Re: [Clamav-users] Re: Clam Packet Scanning

2006-01-29 Thread Rob MacGregor
On 1/29/06, Mar Matthias Darin <[EMAIL PROTECTED]> wrote:
>
> If this methodology catches 80% of viruses, then it is indeed worth the
> investment, if it catches only 20%, is the approach still worth the time and
> resources to develop, refine, and maintain it.

At the proxy level it should work reasonably well (keeping in mind
that clamav is aimed at catching email viruses).  I've used products
that work that way before.

As a packet scanner I'd be surprised if it ever amounted to much.  The
technical problems are rather large :)  Off the top of my head:

1) You'd need to decode the packet contents on the fly
2) Anything running over 1 packet would never be spotted
3) By the time the packet has gone by, it's probably already too late
4) If you run inline the delays will be significant

> It is this line of thinking that I am interested in, is virus scanning
> single packets worth the cost of production.  Not whether it can be done
> or rude and inconsiderate comments from individuals that obviously missed
> the intent of the question.

Ultimately that's a business decision, not a technical one.

--
 Please keep list traffic on the list.
Rob MacGregor
  Whoever fights monsters should see to it that in the process he
doesn't become a monster.  Friedrich Nietzsche
___
http://lurker.clamav.net/list/clamav-users.html
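Rob's second point (anything that runs over more than one packet is invisible to a stateless per-packet scanner) can be shown in a few lines. This is an added example, not code from the thread or from ClamAV: the signature, payload size and MSS value are constructed, and the stateful scanner carries the last len(sig)-1 bytes of each segment into the next, which is the minimum a stream scanner needs to catch a match that straddles a packet boundary.

```python
"""Per-packet vs. stream signature matching (constructed example)."""

MSS = 1460  # typical TCP payload per Ethernet frame; an assumption for the demo
SIGNATURE = b"MALWARE-MARKER-0001"  # constructed toy signature, not a ClamAV one


def build_payload(total_len: int, sig_offset: int) -> bytes:
    """Filler bytes with SIGNATURE spliced in at sig_offset (constructed input)."""
    filler = bytes(i % 251 for i in range(total_len))
    return filler[:sig_offset] + SIGNATURE + filler[sig_offset + len(SIGNATURE):]


def segment(payload: bytes, mss: int) -> list:
    """Cut the stream into MSS-sized TCP payloads, as the wire would carry them."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def scan_per_packet(segments: list, sig: bytes = SIGNATURE) -> list:
    """Stateless scanner: every packet is judged alone. Returns indices of hits."""
    return [i for i, seg in enumerate(segments) if sig in seg]


class StreamScanner:
    """Stateful scanner: keeps the last len(sig)-1 bytes of the previous packet
    so a signature split across a packet boundary is still matched."""

    def __init__(self, sig: bytes = SIGNATURE) -> None:
        self.sig = sig
        self.tail = b""          # carry-over from the previous segment
        self.consumed = 0        # stream bytes seen before the current segment
        self.hits = []           # stream offsets at which sig was found

    def feed(self, seg: bytes) -> None:
        window = self.tail + seg
        base = self.consumed - len(self.tail)   # stream offset of window[0]
        pos = window.find(self.sig)
        while pos != -1:
            self.hits.append(base + pos)
            pos = window.find(self.sig, pos + 1)
        keep = len(self.sig) - 1
        self.tail = window[-keep:] if keep else b""
        self.consumed += len(seg)


def demo(mss: int = MSS) -> dict:
    """Put the signature at offset 1452 (bytes 1452..1470, across the 1460 boundary)."""
    payload = build_payload(3000, 1452)
    segs = segment(payload, mss)
    stream = StreamScanner()
    for seg in segs:
        stream.feed(seg)
    return {"packets": len(segs),
            "per_packet_hits": scan_per_packet(segs),
            "stream_hits": stream.hits}


if __name__ == "__main__":
    print(demo())        # per-packet scanner sees nothing; stream scanner hits at 1452
    print(demo(1500))    # larger MSS: the whole signature lands inside packet 0
```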


Re: [Clamav-users] CME-24

2006-01-29 Thread clamav

Thanks Michael


Ken


On Sun, 29 Jan 2006, Michael Torrie wrote:

> On Sun, 2006-01-29 at 06:31 -0800, [EMAIL PROTECTED] wrote:
> > Rob,
> >
> > Thanks for the response. I did check through this site first. I found some
> > references to the named viruses on this site but they were very old, and
> > therefore came to the conclusion we were not talking about the same
> > virus. I also checked every commercial virus site that I could find, but
> > could not find any reference to clamav and what they might be calling this
> > virus. It seems that everyone has a different name for this virus. I
> > posted the question here because after I exhausted my search elsewhere I
> > thought I might find an intelligent answer from people that know.
>
> The CME-24 virus, known to CA and Symantec as "W32.Backmal-F" is being
> detected by ClamAV as Worm.VB-8 and a variant Worm.VB-9.
>
> Hope this helps.
>
> >
> > Thank you for at least trying to point me in the correct direction which
> > is a lot more than the last rude person did.
>
> In fairness a simple google search[1] revealed this information, as did
> a brief check of my ClamAV quarantine.  If I recall correctly, this
> virus was discussed in detail on this list a few weeks ago.
>
> Now I might be totally misunderstanding the virus you are talking about
> in the first place, though.
>
> Michael
>
> >
> > Ken
> >
>
> [1] http://www.google.com/search?q=clamav+Blackmal.F



RE: [Clamav-users] Squirriel Mail clamav scanner

2006-01-29 Thread Paul Lesneiwski
Hi folks,

  Sorry for the top-post and new thread, but I just subscribed cuz I
saw this thread in the wild.  Note that there is a SquirrelMail plugin
that does scan for viruses, but it does so at login, and I think it
scans everything in the INBOX (not sure about subfolders) -- a horribly
bad idea as you can imagine -- easy way to cripple a busy server.
Additionally, I think the signatures are set to periodically refresh
from the plugin author's own server, which he has stopped updating
regularly.

http://squirrelmail.org/plugin_view.php?id=202

  So the point I want to make is that this has been done before, but
the idea needs a lot of refinement.  If the idea is to allow a user to
click on a "scan" button in the interface, or somehow define a
criteria for which messages to scan, and to allow scanning to happen
at a user-defined/initiated time, that probably wouldn't be very hard
to do in the form of a SquirrelMail plugin.

  If anyone wants to write one (or better yet, contact Jimmy, the
author of the one referenced above and work with him to build these
other types of scanning into that plugin), come 'round the
squirrelmail-plugins mailing list and we'll be happy to help. 
Although I too would advocate for scanning at the time of receipt and
leaving this out of the client, there are perhaps lots of people who
want something a little different, thus we'd love to see a
SquirrelMail plugin for this kind of thing that is more fully
functional and that isn't a web server killer.

Cheers,

 Paul


> 1. Stephen Gran, you mention a 'php library with clamav bindings' how does
> that help me? Is that something I should be looking into in relation to a
> SquirrelMail plugin?
>
> 2. James Kosin, you've said 'be sure to get clamdscan to scan for viruses or
> get a script to scan when checking email. There are plenty of choices out
> there.' Can you point me in the direction of a few of those scripts?
>
> 3. Joe Polk, you said 'OpenWebMail has a hook into clamav and it looks
> better than Squirrelmail'. I know, that's where I got the idea, but I'm
> using SquirrelMail on my server at the moment with a lot of SquirrelMail
> plugins, so I would like to stay with it. But both are webmail clients; I
> would imagine if one could do it so could the other ...
>
> 4. Dennis Peterson, you've said 'One difference is the T-bird client uses
> client cpu clicks whereas squirrel mail uses server clicks. Unless you can
> come up with a browser based scanner. 10,000 users all clicking and scanning
> at the same time seems like a potential problem for the average server'.
> That's very true, I never thought of that, although if Freddie Cash is
> saying, 'it could be mitigated using clamdscan in a SM plugin instead of
> clamscan. While it would still be using server CPU resources, it shouldn't
> be nearly as bad' that would be better, and as Joe Polk has said before there
> is a plugin for openwebmail then I can't see why there would be one for
> SquirrelMail?
>
> I guess I'm still looking for an answer? So far I can tell that it is
> possible (openwebmail uses one) but it just hasn't been made yet ... or no
> one knows of one?
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Freddie Cash
> Sent: Tuesday, 10 January 2006 7:17
> To: ClamAV users ML
> Subject: Re: [Clamav-users] Squirriel Mail clamav scanner
>
>
> On January 9, 2006 11:46 am, Dennis Peterson wrote:
> > > On January 9, 2006 11:06 am, Jeremy Kitchen wrote:
> > > > just reject viruses at the front door, and you'll be fine.
> > > > 'client-side' scanning (squirrelmail IS a client, even though it's
> > > > run on a server) is not a 'feature'.  Don't think you should do it
> > > > that way just because thunderbird does it.  The only reason
> > > > thunderbird or kmail have client-side virus scanning support is
> > > > because some providers don't do their own scanning.
>
> > > Re-read your last sentence, then compare how Thunderbird accesses
> > > messages from a POP server compared to how SquirrelMail accesses
> > > messages from a POP server using the built-in Mail Fetch plugin (that
> > > completely by-passes any and all mail servers at the site using
> > > SquirrelMail). There is no functional difference, so why should one
> > > client be allowed to scan messages while another isn't?
>
> > > While it's not the most optimal setup, having the option to scan
> > > messages in the mail client should not be frowned upon.  If your mail
> > > provider does not scan your incoming messages, then the mail client
> > > is a good place to scan messages.  After-all, it's the only place
> > > *you*, the recipient, fully control access to the e-mail message.
>
> > One difference is the T-bird client uses client cpu clicks whereas
> > squirrel mail uses server clicks. Unless you can come up with a browser
> > based scanner. 10,000 users all clicking and scanning at the same time
> > seems like a potential problem for the a

Re: [Clamav-users] Unofficial Phishing Signatures

2006-01-29 Thread Dennis Peterson

Oliver Stöneberg wrote:

> So these are phishing mails that are not recognised by ClamAV, but
> by your signatures.
>
> If I scan the complete set with your signatures, a lot of mails
> already recognised by ClamAV are actually recognised by your
> signatures, so there are quite some duplicates in your signatures
> compared to ClamAV.
>
> I might post a list of the signatures that are recognising mails
> that are already in ClamAV signatures, but I'd rather see you doing a
> cleanup first.
>
> I did this test with 0.88-1 and signatures database version 1257.

It's worth repeating the question I asked over a week ago - what methodology is
used in collecting these so that dupes are avoided? Nobody answered,
unfortunately, so now we see we have dupes.


dp


[Clamav-users] Re: Clam Packet Scanning

2006-01-29 Thread Mar Matthias Darin
Hello, 

Look at http://clamav.net/3rdparty.html#other 


What you describe is similar to Endian Firewall, Snort-ClamAV, Snort-inline and
perhaps RedWall Firewall.


I have looked at them and their source code before.  These do not answer the 
questions of feasibility and practicality of a packet level virus scanner.  
My interest is not whether it can be done... but rather whether the time and 
technical merit in doing so will produce an acceptable catch 
percentile. 

If this methodology catches 80% of viruses, then it is indeed worth the 
investment, if it catches only 20%, is the approach still worth the time and 
resources to develop, refine, and maintain it. 

A good example of this is the U.S. gov't spends $8 million a year to study 
cow burps and $13 million to research fly farts WHY?  Where is the 
practicality of this and to what ends will this "research" be used other 
than simply to waste money? 

It is this line of thinking that I am interested in, is virus scanning 
single packets worth the cost of production.  Not whether it can be done 
or rude and inconsiderate comments from individuals that obviously missed 
the intent of the question. 

Thank you in advance. 







Re: [Clamav-users] Unofficial Phishing Signatures

2006-01-29 Thread Oliver Stöneberg
You should really clean up your signatures. I have a phishing set of 
512 phishing mails of which 23 are not recognised by ClamAV. From those 
only 4 are captured by your signatures, which are the following:

d:\_ham-mails\_scan/phishing.070: Html.Phishing.Bank.Sanesecurity.05080100 FOUND
d:\_ham-mails\_scan/phishing.192: Html.Phishing.Auction.Sanesecurity.05080100 FOUND
d:\_ham-mails\_scan/phishing.199: Html.Phishing.Pay.Sanesecurity.05120802 FOUND
d:\_ham-mails\_scan/phishing.335: Html.Phishing.Pay.Sanesecurity.06011101 FOUND

So these are phishing mails that are not recognised by ClamAV, but 
by your signatures.

If I scan the complete set with your signatures, a lot of mails 
already recognised by ClamAV are actually recognised by your 
signatures, so there are quite some duplicates in your signatures 
compared to ClamAV.

I might post a list of the signatures that are recognising mails 
that are already in ClamAV signatures, but I'd rather see you doing a 
cleanup first.

I did this test with 0.88-1 and signatures database version 1257.

> Hi,
> 
> Firstly, I've done an update to the Unofficial Phishing Signatures.
> 
> Secondly... will whoever is using ip address 216.35.188.119, please sort 
> out their wget config file:
> 
> 216.35.188.119 - - [29/Jan/2006:20:36:01 +] "HEAD /clamav/phish.ndb 
> HTTP/1.0" 200 0 "-" "Wget/1.10.2"
> 216.35.188.119 - - [29/Jan/2006:20:38:01 +] "HEAD /clamav/phish.ndb 
> HTTP/1.0" 200 0 "-" "Wget/1.10.2"
> 216.35.188.119 - - [29/Jan/2006:20:40:01 +] "HEAD /clamav/phish.ndb 
> HTTP/1.0" 200 0 "-" "Wget/1.10.2"
> 216.35.188.119 - - [29/Jan/2006:20:42:01 +] "HEAD /clamav/phish.ndb 
> HTTP/1.0" 200 0 "-" "Wget/1.10.2"
> 216.35.188.119 - - [29/Jan/2006:20:44:01 +] "HEAD /clamav/phish.ndb 
> HTTP/1.0" 200 0 "-" "Wget/1.10.2"
> 216.35.188.119 - - [29/Jan/2006:20:46:01 +] "HEAD /clamav/phish.ndb 
> HTTP/1.0" 200 0 "-" "Wget/1.10.2"
> 216.35.188.119 - - [29/Jan/2006:20:48:01 +] "HEAD /clamav/phish.ndb 
> HTTP/1.0" 200 0 "-" "Wget/1.10.2"
> 216.35.188.119 - - [29/Jan/2006:20:50:02 +] "HEAD /clamav/phish.ndb 
> HTTP/1.0" 200 0 "-" "Wget/1.10.2"
> 216.35.188.119 - - [29/Jan/2006:20:52:01 +] "HEAD /clamav/phish.ndb 
> HTTP/1.0" 200 0 "-" "Wget/1.10.2"
> 216.35.188.119 - - [29/Jan/2006:20:54:01 +] "HEAD /clamav/phish.ndb 
> HTTP/1.0" 200 0 "-" "Wget/1.10.2"
> 216.35.188.119 - - [29/Jan/2006:20:56:01 +] "HEAD /clamav/phish.ndb 
> HTTP/1.0" 200 0 "-" "Wget/1.10.2"
> 216.35.188.119 - - [29/Jan/2006:20:58:01 +] "HEAD /clamav/phish.ndb 
> HTTP/1.0" 200 0 "-" "Wget/1.10.2"
> 
> I don't update the sigs *that* often ;)
> 
> IP has been blocked access for now.
> 
> Cheers,
> 
> Steve
> 


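Oliver's test (scan the corpus with the official database, then with the unofficial set) and Dennis's question about keeping duplicates out of the set can both be automated. The script below is an added example, not code from the thread, from ClamAV or from the signature author; the two reports are constructed clamscan outputs, assuming one run against the official database only and one against the unofficial .ndb only (clamscan -d), because a combined run reports only one signature per file by default and would hide which set actually caught it.

```python
"""Overlap check: which unofficial signatures add detections the official
ClamAV database misses, and which only duplicate it (constructed example)."""
import re
from collections import defaultdict
from typing import Dict, Optional

# clamscan prints "<path>: <signature> FOUND" for hits and "<path>: OK" for clean files
LINE_RE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>\S+) FOUND|OK)$")

# Constructed reports: one run with the official db only, one with -d phish.ndb
# only, so every file shows what each signature set detects on its own.
OFFICIAL_REPORT = """\
/var/mail/_scan/phishing.001: HTML.Phishing.Bank-1 FOUND
/var/mail/_scan/phishing.002: HTML.Phishing.Pay-2 FOUND
/var/mail/_scan/phishing.070: OK
/var/mail/_scan/phishing.192: OK
/var/mail/_scan/phishing.199: OK
/var/mail/_scan/phishing.335: OK
/var/mail/_scan/phishing.400: OK
"""
UNOFFICIAL_REPORT = """\
/var/mail/_scan/phishing.001: Html.Phishing.Bank.Sanesecurity.05080100 FOUND
/var/mail/_scan/phishing.002: Html.Phishing.Ebay.Sanesecurity.05090101 FOUND
/var/mail/_scan/phishing.070: Html.Phishing.Bank.Sanesecurity.05080100 FOUND
/var/mail/_scan/phishing.192: Html.Phishing.Auction.Sanesecurity.05080100 FOUND
/var/mail/_scan/phishing.199: Html.Phishing.Pay.Sanesecurity.05120802 FOUND
/var/mail/_scan/phishing.335: Html.Phishing.Pay.Sanesecurity.06011101 FOUND
/var/mail/_scan/phishing.400: OK
"""

def parse_report(text: str) -> Dict[str, Optional[str]]:
    """Map each scanned file to the signature that fired, or None if clean."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result[m.group("path")] = m.group("sig")
    return result

def analyse(official: Dict[str, Optional[str]],
            unofficial: Dict[str, Optional[str]]) -> dict:
    """Split the unofficial set into signatures that rescue files the official db
    misses and signatures whose every hit is already covered by the official db."""
    files = set(official) | set(unofficial)
    missed = {f for f in files if official.get(f) is None}
    hits_by_sig = defaultdict(set)          # unofficial signature -> files it hit
    for path, sig in unofficial.items():
        if sig:
            hits_by_sig[sig].add(path)
    rescued = {f for f in missed if unofficial.get(f)}
    return {
        "total": len(files),
        "missed_by_official": len(missed),
        "rescued_by_unofficial": len(rescued),
        "still_missed": sorted(missed - rescued),
        "useful_sigs": sorted(s for s, fs in hits_by_sig.items() if fs & missed),
        "redundant_sigs": sorted(s for s, fs in hits_by_sig.items() if not fs & missed),
    }
```

Calling analyse(parse_report(OFFICIAL_REPORT), parse_report(UNOFFICIAL_REPORT)) on the sample lists the Ebay signature as the only redundant one and phishing.400 as the one mail neither set catches.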


Re: [Clamav-users] Unofficial Phishing Signatures

2006-01-29 Thread Rob MacGregor
On 1/29/06, Steve Basford <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Firstly, I've done an update to the Unofficial Phishing Signatures.
>
> Secondly... will whoever is using ip address 216.35.188.119, please sort
> out their wget config file:

A quick WhoIS check says it's mail.mrball.net (POC todd  mrball.net).

--
 Please keep list traffic on the list.
Rob MacGregor
  Whoever fights monsters should see to it that in the process he
doesn't become a monster.  Friedrich Nietzsche


Re: [Clamav-users] Unofficial Phishing Signatures

2006-01-29 Thread Steve Basford

Hi,

Firstly, I've done an update to the Unofficial Phishing Signatures.

Secondly... will whoever is using ip address 216.35.188.119, please sort 
out their wget config file:


216.35.188.119 - - [29/Jan/2006:20:36:01 +] "HEAD /clamav/phish.ndb 
HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:38:01 +] "HEAD /clamav/phish.ndb 
HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:40:01 +] "HEAD /clamav/phish.ndb 
HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:42:01 +] "HEAD /clamav/phish.ndb 
HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:44:01 +] "HEAD /clamav/phish.ndb 
HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:46:01 +] "HEAD /clamav/phish.ndb 
HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:48:01 +] "HEAD /clamav/phish.ndb 
HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:50:02 +] "HEAD /clamav/phish.ndb 
HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:52:01 +] "HEAD /clamav/phish.ndb 
HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:54:01 +] "HEAD /clamav/phish.ndb 
HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:56:01 +] "HEAD /clamav/phish.ndb 
HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:58:01 +] "HEAD /clamav/phish.ndb 
HTTP/1.0" 200 0 "-" "Wget/1.10.2"


I don't update the sigs *that* often ;)

IP has been blocked access for now.

Cheers,

Steve

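The pattern in Steve's log (a HEAD every two minutes from one address against a file that changes a few times a week at most) is easy to flag from the access log before it turns into a block-by-hand exercise. This is an added example, not code from the thread: it parses combined-format log lines and reports clients whose shortest gap between fetches of a given path is below a threshold. The log lines and the RFC 5737 addresses are constructed, and the 3600-second threshold is an assumption.

```python
"""Spot clients that re-check a signature file far more often than it is
updated, from web-server access logs (constructed example)."""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format, as written by Apache/nginx
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one wget cron job firing every two minutes, one
# well-behaved client checking twice a day, one unrelated request.
SAMPLE_LOG = """\
192.0.2.10 - - [29/Jan/2006:20:36:01 +0000] "HEAD /clamav/phish.ndb HTTP/1.0" 200 0 "-" "Wget/1.10.2"
192.0.2.10 - - [29/Jan/2006:20:38:01 +0000] "HEAD /clamav/phish.ndb HTTP/1.0" 200 0 "-" "Wget/1.10.2"
198.51.100.7 - - [29/Jan/2006:08:00:00 +0000] "HEAD /clamav/phish.ndb HTTP/1.0" 200 0 "-" "Wget/1.10.2"
192.0.2.10 - - [29/Jan/2006:20:40:01 +0000] "HEAD /clamav/phish.ndb HTTP/1.0" 200 0 "-" "Wget/1.10.2"
192.0.2.10 - - [29/Jan/2006:20:41:30 +0000] "GET /index.html HTTP/1.0" 200 1234 "-" "Wget/1.10.2"
198.51.100.7 - - [29/Jan/2006:20:00:00 +0000] "HEAD /clamav/phish.ndb HTTP/1.0" 200 0 "-" "Wget/1.10.2"
192.0.2.10 - - [29/Jan/2006:20:42:01 +0000] "HEAD /clamav/phish.ndb HTTP/1.0" 200 0 "-" "Wget/1.10.2"
"""

def parse_line(line: str):
    """Return (ip, timestamp, path, user-agent) or None for unparsable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), m.group("ua")

def find_pollers(lines, path: str, min_interval_s: int) -> list:
    """Clients fetching `path` whose shortest gap between requests is under min_interval_s."""
    seen = defaultdict(list)    # ip -> timestamps of requests for `path`
    agents = {}
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == path:      # HEAD and GET both count: cadence is the issue
            seen[rec[0]].append(rec[1])
            agents[rec[0]] = rec[3]
    offenders = []
    for ip, stamps in seen.items():
        stamps.sort()                   # log order is not guaranteed to be time order
        if len(stamps) < 2:
            continue
        gap = min((b - a).total_seconds() for a, b in zip(stamps, stamps[1:]))
        if gap < min_interval_s:
            offenders.append({"ip": ip, "requests": len(stamps),
                              "min_interval_s": int(gap), "user_agent": agents[ip]})
    return sorted(offenders, key=lambda o: o["min_interval_s"])

if __name__ == "__main__":
    for o in find_pollers(SAMPLE_LOG.splitlines(), "/clamav/phish.ndb", 3600):
        print(o)
```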


Re: [Clamav-users] CME-24

2006-01-29 Thread Michael Torrie
On Sun, 2006-01-29 at 06:31 -0800, [EMAIL PROTECTED] wrote:
> Rob,
> 
> Thanks for the response. I did check through this site first. I found some
> references to the named viruses on this site but they were very old, and
> therefore came to the conclusion we were not talking about the same
> virus. I also checked every commercial virus site that I could find, but
> could not find any reference to clamav and what they might be calling this
> virus. It seems that everyone has a different name for this virus. I
> posted the question here because after I exhausted my search elsewhere I
> thought I might find an intelligent answer from people that know.

The CME-24 virus, known to CA and Symantec as "W32.Backmal-F" is being
detected by ClamAV as Worm.VB-8 and a variant Worm.VB-9.

Hope this helps.

> 
> Thank you for at least trying to point me in the correct direction which
> is a lot more than the last rude person did.

In fairness a simple google search[1] revealed this information, as did
a brief check of my ClamAV quarantine.  If I recall correctly, this
virus was discussed in detail on this list a few weeks ago.

Now I might be totally misunderstanding the virus you are talking about
in the first place, though.

Michael

> 
> Ken
> 

[1] http://www.google.com/search?q=clamav+Blackmal.F


Re: [Clamav-users] CME-24

2006-01-29 Thread Artchameleon
Please do not send any more messages.  Thank  you.


Re: [Clamav-users] CME-24

2006-01-29 Thread clamav

Rob,

Thanks for the response. I did check through this site first. I found some
references to the named viruses on this site but they were very old, and
therefore came to the conclusion we were not talking about the same
virus. I also checked every commercial virus site that I could find, but
could not find any reference to clamav and what they might be calling this
virus. It seems that everyone has a different name for this virus. I
posted the question here because after I exhausted my search elsewhere I
thought I might find an intelligent answer from people that know.

Thank you for at least trying to point me in the correct direction which
is a lot more than the last rude person did.

Ken


On Sun, 29 Jan 2006, Rob MacGregor wrote:

> On 1/29/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >
> > Why would say this? Is this list not about clamav and viruses?
>
> I suspect the poster's point is that it's pretty obvious you've put
> zero effort into finding the answer for yourself.
>
> Try reading the page on "Virus Naming" on the ClamAV site.  You may
> also want to look at the clamav-virusdb list:
> http://lurker.clamav.net/list/clamav-virusdb.html
>
> --
>  Please keep list traffic on the list.
> Rob MacGregor
>   Whoever fights monsters should see to it that in the process he
> doesn't become a monster.  Friedrich Nietzsche



Re: [Clamav-users] CME-24

2006-01-29 Thread Rob MacGregor
On 1/29/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> Why would say this? Is this list not about clamav and viruses?

I suspect the poster's point is that it's pretty obvious you've put
zero effort into finding the answer for yourself.

Try reading the page on "Virus Naming" on the ClamAV site.  You may
also want to look at the clamav-virusdb list:
http://lurker.clamav.net/list/clamav-virusdb.html

--
 Please keep list traffic on the list.
Rob MacGregor
  Whoever fights monsters should see to it that in the process he
doesn't become a monster.  Friedrich Nietzsche