[Clamav-users] Re: newbie setup question - Solaris 9 + sendmail
Jerry K wrote:
> I am a new ClamAV user. I am configuring a new mail server running Solaris 9 + sendmail 8.13.x. I have several specific questions, but my first question is one of where to find more documentation. To date, I have printed out the user guide, gone through the FAQ several times, looked through the archives and done some google'ing.
>
> Specific questions I have are:
>
> a) since I am using sendmail, I am making the assumption that compiling/using libmilter is the way to go?

Not necessarily. You can use any of the 3rd party packages available for integration with sendmail.

> b) if I am using ClamAV as a milter, do I need to run the clamd daemon or will sendmail just call libclamav.a/so?

You choose which way you want to go, with or without clamd.

> c) What is the default behavior when ClamAV receives an email with a virus? Does it just delete the whole email? Does it quarantine the file and forward the email to the user? Or is there any action, other than virus identification, when an email arrives with an attached virus?

By clamav what do you mean? The milter is configurable to do all the things you mention and more. With other (3rd party) mail scanners options vary but you usually can configure to discard the message or quarantine and show what was done in some log. Packages like MailScanner can check for viruses and for spam, which is what I think you are driving at.

> I did find this line in the clamd.conf file, but I don't know what command that I would run when a virus is found:
>
> "Execute a command when virus is found. In the command string"

Any script or program can be executed. I don't use this option but I've seen programs that keep statistics.

> Also, from my google'ing, I came across this page http://linux-sxs.org/administration/clamav-milter.html that indicates that emails with viruses are rejected. Is this the only possible action? That's OK if it is, I have just yet to run across the documentation that discusses this. Or, I have overlooked it.

No, usually most people configure the milter to quietly discard the infected message. The documentation is in clamav-milter/INSTALL and the man page.

> d) is ClamAV + Sendmail everything I need, once functional? I am asking this because several of the links that I came across while google'ing mentioned using ClamAV in coordination with another product called Amavis.

Amavis is one of the 3rd party packages that do more than virus scanning (spam, file extension, whatever).

> Also, roughly half of the user manual is filled with Third Party Products. While some of these have obvious purposes (graphing or log file processing), are there any of these necessary for me to get up and going in my environment?

No.

> TIA for any pointers or URL's where I can RTFM.

HTH
-- René Berber
___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Libclamav and zip files
Jason Haar wrote:
> Eric Scopinho wrote:
>> But if I do that, some side effects could happen like:
>> - I'll need free space to store the file.
>> - The infected packets may get in while I store the next packets to scan.
>> - I have to download the whole file before sending it to the end-user.
>
> How else could you catch a virus whose signature happens to cross packet boundaries? I assume you are talking about snort-inline plus the ClamAV preprocessor? As such you should be asking them. To be honest this isn't a problem the ClamAV people can help you with - it's not their fault your viruses don't arrive in nice 1500 byte chunks ;-)
>
> However, I think you'll be out of luck. The only network virus scanners I know of are big beasts - because they effectively have to inline translate packets back to specific protocols (such as SMB/CIFS), pull the data content out, then run real AV over the fully formed files (or at least some largish data window). How they do that inline and manage to drop the session (i.e. killing the virus download) is a bit beyond me - I guess they rely on a RSET on the last packet being enough to cause the entire transfer to fail?

Yes, I'm talking about sth like snort-inline+Clamav, but the problem with that is exactly the problem with zip files. I understand what you said and I was just wondering if maybe there was some way to create signatures for this kind of situation. That's why I wrote to this list. Maybe your last comments should be a good direction to follow.

Thanks.
E.S
Re: [Clamav-users] Libclamav and zip files
Dennis Peterson wrote:
> Eric Scopinho said:
>> But if I do that, some side effects could happen like:
>> - I'll need free space to store the file.
>
> You're not properly committed and funded to support this activity.

Maybe.

>> - The infected packets may get in while I store the next packets to scan.
>
> There is no way on earth you can possibly identify an infected packet with ClamAV. As such, point one is irrelevant.

Maybe, but things can change. All that I know is that I have one appliance in front of mine right now performing a virus scanner inline, and it works fine, independent of the protocol. I'm just thinking about how they did that!

>> - I have to download the whole file before sending it to the end-user.
>
> Read some RFC's.

IMHO, this post is unnecessary. No offense, but I always believe if you don't have some answer or suggestion people should just listen. In this case, for instance, something like: "Try RFC 793/1323" would be better, since I didn't see any message saying this maillist is just for high-ultra-top-guy specialists.

> dp

E.S
[Clamav-users] Problem with 0.86.1
Hi,

I upgraded my clamav (0.85 -> 0.86.1) on a mail server yesterday and I'm having a problem with a particular virus getting through the system. I received the message as a bounce from an unknown address, so I assumed it must be a new variant and submitted the sample, which returned:

This virus is already recognized by ClamAV 0.86.1/987/Thu Jul 21 16:57:41 2005 (timezone: +0200 ) as Worm.Mytob.GP . Be careful when submitting samples and remember to run freshclam!

I'm definitely running this version, as from the freshclam.log:

daily.cvd updated (version: 987, sigs: 423, f-level: 5, builder: diego)

From my maillog, sending the infected mail to myself:

Jul 22 13:13:39 mail sendmail[15253]: j6MCDXPG015253:from=[EMAIL PROTECTED], size=155580, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], proto=ESMTP, daemon=MTA, relay=[000.000.000.000]
Jul 22 13:13:39 mail sendmail[15253]: j6MCDXPG015253: Milter add: header: X-Virus-Scanned: ClamAV version 0.86.1, clamav-milter version 0.86 on mail.igeek.co.uk
Jul 22 13:13:39 mail sendmail[15253]: j6MCDXPG015253: Milter add: header: X-Virus-Status: Clean
Jul 22 13:13:41 mail sendmail[15259]: j6MCDXPG015253: to=[EMAIL PROTECTED], ctladdr=[EMAIL PROTECTED] (510/510), delay=00:00:08, xdelay=00:00:01, mailer=local, pri=185865, dsn=2.0.0, stat=Sent

I've done the obvious things, restarted clamd, clamav-milter. Checked that the database is indeed up to date. There doesn't appear to be any problems with the upgrade that I performed. As far as I can see no other virus has got through, indeed I'm still catching approx 50 an hour which seems to be about average for my system which is an x86 RH9 box, if that helps working out what's wrong.

Can anyone shed any light on this problem?

TIA

Regards,
Mark.
Re: [Clamav-users] Libclamav and zip files
Eric Scopinho wrote:
> But if I do that, some side effects could happen like:
> - I'll need free space to store the file.
> - The infected packets may get in while I store the next packets to scan.
> - I have to download the whole file before sending it to the end-user.
>
> I'm trying to develop some sort of firewall+anti-virus using an embedded Linux with solid-state board, so space would be a problem. I saw one solution like that from Sonicwall's guys, but I don't know how they do that. I've heard that Fortinet has its own network-based anti-virus solution too (as an appliance). I was wondering how these guys handle the zip problem, since their hardware just has 128 of RAM and 16 of ROM. :-(

I have a sonicwall pro 4060 which indeed does malware detection. I was curious how it could do this considering the data is passing through packet by packet. According to sonicwall, they have signatures developed which match viruses and malware on a packet level. Now this doesn't really make any sense to me because if a virus spans 20 packets or so, how can the device know this? Maybe the sonicwall tech support guy was talking out his ass.. i dunno. But yes, there are devices that do this sort of thing. They cost $3,000+ though and I have no idea how they work.

-Jim
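The packet-boundary and zip problems raised in the three "Libclamav and zip files" messages above (Jason's "signature that crosses packet boundaries", Dennis's "no way to identify an infected packet", Jim's "signatures on a packet level"), shown as an added example that is not from the list or from ClamAV: a constructed byte stream is split into fixed-size "packets" and scanned three ways. The signature string, the payload contents and the packet size are all constructed placeholders, not real ClamAV signatures.

```python
import io
import zipfile

# Constructed, harmless marker standing in for a virus signature.
SIGNATURE = b"FAKE-TEST-SIGNATURE-0001"

def build_stream(compress: bool) -> bytes:
    """Constructed 'download': padding + signature, optionally inside a zip."""
    body = b"A" * 100 + SIGNATURE + b"B" * 100
    if not compress:
        return body
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.bin", body)
    return buf.getvalue()

def packetize(stream: bytes, mtu: int) -> list:
    """Split the byte stream into fixed-size 'packets' (constructed MTU)."""
    return [stream[i:i + mtu] for i in range(0, len(stream), mtu)]

def scan_per_packet(packets, sig=SIGNATURE) -> bool:
    """Naive inline scanner: each packet is matched in isolation, so a
    signature straddling two packets is never seen whole."""
    return any(sig in p for p in packets)

def scan_sliding_window(packets, sig=SIGNATURE) -> bool:
    """Stream scanner that carries len(sig)-1 bytes across packet boundaries.
    Catches a plain signature that spans packets without buffering the whole
    transfer, but cannot see inside compressed archive members."""
    carry = b""
    for p in packets:
        window = carry + p
        if sig in window:
            return True
        carry = window[-(len(sig) - 1):]
    return False

def scan_reassembled_zip(packets, sig=SIGNATURE) -> bool:
    """Buffer the whole transfer, then unpack the archive and scan members.
    Only possible once every packet has arrived (the storage and delay
    costs Eric lists); falls back to a raw scan for non-archive data."""
    data = b"".join(packets)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(sig in zf.read(name) for name in zf.namelist())
    except zipfile.BadZipFile:
        return sig in data
```

With a 110-byte packet size the plain signature lands across the first two packets: per-packet matching misses it, the sliding window finds it, and only the full reassembly plus unpacking finds it inside the zip.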
RE: [Clamav-users] newbie setup question - Solaris 9 + sendmail
Jerry K wrote:
> a) since I am using sendmail, I am making the assumption that compiling/using libmilter is the way to go?

I went that way.

> b) if I am using ClamAV as a milter, do I need to run the clamd daemon or will sendmail just call libclamav.a/so?

sendmail will NOT call libclamav.a/so. You need a milter. You can use the clamav-milter program included in the distribution, or a third-party milter that calls clamd directly, such as MIMEDefang. I use both.

If you use clamav-milter, you still have two options. You can have clamav-milter do the virus-checking itself, or defer to a running clamd daemon. There have been threading problems in the past with clamav-milter doing its own virus-checking, FYI. If you choose to defer to a running clamd daemon, start clamav-milter with the --external flag.

> c) What is the default behavior when ClamAV receives an email with a virus? Does it just delete the whole email? Does it quarantine the file and forward the email to the user? Or is there any action, other than virus identification, when an email arrives with an attached virus?

ClamAV just detects viruses. What is done with the virus is up to the calling agent - the milter, in this case. This could include rejecting the email, accepting the email but silently discarding it, and / or sending notification emails to everyone and their mother.

> I did find this line in the clamd.conf file, but I don't know what command that I would run when a virus is found:
>
> "Execute a command when virus is found. In the command string"

shutdown now, for example...

> Also, from my google'ing, I came across this page http://linux-sxs.org/administration/clamav-milter.html that indicates that emails with viruses are rejected. Is this the only possible action? That's OK if it is, I have just yet to run across the documentation that discusses this. Or, I have overlooked it.

It's not the only possible action, but it's what I do.

> d) is ClamAV + Sendmail everything I need, once functional? I am asking this because several of the links that I came across while google'ing mentioned using ClamAV in coordination with another product called Amavis.

Depends. I also scan incoming email with SpamAssassin, by way of MIMEDefang's milter.

> Also, roughly half of the user manual is filled with Third Party Products. While some of these have obvious purposes (graphing or log file processing), are there any of these necessary for me to get up and going in my environment?

No.

> TIA for any pointers or URL's where I can RTFM.

www.mimedefang.com
www.spamassassin.org
www.clamav.net

--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -emap{y/a-z/l-za-k/;print}shift Jjhi pcdiwtg Ptga wprztg,