Re: [Clamav-users] CME-24
On Saturday 28 January 2006 19:41, [EMAIL PROTECTED] wrote:
>> Please do not send any more messages. Thank you.
>
> Why would say this? Is this list not about clamav and viruses?

my guess is this person was trying to unsubscribe from the list.

anyways, does anyone actually take AOL users seriously? ;) /duck

-Jeremy

-- 
Jeremy Kitchen ++ [EMAIL PROTECTED]
In the beginning was The Word and The Word was Content-type: text/plain -- The Word of Bob.
___
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Re: Clam Packet Scanning
Rob MacGregor wrote:
> 1) You'd need to decode the packet contents on the fly
> 2) Anything running over 1 packet would never be spotted

Just wondering how far a signature can go? Does the scanner need to go back and forth in a file for scanning, or can it scan a stream as it passes by? How far does it need to go if it has to go backwards? What about zip files? Do they need to be unzipped before scanning?

The idea is to have a small packet queue where the last n packets are stored, scanned and then transmitted in a cyclic fashion, i.e. the first n-1 packets just get queued; when the nth packet arrives, the queue is scanned, the 1st packet is released and the nth packet is appended to the queue. This process is repeated for every packet.

Now don't flame me about performance, I just want to know if such an arrangement will catch all viruses in that stream or if some virus will get past this. What I am just looking at is whether such a thing is ever possible (as opposed to feasible). The aim is to catch malware that comes via a random tcp connection, like some sort of p2p application.

raj
[Clamav-users] Re: Clam Packet Scanning
Hello,

Rajkumar S writes:
> Rob MacGregor wrote:
>> 1) You'd need to decode the packet contents on the fly
>> 2) Anything running over 1 packet would never be spotted
>
> Just wondering how far a signature can go? Does the scanner need to go back and forth in a file for scanning, or can it scan a stream as it passes by? How far does it need to go if it has to go backwards? What about zip files? Do they need to be unzipped before scanning?
>
> The idea is to have a small packet queue where the last n packets are stored, scanned and then transmitted in a cyclic fashion, i.e. the first n-1 packets just get queued; when the nth packet arrives, the queue is scanned, the 1st packet is released and the nth packet is appended to the queue. This process is repeated for every packet.
>
> Now don't flame me about performance, I just want to know if such an arrangement will catch all viruses in that stream or if some virus will get past this. What I am just looking at is whether such a thing is ever possible (as opposed to feasible). The aim is to catch malware that comes via a random tcp connection, like some sort of p2p application.

I have done some research on this already... If you store the file in a disk buffer (say max 100K at a shot, using tmpfs for speed), then scan the buffer, it does indeed work. HAVP uses this technique quite well.

Where your problem is going to occur, as with havp, is in notifying the user that their file was trashed, unless the P2P software incorporates the antivirus scanning inline with the downloading. In such a manner, the P2P can notify the user that the transfer was aborted and why.
Re: [Clamav-users] Re: Clam Packet Scanning
Mar Matthias Darin wrote:
> I have done some research on this already... If you store the file in a disk buffer (say max 100K at a shot, using tmpfs for speed), then scan the buffer, it does indeed work.

How short can this buffer go? Does this file need to be seekable?

> Where your problem is going to occur, as with havp, is in notifying the user that their file was trashed, unless the P2P software incorporates the antivirus scanning inline with the downloading. In such a manner, the P2P can notify the user that the transfer was aborted and why.

One way would be to overwrite the matched signatures with zeros; that would defang the file. Another way would be to use this in conjunction with a desktop virus scanner, where the gateway antivirus would provide defence in depth. There is no fit-all approach here.

raj
Re: [Clamav-users] Re: Clam Packet Scanning
On Monday 30 January 2006 02:10, Rajkumar S wrote:
>> Where your problem is going to occur, as with havp, is in notifying the user that their file was trashed, unless the P2P software incorporates the antivirus scanning inline with the downloading. In such a manner, the P2P can notify the user that the transfer was aborted and why.
>
> One way would be to overwrite the matched signatures with zeros; that would defang the file. Another way would be to use this in conjunction with a desktop virus scanner, where the gateway antivirus would provide defence in depth. There is no fit-all approach here.

well, some p2p apps keep checksums of their parts so they know the file went across ok, so they'd see the zero'd out parts, the checksum would fail, and they would try again, see the zero'd out parts, checksum would fail, try again, checksum fail, try again...

I would say just ban the use of p2p apps like kazaa, limewire on your network, and police it very closely. Anyone who doesn't follow the rules gets the door.

-Jeremy

-- 
Jeremy Kitchen ++ [EMAIL PROTECTED]
In the beginning was The Word and The Word was Content-type: text/plain -- The Word of Bob.
[Clamav-users] Why I couldn't scan this file?
I use clamav 0.88 on FreeBSD 6.0-stable. But when I scan the file which I downloaded from ftp://ftp.freebsd.org/pub/FreeBSD/ISO-IMAGES-i386/6.0/6.0-RELEASE-i386-disc1.iso, it doesn't work. It returns:

-- summary --
Known viruses: 43832
Engine version: 0.88
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Time: 1.602 sec (0 m 1 s)

You see the Data scanned: 0.00 MB, but the file is 551 MB large. I want to know how to use ClamAV to scan larger files.
Re: [Clamav-users] Why I couldn't scan this file?
On Mon, 30 Jan 2006 19:55:54 +0800 [EMAIL PROTECTED] wrote:
> I use clamav 0.88 on FreeBSD 6.0-stable. But when I scan the file which I downloaded from ftp://ftp.freebsd.org/pub/FreeBSD/ISO-IMAGES-i386/6.0/6.0-RELEASE-i386-disc1.iso, it doesn't work. It returns:
>
> -- summary --
> Known viruses: 43832
> Engine version: 0.88
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Time: 1.602 sec (0 m 1 s)
>
> You see the Data scanned: 0.00 MB, but the file is 551 MB large. I want to know how to use ClamAV to scan larger files.

libclamav skips ISO images. In order to scan it, you should first mount the image and then run clamscan on the mount point.

-- 
Tomasz Kojm [EMAIL PROTECTED]
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Mon Jan 30 13:43:44 CET 2006
Re: [Clamav-users] Re: Clam Packet Scanning
On 1/30/06, Rajkumar S [EMAIL PROTECTED] wrote:
> Just wondering how far a signature can go? Does the scanner need to go back and forth in a file for scanning, or can it scan a stream as it passes by? How far does it need to go if it has to go backwards? What about zip files? Do they need to be unzipped before scanning?
>
> The idea is to have a small packet queue where the last n packets are stored, scanned and then transmitted in a cyclic fashion, i.e. the first n-1 packets just get queued; when the nth packet arrives, the queue is scanned, the 1st packet is released and the nth packet is appended to the queue. This process is repeated for every packet.

What about out of order packets? What about duplicates...?

The short answer is, no such approach, even if you can get it performing reasonably well, will be completely effective. You would be better off defaulting to blocking all outbound traffic and routing all allowed traffic through proxies or gateways.

Keep in mind that clamav can't catch a virus it doesn't have a signature for. For there to be a signature somebody has to have reported it. That means that it has to be in the wild *before* you can get signatures to detect it. Which may mean that you're already infected. This isn't unique to clamav.

-- 
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he doesn't become a monster. Friedrich Nietzsche
Re: [Clamav-users] Unofficial Phishing Signatures
Dennis Peterson wrote:
> It's worth repeating the question I asked over a week ago - what methodology is used in collecting these so that dupes are avoided? Nobody answered, unfortunately, so now we see we have dupes.

Sorry for the delay... apart from being more than a little busy... I must admit, I've spent more time adding to the signatures than doing the boring bit of documenting the methods of producing them.

Anyway, here's a very rushed, first draft version of how I put together one signature:

http://sanesecurity.com/clamav/method.pdf

No doubt it's got a lot of stuff missing and people will have much better/quicker ways of doing the same thing, but I guess that's life! ;)

Cheers,

Steve
[Clamav-users] RE: File Attachment Size Problem
> On 1/27/06, Bill King [EMAIL PROTECTED] wrote:
>> I am running ClamAV on a Solaris host, with MIMEDefang. Versions and log examples are posted below. I am trying to modify ...
>> ...snip...
>> I'm already using MIMEDefang.
>>
>> Jan 26 12:05:31 MTA_Daemon[4795]: Milter (mimedefang): timeout before data read
>
> This sounds like a milter timeout rather than clamd. Check your milter configuration in sendmail.mc; if it says something like S:1m;R:1m it's too low for scanning large messages. Try something like:
>
> INPUT_MAIL_FILTER(`mimedefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:5m;R:5m;E:10m')

Thanks! This is working. However, I am thinking of trying to skip the scan of large messages as I am not sure if it is worth the CPU ticks. Does anyone have ideas about whether or not this is a good plan?

Bill King
Systems Administrator
Nuclear Engineering Department
U.C. Berkeley
(510)642-1021, (510)866-3386
[EMAIL PROTECTED]
Re: [Clamav-users] Unofficial Phishing Signatures
Oliver Stöneberg wrote:
> You should really clean up your signatures. I have a phishing set of 512 phishing mails of which 23 are not recognised by ClamAV. From those only 4 are captured by your signatures, which are the following:

Firstly, thanks for the feedback. Although I must say, I'm disappointed but not really surprised that my signatures didn't get all your samples, as there are sooo many ways of doing phishing attempts.

> If I scan the complete set with your signatures, a lot of mails already recognised by ClamAV are actually recognised by your signatures, so there are quite some duplicates in your signatures, compared to ClamAV.

Hmmm well, in my sample set, I've certainly scanned them with the default ClamAV sigs and then used --remove to remove the samples *before* I try to create a sig for the missed ones. I guess there must be dupes... elsewhere. Both signatures will match...

> but I might post a list of the signatures that are recognising mails that are already in ClamAV signatures, but I'd rather see you doing a cleanup first

I feel that it's going to be quite difficult for me to go through 500-odd ClamAV phishing signatures and compare them, with an editor, to my 100-ish signatures and find out what bits are duplicated. I really need some samples.

If possible, to save a whole load of time... could you:

a) give me the sample phishing emails that are duplicated
b) give me the sample phishing emails that are missed

Email me, to chat off-list: steveb_clamav -AT- sanesecurity -DOT- com

Thanks again for the feedback...

Steve
RE: [Clamav-users] RE: File Attachment Size Problem
Bill King wrote:
> On 1/27/06, Bill King [EMAIL PROTECTED] wrote:
>>> I am running ClamAV on a Solaris host, with MIMEDefang.
>>> ...
>>> Jan 26 12:05:31 MTA_Daemon[4795]: Milter (mimedefang): timeout before data read
>>
>> Try something like:
>>
>> INPUT_MAIL_FILTER(`mimedefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:5m;R:5m;E:10m')
>
> Thanks! This is working. However, I am thinking of trying to skip the scan of large messages as I am not sure if it is worth the CPU ticks. Does anyone have ideas about whether or not this is a good plan?

If you're looking to save ticks... If you're using MIMEDefang with SpamAssassin, and you have a reasonably high percentage of your mail volume that is viral, you might save ticks by using clamav-milter as well. That would keep the number of memory-hungry MIMEDefang threads down, if you ran the clamav-milter before calling MIMEDefang.

-- 
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
[Clamav-users] Re: Clam Packet Scanning
Hello,

Rajkumar S writes:
> Mar Matthias Darin wrote:
>> I have done some research on this already... If you store the file in a disk buffer (say max 100K at a shot, using tmpfs for speed), then scan the buffer, it does indeed work.
>
> How short can this buffer go? Does this file need to be seekable?

Ideally, I would say 16K would be as small as you want to go. If the buffer is too small, the transfer speed will suffer.

>> Where your problem is going to occur, as with havp, is in notifying the user that their file was trashed, unless the P2P software incorporates the antivirus scanning inline with the downloading. In such a manner, the P2P can notify the user that the transfer was aborted and why.
>
> One way would be to overwrite the matched signatures with zeros; that would defang the file. Another way would be to use this in conjunction with a desktop virus scanner, where the gateway antivirus would provide defence in depth. There is no fit-all approach here.

These would work. However, one must take into account that many end-users would not have an understanding of this technique when their computer locks up from a bad jump table in the EXE header. My personal opinion is that the antivirus at this level needs to be integrated into the application or have hooks that allow easy integration.
Re: [Clamav-users] Re: Clam Packet Scanning
Rob MacGregor wrote:
> On 1/30/06, Rajkumar S [EMAIL PROTECTED] wrote:
>> The idea is to have a small packet queue where the last n packets are stored, scanned and then transmitted in a cyclic fashion, i.e. the first n-1 packets just get queued; when the nth packet arrives, the queue is scanned, the 1st packet is released and the nth packet is appended to the queue. This process is repeated for every packet.
>
> What about out of order packets? What about duplicates...?

These are problems. I was actually looking at this from a theoretical perspective, like can this approach ever work. Out of order and duplicate packets are solvable problems (I understand they are not easy, but IDS has done it before). So is performance.

> be better off defaulting to blocking all outbound traffic and routing all allowed traffic through proxies or gateways.

It may not be possible to run proxies for all applications used by users. While proxies are one of the better ways to control traffic, I am just exploring alternate ways to achieve a much more general solution.

> That means that it has to be in the wild *before* you can get signatures to detect it.

Okay.

> Which may mean that you're already infected.

How come? A virus in the wild != me getting infected. But there is a chance that wild == my PC :) But that's the risk we take with all AV.

raj
Re: [Clamav-users] Re: Clam Packet Scanning
Mar Matthias Darin wrote:
> Hello,
>
> Rajkumar S writes:
>> How short can this buffer go? Does this file need to be seekable?
>
> Ideally, I would say 16K would be as small as you want to go. If the buffer is too small, the transfer speed will suffer.

That's a nice number. I am pretty encouraged by this possibility. Time to go coding :)

raj
Re: [Clamav-users] Re: Clam Packet Scanning
Rob MacGregor wrote:
> On 1/30/06, Rajkumar S [EMAIL PROTECTED] wrote:
>> Just wondering how far a signature can go? Does the scanner need to go back and forth in a file for scanning, or can it scan a stream as it passes by? How far does it need to go if it has to go backwards? What about zip files? Do they need to be unzipped before scanning?
>>
>> The idea is to have a small packet queue where the last n packets are stored, scanned and then transmitted in a cyclic fashion, i.e. the first n-1 packets just get queued; when the nth packet arrives, the queue is scanned, the 1st packet is released and the nth packet is appended to the queue. This process is repeated for every packet.
>
> What about out of order packets? What about duplicates...?

What about tar files? What about zip files?

dp
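The three questions running through this thread (Rob's point that anything spanning more than one packet is missed, Raj's "how far back does the scanner have to look", and dp's tar/zip question) can be shown concretely with a few lines. This is an added illustration, not code from HAVP, ClamAV or anyone on the list: the "signature" is a constructed byte string, the payload is constructed, and Python's substring search stands in for libclamav. The boundary behaviour is the same whatever engine does the matching.

```python
import io
import zipfile
from collections import deque

# Constructed sample: a fake 31-byte "signature" inside an otherwise dull payload.
# Not a real ClamAV signature; chosen so the demo runs offline.
SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER-2006"
PAYLOAD = b"A" * 1000 + SIGNATURE + b"B" * 1000


def packetize(data: bytes, mss: int) -> list:
    """Split a byte stream into in-order TCP segments of at most mss bytes
    (reordering and retransmission are ignored, as in Raj's question)."""
    return [data[i:i + mss] for i in range(0, len(data), mss)]


def scan_per_packet(packets, sig: bytes) -> bool:
    """Look at each segment on its own: misses a signature that straddles a
    segment boundary, which is Rob's point 2."""
    return any(sig in pkt for pkt in packets)


def scan_window(packets, sig: bytes, n: int) -> bool:
    """Raj's scheme: queue the last n segments, scan the concatenation when a
    new one arrives, then release the oldest.  A straddling signature is only
    caught if it fits inside n consecutive segments."""
    window = deque(maxlen=n)
    for pkt in packets:
        window.append(pkt)
        if sig in b"".join(window):
            return True
    return False


def scan_with_carry(packets, sig: bytes) -> bool:
    """Answer to 'how far does it need to go backwards' for a plain byte
    signature: len(sig) - 1 bytes.  Keep exactly that much as a carry instead
    of whole segments, so the buffer size no longer depends on the MSS."""
    lookback = len(sig) - 1
    carry = b""
    for pkt in packets:
        buf = carry + pkt
        if sig in buf:
            return True
        carry = buf[-lookback:] if lookback else b""
    return False


def zip_bytes(name: str, data: bytes) -> bytes:
    """Wrap data in an in-memory DEFLATE zip so the signature is no longer a
    literal byte run anywhere in the stream."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return out.getvalue()


def scan_reassembled_archive(packets, sig: bytes) -> bool:
    """dp's zip/tar case: no window size helps, because the bytes to match do
    not exist until the whole transfer is reassembled and unpacked."""
    blob = b"".join(packets)
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(sig in zf.read(info) for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


if __name__ == "__main__":
    segs = packetize(PAYLOAD, 1024)          # signature spans bytes 1000..1030
    print("per packet     :", scan_per_packet(segs, SIGNATURE))            # False
    print("window n=2     :", scan_window(segs, SIGNATURE, 2))             # True
    print("carry-over     :", scan_with_carry(segs, SIGNATURE))            # True
    zsegs = packetize(zip_bytes("payload.bin", PAYLOAD), 1024)
    print("zip, carry-over:", scan_with_carry(zsegs, SIGNATURE))           # False
    print("zip, reassemble:", scan_reassembled_archive(zsegs, SIGNATURE))  # True
```

The window scheme works, but its real cost is not the queue itself: with 16-byte segments the same 31-byte signature needs a three-segment window, and a window of any size does nothing for a compressed transfer. The carry-over form shows the true lookback for flat signatures is bounded by the longest signature, while archives force the "buffer the whole file, then scan" approach Darin describes for HAVP.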
Re: [Clamav-users] Unofficial Phishing Signatures
Hello Steve,

On Tuesday 24 January 2006 21:49, Steve Basford wrote:
> As I've seen a number of new phishing attempts get past the official ClamAV signatures, I thought I'd try to produce my own signatures, to see if some of these newer phishing attempts could be stopped.
>
> They are here to download, if anyone is interested:
>
> http://www.sanesecurity.com/clamav/

Your signatures are based on HTML (Filetype = 3). Shouldn't they be based on Mail (Filetype = 4)?

This could avoid false positives like this one:

- Go to http://www.sanesecurity.com/clamav/
- Save the html page on your hard disk
- Scan the saved web page with your phish.ndb signatures
=> Html.Phishing.Auction.Sanesecurity.06010701 FOUND

Anyway, thank you for creating signatures. This is useful for a lot of us.

Best regards,

Arnaud Jacques
Security Consultant
Telephone / Fax: +33-(0)3.44.39.76.46
Mobile: +33-(0)6.24.40.95.03
E-mail: [EMAIL PROTECTED]
Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois
Re: [Clamav-users] Unofficial Phishing Signatures
Webmaster wrote:
> Your signatures are based on HTML (Filetype = 3). Shouldn't they be based on Mail (Filetype = 4)?

Interesting... I'll do some tests later today changing the type. The interesting thing though, is that when you go to the online database search site http://clamav-du.securesites.net/cgi-bin/clamgrok and type in Phishing, select contains and then tick the signature box, you'll get a list of current ClamAV signatures... the majority of which are type 3. But you're right... it does work... but would mail format be better?

> This could avoid false positives like this one:
>
> - Go to http://www.sanesecurity.com/clamav/
> - Save the html page on your hard disk
> - Scan the saved web page with your phish.ndb signatures
> => Html.Phishing.Auction.Sanesecurity.06010701 FOUND

Doh ;) Okay... thanks for reporting that one... I'll take a look.

> Anyway, thank you for creating signatures. This is useful for a lot of us.

No problem... just trying to help. In fact, yesterday the sigs certainly saved me a job, as this attempt came in and was blocked by the sig that I made in November. ClamAV's default sigs didn't know about the virus in the attachment but I caught it using the content of the text :)

Eg: http://groups.google.co.uk/groups?q=sightings+%22picture+is+not+to+your+liking%22start=0scoring=dhl=en;

Thanks again,

Steve
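Arnaud's false positive on the saved web page, and the earlier question of how duplicates against the official set are avoided, can both be reproduced with a small model of the .ndb format. This is an added example, not ClamAV or Sanesecurity code: only the MalwareName:TargetType:Offset:HexSignature line layout and the type numbers 3 (HTML) and 4 (mail) come from the thread and the ClamAV signature format; the file-type guesser, the sample mail, the saved page, the phrase and the signature names are all constructed for the demo, and the hex body is restricted to literal bytes, `??` and `*`.

```python
import re

# ClamAV .ndb target types used in this thread (3 = HTML, 4 = mail; 0 = any file).
TARGET_ANY, TARGET_HTML, TARGET_MAIL = 0, 3, 4
_MAIL_HEADER = re.compile(rb"^(From |Return-Path:|Received:|From:|To:|Subject:|Date:)")


class NdbSignature:
    """One .ndb line, MalwareName:TargetType:Offset:HexSignature.  Only a subset
    of the hex body is handled: literal bytes, '??' (any one byte) and '*'
    (any run of bytes); {n-m} gaps and the MinFL/MaxFL fields are not."""

    _TOKEN = re.compile(r"\?\?|\*|[0-9a-fA-F]{2}")

    def __init__(self, line: str):
        fields = line.strip().split(":")
        if len(fields) < 4:
            raise ValueError("malformed .ndb line: %r" % line)
        self.name, self.target = fields[0], int(fields[1])
        self.offset = None if fields[2] == "*" else int(fields[2])
        tokens = self._TOKEN.findall(fields[3])
        if "".join(tokens) != fields[3]:
            raise ValueError("unsupported hex body in %s" % self.name)
        parts = [b"." if t == "??" else b".*" if t == "*" else re.escape(bytes.fromhex(t))
                 for t in tokens]
        self.regex = re.compile(b"".join(parts), re.DOTALL)

    def matches(self, data: bytes, file_type: int) -> bool:
        """Target-type gating first, then the byte pattern at the given offset."""
        if self.target not in (TARGET_ANY, file_type):
            return False
        if self.offset is None:
            return self.regex.search(data) is not None
        return self.regex.match(data, self.offset) is not None


def hex_body(text: str) -> str:
    """Turn a phrase into the hex form used in the signature body."""
    return text.encode().hex()


def guess_type(data: bytes) -> int:
    """Rough stand-in for libclamav's file typing (assumption: a leading RFC 822
    header line means mail, an HTML tag means HTML, anything else is 'any')."""
    if _MAIL_HEADER.match(data):
        return TARGET_MAIL
    if re.search(rb"<\s*(html|body|table|a\s)", data, re.IGNORECASE):
        return TARGET_HTML
    return TARGET_ANY


def scan(data: bytes, sigs) -> list:
    """Names of the signatures that fire.  Modelled on engine behaviour: a mail
    file is scanned as type 4, and the body after its headers is also handed
    to the HTML scanner as type 3, which is why type-3 signatures do catch
    phishing e-mail while also matching any saved web page."""
    views = [(data, guess_type(data))]
    if views[0][1] == TARGET_MAIL:
        views.append((data.partition(b"\n\n")[2], TARGET_HTML))
    return sorted({s.name for s in sigs for d, t in views if s.matches(d, t)})


def split_by_detection(samples: dict, sigs) -> tuple:
    """Steve's workflow: scan the sample set with the official signatures and
    set aside what they already catch (clamscan --remove), so new signatures
    are written only for the misses.  Returns (caught, missed) sample names."""
    caught = {name for name, data in samples.items() if scan(data, sigs)}
    return caught, set(samples) - caught


# Constructed samples and signatures (names and phrase invented for the demo).
PHRASE = "your account has been suspended"
PHISH_MAIL = (b"From: security@example.invalid\nSubject: Account notice\n"
              b"Content-Type: text/html\n\n<html><body>Dear member, your account "
              b"has been suspended. <a href=\"http://example.invalid/\">Sign in</a>"
              b"</body></html>\n")
SAVED_PAGE = (b"<html><body><h1>Unofficial signatures</h1><p>The newest rule "
              b"matches mails saying 'your account has been suspended'.</p>"
              b"</body></html>\n")
SIG_HTML = NdbSignature("Html.Phishing.Demo.Example:3:*:" + hex_body(PHRASE))
SIG_MAIL = NdbSignature("Email.Phishing.Demo.Example:4:*:" + hex_body(PHRASE))

if __name__ == "__main__":
    print("mail, type-3 sig :", scan(PHISH_MAIL, [SIG_HTML]))   # fires
    print("mail, type-4 sig :", scan(PHISH_MAIL, [SIG_MAIL]))   # fires
    print("page, type-3 sig :", scan(SAVED_PAGE, [SIG_HTML]))   # false positive
    print("page, type-4 sig :", scan(SAVED_PAGE, [SIG_MAIL]))   # nothing
```

The type-3 signature fires on the phishing mail because the mail body reaches the HTML scanner, and it fires equally on a plain HTML file that merely quotes the phrase, which is the false positive above; the type-4 copy of the same pattern is gated to mail files and leaves the saved page alone. `split_by_detection` is the "scan with the official sigs and --remove the hits first" step: anything still in the missed set is a candidate for a new signature, anything in the caught set would only produce a duplicate.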