Re: [Clamav-users] Resources for integrating with spamassassin+amavisd

2010-05-03 Thread Chris Meadors
On Mon, 2010-05-03 at 05:53 -0700, Jim Preston wrote:
> Dennis Peterson wrote:
> >
> > Rsync is able to transfer only the differences between two files 
> > provided a version of the file being transferred exists on the source 
> > and the destination. In addition, rsync will not transfer anything if 
> > it determines there are no changes between the two files. 
> 
> Is this true for binary files as well? or just text files?

Rsync treats all files as binary.  When finding changes it splits a file
into blocks, computes a checksum for each block and performs a
comparison between the sending and receiving side.  Then it only sends
the blocks which have changed.

When dealing with a text file which has been appended to, like a log,
all the initial blocks are the same.  But if the file is sorted, it's
possible only a few additional lines will disrupt most every block by
changing the start offsets throughout the entire file.

-- 
Chris

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
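
The block comparison Chris describes, as an added example that is not rsync's own code: the receiver hashes fixed blocks of its copy (a weak adler32 plus a strong SHA-256 here; rsync's own checksum pair differs), the sender slides a window over the new file at every byte offset and replaces each block it recognises with a reference, and only unmatched bytes go over the wire as literals. The 64-byte block size, the sample log and the sorted word list are constructed for the demo.

```python
"""Added demo of rsync-style block delta transfer (not rsync's code)."""
import hashlib
import zlib

BLOCK = 64  # block size chosen for the small demo inputs; rsync uses larger blocks


def block_signatures(old: bytes, block: int = BLOCK) -> dict:
    """Receiver side: for every fixed block of its copy compute a cheap weak
    checksum (adler32) and a strong hash (sha256). Only these signatures
    travel to the sender, never the file itself."""
    sigs = {}
    for i in range(0, len(old), block):
        chunk = old[i:i + block]
        key = (len(chunk), zlib.adler32(chunk))
        sigs.setdefault(key, {})[hashlib.sha256(chunk).digest()] = i
    return sigs


def delta(new: bytes, sigs: dict, block: int = BLOCK) -> list:
    """Sender side: slide a window over the new file one byte at a time. When
    a window's weak checksum is in the receiver's table and the strong hash
    confirms it, emit a reference to the receiver's block; otherwise the byte
    becomes literal data. rsync updates the weak checksum incrementally as the
    window slides; this demo recomputes it, which is slower but equivalent."""
    lengths = sorted({length for length, _ in sigs}, reverse=True)
    ops, literal, pos = [], bytearray(), 0
    while pos < len(new):
        hit = None
        for length in lengths:
            window = new[pos:pos + length]
            if len(window) != length:
                continue
            strong_map = sigs.get((length, zlib.adler32(window)))
            if strong_map:
                offset = strong_map.get(hashlib.sha256(window).digest())
                if offset is not None:
                    hit = (offset, length)
                    break
        if hit:
            if literal:
                ops.append(("literal", bytes(literal)))
                literal = bytearray()
            ops.append(("match", hit[0], hit[1]))
            pos += hit[1]
        else:
            literal.append(new[pos])
            pos += 1
    if literal:
        ops.append(("literal", bytes(literal)))
    return ops


def reconstruct(old: bytes, ops: list) -> bytes:
    """Receiver side: rebuild the new file from its old copy plus the delta."""
    out = bytearray()
    for op in ops:
        if op[0] == "match":
            out += old[op[1]:op[1] + op[2]]
        else:
            out += op[1]
    return bytes(out)


def literal_bytes(ops: list) -> int:
    """Bytes of file content the sender actually has to transmit."""
    return sum(len(op[1]) for op in ops if op[0] == "literal")


# Constructed sample data: an append-only log and a sorted word list.
OLD_LOG = b"".join(b"Mon May  3 12:%02d:00 2010 -> /var/mail/%d: OK\n" % (i, i)
                   for i in range(40))
NEW_LOG = OLD_LOG + b"Mon May  3 12:40:00 2010 -> /var/mail/40: Worm.Mydoom.M FOUND\n"
WORDS = sorted(b"w%04d" % (i * 7919 % 500) for i in range(300))
OLD_SORTED = b"\n".join(WORDS) + b"\n"
NEW_SORTED = b"\n".join(sorted(WORDS + [b"w0250a", b"w0251a"])) + b"\n"


def transfer_cost(old: bytes, new: bytes) -> tuple:
    """Return (literal bytes sent, size of new file) after checking the rebuild."""
    ops = delta(new, block_signatures(old))
    assert reconstruct(old, ops) == new
    return literal_bytes(ops), len(new)


if __name__ == "__main__":
    for name, old, new in (("unchanged log", OLD_LOG, OLD_LOG),
                           ("appended log", OLD_LOG, NEW_LOG),
                           ("sorted list with two insertions", OLD_SORTED, NEW_SORTED)):
        sent, total = transfer_cost(old, new)
        print(f"{name}: {sent} literal bytes of {total}")
```

The unchanged file costs nothing and the appended log costs only its new line. Because the sender tries a match at every byte offset, the two words inserted into the sorted list shift everything after them without forcing it to be resent; only the block straddling the insertion plus the new bytes travel.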


Re: [Clamav-users] Yet more clubbing of deceased equine.

2010-04-23 Thread Chris Meadors

On 4/23/2010 8:02 PM, Chris Knight wrote:

> 1) Release a new version that pulls updates from a new hostname.
> 2) Wait a couple of weeks, or even six months
> 3) Shut down old servers,

4. Orphan *all* previous versions, including the still heavily used, and 
valid, 0.95s which were released before the hostname change, not just 
the buggy 0.94 and older.


--
Chris


Re: [Clamav-users] Clubbing a deceased equine

2010-04-21 Thread Chris Meadors
On Wed, 2010-04-21 at 21:19 +0100, Steve Basford wrote:

> I did see an interesting idea on the devel mailing list from David "I 
> have a feature suggestion: Incorporate the version number in your
> DNS TXT records and download URLs. Your download mirrors can use 
> symlinks in most cases (when versions are completely compatible) and
> you can easily stop older machines from attempting to download by 
> stopping updates on the 0.96.whatever.clamav.net TXT record. "
> 
> Source:  http://lurker.clamav.net/message/20100408.011105.c584f530.en.html
> 
> Would this idea help minimise any future issues like this?

It was pointed out even before that suggestion was made that 0.95 and
later have a versioning system inside the signature DB which allows clam
to selectively load only parts of the DB.  New incompatible signature
types can be created and 0.95 can be told to ignore them.

-- 
Chris



Re: [Clamav-users] Lots of "pread fail" warnings during scanning

2010-04-18 Thread Chris Meadors

On 4/18/2010 5:16 PM, Hauke Duden wrote:

> I did what you asked me to do and it seems that the problem is not in
> clamav. The files in question are marked as having a size of 4096, but
> when I open them I only get a few bytes of data. The strange thing is
> that they are all in /sys. Some in /sys/module, some in /sys/kernel and
> some in /sys/hypervisor.
> 
> Have you encountered anything like this before? Are these special files
> that should not be scanned? If so, what directories should I exclude?

I was guessing that was going to be the case when I saw your mail.  Yes, 
exclude:  /dev /proc and /sys


--
Chris


Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Chris Meadors

On 4/16/2010 7:08 PM, Giampaolo Tomassoni wrote:

> > > This is not a matter of missing upgrades. This is a matter of
> > > proactively breaking running systems.
> >
> > Exactly.  They proactively broke the scanner so people would know why
> > it broke, rather than letting it die with nothing more than an obscure
> > malformatted hexstring error.
>
> Wasn't it better to simply let these systems go the way they were used to?
>
> What's the difference from the clamav standpoint?

The ClamAV developers want to continue on with things the way they are 
used to.  They don't want to overhaul their update system just so they 
can continue to support a version of the software which is rapidly 
becoming less usable.

You proposed that they change the way that 0.96 updates.  Fine, that 
could have been done.  But what about 0.95, which is arguably the most 
deployed version at this moment?  It was first released on 2009-03-23, 
and the last update was made 2009-10-28.  It properly handles 
incremental updates of large signatures, and will continue to need new 
signatures for a while longer.  0.96 was just released on 2010-03-31.

There's no way to stop updates for 0.94 and below, while still providing 
updates for the heavily used 0.95, even if changes were made for 0.96.


--
Chris


Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Chris Meadors
On Fri, 2010-04-16 at 22:30 +0200, Giampaolo Tomassoni wrote:

> So ClamAV should obey to the rules governing the open-software community.
> 
> One is that everybody is free to run it own copy of the software, in
> whichever shape he/she likes it.

You can use ClamAV how ever you like.  You just can't use the new
signatures with versions older than 0.95.  If you load a new signature
into an older version it will crash.

So if you want to use an older one, you can:  1. fix it so it doesn't
crash when fed a new format signature.  2. Stop updating signatures.  3.
Download the new signatures and remove the new style ones before
installing them.

None of those options will happen automatically.  Anyone who has been
content to ignore the update requirements and continues to download new
signatures will be faced with a crashing clamd.  The ClamAV team just
chose to make it crash with a meaningful message.

> This is not a matter of missing upgrades. This is a matter of proactively
> breaking running systems.

Exactly.  They proactively broke the scanner so people would know why it
broke, rather than letting it die with nothing more than an obscure
malformatted hexstring error.

-- 
Chris



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Chris Meadors
On Fri, 2010-04-16 at 16:00 -0400, Christopher X. Candreva wrote:

> Older versions of clamd were going to crash on signatures that newer 
> versions would accept, and the devs have been prevented for at least 6 
> months from using that type of signature. They have posted since then for 
> people to upgrade.
> 
> When they did was publish this type of signature (has to do with length, 
> greater than about 900bytes), where the signature itself is an error 
> message, so when the program dumped the signature the error would be 
> displayed.
> 
> That's all, not a kill switch as such, but using a known bug to deliver a 
> message, rather than have it just bomb out with a hex dump when they tried 
> to use a larger signature.

Exactly!

Again, one of the first messages today showed exactly that.  The error
message which it dies with is:

cli_hex2str(): Malformed hexstring: This ClamAV version has reached End
of Life! Please upgrade to version 0.95 or later. For more information
see www.clamav.net/eol-clamav-094 and www.clamav.net/download

As you can see there isn't a "kill switch", but a bug in the parser 0.94
which doesn't handle the type of signature which they plan to use in the
future.  0.95 just ignores this new signature, as it will do with the
actual malware signatures which will be coming soon.

-- 
Chris



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Chris Meadors
On Fri, 2010-04-16 at 12:14 -0400, Bowie Bailey wrote:

> Obviously this is not a retroactive solution, but now that they know
> this may be necessary, something can be changed so that it can be dealt
> with more smoothly in the future.

It already has been.  0.95 recognizes signatures which can tell
freshclam to not update anymore.  So if in the future a new type of
signature is added that is completely incompatible with 0.95 or later,
freshclam will not integrate any further updates into the DB.

What is also being missed is that anyone running 0.94 has been placing
an undue load on the update servers.  It has prevented the maintainers
from releasing more effective signatures for the 0.96 users.  If these
advanced signatures were to be released without a kill signature it
would have made clamav choke anyway.  This kill was an explicit method
of what would happen if the new features were enabled.  Instead of a
random death loading what looks like a normal signature, a message was
delivered spelling out what needs to be done.

I've seen commercial AV scanners go into non-functioning mode when an
incompatible signature was released.  Of course having a GUI meant that
I was told to download the new update.  Clamav on a server has no GUI;
its method of informing the user is its log file.  Anyone running 0.94
has been warned for over two years that they're out of date.  Today that
warning became a requirement.

-- 
Chris



Re: [Clamav-users] automated response

2008-07-27 Thread Chris Meadors
Christopher Checca wrote:
> I will be out of the office until 08-04-2008.   
> 
> Christopher Checca
> Packard Transport, Inc.
> 24021 South Municipal Dr
> PO Box 380
> Channahon, IL.  60410
> 815 467 9260
> 815 467 6939 Fax
> [EMAIL PROTECTED]
> www.packardtransport.com

Wonder if he's gone on holiday?

401 Otoole Dr
Minooka, IL 60447

Looks like a nice house...

Don't send automated replies to mailing lists.


Re: [Clamav-users] Re: OT: Download script

2006-04-25 Thread Chris Meadors
On Tue, 2006-04-25 at 16:29 -0400, Christopher X. Candreva wrote:
> On Tue, 25 Apr 2006, G.W. Haywood wrote:
> 
> > > If you know a gunzip option that will NOT delete the compresed file,
> > > that would be the prefered method.
> > 
> > cat file.gz | gunzip > file
> 
> That's not a gunzip option -- that's (almost) exactly what I'm doing in the 
> program that I'm looking for an alternative for.

And as you stated the gunzip option "-c" that preserves the original .gz
file, does not restore the timestamp of the uncompressed file.  What you
want doesn't seem to be able to be done with a single command.  I'd say
the only option is to copy the .gz file while preserving its timestamp
then uncompress and move the backup copy back into place.

___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] Linux virus found in the /.journal file

2005-03-29 Thread Chris Meadors
On Tue, 2005-03-29 at 10:08 -0500, Cormack, Ken wrote:

> What filesystem "type" are you using, that the .journal file is visible, in
> the first place?
> 
> I'm assuming you're using the EXT3 filesystem type?  If so, those
> filesystems, IF properly mounted with proper /etc/fstab entries, should
> render the journal invisible to clam (and any other command that operates on
> "files").
> 
> A proper EXT3-appropriate fstab entry should look like this:
> 
>   LABEL=your_label    /mount_point    ext3    defaults    1 2
> 
> If the filesystem is properly mounted as an EXT3 fs type, then doing a "ls
> -al .journal" SHOULD yield a "no such file or directory" error.
> 
> Only when an EXT3 filesystem is IMPROPERLY mounted as an EXT2 filesystem,
> would the journal be visible at all.

If an ext2 fs is converted to an ext3 while it is mounted the .journal
inode cannot be properly hidden.  This actually goes for any mounted
ext2 fs, but the ext3 driver will hide the inode on next mount.  The
problem comes up with the / mount point because it is mounted read only
at boot, and thus is just remounted rw.  So the driver has no chance to
hide the inode.

One way to fix this is to boot from a CD image and then mount straight
out the ext3 file system under the root provided on the boot CD.

-- 
Chris



[Clamav-users] PGP Signature for Diego d'Ambra

2005-03-01 Thread Chris Meadors
I notice that Diego d'Ambra sometimes posts to the virus update list.
He signs his posts with PGP, but I can't find his public key anywhere.
It is not listed on the team page ( http://www.clamav.net/team.html )
like most of the other developers, and it is also not on any of the key
servers I have tried.



Re: [Clamav-users] Exploit.W32.MS05-002 False Positives

2005-02-09 Thread Chris Meadors
On Wed, 2005-02-09 at 11:51 -0500, jef moskot wrote:
> On Wed, 9 Feb 2005, Maxim Britov wrote:
> > > > P900\Beyonce Knowles - Crazy In Love (2).wav: Exploit.W32.MS05-002 FOUND
> > I don't know, but size is ~50-100KB.
> 
> If they're tiny files, are you sure they're actually wavs?
> 
> Maybe someone downloaded these things and instead of funky beats, they're
> full of Greek soldiers?

WAV files don't just have to be PCM audio.  I've seen (from the I Love
Bees site) MPEG Audio Layer-III data inside a WAV RIFF wrapper.  Since
these files were triggering the malformed RIFF scanner, this could very
well be the case.

-- 
Chris

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Chris Meadors
On Mon, 2004-11-15 at 12:12 -0500, Bart Silverstrim wrote:

> If it's a bunch of flashy graphics telling you to visit a website for 
> fantastic deals on hiding money from third world countries while 
> getting fantastic mortgage rates on your pen1s enlargement ointment, 
> it's for a spam filter.
> 
> If it only does harm if you follow a link and then consciously give 
> your account information, be it ebay or bank or paypal, to a third 
> party site, it's for the spam filter.
> 
> howzat? :-)

How about an e-mail that contains a link that takes one to a webpage
that exploits the web browser to install a program that will intercept
the account information the next time the actual site is visited?



Re: [Clamav-users] MyDoom.M Starting to get through

2004-09-03 Thread Chris Meadors
On Fri, 2004-09-03 at 11:47 +0200, Scott Ryan wrote:
> Maybe you want to read the mail i sent again.
> I use clamdscan not clamscan
> 
> # man clamdscan

Then do you have the "ScanMail" option set in the clamav.conf file set?

-- 
Chris



---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=5047&alloc_id=10808&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] Idea for more timely virusdb updates

2004-08-09 Thread Chris Meadors
On Mon, 2004-08-09 at 16:55 -0400, Christopher X. Candreva wrote:
> This thread on Trojan.JS.RunMe had me thinking: Hourly virus updates is 
> better than any of the commercial virus scanners, but obviously still has 
> issues, especially  since a bunch of us obviously submitted updates that had 
> already been entered.  I gather from these posts that the virusdb's actually 
> have some form of version number.
> 
> Suppose there was a DNS entry, say virusdb.clamav.net (or 
> version.virusdb.clamav.net, etc), that returned simply a text record with 
> the current DB version in it. Then, it would be possible to check the 
> version with a relatively cheap single UDP packet, rather than a full http 
> check, and people could check for DB updates more often than once an hour 
> without taxing the distribution system.
> 
> If nothing else, if this TXT record existing we could hack together some 
> shell script to check it and run freshclam as needed.

Then all users would swarm to download the new sig, as soon as that
serial number incremented, flooding the download server with update
requests.





Re: [Clamav-users] Compression/archive methods

2004-08-02 Thread Chris Meadors
On Mon, 2004-08-02 at 21:00 +0100, Matt wrote:
> Hello all,
> 
>  This isn't a specific Clam question, but what are the main type of
> archive/compression methods used on virii, when being sent as email
> attachments? Does it tend to be just zip/rar as a rule, or are there more
> variations?

I believe there were some .tar.gz archives thrown in for good measure
too.  WinZip opens them just like .zip files, so it was a viable vector.

-- 
Chris





Re: [Clamav-users] upgrade

2004-07-27 Thread Chris Meadors
On Tue, 2004-07-27 at 21:17 +0100, Antony Stone wrote:
> On Tuesday 27 July 2004 6:54 pm, Jona Tallieu wrote:
> 
> > Hi All,
> >
> > Just upgraded to 0.75 on OSX 10.3.
> >
> > When checking CLAMAV version to be sure the upgrade was ok I get:
> >
> > mail:/usr/local/bin root# ./clamscan --version
> > clamscan / ClamAV version 0.75
> >
> > But when I forgot the ./, I get this:
> >
> > mail:/usr/local/bin root# clamscan --version
> > clamscan / ClamAV version 0.70
> >
> > Is this normal (difference in version)?
> 
> No - it means you have two versions installed in different places on your 
> system (which is not good).
> 
> Try "locate clamscan" or "find / -name clamscan" to see where the older 
> version is, if you're not sure about where to remove it from.

Even better, "which clamscan" will tell you which clamscan program will
run if you just type it without being pathed out.





Re: [Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)

2004-07-27 Thread Chris Meadors
On Tue, 2004-07-27 at 14:06 -0400, Jim Maul wrote:

> Am I the only one here whos existing installation is catching MyDoom.M?
> 
> [EMAIL PROTECTED] clamav]# grep -i mydoom /var/log/clamav/clamd.log
> Tue Jul 27 13:32:23 2004 ->
> /var/spool/qmailscan/tmp/external.elih.org109094954247931544/attachment.zip:
> Worm.Mydoom.M FOUND
> Tue Jul 27 13:32:23 2004 ->
> /var/spool/qmailscan/tmp/external.elih.org109094954247931544/orig-external.elih.org109094954247931544:
> Worm.Mydoom.M FOUND
> Tue Jul 27 13:35:54 2004 ->
> /var/spool/qmailscan/tmp/external.elih.org109094975447931691/message.zip:
> Worm.Mydoom.M FOUND
> 
> [EMAIL PROTECTED] clamav]# clamscan -V
> clamscan / ClamAV version 0.74
> 
> 
> Or am i missing something?

grep Mydoom\.M clamd.log | wc -l
798

That's since midnight today.  So mine seems to be working.  I'm using
Exiscan for Exim.  I upgraded to 0.75 yesterday thinking I must have
been missing something, but looking at the logs from 0.72 it was also
catching it.

I dunno.  But you aren't the only one catching it.





Re: [Clamav-users] Virus found in virgin RHES 3 installation?

2004-05-07 Thread Chris Meadors
On Fri, 2004-05-07 at 13:36 -0400, Ken Morley wrote:
> I've just installed RedHat Enterprise ES V3 and patched to the latest
> revision.  I then installed ClamAV 0.70, ran freshclam and did a clamdscan
> against the entire drive.
> 
> I was surprised when clamdscan reported:
> 
> //proc/kcore: Trojan.MiniCommander.dr FOUND
> 
> What's the possibility that the server is really infected?  It's been up
> just about two days, behind an commercial grade ICSA-certified firewall with
> only outbound access to the internet.
> 
> Does anyone else have a RHES V3 box that they can try?
> 
> I wonder if the infected file ships with the RH distribution???
> 
> Any suggestions are appreciated.

First don't scan /proc.  There are lots of files there that shouldn't be
read unless you have a specific reason to.  I would put kcore at the top
of that list.  That is the core kernel memory.  So it is very unlikely
that a Windows trojan is installed in that file.  It just happened that
the random pattern of bits in the core at that time triggered a false
positive.

-- 
Chris





Re: [Clamav-users] Spam/Virus stats using mrtg

2004-04-02 Thread Chris Meadors
On Fri, 2004-04-02 at 14:33 -0500, John Madden wrote:

> > #!/bin/sh
> > VIRCOUNT=`grep -c FOUND /wherever/is/your/clamd.log`
> 
> I blend in a little perl to print per-virus totals sorted by name:
> 
> grep VIRUS /var/log/messages | perl -e 'while(<>){ $_ =~ /VIRUS:(.*)\)/;
> $v = $1; $hash{$v}++;} foreach $x (sort(keys(%hash))){ print "$x:
> $hash{$x} \n";}'
> 
> (Note that this is taken from syslog while using amavisd, not clamd's log.)

Here is one for clamd.log in just shell.  Perl would probably handle
this a bit better, and not have to run through the file for every virus
name, but this works for me:

# Pull the signature name out of every "...: <name> FOUND" line, then
# count each name's occurrences with a separate pass over the log.
for VIRUS in $(grep FOUND clamd.log | cut -d ':' -f 4 | cut -d ' ' -f 2 | sort -u); do
    echo -n "$VIRUS: "
    # -F matches the name literally (the dots are not regex wildcards);
    # " FOUND" stops e.g. Worm.Mydoom from also counting Worm.Mydoom.M
    grep -c -F "$VIRUS FOUND" clamd.log
done

-- 
Chris



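
The single-pass version Chris says a scripting language would allow, as an added example that is not code from the list post: one read over clamd.log, a per-name counter, and a parse that takes the signature name as the last token before FOUND so a colon inside the scanned path does not shift the fields the way the cut-based loop would. The log lines are constructed in the format the thread shows.

```python
"""Added example: per-signature totals from a clamd.log in one pass."""
import re
from collections import Counter

# Constructed sample in clamd.log format; the odd:colon:name.zip line and the
# SelfCheck line are there to exercise the parser, not taken from a real log.
SAMPLE_LOG = """\
Tue Jul 27 13:32:23 2004 -> /var/spool/qmailscan/tmp/a/attachment.zip: Worm.Mydoom.M FOUND
Tue Jul 27 13:32:23 2004 -> /var/spool/qmailscan/tmp/a/orig-message: Worm.Mydoom.M FOUND
Tue Jul 27 13:35:54 2004 -> /var/spool/qmailscan/tmp/b/message.zip: Worm.Bagle.Gen-rarpwd FOUND
Tue Jul 27 13:36:10 2004 -> /var/spool/qmailscan/tmp/c/readme.txt: OK
Tue Jul 27 13:40:02 2004 -> /var/spool/qmailscan/tmp/d/odd:colon:name.zip: Worm.Mydoom.M FOUND
Tue Jul 27 13:41:00 2004 -> SelfCheck: Database status OK.
"""

# A detection line ends in ": <name> FOUND". The greedy path group absorbs any
# colons inside the path because the signature name itself contains no spaces,
# so the last ": " before "<name> FOUND" is the real separator.
FOUND_RE = re.compile(r"^(?P<when>.+?) -> (?P<path>.+): (?P<name>\S+) FOUND$")


def parse_detections(lines):
    """Yield (timestamp, scanned path, signature name) for each FOUND line;
    OK results and clamd's own status lines are skipped."""
    for line in lines:
        m = FOUND_RE.match(line.rstrip("\n"))
        if m:
            yield m.group("when"), m.group("path"), m.group("name")


def virus_totals(lines):
    """Count detections per signature name in a single pass over the log,
    returned sorted by name like the shell loop's output."""
    counts = Counter(name for _, _, name in parse_detections(lines))
    return dict(sorted(counts.items()))


def print_totals(lines):
    """Print "name: count" lines, one per signature."""
    for name, count in virus_totals(lines).items():
        print(f"{name}: {count}")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:   # e.g. /var/log/clamav/clamd.log
            print_totals(fh)
    else:
        print_totals(SAMPLE_LOG.splitlines())
```

Pass the log path as the first argument to run it against a real clamd.log; with no argument it reports on the constructed sample.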


Re: [Clamav-users] RE: memory leak?

2004-03-25 Thread Chris Meadors
On Thu, 2004-03-25 at 08:56 +, Trog wrote:

> Well, you appear to be the only one seeing a leak. We (the devs) do
> check for memory leaks quite frequently, and so are pretty sure there
> are no big leaks.

Does that include the RAR scanner?  I have yet to enable it because of
the comments in the .conf file.

-- 
Chris





Re: [Clamav-users] Virus ID

2004-03-23 Thread Chris Meadors
On Tue, 2004-03-23 at 09:41 -0500, Bart Silverstrim wrote:

> Silly question time...
> 
> While I suppose the questions about the standard naming sequences may 
> help, I would propose one other idea (along with asking for help with 
> my question :-)
> 
> First: I see a hit in my logfiles for Exploit.HTML.Bagle.Gen-4-eml; is 
> this the variant I've read about where if a user on Windows *previews* 
> a mail message (no attachment), they can get infected?

That would be the one.

> Second: is there a database for clamav with descriptions of the 
> viruses?  I wondered if some kind of user-supplemented database could 
> be used online, and *there* have the aliases, rather than bulk up the 
> antivirus database with aliases and pseudonyms.  If you see a virus 
> hit, you could refer to the online site and check for AKA's of the 
> virus name (as well as information of what the viruses are capable of). 
>   Just an idea...

I've considered suggesting just such an idea myself.  Most AV vendors do
have information about the viruses listed in their databases (what it
does, what it infects, how to prevent and how to clean if possible).
Along with current outbreak info.  While that would be a big task for
the core developers, I'm sure there'd be a few people in the Clam
community who could submit this information.  A Wiki type interface
would be perfect for this.

-- 
Chris





Re: [Clamav-users] Postmaster bounces and such.

2004-03-21 Thread Chris Meadors
On Sun, 2004-03-21 at 17:40, Damian Menscher wrote:

> There are three cases to consider:
> 
> 1 - virus from infected machine
> 2 - virus relayed through another server
> 3 - false positive
> 
> Everyone agrees we don't want to generate a notification for case 1.
> Everyone agrees we *do* want to generate a notification for case 3.
> 
> The *only* way to pull this off, is to *reject* viruses.  Yes, this
> allows for a few false notifications (case 2) but those are fairly rare.

...and are not your problem.  You just closed the SMTP session with an
error.  If the relaying host generates a bounce to the wrong person, it
is their problem.

-- 
Chris





Re: [Clamav-users] Freshclam died

2004-03-16 Thread Chris Meadors
Steven P. Donegan wrote:

> Hmmm, I just do a freshclam from cron rather than let it run as a 
> daemon - as a new user (I just downloaded, installed, integrated with my 
> anti-spam/anti-virus proxy - home built, today). Is doing this in any 
> way a negative thing?

I don't think it hurts, and from the reports of freshclam dying, it 
might be better for now.  Just make sure you don't have your cron job 
running on the hour.  Too many people do that, and it really loads up 
the servers.  Pick a random number for the minutes after the hour.

I do run my freshclam with --daemon, and have it set to do 13 checks a 
day.  So it gets started at a random time when the server boots, and 
since 13 doesn't go into 24 evenly, it always checks on a different 
minute mark.  I guess eventually I'll hit the hour and then it will take 
over 6000 more updates to hit on the hour again.  :)



[Clamav-users] Encrypted RAR Signature

2004-03-16 Thread Chris Meadors

> Submission: 2005
> Sender: Fisher
> Submitted virus name: Unknown Virus
> Virus name: Worm.Bagle.Gen-rarpwd
> Notes: Signature added through daily.cvd version 187 to 
> Notes: detect password protected RAR files.
> Added: No 

Is this signature in effect for all scans, or only those with the
"ArchiveDetectEncrypted" option set?

-- 
Chris





Re: [Clamav-users] network scanning questions

2004-03-09 Thread Chris Meadors
On Tue, 2004-03-09 at 18:41, Tomasz Kojm wrote:
> On Tue, 9 Mar 2004 17:51:52 -0500 (EST)
> Charles Sprickman <[EMAIL PROTECTED]> wrote:
> 
> > Interesting; do you have any info on "ICAP"?  Will the old network
> 
> www.icap.org

International Center for Alcohol Policies?  Now what exactly will the
new version of ClamAV be doing?  :)

Maybe http://www.i-cap.org/home.html?

-- 
Chris





Re: [Clamav-users] TCP on Clam Milter

2004-03-07 Thread Chris Meadors
Seve Ho wrote:

> I am trying to use Clamav-milter with sendmail. I found it cannot clean 
> up its socket file (.sock) opened after killing the milter process. (I use 
> kill -9 to kill the process; is there another proper way to stop the 
> milter?)  And this makes me have to remove the .sock file first before 
> restarting. That is not convenient. So I want to ask if it is possible to 
> run milter on a TCP port but not on a socket?

Don't use `kill -9`.  Just a `kill` would have done, and probably 
cleaned up the socket.

See:
http://www.sektorn.mooo.com/era/unix/award.html#uuk9letter
--
Chris
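
Why a plain `kill` cleans up and `kill -9` does not, as an added demonstration that is not clamav-milter's own code: a plain `kill` sends SIGTERM, which a daemon can catch to unlink its Unix socket file before exiting, whereas SIGKILL cannot be caught, so no cleanup code ever runs and the stale .sock file stays on disk. The forked demo server, its idle loop and the temporary socket path are constructed for this example.

```python
"""Added demo: SIGTERM lets a daemon remove its socket file, SIGKILL does not."""
import os
import signal
import socket
import tempfile
import time


def _serve_until_signalled(sock_path: str) -> None:
    """Child process: bind a Unix socket and idle. The SIGTERM handler unlinks
    the socket file before exiting; SIGKILL bypasses it entirely."""
    def on_term(signum, frame):
        os.unlink(sock_path)
        os._exit(0)

    signal.signal(signal.SIGTERM, on_term)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(1)
    while True:
        time.sleep(1)  # a real milter would be in accept(); sleep stands in for it


def socket_left_behind(sig: int) -> bool:
    """Start the demo server in a forked child, stop it with `sig`, and report
    whether its socket file is still present afterwards."""
    sock_path = os.path.join(tempfile.mkdtemp(), "demo.sock")
    pid = os.fork()
    if pid == 0:
        _serve_until_signalled(sock_path)
        os._exit(0)  # not reached; the handler or the signal ends the child
    # Parent: wait until the child has bound the socket, then signal it.
    deadline = time.time() + 5
    while not os.path.exists(sock_path) and time.time() < deadline:
        time.sleep(0.01)
    os.kill(pid, sig)
    os.waitpid(pid, 0)
    leftover = os.path.exists(sock_path)
    if leftover:
        os.unlink(sock_path)  # the manual cleanup the list poster had to do
    os.rmdir(os.path.dirname(sock_path))
    return leftover


def term_removes_socket() -> bool:
    """Plain `kill` (SIGTERM): the handler runs and the socket file is gone."""
    return not socket_left_behind(signal.SIGTERM)


def kill_leaves_socket() -> bool:
    """`kill -9` (SIGKILL): no handler runs, the socket file is left behind."""
    return socket_left_behind(signal.SIGKILL)


if __name__ == "__main__":
    print("SIGTERM removed the socket file:", term_removes_socket())
    print("SIGKILL left the socket file:", kill_leaves_socket())
```

The same applies to any daemon that registers cleanup on SIGTERM or at exit: reach for SIGKILL only when a normal `kill` has already failed, since the process gets no chance to release sockets, lock files or partially written state.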


Re: [Clamav-users] Password-protected .zip file viruses

2004-03-03 Thread Chris Meadors
Paul Boven wrote:

> How about only trying every word in the mail-body as a key to try, 
> instead of brute-forcing? The virus(-writer) cannot afford to fudge the 
> password in the mail-body: One would hope that the subset of users that 
> is clever enough to reconstruct the password, yet stupid enough to use 
> that to open it, is small enough to make the virus unviable.

Good point.  That should take less than a second.  My 700 MHz machine 
can try every word in an unabridged English dictionary in about 15 seconds.

Though there could be HTML bodies with the password.

--
Chris


Re: [Clamav-users] Password-protected .zip file viruses

2004-03-02 Thread Chris Meadors
Jesper Juhl wrote:

> What I'm thinking is; Would it be feasible to add an option to attempt to
> brute-force-crack the passwords on zip files when scanning them?
> Yes, it would slow down scanning immensely, and there's *no* way it should
> ever be a default option, but zip file passwords are /reasonably/ simple to
> crack, so it is doable (although it takes time)...
> I could whip some code together for this if it has any interest at all...

I don't think it can be in reasonable time.  My 700 MHz machine takes 
about 15 minutes to crack a .zip when I have 1k of known plain text. 
To brute force it takes about a day to run through all valid passwords 
up to 6 characters.  I think ZIP supports around 64 different characters 
in the password.  So it would take around two months to do the complete 
7 character set; 8 characters just gets stupid.

15 minutes up to the heat death of the universe isn't something that can 
be done during an SMTP transaction.  That would make the feature only 
useful for local scans.

So maybe you don't want to try brute forcing, just known plain text 
attacks.  Well that is still 15 minutes for every plain text you want to 
try.  That means you have to have 1k of every virus you want to stored 
somewhere.  Also that is for 1k of plain text, to crack a .zip you only 
need 16 bytes.  But the time required to crack goes up very quickly when 
the plain text shrinks.  At 16 bytes it is almost as long as a brute force.

Cracking .zips is only really useful when you have one that contains 
multiple files, and you have a complete copy of one of the files, and 
just need to recover the rest.

I'm not going to say, don't do the work, if you think it could be 
useful.  But go time your cracking code again, and see if you think it 
is something that can reasonably be done for thousands of files a day.

--
Chris