Re: [Clamav-users] Resources for integrating with spamassassin+amavisd
> I meant that the other day there was a URL in the body of an email
> that passed through as ham when in fact it ended in 'ecard.exe' and,
> should the recipient download it, would be shown to be a trojan.
> Doesn't clamav block stuff like this, I thought?

Hi Alex,

If you still have a copy of the headers & body, could you send me a sample:

samples AT sanesecurity DOT me DOT uk

I'll run it against the dbs I've got here.

Cheers,

Steve Sanesecurity

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [Clamav-users] Resources for integrating with spamassassin+amavisd
Hi,

>> Will amavisd now also pass to it HTML files to scan for bad URLs
>> within HTML and other email threats?
>
> I don't understand your question, but most likely it depends on how you
> have configured amavisd.

I meant that the other day there was a URL in the body of an email that
passed through as ham when in fact it ended in 'ecard.exe' and, should the
recipient download it, would be shown to be a trojan. Doesn't clamav block
stuff like this, I thought?

I'm now rejecting URLs ending in .exe right in postfix, but I thought one of
the databases was a list of bad URLs, a la blacklists...

Thanks
Alex
Re: [Clamav-users] Resources for integrating with spamassassin+amavisd
>>> Why, are you blocking outbound rsync traffic? If so, after 3 years of
>>> maintaining this script and many thousands of users, this is the first
>>> time I've heard this request.
>>
>> Some of us do this by default - set an outbound policy of block and allow
>> specific traffic that's allowed. It means that should a machine get
>> compromised despite all other precautions, it can't* then be used to
>> launch an attack on others (or other servers in your own network) and/or
>> is unable to communicate with its control centre. Just another layer of
>> security.

Yes, exactly. That which is not expressly permitted is prohibited. Not only
once it's been compromised, but even by a trusted user that uses rsync to
download something from his own remote site to actually do the compromising
(of your system or another system). It's one thing on a home system, but
quite another on a corporate network where there is a policy in place.

I think it's more likely that no one has reported it previously, rather
than not implementing it.

Thanks,
Alex
Re: [Clamav-users] Resources for integrating with spamassassin+amavisd
FWIW, we have the same setup where I am. The last place I was at the
network guys were planning to do the same thing.

--Bryan

--
Bryan Blackwell -- Unix Systems Engineer
br...@skiblack.com

On Apr 28, 2010, at 4:54 PM, Simon Hobson wrote:

>> Why, are you blocking outbound rsync traffic? If so, after 3 years of
>> maintaining this script and many thousands of users, this is the first
>> time I've heard this request.
>
> Some of us do this by default - set an outbound policy of block and allow
> specific traffic that's allowed. It means that should a machine get
> compromised despite all other precautions, it can't* then be used to
> launch an attack on others (or other servers in your own network) and/or
> is unable to communicate with its control centre. Just another layer of
> security.
Re: [Clamav-users] Resources for integrating with spamassassin+amavisd
Bill Landry wrote:

> Why, are you blocking outbound rsync traffic? If so, after 3 years of
> maintaining this script and many thousands of users, this is the first
> time I've heard this request.

Some of us do this by default - set an outbound policy of block and allow
specific traffic that's allowed. It means that should a machine get
compromised despite all other precautions, it can't* then be used to launch
an attack on others (or other servers in your own network) and/or is unable
to communicate with its control centre. Just another layer of security.

* Yes the attacker (assuming they got root equivalent access) can clear
iptables - but that means they have to be proactive and risk making
themselves more visible, not to mention they risk their remote install
breaking networking (and also making their presence visible).

But then what would I know about administering servers :-/

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
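The egress policy Simon describes (default-deny OUTPUT, explicit allows for what the update job needs), written out as an added example. This is not from the thread or from clamav-unofficial-sigs; the interface name and the mirror addresses are inputs you supply, the latter being whatever "host rsync.sanesecurity.net" returns on the day (Bill's pointer), so the rule set has to be regenerated when that list changes. The generator only prints rules so they can be reviewed before being applied; a separate function runs them.

```shell
#!/bin/sh
# Added example, not code from the thread or the script it discusses.
# Default-deny outbound firewall that still lets the signature-update job
# reach the rsync mirrors. Mirror IPs are an assumption supplied by the caller.

# egress_rules IFACE MIRROR_IP... : print the iptables commands, one per
# line, without running anything. Order matters when applied: allows go in
# first and the DROP policy is set last, so an interrupted run never cuts
# off an established admin session.
egress_rules() {
    iface=$1; shift
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Replies on connections that were already accepted inbound.
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # DNS is needed to resolve the mirror hostnames in the first place.
    echo "iptables -A OUTPUT -o $iface -p udp --dport 53 -j ACCEPT"
    echo "iptables -A OUTPUT -o $iface -p tcp --dport 53 -j ACCEPT"
    # rsync (tcp/873) only to the listed mirrors, nothing else.
    for ip in "$@"; do
        echo "iptables -A OUTPUT -o $iface -p tcp -d $ip --dport 873 -j ACCEPT"
    done
    # Log everything else before it is dropped: a compromised host trying to
    # phone home shows up in the log (the "more visible" point in Simon's
    # footnote) instead of silently failing.
    echo "iptables -A OUTPUT -j LOG --log-prefix 'EGRESS-DROP: ' --log-level 4"
    echo "iptables -P OUTPUT DROP"
}

# egress_apply IFACE MIRROR_IP... : execute the generated rules (needs root).
egress_apply() {
    egress_rules "$@" | while IFS= read -r cmd; do
        eval "$cmd" || return 1
    done
}

# count_rsync_allows IFACE MIRROR_IP... : number of per-mirror rsync allows,
# to sanity-check the rule set against the mirror list you resolved.
count_rsync_allows() {
    egress_rules "$@" | grep -c -- '--dport 873'
}

# Typical use: review first, then apply.
#   egress_rules eth0 $(host rsync.sanesecurity.net | awk '/has address/ {print $NF}')
#   egress_apply eth0 ...same addresses...
```

Because the policy is set last, a partially applied rule set leaves the host open rather than locked out; the flip side is that the LOG rule fires for every dropped packet, so rate-limit it (-m limit) on a busy box.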
Re: [Clamav-users] Resources for integrating with spamassassin+amavisd
Hi,

> If you run rsync manually and then run the script after, you'll no doubt
> get a block from the server...as some mirrors only allow one rsync hit per
> hour...
>
> Just to try this out...
>
> 1. run the above rsync command manually
> 2. run the above rsync command *again*, manually

Yes, that explains it. I now understand. I hadn't realized that was the case.

Thanks again,
Alex
Re: [Clamav-users] Large File problems
On 04/28/2010 06:40 PM, rick...@mm.com wrote:
> WARNING: Can't access file
> /app/ndm/misc/RT_Confirms.01122006.04222010194815.zip
> /app/ndm/misc/RT_Confirms.01122006.04222010194815.zip: Value too large for
> defined data type
> WARNING: Can't access file
> /app/ndm/misc/RT_Confirms.01122006.04222010194815.zip.gpg
> /app/ndm/misc/RT_Confirms.01122006.04222010194815.zip.gpg: Value too large
> for defined data type

Looks like you are running on a 32-bit system, and you didn't compile
ClamAV with -D_FILE_OFFSET_BITS=64, hence the stat() system call fails on
files whose size/inode exceeds 32 bits.

Best regards,
--Edwin
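An added triage script (not from the thread) for the situation Edwin diagnoses. "Value too large for defined data type" is the text of EOVERFLOW, which stat() returns when a program built with a 32-bit off_t meets a file larger than 2147483647 bytes; the check below reads the "Can't access file" warnings out of clamscan output and tests whether each named file really crosses that limit, so a large-file build problem is told apart from a plain permissions problem. The demo builds its own constructed sample (a sparse file of the 2623701980-byte size from the report, which costs no disk space) and assumes GNU stat for the size lookup.

```shell
#!/bin/sh
# Added example, not code from the thread. Triage clamscan warnings of the
# form "WARNING: Can't access file PATH" by checking whether PATH is simply
# unreadable or is too big for a 32-bit off_t (the EOVERFLOW case).
# Assumes GNU stat (-c %s).

OFF_T32_MAX=2147483647   # largest value a signed 32-bit off_t can hold

# classify_file PATH -> prints one of: missing, unreadable, lfs, ok
#   lfs means the file exceeds OFF_T32_MAX, so a scanner built without
#   _FILE_OFFSET_BITS=64 cannot even stat() it.
classify_file() {
    f=$1
    [ -e "$f" ] || { echo missing; return; }
    [ -r "$f" ] || { echo unreadable; return; }
    size=$(stat -c %s "$f")
    if [ "$size" -gt "$OFF_T32_MAX" ]; then echo lfs; else echo ok; fi
}

# triage_log < clamscan-output : for every "WARNING: Can't access file PATH"
# line, print "PATH<TAB>verdict". Other lines (including the trailing
# "PATH: Value too large ..." line) are ignored.
triage_log() {
    sed -n "s/^WARNING: Can't access file //p" | while IFS= read -r path; do
        printf '%s\t%s\n' "$path" "$(classify_file "$path")"
    done
}

# demo_triage: constructed sample. A sparse file of 2623701980 bytes (the
# size in the original report) plus a tiny one, and a constructed log that
# names both. Prints the triage table and cleans up.
demo_triage() {
    dir=$(mktemp -d)
    big=$dir/RT_Confirms.sample.zip
    small=$dir/small.zip
    truncate -s 2623701980 "$big" 2>/dev/null ||
        dd if=/dev/null of="$big" bs=1 seek=2623701980 count=0 2>/dev/null
    printf 'PK' > "$small"
    printf "WARNING: Can't access file %s\n%s: Value too large for defined data type\nWARNING: Can't access file %s\n" \
        "$big" "$big" "$small" | triage_log
    rm -rf "$dir"
}
```

If every flagged path comes back "lfs", the fix is on the build side (a scanner compiled with 64-bit file offsets), not in the Limits settings rick tried; an "unreadable" verdict points at ownership or mode instead.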
Re: [Clamav-users] Large File problems
WARNING: Can't access file /app/ndm/misc/RT_Confirms.01122006.04222010194815.zip
/app/ndm/misc/RT_Confirms.01122006.04222010194815.zip: Value too large for defined data type
WARNING: Can't access file /app/ndm/misc/RT_Confirms.01122006.04222010194815.zip.gpg
/app/ndm/misc/RT_Confirms.01122006.04222010194815.zip.gpg: Value too large for defined data type

> On 28/04/2010 5.24, rick...@mm.com wrote:
>> I have a zip file of PDF files I'm trying to scan, the file is
>> 2623701980 bytes. I've set all the Limits to 0 but still no joy. I'm
>> running the latest version, on Solaris 10, x86. I have a lot more files
>> like this coming soon and really need to get this working so any help
>> would be great.
>
> Generally it is not a good idea to scan such large pdfs
> btw what is exactly the error?
>
> I think it may be related to the used os file access functions
>
> Regards
>
> --
> Gianluigi Tiesi
> EDP Project Leader
> Netfarm S.r.l. - http://www.netfarm.it/
> Free Software: http://oss.netfarm.it/
Re: [Clamav-users] Resources for integrating with spamassassin+amavisd
On 4/28/2010 6:01 AM, Alex wrote:
> Hi,
>
>> The rsync mirrors are defined in the script, not the config file.
>> However, you can find the full list of mirrors by executing:
>>
>> host rsync.sanesecurity.net
>
> It might be worth mentioning this in the docs so other people can
> properly configure their firewall if necessary.

Why, are you blocking outbound rsync traffic? If so, after 3 years of
maintaining this script and many thousands of users, this is the first time
I've heard this request.

>>> Connection to ns.km33603.keymachine.de 87.118.124.191 failed - Trying
>>> next mirror site...
>>
>> Maybe the site was down at the time the script ran...?
>
> No, I can run rsync right afterwards and it succeeds, like this:
>
> # rsync -v rsync://ns.km33603.keymachine.de/sanesecurity/
>
> Here's the output from the clamav-unofficial-sigs.sh script immediately
> after:
>
> Sanesecurity mirror site used: ns.km33603.keymachine.de 87.118.124.191
> Number of files: 40
> Number of files transferred: 0
> Total file size: 27032205 bytes
> Total transferred file size: 0 bytes
> Literal data: 0 bytes
> Matched data: 0 bytes
> File list size: 1318
> File list generation time: 0.241 seconds
> File list transfer time: 0.000 seconds
> Total bytes sent: 34
> Total bytes received: 1932
>
> sent 34 bytes  received 1932 bytes  786.40 bytes/sec
> total size is 27032205  speedup is 13749.85
> Connection to ns.km33603.keymachine.de 87.118.124.191 failed - Trying
> next mirror site...
>
> Looks to me like the rsync succeeded, since it received the filelist and
> actually received data. Could it instead be saying that it failed to find
> an update, and not that it failed to connect?

The script only reports failed to connect if it actually failed to
connect, not if there were no updates available.

> How can I query clamd to find out which databases it's currently using to
> scan files?

ClamD will use every signature database that you have located in your
production database directory.

> Will amavisd now also pass to it HTML files to scan for bad URLs within
> HTML and other email threats?

I don't understand your question, but most likely it depends on how you
have configured amavisd.

>>> Is it possible to configure it to log through syslog, instead of to a
>>> file directly?
>>
>> Not unless you want to edit the script. I intentionally steered away
>> from using syslog so as not to pollute any of the existing system log
>> files, nor did I want to require script users to create a new syslog
>> facility in order to keep script logging separate.
>
> I was interested in this so I can pass it to a remote log server instead
> of having to monitor it locally, and also for buffering (not that there's
> a lot of overhead) and for monitoring, so I don't have to have another
> script that runs and watches a daemon or additional set of log files. Do
> you have any suggestions? Do you think it's necessary?

Personally, I don't think it's necessary. However, you could look at
modifying the script to use "logger" if *you* feel it's necessary.

> Thanks again for all your work!

You're welcome.

Bill
Re: [Clamav-users] Resources for integrating with spamassassin+amavisd
> No, I can run rsync right afterwards and it succeeds, like this:
>
> # rsync -v rsync://ns.km33603.keymachine.de/sanesecurity/
>
> Here's the output from the clamav-unofficial-sigs.sh script immediately
> after:

Hi Alex,

If you run rsync manually and then run the script after, you'll no doubt
get a block from the server...as some mirrors only allow one rsync hit per
hour...

Just to try this out...

1. run the above rsync command manually
2. run the above rsync command *again*, manually

Does the first one work.. and the second one fail?

If that's the case, wait 5 mins or so and run the script again, by that
time, you should hit a different mirror.

Cheers,

Steve Sanesecurity
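Steve's two-step test, as an added script that is not part of the thread: it lists the same mirror's sanesecurity module twice in a row and names the outcome, so "rate-limited by the mirror" is distinguished from "mirror down or blocked by my own egress firewall". RSYNC_CMD is an assumption introduced here so the logic can be exercised offline with a stand-in command; by default it is plain rsync.

```shell
#!/bin/sh
# Added example, not code from the thread. Probe one Sanesecurity rsync
# mirror twice and classify the pair of results, mirroring the manual test
# Steve describes. RSYNC_CMD defaults to rsync; override it for dry runs.
RSYNC_CMD=${RSYNC_CMD:-rsync}

# probe_mirror MIRROR_HOST : prints one of
#   ok          - both listings succeeded (no per-hour limit in play)
#   ratelimited - first succeeded, second refused (one hit per hour mirror)
#   down        - both failed (unreachable, or your firewall drops tcp/873)
#   flaky       - first failed, second succeeded
# The if/else form keeps a failing rsync from tripping "set -e" callers.
probe_mirror() {
    url="rsync://$1/sanesecurity/"
    if "$RSYNC_CMD" --list-only "$url" >/dev/null 2>&1; then first=0; else first=1; fi
    if "$RSYNC_CMD" --list-only "$url" >/dev/null 2>&1; then second=0; else second=1; fi
    case "$first$second" in
        00) echo ok ;;
        01) echo ratelimited ;;
        10) echo flaky ;;
        *)  echo down ;;
    esac
}

# Typical use, against the mirror named in the thread:
#   probe_mirror ns.km33603.keymachine.de
```

A "ratelimited" result means the update script's own later attempt will also be refused until the hour is up, which is exactly why Steve suggests waiting and letting the script pick another mirror; "down" is the case to check against the egress rules first.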
Re: [Clamav-users] Resources for integrating with spamassassin+amavisd
Hi,

> The rsync mirrors are defined in the script, not the config file.
> However, you can find the full list of mirrors by executing:
>
> host rsync.sanesecurity.net

It might be worth mentioning this in the docs so other people can properly
configure their firewall if necessary.

>> Connection to ns.km33603.keymachine.de 87.118.124.191 failed - Trying
>> next mirror site...
>
> Maybe the site was down at the time the script ran...?

No, I can run rsync right afterwards and it succeeds, like this:

# rsync -v rsync://ns.km33603.keymachine.de/sanesecurity/

Here's the output from the clamav-unofficial-sigs.sh script immediately
after:

Sanesecurity mirror site used: ns.km33603.keymachine.de 87.118.124.191
Number of files: 40
Number of files transferred: 0
Total file size: 27032205 bytes
Total transferred file size: 0 bytes
Literal data: 0 bytes
Matched data: 0 bytes
File list size: 1318
File list generation time: 0.241 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 34
Total bytes received: 1932

sent 34 bytes  received 1932 bytes  786.40 bytes/sec
total size is 27032205  speedup is 13749.85
Connection to ns.km33603.keymachine.de 87.118.124.191 failed - Trying next
mirror site...

Looks to me like the rsync succeeded, since it received the filelist and
actually received data. Could it instead be saying that it failed to find
an update, and not that it failed to connect?

How can I query clamd to find out which databases it's currently using to
scan files?

Will amavisd now also pass to it HTML files to scan for bad URLs within
HTML and other email threats?

>> Is it possible to configure it to log through syslog, instead of to a
>> file directly?
>
> Not unless you want to edit the script. I intentionally steered away from
> using syslog so as not to pollute any of the existing system log files,
> nor did I want to require script users to create a new syslog facility in
> order to keep script logging separate.

I was interested in this so I can pass it to a remote log server instead of
having to monitor it locally, and also for buffering (not that there's a lot
of overhead) and for monitoring, so I don't have to have another script that
runs and watches a daemon or additional set of log files. Do you have any
suggestions? Do you think it's necessary?

Thanks again for all your work!

Best regards,
Alex
Re: [Clamav-users] Resources for integrating with spamassassin+amavisd
On 4/27/2010 11:53 PM, Alex wrote:
> Hi,
>
>>> I've done some research on the best way to integrate it, but hoped
>>> someone could point me to a current document that outlines how to do
>>> this and help me answer some of my questions.
>>
>> The best way to integrate them is to follow the instructions at Steve's
>> web site (Sane Security).
>
> Great, thanks. There's an awful lot of work they've done to create this.
> I've managed to get the clamav-unofficial-sigs package installed and it
> appears to be working correctly so far. A few questions.
>
> Where are the mirrors defined? I've had to add rules through the firewall
> the hard way, instead of knowing what the full list is.

The rsync mirrors are defined in the script, not the config file. However,
you can find the full list of mirrors by executing:

host rsync.sanesecurity.net

> Some of them appeared to fail, although when I run rsync manually they
> succeed just fine:
>
> Connection to ns.km33603.keymachine.de 87.118.124.191 failed - Trying
> next mirror site...

Maybe the site was down at the time the script ran...?

> Running it manually, like this, results in the file list:
>
> # rsync -av rsync://ns.km33603.keymachine.de/
> sirupmusic          sirupmusic rsync
> sanesecurity        SaneSecurity Signatures
> sanesecurity-update SaneSecurity Signatures (requires authentication)
>
> What is sanesecurity-update? Should I somehow obtain authentication or
> just use the regular sanesecurity?

Authentication is not required, you just need to specify the directory
/sanesecurity

> Is it possible to configure it to log through syslog, instead of to a
> file directly?

Not unless you want to edit the script. I intentionally steered away from
using syslog so as not to pollute any of the existing system log files, nor
did I want to require script users to create a new syslog facility in order
to keep script logging separate.

Bill