Re: [Clamav-users] Downloading clam virus definition files automatically
> All parties are willing and agreeable, and the vendor stands to make some money. I can't imagine that would be a bad thing. I wouldn't underestimate the importance of liability, tho.

Uhhh... but then what do you think someone providing such service would be liable for then? Unable to download an update? Or not being updated as soon as an update arrives? Pretty hard one because your connection might be temporarily down, a temporary routing problem might exist somewhere between you and the server supposed to update your server.

If you want to be able to sue someone then why don't you use a product like Symantec Corporate edition, or from any other large vendor? Good luck. Clamav already gives you free support, that's much much more than you can say about Symantec.

I have some experience with liability insurances and they will limit what they cover as much as possible. Making an update service pretty expensive..

B.

___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
RE: [Clamav-users] Second-tier Mirrors...
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Graham Toal

> Aren't we missing something obvious here? Shouldn't we be using some sort of distributed technology like BitTorrent?

That's been asked and answered...

Bittorrent is meant to optimize download of large files when there are many peers. We could effect the many peers, but the size of the files involved are often finished downloading before a torrent file is downloaded, parsed, and attempted (there are always unreachable / not responding hosts / slow hosts / bad routes etc.)

a summarization of my understanding anyways.

m/
Re: [Clamav-users] Second-tier Mirrors...
Mitch (WebCob) wrote the following on 08/26/2004 10:47 AM :

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Graham Toal
>
> > Aren't we missing something obvious here? Shouldn't we be using some sort of distributed technology like BitTorrent?
>
> That's been asked and answered...
>
> Bittorrent is meant to optimize download of large files when there are many peers.

Not really, the protocol is tunable to scale down too (just use small chunks for the torrents). Sure there will be more overhead BW-wise because the aggregated BW is always more than the one you get using a central point of distribution and the overhead gets bigger when the files' sizes go down. But this isn't the point, the point is : you get rid of the central distribution point(s) bottleneck. The aggregated BW is distributed on as many links as freshclam instances...

You may want to have more than one tracker though with DNS views to redirect people to a local tracker, I don't think a tracker scales well beyond 10 clients today (you could use the multi-tracker extensions too).

> We could effect the many peers, but the size of the files involved are often finished downloading before a torrent file is downloaded, parsed, and attempted (there are always unreachable / not responding hosts / slow hosts / bad routes etc.)
>
> a summarization of my understanding anyways.
>
> m/

In fact the main obstacle is the firewall setup needed for such a scheme for each client. One possibility would be to provide 2 distribution paths : the current one, DNS-enhanced for administrators worrying about a new port open, a parallel one for people looking for near zero-delay, using the bittorrent protocol with adequate sigs for torrent as I described earlier on this list.

Anybody with some time to spare ?

--
Lionel Bouton - inet6
Inetsys S.A.
Siege social: 51, rue de Verdun - 92158 Suresnes
Acces Bureaux: 33 rue Benoit Malon - 92150 Suresnes
France
Tel. +33 (0) 1 41 44 85 36
Fax +33 (0) 1 46 97 20 10
RE: [Clamav-users] Second-tier Mirrors...
On Wed, 2004-08-25 at 16:28, Mitch (WebCob) wrote:

..snip..

> Perhaps (not sure of the DNS system in place) could be arranged so that 10% of the requests a full primary mirror receives could be directed to a secondary level mirror. With a commitment of only roughly 10GB per month, we'd get more volunteers (I'd volunteer 2).

We could/would mirror at 10GB/month.

--
Matthew Keller
signat-url: http://mattwork.potsdam.edu/signat-url/
No one ever says, 'I can't read that ASCII E-mail you sent me.'
Re: [Clamav-users] Downloading clam virus definition files automatically
B. van Ouwerkerk said:

> > All parties are willing and agreeable, and the vendor stands to make some money. I can't imagine that would be a bad thing. I wouldn't underestimate the importance of liability, tho.
>
> Uhhh... but then what do you think someone providing such service would be liable for then? Unable to download an update? Or not being updated as soon as an update arrives?

I think such a provider would be liable for very little - but it is very expensive to establish that in court. Lawsuits are trivial to initiate and we are in a very litigious society. If you have 10,000 customers you can bet at least one of them will levy a suit against you for some perceived affront and you are out of pocket without some kind of insurance.

> Pretty hard one because your connection might be temporarily down, a temporary routing problem might exist somewhere between you and the server supposed to update your server.

Tell it to the judge. Ka-ching!

> If you want to be able to sue someone then why don't you use a product like Symantec Corporate edition, or from any other large vendor?

I don't want to sue someone - I just like being protected against those who do, and there are a lot of them out there.

> I have some experience with liability insurances and they will limit what they cover as much as possible. Making an update service pretty expensive..

Imagine the expense of having to be represented in court 5 or 10 times a year.

dp
Re: [Clamav-users] Downloading clam virus definition files automatically
> > If you want to be able to sue someone then why don't you use a product like Symantec Corporate edition, or from any other large vendor?
>
> I don't want to sue someone - I just like being protected against those who do, and there are a lot of them out there.

That's why you pay so much for insurance.

> > I have some experience with liability insurances and they will limit what they cover as much as possible. Making an update service pretty expensive..
>
> Imagine the expense of having to be represented in court 5 or 10 times a year.

Yeah, and how much more expensive any update service would get to cover the additional cost.

B.
[Clamav-users] Question
Hi,

I'm using ClamAV 0.75.1 and I encounter one of the Oversized.zip issues. I've read a few threads about this issue and I've learned that maxcompressionratio could be 200 ~ 99.5% compression. I have a zip file which reports a compression ratio of 466. Is this possible ?

bash-2.05b$ clamscan --debug VHS_Single_SpecialEdition.zip
LibClamAV debug: Loading databases from /var/lib/clamav
LibClamAV debug: Loading /var/lib/clamav/main.cvd
LibClamAV debug: /var/lib/clamav/main.cvd: CVD file detected
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 65cfe3193203ba5ac9ef23de49ce7eba
LibClamAV debug: Decoded signature: 65cfe3193203ba5ac9ef23de49ce7eba
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /tmp/clamav-520ff652dbf5d1d5/COPYING
LibClamAV debug: Unpacking /tmp/clamav-520ff652dbf5d1d5/viruses.db
LibClamAV debug: Loading databases from /tmp/clamav-520ff652dbf5d1d5
LibClamAV debug: Loading /tmp/clamav-520ff652dbf5d1d5/viruses.db
LibClamAV debug: Initializing trie.
LibClamAV debug: Loading /var/lib/clamav/daily.cvd
LibClamAV debug: /var/lib/clamav/daily.cvd: CVD file detected
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 13d5a99d7ef5a1ed695165e5ed8910a6
LibClamAV debug: Decoded signature: 13d5a99d7ef5a1ed695165e5ed8910a6
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /tmp/clamav-42e9e742ccf763e6/COPYING
LibClamAV debug: Unpacking /tmp/clamav-42e9e742ccf763e6/viruses.db2
LibClamAV debug: Loading databases from /tmp/clamav-42e9e742ccf763e6
LibClamAV debug: Loading /tmp/clamav-42e9e742ccf763e6/viruses.db2
LibClamAV debug: Not suported signature type detected at line 15. Skipping.
LibClamAV debug: Not suported signature type detected at line 318. Skipping.
LibClamAV debug: Recognized ZIP file
LibClamAV debug: Starting scanzip()
LibClamAV debug: Zip - VHS Single Special.job/, compressed: 0, normal: 0, ratio: 0 (max: 200)
LibClamAV debug: Zip - VHS Single Special.job/Fonts Folder/, compressed: 0, normal: 0, ratio: 0 (max: 200)
LibClamAV debug: Zip - VHS Single Special.job/Fonts Folder/B Helvetica Bold, compressed: 32, normal: 15403, ratio: 466 (max: 200)
VHS_Single_SpecialEdition.zip: Oversized.Zip FOUND

Thank you!

Regards,
Ovidiu
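An added example, not part of the original post and not ClamAV's code: a per-member compression-ratio check over a ZIP's central directory, run on a constructed archive whose 15403-byte repetitive member deflates far enough to pass a limit of 200. The ratio formula (integer uncompressed size divided by compressed size) and all names are assumptions made for illustration.

```python
import io
import zipfile

MAX_RATIO = 200  # the "(max: 200)" limit shown in the debug output above


def build_sample_zip():
    """Constructed archive: a directory, a highly repetitive member, a text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("job/", b"")
        zf.writestr("job/padding.bin", b"\x00" * 15403)
        text = b"".join(b"line %d of the readme\n" % i for i in range(200))
        zf.writestr("job/readme.txt", text)
    return buf.getvalue()


def member_ratios(zip_bytes, max_ratio=MAX_RATIO):
    """Read sizes from the central directory only; nothing is decompressed."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Assumed formula: integer division, 0 when the compressed size is 0.
            if info.compress_size:
                ratio = info.file_size // info.compress_size
            else:
                ratio = 0
            rows.append({
                "name": info.filename,
                "compressed": info.compress_size,
                "normal": info.file_size,
                "ratio": ratio,
                "flagged": ratio >= max_ratio,
            })
    return rows


def over_limit(zip_bytes, max_ratio=MAX_RATIO):
    """Names of the members whose ratio reaches the limit."""
    return [r["name"] for r in member_ratios(zip_bytes, max_ratio) if r["flagged"]]


if __name__ == "__main__":
    for r in member_ratios(build_sample_zip()):
        print("%(name)s, compressed: %(compressed)d, normal: %(normal)d, "
              "ratio: %(ratio)d, flagged: %(flagged)s" % r)
```

The sizes come from archive metadata, so a check like this is a cheap pre-filter before extraction, and a harmless but highly repetitive member is flagged the same way as a decompression bomb.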
RE: [Clamav-users] Downloading clam virus definition files automatically
> Uhhh... but then what do you think someone providing such service would be liable for then? Unable to download an update? Or not being updated as soon as an update arrives? Pretty hard one because your connection might be temporarily down, a temporary routing problem might exist somewhere between you and the server supposed to update your server.

BigCorp contracts with you, ClamAVUpdates, for X amount of money per month for virus updates. ClamAVUpdates.com goes down for twenty minutes. During that twenty minutes, a new virus comes out, and BigCorp gets infected with it. BigCorp then turns around and sues ClamAVUpdates for not fulfilling their end of the contract.

Yes, said contract probably included the standard 'best effort' clauses, or maybe it's not even your fault; but this is an important point, so I'm going to put it in its own paragraph.

You're still going to wind up in court.

Court is expensive. So, liability insurance.
[Clamav-users] libcurl support in latest ClamAV
I noticed the libcurl support to follow urls. I tried setting up a test by sending myself an email with a link to a virus on a test web server but it doesn't pick up there's a virus. I have curl-devel installed and when I compiled clamav it picked up that I had libcurl. Is this still very Alpha or am I doing something wrong?

On the Web server...

[EMAIL PROTECTED] root]# clamscan /var/www/html/document.zip
/var/www/html/document.zip: Worm.Mydoom.M FOUND

After I receive the email I save it into mbox format:

[EMAIL PROTECTED] root]# clamscan --mail-follow-url url-test-mail
url-test-mail: OK

Contents of url-test-mail:

From [EMAIL PROTECTED] Fri Aug 20 08:02:16 2004
Return-Path: [EMAIL PROTECTED]
Received: from ns2b.hillsboroughcounty.org (ns2b.hillsboroughcounty.org [207.156.7.21])
    by impmail.dnsalias.com (8.12.11/8.12.10) with ESMTP id i7KC2GMX009647
    for [EMAIL PROTECTED]; Fri, 20 Aug 2004 08:02:16 -0400
Received: from simpsonb.hillsboroughcounty.org (firewall.hillsborough.fl.us [207.156.7.1] (may be forged))
    by ns2b.hillsboroughcounty.org (8.12.11/8.12.11) with ESMTP id i7KC2HZD018881
    for [EMAIL PROTECTED]; Fri, 20 Aug 2004 08:02:17 -0400
Subject: Test url
From: Brett Simpson [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Content-Type: text/plain
Message-Id: [EMAIL PROTECTED]
Mime-Version: 1.0
Date: Fri, 20 Aug 2004 08:02:17 -0400
Content-Transfer-Encoding: 8bit

http://172.27.228.145/document.zip
RE: [Clamav-users] Downloading clam virus definition files automatically
> I think such a provider would be liable for very little - but it is very expensive to establish that in court. Lawsuits are trivial to initiate and we are in a very litigious society. If you have 10,000 customers you can bet at least one of them will levy a suit against you for some perceived affront and you are out of pocket without some kind of insurance.

Think we're blowing things out of proportion and way off topic here... This is ClamAV not business 101...

Liability insurance doesn't PREVENT people from suing you. It covers SPECIFIED perils if people do, but still requires you to defend yourself in the suit - it kicks in to pay legal costs or settle if you lose... Having a fat liability policy can also make you a target.

And a waiver, SLA or specific contract limiting liability can close off many of these threats.

m/
[Clamav-users] Siggen -- small tool to (hopefully) aid someone :)
Hi List,

just put something together to aid me in generating signatures for my database. Perhaps someone likes it. Just use your favorite hex editor (vim :%!xxd) and get a good offset value.

./siggen virus.exe 0FF337

you get a 300 character signature which you (probably) have to cut a bit and give it an appropriate name.

Greetings
Daniel

--
Saying that Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders --ToxicSin

<siggen.c>
/*
 *  Copyright (C) 2004 Daniel Lord
 *
 *  This is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published
 *  by the Free Software Foundation; either version 2 of the License,
 *  or (at your option) any later version.
 *
 *  This software is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this software; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 *  MA 02111-1307, USA.
 */

/* gcc -Wall -Os -s -o siggen siggen.c -lm */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <math.h>

/* open a file read-only in binary mode, exit on failure */
FILE * fopenfile_ro (char *file)
{
    FILE *fdp;

    if ((fdp = fopen(file, "rb")) == NULL){
        perror("fopen");
        exit (EXIT_FAILURE);
    }
    return fdp;
}

int main (int argc, char *argv[])
{
    FILE *virfd;
    short i,x;
    int c;
    long offset;
    long filesize=0;

    if (argc != 3) {
        fprintf(stderr, "usage: %s file offset\n", argv[0]);
        return EXIT_FAILURE;
    }

    virfd = fopenfile_ro(argv[1]);

    /* parse the hex offset, least significant digit first */
    x=0;
    offset=0;
    for (i=strlen(argv[2])-1; i>=0; i--) {
        c = toupper((unsigned char)argv[2][i]);
        if ((c >= 'A') && (c <= 'F')){
            offset += (c-0x37)*(pow(16,x));
            x++;
        } else {
            if ((c >= '0') && (c <= '9')){
                offset += (c-0x30)*(pow(16,x));
                x++;
            } else {
                fprintf(stderr, "Wrong Offset Value\n");
                fprintf(stderr, "String: %s -- Value: %c\n", argv[2],argv[2][i]);
                fclose(virfd);
                return EXIT_FAILURE;
            }
        }
        if (x > 6) {
            fprintf(stderr, "Really big Offset? (FIXME)\n");
            fclose(virfd);
            return EXIT_FAILURE;
        }
    }

    /* determine the file size so the 300-byte window can be bounds-checked */
    if (fseek(virfd, 0, SEEK_END) != 0){
        perror("fseek");
        fclose(virfd);
        return EXIT_FAILURE;
    }
    if ((filesize = ftell (virfd)) == -1) {
        perror("ftell");
        fclose(virfd);
        return EXIT_FAILURE;
    }
    if ((offset+300) > filesize) {
        fprintf(stderr, "File too short or offset to big\n");
        fprintf(stderr, "Filesize: %li -- Offset: %li + 300\n", filesize, offset);
        fclose(virfd);
        return EXIT_FAILURE;
    }
    if ((fseek (virfd, offset, SEEK_SET)) != 0) {
        perror("fseek");
        fclose(virfd);
        return EXIT_FAILURE;
    }

    /* print 300 bytes from the offset as hex */
    printf("unknown.auto.lo (Clam)=");
    for (i=0; i<300; i++) {
        x = fgetc(virfd);
        printf("%02X",x);
    }
    printf("\n");

    fclose(virfd);
    return EXIT_SUCCESS;
}
</siggen.c>
Re: [Clamav-users] Siggen -- small tool to (hopefully) aid someone :)
On Thu, 26 Aug 2004 23:32:56 +0200
Daniel Lord [EMAIL PROTECTED] wrote:

> Hi List,
>
> just put something together to aid me in generating signatures for my database. Perhaps someone likes it. Just use your favorite hex editor (vim :%!xxd) and get a good offset value.
>
> ./siggen virus.exe 0FF337
>
> you get a 300 character signature which you (probably) have to cut a bit and give it an appropriate name.

Such a method may lead to false positives. The CVS version of ClamAV allows users to create their own signatures for a static malware in a very simple manner - by using MD5 hashes. The format is

MD5:Size:MalwareName[:Alias1,Alias2,Alias3,...,AliasN]

Example:

[EMAIL PROTECTED]:/tmp/malware$ ls -l
total 969
-rw-r--r-- 1 zolw zolw 990208 Aug 27 00:43 test.exe
[EMAIL PROTECTED]:/tmp/malware$ md5sum test.exe
dfcd1da74cd5ec997f5f311800919e29  test.exe

The signature is

dfcd1da74cd5ec997f5f311800919e29:990208:Test-Signature

Save it in a *.hdb file and install in your clamav-db directory.

--
Tomasz Kojm [EMAIL PROTECTED]
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Fri Aug 27 00:40:29 CEST 2004
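An added example, not part of the original message and not ClamAV's code: building, parsing and matching entries in the MD5:Size:MalwareName[:Aliases] format described above, including what happens when a single byte of the sample changes. The function names, the strict handling of malformed lines and the sample bytes are assumptions made for illustration; the `PAGE_EXAMPLE` line is the one quoted in the message.

```python
import hashlib
import re

# MD5:Size:MalwareName[:Alias1,Alias2,...] as given in the message above
_HDB_LINE = re.compile(r"^([0-9a-fA-F]{32}):(\d+):([^:]+)(?::(.+))?$")

PAGE_EXAMPLE = "dfcd1da74cd5ec997f5f311800919e29:990208:Test-Signature"
# Constructed sample bytes, not malware
SAMPLE = b"MZ" + b"\x90" * 62 + b"constructed test bytes for the hdb example"


def make_hdb_entry(data, name, aliases=()):
    """Build one .hdb line for a static sample held in memory."""
    if ":" in name or any(":" in a or "," in a for a in aliases):
        raise ValueError("names may not contain ':' and aliases may not contain ','")
    line = "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data), name)
    if aliases:
        line += ":" + ",".join(aliases)
    return line


def parse_hdb(text):
    """Map (size, md5) -> (name, aliases); malformed lines raise instead of being skipped."""
    db = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = _HDB_LINE.match(line)
        if m is None:
            raise ValueError("line %d: expected MD5:Size:Name[:Aliases]" % lineno)
        md5, size, name, aliases = m.groups()
        db[(int(size), md5.lower())] = (name, aliases.split(",") if aliases else [])
    return db


def match(data, db):
    """Return the signature name for data or None; size is compared before hashing."""
    size = len(data)
    if not any(s == size for s, _ in db):
        return None  # no entry of this size, so the hash is never computed
    hit = db.get((size, hashlib.md5(data).hexdigest()))
    return hit[0] if hit else None


if __name__ == "__main__":
    entry = make_hdb_entry(SAMPLE, "Constructed.Sample", ["Alias1"])
    db = parse_hdb(entry + "\n" + PAGE_EXAMPLE + "\n")
    print(entry)
    print("exact copy      :", match(SAMPLE, db))
    print("one byte changed:", match(SAMPLE[:-1] + b"!", db))
    print("one byte added  :", match(SAMPLE + b"\x00", db))
```

A whole-file hash matches only byte-identical copies, which is why the message limits the method to static malware: it avoids the false positives of a raw byte-string signature, and any modified copy needs its own entry.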
Re: [Clamav-users] postfix+clamav without amavisd-new
Alex V. Kovirshin wrote:

> On Tue, Aug 24, 2004 at 07:39:20PM -0700, Ajay wrote:
>
> > Hi,
> > What are some other ways to get clamd support in postfix without using amavisd-new because I don't need all the features of amavisd-new.
>
> Hi. Try my script, it's simple.

Hey, thanks your script is really straightforward. Isn't it probably a good idea not to bounce the message back to the sender since the sender address is most likely spoofed anyway?

--Ajay

-
Satyajot (Ajay) Sharma
REVShare Corp
System Administrator
Re: [Clamav-users] libcurl support in latest ClamAV
On Thursday 26 Aug 2004 20:34, Brett Simpson wrote:

> I noticed the libcurl support to follow urls. I tried setting up a test by sending myself an email with a link to a virus on a test web server but it doesn't pick up there's a virus. I have curl-devel installed and when I compiled clamav it picked up that I had libcurl. Is this still very Alpha or am I doing something wrong?

[snip]

> After I receive the email I save it into mbox format:
>
> [EMAIL PROTECTED] root]# clamscan --mail-follow-url url-test-mail
> url-test-mail: OK

[snip]

> Content-Transfer-Encoding: 8bit
>
> http://172.27.228.145/document.zip

Three things

1) The support for libcurl is only in the development version
2) You need to recompile libclamav/mbox.c with FOLLOWURLS defined
3) The reason it doesn't work with your example is that currently it only scans html formatted email. So try it again with an e-mail with contents such as:

...
Content-Type: text/html
.
<HTML><BODY>
<A HREF="http://172.27.228.145/document.zip">Click here to download a virus</A>
</BODY></HTML>

-Nigel

--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk