Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Dave Warren
In message <004701cadd95$cfec35b0$6fc4a1...@biz> "Giampaolo Tomassoni"
 was claimed to have wrote:

>> And if the server owners / sysadmins feel that sending mail is more
>> IMPORTANT than sending clean mail, they do not need to install any
>> AV software and their mail system will happily send out all its
>> mail
>
>I guess around 25-50% of the malware is old, well-known one. So it is not
>that silly to have an outdated AV running to lower the received one.
>
>But anyway, we are speaking of stuff which worked. It wasn't perfect, but it
>worked. And in these days the ClamAV staff decided to break it, without a
>rationale close to the point.
>
>Isn't this weird? Is clamav a trustable project? This is what a sysadmin may
>end up thinking next time he/she installs a new system.

If ClamAV went the other direction and just left people hanging with a
false sense of security, all the while happily returning a "yup, not
infected" to every file with modernish malware in it, there would be
just as much "can I trust 'em?"

As far as whether or not you can trust ClamAV, if this was sprung upon
server operators without notice, that might be a consideration.  It
wasn't.

The difference is that this screaming gets attention and gets the
attention of incompetently managed server operators so that things get
fixed.

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] What mental midget shut down my server?

2010-04-16 Thread Dave Warren
In message <9203dabf-59fb-4462-9ca5-7d90fb265...@edisoninfo.com> Gary
MacKay  was claimed to have wrote:

>
>On Apr 16, 2010, at 2:56 PM, Eric Rostetter wrote:
>
>> Quoting Gary MacKay :
>> 
>>> OK, who's the mental midget that decided to just up 
>>> and kill all installations of clamav ???
>> 
>> No one.  Only very old installs, not all installs.
>> 
>So who made who god to decide which servers get shutdown?

Will the server not boot?

>>> OK, so the version is not updated and it is probably not catching all
>>> the viri that it should. SO WHAT
>> 
>> So why run it at all?  And why stop the rest of us from being able to
>> catch all the viri we should be able to, and want to?
>> 
>Nobody is stopping you from doing whatever you want to YOUR servers.

Correct.  You picked what should happen in the "SO WHAT" case
described as above.  Personally, my servers keep delivering mail in the
event of a ClamD failure.  I run multiple scanning engines and so I am
tolerant of a single one failing.

Why did you configure your server to "shutdown" if ClamD fails if what
you actually wanted was mail to still flow unscanned?

Given that Clam announced upcoming failures for out of date versions,
and given your configuration choice, what did you expect would happen?



Re: [Clamav-users] (no subject)

2010-04-20 Thread Dave Warren
In message <4bce64a1.8040...@cwa.co.nz> Steve Wray
 was claimed to have wrote:

>The thing is that there are a few little issues here that, as points of law 
>are not clear yet. In what follows words like 'vendor' may not be used 
>entirely legally precisely, IANAL, but I am certain that with a bit of 
>squinting my meaning will be clear.
>
>I know that in certain jurisdictions, reaching out to someone else's 
>computer (ie not your property) and disabling functionality on it could 
>constitute a criminal act.

ClamAV developers didn't reach out to anyone.

Rather, most minimally competent ClamAV administrators configure their
systems to connect to ClamAV's servers on a regular basis and download
updated definition files.

More importantly, administrators configured their systems to stop
flowing mail in the event of a ClamAV failure.  This is a configuration
choice, it's fairly trivial to configure mail to flow through unscanned
if you value a false sense of security over the potential of an outage.



Re: [Clamav-users] illegal or not, make a valid argument (was "no subject")

2010-04-21 Thread Dave Warren
In message  Simon Hobson
 was claimed to have wrote:

>Here we go again, you are introducing something irrelevant to try and 
>justify your actions. Yes, I know what the licence says - but that 
>merely says I cannot expect support from you, and I can't complain if 
>it doesn't work. That still does not mean I am giving you permission 
>to enter my property and make changes

Once again, no one "entered your property", but rather, you configured
your server to request updates from an external source.

A minor difference, but an awfully significant one.



Re: [clamav-users] Question about the clamdscan

2018-03-21 Thread Dave Warren
This still has value as it can help catch things in action. It doesn't replace 
periodic scans either to catch malware discovered since the initial scan.

There are a variety of ways of doing this if scanning everything in one shot 
isn't feasible. One option would be to split files up using a hashtable based 
on their name. This has the advantage of not needing to track any state, nor do 
you need to read every file (to hash the content) to determine whether the file 
has been scanned recently. On top of this, you could track hashes of scanned 
files so that you can tell how recently a duplicate copy of a file was scanned, 
avoiding the need to rescan duplicates, even across buckets.

You would still want to use tripwire to scan new/modified files immediately.

You might also consider scanning older files less frequently as it is less 
likely that an older file will contain an 8-month-old 0-day that was just 
discovered. It all depends on your tolerance for risk of malware vs available 
resources. Lucky for me, the volume of data under my responsibility can be 
scanned both at creation and nightly without further stress.


On Wed, Mar 21, 2018, at 18:41, Paul Kosinski wrote:
> A few years ago, when Tripwire was no longer free, I set up a "scan
> once" environment for ClamAV, identifying files using SHA1 hashing
> (with a few 'stat' results like inode and timestamp for good measure).
> 
> I gave up when I realized that even if a file had already been scanned,
> it might have contained "0-day" malware when it was scanned. This could
> make it quite nasty, especially if ClamAV is behind in 0-day detection.
> 
> 
> On Wed, 21 Mar 2018 16:56:06 -0700
> Dennis Peterson  wrote:
> 
> > It is possible to integrate ClamAV and Tripwire to get to a scan-once 
> > environment. Include puppet or CFEngine for a more complete tool.
> > 
> > dp
> > 
> > On 3/20/18 5:01 AM, Micah Snyder (micasnyd) wrote:
> > > Good morning Tsutomu,
> > >
> > > Al is quite correct.  clamd and clamdscan maintain no memory of
> > > what has been scanned before.
> > >
> > > In your ordinary use case, you simply run clamdscan over whatever
> > > you want to scan.  You can exclude specific directories in your
> > > configuration if you want to point clamdscan at a high level
> > > directory to scan many items.
> > >
> > > In truth, I've never tried accessing the files as they were
> > > scanned, but I do not believe that there is any reason why the files
> > > would be locked by ClamAV except in the following case.
> > >
> > > On newer versions of Linux that have been built with
> > > CONFIG_FANOTIFY=y enabled, you can configure clamd to monitor
> > > directories.  An additional option may be enabled that we call
> > > "OnAccessPrevention", which can intentionally block access to the file
> > > until it has been scanned and will deny access if the file is
> > > flagged.  OnAccessPrevention requires your kernel has been built
> > > with CONFIG_FANOTIFY_ACCESS_PERMISSION=y.   If you're interested in
> > > trying this out, please read
> > > http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html
> > >
> > > Sadly, OnAccess scanning and prevention only exist for Linux at
> > > this time.
> > >
> > >
> > > Micah Snyder
> > > ClamAV Development
> > > Talos
> > > Cisco Systems, Inc.
> > >
> 
> > 
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
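
One way to implement the name-hash bucketing and duplicate tracking described in the 2018-03-21 message above, as an added example that is not part of the original post. The function names, the sample tree and the 4-bucket/7-day settings are made up for illustration, and SHA-256 is this example's choice of hash.

```python
import hashlib
import os
import subprocess
import tempfile
from datetime import date, timedelta


def bucket_of(path, buckets):
    """Bucket index derived from the file name only: no state, no content read."""
    digest = hashlib.sha256(os.fsencode(path)).digest()
    return int.from_bytes(digest[:8], "big") % buckets


def content_digest(path, chunk=1 << 20):
    """SHA-256 of the file content, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def plan_scan(root, day, buckets, seen, max_age_days):
    """Pick the files to scan on `day`.

    Only files whose name hashes to today's bucket are considered, so each
    file comes up once every `buckets` days and only those files are read.
    `seen` maps content digest -> ordinal of the day a copy with that content
    was last scanned; a file whose content was scanned less than
    `max_age_days` ago is skipped, even if the earlier copy sat in another
    bucket. Returns (to_scan, skipped); the caller must really scan `to_scan`.
    """
    today = day.toordinal()
    to_scan, skipped = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if bucket_of(path, buckets) != today % buckets:
                continue
            digest = content_digest(path)
            last = seen.get(digest)
            if last is not None and today - last < max_age_days:
                skipped.append(path)
            else:
                seen[digest] = today
                to_scan.append(path)
    return to_scan, skipped


def run_clamdscan(paths):
    """Hand one day's batch to clamd. Exit code 0 = clean, 1 = found, 2 = error."""
    if not paths:
        return 0
    cmd = ["clamdscan", "--no-summary", "--infected", *paths]
    return subprocess.run(cmd).returncode


def demo(buckets=4):
    """Constructed sample tree: three distinct files plus one duplicate."""
    scanned, skipped = [], []
    with tempfile.TemporaryDirectory() as root:
        samples = {"a.txt": b"alpha", "b.txt": b"bravo",
                   "c.txt": b"charlie", "copy-of-a.txt": b"alpha"}
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        seen = {}
        start = date(2018, 3, 21)
        for offset in range(buckets):  # one full rotation through the buckets
            todo, dup = plan_scan(root, start + timedelta(days=offset),
                                  buckets, seen, max_age_days=7)
            # A real job would call run_clamdscan(todo) here.
            scanned += [os.path.basename(p) for p in todo]
            skipped += [os.path.basename(p) for p in dup]
    return scanned, skipped


if __name__ == "__main__":
    print(demo())
```

Over one rotation every file is considered exactly once, and whichever copy of the duplicated content comes up second is skipped because its digest is already in `seen`.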


Re: [clamav-users] VirusDB Updates Broken?

2018-06-26 Thread Dave Warren
As that is a Cloudflare IP, I believe it possibly could represent one or
more backend mirrors as it may return different content depending on the
hostname provided.

On Tue, Jun 26, 2018, at 06:41, Robin Bourne wrote:
> Joel, 
> 
> I'm now getting "WARNING: Mirror 104.16.188.138 is not synchronized."
> when using the CDN. Could it be related to the changes made to fix
> this as my definitions are 3 revisions out?
> 
> Thanks, 
> 
> On 25 June 2018 at 04:28, Joel Esler (jesler) wrote:
>> Al,
>> 
>> Thanks. We are aware.  Looking into it.  
>> 
>> Sent from my iPhone
>> 
>>> On Jun 24, 2018, at 23:12, Al Varnell wrote:
>>> 
>>> Yes, but all but one was empty.
>>> 
>>> Sent from my iPad
>>> 
>>> -Al-
>>> 
>>>> On Jun 24, 2018, at 19:42, Paul Kosinski wrote:
>>>> 
>>>> I've gotten several daily.cvd updates in that period. They came
>>>> from several IP addresses associated with http://db.us.clamav.net/.
>>>> 
>>>> On Sun, 24 Jun 2018 18:08:59 -0700
>>>> Al Varnell wrote:
>>>> 
>>>>> Just wanted to point out that there has only been one signature
>>>>> added to the VirusDB by daily updates in the last 32 hours.
>>>>> 
>>>>> -Al-


Re: [clamav-users] I have no idea if my emails are getting through.

2018-07-24 Thread Dave Warren

On 2018-07-24 22:29, Fajar A. Nugraha wrote:
> I'm not sure what the latest state of windows support is. Judging by 
> lack of responses that you find helpful, not many people use it either.


One note here: Not many Windows users install it themselves. I'm betting 
the vast majority use it as part of another product and receive version 
upgrades and product support through that vendor.


I count myself in this group on my Windows servers, I have only 
installed and configured ClamAV on my *nix boxes so I don't actually 
have any useful feedback myself.




Re: [clamav-users] Latest report on update "delays"

2018-10-23 Thread Dave Warren
On Tue, Oct 23, 2018, at 11:50, Paul Kosinski wrote:
> "...it works smoothly for a very large number of people, myself
> included."
> 
> It would be interesting to know what percentage have experienced our
> original problem of all mirrors ending up blacklisted. I also wonder
> how many ClamAV users monitor their logs: I don't remember ClamAV
> *actively* reporting when signatures are out of date (like some
> Windows AV does).
> 
> 
> "Have you absolutely ruled out the possibility of someone having set up
> a transparent proxy on your border router(s)?"
> 
> I guess I wouldn't put it past Comcast/Xfinity to interpose a proxy,
> but if the proxy is transparent, how would one detect it? And would a
> proxy once in a while be over an hour out of date? Maybe nobody in
> *this* part of the Boston area uses ClamAV, but Boston is not exactly
> Ulaanbaatar Mongolia (an actual Cloudflare mirror!).

http://www.lagado.com/tools/cache-test can be used to detect caching 
(transparent or otherwise).



Re: [Clamav-users] Clamscan delays

2007-04-24 Thread Dave Warren
In message <[EMAIL PROTECTED]> Urban Hillebrand
<[EMAIL PROTECTED]> wrote:

>We noticed as well the long delay with clamscan (several people have reported 
>this here). We are perfectly ok with using clamd + clamdscan - however, on 
>our mailgateways clamscan is still there as fallback if clamd is not 
>responding (due to a crash or a misconfiguration).
>
>With the newly introduced delays during the initialization of clamscan this 
>would cause us significant problems. So my question is: Will this get fixed, 
>or is this "working as expected"?

I can't speak to whether this is "As expected" or not, but my solution
was that if clamdscan reports an error and I fall back to clamscan, I
only launch one instance of clamscan every 10 seconds, it scans all
messages which have not yet been queued for a scan.

Passes are trusted to be clean, anything which clamscan doesn't pass can
sit in the queue until clamdscan recovers, since my current method
doesn't let me pull individual errors out for each file without
relaunching clamscan against each message individually.

It's a bit of a hack, but it's the best failsafe I've come up with that
doesn't slam my server.
-- 
Dave Warren,  [EMAIL PROTECTED]
Office: (403) 775-1700   /   (888) 300-3480




Re: [Clamav-users] clamscan extremly slow

2007-06-18 Thread Dave Warren
In message <[EMAIL PROTECTED]> jef moskot
<[EMAIL PROTECTED]> wrote:

>On Mon, 18 Jun 2007, Dennis Peterson wrote:
>> Clamscan is a terrible tool to use in real time with email.
>
>I would recommend it for low volume servers with cycles to burn, given
>that the other option is a daemon that can potentially fail.  Neither is
>entirely ideal, but we should take the wide variety of environments into
>account.

You can also detect the daemon's failure and fall back to clamscan in
real time, getting the best of both worlds.

On my server, if I detect a clamd failure, I fall back to running
clamscan in a loop that pauses 10 seconds at a time to let a few
messages build up before clamscan runs (in other words, to avoid
relaunching clamscan for every message)

I haven't seen a clamd failure in many moons though, so I'm not sure the
added complexity is worth it.
-- 
Dave Warren,  [EMAIL PROTECTED]
Office: (403) 775-1700   /   (888) 300-3480
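
The fallback described in this message and in the 2007-04-24 "Clamscan delays" message above, written out as an added example (not the poster's code). The function names and the injectable `run`/`sleep` hooks are assumptions, and holding the whole batch when clamscan does not pass it is this example's reading of "can sit in the queue until clamdscan recovers".

```python
import subprocess
import time


def run_cmd(argv):
    """Run a scanner, return (exit_code, stdout). ClamAV: 0 clean, 1 found, 2 error."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout


def parse_found(output):
    """Paths reported as '<path>: <signature> FOUND' in scanner output."""
    found = set()
    for line in output.splitlines():
        if line.endswith(" FOUND") and ": " in line:
            found.add(line.rsplit(": ", 1)[0])
    return found


def process_round(new, held, run=run_cmd):
    """Scan one round of messages. Returns (clean, infected, held)."""
    opts = ["--no-summary", "--infected"]
    batch = held + new
    if not batch:
        return [], [], []
    code, out = run(["clamdscan", *opts, *batch])
    if code in (0, 1):
        # clamd answered: per-file verdicts are available again, so the
        # held messages are resolved together with the new ones.
        infected = parse_found(out)
        clean = [p for p in batch if p not in infected]
        return clean, sorted(infected), []
    # clamd failed. Launch ONE clamscan for all messages that have not been
    # through it yet, instead of paying its start-up cost per message.
    if new:
        code, _ = run(["clamscan", *opts, *new])
        if code == 0:
            return list(new), [], held
    # Anything clamscan did not pass waits for clamd to come back.
    return [], [], held + new


def fallback_loop(next_batch, run=run_cmd, rounds=None, pause=10, sleep=time.sleep):
    """Every `pause` seconds, scan whatever arrived since the last round."""
    delivered, rejected, held = [], [], []
    done = 0
    while rounds is None or done < rounds:
        clean, infected, held = process_round(next_batch(), held, run)
        delivered += clean
        rejected += infected
        sleep(pause)  # let a few messages build up before the next launch
        done += 1
    return delivered, rejected, held
```

Held messages are never fed to clamscan a second time, so one message it does not pass cannot keep later clean mail stuck behind it.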




Re: [Clamav-users] Vote for ClamAV as the best anti-malware solution

2007-10-26 Thread Dave Warren
In message <[EMAIL PROTECTED]> Dennis Peterson
<[EMAIL PROTECTED]> wrote:

>Question: Why is this called a "privacy statement" rather than "an invasion of 
>privacy statement"?

Just because their statement is "you have no privacy" doesn't change
the fact that it's a privacy statement.

At least they're honest about it.
-- 
Dave Warren,  [EMAIL PROTECTED]
Office: (403) 775-1700   /   (888) 300-3480



Re: [Clamav-users] WARNING: Suspicious recipient address blocked

2008-04-15 Thread Dave Warren
In message <[EMAIL PROTECTED]> Stephen Gran
<[EMAIL PROTECTED]> wrote:

>On Mon, Apr 14, 2008 at 05:22:56PM +0200, Bas van Rooijen said:
>> postfix would accept all three forms even
>> and why not ??
>
>I assume you haven't looked at sendmail's security record.  

I, for one, have made it a point to not care.

>This has
>been a pretty standard thing to do for a long time, and with even more
>characters than the milter currently uses.

Can we get any email address banned in clamav just because at least one
software package has an associated exploit?
-- 
Dave Warren,  [EMAIL PROTECTED]
Office: (403) 775-1700   /   (888) 300-3480



Re: [Clamav-users] Why is ClamAV signature file so unpopular?

2008-11-29 Thread Dave Warren
In message <[EMAIL PROTECTED]> Paul Kosinski
<[EMAIL PROTECTED]> was claimed to have wrote:

>When I go to the download page for ClamAV at SourceForge, 
>I observe that the signature file ("clamav-0.*.*.tar.gz.sig")
>is downloaded less than 10% of the time that the source code
>("clamav-0.*.*.tar.gz") is downloaded. I find this strange,
>especially for anti-malware software, whose users presumably 
>think about security more than the average SourceForge visitor.

If you can't trust SourceForge for the source, what makes you think you
can trust the signature file?

Anyone in a position to compromise one would almost definitely be able
to compromise the other.
-- 
Dave Warren,  [EMAIL PROTECTED]
Office: (403) 775-1700   /   (888) 300-3480



Re: [Clamav-users] Why is ClamAV signature file so unpopular?

2008-11-30 Thread Dave Warren
In message <[EMAIL PROTECTED]> Jan Pieter Cornet
<[EMAIL PROTECTED]> was claimed to have wrote:

>On Sat, Nov 29, 2008 at 02:52:53PM -0800, Dave Warren wrote:
>> >When I go to the download page for ClamAV at SourceForge, 
>> >I observe that the signature file ("clamav-0.*.*.tar.gz.sig")
>> >is downloaded less than 10% of the time that the source code
>> >("clamav-0.*.*.tar.gz") is downloaded. I find this strange,
>> >especially for anti-malware software, whose users presumably 
>> >think about security more than the average SourceForge visitor.
>> 
>> If you can't trust SourceForge for the source, what makes you think you
>> can trust the signature file?
>
>Because it's PGP signed. It's not just an md5 hash.
>
>> Anyone in a position to compromise one would almost definitely be able
>> to compromise the other.
>
>Sure. But it would be suspect if gpg/pgp says:
>
>Good Signature by Snake Oil <[EMAIL PROTECTED]>.

True, but you could make it realistic enough to fool most of the people,
most of the time, especially with a readme.txt noting that the new
versions are signed slightly differently.

This sort of thing happens legitimately often enough that there isn't
any real practical way to tell if it's real or not other than to wait a
decent amount of time for the original author to notice and post a
contrary statement.
-- 
Dave Warren,  [EMAIL PROTECTED]
Office: (403) 775-1700   /   (888) 300-3480



Re: [Clamav-users] Why is ClamAV signature file so unpopular?

2008-12-01 Thread Dave Warren
In message <[EMAIL PROTECTED]> "David F. Skoll"
<[EMAIL PROTECTED]> was claimed to have wrote:

>Dave Warren wrote:
>
>> True, but you could make it realistic enough to fool most of the people,
>> most of the time, especially with a readme.txt noting that the new
>> versions are signed slightly differently.
>
>People who bother to download the .sig file in the first place probably
>won't be fooled.  And they won't believe an unsigned readme.txt file.

The readme file wouldn't be unsigned, it would be signed by the new key
since it's naturally impossible to sign anything with the old key once
the old key has been lost.

Anyone in a position to compromise the sourceforge distribution model
could probably make it look good enough to fool the majority of people
who would at best glance at the status and move on.  It's human nature
to assume when we're told "this is legit" by an authority to assume it's
legit without investigating that authority.  Sure, not everyone is
fooled, but I'd put money down that you'd fool at least 50% of those who
do bother to check the sig, and over 90% of those who don't even bother
with the sig today even if they started looking at sigs.

The only way a key can be completely trusted is if it's provided
completely independently of the download infrastructure, hosted
elsewhere entirely, requiring a compromise of two unique and unrelated
systems.
-- 
Dave Warren,  [EMAIL PROTECTED]
Office: (403) 775-1700   /   (888) 300-3480



[Clamav-users] Re: Speed of ClamAV vs Norton AV

2006-10-16 Thread Dave Warren
In message <[EMAIL PROTECTED]> Paul Kosinski
<[EMAIL PROTECTED]> wrote:

>After thinking about it, I still have misgivings about not scanning every file 
>every day: a file may not change day-to-day, but new virus signatures are 
>added all the time, and yesterday's file may contain today's newly recognized 
>virus. But, given the time needed to do a full scan, I have had to adopt a 
>policy of scanning only new or changed files.

I seem to get laughed at whenever I point that out (especially by the
slower AV scanners) -- The way I see it, if you don't bother rescanning
already scanned files, why bother updating your definitions either?

If the old definitions were good enough for old files, they're good
enough for new ones.

That being said, perhaps scanning files written within the last week
would be enough, since it's unlikely that it will take ClamAV (or anyone
other than Symantec) more than a week to get the definitions updated?
-- 
Dave Warren,
 MSN Instant Messenger:  [EMAIL PROTECTED]
 Phone:  (204) 480-8407  Toll free: (888) 371-3470
   Fax: (204) 283-6028



[Clamav-users] Re: Why is scanning so slow?

2006-10-19 Thread Dave Warren
In message <[EMAIL PROTECTED]> Will
Kramer <[EMAIL PROTECTED]> wrote:

>It seems to me that it takes Clam a long time to scan
>my hard drive 7:45 hours to scan 19 GB compared to
>Norton which takes less than two hours I think. I used
>the Cygwin package and ran clamscan -i -r ...

Cygwin is a huge performance hog.  You might want to try the native port
at http://w32.clamav.net/
-- 
Dave Warren,
 MSN Instant Messenger:  [EMAIL PROTECTED]
 Phone:  (204) 480-8407  Toll free: (888) 371-3470
   Fax: (204) 283-6028



[Clamav-users] Re: To ClamAV Developers: donation question

2006-11-08 Thread Dave Warren
In message <[EMAIL PROTECTED]> Gerard Seibert
<[EMAIL PROTECTED]> wrote:

>On Wednesday November 08, 2006 at 11:16:21 (AM) Sergei Lavrov wrote:
>
>> Some of the businesses I know do want to make
>> donations. But is ClamAV able to issue invoice ?
>
>In other words, you are looking for a tax write off.

You've never worked with corporate accountants, have you? 

Without a paper trail, the (correct) assumption is that the money is in
whoever approved the expense's pocket.
-- 
Dave Warren,
 MSN Instant Messenger:  [EMAIL PROTECTED]
 Phone:  (204) 480-8407  Toll free: (888) 371-3470
   Fax: (204) 283-6028



[Clamav-users] Re: To ClamAV Developers: donation question

2006-11-08 Thread Dave Warren
In message <[EMAIL PROTECTED]> "Gary V"
<[EMAIL PROTECTED]> wrote:

>> >On Wed, 08 Nov 2006 11:14:52 -0700, you wrote:
>>
>> >In message <[EMAIL PROTECTED]> Gerard Seibert
>> ><[EMAIL PROTECTED]> wrote:
>> >
>> >>On Wednesday November 08, 2006 at 11:16:21 (AM) Sergei Lavrov wrote:
>> >>
>> >>> Some of the businesses I know do want to make
>> >>> donations. But is ClamAV able to issue invoice ?
>> >>
>> >>In other words, you are looking for a tax write off.
>
>Umm, that's not how it works here. Where I come from, any purchases made out 
>of state on the Internet require that we internally calculate the sales tax 
>and pay it to the state. At some point, in most states, every business is 
>likely to get tax audited for these purchases. Laws are changing however. At 
>some point in the future the state that sells the item will be required to 
>calculate, collect and send the sales tax to the state where it was 
>purchased.
>

There are different types of tax -- sales tax is entirely in the eyes of
the payee, the payer has no obligation to ensure that the payee pays
taxes.  Imagine if the gov't came after you for shopping at Walmart
because Walmart didn't pay enough sales tax to the gov't.

Income tax is another ballpark -- As a business, I pay income tax on
every penny the company brings in, unless it leaves the company in some
way.  If I get audited, any penny I can't account for as an expense is
subject to income tax.

Now for tax reasons, a receipt is sufficient.  A print out of a website
showing how to give donations, and a PayPal receipt showing the donation
would be sufficient.

For an accountant, however, receipts aren't everything, you often need a
PO, an invoice AND a receipt in order for the expense to be counted.

As a small business owner, my accountant listens to me.  As an employee
in a large company, if I want the expense to be reimbursed (or
authorized if it's paid directly), I'd damn well better listen to the
accountant.

There.  Now with all of that being said, year end is coming, time to do
some open-source donations to projects that make my professional life
easier.  ClamAV will probably be on that list since it's doing a better
job on my mail server than my paid AV product.
-- 
Dave Warren,
 MSN Instant Messenger:  [EMAIL PROTECTED]
 Phone:  (204) 480-8407  Toll free: (888) 371-3470
   Fax: (204) 283-6028



[Clamav-users] Re: DB Update email before actual update available?

2006-12-28 Thread Dave Warren
In message <[EMAIL PROTECTED]> Luca Gibelli
<[EMAIL PROTECTED]> wrote:

>
>Hello Jay,
>
>> I am attempting to write a script that will take action whenever an
>> email from the [EMAIL PROTECTED] list is received.  The
>> script would run freshclam and grab the most recent update, thus giving
>> me the most up to date version at all times without putting a heavy load
>> on the ClamAV servers.
>
>This has been discussed before. Short answer: don't do it.
>
>If all of our users download the update at the same time, our mirrors
>would die. That's why the TTL for current.cvd.clamav.net is 900
>secs and not a few secs.
>
>Best regards

Although should that ever become that serious an issue, the solution
would be to simply delay the emails so that they go out over a period of
900 seconds, spreading the load evenly.
-- 
Dave Warren,
 MSN Instant Messenger:  [EMAIL PROTECTED]
 Office:  (403) 770-6140  Cell: (403) 690-3140



[Clamav-users] Re: DB Update email before actual update available?

2006-12-29 Thread Dave Warren
In message <[EMAIL PROTECTED]> Per Jessen <[EMAIL PROTECTED]>
wrote:

>Dennis Peterson wrote:
>
>>> At some point you've got to trust someone/something.  Who watches
>>> your daemon watcher? Who watches your OS? Who watches your
>>> power-supply?
>> 
>> I run SPARC equipment - I have monitoring for all that and cpu
>> temperature, too. There's a difference between proper monitoring and
>> absurdity. Your strawman fails that. 
>
>We run Intel equipment (mostly) and monitor all that too.  Still, it
>sounds like you've decided to trust your daemon-watcher daemon?  We do
>not use daemon-watchers simply because it's impossible to tell when to
>stop. If you trust your watcher, you might as well trust the daemons it
>watches. 

There is no reason that monitors can't monitor other monitors too, in
the software world.

In the hardware world, an unnoticed overheat will result in the
equipment going down, which would trigger whatever monitors that box to
report failures.

Is it self-healing?  No -- But not everything can heal itself.  Whether
the outage is noticed by the users of the equipment is another matter
entirely and will depend on your redundancy.
-- 
Dave Warren,
 MSN Instant Messenger:  [EMAIL PROTECTED]
 Office:  (403) 770-6140  Cell: (403) 690-3140



[Clamav-users] Re: Why does clam die on a malformed database ?

2006-12-30 Thread Dave Warren
In message <[EMAIL PROTECTED]> John Rudd <[EMAIL PROTECTED]> wrote:

>Sander Holthaus wrote:
>
>> A tempfail is not a disaster in most scenarios. You may not be able to
>> receive mail until it is fixed, but you still get the mail after it is
>> fixed.
>
>I think that attitude works fine in trivially small email environments.
>
>I don't think it works at all in environments where you've got an 
>enterprise email system in a mission critical environment, where having 
>an email delayed significantly can have financial implications.

If having an email delayed causes significant financial implications,
you've got more serious underlying issues.  SMTP is a best-effort
process, there is absolutely no guarantee of delivery at all, let alone
timely delivery.
-- 
Dave Warren,
 MSN Instant Messenger:  [EMAIL PROTECTED]
 Office:  (403) 770-6140  Cell: (403) 690-3140



Re: [clamav-users] LSD Malwares

2019-04-25 Thread Dave Warren via clamav-users
The same applies: Report it. Cloudflare will either forward the 
complaint for you, or block the offending URL (or both).


On 2019-04-25 19:16, Dennis Peterson wrote:
> That domain is hosted on a cloudflare IP block. They've become part of 
> the problem.
>
> dp
>
> On 4/25/19 7:52 AM, J.R. via clamav-users wrote:
>> Perhaps it would also be worthwhile to report dd.heheda.tk to their
>> hosting provider & domain registrar that they are hosting malware and
>> get that site shut down...





Re: [clamav-users] local server takes time to update clamav db

2020-12-13 Thread Dave Warren via clamav-users

On 2020-12-11 08:51, Paul Kosinski via clamav-users wrote:

> "The whole CVD filename is not versioned (always "daily.cvd") which is
> why the CloudFlare caching issue may result in serving the previous
> version."
>
> HTML filenames for Web pages are not versioned either. Does this mean
> that CDNs like Cloudflare often serve up obsolete Web pages? If so, does
> nobody notice (and complain)?
>
> A delay of an hour could have an adverse effect on online commerce,
> especially during the busy holiday season.


By default Cloudflare does not cache HTML. Cloudflare also respects 
cache-control headers, which is the normal mechanism used for websites 
which want caching, but only to a point.


Cloudflare also has an API to clear the cache (at least by URI, or 
everything, and possibly more depending on the particular options 
offered by your plan). But in practice clearing the cache is not 
completely reliable and seems to be intended for cases where it is 
strictly needed and not for every "I updated this file" situation. I 
have the impression that this applies when using Cloudflare's tiered 
caching, my idle speculation wonders if perhaps this is a timing issue, 
where server #1 clears the cache, processes a request for the file which 
it obtains from server #2 all before server #2 clears the file from 
cache and then processes a request by pulling it from server #1.


From a ClamAV perspective, one solution to solve this would be to call 
daily.cvd?version=26013 -- Note that the underlying web server could 
ignore the version parameter completely, but this would ensure that each 
Cloudflare cache retrieves a fresh version of the file and negates the 
need to push a cache clear message at all. If ClamAV's server serves an 
outdated version of the file then it would still get cached, but this 
would defeat any caching within Cloudflare for new versions as they're 
released.





Re: [clamav-users] local server takes time to update clamav db

2020-12-13 Thread Dave Warren via clamav-users
Okay, so then it seems like 1) ClamAV’s origin server periodically serves an 
old version of a file after the DNS TXT record is updated, or 2) Cloudflare 
returns a cached resource from the wrong URL, or 3) Someone is making a request 
to new ?version URLs before the DNS TXT record is updated (and such would be 
visible in the origin server’s HTTP request log).

What is the URL format that is used? I don’t see an obvious example in the conf 
man pages for the fully constructed URL, and I’m not near a full computer to 
figure it out. I was hoping to throw a few HTTP requests at it and see if the 
headers give any clues.

I have no way to prove or test #1, but #2 would be a major and fairly obvious 
issue that would cause an impact to virtually all Cloudflare customers. While 
not impossible, this seems unlikely.

#3 would certainly be possible, but would be moderately straightforward to 
identify on the web server hosting the original files — Or could be avoided if 
the origin web server includes a cache-control: no-cache (or maybe max-age=300) 
for version numbers greater than the current, while still returning whatever 
version is actually current, so that the requesting client still gets something 
valid, but I’m not clear what, if any, smarts are contained on the origin 
server.

Either way, perhaps “cache-control: max-age=3600, must-revalidate” would make 
sense so that the problem has the opportunity to clear itself faster than the 
current 43200 seconds? As long as the origin server supports last-modified and 
similar, the impact would be relatively minimal in terms of the number of bytes 
delivered, although the number of requests making it to the origin would 
increase somewhat, but still well within the capabilities of a modest server.

I’m sure smarter minds than I have looked at this, but it seems like a 
relatively small set of possibilities, and it just seems unlikely to me that it 
would go unnoticed if Cloudflare were regularly returning cached content from a 
different URL.



On Sun, Dec 13, 2020, at 19:57, Joel Esler (jesler) via clamav-users wrote:
> Both of those things are done as well.  
> 
> Sent from my  iPhone
> 
> > On Dec 13, 2020, at 19:24, Dave Warren via clamav-users 
> >  wrote:
> > 
> > On 2020-12-11 08:51, Paul Kosinski via clamav-users wrote:
> >> "The whole CVD filename is not versioned (always "daily.cvd") which is
> >> why the CloudFlare caching issue may result in serving the previous
> >> version."
> >> HTML filenames for Web pages are not versioned either. Does this mean
> >> that CDNs like Cloudflare often serve up obsolete Web pages? If so, does
> >> nobody notice (and complain)?
> >> A delay of an hour could have an adverse effect on online commerce,
> >> especially during the busy holiday season.
> > 
> > By default Cloudflare does not cache HTML. Cloudflare also respects 
> > cache-control headers, which is the normal mechanism used for websites 
> > which want caching, but only to a point.
> > 
> > Cloudflare also has an API to clear the cache (at least by URI, or 
> > everything, and possibly more depending on the particular options offered 
> > by your plan). But in practice clearing the cache is not completely 
> > reliable and seems to be intended for cases where it is strictly needed and 
> > not for every "I updated this file" situation. I have the impression that 
> > this applies when using Cloudflare's tiered caching, my idle speculation 
> > wonders if perhaps this is a timing issue, where server #1 clears the 
> > cache, processes a request for the file which it obtains from server #2 all 
> > before server #2 clears the file from cache and then processes a request by 
> > pulling it from server #1.
> > 
> > From a ClamAV perspective, one solution to solve this would be to call 
> > daily.cvd?version=26013 -- Note that the underlying web server could ignore 
> > the version parameter completely, but this would ensure that each 
> > Cloudflare cache retrieves a fresh version of the file and negates the need 
> > to push a cache clear message at all. If ClamAV's server serves an outdated 
> > version of the file then it would still get cached, but this would defeat 
> > any caching within Cloudflare for new versions as they're released.
> > 
> > 
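
Added example, not part of the thread or of ClamAV's code: a Python check for the stale-cache symptom discussed in the two messages above. It compares the daily version advertised in the DNS TXT record with the version in the header of the served daily.cvd, reads the Age and Cache-Control headers, and builds the daily.cvd?version=N URL. The host mirror.example, all sample values, and the field positions (third colon-separated field in both the TXT record and the CVD header) are assumptions.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample data, not captured from any real mirror.
SAMPLE_TXT = "0.103.0:59:26013:1607904000:1:63:49191:331"
SAMPLE_HEADERS = {"Cache-Control": "max-age=43200", "Age": "5400",
                  "CF-Cache-Status": "HIT"}
SAMPLE_CVD_HEAD = (b"ClamAV-VDB:13 Dec 2020 07-42 -0500:26012:4188923:63:"
                   b"PLACEHOLDER-MD5:PLACEHOLDER-SIG:builder:1607863320")


def advertised_daily(txt):
    """Daily version from the DNS TXT record (assumed: third field)."""
    return int(txt.split(":")[2])


def served_version(cvd_head):
    """Version from the CVD's leading text header (assumed: third field)."""
    fields = cvd_head[:512].decode("ascii", "replace").split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 3:
        raise ValueError("not a CVD header")
    return int(fields[2])


def versioned_url(url, version):
    """Append ?version=N so every release gets its own cache key."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query) if k != "version"]
    query.append(("version", str(version)))
    return urlunsplit(parts._replace(query=urlencode(query)))


def max_age(cache_control):
    """max-age in seconds from a Cache-Control value, or None if absent."""
    for directive in cache_control.lower().split(","):
        name, _, value = directive.strip().partition("=")
        if name == "max-age" and value.isdigit():
            return int(value)
    return None


def diagnose(txt, headers, cvd_head):
    """Compare the advertised and served versions and report cache state."""
    want, got = advertised_daily(txt), served_version(cvd_head)
    age = int(headers.get("Age", "0"))
    ttl = max_age(headers.get("Cache-Control", ""))
    hit = headers.get("CF-Cache-Status", "").upper() == "HIT"
    return {"advertised": want, "served": got, "stale": got < want,
            "from_cache": hit or age > 0,
            "seconds_until_expiry": None if ttl is None else max(ttl - age, 0)}
```

With the constructed sample, the cached copy is one version behind and has 37800 seconds left under max-age=43200; under the max-age=3600 value suggested in the message it would already be due for revalidation.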

Re: [clamav-users] Linode Clam AV Updates

2021-03-22 Thread Dave Warren via clamav-users

On 2021-03-22 13:56, Grant Taylor via clamav-users wrote:

On 3/22/21 1:53 PM, Grant Taylor via clamav-users wrote:
I'm both curious and want to make sure that what my Linode is (and has 
been) doing is not a problem.


I want to make sure:

1)  That what my Linode is doing is not a problem.  --  freshclam is 
waking up hourly and checking DNS to see if there are version updates. 
Upon new versions being published, downloading a cdiff and integrating it.
2)  That whatever solution Linode puts in place won't interfere with or 
otherwise get in the middle between well behaved clients and ClamAV 
infrastructure.


And as another Linode+ClamAV+Cloudflare customer...

3) That I take advantage of whatever solution Linode puts in place if it 
requires a configuration update (and therefore would otherwise only 
apply to new deployments based on their images, and/or their rescue image).


Plus it is nice to see the sausage being made, but I realize that this 
doesn't apply to everyone.




Re: [clamav-users] Request for guidelines to connect freshclam to Squid proxy

2021-04-30 Thread Dave Warren via clamav-users
A firewall's job is to regulate unwanted/undesired traffic and to 
enforce policy as defined by the business, not to invent it.


If the business policy is to allow virus definition updates then the 
firewall should be configured to do so. If not, it should be blocked 
completely. Anything else is just a power-trip on the part of the 
firewall administrator and the responsibility should fall to them when 
their mis-configuration has consequences.




On 2021-04-29 05:56, Zvi Kave via clamav-users wrote:

> Hi,
>
> The SysAdmin who is responsible for firewall maintenance allows only
> one IP to be opened in the firewall for freshclam use.
>
> I shall check squid definitions again.
>
> Thank you,
>
> Zvi




Re: [clamav-users] Update problem today

2022-04-25 Thread Dave Warren via clamav-users

On 2022-04-25 11:14, Paul Smith via clamav-users wrote:
> The problem 'magically' disappeared as soon as the 26522 update was
> published, so, to me, it really looks as if there were bad files on one
> of the mirrors. The later update would have replaced that with a correct
> file, so it all works again.


I spotted a similar problem on another (unrelated) mirror hosted by 
Cloudflare.


I'll dig into it if I can reproduce it again, but a cache clear seems to 
have resolved it at the time.





Re: [clamav-users] Database updated over unencrypted connection?

2019-03-16 Thread Dave Warren via clamav-users

On 2019-03-15 09:53, Franky Van Liedekerke via clamav-users wrote:

> I wonder why the http/https discussion is still relevant. Almost all sites use
> https now, http is getting slowly banned and a lot of companies just don't want
> to allow incoming http traffic towards a server. Certificates cost nothing
> anymore (you have free ones), so that's no longer an issue too. And the cpu
> issue might've been relevant years ago, but it shouldn't be now (offloading
> https to a high-performant frontend server can help if you really have issues).
> Just my 2 cents here ...


One other consideration here is historical: ClamAV relied on donated 
mirrors, some of which struggled to keep a bare minimum configuration 
working. Deploying HTTPS and getting the mirror operators to keep up 
with certificates, secure TLS configuration and other details would add 
a lot more load to what I understand was already a challenge for the 
ClamAV team.


The situation has changed somewhat today with Cloudflare's involvement 
as there would only be one party involved in deploying certificates to 
all nodes, and a party that can sign and maintain certificates 
themselves completely automatically at that.


As noted elsewhere in the thread, freshclam work needs to be done before 
freshclam itself could actually use this capability.

