Re: [Clamav-users] Is CME officially supported/supporting ClamAV?

2006-02-01 Thread Diego d'Ambra

Jason Haar wrote:

> Hi there
>
> I've been watching CME (Common Malware Enumerator) starting to take off
> over the past few weeks, and I've noticed CME entries and their
> corresponding names used by antivirus vendors.
>
> ...and ClamAV ain't in there from what I've seen...

Correct.

> Is there no interest in supporting this, or am I just blind? (the latter
> is quite possible ;-)

I don't know if ClamAV meets "membership" requirements, since AFAIK
nobody from ClamAV has been contacted or tried to contact CME (yet).


Best regards,
Diego d'Ambra
___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] Is CME officially supported/supporting ClamAV?

2006-02-01 Thread Randal, Phil
Jason Haar wrote:

> I've been watching CME (Common Malware Enumerator) starting 
> to take off over the past few weeks, and I've noticed CME 
> entries and their corresponding names used by antivirus vendors.
> 
> ...and ClamAV ain't in there from what I've seen...
> 
> Is there no interest in supporting this, or am I just blind? 
> (the latter is quite possible ;-)
> 
> See http://cme.mitre.org/

From the CME FAQ:

"A8. How can my organization and I participate?

An integral component of the CME initiative is broad community
participation. We strongly encourage users of anti-virus products to ask
their preferred vendors to adopt CME identifiers. For anti-virus product
vendors, supporting and participating in the CME initiative is a bold
first step in announcing to your users that you want to help alleviate
their confusion and further protect their systems and networks. Adopting
the use of CME identifiers is a significant first step in establishing a
consistent approach by anti-virus entities that will benefit users and
the entire information security community.

Contact us at [EMAIL PROTECTED] to discuss how you and your organization can
help this growing anti-virus and information security initiative."

Looks like they expect the ClamAV team to contact them, not the other
way round.

Cheers,

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK


Re: [Clamav-users] Unofficial Phishing Signatures

2006-02-01 Thread Dennis Davis
On Tue, 24 Jan 2006, Steve Basford wrote:

> From: Steve Basford <[EMAIL PROTECTED]>
> To: clamav-users@lists.clamav.net
> Date: Tue, 24 Jan 2006 20:49:03 +
> Subject: [Clamav-users] Unofficial Phishing Signatures
> 
> There are already a number of great phishing signatures in ClamAV
> but the Official ClamAV signature makers are obviously very busy
> taking care of the higher priority Virus/Trojan signatures.
>
> As, I've seen a number of new phishing attempts get past the
> Official ClamAV signatures, I thought I'd try to produce my own
> signatures, to see if some of these newer phishing attempts could
> be stopped.

...

Very useful.  I started using these signatures on this University's
mail servers on Monday.  Appended below are the stats on the
incoming crap they stopped yesterday (Tuesday).

Virus                                                 Count
-----                                                 -----
Html.Phishing.Bank.Sanesecurity.06012200                169
Html.Phishing.Pay.Sanesecurity.05082900                  38
Html.Phishing.Bank.Sanesecurity.06012600                 19
Html.Phishing.Bank.Sanesecurity.06013001.rock            19
Html.Phishing.Bank.Sanesecurity.06012000                 15
Html.Phishing.Auction.Gen004.Sanesecurity.06012903       12
Html.Phishing.Bank.Sanesecurity.06012500                 11
Html.Phishing.Auction.Gen002.Sanesecurity.06012901        3
Html.Phishing.Pay.Gen001.Sanesecurity.06012700            3
Html.Phishing.Pay.Sanesecurity.06010901                   3
Html.Phishing.Bank.Sanesecurity.05101900                  2
Html.Phishing.Pay.Gen002.Sanesecurity.06012700            2
Html.Phishing.Pay.Gen003.Sanesecurity.06012700            2
Html.Phishing.Auction.Gen005.Sanesecurity.06012904        1
Html.Phishing.Azon.Sanesecurity.06011000                  1
Html.Phishing.Bank.Sanesecurity.05118103                  1
Html.Phishing.Bank.Sanesecurity.05120800                  1
Html.Phishing.Bank.Sanesecurity.06011002                  1
Html.Phishing.Bank.Sanesecurity.06012601                  1
Html.Phishing.Pay.Sanesecurity.05100500                   1
Html.Phishing.Pay.Sanesecurity.05120802                   1
Html.Phishing.Pay.Sanesecurity.06011103                   1
Html.Phishing.Pay.Sanesecurity.06012201                   1
                                                        ---
Total                                                   308

The total incoming virus count for yesterday was 512[1].  So these
signatures account for some 60% of what was detected.

[1] I'm blocking on several RBLs and using other methods for
reducing incoming rubbish.  These may well be preventing a lot
of viruses even reaching the scanning stage.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED]   Phone: +44 1225 386101


Re: [Clamav-users] Unofficial Phishing Signatures

2006-02-01 Thread Oliver Stöneberg
> I feel that it's going to be quite difficult for me to go through 500-odd
> ClamAV phishing signatures and compare them, with an editor, to my
> 100-ish signatures and find out what bits are duplicated.  I really
> need some samples.
>
> If possible, to save a whole load of time... could you:
>
> a) give me the sample phishing emails that are duplicated
> b) give me the sample phishing emails that are missed
>
> Email me, to chat off-list: steveb_clamav -AT- sanesecurity -DOT- com
>
> Thanks again for the feedback...

I will give you access to the mails you requested, but here are a few
statistics first for everybody out there.

I used ClamAV 0.88-1 with main.cvd 35 and daily.cvd 1263. The
unofficial phishing signatures are the 162 ones from 31st January.

Total phishing mail count - 522
Detected by ClamAV only - 490 (of 522)
Undetected - 32 (of 522)
From the undetected, detected by unofficial signatures - 13 (of 32)
Total undetected - 19 (of 522)

Detected by ClamAV and also by unofficial signatures - 121 (of 490)
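Dennis's per-signature table and Oliver's counts are the kind of numbers worth pulling from the clamd log instead of by hand. The script below is an added example (not code from the thread or from ClamAV): it tallies FOUND lines from a clamd log per signature and splits the hits between the unofficial Sanesecurity signatures and the official databases. The log lines are constructed, and using ".Sanesecurity." in the name as the marker for the unofficial set is an assumption taken from the naming in the table above.

```python
"""Tally clamd detections by signature and by signature source.

Added example, not from the thread.  Reads clamd log lines as written
with LogTime enabled ('<timestamp> -> <path>: <signature> FOUND') and
reports how many hits came from the unofficial Sanesecurity signatures
versus the official ClamAV databases.  The log lines below are constructed.
"""
import re
from collections import Counter

FOUND_RE = re.compile(r": (?P<sig>\S+) FOUND\s*$")
UNOFFICIAL_MARKER = ".Sanesecurity."   # assumed: naming used by the unofficial sigs

# Constructed sample of clamd.log lines; lines that are not detections are ignored.
SAMPLE_LOG = """\
Wed Feb  1 09:12:44 2006 -> /var/spool/q/1: Html.Phishing.Bank.Sanesecurity.06012200 FOUND
Wed Feb  1 09:13:02 2006 -> /var/spool/q/2: Html.Phishing.Pay.Sanesecurity.05082900 FOUND
Wed Feb  1 09:13:30 2006 -> /var/spool/q/3: Worm.Sober.U FOUND
Wed Feb  1 09:14:01 2006 -> /var/spool/q/4: Html.Phishing.Bank.Sanesecurity.06012200 FOUND
Wed Feb  1 09:14:20 2006 -> /var/spool/q/5: OK
Wed Feb  1 09:15:00 2006 -> /var/spool/q/6: Eicar-Test-Signature FOUND
"""


def tally(lines):
    """Count FOUND lines per signature name."""
    counts = Counter()
    for line in lines:
        m = FOUND_RE.search(line)
        if m:
            counts[m.group("sig")] += 1
    return counts


def split_by_source(counts, marker=UNOFFICIAL_MARKER):
    """Split the totals into unofficial (marker in name) and official hits."""
    unofficial = sum(n for sig, n in counts.items() if marker in sig)
    total = sum(counts.values())
    share = unofficial / total if total else 0.0
    return {"unofficial": unofficial, "official": total - unofficial,
            "total": total, "unofficial_share": share}


def report(counts):
    """Render the per-signature table, most frequent first, like the one above."""
    width = max((len(s) for s in counts), default=5)
    rows = ["%-*s %5s" % (width, "Virus", "Count")]
    for sig, n in counts.most_common():
        rows.append("%-*s %5d" % (width, sig, n))
    rows.append("%-*s %5d" % (width, "Total", sum(counts.values())))
    return "\n".join(rows)


if __name__ == "__main__":
    c = tally(SAMPLE_LOG.splitlines())
    print(report(c))
    print(split_by_source(c))
```

Point it at a real log with `tally(open("/var/log/clamd.log"))` to reproduce the split for a day's traffic.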


Re: [Clamav-users] Is CME officially supported/supporting ClamAV?

2006-02-01 Thread Krištof Petr


> I've been watching CME (Common Malware Enumerator) starting
> to take off over the past few weeks, and I've noticed CME
> entries and their corresponding names used by antivirus vendors.
>
> ...and ClamAV ain't in there from what I've seen...
>
> Is there no interest in supporting this, or am I just blind?
> (the latter is quite possible ;-)
>
> See http://cme.mitre.org/

Mitre? Are these boys not the same as the Mitre "security experts" from
Clifford Stoll's book CUCKOO'S EGG?

Petr




Re: [Clamav-users] Is CME officially supported/supporting ClamAV?

2006-02-01 Thread John Jolet


On Feb 1, 2006, at 4:32 AM, Randal, Phil wrote:

> Jason Haar wrote:
>
>> I've been watching CME (Common Malware Enumerator) starting
>> to take off over the past few weeks, and I've noticed CME
>> entries and their corresponding names used by antivirus vendors.
>>
>> ...and ClamAV ain't in there from what I've seen...
>>
>> Is there no interest in supporting this, or am I just blind?
>> (the latter is quite possible ;-)
>>
>> See http://cme.mitre.org/
>
> From the CME FAQ:
>
> "A8. How can my organization and I participate?
>
> An integral component of the CME initiative is broad community
> participation. We strongly encourage users of anti-virus products to ask
> their preferred vendors to adopt CME identifiers. For anti-virus product
> vendors, supporting and participating in the CME initiative is a bold
> first step in announcing to your users that you want to help alleviate
> their confusion and further protect their systems and networks. Adopting
> the use of CME identifiers is a significant first step in establishing a
> consistent approach by anti-virus entities that will benefit users and
> the entire information security community.

I fail to see how everyone using the same names protects my users any
more than they already are by my using the best antivirus server-side
solution out there.  Who cares what you call the virus, when norton
only releases new signatures on wednesdays.

> Contact us at [EMAIL PROTECTED] to discuss how you and your organization can
> help this growing anti-virus and information security initiative."
>
> Looks like they expect the ClamAV team to contact them, not the other
> way round.
>
> Cheers,
>
> Phil
>
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK




Re: [Clamav-users] Is CME officially supported/supporting ClamAV?

2006-02-01 Thread Odhiambo Washington
* On 01/02/06 07:52 -0600, John Jolet wrote:
> 
> On Feb 1, 2006, at 4:32 AM, Randal, Phil wrote:
> 
> >Jason Haar wrote:
> >
> >>I've been watching CME (Common Malware Enumerator) starting
> >>to take off over the past few weeks, and I've noticed CME
> >>entries and their corresponding names used by antivirus vendors.
> >>
> >>...and ClamAV ain't in there from what I've seen...
> >>
> >>Is there no interest in supporting this, or am I just blind?
> >>(the latter is quite possible ;-)
> >>
> >>See http://cme.mitre.org/
> >
> >From the CME FAQ:
> >
> >"A8. How can my organization and I participate?
> >
> >An integral component of the CME initiative is broad community
> >participation. We strongly encourage users of anti-virus products to ask
> >their preferred vendors to adopt CME identifiers. For anti-virus product
> >vendors, supporting and participating in the CME initiative is a bold
> >first step in announcing to your users that you want to help alleviate
> >their confusion and further protect their systems and networks. Adopting
> >the use of CME identifiers is a significant first step in establishing a
> >consistent approach by anti-virus entities that will benefit users and
> >the entire information security community.
> >
> 
> I fail to see how everyone using the same names protects my users any  
> more than they already are by my using the best antivirus server-side  
> solution out there.  Who cares what you call the virus, when norton  
> only releases new signatures on wednesdays.


I don't care as well!
After all, I can smell a rat on this CME issue, only the smell is still
not quite identifiable!
Some people want to control the Virus business ;)



-Wash

http://www.netmeister.org/news/learn2quote.html

DISCLAIMER: See http://www.wananchi.com/bms/terms.php

--
+==+
|\  _,,,---,,_ | Odhiambo Washington<[EMAIL PROTECTED]>
Zzz /,`.-'`'-.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_) | GSM: +254 722 743223   +254 733 744121
+==+

Hire the morally handicapped.


Re: [Clamav-users] Is CME officially supported/supporting ClamAV?

2006-02-01 Thread Daniel J McDonald
On Wed, 2006-02-01 at 17:45 +0300, Odhiambo Washington wrote:
> * On 01/02/06 07:52 -0600, John Jolet wrote:

> > I fail to see how everyone using the same names protects my users any  
> > more than they already are by my using the best antivirus server-side  
> > solution out there.  Who cares what you call the virus, when norton  
> > only releases new signatures on wednesdays.
> 
> 
> I don't care as well!
> After all, I can smell a rat on this CME issue, only the smell is still
> not quite identifiable!
> Some people want to control the Virus business ;)

The only reason that I care is that when there is hue and cry over a
massively destructive virus, I can point at my virus statistics and say
"oh, our AV calls CME-24 'worm.vb9' - we've been blocking it for weeks."
Then I don't have to worry about what name another group might give it,
and the PHBs will leave me alone for a little while longer.
-- 
Daniel J McDonald, CCIE # 2495, CNX, CISSP # 78281
Austin Energy
[EMAIL PROTECTED]


gpg Key: http://austinnetworkdesign.com/pgp.key
Key fingerprint = B527 F53D 0C8C D38B DCC7  901D 2F19 A13A 22E8 A76A



Re: [Clamav-users] Is CME officially supported/supporting ClamAV?

2006-02-01 Thread John Jolet


On Feb 1, 2006, at 9:11 AM, Daniel J McDonald wrote:

> On Wed, 2006-02-01 at 17:45 +0300, Odhiambo Washington wrote:
>
>> * On 01/02/06 07:52 -0600, John Jolet wrote:
>>
>>> I fail to see how everyone using the same names protects my users any
>>> more than they already are by my using the best antivirus server-side
>>> solution out there.  Who cares what you call the virus, when norton
>>> only releases new signatures on wednesdays.
>>
>> I don't care as well!
>> After all, I can smell a rat on this CME issue, only the smell is still
>> not quite identifiable!
>> Some people want to control the Virus business ;)
>
> The only reason that I care is that when there is hue and cry over a
> massively destructive virus, I can point at my virus statistics and say
> "oh, our AV calls CME-24 'worm.vb9' - we've been blocking it for weeks."
> Then I don't have to worry about what name another group might give it,
> and the PHBs will leave me alone for a little while longer.

has anyone ever noticed how much EXTRA work we sysadmins do for that
reason alone?  There's a lot of cycles spent, collectively, to prove
to management what we already know.



[Clamav-users] My first question

2006-02-01 Thread Daniel Cortes
Hi everybody. I installed clam for checking mails. The problem is updating
the database: I have to tell my admin where freshclam has to connect to
so that the connection is allowed.
My question is: if I tell the admin to only open connections to
database.clamav.net, will clam work fine?

If this option isn't correct, how can I update the database manually?

Thanks for your replies.


[Clamav-users] giant messages, giant clamd?

2006-02-01 Thread clamav
Some of my business customers occasionally exchange very large 
messages, for example today, a message about 83MB in size. When such 
a message hits my clamd/spamassassin proxy server, clamd's size 
'explodes', and it starts blocking the flow of other messages. for 
example, in top, the resident size may be as high as 190MB. when this 
occurs, i have to kill and restart clamd to restore normal 
functionality (i'm running 0.88 in freebsd). of course, since the 
huge message didn't go through, it sits on my MX, waiting to be 
requeued, and the process starts all over again, until i bypass the 
clam/spam proxy and just dump the message unscanned onto my popserver.


i'm unclear what exactly i'm doing wrong. here's my current clamd.conf:

Foreground
LogFile /var/log/clamd.log
LogFileMaxSize 25M
LogTime
LogSyslog
LogVerbose
LogFacility LOG_LOCAL6
PidFile /var/run/clamd/clamd.pid
LocalSocket /tmp/clamd
FixStaleSocket
MaxConnectionQueueLength 500
StreamMaxLength 100K
MaxThreads 500
ReadTimeout 1200
IdleTimeout 240
MaxDirectoryRecursion 25
SelfCheck 3600
ExitOnOOM
User qscand
ScanPE
ArchiveMaxCompressionRatio 0
ArchiveMaxFileSize 100K
ArchiveMaxRecursion 45
ArchiveMaxFiles 800

i run in foreground as i have it running supervised. i realize my 
maxconnectionqueuelength and maxthreads are absurdly high - those 
were just my latest stabs at trying to 'help' the message through. 
normally they are 1/10th that size. clamd is spawned via 
qmail-scanner-queue. i'd have thought that the archivemaxfilesize 
would cause the giant message to be bypassed by clamav; i realize 
that may be an utterly clueless conjecture.


thanks in advance for any clues.


Paul Theodoropoulos
http://www.anastrophe.com
http://www.smileglobal.com
http://www.forumgarden.com






Re: [Clamav-users] giant messages, giant clamd?

2006-02-01 Thread Stephen Gran
On Wed, Feb 01, 2006 at 02:46:13PM -0800, [EMAIL PROTECTED] said:
> Some of my business customers occasionally exchange very large 
> messages, for example today, a message about 83MB in size. When such 
> a message hits my clamd/spamassassin proxy server, clamd's size 
> 'explodes', and it starts blocking the flow of other messages. for 
> example, in top, the resident size may be as high as 190MB. when this 
> occurs, i have to kill and restart clamd to restore normal 
> functionality (i'm running 0.88 in freebsd). of course, since the 
> huge message didn't go through, it sits on my MX, waiting to be 
> requeued, and the process starts all over again, until i bypass the 
> clam/spam proxy and just dump the message unscanned onto my popserver.

The usual suggestion in this case is roughly that - have whatever is
feeding the message to clamav not do so for messages over a certain
size.
-- 
 --
|  Stephen Gran  | Good girls go to heaven, bad girls go   |
|  [EMAIL PROTECTED] | everywhere. |
|  http://www.lobefin.net/~steve | |
 --




Re: [Clamav-users] giant messages, giant clamd?

2006-02-01 Thread clamav

At 02:56 PM 2/1/2006, Stephen Gran wrote:

> The usual suggestion in this case is roughly that - have whatever is
> feeding the message to clamav not do so for messages over a certain
> size.

i guess the problem is there seems to be no automated way of doing 
that. it's a by-hand task, which is inconvenient, to say the least, a 
major problem at most.



Paul Theodoropoulos
http://www.anastrophe.com
http://www.smileglobal.com
http://www.forumgarden.com






Re: [Clamav-users] giant messages, giant clamd?

2006-02-01 Thread Stephen Gran
On Wed, Feb 01, 2006 at 03:11:58PM -0800, [EMAIL PROTECTED] said:
> At 02:56 PM 2/1/2006, Stephen Gran wrote:
> 
> >The usual suggestion in this case is roughly that - have whatever is
> >feeding the message to clamav not do so for messages over a certain
> >size.
> 
> i guess the problem is there seems to be no automated way of doing 
> that. it's a by-hand task, which is inconvenient, to say the least, a 
> major problem at most.

If you're receiving large files by email, most of the 'glue' methods
that exist for calling clamav have size restriction parameters.
Certainly exiscan, mailscanner and amavis seem to.  There are probably
more out there, but those are the ones that come up regularly here.
-- 
 --
|  Stephen Gran  | I wouldn't marry her with a ten foot|
|  [EMAIL PROTECTED] | pole.   |
|  http://www.lobefin.net/~steve | |
 --


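Stephen's suggestion, as an added example (not code from the thread, from ClamAV or from any of the glue packages he names): a size gate in the feeder that decides whether a message file is handed to clamd at all, and only then talks to clamd over the LocalSocket path from Paul's clamd.conf. The 10 MB limit is an assumed policy value; the reply parsing follows clamd's `<path>: OK` / `<path>: <signature> FOUND` / `<path>: <reason> ERROR` format.

```python
"""Size gate in front of clamd (added example, not from the thread or ClamAV).

Assumes clamd listens on the Unix socket from the clamd.conf above
(LocalSocket /tmp/clamd) and that the glue passes a file path with the
SCAN command.  Messages larger than the limit are never sent to clamd;
the caller gets a 'skipped' result and can quarantine or tag them.
"""
import os
import socket
import sys

MAX_SCAN_BYTES = 10 * 1024 * 1024   # assumed policy limit: 10 MB
CLAMD_SOCKET = "/tmp/clamd"          # LocalSocket from the thread's clamd.conf


def gate(size, limit=MAX_SCAN_BYTES):
    """Return 'scan' when a message of `size` bytes is within the limit, else 'skip'."""
    return "scan" if size <= limit else "skip"


def parse_clamd_reply(reply):
    """Turn one clamd SCAN reply line into (status, detail).

    clamd answers '<path>: OK', '<path>: <signature> FOUND' or
    '<path>: <reason> ERROR'; anything else is reported as an error.
    """
    line = reply.strip()
    _, sep, rest = line.rpartition(": ")
    if not sep:
        return "error", "unrecognised reply: " + line
    if rest == "OK":
        return "clean", ""
    if rest.endswith(" FOUND"):
        return "infected", rest[: -len(" FOUND")]
    if rest.endswith(" ERROR"):
        return "error", rest[: -len(" ERROR")]
    return "error", "unrecognised reply: " + line


def scan_path(path, sock_path=CLAMD_SOCKET, timeout=30):
    """Ask clamd to scan `path` over its local socket and parse the reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(("SCAN %s\n" % path).encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_clamd_reply(b"".join(chunks).decode("utf-8", "replace"))


def handle_message(path, limit=MAX_SCAN_BYTES, sock_path=CLAMD_SOCKET):
    """Apply the gate first; only messages that pass it are sent to clamd."""
    size = os.path.getsize(path)
    if gate(size, limit) == "skip":
        return "skipped", "%d bytes exceeds limit of %d" % (size, limit)
    return scan_path(path, sock_path)


if __name__ == "__main__":
    for msg in sys.argv[1:]:
        print(msg, *handle_message(msg))
```

A 'skipped' result should be treated as unscanned, not clean: hold or tag the message rather than passing it through silently.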


[Clamav-users] postfix with clamav

2006-02-01 Thread Tom Lee

Hello,

To get postfix to work with clamav on fedora 4,

I installed the following packages,

clamav-lib-0.88-1.fc4
clamav-update-0.88-1.fc4
clamav-data-0.88-1.fc4
clamav-0.88-1.fc4
clamav-server-0.88-1.fc4

and

clamsmtp-1.6-1.fc4.mf

However, I have no clue if I need all of those packages and
how to configure clamav to work with postfix?

any suggestions?

Tom




Re: [Clamav-users] Is CME officially supported/supporting ClamAV?

2006-02-01 Thread Jeff Donsbach
On 2/1/06, Krištof Petr <[EMAIL PROTECTED]> wrote:
>
> Mitre? Are not these boys same as Mitre "security experts" from Clifford
> Stoll's
> book CUCKOO'S EGG?
>

Mitre is a major US DoD contractor.


Re: [Clamav-users] postfix with clamav

2006-02-01 Thread John Jolet


On Feb 1, 2006, at 7:00 PM, Tom Lee wrote:

> Hello,
>
> To get postfix to work with clamav on fedora 4,
>
> I installed the following packages,
>
> clamav-lib-0.88-1.fc4
> clamav-update-0.88-1.fc4
> clamav-data-0.88-1.fc4
> clamav-0.88-1.fc4
> clamav-server-0.88-1.fc4
>
> and
>
> clamsmtp-1.6-1.fc4.mf
>
> However, I have no clue if I need all of those packages and
> how to configure clamav to work with postfix?

i'm not sure about those packages...too lazy to check my fc4 box :)
however, i'm using amavis to call clam.  you put amavis in as a
transport, and uncomment the clam parts of amavis.  amavis also calls
spamassassin.

> any suggestions?
>
> Tom



