'd need to do that several times/day.

well, I would think this would be an 'optional' thing you could do, or maybe part of a 'premium' service provided for a fee. As Jef mentioned, most small time folks are perfectly happy with hourly updates in a pull configuration.

> Updating the "main" database is one concern. Sending out a 2-meg email
> to everyone seems like it might be too much load, but sending out the 1K
> email telling everyone to get it means the mirrors will get swamped. I
> can't think of a way around this, but hopefully someone else can?

well, I would hope that while also grabbing these daily.cvd updates via email, that the admin is also running freshclam (perhaps less frequently now that he/she only needs to check main.cvd once a day) to grab the main.cvd and doesn't need notification for it.

Forgive my ignorance if I'm not interpreting the role of the main/daily.cvd files correctly:

main.cvd: updated daily with all of the updates done to daily.cvd throughout the day
daily.cvd: 0sec updates to the database, get rolled into main.cvd nightly

> Also, this doesn't give much provision for removing "bad" signatures
> (that cause false positives) since it really just appends rules. We'd
> need to figure out a way to delete signatures also. I could imagine
> doing this by including a "null" signature, or using some other flag.

true. perhaps the first line of the email could be a command, and a simple sh/perl/c program could parse it and then call the proper commands to add or remove the signature that follows.

> Finally, there's the whole issue of multiplying your points of failure.
> If your current database is screwed, appending more to it will leave it
> screwed. And if you add stuff to it a few times a day, chances are it
> will get screwed up at some point. At least this issue has a simple
> fix: include an MD5 sum with the update which must match your MD5 sum
> after applying the update. If they don't match, you know something went
> wrong, either with this update or a previous one. (This has the danger
> that if the developers send an email with an incorrect MD5 hash,
> everyone will thrash the mirrors.)

eek.

> Note to the developers: please don't feel like you have to code up any
> of our random ideas. I'm just having fun brainstorming about how to
> optimize this process. I expect in another few days of discussion we'll
> have converged on a fairly sane idea.

or scrap the whole idea all together :)

-Jeremy

--
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
[EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 847.492.0470 int'l
kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail
Re: [Clamav-users] Idea for more timely virusdb updates
On Tue, Aug 10, 2004 at 10:39:19PM +0200, Peter J. Holzer wrote:

> On 2004-08-10 14:41:28 -0500, Damian Menscher wrote:
[... about sending clamav updates quickly to all subscribers]
> > Anyone know if it's really feasible for us to obtain a mailserver that
> > can send out 2k emails to all (100,000?) users in a short (5-10 mins)
> > time?
>
> How about using NNTP instead of SMTP? Then the clamav server doesn't

Why use such an old protocol that isn't suited to binary transfers.

I've already mentioned this jokingly, but I was half serious: I think setting up a bittorrent would solve a lot of the bandwidth problems.

You would need some place to get the daily.cvd.torrent file, which seems to be about 170 bytes when I tried creating one yesterday (Small enough to fit base64-encoded in a DNS TXT record, if you insist, but I doubt that that is prudent to rely upon).

Then you'd need a decent tracker, or a bunch of trackers, and at least one seeder per tracker. I guess that the current db.*.clamav.net hosts can easily host both a tracker and a seeder.

If you then distribute a downloading client that keeps seeding for just 1 hour (or until a preset share ratio was reached, say, 10x), you would very quickly take a HUGE load off the download servers... and everyone using clamav would automatically help the project by donating bandwidth for the updates.

P2P - it's not just for downloading pirated Metallica mp3s.

HTH,

--
Jan-Pieter Cornet
Re: [Clamav-users] Idea for more timely virusdb updates
On Tue, 2004-08-10 at 12:40, Christopher X. Candreva wrote:

> If people can't check for database updates more often than once an hour,
> then there is a pressing need.
[...]
> If only 1.3% of every update is actually needed, and people only downloaded
> what they needed, the traffic on the mirrors would drop from 120gig/month to
> 1.6 gig/month.
>
> If I am completely off by a factor of 10 -- say only 10% of every update
> is actually needed, traffic on the mirrors drops from 120gig to 12gig.

That's one of the things that seems to be driving the size of daily.cvd up - updating main.cvd entails a massive distribution of files to the world.

Perhaps a tiered approach to the update files, with main.cvd, monthly.cvd, weekly.cvd, daily.cvd, and hot.cvd

The advantage there is that the really big update could be distributed very seldom - perhaps only with new code (the code generally has to be upgraded every few months to deal with a new threat anyway). If you had overlapping signatures between the files, you could add a fuzzy-factor into freshclam that it might not bring down the latest weekly/monthly if the other files overlap completely. That would distribute the load on the freshclam servers for the larger updates, and there would just be the very small daily.cvd (and perhaps hot.cvd) downloads.

I like the idea of using DNS to signal the change - maybe just for hot.cvd. so, whenever a major virus breakout occurs, the new sig would be added to hot.cvd and the DNS TXT record changed. 10,000 users pulling down a 2-3K file is not terribly hard for a server with decent bandwidth

--
Daniel J McDonald, CCIE 2495, CNX
Austin Energy
Re: [Clamav-users] Idea for more timely virusdb updates
Christopher X. Candreva wrote:

This thread on Trojan.JS.RunMe had me thinking: Hourly virus updates is better than any of the commercial virus scanners, but obviously still has issues, especially since a bunch of us obviously submitted updates that had already been entered. I gather from these posts that the virusdb's actually have some form of version number.

This could actually be easily accomplished also by attaching a soa record to a zone ... for example dbversion.clamav.net

Incrementing the serial for that should be trivial enough. Writing a mechanism to rapidly query against it and then to invoke a freshclam is left as an exercise to the reader.

Presumably then the lists of Nameservers for that particular zone would be expanded to about 10 or more. Notification from whatever master zone server could be trivially accomplished on that.

We should probably consider that the load balancing of all those end users/isp's DNS resolvers may not be all it can be, particularly the selection of which nameserver to talk to out of many for a particular zone.

Anyways I did a dig

Aren't CNAMEs that Point to CNAMEs contrary to RFC? Might that be behind the infrequent dns resolution complaints?

Also... Is there any single name that covers ALL mirrors?

Also Any insight as to how the { presumably dynamic } selection to alias the db-local to db.america is done?

    c:\Documents and Settings\joe.JOE.000>dig database.clamav.net

    ; <<>> DiG 9.2.3rc3 <<>> database.clamav.net
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 15, AUTHORITY: 5, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;database.clamav.net.           IN      A

    ;; ANSWER SECTION:
    database.clamav.net.    5       IN      CNAME   db.local.clamav.net.
    db.local.clamav.net.    7200    IN      CNAME   db.america.clamav.net.
    db.america.clamav.net.  5       IN      A       128.121.60.235
    db.america.clamav.net.  5       IN      A       196.40.71.226
    db.america.clamav.net.  5       IN      A       199.239.233.95
    db.america.clamav.net.  5       IN      A       200.68.106.39
    db.america.clamav.net.  5       IN      A       24.244.193.21
    db.america.clamav.net.  5       IN      A       38.136.139.7
    db.america.clamav.net.  5       IN      A       64.18.103.6
    db.america.clamav.net.  5       IN      A       64.69.64.158
    db.america.clamav.net.  5       IN      A       65.75.154.69
    db.america.clamav.net.  5       IN      A       65.77.42.207
    db.america.clamav.net.  5       IN      A       66.139.75.171
    db.america.clamav.net.  5       IN      A       67.18.205.218
    db.america.clamav.net.  5       IN      A       69.93.108.98

    ;; AUTHORITY SECTION:
    clamav.net.             7200    IN      NS      ns5.clamav.net.
    clamav.net.             7200    IN      NS      ns1.oltrelinux.com.
    clamav.net.             7200    IN      NS      ns2.clamav.net.
    clamav.net.             7200    IN      NS      ns3.clamav.net.
    clamav.net.             7200    IN      NS      ns4.clamav.net.

    ;; ADDITIONAL SECTION:
    ns1.oltrelinux.com.     38516   IN      A       194.242.226.43
    ns5.clamav.net.         153717  IN      A       80.69.66.9

    ;; Query time: 671 msec
    ;; SERVER: 64.95.32.37#53(64.95.32.37)
    ;; WHEN: Tue Aug 10 16:40:04 2004
    ;; MSG SIZE rcvd: 429
Re: [Clamav-users] Idea for more timely virusdb updates
On 2004-08-10 14:41:28 -0500, Damian Menscher wrote:

> On Tue, 10 Aug 2004, Jeremy Kitchen wrote:
> > On Tuesday 10 August 2004 12:23 pm, Damian Menscher wrote:
> > > Ok, this is turning into a scary beast. But we already have several
> > > mailing lists (clamav-users, for example) which can obviously handle a
> > > bit of a load. Might be interesting to concoct a specially-formatted
> > > message that the milter (or clamd itself) could recognize as a database
> > > update, and automatically append to its list of signatures.
[...]
> Before people get too excited about this idea, though, there are some
> issues that need to be fixed.
>
> Anyone know if it's really feasible for us to obtain a mailserver that
> can send out 2k emails to all (100,000?) users in a short (5-10 mins)
> time?

How about using NNTP instead of SMTP? Then the clamav server doesn't have to push out those messages to everybody but only to its neighbours which will distribute it further.

hp

--
Peter J. Holzer
Sysadmin WSR
[EMAIL PROTECTED]
http://www.hjp.at/

The further north you go, the less people speak at all, and so no dialect either. Hallig Gröde is almost entirely dialect-free.
-- Hannes Petersen in desd
Re: [Clamav-users] Idea for more timely virusdb updates
On Tue, 10 Aug 2004, Damian Menscher wrote:

> Anyone know if it's really feasible for us to obtain a mailserver that
> can send out 2k emails to all (100,000?) users in a short (5-10 mins)
> time?

I haven't been following the whole discussion, but I thought this was mostly to provide support to "power users". I think the average small-time admin would be happy with the hourly updates.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
Re: [Clamav-users] Additional logging info.
On Tue, Aug 10, 2004 at 01:47:52PM -0400, Brett Simpson said:

> On Mon, 2004-08-09 at 22:21, Stephen Gran wrote:
> > Don't loop - make a more complicated data structure, like a multi level
> > hash (ugly pseudo-code to follow):
>
> Ok.
>
> > Just read the file once, fill in the bits as you go, and process the
> > whole thing at the end.
>
> I wrote this and it's much much faster. In fact the old way of looping
> through the file multiple times took a 1 minute and 20 seconds while the
> code below took 20 seconds.

It looks good. I might steal some of this to do reporting for some clients - do you mind?

--
Stephen Gran
[EMAIL PROTECTED]
http://www.lobefin.net/~steve

You will be awarded the Nobel Peace Prize... posthumously.
Re: [Clamav-users] Idea for more timely virusdb updates
On Tue, 10 Aug 2004, Jeremy Kitchen wrote:

> On Tuesday 10 August 2004 12:23 pm, Damian Menscher wrote:
> > Ok, this is turning into a scary beast. But we already have several
> > mailing lists (clamav-users, for example) which can obviously handle a
> > bit of a load. Might be interesting to concoct a specially-formatted
> > message that the milter (or clamd itself) could recognize as a database
> > update, and automatically append to its list of signatures.
>
> this is actually a pretty decent idea. I think it would be best to, rather
> than have clamd try to detect it, have a special address on the machine that
> processes the message via a program. Most MTAs I'm aware of (at least on the
> unix side) can do this, I know qmail can for sure.

Good idea. Taking it out of the milter allows for qmail/exim/postfix compatibility, and sending to a dedicated address saves the effort of processing every message (though presumably you're doing that anyway). With sendmail, you could add to /etc/aliases something like:

    clamav-updates | sigtool --add

Before people get too excited about this idea, though, there are some issues that need to be fixed.

Anyone know if it's really feasible for us to obtain a mailserver that can send out 2k emails to all (100,000?) users in a short (5-10 mins) time? Assuming those numbers are reasonable, that means 200 meg of data. Combined with SMTP overhead, it seems like it would be troublesome. Additionally, there are potential bandwidth issues if you consider we'd need to do that several times/day.

Updating the "main" database is one concern. Sending out a 2-meg email to everyone seems like it might be too much load, but sending out the 1K email telling everyone to get it means the mirrors will get swamped. I can't think of a way around this, but hopefully someone else can?

Also, this doesn't give much provision for removing "bad" signatures (that cause false positives) since it really just appends rules. We'd need to figure out a way to delete signatures also. I could imagine doing this by including a "null" signature, or using some other flag.

Finally, there's the whole issue of multiplying your points of failure. If your current database is screwed, appending more to it will leave it screwed. And if you add stuff to it a few times a day, chances are it will get screwed up at some point. At least this issue has a simple fix: include an MD5 sum with the update which must match your MD5 sum after applying the update. If they don't match, you know something went wrong, either with this update or a previous one. (This has the danger that if the developers send an email with an incorrect MD5 hash, everyone will thrash the mirrors.)

Note to the developers: please don't feel like you have to code up any of our random ideas. I'm just having fun brainstorming about how to optimize this process. I expect in another few days of discussion we'll have converged on a fairly sane idea.

Damian Menscher

--
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
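Added example (not part of the original thread and not ClamAV code): a sketch of the incremental update handler discussed in the message above and in Jeremy Kitchen's reply, with a command on the first line, ADD and DEL operations, and the MD5-after-apply check. The message layout, the sequence numbers, the status names and the sample signature lines are constructed for the illustration, and the message is assumed to have been authenticated (for example by a signature check) before it reaches this code.

```python
import hashlib

COMMANDS = {"ADD", "DEL"}


def db_digest(sigs):
    """MD5 over the sorted signature lines: the post-apply check from the thread."""
    return hashlib.md5("\n".join(sorted(sigs)).encode()).hexdigest()


def make_update(cmd, seq, sig, resulting_db):
    """Publisher side (constructed format): '<CMD> <seq> <md5-after>' then one signature line."""
    return f"{cmd} {seq} {db_digest(resulting_db)}\n{sig}\n"


def apply_update(db, last_seq, message):
    """Return (db, seq, status); db and seq change only when status is 'applied'."""
    lines = message.strip().splitlines()
    if len(lines) != 2:
        return db, last_seq, "malformed"
    header, sig = lines[0].split(), lines[1].strip()
    if (len(header) != 3 or header[0] not in COMMANDS
            or not header[1].isdigit() or "=" not in sig):
        return db, last_seq, "malformed"
    cmd, seq, expected = header[0], int(header[1]), header[2].lower()
    if seq <= last_seq:
        return db, last_seq, "duplicate"       # re-delivered or replayed mail
    if seq != last_seq + 1:
        return db, last_seq, "resync-gap"      # an update was missed
    candidate = set(db)                        # work on a copy, commit at the end
    if cmd == "ADD":
        candidate.add(sig)
    else:
        candidate.discard(sig)                 # removal of a false-positive signature
    if db_digest(candidate) != expected:
        return db, last_seq, "resync-digest"   # local db or the update is wrong
    return candidate, seq, "applied"


def resync_allowed(now, last_resync, min_gap=3600):
    """Limit full downloads so a bad digest in one mail cannot make clients hammer the mirrors."""
    return last_resync is None or now - last_resync >= min_gap


def run_demo():
    """Scripted run over constructed data; returns (statuses, final db, final seq)."""
    db = {"Worm.Example.A=aa11", "Trojan.Example.B=bb22"}
    seq, statuses = 100, []
    add_c = make_update("ADD", 101, "Worm.Example.C=cc33", db | {"Worm.Example.C=cc33"})
    messages = [add_c]
    after_add = db | {"Worm.Example.C=cc33"}
    messages.append(make_update("DEL", 102, "Trojan.Example.B=bb22",
                                after_add - {"Trojan.Example.B=bb22"}))
    messages.append(add_c)                                             # replay
    messages.append(make_update("ADD", 104, "Worm.Example.D=dd44", set()))  # gap
    messages.append("ADD 103 " + "0" * 32 + "\nWorm.Example.D=dd44\n")  # bad digest
    messages.append("FROB 103 abc\nx=y\n")                             # unknown command
    for msg in messages:
        db, seq, status = apply_update(db, seq, msg)
        statuses.append(status)
    return statuses, sorted(db), seq


if __name__ == "__main__":
    print(run_demo())
```

Both resync statuses mean "fetch the full database through the normal channel"; resync_allowed spaces those fetches out, which addresses the concern that one mail with a wrong hash would send every client to the mirrors at once.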
Re: [Clamav-users] Trojan.JS.RunMe?
Jason Haar wrote:

> On Mon, Aug 09, 2004 at 04:44:23PM -0500, Steven Stern wrote:
> > As usual, ClamAV's name came out too soon The standard naming seems to
>
> Yes - well done. ClamAV had updates for this virus hours before they started
> hitting our site. I also want to point out that the two commercial AV
> systems we also use both didn't get updates out for at least 2-3 hours after
> ClamAV. Amazing what a bunch of "volunteers" can do vs a large multi-billion
> dollar industry :-)

The big guys also provide the anti-venom for already infected systems. I've often wondered if they delay patterns until they have a remover ready. I remain very impressed with the response of this team.

dp
Re: [Clamav-users] Idea for more timely virusdb updates
On Tuesday 10 August 2004 04:57 am, Jeremy Kitchen wrote:

> Tomasz, et al.: Please expect to see an email from me by the end of the
> work day tomorrow (or rather, today, but I haven't slept yet)

sigh, and after saying that I now have tons of work to do so I won't be able to get this email to you guys until later. I will send it though :)

-Jeremy

--
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
[EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 847.492.0470 int'l
kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail
Re: [Clamav-users] Idea for more timely virusdb updates
On Tuesday 10 August 2004 12:23 pm, Damian Menscher wrote:
> Ok, this is turning into a scary beast. But we already have several
> mailing lists (clamav-users, for example) which can obviously handle a
> bit of a load. Might be interesting to concoct a specially-formatted
> message that the milter (or clamd itself) could recognize as a database
> update, and automatically append to its list of signatures.

this is actually a pretty decent idea. I think it would be best to, rather than have clamd try to detect it, have a special address on the machine that processes the message via a program. Most MTAs I'm aware of (at least on the unix side) can do this, I know qmail can for sure.

> I'd imagine a format something like:

[snip email message for the update]

> Doing something like this would push a lot of the distribution load onto
> sourceforge (which seems to get messages out to this list in about 1/2
> hour).

for something like this I wouldn't use sourceforge's mail servers :P They're already bogged down as it is, us adding load to them like this would be bad, and the notifications would eventually get slower, and slower, and slower... having a dedicated list server for this purpose would be the best.

> The gpg-signature prevents spoofing. And the sequence numbers
> keep everyone current. The major problems I see are getting clamd to
> recognize a message targeted for it, and the obvious problems of DoS
> attacks (someone sending spoofed messages that would suck CPU time
> decoding the gpg signature).

yes, that's an unfortunate problem with this idea, however, if you used, as I stated, a special address that uses program delivery, you'd have to hack the listserver to get everyone's 'subscription' address to be able to do this.

> Anyway, just another wild-n-crazy idea to throw out there. I'm guessing
> we're better off with the current method for now, but this might be an
> interesting possibility for the future.

it definitely is interesting.

> [I haven't given up on DNS updates yet, but it's hard to come up with a
> clean way to distribute >256 bytes of data that way, which means even
> single rules don't always fit.]

I wouldn't distribute the rule in DNS, however, a timestamp of sorts in dns isn't a bad idea.

-Jeremy

--
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
[EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 847.492.0470 int'l
kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail
Re: [Clamav-users] Additional logging info.
On Mon, 2004-08-09 at 22:21, Stephen Gran wrote:
> Don't loop - make a more complicated data structure, like a multi level
> hash (ugly pseudo-code to follow):

Ok.

> Just read the file once, fill in the bits as you go, and process the
> whole thing at the end.

I wrote this and it's much much faster. In fact the old way of looping through the file multiple times took 1 minute and 20 seconds while the code below took 20 seconds.

#!/usr/bin/perl -w
print "Shows uniques hosts with a virus count over 10:\n";
open(FILE, "/var/log/maillog") or die "Cannot open /var/log/maillog: $!";
# Single pass: index every log line by sendmail message id.
while (<FILE>) {
    if (/(\d|\D)+sendmail\[(\d)+\]:\s((\w)+):(\d|\D)+\[(\d+\.\d+\.\d+\.\d+)\]/) {
        # sendmail line: remember the relay IP for this message id
        $ip_addr = $6;
        $message_id = $3;
        unless ( $ip_addr eq "127.0.0.1" ) {
            $email->{$message_id}->{ip_addr} = $ip_addr;
        }
    } elsif (/(\d|\D)+clamav-milter\[(\d)+\]:\s((\w)+):\sstream:\s(\d|\D+)virus(\d|\D)+/) {
        # clamav-milter line: remember the virus name for this message id
        $message_id = $3;
        $virus = $5;
        $email->{$message_id}->{virus} = $virus;
    }
}
close(FILE);
# %ip_addr counts hits per virus name, %virus counts hits per source IP.
foreach $message_id ( keys %{ $email } ) {
    if ( $email->{$message_id}->{virus} ) {
        $virus = $email->{$message_id}->{virus};
        $ip_addr = $email->{$message_id}->{ip_addr};
        $ip_addr{$virus}++;
        $virus{$ip_addr}++;
    }
}
sub hashValueDescendingNum { $ip_addr{$b} <=> $ip_addr{$a}; }
foreach $virus (sort hashValueDescendingNum (keys(%ip_addr))) {
    print "Count is $ip_addr{$virus} for $virus\n";
}
sub hashValueDescendingIp { $virus{$b} <=> $virus{$a}; }
foreach $ip_addr (sort hashValueDescendingIp (keys(%virus))) {
    if ($virus{"$ip_addr"} >= "10") {
        print "Count is $virus{$ip_addr} for $ip_addr\n";
    }
}
Re: [Clamav-users] Idea for more timely virusdb updates
On Tue, 10 Aug 2004, Lionel Bouton wrote:
> > Another possibility might be to patch the .cvd file(s)
> >
>
> That was one proposition I made last year. But in practice it seems there
> isn't really a pressing need now.

If people can't check for database updates more often than once an hour, then there is a pressing need.

The mirror page talks about the need for mirrors, about exponential growth, and how at least a 10mbit pipe is needed to host a mirror. It puts March 2004 traffic at about 120gig/month

Some quick calculations: daily.cvd is about 150k compressed, 334k uncompressed -- let's say 50%. Grepping the viruses added for update 447 gave me about 3k uncompressed -- so let's say 2k compressed, on the outside. For 2k of update, everyone downloaded 150k. That shows (at least for that update) only 1.3% of what was downloaded was needed.

If only 1.3% of every update is actually needed, and people only downloaded what they needed, the traffic on the mirrors would drop from 120gig/month to 1.6 gig/month. If I am completely off by a factor of 10 -- say only 10% of every update is actually needed, traffic on the mirrors drops from 120gig to 12gig.

There are a lot of assumptions here, but I would think even reducing the load on the virus servers by half would be significant.

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
Re: [Clamav-users] Idea for more timely virusdb updates
On Tue, 10 Aug 2004, Bart Silverstrim wrote:
>
> Maybe like a modified GPG-signed listserv system only on it's own "clam
> update daemon" port...take a little more configuration since the people
> installing clam would have to subscribe and install a GPG key or
> something like that in the process, but that shouldn't be something
> back-breaking to figure out.

Ok, this is turning into a scary beast. But we already have several mailing lists (clamav-users, for example) which can obviously handle a bit of a load. Might be interesting to concoct a specially-formatted message that the milter (or clamd itself) could recognize as a database update, and automatically append to its list of signatures. I'd imagine a format something like:

---gpg-cleartext-signed-message---
BEGIN clamd update 24.449
Worm.bagle.zz CCCEEFEFKL..
Worm.SkyNet.zz 14445577 ...
END
---gpg-signature---
JDSLJGIREJIOJDGLSJLGHSLKJGLKSDJLKGJSLKJGIEJ*Y*G($Y*HHIO4k245j2jk
kdjaflkjkh325hjk35h2jkhkjhjkfdhjh42jkh345jk2h35jk2hkjhjkfhjskh32
fhjkhafdjhajk53h2jk5h3j2kh35jkhfay983489527938572035230398udfsfs
---end-signature---

When scanning stuff like this, clamd could automagically decode the gpg signature and test that it is valid. If so, it looks at the sequence number (24.449 in this case). If that's the next one in the series, it appends the rules to its database. If not, it assumes it lost a message somewhere and contacts a mirror via HTTP to get main 24 and daily 449.

Doing something like this would push a lot of the distribution load onto sourceforge (which seems to get messages out to this list in about 1/2 hour). The gpg-signature prevents spoofing. And the sequence numbers keep everyone current. The major problems I see are getting clamd to recognize a message targeted for it, and the obvious problems of DoS attacks (someone sending spoofed messages that would suck CPU time decoding the gpg signature).

Anyway, just another wild-n-crazy idea to throw out there. I'm guessing we're better off with the current method for now, but this might be an interesting possibility for the future.

[I haven't given up on DNS updates yet, but it's hard to come up with a clean way to distribute >256 bytes of data that way, which means even single rules don't always fit.]

Damian Menscher
--
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
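The receive-side logic described in the message above (check the signature, then apply the update only if its sequence number is the next in the series, otherwise fall back to a mirror), as an added example that is not part of the original post and not ClamAV code. Assumptions: HMAC-SHA256 with a constructed key stands in for GPG verification, the function names, size cap and return values are hypothetical, and the rule lines in any test message are constructed.

```python
import hashlib
import hmac
import re

MAX_MESSAGE_BYTES = 64 * 1024          # assumed cap, applied before any parsing
HEADER_RE = re.compile(r"^BEGIN clamd update (\d+)\.(\d+)$")
DEMO_KEY = b"constructed-demo-key"     # assumption: stand-in for a GPG key pair


def demo_sign(body):
    """Stand-in signer: HMAC-SHA256 over the signed body (NOT GPG)."""
    return hmac.new(DEMO_KEY, body.encode(), hashlib.sha256).hexdigest()


def demo_verify(body, signature):
    """Stand-in verifier; a real deployment would call GPG here."""
    return hmac.compare_digest(demo_sign(body), signature)


def build_message(main, daily, rules):
    """Build a constructed update message in the layout from the post."""
    body = "\n".join([f"BEGIN clamd update {main}.{daily}"]
                     + [f"{name} {sig}" for name, sig in rules] + ["END"])
    return "\n".join(["---gpg-cleartext-signed-message---", body,
                      "---gpg-signature---", demo_sign(body),
                      "---end-signature---"])


def parse_update(raw):
    """Return (main, daily, rules, signed_body, signature) or raise ValueError."""
    if len(raw.encode()) > MAX_MESSAGE_BYTES:
        raise ValueError("message too large")
    lines = raw.strip().splitlines()
    if not lines or lines[0] != "---gpg-cleartext-signed-message---":
        raise ValueError("missing start marker")
    sig_at = lines.index("---gpg-signature---")      # ValueError if absent
    end = lines.index("---end-signature---")
    if not sig_at < end:
        raise ValueError("markers out of order")
    body_lines = lines[1:sig_at]
    if len(body_lines) < 2 or body_lines[-1] != "END":
        raise ValueError("missing END line")
    header = HEADER_RE.match(body_lines[0])
    if not header:
        raise ValueError("bad BEGIN line")
    rules = []
    for line in body_lines[1:-1]:
        name, _, sig = line.partition(" ")
        if not name or not sig:
            raise ValueError("bad rule line")
        rules.append((name, sig))
    signature = "".join(lines[sig_at + 1:end])
    return (int(header.group(1)), int(header.group(2)), rules,
            "\n".join(body_lines), signature)


def process_update(raw, state, verify=demo_verify):
    """Return 'applied', 'ignored', 'resync' or 'rejected' and update state."""
    try:
        main, daily, rules, body, signature = parse_update(raw)
    except ValueError:
        return "rejected"
    # Cheap check first: stale or replayed sequence numbers are dropped
    # without paying for signature verification (the DoS concern in the post).
    if (main, daily) <= (state["main"], state["daily"]):
        return "ignored"
    # Anything that would change state or trigger a mirror fetch must verify.
    if not verify(body, signature):
        return "rejected"
    if main == state["main"] and daily == state["daily"] + 1:
        state["rules"].extend(rules)
        state["daily"] = daily
        return "applied"
    # Gap in the series: caller falls back to fetching main/daily over HTTP.
    return "resync"
```

A spoofed message carrying a future sequence number still costs one verification, so rate limiting at the delivery address is still needed alongside the ordering of these checks.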
Re: [Clamav-users] Idea for more timely virusdb updates
On Aug 10, 2004, at 5:57 AM, Jeremy Kitchen wrote:

Mitch (WebCob) wrote:

Just a few ideas...

hey, brainstorming is good, it's just the ideas aren't always ;)

Another stupid idea...how about a mechanism where clam can have updates "pushed" to it, so servers controlled by the clam team can distribute mini updates to them. The admins would have to subscribe to it, like a listserv, only instead of through email, it's done through this theoretical mechanism. There wouldn't be traffic spikes (as big) for times where there *aren't* updated db's available, only when there are updates, and the updates are sent out as the clam servers are able to handle the load.

Maybe like a modified GPG-signed listserv system only on it's own "clam update daemon" port...take a little more configuration since the people installing clam would have to subscribe and install a GPG key or something like that in the process, but that shouldn't be something back-breaking to figure out.

Maintenance would have to be done for the subscription mechanism, etc., like a listserv would, but it may be something that could be done. May even be extendable so that a master server for a network could receive the updates from the clam site (pushed from clamserv) then in turn be told to push them out to machines on the internal network. (I know this could already be set up, but it may be easier through this type of model to set up and maintain...)

I'm probably overlooking something obvious, but again...just an idea, right? :-)

-Bart
[Clamav-users] freshclam security
Hi,

I am wondering how authenticity and integrity of clamav updates is handled. Any pointer to some documentation available?

Yours,
-- martin

Dipl.-Phys. Martin Konold
e r f r a k o n
Erlewein, Frank, Konold & Partner - Beratende Ingenieure und Physiker
Nobelstrasse 15, 70569 Stuttgart, Germany
fon: 0711 67400963, fax: 0711 67400959
email: [EMAIL PROTECTED]
RE: [Clamav-users] Idea for more timely virusdb updates
> right, but as discussed below, generally bind servers don't have
> 100k people
> waiting for notifications and updates.
>

Nope, true... but like I suggested, the notification tree doesn't have to be flat...

One server notifying 10 servers is time consuming and sure - costs a lot of bandwidth...

Let's assume that each notify takes 5 seconds... we have to have SOMETHING to "measure"...

1 server notifying 10 servers takes 50 seconds. That's a little over a day to push the notification - bad idea ;-)

1 server notifying 100 servers, which each in turn notify 100 servers and so on...

1 to 100: 100 seconds
each of them notifying 100: 100 seconds (total notified 10100)
each of them notifying 100: 100 seconds (total notified 1010100!)
in 5 minutes!

That's 10 times your value of 10 servers.

Each server would only have to know about 100 others. Not a huge database - wouldn't even have to be written to file. Each server could be responsible for polling its master once per hour.

> > Hourly polls is a good thing - but if the system worked both ways, the
> > mirror could signal the end clients that it's time to download... those
> > notifies could be sent only to clients that had registered to receive it (an
> > option in freshclam) and would not push the data, but trigger a freshclam
> > pull.
>
> with that option, the 'clients' would either have to remain connected the
> entire time, which is completely not feasible, or somehow the database mirrors
> would have to either 'remember' who to notify, or have some sort of registry
> of people to notify (I can see how one might do this with a paid mirror
> service), and then send out notifications (even a single UDP packet to 100k
> servers could be quite bandwidth intensive. The architecture could work, yes,
> but it doesn't scale well, and I don't think the clamav team has the resources
> to do this sort of ass-kissing for free. They're already providing a
> wonderful service to the internet community, we cannot bite the hand that
> feeds us.

I wasn't proposing that it had to be done for free (not that it can't be with the factor tree I explained above). It might even reduce the cost of database distribution. If each server is only pushing 100 updates @ 200KB per update (2MB total) we can get 500 pushes per month for only a couple dollars.

> Another problem with this notification is there are still the spikes when the
> notifications come out that EVERYONE AND THEIR BROTHER contacts the database
> mirrors for updates. Your solution doesn't solve any problems imposed by
> Christopher's idea, and actually introduces more.

100 servers for 200KB (20MB is hardly a spike.) and as for clients remaining connected, that is what a server is - connected. This isn't for end users, or local workstations. It's an OPTION for people who process a lot of data, are at high risk, and need immediate response. Then their own internal freshclam clients can poll their local authoritative server as often as they want, or use the same procedure to distribute to them (if they are full time connected that is).

> In my opinion, the existing system is fine, and if you want better, you should
> talk to the clamav folks about setting up some sort of 'priority'

Yeah, we could, but I don't think it needs that. And setting up an internal mirror doesn't address the response time of the updates, unless I start hammering the main freshclam every few minutes... and I just don't think that would be friendly.

With the sort of hierarchical distribution I'm talking about, you could even use a ranking system to automatically organize the distribution (while I'm on a roll ;-)...

What I mean is that everyone would contact one of the "root" mirrors initially. In the request to be notified, it would indicate the number of clients it serves. If less than a certain number, then it could be referred to a child of the root server. If that child becomes unavailable it could contact the root again (at the next hourly polling time).

How many servers are there on the Internet? We could probably handle the whole lot of them with no more than 4 or 5 levels. Push an update to the world in under 10 minutes. Think how many virus laden emails this could stop.

(visions of f5...) in fact, the root server could hand out the IP's of all child servers not fully loaded. The client could register with the nearest (by route time) one - just ranting...

m/
Re: [Clamav-users] file handles leak in ClamAV (CVS 040731) ?
On Tue, 10 Aug 2004 07:59:42 -0700 exo dia <[EMAIL PROTECTED]> wrote:
> So it appears that there is a fairly significant file handle leak in
> this ClamAV version I am using. Has this been fixed following 7/31?

Yes, the problem has been fixed.

--
oo. Tomasz Kojm <[EMAIL PROTECTED]>
(\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
\..._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Tue Aug 10 17:22:10 CEST 2004
Re: [Clamav-users] Idea for more timely virusdb updates
Erich Titl wrote the following on 08/10/2004 05:12 PM :

At 16:03 10.08.2004, you wrote:

... I've also thought about rsync -- if putting the cvd files on an rsync server would lighten the load at all.

Oh it would, rsync is quite effective.

Not much with compressed files like *.cvd.

Another possibility might be to patch the .cvd file(s)

That was one proposition I made last year. But in practice it seems there isn't really a pressing need now.

Lionel.

--
Lionel Bouton - inet6
Siege social: 51, rue de Verdun - 92158 Suresnes
Acces Bureaux: 33 rue Benoit Malon - 92150 Suresnes
France
Tel. +33 (0) 1 41 44 85 36
Inetsys S.A. Fax +33 (0) 1 46 97 20 10
Re: [Clamav-users] Idea for more timely virusdb updates
Erich Titl wanted us to know:
>>I've also thought about rsync -- if putting the cvd files on an rsync
>>server would lighten the load at all.
>Oh it would, rsync is quite effective. Another possibility might be to
>patch the .cvd file(s)

Agree with rsync, depends how much changes in the file per download, but I think it can be marvelously efficient. Disagree with patching, binary files don't lend themselves to diff/patch very well.

>0.02

Now we have 0.04 :-)

--
Regards... Todd
We should not be building surveillance technology into standards. Law enforcement was not supposed to be easy. Where it is easy, it's called a police state. -- Jeff Schiller on NANOG
Linux kernel 2.6.3-15mdkenterprise 2 users, load average: 0.09, 0.03, 0.01
Re: [Clamav-users] Idea for more timely virusdb updates
At 16:03 10.08.2004, you wrote:

... I've also thought about rsync -- if putting the cvd files on an rsync server would lighten the load at all.

Oh it would, rsync is quite effective. Another possibility might be to patch the .cvd file(s)

0.02

Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
[Clamav-users] file handles leak in ClamAV (CVS 040731) ?
I've been using ClamAV for some time and am so happy you are providing this solution, especially with the latest Bagel variant that is going around.

I am using the development version from CVS on 7/31/04, and have been sticking with it because it seems to have solved all of the memory leak problems from previous versions (0.75 and so on)

However this morning I logged in and my system was completely out of file handles -- I couldn't reliably run anything, apps would fail, etc. I checked /proc/sys/fs/file-nr and found that the system had almost no file handles available. So I killed clamav and freshclam and "file-nr" went back up to ~3500 available.

So it appears that there is a fairly significant file handle leak in this ClamAV version I am using. Has this been fixed following 7/31? Should I upgrade to a new version?

thanks !

ed
Re: [Clamav-users] Idea for more timely virusdb updates
On Tue, 10 Aug 2004, Fajar A. Nugraha wrote:
> The only snag, is that TXT record is limited to a number of bytes ( I tried
> putting 4096 bytes on it, it didn't work).
> Now, the question is, can the daily (or hourly) updates fit in a single TXT
> record?

I don't know that putting ALL of the records in DNS is necessary. The only reason I was putting the version number there was to allow quick, more frequent checks to see if you had the current version. It's possible to run DNS with very short TTL times, even 0.

In terms of load on the servers: a smaller file would certainly help. I can see the simplicity of just having two files to grab being attractive. However, daily.cfg is now about 150k . I don't consider this big in the scheme of things, but if we are talking about hundreds or thousands of people trying to get the file, then the difference could be significant.

Suppose there was a numbered file for each version that would 'upgrade' you from the previous version. IE, if I'm at 444, and current is 445, I grab 445.cvd. If I'm at 440, I grab 441.cvd, 442.cvd, through 445.cvd.

Downside -- obviously harder to maintain.
Upside -- someone who is staying constantly up to date is grabbing only a few bytes off the server at a time.

I think this is simpler than putting all the data into DNS.

I've also thought about rsync -- if putting the cvd files on an rsync server would lighten the load at all.

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
Re: [Clamav-users] Ignoring option -r
On Tue, 10 Aug 2004 at 14:30:32 +0200, Niek wrote:
> Tomasz Papszun said the following on 8/10/2004 1:45 PM GMT+2:
> >On Tue, 10 Aug 2004 at 13:39:57 +0300, Arthur Kerpician wrote:
> >
> >>Clamdscan is called by qmail-scanner-1.23 and don't remember
> >>setting any -r option anywhere.
> >
> >I don't know qmail-scanner so I can't say details but something _must_
> >issue "-r" anyway.
>
> From QS 1.23 qmail-scanner-queue.pl:
> my $clamdscan_binary='/usr/bin/clamdscan';
> my $clamdscan_options="-r --disable-summary --max-recursion=10
> --max-space=10";
> (wrapped)
>
> Kind regards,
> Niek Baakman

So most of these options are useless for clamdscan (-r, --max-recursion, --max-space). For the list of supported options one can issue 'clamdscan -h' or 'man clamdscan'.

Also, --disable-summary is _temporarily_ unsupported in CVS version (--no-summary is supported instead). It's due to an oversight - sorry. But before this message is delivered by the mailing list, it will be already corrected in CVS, most probably.

A general tip: all "--disable-foo" options in clamscan and clamdscan are replaced with "--no-foo" form for conciseness. The longer form is of course still supported for backward compatibility, but it's more convenient to type less :-) .

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
[EMAIL PROTECTED] http://www.lodz.tpsa.pl/iso/ | ones and zeros.
[EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner
Re: [Clamav-users] Re: [Qmail-scanner-general]QS 1.23 upgrade - procs not dying
On Tuesday 10 Aug 2004 13:00, Doug Monroe wrote:
> Turns out it's the same msg doing it repeatedly - I assume because it
> never got delivered and is being retried. And, though it may seem that
> way to the casual observer, it is not "spam" since it's directly related
> to the recipient org, not to mention requested by them :).
>
> the orig msg is available at: http://63.246.146.40/synack/badclam.zip

I've downloaded and tried your file. Seems OK to me using the development version with your options:

[EMAIL PROTECTED] njh]$ clamscan -r -m --unzip --unrar --unzoo --lha --disable-summary badclam.msg
/home/njh/badclam.msg: OK
[EMAIL PROTECTED] njh]$

-Nigel

--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] Ignoring option -r
Tomasz Papszun said the following on 8/10/2004 1:45 PM GMT+2:

On Tue, 10 Aug 2004 at 13:39:57 +0300, Arthur Kerpician wrote:

Tomasz Papszun wrote:

Because these warnings from clamdscan have been introduced just recently (they are needed to help avoid repeated complaints like "I use 'clamdscan --mbox' but viruses in emails aren't detected!"). Previously clamdscan just silently ignored unsupported options.

Clamdscan is called by qmail-scanner-1.23 and don't remember setting any -r option anywhere.

I don't know qmail-scanner so I can't say details but something _must_ issue "-r" anyway.

From QS 1.23 qmail-scanner-queue.pl:
my $clamdscan_binary='/usr/bin/clamdscan';
my $clamdscan_options="-r --disable-summary --max-recursion=10 --max-space=10";
(wrapped)

Kind regards,
Niek Baakman
[Clamav-users] Re: [Qmail-scanner-general]QS 1.23 upgrade - procs not dying
Jason Haar wrote:

On Mon, Aug 09, 2004 at 11:19:11PM -0400, Doug Monroe wrote:

I notice clamscan options within QS have changed from:
my $clamscan_options="-r --disable-summary --max-recursion=10 --max-space=10";
to:
my $clamscan_options="-r -m --unzip --unrar --unzoo --lha --disable-summary --max-recursion=10 --max-space=10";
but I can run any of the above options from cmd line on the orig. email msg w/o problem.

Really? So if you kill those jobs off, do those same emails trigger the same problem, or does that occur later with a new bunch of emails?

The difference there is the "-m" bit - scan mailboxes. I can imagine some broken MIME mail messages (100% SPAM no doubt) could be triggering a bug in ClamAV.

Also check it isn't just an out of memory issue - maybe you need to up your memory limits? (I can't see why as clamdscan won't use a lot of RAM. But are you running clamd under softlimits? That would do it)

clamscan not clamdscan (yes...someday I'll move to clamd [just need time]) but...yes...I can run clamscan with -m fine

Current softlimit fwiw is 1800

$ clamscan -r -m --unzip --unrar --unzoo --lha --disable-summary --max-recursion=10 --max-space=10 /tmp/clam/orig-twobar.example.com109213562948225466
/tmp/clam/orig-twobar.example.com109213562948225466: OK

Turns out it's the same msg doing it repeatedly - I assume because it never got delivered and is being retried. And, though it may seem that way to the casual observer, it is not "spam" since it's directly related to the recipient org, not to mention requested by them :).

the orig msg is available at: http://63.246.146.40/synack/badclam.zip

for now I'm reconfiguring QS to call clamscan without -m
Re: [Clamav-users] Ignoring option -r
On Tue, 10 Aug 2004 at 13:39:57 +0300, Arthur Kerpician wrote:
> Tomasz Papszun wrote:
> >
> >Which options you start clamd with - is irrelevant here.
> >
> >It matters which options you call clamdscan with!
> >
> I was using a snapshot (clamav-20040805.tar.gz) when getting this
> warning. Now I rolled back to 0.75.1 and I don't get the message
> anymore.

Because these warnings from clamdscan have been introduced just recently (they are needed to help avoid repeated complaints like "I use 'clamdscan --mbox' but viruses in emails aren't detected!"). Previously clamdscan just silently ignored unsupported options.

> Clamdscan is called by qmail-scanner-1.23 and don't remember
> setting any -r option anywhere.

I don't know qmail-scanner so I can't say details but something _must_ issue "-r" anyway.

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
[EMAIL PROTECTED] http://www.lodz.tpsa.pl/iso/ | ones and zeros.
[EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner
Re: [Clamav-users] Ignoring option -r
Tomasz Papszun wrote:

On Tue, 10 Aug 2004 at 11:42:16 +0300, Arthur Kerpician wrote:

Hi all,

Is anybody getting this message in the mail notifications?

---clamdscan results ---
^ WARNING: Ignoring option -r: please edit clamav.conf instead.
---

Couldn't find anything related to the -r switch. I start clamd only with -c to point to the configuration file.

Which options you start clamd with - is irrelevant here.

It matters which options you call clamdscan with!

I was using a snapshot (clamav-20040805.tar.gz) when getting this warning. Now I rolled back to 0.75.1 and I don't get the message anymore. Clamdscan is called by qmail-scanner-1.23 and don't remember setting any -r option anywhere.
Re: [Clamav-users] Idea for more timely virusdb updates
Mitch (WebCob) wrote:
> What about a deeper mirroring system? Perhaps one that supports
> notification? One of the things I like about BIND (not enough to use it,
> but still an admired concept ;-) is the way zones can be distributed...
> notification speeds things up if it works, polling creates a failsafe in
> which a missing notify doesn't cause the world to end...

right, but as discussed below, generally bind servers don't have 100k
people waiting for notifications and updates.

> Hourly polls is a good thing - but if the system worked both ways, the
> mirror could signal the end clients that it's time to download... those
> notifies could be sent only to clients that had registered to receive it
> (an option in freshclam) and would not push the data, but trigger a
> freshclam pull.

with that option, the 'clients' would either have to remain connected
the entire time, which is completely not feasible, or somehow the
database mirrors would have to either 'remember' who to notify, or have
some sort of registry of people to notify (I can see how one might do
this with a paid mirror service), and then send out notifications (even
a single UDP packet to 100k servers could be quite bandwidth intensive).
The architecture could work, yes, but it doesn't scale well, and I don't
think the clamav team has the resources to do this sort of ass-kissing
for free. They're already providing a wonderful service to the internet
community, we cannot bite the hand that feeds us. Another problem with
this notification is there are still the spikes when the notifications
come out that EVERYONE AND THEIR BROTHER contacts the database mirrors
for updates. Your solution doesn't solve any problems imposed by
Christopher's idea, and actually introduces more.

In my opinion, the existing system is fine, and if you want better, you
should talk to the clamav folks about setting up some sort of 'priority'
mirror, in which you would pay a fee for having more enhanced services,
like notification, dns update polling, etc. And of course, proceeds (or
at least a major part of) would go to the clamav team for being the most
kick ass anti-virus product out there. I'm not sure how the official
procedure would be to roll something like this out, but now that I think
of it, I may just go about working on something like this. Gotta pay for
my colocation somehow :)

Tomasz, et al.: Please expect to see an email from me by the end of the
work day tomorrow (or rather, today, but I haven't slept yet)

> It could provide faster update response and smooth out the spikes in
> download traffic, and could be used to maintain a larger set of
> mirrors... without increasing polling frequency... a new "freshclam
> server" could allow all larger users to easily run their own mirrors for
> internal distribution...

I would think that most 'larger users' (5+ node mail server cluster)
would already have an internal mirror. It's not difficult to do, and has
been discussed on this list, and in the clamav documentation many times.

> Just a few ideas...

hey, brainstorming is good, it's just the ideas aren't always ;)

-Jeremy

--
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
[EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 847.492.0470 int'l
kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail
Re: [Clamav-users] Ignoring option -r
On Tue, 10 Aug 2004 at 11:42:16 +0300, Arthur Kerpician wrote:
> Hi all,
> Is anybody getting this message in the mail notifications?
> ---clamdscan results ---
     ^
> WARNING: Ignoring option -r: please edit clamav.conf instead.
> ---
>
> Couldn't find anything related to the -r switch. I start clamd only
> with -c to point to the configuration file.

Which options you start clamd with - is irrelevant here.
It matters which options you call clamdscan with!

--
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/iso/   | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner
Re: [Clamav-users] Ignoring option -r
On Tue, 10 Aug 2004, Arthur Kerpician wrote:
; Hi all,
; Is anybody getting this message in the mail notifications?
; ---clamdscan results ---
; WARNING: Ignoring option -r: please edit clamav.conf instead.
; ---

Whatever process is using the 'clamdscan' command is passing the -r flag
to it which isn't recognised. This message isn't related to the
arguments you're giving to clamd itself.

Andy
AW: [Clamav-users] Ignoring option -r
> On Tue, 2004-08-10 at 09:42, Arthur Kerpician wrote:
> > Hi all,
> > Is anybody getting this message in the mail notifications?
> > ---clamdscan results ---
> > WARNING: Ignoring option -r: please edit clamav.conf instead.
> > ---
> >
> > Couldn't find anything related to the -r switch. I start clamd only
> > with -c to point to the configuration file.
> > Thanks for any ideas.
> > Arthur
>

- are -r characters in your conf ?
- clam compiled with some special options ?
- place your clamav.conf to your sysconfdir named while compile
  (basic: /etc) and start without -c

greetings
andy
Re: [Clamav-users] Ignoring option -r
On Tue, 2004-08-10 at 09:42, Arthur Kerpician wrote:
> Hi all,
> Is anybody getting this message in the mail notifications?
> ---clamdscan results ---
> WARNING: Ignoring option -r: please edit clamav.conf instead.
> ---
>
> Couldn't find anything related to the -r switch. I start clamd only
> with -c to point to the configuration file.
> Thanks for any ideas.
> Arthur
>

You're giving options to clamdscan which it doesn't understand.

-trog
[Clamav-users] Ignoring option -r
Hi all,
Is anybody getting this message in the mail notifications?
---clamdscan results ---
WARNING: Ignoring option -r: please edit clamav.conf instead.
---

Couldn't find anything related to the -r switch. I start clamd only
with -c to point to the configuration file.
Thanks for any ideas.
Arthur
Re: [Clamav-users] QS 1.23 upgrade - procs not dying
Doug Monroe said the following on 8/10/2004 5:19 AM GMT+2:
> linux RH9 2.4.20-31.9
> Qmail-Scanner 1.23
> clamav 0.75.1
>
> odd problem since upgrading to 1.23, with coincidental update to clamav
> 0.75. Over the past 3-4 days I've seen clamscan processes hanging
> around, sucking up resources, never dying, causing high load. I can kill
> the processes, but after some time I end up in the same boat:
>
> I notice clamscan options within QS have changed from:
> my $clamscan_options="-r --disable-summary --max-recursion=10 --max-space=10";
> to:
> my $clamscan_options="-r -m --unzip --unrar --unzoo --lha --disable-summary --max-recursion=10 --max-space=10";
> but I can run any of the above options from cmd line on the orig. email
> msg w/o problem.
>
> Anyone seeing similar problems with their QS setup?

Doug, I would recommend clamdscan (together with clamd) instead of
clamscan. When you run clamscan, it has to initialize the virusdb every
time it runs. Set up clamd, and configure QS to use clamdscan instead of
clamscan. You will see huge load/io improvements.

Kind regards,
Niek Baakman
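The option string quoted in the message above contains -r, the option clamdscan warns about in the "Ignoring option -r" thread on this page, so it is worth checking that string before pointing Qmail-Scanner at clamdscan. The script below is an added example, not code from Qmail-Scanner or ClamAV; the function names, the default list (only the two options this page names, -r and --mbox) and the sample file are assumptions.

```shell
#!/bin/sh
# Options this page names as not honoured by clamdscan. Assumption: only
# these two; pass your own list as extra arguments to override.
DEFAULT_IGNORED="-r --mbox"

# list_ignored_opts FILE [OPTION...]
# Prints LINE:OPTION for each listed option found in an active (not
# commented-out) Perl line of the form  my $<name>_options="...";
# Returns 1 if anything was flagged, 0 if the file is clean.
list_ignored_opts() {
    file=$1; shift
    [ $# -gt 0 ] || set -- $DEFAULT_IGNORED
    found=0 lineno=0
    set -f                      # option strings must not be glob-expanded
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        val=$(printf '%s\n' "$line" |
            sed -n 's/^[[:space:]]*my[[:space:]]*\$[A-Za-z_]*_options="\([^"]*\)".*/\1/p')
        [ -n "$val" ] || continue
        for tok in $val; do
            for opt in "$@"; do
                case $tok in
                    "$opt"|"$opt"=*) printf '%s:%s\n' "$lineno" "$tok"; found=1 ;;
                esac
            done
        done
    done < "$file"
    set +f
    [ "$found" -eq 0 ]
}

# Constructed sample: the two option strings quoted in the message above,
# with the older one commented out.
write_sample() {
    cat > "$1" <<'EOF'
#my $clamscan_options="-r --disable-summary --max-recursion=10 --max-space=10";
my $clamscan_options="-r -m --unzip --unrar --unzoo --lha --disable-summary --max-recursion=10 --max-space=10";
EOF
}

sample=$(mktemp)
write_sample "$sample"
list_ignored_opts "$sample" || echo "remove the flagged options before calling clamdscan"
rm -f "$sample"
```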
Re: [Clamav-users] Problems upgrading from 0.70rc to 0.75.1
On Tuesday 10 Aug 2004 06:44, Todd Lyons wrote:
> John Twyman wanted us to know:
>
> >I haven't changed my clamav.conf file at all between versions. Its contents
> >are:
> >LocalSocket /tmp/clamd
> >FixStaleSocket
> >TCPAddr x.x.x.x
>
> You can't have both a TCP and a unix file socket. Gotta comment one or
> the other out.

Furthermore, look in /var/log/maillog, that should tell you why it's failed.

-Nigel

--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk