Re: [Clamav-users] bash script to split mbox file and scan individual messages
* On 27/08/06 15:02 -0400, Dan MacNeil wrote:
|
| See bottom of thread for thoughts
|
| the circumstances arose where mail folders are kept
| from a pre-clamav time, or there was an issue with the clamav setup at
| the time, or clamav was not scanning incoming mail
|
| I have to say that while I commend your sharing of a concept/idea, it
| does appear that it's not very viable.
| As for the situation, we've been using ClamAV for going on 3 years now,
| and I have never (I repeat never) seen this occur.
| Outside of a poor configuration/implementation that is.
|
| We're using maildir instead of mbox so the OP's script.
|
| However, I beg to differ on the point that post-delivery scanning is
| useless (dumb???). We run clam through amavis. We also clamscan our mail
| spool when fresh-clam gives us a new signature.

Post-delivery scanning.

1. You accept the mail (imagine it was infected).
2. Then scan it...

How long is the time difference between when it is delivered and when the owner accesses it?

We block all infected mail at SMTP time, so we don't even receive it. I have been using Clamav (clamd) for over 3 years and this is the way we have always done it. Initially there was exiscan patch for Exim, then exiscan-acl and finally exiscan was integrated into Exim so virus/spam filtering is already in the MTA. You just have to install/configure SpamAssassin/Clamav and enable the filtering/(blocking) at SMTP time.

To be honest, in all my years as sysadmin, I don't know why I would want post-delivery scanning.

-Wash

http://www.netmeister.org/news/learn2quote.html
DISCLAIMER: See http://www.wananchi.com/bms/terms.php
--
Odhiambo Washington [EMAIL PROTECTED]
Wananchi Online Ltd. www.wananchi.com
Tel: +254 20 313985-9 +254 20 313922
GSM: +254 722 743223 +254 733 744121

Magnocartic, adj.: Any automobile that, when left unattended, attracts shopping carts.
-- Sniglets, Rich Hall

___
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] bash script to split mbox file and scan individual messages
On Mon, Aug 28, 2006 at 09:25:54AM +0300, Odhiambo Washington wrote:
> * On 27/08/06 15:02 -0400, Dan MacNeil wrote:
> | However, I beg to differ on the point that post-delivery scanning is
> | useless (dumb???). We run clam through amavis. We also clamscan our mail
> | spool when fresh-clam gives us a new signature.
>
> To be honest, in all my years as sysadmin, I don't know why I would want post-delivery scanning.

Time to get some glasses man? He just explained it in detail.

-hk
[Clamav-users] Something difficult
Hi All,

Now here is an OS, which is based on FreeBSD. I am designing a Security Manage Center (like the one in Windows XP). In this Desktop version FB OS, I installed ClamAV. Now I need to get the ClamAV information (such as the version, the running status, the update status of the ClamAV) into the Security Center, show them to the client.

I worked on ClamAV's source code for a couple of days but still can not figure it out. How and where can I get the data from ClamAV??

Best,
Frank
Re: [Clamav-users] probelm installing clam av, zlib dependancy
On 8/28/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Erez Epstein wrote:
> > Hello, i have a problem when i try to install clam av. after running rpm -i
> >
> > [EMAIL PROTECTED] GZ]# rpm -ivh clamav-0.87-1.i386.rpm
> > warning: clamav-0.87-1.i386.rpm: V3 DSA signature: NOKEY, key ID 06827e33
> > error: Failed dependencies:
> >         zlib = 1.2.2 is needed by clamav-0.87-1.i386
> >
> > so i tried to update zlib to ver 1.2.2
> >
> > [EMAIL PROTECTED] GZ]# rpm -Uvh zlib-1.2.2.2-5.fc4.i386.rpm
> > error: Failed dependencies:
> >         zlib = 1.2.1.2 is needed by (installed) zlib-devel-1.2.1.2-1.i386
> >
> > of course when i try the opposite, i get this
> >
> > [EMAIL PROTECTED] GZ]# rpm -Uvh zlib-devel-1.2.2.2-2.i386.rpm
> > warning: zlib-devel-1.2.2.2-2.i386.rpm: V3 DSA signature: NOKEY, key ID 06827e33
> > error: Failed dependencies:
> >         zlib = 1.2.2.2 is needed by zlib-devel-1.2.2.2-2.i386
> >
> > How can i overcome this?
> >
> > Erez
>
> remove the existing Zlib dev package. Upgrade zlib and then install the upgraded zlib package.
>
> Lyle

ahh...i have tried that, but it won't let me remove zlib-devel, as there are many dependencies for this package also.
Re: [Clamav-users] probelm installing clam av, zlib dependancy
thanks! that pretty much solved the problem. where can i get a newer rpm than clam 0.87-1?

On 8/27/06, Rob MacGregor [EMAIL PROTECTED] wrote:
> On 8/27/06, Erez Epstein [EMAIL PROTECTED] wrote:
> > Hello, i have a problem when i try to install clam av. after running rpm -i
> >
> > [EMAIL PROTECTED] GZ]# rpm -ivh clamav-0.87-1.i386.rpm
> > warning: clamav-0.87-1.i386.rpm: V3 DSA signature: NOKEY, key ID 06827e33
> > error: Failed dependencies:
> >         zlib = 1.2.2 is needed by clamav-0.87-1.i386
> >
> > so i tried to update zlib to ver 1.2.2
> >
> > [EMAIL PROTECTED] GZ]# rpm -Uvh zlib-1.2.2.2-5.fc4.i386.rpm
> > error: Failed dependencies:
> >         zlib = 1.2.1.2 is needed by (installed) zlib-devel-1.2.1.2-1.i386
> >
> > of course when i try the opposite, i get this
> >
> > [EMAIL PROTECTED] GZ]# rpm -Uvh zlib-devel-1.2.2.2-2.i386.rpm
> > warning: zlib-devel-1.2.2.2-2.i386.rpm: V3 DSA signature: NOKEY, key ID 06827e33
> > error: Failed dependencies:
> >         zlib = 1.2.2.2 is needed by zlib-devel-1.2.2.2-2.i386
> >
> > How can i overcome this?
>
> You need to specify both zlib and zlib-devel in the same RPM command.
>
> Then you need to be installing a current version of ClamAV :)
>
> --
> Please keep list traffic on the list.
>
> Rob MacGregor
> Whoever fights monsters should see to it that in the process he doesn't become a monster. Friedrich Nietzsche
Re: [Clamav-users] Something difficult
* On 28/08/06 14:47 +0800, ZhangFrank wrote:
| Hi All,
|
| Now here is an OS, which is based on FreeBSD.
| I am designing a Security Manage Center (like the one in Windows XP).
|
| In this Desktop version FB OS, I installed ClamAV. Now I need to get
| the ClamAV information ...
| (such as the version

/usr/local/bin/clamd --version

| the running status,

What information do you want in the running status?

| the update status of the ClamAV)

Check the log file for freshclam for the update status.

| into the Security Center, show them to the client.
|
| I worked on ClamAV's source code for a couple of days but still can
| not figure it out. How and where can I get the data from ClamAV??

Just avail your source code for people to look at and they will surely give you ideas. If the code does not conform to the licence under which Clamav is released, then you should not be using Clamav in the first place, so you will have to stop asking your questions here ;)

-Wash

http://www.netmeister.org/news/learn2quote.html
DISCLAIMER: See http://www.wananchi.com/bms/terms.php
--
Odhiambo Washington [EMAIL PROTECTED]
Wananchi Online Ltd. www.wananchi.com
Tel: +254 20 313985-9 +254 20 313922
GSM: +254 722 743223 +254 733 744121

Boling's postulate: If you're feeling good, don't worry. You'll get over it.
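The three pieces of status Wash points at (clamd --version, whether clamd is running, and freshclam's log) can be gathered by a small shell script. The one below is an added example, not code from ClamAV or from anyone in this thread; the binary and log paths are assumptions (usual defaults for a source build) and the sample log lines are constructed in the layout freshclam writes ("date -> message"), so check the parser against the log your own freshclam produces.

```shell
#!/bin/sh
# Added example: collect ClamAV version, clamd running state and the
# last database update from freshclam's log, as lines a status panel
# could consume. Paths are assumptions; override them in the environment.
CLAMD=${CLAMD:-/usr/local/bin/clamd}
FRESHCLAM_LOG=${FRESHCLAM_LOG:-/var/log/clamav/freshclam.log}

# clamav_version: the line clamd --version prints (e.g. "ClamAV 0.88.4/1742/..."),
# or "unknown" if the binary is missing or fails.
clamav_version() {
    if [ -x "$CLAMD" ]; then
        "$CLAMD" --version 2>/dev/null || echo unknown
    else
        echo unknown
    fi
}

# clamd_running: "running" if a clamd process exists, otherwise "stopped".
clamd_running() {
    if pgrep -x clamd >/dev/null 2>&1; then echo running; else echo stopped; fi
}

# freshclam_status LOGFILE: print the most recent daily-database event as
# "<timestamp> daily <version> <updated|up-to-date>", "no-update-seen" if
# the log holds none, or "no-log" if the file cannot be read. Assumes the
# "<date> -> daily.cvd updated (version: N, ...)" wording of freshclam.
freshclam_status() {
    [ -r "$1" ] || { echo no-log; return 0; }
    awk '
        /-> daily\.(cvd|inc) (is up to date|updated)/ {
            ts = $0;  sub(/ -> .*/, "", ts)                      # timestamp before " -> "
            ver = $0; sub(/.*version: /, "", ver); sub(/,.*/, "", ver)   # number after "version: "
            state = ($0 ~ /is up to date/) ? "up-to-date" : "updated"
            last = ts " daily " ver " " state                      # keep the latest match
        }
        END { print (last == "" ? "no-update-seen" : last) }
    ' "$1"
}

# clamav_status_report: the three items as "key: value" lines.
clamav_status_report() {
    echo "version: $(clamav_version)"
    echo "clamd: $(clamd_running)"
    echo "database: $(freshclam_status "$FRESHCLAM_LOG")"
}

# sample_freshclam_log FILE: constructed log lines (signature counts and
# host are made up) for trying freshclam_status without a real install.
sample_freshclam_log() {
    cat > "$1" <<'EOF'
Mon Aug 28 10:05:10 2006 -> ClamAV update process started at Mon Aug 28 10:05:10 2006
Mon Aug 28 10:05:10 2006 -> main.cvd is up to date (version: 39, sigs: 55937, f-level: 8, builder: example)
Mon Aug 28 10:05:12 2006 -> daily.cvd updated (version: 1742, sigs: 9466, f-level: 8, builder: example)
Mon Aug 28 10:05:12 2006 -> Database updated (65403 signatures) from db.example.invalid (IP: 192.0.2.10)
EOF
}

# Usage: sh clamav_status.sh   (prints the report for the local machine)
[ $# -eq 0 ] && [ -z "${NO_REPORT-}" ] && clamav_status_report
```

The log parser keeps only the latest daily.cvd line, so a panel shows the current state rather than the history; "no-log" and "no-update-seen" are distinct outcomes because a missing log usually means freshclam is not running at all, which is a different problem from a stale database.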
Re: [Clamav-users] Mail-Files scan showes only the first found virus
Hi,

yes indeed, but we have changed our mailscanner from sophos to clamAV, so some mailboxes have already the virus in the queue :-(

Ehm, by the way, we are using amavis 0.3.13 as mailscanner, but the performance is very bad - is clamd working better for a mail-emergence up to 5000 mails/day ?

Regards,
Jens

> Hmmm, Maybe I am misunderstanding something... I assume you are periodically scanning your queue?...
>
> Why not run a milter that can call Clamd to scan messages as they are coming in then let the milter reject, drop, or quarantine infected messages? That way you should never get a virus in your mail queue. That is how we run the Gateways here.
>
> Mark
>
> Jens Strohschnitter wrote:
> > Hi list,
> >
> > when I scan mailfiles in /var/spool/mail and one of the mailfiles containing more than one virus, only the first found was displayed. So when there are more mails in the box, only one will be displayed.
> >
> > Now, I removed the attachment out of the file, the next scan shows me the next found virus.
> >
> > What can I do, that clamscan notify me about more than 1 virus in mailspool-file ?
> >
> > --
> > Regards,
> > Jens Strohschnitter
> > *!!!LINUX LINUX LINUX LINUX LINUX!!!*
> > http://www.jens-strohschnitter.de
> > Set the controls for the heart of the sun
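Jens's problem (clamscan reporting only the first hit in a whole mailspool file) is exactly what the script in this thread's subject addresses: split the mbox into one file per message and scan each file on its own. The original poster's script is not on this page; the one below is an added example of the same technique, with its own names (split_mbox, scan_messages, sample_mbox, marker_scanner) and a constructed three-message mbox. It only reads the mbox and never rewrites it, which sidesteps the in-use-file concern raised later in the thread.

```shell
#!/bin/sh
# Added example, not the original poster's script. Splits an mbox into one
# file per message and scans each file separately so that every infected
# message is reported, not just the first one found in the spool file.

# split_mbox MBOX OUTDIR: write OUTDIR/msg.00001, msg.00002, ... and print
# the message count. A message starts at a line beginning "From " (the
# mbox From_ line); MDAs escape body lines that begin with "From " as
# ">From ", so such lines do not split a message in two.
split_mbox() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /^From / { if (out != "") close(out); n++; out = sprintf("%s/msg.%05d", dir, n) }
        out != "" { print > out }
        END { if (out != "") close(out); print n + 0 }
    ' "$1"
}

# scan_messages OUTDIR [SCANNER]: run SCANNER on each split message and
# print the path of each one it flags. clamscan and clamdscan exit 0 for
# clean, 1 for infected and 2 on error; only status 1 counts as a hit,
# errors go to stderr. clamdscan is the default because clamscan reloads
# the whole signature database on every invocation.
scan_messages() {
    dir=$1
    scanner=${2:-clamdscan}
    for f in "$dir"/msg.*; do
        [ -f "$f" ] || continue
        if "$scanner" "$f" >/dev/null 2>&1; then rc=0; else rc=$?; fi
        case $rc in
            0) ;;
            1) echo "$f" ;;
            *) echo "scan error (exit $rc) on $f" >&2 ;;
        esac
    done
}

# sample_mbox FILE: write a constructed three-message mbox. The second
# message carries a marker header for the stand-in scanner below; it is
# not real malware.
sample_mbox() {
    cat > "$1" <<'EOF'
From alice@example.com Mon Aug 28 10:00:00 2006
From: alice@example.com
Subject: one

hello
>From a body line that began with From and was escaped by the MDA
From bob@example.com Mon Aug 28 10:01:00 2006
From: bob@example.com
Subject: two
X-Constructed-Marker: FLAG-ME

attachment would be here
From carol@example.com Mon Aug 28 10:02:00 2006
From: carol@example.com
Subject: three

bye
EOF
}

# marker_scanner FILE: stand-in for clamdscan so the flow can be tried
# offline; exits 1 (the "infected" status) when the marker header is present.
marker_scanner() {
    if grep -q '^X-Constructed-Marker: FLAG-ME' "$1"; then return 1; fi
    return 0
}

# Usage: sh split_and_scan.sh /var/spool/mail/user /var/tmp/split
if [ $# -eq 2 ]; then
    echo "$(split_mbox "$1" "$2") messages written to $2"
    scan_messages "$2"
fi
```

Two practical points: clamd opens the split files itself, so OUTDIR must be readable by the user clamd runs as (a mode-0700 temp directory will produce "scan error" lines, not hits); and because the mbox is only read, a user who appends mail during the run simply gets scanned on the next pass.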
Re: [Clamav-users] remote manag of clamav + mail notification
Erez Epstein wrote:
> ok, but i'm talking about remote mange, i mean that i need some tool that will show me if i have some servers with outdated scan engine, how can i do that?

I have started to write one (it is included in the distribution, look in .../contrib/clamavmon) but it isn't finished. There has been little interest, so I have put my recent efforts into other areas (win32 port, win32 tools - on access scanning etc.). However if there is interest in this area I'll carry on developing it. For example, clamavmon tells you which machines are down, and alerts when viruses are detected.

-Nigel
Re: [Clamav-users] probelm installing clam av, zlib dependancy
On 8/28/06, Erez Epstein [EMAIL PROTECTED] wrote:
> thanks! that pretty much solved the problem. where can i get a newer rpm than clam 0.87-1?

See whoever created the RPM you're using just now. The standard advice on this list is to compile from source...

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he doesn't become a monster. Friedrich Nietzsche
Re: [Clamav-users] bash script to split mbox file and scan individual messages
On Mon, 28 Aug 2006, Odhiambo Washington wrote:

> * On 27/08/06 15:02 -0400, Dan MacNeil wrote:
> |
> | See bottom of thread for thoughts
> |
> | the circumstances arose where mail folders are kept
> | from a pre-clamav time, or there was an issue with the clamav setup at
> | the time, or clamav was not scanning incoming mail
> |
> | I have to say that while I commend your sharing of a concept/idea, it
> | does appear that it's not very viable.
> | As for the situation, we've been using ClamAV for going on 3 years now,
> | and I have never (I repeat never) seen this occur.
> | Outside of a poor configuration/implementation that is.
> |
> | We're using maildir instead of mbox so the OP's script.
> |
> | However, I beg to differ on the point that post-delivery scanning is
> | useless (dumb???). We run clam through amavis. We also clamscan our mail
> | spool when fresh-clam gives us a new signature.
>
> Post-delivery scanning.
>
> 1. You accept the mail (imagine it was infected).
> 2. Then scan it...
>
> How long is the time difference between when it is delivered and when the owner accesses it?
>
> We block all infected mail at SMTP time, so we don't even receive it.

But you still do - see below.

> I have been using Clamav (clamd) for over 3 years and this is the way we have always done it. Initially there was exiscan patch for Exim, then exiscan-acl and finally exiscan was integrated into Exim so virus/spam filtering is already in the MTA. You just have to install/configure SpamAssassin/Clamav and enable the filtering/(blocking) at SMTP time.
>
> To be honest, in all my years as sysadmin, I don't know why I would want post-delivery scanning.

This is why:

There are several problems with scanning at SMTP time:

- It takes a lot of CPU power to be able to scan all incoming SMTP connections at once.
- If you find a virus you can't do anything about it until the end of the DATA phase, so you have effectively received the traffic, even if you haven't saved it to disk.
- Once you find the virus what do you do? Reject the message and then let the sending server bounce it back to some poor individual whose address was spoofed? That is not very courteous.

With off-line scanning (assuming you are using some scanning manager such as Amavis or, in my case, MailScanner), you save the incoming message to a temporary queue and then process it. The advantages of that are:

- You can spread the scanning load more effectively, and never have to run more than a specified number of scanning instances.
- It takes no more bandwidth than online scanning.
- If you do identify a virus then you can take selective action, eg for a Word macro virus you can remove the attachment and deliver the message, for other known viruses you just quarantine them, sending no notices to either sender or recipient. If doubtful, send the message without the attachment. No one gets a silly message saying "You have sent a virus . . ." (I really hate that!)

Obviously you don't just deliver the mail to a local mailbox and then start scanning!

I also find that it is useful to have a store of quarantined viruses as it gives you the opportunity to have a look at what is going on, as well as to investigate the source, which is often not the server that actually sends it out to you. Obviously you want to blacklist totally brain-dead systems, but if you find a co-operative but newbie sysadmin who wants some help in finding the source you then have a chance to do it.

In any case I think it is essential to have a system that examines the mail offline before final delivery to check it not only for known viruses, but also for other problems, eg:

- Potentially dangerous filenames/filetypes
- Oversize messages/attachments (with individual settings)
- Removal of scripting inside html
- Removal of web bugs
- Checking for phishing attacks in addition to those provided by ClamAV
- Individual blacklisting of mail from some addresses
- Scanning for spam, using DNS blacklists, SpamAssassin etc.

All the above can be done using MailScanner (and probably Amavis as well). It would be theoretically possible to do all the above on line, but the chances of dying from a DOS attack would be very high. So off-line scanning for malware and spam seems to me to be the best way to go unless you have unlimited horsepower.

That is not to argue against blocking anything at all during the SMTP stage - I have an extensive blacklist of known spammers, virus spewers etc that I don't accept, as well as checking for reverse DNS, enforcing greet-pause etc etc. That blocks 80% of incoming traffic right away, without any SMTP DATA phase at all.

We use ClamAV as our sole virus scanner and have been very impressed. Keep up the most valuable work!

Regards

Jim
Re: [Clamav-users] high clamd CPU load on Solaris
David Blank-Edelman wrote:
> Howdy-
>
> We've recently been seeing our clamd processes run very hot (spiking up to 85% of the CPU as reported by prstat and top) on two different Solaris 9 boxes. For example, here's a few lines from prstat -L (showing the two clamav threads who are together eating 66% of the CPU).
>
>    PID USERNAME  SIZE   RSS STATE  PRI NICE      TIME  CPU PROCESS/LWPID
>  18447 root       61M   60M run     00         0:27:51  34% clamd/14
>  18447 root       61M   60M cpu0200            0:25:40  32% clamd/22
>
> Both machines are running 0.88.2 clamds being fed by exim. We'll upgrade to 88.4 shortly,

Repeating advice already given here: the engine in 0.88 is *old*. If performance is an issue upgrade to the code in CVS.

-Nigel
[Clamav-users] Clamav Milter + Postfix
I originally had the 'clamav-milter' working with Sendmail on my system. I recently switched over to Postfix for numerous reasons. I have not been able to configure the 'clamav-milter' to work correctly with Postfix. I have version 2.3.x of Postfix which is supposed to support Sendmail type milters.

Does anyone have this running under Postfix now? If so, would they be willing to share their configuration with me?

Thanks!

--
Gerard Seibert
[EMAIL PROTECTED]
Re: [Clamav-users] Clamav Milter + Postfix
On Mon, 28 Aug 2006, Gerard Seibert wrote:

> I originally had the 'clamav-milter' working with Sendmail on my system. I recently switched over to Postfix for numerous reasons. I have not been able to configure the 'clamav-milter' to work correctly with Postfix. I have version 2.3.x of Postfix which is supposed to support Sendmail type milters.
>
> Does anyone have this running under Postfix now? If so, would they be willing to share their configuration with me?

I don't have personal experience, but a lot of people have been using Postfix through MailScanner as their virus scanning and spam filtering manager - see http://www.mailscanner.info. ClamAV is the recommended virus scanner for that package. I would recommend you look at off-line scanning, for reasons explained in previous posting. If MailScanner doesn't do it for you then look at Amavis.

You will need to check to see whether your version of Postfix is fully supported - I understand that there has been a recent code update to Postfix which might have introduced some incompatibilities with MailScanner. These will be sorted out by MailScanner's developer as soon as he can - he always has done in the past. Unfortunately Postfix's developer will not co-operate at all, for religious reasons as they say.

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service
Tel: (263-4)-334111/304471
Re: [Clamav-users] bash script to split mbox file and scan individual messages
On Mon, Aug 28, 2006 at 09:35:56AM +0300, Henrik Krohns wrote:
> On Mon, Aug 28, 2006 at 09:25:54AM +0300, Odhiambo Washington wrote:
> > * On 27/08/06 15:02 -0400, Dan MacNeil wrote:
> > | However, I beg to differ on the point that post-delivery scanning is
> > | useless (dumb???). We run clam through amavis. We also clamscan our mail
> > | spool when fresh-clam gives us a new signature.
> >
> > To be honest, in all my years as sysadmin, I don't know why I would want post-delivery scanning.
>
> Time to get some glasses man? He just explained it in detail.

Replying to myself.. I thought you meant clamscan our mail spool with post-delivery scanning. So apologies if that was the case.

But still, after-queue (post-delivery) scanning with amavisd-new is much better..

-hk
Re: [Clamav-users] Clamav Milter + Postfix
At 08:20 AM 8/28/2006, [EMAIL PROTECTED] wrote:
> On Mon, 28 Aug 2006, Gerard Seibert wrote:
>
> > I originally had the 'clamav-milter' working with Sendmail on my system. I recently switched over to Postfix for numerous reasons. I have not been able to configure the 'clamav-milter' to work correctly with Postfix. I have version 2.3.x of Postfix which is supposed to support Sendmail type milters.
> >
> > Does anyone have this running under Postfix now? If so, would they be willing to share their configuration with me?
>
> I don't have personal experience, but a lot of people have been using Postfix through MailScanner as their virus scanning and spam filtering manager - see http://www.mailscanner.info. ClamAV is the recommended virus scanner for that package.

MailScanner has been documented to on rare occasion truncate mail it is processing in postfix. MailScanner is a fine product to use with other MTA's, but not with postfix. Doubtless there are many people who will testify they haven't noticed a problem. Apparently they don't mind playing russian roulette with their mail.

Popular choices for integrating clamav with postfix include clamsmtp and amavisd-new.

--
Noel Jones
Re: [Clamav-users] probelm installing clam av, zlib dependancy
i used to do that in the past, but after time.. i have learned that it's not always good to compile from source, because many bad things can happen in the compilation process when you need to upgrade a product. sometimes when compiling old files are overwritten, without deleting other files that aren't needed anymore, also make uninstall doesn't always work, and much more.

On 8/28/06, Rob MacGregor [EMAIL PROTECTED] wrote:
> On 8/28/06, Erez Epstein [EMAIL PROTECTED] wrote:
> > thanks! that pretty much solved the problem. where can i get a newer rpm than clam 0.87-1?
>
> See whoever created the RPM you're using just now. The standard advice on this list is to compile from source...
>
> --
> Please keep list traffic on the list.
>
> Rob MacGregor
> Whoever fights monsters should see to it that in the process he doesn't become a monster. Friedrich Nietzsche
RE: [Clamav-users] probelm installing clam av, zlib dependancy
Erez Epstein wrote:
> On 8/28/06, Rob MacGregor [EMAIL PROTECTED] wrote:
> > On 8/28/06, Erez Epstein [EMAIL PROTECTED] wrote:
> > > thanks! that pretty much solved the problem. where can i get a newer rpm than clam 0.87-1?
> >
> > See whoever created the RPM you're using just now. The standard advice on this list is to compile from source...
>
> i used to do that in the past, but after time.. i have learned that it's not always good to compile from source, because many bad things can happen in the compilation process when you need to upgrade a product. sometimes when compiling old files are overwritten, without deleting other files that aren't needed anymore, also make uninstall doesn't always work, and much more.

That is sometimes true, but the advantage is that you get the new versions as fast as possible. I consider this to be a major advantage with an anti-virus product. In your case, the distribution is significantly behind (0.87-1 is from Nov 2005 -- current version is 0.88-4).

--
Bowie
Re: [Clamav-users] bash script to split mbox file and scan individual messages
On Sun, 27 Aug 2006, Bit Fuzzy wrote:
> As for the situation, we've been using ClamAV for going on 3 years now, and I have never (I repeat never) seen this occur.

Occasionally there are major virus flare-ups (and often there are phishing scams and such) that occur before an appropriate signature is in place. In these instances, it's not unreasonable to try to clean out user inboxes before they have a chance to do something they shouldn't.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
Re: [Clamav-users] bash script to split mbox file and scan individual messages
jef moskot wrote:
> On Sun, 27 Aug 2006, Bit Fuzzy wrote:
> > As for the situation, we've been using ClamAV for going on 3 years now, and I have never (I repeat never) seen this occur.
>
> Occasionally there are major virus flare-ups (and often there are phishing scams and such) that occur before an appropriate signature is in place. In these instances, it's not unreasonable to try to clean out user inboxes before they have a chance to do something they shouldn't.

When do you actually scan then? Do you scan when the email is retrieved by the end user or do you just cron job something to go through all the boxes? I can see disadvantages and problems to both of these scenarios.

Steve
Re: [Clamav-users] bash script to split mbox file and scan individual messages
On Mon, 28 Aug 2006, jef moskot wrote:

> On Sun, 27 Aug 2006, Bit Fuzzy wrote:
> > As for the situation, we've been using ClamAV for going on 3 years now, and I have never (I repeat never) seen this occur.
>
> Occasionally there are major virus flare-ups (and often there are phishing scams and such) that occur before an appropriate signature is in place. In these instances, it's not unreasonable to try to clean out user inboxes before they have a chance to do something they shouldn't.
>
> Jeffrey Moskot
> System Administrator
> [EMAIL PROTECTED]

[...]

It seems to me, that if the mail has been in the system for any appreciable amount of time, it has been accessed at least once already. If it was infected, it would no doubt have been caught by then. I have never witnessed an instance where I needed to manually scan mail after it was received.

I agree that there is a possibility that a new or improved 'phishing' sig might be available but that hardly justifies the effort required to rescan every bit of mail. The days of someone routinely replying back to a 'PayPay - Your Account is Disabled' or whatever are in serious decline.

--
Gerard Seibert
[EMAIL PROTECTED]
Re: [Clamav-users] bash script to split mbox file and scan individual messages
On Mon, 28 Aug 2006 [EMAIL PROTECTED] wrote:
> jef moskot wrote:
> > Occasionally there are major virus flare-ups (and often there are phishing scams and such) that occur before an appropriate signature is in place.
>
> When do you actually scan then? Do you scan when the email is retrieved by the end user or do you just cron job something to go through all the boxes?

I usually only do this manually in special instances, but then I don't have a huge number of mailboxes to go through. When it's a major outbreak (eg, something Microsoft has no patch for), I would consider it negligent not to try to eliminate as many copies of the virus as possible.

I have a small script I modify to do the job of lifting the offending messages out of the mbox files. On a large scale, there's the obvious problem of modifying files that could be in use or files that the user could be modifying during the stripping process. I can monitor these fairly easily in my environment, but on a larger scale, this would certainly be a much nastier problem.

As to the question of whether or not the files have been accessed already, in the general case, I can get to the mailboxes before they are accessed by a majority of the users. Certainly a high enough percentage to make the task worth it. Again, though, this is due to our environment.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
Re: [Clamav-users] bash script to split mbox file and scan individual messages
jef moskot wrote:
> I have a small script I modify to do the job of lifting the offending messages out of the mbox files. On a large scale, there's the obvious problem of modifying files that could be in use or files that the user could be modifying during the stripping process. I can monitor these fairly easily in my environment, but on a larger scale, this would certainly be a much nastier problem.
>
> As to the question of whether or not the files have been accessed already, in the general case, I can get to the mailboxes before they are accessed by a majority of the users. Certainly a high enough percentage to make the task worth it. Again, though, this is due to our environment.

I can see this working in a smaller environment although I still think it is less than ideal because you have the potential to scan email that has already been scanned and dubbed clean, especially using mbox. It seems to me that in a larger environment scanning at the SMTP level is ideal.

Steve
Re: [Clamav-users] bash script to split mbox file and scan individual messages
On Mon, 28 Aug 2006 [EMAIL PROTECTED] wrote:
> I can see this working in a smaller environment although I still think it is less than ideal...

I think we all agree with that, but the world is a somewhat less than ideal place and there are some cases where such a tool is useful. Thanks to the original poster for sharing his work.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
Re: [Clamav-users] bash script to split mbox file and scan individual messages
[EMAIL PROTECTED] wrote:
> jef moskot wrote:
> > I have a small script I modify to do the job of lifting the offending messages out of the mbox files. On a large scale, there's the obvious problem of modifying files that could be in use or files that the user could be modifying during the stripping process. I can monitor these fairly easily in my environment, but on a larger scale, this would certainly be a much nastier problem.
> >
> > As to the question of whether or not the files have been accessed already, in the general case, I can get to the mailboxes before they are accessed by a majority of the users. Certainly a high enough percentage to make the task worth it. Again, though, this is due to our environment.
>
> I can see this working in a smaller environment although I still think it is less than ideal because you have the potential to scan email that has already been scanned and dubbed clean, especially using mbox. It seems to me that in a larger environment scanning at the SMTP level is ideal.
>
> Steve

You seem to be missing the point here. Nowhere that i saw did anyone say that they are scanning the mailboxes INSTEAD of at smtp time. This mailbox scanning is in addition to smtp scanning. I think anyone could agree that additional scanning is beneficial (although not always necessary). Therefore, i don't see the point of your argument.

-Jim
Re: [Clamav-users] bash script to split mbox file and scan individual messages
Jim Maul wrote:
> You seem to be missing the point here. Nowhere that i saw did anyone say that they are scanning the mailboxes INSTEAD of at smtp time. This mailbox scanning is in addition to smtp scanning. I think anyone could agree that additional scanning is beneficial (although not always necessary). Therefore, i don't see the point of your argument.
>
> -Jim

A quote from a previous email (not from me):

> It would be theoretically possible to do all the above on line, but the chances of dying from a DOS attack would be very high. So off-line scanning for malware and spam seems to me to be the best way to go unless you have unlimited horsepower.

To me this implies that they want offline scanning instead. I could be wrong in the interpretation. It is just my counterpoint that this is not always the case.

But anyway, why would you want to perform additional virus scanning of mailboxes if it is all scanned upon arrival anyway? The only reason I could think is if virus definitions were updated after some malware had already been accepted and you want to go back and look for it. I don't see this happening in large environments though.

Steve
Re: [Clamav-users] bash script to split mbox file and scan individual messages
[EMAIL PROTECTED] wrote:
> Jim Maul wrote:
> > You seem to be missing the point here. Nowhere that i saw did anyone say that they are scanning the mailboxes INSTEAD of at smtp time. This mailbox scanning is in addition to smtp scanning. I think anyone could agree that additional scanning is beneficial (although not always necessary). Therefore, i don't see the point of your argument.
> >
> > -Jim
>
> A quote from a previous email (not from me):
>
> > It would be theoretically possible to do all the above on line, but the chances of dying from a DOS attack would be very high. So off-line scanning for malware and spam seems to me to be the best way to go unless you have unlimited horsepower.
>
> To me this implies that they want offline scanning instead. I could be wrong in the interpretation. It is just my counterpoint that this is not always the case.

Perhaps, but i read it differently.

> But anyway, why would you want to perform additional virus scanning of mailboxes if it is all scanned upon arrival anyway? The only reason I could think is if virus definitions were updated after some malware had already been accepted and you want to go back and look for it.

Exactly. And to me, this is a very good reason to do so. Many people also scan incoming messages (during smtp) with multiple virus scanners. Do you also ask the question, "Why scan the same message twice with 2 virus scanners?" The same principle applies here - redundant scanning is a good idea.

> I don't see this happening in large environments though.

Actually, i would expect this more in large environments. The more email a particular site receives, the greater the chance of missed viruses. It's simply a matter of volume.

-Jim
[Clamav-users] high load condition
My mail server has been choking under high load for about 3 months now. I have about 725 user accounts, using sendmail, imapd and horde for webmail. Top shows the load average climbing above 30. Server is a 4 GB+ memory and dual PIII. I use clamav with procmail. Top shows clamscan in the top portion of utilization every time. My clamav isn't logging (doesn't look like it has for some time). I disabled clamscan in procmail and mail utilization went way down.

Does anyone know how I can start troubleshooting this? I am running ClamAV 0.88.4/1742. My clamav.conf is pretty normal. I haven't changed it in quite some time though.

Procmail script:

    # send through clamav
    #:0fw
    #| /usr/local/bin/clamassassin

    # quarantine if clamav found virus
    #:0:
    #* ^X-Virus-Status: Yes
    #/opt/viruses/clamav-viruses

thanks,
ddh

--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools
Re: [Clamav-users] high load condition
Dwayne Hottinger wrote:
> My mail server has been choking under high load for about 3 months now. I have about 725 user accounts, using sendmail, imapd and horde for webmail. Top shows the load average climbing above 30. Server is a 4 GB+ memory and dual PIII. I use clamav with procmail. Top shows clamscan in the top portion of utilization every time. My clamav isn't logging (doesn't look like it has for some time). I disabled clamscan in procmail and mail utilization went way down.

Try using clamdscan instead of clamscan.
Re: [Clamav-users] bash script to split mbox file and scan individual messages
Jim Maul wrote:
> Perhaps, but I read it differently.

Fair enough.

>> But anyway, why would you want to perform additional virus scanning of mailboxes if it is all scanned upon arrival anyway? The only reason I could think of is if virus definitions were updated after some malware had already been accepted and you want to go back and look for it.
>
> Exactly. And to me, this is a very good reason to do so. Many people also scan incoming messages (during SMTP) with multiple virus scanners. Do you also ask the question, why scan the same message twice with 2 virus scanners? The same principle applies here - redundant scanning is a good idea.

Redundant scanning is good, but it matters where you do it. If it is done during the delivery process then fine, but to scan through people's mailboxes after delivery is a waste of resources. You would be scanning through huge amounts of data (assuming a large environment) to maybe catch something that represents much less than 1% of your total volume. In an environment where there are tens to hundreds of millions of stored messages this is almost an impossibility. Not just due to implementation but because of cost.

Steve
Re: [Clamav-users] high clamd CPU load on Solaris
On 8/28/06, Nigel Horne [EMAIL PROTECTED] wrote:
> Repeating advice already given here: the engine in 0.88 is *old*. If performance is an issue upgrade to the code in CVS.

How long before the current CVS code base becomes the stable release?

Jeff D
[Clamav-users] Zip module failure ERROR
Hello,

I get the message "Zip module failure ERROR" in my clamd logfile. I use 0.88.4. I have (un)zip installed. Does anybody have a clue? Is clamd calling an external zip program or has it an internal one?

--
With kind regards,
Maurice Lucas
TAOS-IT
Re: [Clamav-users] high load condition
On 8/28/06, Dwayne Hottinger [EMAIL PROTECTED] wrote:
> My mail server has been choking under high load for about 3 months now. I have about 725 user accounts, using sendmail, imapd and horde for webmail. Top shows the load average climbing above 30.

Try using clamdscan with sendmail instead (via one of the milters). Part of your problem will be that you're using clamscan, part will be that you'll be scanning the same email each time it's delivered if people are CCd.

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he doesn't become a monster. Friedrich Nietzsche
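The two threads above meet in one small tool: a post-delivery rescan of an mbox (the "split mbox and scan individual messages" idea) that splits on the mbox "From " separator so a detection names one message, and hands each message to clamdscan so the already-running clamd does the work instead of a fresh clamscan per message. This is an added example written for this page, not the OP's script or any poster's code; the sample mbox is constructed, and the clamdscan exit codes 0/1/2 (clean/infected/error) are assumed as documented.

```shell
#!/bin/sh
# Added example (not the thread's script): split an mbox into one file per
# message, then rescan each with clamdscan via the already-running clamd.

# split_mbox MBOX OUTDIR: writes OUTDIR/msg-00001 ... and prints the count.
split_mbox() {
    mkdir -p "$2"
    # "From " at line start is the mbox separator; ">From " is an escaped body line.
    awk -v dir="$2" '
        /^From / { if (out) close(out); n++; out = sprintf("%s/msg-%05d", dir, n) }
        out      { print > out }
        END      { print n + 0 }
    ' "$1"
}

# scan_dir DIR: clamdscan each message; exit status 0 clean, 1 infected, 2 error.
scan_dir() {
    for f in "$1"/msg-*; do
        clamdscan --no-summary "$f" >/dev/null 2>&1
        case $? in
            1) printf 'INFECTED %s\n' "$f" ;;
            2) printf 'ERROR scanning %s (is clamd running?)\n' "$f" >&2 ;;
        esac
    done
}

# make_sample_mbox FILE: constructed two-message mbox; message two holds a
# ">From " body line that must stay inside it rather than start a new message.
make_sample_mbox() {
    cat > "$1" <<'EOF'
From alice@example.invalid Mon Aug 28 10:00:00 2006
From: alice@example.invalid
Subject: one

hello
From bob@example.invalid Mon Aug 28 10:05:00 2006
From: bob@example.invalid
Subject: two

>From a quoted line that is not a separator
EOF
}

# Usage: sh rescan.sh /var/mail/user   (split into a temp dir, then scan)
if [ $# -ge 1 ]; then
    tmp=$(mktemp -d)
    echo "split $(split_mbox "$1" "$tmp") messages from $1 into $tmp"
    scan_dir "$tmp"
fi
```

The split step needs only awk; the scan step needs clamd running, which is the same reason it is cheaper than clamscan here.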