Re: [clamav-users] Manually copy and use local filesystem as DownloadMirror/PrivateMirror

2021-05-18 Thread ANISH SHETTY via clamav-users
Hi Ged,

> If I understand correctly, the clients disable the network connection
> most of the time, and enable it only every three months to do some
> sort of update operation; it might be possible to get them to do this
> once per month, is that correct?  Is the update operation to be purely
> for the ClamAV databases or is it also for some kind of maintenance of
> other software and/or data?

Yes, this is how it is right now. The machines mostly use only the intranet.
They connect to our servers when they must perform an update.  We perform
maintenance of other software, and I can fit in the updates of the virus
definitions here.

Thanks a lot for clearing up my doubts related to freshclam. I am considering
setting up a webserver now. I will have a discussion with my higher-ups with
all the inputs I've got here and see if our clients would be okay with this.

Anish.


From: clamav-users on behalf of G.W. Haywood via clamav-users
Sent: 18 May 2021 14:16
To: ANISH SHETTY via clamav-users
Cc: G.W. Haywood
Subject: Re: [clamav-users] Manually copy and use local filesystem as DownloadMirror/PrivateMirror

Hi there,

On Tue, 18 May 2021, ANISH SHETTY via clamav-users wrote:

> ... the update operation performed by clients is the only time when
> I can manage what data goes into the machines.  I can't set up a cron
> or such alternatives. I could use the web server on the same machine
> as a server for freshclam (since I guess I need a webserver and
> can't do it from local filesystem).

Yes, freshclam only obtains the signature data via Web servers, and
cannot usefully access the local filesystem as an alternative.  You
can in the case of a multi-homed machine specify which interface is to
be used for the downloads.  In case it's also an issue for you, the
current state of the database is held in DNS records.  That means that
freshclam should also have access to a nameserver, so that it can make
the DNS queries to get the information which it needs in order to know
if the signature databases are up to date.  Although we call them the
'signature databases' they are in fact just ordinary files.  Some are
compressed (and signed), but you can uncompress them to plain, flat,
text files which you can display with almost any pager or text editor
(and which I occasionally do to investigate signature issues).

If I understand correctly, the clients disable the network connection
most of the time, and enable it only every three months to do some
sort of update operation; it might be possible to get them to do this
once per month, is that correct?  Is the update operation to be purely
for the ClamAV databases or is it also for some kind of maintenance of
other software and/or data?

> Given all this, I'm not sure if it's worth the effort.  I'll see if
> I can think of any other approaches where the client machines can
> access a server which is kept up to date.

It does not matter what the Web server is - it could be a proxy like
Squid for example.  You could update the files which Squid serves in
whatever way you choose, and of course prevent it from accessing any
data other than your signature databases.  I do not know enough about
the restrictions in your networks to know if that might help.

It does not matter to ClamAV (that is, to the scanners - clamdscan,
clamscan and clamd) how the signature files are kept up to date.  But
it matters to the infrastructure how the downloads are performed, as
there are abuse protections in place which will probably be activated
if freshclam (and it must be a fairly up to date version of freshclam)
is not used.  That would mean that the IP address trying to download
the signatures will be blocked by the infrastructure provider and you
would need to ask for it to be unblocked after rectifying any issues.

--

73,
Ged.

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml



Re: [clamav-users] Debug Symbols for the Windows version to analyze crash dumps

2021-05-18 Thread Micah Snyder (micasnyd) via clamav-users
Hi Sreeram,

The ClamAV Windows builds that we publish on our website are Release builds, so
there are no PDB files to share for debug symbols.
You would have to do a Debug build in order to have a clamav install that has
debug symbols.

If you're up for compiling clamav on Windows yourself, have a look at the
INSTALL.cmake.md file.  It's easiest to use vcpkg to supply library
dependencies, though you could also use Mussels. See
https://github.com/Cisco-Talos/clamav/blob/dev/0.104/INSTALL.cmake.md#windows-build-with-vcpkg
for details. And of course, use "Debug" instead of "Release".

Tangent: There is an issue with the PE parser right now where it tries to set 
the endianness of the variables in a couple of structures in read-only memory 
which causes a crash if you're using a Debug build.  The endianness for these 
variables is actually already correct on Windows x86/x86_64 systems so the code 
there doesn't _really_ do anything, but in Debug mode the compiler doesn't 
optimize away the call so it thinks it is changing read-only memory and this 
causes a crash.  TL;DR is that if you do make a Windows Debug build, expect to 
see a crash from this when scanning PE files.  It's not an actual issue that 
would affect Release-mode builds, but is a problem with testing Debug builds on 
Windows right now.  It's on my to-do list to resolve this.

-Micah

From: clamav-users On Behalf Of Sreeram Nanjundan via clamav-users
Sent: Tuesday, May 18, 2021 11:13 AM
To: clamav-users@lists.clamav.net
Cc: Sreeram Nanjundan
Subject: [clamav-users] Debug Symbols for the Windows version to analyze crash dumps

Hello

In one of our installed environments, which is Windows-based, we are running into
clamd.exe crashing more often. To isolate the cause we are capturing the crash
dump. Analyzing that would require the debug symbols.  Is there a place where
they are made available that can be consumed?

Thanks
Sreeram


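The bug shape Micah describes, as an added illustration that is not ClamAV's code: a byte-order helper that writes back through a pointer faults when the pointer addresses read-only memory, while a Release build on a little-endian host may optimize the no-op store away, so the fault appears only in a Debug build. The `RO_HEADER` bytes and all function names are constructed for this example; the safe form copies the field out of the buffer before converting it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 8-byte fragment of a little-endian PE header in read-only storage,
   standing in for a read-only mapping of the file being scanned. */
static const uint8_t RO_HEADER[8] = { 0x50, 0x45, 0x00, 0x00,    /* "PE\0\0"       */
                                      0x4c, 0x01, 0x00, 0x00 };  /* Machine 0x014c */

/* Host byte order, detected at run time so the conversion is right on any host. */
static int host_is_little_endian(void)
{
    const uint16_t probe = 1;
    return *(const uint8_t *)&probe == 1;   /* byte access to any object is permitted */
}

/* Pure conversion: little-endian value in, host-order value out.  On a
   little-endian host it is the identity and stores nothing anywhere. */
uint32_t le32_to_host(uint32_t v)
{
    if (host_is_little_endian()) return v;
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}

/* The shape Micah describes: convert the field where it lives.  Pointed at
   read-only memory, the store faults.  On a little-endian host a Release build
   may drop the store (the swap is the identity), so the fault shows only in a
   Debug build.  Only ever pass writable memory to this. */
void le32_to_host_inplace(uint32_t *field)
{
    *field = le32_to_host(*field);
}

/* Safe reader: copy the bytes out of the (possibly read-only) buffer into a
   local, convert the copy and never write back. */
uint32_t read_le32(const uint8_t *buf, size_t off)
{
    uint32_t raw;
    memcpy(&raw, buf + off, sizeof raw);
    return le32_to_host(raw);
}

int main(void)
{
    uint32_t copy;
    memcpy(&copy, RO_HEADER, sizeof copy);    /* writable copy: in-place is harmless */
    le32_to_host_inplace(&copy);
    printf("signature 0x%08x, machine 0x%04x\n", copy, read_le32(RO_HEADER, 4));
    return 0;
}
```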


[clamav-users] Debug Symbols for the Windows version to analyze crash dumps

2021-05-18 Thread Sreeram Nanjundan via clamav-users
Hello

In one of our installed environments, which is Windows-based, we are running into
clamd.exe crashing more often. To isolate the cause we are capturing the crash
dump. Analyzing that would require the debug symbols.  Is there a place where
they are made available that can be consumed?

Thanks
Sreeram




Re: [clamav-users] RClam AV installation with Postfix in RHEL

2021-05-18 Thread Erwan David via clamav-users

On 18/05/2021 at 11:59, Eero Volotinen wrote:

> Read the documentation
>
> http://books.msspace.net/mirrorbooks/linuxcookbook/0596006403/linuxckbk-CHP-21-SECT-8.html
>
> The typical way is to use amavis with postfix

There is also a clamav milter (which works fine)



Re: [clamav-users] RClam AV installation with Postfix in RHEL

2021-05-18 Thread Eero Volotinen
Read the documentation

http://books.msspace.net/mirrorbooks/linuxcookbook/0596006403/linuxckbk-CHP-21-SECT-8.html

The typical way is to use amavis with postfix


Eero

On Tue 18. May 2021 at 7.04, Anindya Banerjee-konsult <
anindya.banerjee-kons...@apoteket.se> wrote:

> Hello Team,
>
>
>
> We are using Postfix for email relay and have activated SpamAssassin. We
> intend to use Clam AV scanning of emails relayed by Postfix. We have
> documentation for installation but not on interoperability with Postfix.
> https://www.clamav.net/documents/installation-on-redhat-and-centos-linux-distributions.
> Please assist with documentation on how Clam AV may be configured to work
> with Postfix email relay.
>
>
>
> Thanks & regards
>
> Anindya Banerjee
>
> Apoteket AB
>
> +91 9836106549
>



Re: [clamav-users] Manually copy and use local filesystem as DownloadMirror/PrivateMirror

2021-05-18 Thread G.W. Haywood via clamav-users

Hi there,

On Tue, 18 May 2021, ANISH SHETTY via clamav-users wrote:


> ... the update operation performed by clients is the only time when
> I can manage what data goes into the machines.  I can't set up a cron
> or such alternatives. I could use the web server on the same machine
> as a server for freshclam (since I guess I need a webserver and
> can't do it from local filesystem).


Yes, freshclam only obtains the signature data via Web servers, and
cannot usefully access the local filesystem as an alternative.  You
can in the case of a multi-homed machine specify which interface is to
be used for the downloads.  In case it's also an issue for you, the
current state of the database is held in DNS records.  That means that
freshclam should also have access to a nameserver, so that it can make
the DNS queries to get the information which it needs in order to know
if the signature databases are up to date.  Although we call them the
'signature databases' they are in fact just ordinary files.  Some are
compressed (and signed), but you can uncompress them to plain, flat,
text files which you can display with almost any pager or text editor
(and which I occasionally do to investigate signature issues).

If I understand correctly, the clients disable the network connection
most of the time, and enable it only every three months to do some
sort of update operation; it might be possible to get them to do this
once per month, is that correct?  Is the update operation to be purely
for the ClamAV databases or is it also for some kind of maintenance of
other software and/or data?


> Given all this, I'm not sure if it's worth the effort.  I'll see if
> I can think of any other approaches where the client machines can
> access a server which is kept up to date.


It does not matter what the Web server is - it could be a proxy like
Squid for example.  You could update the files which Squid serves in
whatever way you choose, and of course prevent it from accessing any
data other than your signature databases.  I do not know enough about
the restrictions in your networks to know if that might help.

It does not matter to ClamAV (that is, to the scanners - clamdscan,
clamscan and clamd) how the signature files are kept up to date.  But
it matters to the infrastructure how the downloads are performed, as
there are abuse protections in place which will probably be activated
if freshclam (and it must be a fairly up to date version of freshclam)
is not used.  That would mean that the IP address trying to download
the signatures will be blocked by the infrastructure provider and you
would need to ask for it to be unblocked after rectifying any issues.

--

73,
Ged.

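The up-to-date check Ged describes, as an added example that is not part of the post or of ClamAV's code: read the version out of the colon-separated text header that opens every .cvd/.cld file (a constructed sample with placeholder MD5 and signature fields) and compare it with the version advertised in the current.cvd.clamav.net TXT record (also a constructed sample; the field positions main = 1, daily = 2, bytecode = 7 are assumed). An operator running a private mirror can use the same comparison to confirm the mirror is serving current files.

```c
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of the text header that opens every .cvd/.cld file (in a
   real file it is the first 512 bytes; MD5 and dsig are placeholders here):
   magic:build time:version:signatures:functionality level:MD5:dsig:builder:stime */
static const char SAMPLE_CVD_HDR[] =
    "ClamAV-VDB:18 May 2021 04-55 -0400:26175:3957990:63:"
    "MD5-PLACEHOLDER:DSIG-PLACEHOLDER:raynman:1621328100";

/* Constructed sample of the TXT record freshclam consults (current.cvd.clamav.net).
   Assumed field use, 0-based: 1 = main version, 2 = daily version, 7 = bytecode. */
static const char SAMPLE_DNS_TXT[] = "0.103.2:59:26176:1621345260:1:90:49192:333";

/* Integer value of colon-separated field `idx` (0-based) of `s`; -1 if absent. */
static long field_long(const char *s, int idx)
{
    for (; idx > 0; idx--) {
        if ((s = strchr(s, ':')) == NULL) return -1;
        s++;
    }
    return strtol(s, NULL, 10);   /* stops at the next ':' */
}

/* Version stamped in a CVD header (field 2); -1 if this is not a CVD header. */
long cvd_version(const char *hdr)
{
    if (strncmp(hdr, "ClamAV-VDB:", 11) != 0) return -1;
    return field_long(hdr, 2);
}

/* Version advertised by the DNS record in field `fld`; -1 if the field is missing. */
long dns_version(const char *txt, int fld) { return field_long(txt, fld); }

/* 1 if the local copy is behind what DNS advertises, 0 if current, -1 on parse error. */
int needs_update(const char *hdr, const char *txt, int fld)
{
    long local = cvd_version(hdr), remote = dns_version(txt, fld);
    if (local < 0 || remote < 0) return -1;
    return remote > local;
}

int main(void)
{
    printf("local daily %ld, DNS daily %ld, update needed: %d\n",
           cvd_version(SAMPLE_CVD_HDR), dns_version(SAMPLE_DNS_TXT, 2),
           needs_update(SAMPLE_CVD_HDR, SAMPLE_DNS_TXT, 2));   /* 26175, 26176, 1 */
    return 0;
}
```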


Re: [clamav-users] Please give me the contact information for unblocking 429

2021-05-18 Thread G.W. Haywood via clamav-users

Hi there,

On Tue, 18 May 2021, ノコ via clamav-users wrote:


> Can I use this email to request unblocking?


Yes, in a way.

First of all you need to tell us

(1) what version of ClamAV you are using,
(2) how you are getting the ClamAV signature databases, and
(3) that you have read some of the relevant posts to this list.

There have been many recent posts about abuse of the download servers
and ways to avoid being blocked by the strengthened abuse protection.

Please do some reading, and then get back to us if necessary with the
information which will be needed in order to help you.

You can find archives of the list in several places on the Internet; I
like the one at 'marc.info', for example:

https://marc.info/?t=16150771981&r=1&w=2

--

73,
Ged.
