Re: [clamav-users] We STILL cannot reliably get virus updates (since new mirrors)

2018-07-10 Thread Freddie Cash
Joel posted pictures (in one of these update threads) of where the mirrors
are located along with the relative traffic that each one transfers.

Cheers,
Freddie

Typos courtesy of my phone's keyboard.

On Tue, Jul 10, 2018, 6:37 PM Paul Kosinski wrote:

> I have a question. I presume that there are more physical Cloudflare
> server instances than implied by database.clamav.net's 5 IP addresses,
> and that they are geographically distributed, rather than all being
> in/near San Francisco. This suggests that they are Anycast addresses.
> But I don't know how to determine where the server instances are
> located, or which one(s) we reach when trying to download cvds.
>
> The fact that we have observed a 1 hour delay further suggests that
> there are a large number of instances, otherwise they would be brought
> into sync with the DNS TXT record more quickly. Is there any way that you
> people at ClamAV can determine when the various server instances in fact
> get the new cvd files? I would think that a CDN would provide statistics
> on that, especially if expected delays are spelled out in an SLA.
>
>
> On Tue, 10 Jul 2018 22:11:46 +
> "Joel Esler (jesler)" wrote:
>
> > Thanks for this feedback everyone.  This is extremely useful.
> >
> >
> > > On Jul 10, 2018, at 11:26 AM, Paul Kosinski
> > >  wrote:
> > >
> > > Last night our new method of getting cvd updates showed that it was
> > > *one hour* from the time the DNS TXT record claimed a new cvd was
> > > available to the time when our quick curl said it was really
> > > available!
> > >
> > > In particular at 1:03 AM (EDT), DNS said version 24739 was
> > > available, but a curl of the first few bytes of the cvd file said
> > > it was still at version 24738. It wasn't until 2:03 AM that curl
> > > reported that version 24739 was really available for download.
>
> >
> ___
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] We STILL cannot reliably get virus updates (since new mirrors)

2018-07-06 Thread Freddie Cash
On Thu, Jul 5, 2018 at 2:21 PM Joel Esler (jesler) wrote:

> For the people who have this issue, can you change your mirror to "
> database.clamav.net" and see if this error occurs any more?
>

I'm no longer seeing "Can't query" messages or "Mirror unsynched" messages
in the freshclam.log for the last 8 checks (we do 6 per day).

-- 
Freddie Cash
fjwc...@gmail.com


Re: [clamav-users] We STILL cannot reliably get virus updates (since new mirrors)

2018-07-03 Thread Freddie Cash
On Tue, Jul 3, 2018 at 9:28 AM, Paul Kosinski 
wrote:

> The way Linux updates are done in practice is significantly different
> from ClamAV virus signature updates.
>
> With ClamAV, freshclam is automatically run periodically, sees (by
> some low-cost means) that a new file version is *supposed* to be
> available and tries to download it. If either it can't, or worse yet,
> it's the wrong one, it tries the next mirror. This all takes time and
> bandwidth.
>
> With Linux updates, I explicitly ask (via aptitude) what new updates
> are available: It takes some time to retrieve the list. Then I select
> the ones I want and ask to install them. I have *never*, *ever* seen
> this mechanism deliver the wrong version and thus fail to install it.
>

You obviously haven't tried very hard, then.  :)  Or you don't run a local
repo mirror, at least.

We've run into issues with our local Debian repo mirror.  Usually, it's
that we're asking to install an old version of something and it's no longer
available on the mirror (i.e. forgot to run "aptitude update" first).  Or the
mirror ran out of disk space, so it didn't actually download the new
packages, but the index files were correctly downloaded/loaded.  Thus,
running "aptitude update" works, but it can't find any of the new files to
download/install.  Or, the Debian project decided to change how things work
in the repo, and that change didn't get propagated to our repo, so aptitude
just stops working on all our servers (the localisation changes for Jessie
were the latest niggle to trip us up).  Or, or, or.

The Linux updating method (at least as used in Debian) is not bulletproof.
No update method ever is.


> This is due to the fact that the same Debian mirror machine provides
> the new versions of a group of files as provides the list of new
> versions. Thus there is an almost zero chance of a race condition
> (unless some idiot adds a version to the list before uploading the
> actual deb file). Even if set to auto update, I think the *lists*
> always come from the same servers as the files.
>
> It's not a matter of using DNS TXT records, it's a matter of sourcing
> them on a *different* computer than the actual files. This separation
> virtually begs for synchronization problems.


​Or, it's a matter of everyone getting in a tizzy over something that's
really minor in the grand scheme of things.  They've migrated to a new
CDN.  There's going to be teething pains with any new infrastructure.
Instead of trying to "rip-a-new-one" in the devs and demanding everything
be redone from scratch, how about we wait a bit while they work out the
bugs in the new setup.

Are updates completely broken right now?  No.  Are there occasional
hiccups?  Sure.  Are things getting better?  Yeah, they are.  Are they
perfect?  Not yet.  Should they scrap everything and start over?  Hell no.

-- 
Freddie Cash
fjwc...@gmail.com


Re: [clamav-users] Mirror Load + ClamAV Updates

2018-06-26 Thread Freddie Cash
On Tue, Jun 26, 2018 at 3:10 PM, Micah Snyder (micasnyd) wrote:

> What is the output of "freshclam --list-mirrors"?  You may need to delete
> your mirrors.dat file (located with your databases) and then try freshclam
> again.
>

I deleted mirrors.dat before restarting freshclam each time; otherwise it
just spits out "skipping mirror due to previous problems" and does
nothing.  :)  The log entries I've posted are all from running:

rm mirrors.dat; service clamav-freshclam restart; tail -f
/var/log/freshclam.log

But here's the output from list-mirrors:

Tue Jun 26 15:12:09 2018 -> *Current working dir is /var/lib/clamav
Mirror #1
IP: 104.16.185.138
Successes: 1
Failures: 1
Last access: Tue Jun 26 15:08:14 2018
Ignore: Yes
-
Mirror #2
IP: 104.16.188.138
Successes: 1
Failures: 1
Last access: Tue Jun 26 15:08:24 2018
Ignore: Yes
-
Mirror #3
IP: 104.16.187.138
Successes: 1
Failures: 1
Last access: Tue Jun 26 15:08:34 2018
Ignore: Yes
-
Mirror #4
IP: 104.16.189.138
Successes: 1
Failures: 1
Last access: Tue Jun 26 15:08:44 2018
Ignore: Yes
-
Mirror #5
IP: 104.16.186.138
Successes: 1
Failures: 1
Last access: Tue Jun 26 15:08:52 2018
Ignore: Yes
-
Mirror #6
IP: 2400:cb00:2048:1::6810:bb8a
Successes: 0
Failures: 1
Last access: Tue Jun 26 15:08:52 2018
Ignore: Yes
-
Mirror #7
IP: 2400:cb00:2048:1::6810:bc8a
Successes: 0
Failures: 1
Last access: Tue Jun 26 15:08:52 2018
Ignore: Yes
-
Mirror #8
IP: 2400:cb00:2048:1::6810:bd8a
Successes: 0
Failures: 1
Last access: Tue Jun 26 15:08:52 2018
Ignore: Yes
-
Mirror #9
IP: 2400:cb00:2048:1::6810:b98a
Successes: 0
Failures: 1
Last access: Tue Jun 26 15:08:52 2018
Ignore: Yes
-
Mirror #10
IP: 2400:cb00:2048:1::6810:ba8a
Successes: 0
Failures: 1
Last access: Tue Jun 26 15:08:52 2018
Ignore: Yes

-- 
Freddie Cash
fjwc...@gmail.com


Re: [clamav-users] Mirror Load + ClamAV Updates

2018-06-26 Thread Freddie Cash
On Tue, Jun 26, 2018 at 2:41 PM, Freddie Cash wrote:

> On Tue, Jun 26, 2018 at 2:17 PM, Joel Esler (jesler) 
> wrote:
>
>> Team --
>>
>> Today we were able to add 100% of the mirror infrastructure to our CDN,
>> Cloudflare.  We are currently measuring the load and evaluating the
>> viability and problems (if any) with this solution.  We are currently
>> pushing approx 12GB a second through their Tier 1 POP locations.
>>
>> We are seeking feedback about the stability of this, or if any updates
>> are failing.  (I have seen the thread that is currently on-going).
>>
>>
>> If you having problems downloading from the ClamAV mirror infrastructure,
>> please delete your mirrors.dat file and start over.
>>
>
> This is on Debian 8 which is why the ClamAV version is a little behind.
>

Turns out ClamAV 0.100.0 is available in Debian 8.  But, upgrading to it
doesn't change the end result.  No mirrors available to download from.

Tue Jun 26 14:54:54 2018 -> Current working dir is /var/lib/clamav
Tue Jun 26 14:54:54 2018 -> freshclam daemon 0.100.0 (OS: linux-gnu, ARCH:
x86_64, CPU: x86_64)
Tue Jun 26 14:54:54 2018 -> Max retries == 5
Tue Jun 26 14:54:54 2018 -> ClamAV update process started at Tue Jun 26
14:54:54 2018
Tue Jun 26 14:54:54 2018 -> Using IPv6 aware code
Tue Jun 26 14:54:54 2018 -> Querying current.cvd.clamav.net
Tue Jun 26 14:54:54 2018 -> TTL: 538
Tue Jun 26 14:54:54 2018 -> Software version from DNS: 0.100.0
Tue Jun 26 14:54:54 2018 -> main.cvd version from DNS: 58
Tue Jun 26 14:54:54 2018 -> main.cvd is up to date (version: 58, sigs:
4566249, f-level: 60, builder: sigmgr)
Tue Jun 26 14:54:54 2018 -> daily.cvd version from DNS: 24699
Tue Jun 26 14:54:54 2018 -> Retrieving http://db.ca.clamav.net/daily.cvd
Tue Jun 26 14:54:54 2018 -> Trying to download
http://db.ca.clamav.net/daily.cvd (IP: 104.16.186.138)
Tue Jun 26 14:54:56 2018 -> Downloading daily.cvd [100%]
Tue Jun 26 14:54:57 2018 -> WARNING: Mirror 104.16.186.138 is not
synchronized.
Tue Jun 26 14:54:57 2018 -> Querying daily.0.91.0.0.6810BA8A.ping.clamav.net
Tue Jun 26 14:54:57 2018 -> Can't query
daily.0.91.0.0.6810BA8A.ping.clamav.net
Tue Jun 26 14:54:57 2018 -> Trying again in 5 secs...
Tue Jun 26 14:55:02 2018 -> ClamAV update process started at Tue Jun 26
14:55:02 2018
Tue Jun 26 14:55:02 2018 -> Using IPv6 aware code
Tue Jun 26 14:55:02 2018 -> Querying current.cvd.clamav.net
Tue Jun 26 14:55:02 2018 -> TTL: 530
Tue Jun 26 14:55:02 2018 -> Software version from DNS: 0.100.0
Tue Jun 26 14:55:02 2018 -> main.cvd version from DNS: 58
Tue Jun 26 14:55:02 2018 -> main.cvd is up to date (version: 58, sigs:
4566249, f-level: 60, builder: sigmgr)
Tue Jun 26 14:55:02 2018 -> daily.cvd version from DNS: 24699
Tue Jun 26 14:55:02 2018 -> Retrieving http://db.ca.clamav.net/daily.cvd
Tue Jun 26 14:55:02 2018 -> Ignoring mirror 104.16.185.138 (due to previous
errors)
Tue Jun 26 14:55:02 2018 -> Ignoring mirror 104.16.186.138 (due to previous
errors)
Tue Jun 26 14:55:02 2018 -> Trying host db.ca.clamav.net (104.16.188.138)...
Tue Jun 26 14:55:02 2018 -> Trying to download
http://db.ca.clamav.net/daily.cvd (IP: 104.16.188.138)
Tue Jun 26 14:55:03 2018 -> Downloading daily.cvd [100%]
Tue Jun 26 14:55:05 2018 -> WARNING: Mirror 104.16.188.138 is not
synchronized.
Tue Jun 26 14:55:05 2018 -> Querying daily.0.91.0.0.6810BC8A.ping.clamav.net
Tue Jun 26 14:55:05 2018 -> Can't query
daily.0.91.0.0.6810BC8A.ping.clamav.net
Tue Jun 26 14:55:05 2018 -> Trying again in 5 secs...
Tue Jun 26 14:55:10 2018 -> ClamAV update process started at Tue Jun 26
14:55:10 2018
Tue Jun 26 14:55:10 2018 -> Using IPv6 aware code
Tue Jun 26 14:55:10 2018 -> Querying current.cvd.clamav.net
Tue Jun 26 14:55:10 2018 -> TTL: 522
Tue Jun 26 14:55:10 2018 -> Software version from DNS: 0.100.0
Tue Jun 26 14:55:10 2018 -> main.cvd version from DNS: 58
Tue Jun 26 14:55:10 2018 -> main.cvd is up to date (version: 58, sigs:
4566249, f-level: 60, builder: sigmgr)
Tue Jun 26 14:55:10 2018 -> daily.cvd version from DNS: 24699
Tue Jun 26 14:55:10 2018 -> Retrieving http://db.ca.clamav.net/daily.cvd
Tue Jun 26 14:55:10 2018 -> Ignoring mirror 104.16.188.138 (due to previous
errors)
Tue Jun 26 14:55:10 2018 -> Ignoring mirror 104.16.185.138 (due to previous
errors)
Tue Jun 26 14:55:10 2018 -> Trying host db.ca.clamav.net (104.16.187.138)...
Tue Jun 26 14:55:10 2018 -> Trying to download
http://db.ca.clamav.net/daily.cvd (IP: 104.16.187.138)
Tue Jun 26 14:55:10 2018 -> Downloading daily.cvd [100%]
Tue Jun 26 14:55:12 2018 -> WARNING: Mirror 104.16.187.138 is not
synchronized.
Tue Jun 26 14:55:12 2018 -> Querying daily.0.91.0.0.6810BB8A.ping.clamav.net
Tue Jun 26 14:55:12 2018 -> Can't query
daily.0.91.0.0.6810BB8A.p

Re: [clamav-users] Mirror Load + ClamAV Updates

2018-06-26 Thread Freddie Cash
 14:34:29 2018 -> Ignoring mirror 104.16.185.138 (due to previous
errors)
Tue Jun 26 14:34:29 2018 -> Trying host db.ca.clamav.net (104.16.186.138)...
Tue Jun 26 14:34:29 2018 -> Trying to download
http://db.ca.clamav.net/daily.cvd (IP: 104.16.186.138)
Tue Jun 26 14:34:32 2018 -> Downloading daily.cvd [100%]
Tue Jun 26 14:34:33 2018 -> WARNING: Mirror 104.16.186.138 is not
synchronized.
Tue Jun 26 14:34:33 2018 -> Querying daily.0.84.0.0.6810BA8A.ping.clamav.net
Tue Jun 26 14:34:33 2018 -> Can't query
daily.0.84.0.0.6810BA8A.ping.clamav.net
Tue Jun 26 14:34:33 2018 -> Giving up on db.ca.clamav.net...
Tue Jun 26 14:34:33 2018 -> ClamAV update process started at Tue Jun 26
14:34:33 2018
Tue Jun 26 14:34:33 2018 -> Using IPv6 aware code
Tue Jun 26 14:34:33 2018 -> Querying current.cvd.clamav.net
Tue Jun 26 14:34:33 2018 -> TTL: 1759
Tue Jun 26 14:34:33 2018 -> Software version from DNS: 0.100.0
Tue Jun 26 14:34:33 2018 -> WARNING: Your ClamAV installation is OUTDATED!
Tue Jun 26 14:34:33 2018 -> WARNING: Local version: 0.99.3 Recommended
version: 0.100.0
Tue Jun 26 14:34:33 2018 -> DON'T PANIC! Read
http://www.clamav.net/documents/upgrading-clamav
Tue Jun 26 14:34:33 2018 -> main.cvd version from DNS: 58
Tue Jun 26 14:34:33 2018 -> main.cvd is up to date (version: 58, sigs:
4566249, f-level: 60, builder: sigmgr)
Tue Jun 26 14:34:33 2018 -> daily.cvd version from DNS: 24699
Tue Jun 26 14:34:33 2018 -> Retrieving http://db.local.clamav.net/daily.cvd
Tue Jun 26 14:34:33 2018 -> Ignoring mirror 104.16.187.138 (due to previous
errors)
Tue Jun 26 14:34:33 2018 -> Ignoring mirror 104.16.188.138 (due to previous
errors)
Tue Jun 26 14:34:33 2018 -> Ignoring mirror 104.16.185.138 (due to previous
errors)
Tue Jun 26 14:34:33 2018 -> Ignoring mirror 104.16.189.138 (due to previous
errors)
Tue Jun 26 14:34:33 2018 -> Ignoring mirror 104.16.186.138 (due to previous
errors)
Tue Jun 26 14:34:33 2018 -> Trying host db.local.clamav.net
(2400:cb00:2048:1::6810:ba8a)...
Tue Jun 26 14:34:33 2018 -> nonblock_connect: connect(): fd=4 errno=101:
Network is unreachable
Tue Jun 26 14:34:33 2018 -> Can't connect to port 80 of host
db.local.clamav.net (IP: 2400:cb00:2048:1::6810:ba8a)
Tue Jun 26 14:34:33 2018 -> Trying host db.local.clamav.net
(2400:cb00:2048:1::6810:bb8a)...
Tue Jun 26 14:34:33 2018 -> nonblock_connect: connect(): fd=4 errno=101:
Network is unreachable
Tue Jun 26 14:34:33 2018 -> Can't connect to port 80 of host
db.local.clamav.net (IP: 2400:cb00:2048:1::6810:bb8a)
Tue Jun 26 14:34:33 2018 -> Trying host db.local.clamav.net
(2400:cb00:2048:1::6810:bc8a)...
Tue Jun 26 14:34:33 2018 -> nonblock_connect: connect(): fd=4 errno=101:
Network is unreachable
Tue Jun 26 14:34:33 2018 -> Can't connect to port 80 of host
db.local.clamav.net (IP: 2400:cb00:2048:1::6810:bc8a)
Tue Jun 26 14:34:33 2018 -> Trying host db.local.clamav.net
(2400:cb00:2048:1::6810:bd8a)...
Tue Jun 26 14:34:33 2018 -> nonblock_connect: connect(): fd=4 errno=101:
Network is unreachable
Tue Jun 26 14:34:33 2018 -> Can't connect to port 80 of host
db.local.clamav.net (IP: 2400:cb00:2048:1::6810:bd8a)
Tue Jun 26 14:34:33 2018 -> Trying host db.local.clamav.net
(2400:cb00:2048:1::6810:b98a)...
Tue Jun 26 14:34:33 2018 -> nonblock_connect: connect(): fd=4 errno=101:
Network is unreachable
Tue Jun 26 14:34:33 2018 -> Can't connect to port 80 of host
db.local.clamav.net (IP: 2400:cb00:2048:1::6810:b98a)
Tue Jun 26 14:34:33 2018 -> ERROR: Can't download daily.cvd from
db.local.clamav.net
Tue Jun 26 14:34:33 2018 -> Giving up on db.local.clamav.net...
Tue Jun 26 14:34:33 2018 -> Update failed. Your network may be down or none
of the mirrors listed in /etc/clamav/freshclam.conf is working. Check
http://www.clamav.net/doc/mirrors-faq.html for possible reasons.

The interesting bit is the "Tue Jun 26 14:39:19 2018 -> WARNING: Mirror
104.16.188.138 is not synchronized" line.

Changing freshclam.conf to use "DatabaseMirror database.clamav.net" doesn't
change anything (it's normally set to db.ca.clamav.net).


main.cvd     is dated June  7
daily.cvd    is dated June 25
mbl.ndb      is dated June 26
bytecode.cvd is dated June 22


This is on Debian 8 which is why the ClamAV version is a little behind.



-- 
Freddie Cash
fjwc...@gmail.com
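The check Paul Kosinski describes in the 2018-07-10 message at the top of this page (read the DNS TXT record, then fetch only the first bytes of the cvd and compare versions) is the same comparison behind the "Mirror ... is not synchronized" warnings in the freshclam logs above. Below is that comparison as an added example; it is not freshclam's code and not from anyone in the thread. Assumptions: the TXT field order (software version, main.cvd, daily.cvd) is read off the "... version from DNS" log lines above and the remaining fields are not interpreted; the CVD header is the 512-byte ASCII header that starts with "ClamAV-VDB:"; `dig` is installed for the live mode; the sample TXT record and header are constructed, not captured. The hex label in the `*.ping.clamav.net` queries is decoded as the mirror's IPv4 address because in the logs above 6810BA8A lines up with 104.16.186.138 and 6810BC8A with 104.16.188.138.

```python
#!/usr/bin/env python3
"""Compare the daily.cvd version advertised in DNS with the version a mirror
actually serves.  Added example for this thread, not freshclam's own code.

The parsers run offline on constructed sample data; the live fetchers are
only used by main() when --live is given.
"""
import re
import subprocess
import sys
import urllib.request

CVD_HEADER_LEN = 512  # every .cvd begins with a fixed 512-byte ASCII header


def parse_txt_record(txt):
    """Split the current.cvd.clamav.net TXT record into its fields.

    Field positions follow the freshclam log lines on this page: field 1 is
    the software version, field 2 main.cvd, field 3 daily.cvd.  Later fields
    are kept verbatim; nothing is assumed about their meaning here.
    """
    fields = txt.strip().strip('"').split(":")
    if len(fields) < 3:
        raise ValueError("unexpected TXT record: %r" % txt)
    return {"software": fields[0], "main": int(fields[1]),
            "daily": int(fields[2]), "rest": fields[3:]}


def parse_cvd_header(header):
    """Parse the 512-byte header of a .cvd file.

    Layout: ClamAV-VDB:<build time>:<version>:<sigs>:<f-level>:<md5>:<dsig>:<builder>:<stime>
    The build time uses '-' between hours and minutes, so ':' is a safe separator.
    """
    text = header[:CVD_HEADER_LEN].decode("ascii", "replace").rstrip(" \x00\n")
    fields = text.split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 9:
        raise ValueError("not a CVD header: %r" % text[:40])
    return {"build_time": fields[1], "version": int(fields[2]),
            "sigs": int(fields[3]), "flevel": int(fields[4]),
            "md5": fields[5], "builder": fields[7]}


def mirror_is_synced(dns_daily, served_daily):
    """True when the mirror serves at least the version DNS advertises."""
    return served_daily >= dns_daily


def decode_ping_host(hostname):
    """Recover the mirror IPv4 address from a *.ping.clamav.net query name.

    In the logs above the 8-hex-digit label matches the IP freshclam just
    flagged (6810BA8A -> 104.16.186.138), so it is decoded as four bytes.
    """
    m = re.search(r"\.([0-9A-Fa-f]{8})\.ping\.clamav\.net$", hostname)
    if not m:
        raise ValueError("no hex IPv4 label in %r" % hostname)
    h = m.group(1)
    return ".".join(str(int(h[i:i + 2], 16)) for i in range(0, 8, 2))


# --- live fetchers, used only by main(); 'dig' is assumed to be installed ---

def fetch_txt(name="current.cvd.clamav.net"):
    out = subprocess.check_output(["dig", "+short", "TXT", name], timeout=10)
    return out.decode().strip().splitlines()[0]


def fetch_cvd_header(url="http://database.clamav.net/daily.cvd"):
    """Fetch only the header with an HTTP Range request (like Paul's curl)."""
    req = urllib.request.Request(
        url, headers={"Range": "bytes=0-%d" % (CVD_HEADER_LEN - 1)})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read(CVD_HEADER_LEN)


def compare(txt, header):
    """Offline core: returns both versions and the verdict."""
    dns = parse_txt_record(txt)
    cvd = parse_cvd_header(header)
    return {"dns_daily": dns["daily"], "served_daily": cvd["version"],
            "synced": mirror_is_synced(dns["daily"], cvd["version"])}


# Constructed sample data (not a captured record): DNS already announces
# 24699 while the mirror still serves 24698, the state behind freshclam's
# "not synchronized" warning.  The md5 and dsig values are placeholders.
SAMPLE_TXT = '"0.100.0:58:24699:0:0:0:0:0:0"'
SAMPLE_HEADER = (b"ClamAV-VDB:25 Jun 2018 12-00 -0400:24698:1987531:63:"
                 b"d41d8cd98f00b204e9800998ecf8427e:dummysig:sigmgr:1529942400"
                 ).ljust(CVD_HEADER_LEN, b" ")


def main():
    if "--live" in sys.argv:
        result = compare(fetch_txt(), fetch_cvd_header())
    else:
        result = compare(SAMPLE_TXT, SAMPLE_HEADER)
    print(result)
    return 0 if result["synced"] else 1  # non-zero exit is cron-friendly


if __name__ == "__main__":
    sys.exit(main())
```

Run it with `--live` to query the real TXT record and `database.clamav.net`; without arguments it runs on the constructed sample and exits non-zero because the sample mirror is one version behind. Logging the two numbers with a timestamp from cron gives exactly the "DNS said X at 1:03, the file said X at 2:03" measurement Paul reported, without downloading the whole cvd each time.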


Re: [clamav-users] ClamAV(R) blog: ClamAV 0.99.4 has been released!

2018-03-07 Thread Freddie Cash
If you would take the time to actually read the message, you'd see that
freshclam is reporting the local version as 0.99.4 and complaining that it
is behind the recommended version of 0.99.4.

IOW, it's a spurious error message that's complaining incorrectly.
Something the ClamAV devs will need to fix.

Cheers,
Freddie

Typos courtesy of my phone.

On Mar 7, 2018 9:33 AM, "Reindl Harald" wrote:



On 07.03.2018 at 18:29, Brian Fluet wrote:

> Here's the most recent freshclam log entry:
>
> Wed Mar 07 12:19:08 2018 -> ClamAV update process started at Wed Mar 07
> 12:19:08 2018
> Wed Mar 07 12:19:08 2018 -> WARNING: Your ClamAV installation is OUTDATED!
> Wed Mar 07 12:19:08 2018 -> WARNING: Local version: clamav-0.99.4
> Recommended version: 0.99.4
> Wed Mar 07 12:19:08 2018 -> DON'T PANIC! Read
> http://www.clamav.net/documents/upgrading-clamav
>

and why don't you just read http://www.clamav.net/documents/upgrading-clamav

frankly even if it would say "clamav-0.99.3 Recommended version: 0.99.4"
the DON'T PANIC applies because when you use LTS distributions it's pretty
common that the version of many packages doesn't change but security related
and critical fixes are backported

the PHP 5.4 of RHEL/CentOS as example is not just a plain, never updated
PHP 5.4



Re: [clamav-users] Locky Dridex plan

2016-03-26 Thread Freddie Cash
On Mar 26, 2016 6:26 AM, "C.D. Cochrane" wrote:
>
> And I am guessing my Linux distro will not just seamlessly move on to
> 0.99 by itself with an "apt-get update".

Debian 6 includes ClamAV 0.98. Thus, anything newer than that will have a
newer version of ClamAV. And if you are running anything older than Debian
6, you really should upgrade your OS to one that gets security fixes.


Re: [clamav-users] [Clamav-announce] announcing ClamAV 0.97.2

2011-07-29 Thread Freddie Cash
2011/7/29 Török Edwin 

> On 07/29/2011 06:36 PM, Nathan Gibbs wrote:
> > On 7/29/2011 11:03 AM, polloxx wrote:
> >>
> >> When will the package be available in Debian Squeeze?
> >>
> >>
> > When the package maintainer gets around to putting it there
>
> It just got packaged for unstable:
> http://packages.qa.debian.org/c/clamav/news/20110729T152659Z.html
>
> >, and then of
> > course it needs to come down from testing.
> > Stable is still at 0.97
>
> Isn't stable at 0.97.1? (via stable-updates):
> http://packages.qa.debian.org/c/clamav/news/20110704T135601Z.html
>
> Candidate: 0.97.1+dfsg-1~squeeze1
>   Version table:
>      0.97.1+dfsg-1~squeeze1 0
>         500 http://cdn.debian.net/debian/ squeeze-updates/main amd64 Packages
>      0.97+dfsg-2~squeeze1 0
>         500 http://cdn.debian.net/debian/ squeeze/main amd64 Packages
>

$ cat /etc/debian_version
6.0.2

$ aptitude show -t squeeze clamav
Package: clamav
State: not installed
Automatically installed: no
Version: 0.97+dfsg-2~squeeze1

However, a Squeeze box upgraded from a very recent Lenny will have 0.97.1
installed, as Lenny is at 0.97.1:

$ aptitude show clamav
Unable to find an archive "squeeze-backports" for the package "clamav"
Package: clamav
State: installed
Automatically installed: no
Version: 0.97.1+dfsg-1~lenny1

The above is from our mail server that was running Etch until this Monday
(July 25) when I did an in-place upgrade to latest Lenny, then to latest
Squeeze.

-- 
Freddie Cash
fjwc...@gmail.com
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

Re: [Clamav-users] safe_clamd

2010-10-14 Thread Freddie Cash
On Thu, Oct 14, 2010 at 4:09 PM, Luca Gibelli wrote:
>> Since I have never seen the clamd daemon crash on any of my servers, I'm
>> not particularly interested in having a program waste resources checking
>> on it every 30 seconds.
>
> It won't take up a lot of resources. It just periodically sends a signal
> to clamd.
>
>> Besides, why not use daemontools or one of the other existing process
>> monitoring programs?  Why do we need a custom one for clam?
>
> Well the main reason is to allow the average user to just
> type:
>
> safe_clamd
>
> instead of:
>
> clamd
>
> and get the benefits of a monitoring script without any effort.

I haven't looked at the script yet, but for something simple like
checking if clamd is responding, wouldn't a cronjob make more sense?
Or is 1-minute granularity too coarse?


-- 
Freddie Cash
fjwc...@gmail.com
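The cron-driven alternative suggested above, as an added example (not the safe_clamd script and not ClamAV code): connect to clamd's socket, send PING, and expect PONG, with a timeout so a hung daemon is reported rather than waited on forever. The socket path is an assumption (the Debian default is used as the example), and the fake server at the bottom exists only so the probe can be exercised without a running clamd.

```python
#!/usr/bin/env python3
"""Cron-friendly liveness probe for clamd.  Added example for this thread,
not the safe_clamd script or any ClamAV code.

Exit status 0 means clamd answered PING with PONG; anything else (no socket,
refused, timed out, unexpected reply) exits 1 so cron or a wrapper can act.
"""
import os
import socket
import sys
import tempfile
import threading

DEFAULT_SOCKET = "/var/run/clamav/clamd.ctl"  # assumption: Debian's default path


def clamd_ping(path=DEFAULT_SOCKET, timeout=5.0):
    """Return True if clamd answers PING with PONG within the timeout.

    'nPING\\n' is the newline-terminated form of the command; clamd replies
    'PONG' followed by a newline.  Every failure mode is mapped to False so
    the caller gets a clean yes/no instead of an exception.
    """
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(path)
            s.sendall(b"nPING\n")
            reply = s.recv(64)
    except (OSError, socket.timeout):
        return False
    return reply.strip() == b"PONG"


def fake_clamd(path, answer=b"PONG\n"):
    """Minimal stand-in for clamd used only by demo(): accepts one
    connection, reads the command, sends `answer`.  Nothing else about
    clamd is modelled here."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)          # the probe only ever sends PING
            conn.sendall(answer)
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return t


def demo(answer=b"PONG\n"):
    """Run the probe against a fake clamd in a temp dir; return the verdict."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "clamd.ctl")
        t = fake_clamd(path, answer)
        ok = clamd_ping(path, timeout=2.0)
        t.join(2.0)
    return ok


if __name__ == "__main__":
    sock = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_SOCKET
    alive = clamd_ping(sock)
    print("clamd %s" % ("OK" if alive else "NOT RESPONDING"))
    # crontab idea:  * * * * *  clamd_ping.py || service clamav-daemon restart
    sys.exit(0 if alive else 1)
```

One-minute granularity is what cron gives you; if that is too coarse the same function can be looped with a sleep inside a single long-running cron job.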

Re: [Clamav-users] Some questions about clamav update warning messages

2010-07-06 Thread Freddie Cash
On Tue, Jul 6, 2010 at 10:20 AM, JD wrote:
>>>> WARNING: Current functionality level = 44, recommended = 53
>>>> DON'T PANIC! Read http://www.clamav.net/support/faq
>>>
>>>       I read the FAQ and it does not tell me where this setting is set.
>>
>> It's set by ClamAV within the source code itself; this reflects the
>> capabilities of that particular version.  It's not a configurable setting;
>> to fix this warning, you need to upgrade to the latest version of ClamAV--
>> which you generally should be doing for any security-related software,
>> anyway.
>
> So, the fedora distro people screwed up by setting it to level 44 in the
> source code?

No, it's set by the clamav devs, and is dependent on the version.
This is not a configurable setting, it's hardcoded into clamav.

So long as you are running 0.95 or newer you don't have to worry about
these errors.

If you want the absolute latest features, then install the latest
version.  Otherwise, carry on.  0.95 works perfectly well.  These are
just notices, not "you must upgrade or die" messages.  :)

-- 
Freddie Cash
fjwc...@gmail.com

Re: [Clamav-users] Tiered freshclam updates on port443

2010-05-21 Thread Freddie Cash
On Fri, May 21, 2010 at 7:48 AM, Shawn Bakhtiar wrote:

> I believe each of the points you both made, including OUTBOUND security to
> prevent hackers from using a hacked machine on our network, are very valid
> points. But I have yet to see gateway blocks actually reduce the number of
> infections on my network, and when compared to the complexity it introduces
> into the system, it is just not worth it. Complexity is your worst enemy.
> When things are kept as simple as possible, in a time of crisis, they are
> simple to figure out.
>
>
It may not have happened on your network, but it's (filtering outbound
traffic) saved our bacon several times over the years, especially back in
the Code Red/Nimda days.  And, in an educational setting (I work for a
school district now), you definitely do not want to have wide-open Internet
access for student computers.

> I would never violate a netizen's right by restricting his or her movements
> on the internet.


There's no such thing as "a netizen's right to use the Internet".


> I believe a user should be able to use the machine assigned to them for
> what ever purpose they choose, and it is my job to provide a reliable, safe,
> and secure, environment for them to operate in.
>

Wow, I want to work where you do.  :)  Everywhere I've worked, the computer
has always been the property of the company, and is only provided as a
convenience to do company work.  The only apps installed are the ones
required for doing your work, and the only approved activities are those
that pertain to doing your work.  It's not your personal PC to do with as
you please.  That sounds more like a home computer.  :)


-- 
Freddie Cash
fjwc...@gmail.com


Re: [Clamav-users] [Windows] How does ClamAV compare with closed-source alternatives?

2010-05-12 Thread Freddie Cash
On Wed, May 12, 2010 at 9:01 AM, Alain Zidouemba
wrote:

> > ClamAV can only detect malware, it does not clean or even quarantine
> > anything.
>
> ClamAV does not just detect malware, it can can quarantine it.


Since when?  As long as I've been using it, it's been a detection-only
system.  The frameworks that use ClamAV (milter, amavisd, etc) handle the
quarantining.  All ClamAV does is say "file good" or "file bad".


> > And it's geared toward e-mail, which means the focus of the AV DB will be
> > threats that use e-mail as an attack vector.  As such, you won't find
> > signatures in the DB for things like boot sector viruses, or rootkits, or
> > things like that.
>
> The focus of the AV DB is not just threats that use email as an attack
> vector, but rather malware that can make its way to end-users'
> machines, regardless of the vector of attack.
>

That could be, although everything I've seen on this list has been that
ClamAV is geared toward e-mail-based malware.

-- 
Freddie Cash
fjwc...@gmail.com


Re: [Clamav-users] [Windows] How does ClamAV compare with closed-source alternatives?

2010-05-12 Thread Freddie Cash
On Wed, May 12, 2010 at 6:08 AM, Fred-145 wrote:

> I searched the archives of this mailing-list (the web interface to the
> archives of the ClamWin doesn't provide a search option) and read the links
> provided in the subscription e-mail (www.clamav.net/support/ml,
> www.clamav.net/support/faq, wiki.clamav.net), but only found a single
> thread from 2004 on the subject.
>
> I like the fact that ClamAV is open-source, but I can only recommend
> ClamAV-included live CDs (like www.trinityhome.org or www.sysresccd.org)
> to customers if it's as reliable as the closed-source leaders such as
> Kaspersky or AVG in detecting (and ideally, fixing) viruses on Windows
> hosts.
>
> Is there a recent and unbiased review of ClamAV vs. closed-source
> alternatives?
>
>

ClamAV can only detect malware, it does not clean or even quarantine
anything.

And it's geared toward e-mail, which means the focus of the AV DB will be
threats that use e-mail as an attack vector.  As such, you won't find
signatures in the DB for things like boot sector viruses, or rootkits, or
things like that.

If you need something to go on a LiveCD for scanning, repairing, and
recovering Windows systems, ClamAV is not what you want.

-- 
Freddie Cash
fjwc...@gmail.com


Re: [Clamav-users] Some doubts about Clamav upgrade

2010-05-04 Thread Freddie Cash
On Tue, May 4, 2010 at 5:11 PM, Dennis Peterson wrote:

> On 5/4/10 1:25 PM, Freddie Cash wrote:
>
>  Add the volatile repo to /etc/apt/sources.list, if it's not already there.
>>
>> Then it's a simple:
>>   aptitude update
>>   aptitude install clamav-daemon clamav-freshclam
>>
>> aptitude will install everything else automatically.
>>
>
> Does it first uninstall the existing version?
>

If it was installed as a .deb package (via dpkg, apt, aptitude, whatever),
then yes.

-- 
Freddie Cash
fjwc...@gmail.com


Re: [Clamav-users] Some doubts about Clamav upgrade

2010-05-04 Thread Freddie Cash
On Tue, May 4, 2010 at 1:15 PM, Wagner Pereira wrote:

> I am heading to upgrade my Clamav version, from 0.93 to 0.96.
>
> I found out this page below and I need to know:
>
> 1. If it is necessary to install all of these Debian packages and
> 2. The note says: "Depending on your installation method" do this... or
> that... - so, how can I know what method was used to?
>
> 
> http://wiki.clamav.net/bin/view/Main/DebianInstall
>
> TWiki> Web Main>ClamPackages>DebianInstall (2010-05-04,
> NormanDHigginbotham)
>
> Available packages
> clamav-getfiles - Update script for clamav
> clamav - antivirus scanner for Unix
> clamav-base - base package for clamav, an anti-virus utility for Unix
> clamav-daemon - antivirus scanner daemon
> clamav-data - clamav data files
> clamav-docs - documentation package for clamav, an anti-virus utility for
> Unix
> clamav-freshclam - downloads clamav virus databases from the Internet
> clamav-milter - antivirus scanner for sendmail
> clamav-testfiles - use these files to test that your Antivirus program
> works
> clamav-dbg - debug symbols for clamav
>

Add the volatile repo to /etc/apt/sources.list, if it's not already there.

Then it's a simple:
  aptitude update
  aptitude install clamav-daemon clamav-freshclam

aptitude will install everything else automatically.
-- 
Freddie Cash
fjwc...@gmail.com


Re: [Clamav-users] My first question in this mailing list

2010-05-04 Thread Freddie Cash
On Tue, May 4, 2010 at 12:48 PM, Wagner Pereira wrote:

> Hi, everyone.
>
> How can I see my Clamav's version?
>
> The thing is: my freshclam.log is warning me "WARNING: Your ClamAV
> installation is OUTDATED!"
>
> I am reading the Clamav's official FAQ right now, but I just need to know,
> before upgrade it, what is its version.
>
> Thanks in advance.
>

When in doubt, check the man page.  Doing so for freshclam or clamscan
shows:
freshclam --version
clamscan --version

-- 
Freddie Cash
fjwc...@gmail.com


Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Freddie Cash
On Fri, Apr 16, 2010 at 2:17 PM, Giampaolo Tomassoni <
giampa...@tomassoni.biz> wrote:

> Because I'm a bit old. And I like freedom. And I prefer to have to bother
> with mailing lists and bulletin reports and have the control of systems,
> instead of put my work in the hand of people who could change the rules at
> will.
>
> An open-source project is not supposed to change rules at will. The license
> itself of open source software is often oriented toward this view, such
> that
> it guarantees people to keep using software they already got, even when the
> project becomes a completely commercial one.
>

Wow, not even close.  OSS licenses cover what you can do with the source
code.  Nothing more.  Nothing less.  And there's nothing stopping you from
grabbing the clamav source code, rewriting freshclam to ignore updates past
the 14th of April, and making that available to the world.  *THAT* is the
point of OSS ... you have the freedom to do whatever you want with the
source code.

There's nothing in any OSS license that says the software will always work,
that the software will be bug free, that all future updates will work with
any previous version, etc.


> Because the open-source idea is
> all based on freedom.
>

Not in the way you think it is.

-- 
Freddie Cash
fjwc...@gmail.com


Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Freddie Cash
On Fri, Apr 16, 2010 at 5:40 AM, Simon Hobson wrote:

> Török Edwin wrote:
>
>> On 04/16/2010 03:17 PM, Giampaolo Tomassoni wrote:
>>>> It was explicitly stated that clamd will be disabled.
>>>
>>> In which language?
>>
>> "Starting from 15 April 2010 our CVD will contain a special signature
>> which disables all clamd installations older than 0.95"
>>
>> http://www.clamav.net/lang/en/2009/10/05/eol-clamav-094/
>>
>
> Could you please point out where in this log extract it mentions anything
> about the software getting remotely turned off ?
>
Nowhere, since that's not the version that is affected.  It's only versions
older than 0.95.  0.95 still runs along just fine.  We're still using 0.95.3
just fine.


>> Received signal: wake up
>> ClamAV update process started at Fri Apr 16 10:26:14 2010
>> WARNING: Your ClamAV installation is OUTDATED!
>> WARNING: Local version: 0.95.3 Recommended version: 0.96
>> DON'T PANIC! Read http://www.clamav.net/support/faq
>> main.cvd is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven)
>> daily.cvd is up to date (version: 10751, sigs: 52057, f-level: 51, builder: guitar)
>>
>
-- 
Freddie Cash
fjwc...@gmail.com
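
The "version", "sigs" and "f-level" numbers in the freshclam output quoted above are read from the 512-byte text header at the front of each .cvd (and .cld) file. The script below is an added example, not ClamAV project code: it parses that header directly and applies the two checks this thread turns on, how far behind a given current version the local file is, and whether the database's f-level is higher than the installed engine supports (freshclam reports the latter as a "Current functionality level" warning). The sample header is constructed from the daily.cvd values quoted above; its MD5, signature and build-time fields are made up, and the latest_version and engine_flevel arguments are values you supply from your own source of truth.

```python
"""Read a ClamAV .cvd/.cld header and check it against an expected version
and engine functionality level.  Added example, not ClamAV project code."""
from dataclasses import dataclass

HEADER_LEN = 512  # fixed-size, space-padded text header in front of the tarball


@dataclass
class CvdHeader:
    date: str      # build date; '-' between hours and minutes since ':' is the separator
    version: int   # what freshclam prints as "version:"
    sigs: int      # signature count
    flevel: int    # functionality level the engine must support to load this file
    md5: str
    dsig: str      # ClamAV's signature over the file, checked by freshclam/libclamav
    builder: str
    stime: int     # build time, Unix timestamp


def parse_cvd_header(raw: bytes) -> CvdHeader:
    """Parse the leading bytes of a .cvd or .cld file.

    Layout: ClamAV-VDB:<date>:<version>:<sigs>:<flevel>:<md5>:<dsig>:<builder>:<stime>
    """
    if len(raw) < HEADER_LEN:
        raise ValueError("short read: a CVD header is %d bytes" % HEADER_LEN)
    text = raw[:HEADER_LEN].decode("ascii").rstrip(" \x00")
    fields = text.split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 9:
        raise ValueError("not a ClamAV-VDB header: %r" % text[:40])
    return CvdHeader(date=fields[1], version=int(fields[2]), sigs=int(fields[3]),
                     flevel=int(fields[4]), md5=fields[5], dsig=fields[6],
                     builder=fields[7], stime=int(fields[8]))


def read_cvd_header(path: str) -> CvdHeader:
    """Only the header is needed; the multi-megabyte body is never read."""
    with open(path, "rb") as fh:
        return parse_cvd_header(fh.read(HEADER_LEN))


def versions_behind(hdr: CvdHeader, latest_version: int) -> int:
    """How far the local file trails the version you consider current
    (freshclam takes that number from the DNS TXT record it polls)."""
    return max(0, latest_version - hdr.version)


def needs_newer_engine(hdr: CvdHeader, engine_flevel: int) -> bool:
    """True when the database asks for a functionality level the installed
    engine does not have; freshclam logs this as a functionality-level warning."""
    return hdr.flevel > engine_flevel


def build_sample_header(version: int = 10751, sigs: int = 52057, flevel: int = 51,
                        builder: str = "guitar") -> bytes:
    """Constructed header for offline use.  The numbers follow the daily.cvd line
    quoted in the thread; MD5, signature and build time are made up."""
    fields = ["ClamAV-VDB", "16 Apr 2010 09-55 -0400", str(version), str(sigs),
              str(flevel), "0" * 32, "fake-dsig", builder, "1271425200"]
    return ":".join(fields).encode("ascii").ljust(HEADER_LEN, b" ")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        name, hdr = sys.argv[1], read_cvd_header(sys.argv[1])
    else:
        name, hdr = "sample", parse_cvd_header(build_sample_header())
    print("%s: version %d, %d sigs, f-level %d, builder %s"
          % (name, hdr.version, hdr.sigs, hdr.flevel, hdr.builder))
```

Run it with the path to daily.cvd (or daily.cld) in your DatabaseDirectory to see what is actually on disk, independently of what freshclam last logged.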

Re: [Clamav-users] Automating freshclam

2010-04-09 Thread Freddie Cash
On Fri, Apr 9, 2010 at 6:49 AM, Alex  wrote:

>> Also, in my installation, the documentation can be found in both
>> clamd.conf (under "Perform a database check SelfCheck xxx") and in man
>> clamd.conf (under "Directives -> SelfCheck NUMBER"). It does seem a bit
>> vague as only in clamd.conf does it indicate what the value might mean
>> ("Default: 600 (10 min)").
>
> I guess it is a little vague, because I don't understand what you mean
> even here.
>
> I assumed the database check was an integrity check, not an update check,
> right?
>
Correct.  The setting in clamd.conf tells clamd to double-check the loaded
database, and to reload it from disk if there are any issues.


> How does this parameter relate to freshclam in any way, particularly
> for database updates?
>
It doesn't.

The Checks parameter in freshclam.conf tells the freshclam daemon how often
to poll the update servers to see if there are updated database files to
download.

-- 
Freddie Cash
fjwc...@gmail.com


Re: [Clamav-users] Automating freshclam

2010-04-08 Thread Freddie Cash
On Thu, Apr 8, 2010 at 10:40 PM, Alex  wrote:

> I'm a bit confused on the "Checks" variable in freshclam.conf. In
> various places on the website and elsewhere, it seems to indicate that
> freshclam should be run manually (periodically in cron) to update the
> virus databases. However, the "Checks" variable implies that it is
> perhaps being automatically spawned periodically by clamd and there is
> no need to automate this in cron?
>
> Is it then necessary to somehow signal clamd to run freshclam?
>
> In the past it has always been necessary to run it from cron, I believe.
>
> Where is this documented?
>

There's always been 2 ways to run freshclam:
  - manually, either via the CLI or via cron
  - as a daemon

If run via cron, the Checks parameter has no meaning.

If run as a daemon, the Checks parameter specifies how many times a day the
daemon should check for updates.

-- 
Freddie Cash
fjwc...@gmail.com


Re: [Clamav-users] load issues due to sanesecurity signatures

2009-11-05 Thread Freddie Cash
On Thu, Nov 5, 2009 at 11:46 AM, Steve Basford
 wrote:
> Freddie Cash wrote:
>>
>> Yes, I still have this directory.  If anyone is interested in it, I
>> can tar it up and make it available.  Can also tar up the working
>> directory if needed.
>
> Yep, I'll take a look and see if I can see anything this end.
>
> Cheers,
> Steve
> Sanesecurity

http://www.sd73.bc.ca/downloads/clamav-libdir-broken.tbz2
http://www.sd73.bc.ca/downloads/clamav-libdir-working.tbz2

Enjoy!  :)

-- 
Freddie Cash
fjwc...@gmail.com

Re: [Clamav-users] load issues due to sanesecurity signatures

2009-11-02 Thread Freddie Cash
On Mon, Nov 2, 2009 at 1:45 PM, Tom Shaw  wrote:

> At 4:10 PM -0600 11/2/09, Noel Jones wrote:
>
>> On 11/2/2009 1:42 PM, Avinash wrote:
>>
>>> Hi everyone,
>>>
>>> We are using Sanesecurity signatures in clamd for scanning mails.
>>> Recently we are seeing some load issues on the clamd server due to
>>> Sanesecurity signatures (load automatically decreases when the
>>> Sanesecurity sigs are removed).
>>>
>>> Has anyone faced this issue before? Sanesecurity sigs are much needed to
>>> catch spam; is there any way that I can fix this issue? Please help me.
>>>
>>>
>> Likely just one of the signature files is causing problems. Try disabling
>> them one at a time until load comes down to an acceptable level.  I'd start
>> with winnow.complex.patterns.ldb.
>>
>
> Just a question. Why disable a file that currently has only 2 rules in it?
> Wouldn't you want to 1) determine what he has enabled? After all
> safebrowsing is humongous, 2) what hardware configuration and scan volume he
> is using and 3) what else is running on the machine?
>
> After all there are a lot of us using all Sanesecurity files and
> safebrowsing with no issues which would lead one to believe that there is
> not a signature file that is causing problems but more probably the
> interaction of light hardware, higher data volume and other processes
> running on the server coupled with a large number of signatures.
>
> Lets first look at what Avinash wrote. He said all was well with ClamAV and
> SaneSecurity signatures until recently.
>

clamd on our mail server started hogging 100% of both CPUs, and mail started
backing up like crazy.  This started last Thursday evening.  I played with
the Postfix, Amavisd-new, and Clamd settings all Friday morning trying to
figure this out and clear out the backlog of messages.

On a whim, I renamed the clamav database directory, ran freshclam to get
just the basic signatures, and restarted clamd.  Number of signatures went
from 925,000+ to under 600,000, and CPU usage dropped to below 20%.  Cleared
out 1200 messages from the queue in under 15 minutes.  Reran the script to
download all the extra signature databases, putting the total back up over
700,000, and still the CPU usage is under 20%.

Haven't had any issues since then, so can't really say if it was a corrupted
database, a bad signature, or exactly what the issue was.  Don't have any
plans to test the old copies of the database files, as I don't want to mess
with things now that they are working again.  :)

Something strange happened to the database files last week.  This week,
everything is fine.
-- 
Freddie Cash
fjwc...@gmail.com


Re: [Clamav-users] Script updated: clamav-unofficial-sigs.sh (v3.2)

2009-05-14 Thread Freddie Cash
On Thu, May 14, 2009 at 4:03 PM, Bill Landry  wrote:
>> In the actual script itself, it all references
>> /etc/clamav-unofficial-sigs.conf, which is different from the *.cron
>> file, where everything references
>> /usr/local/etc/clamav-unofficial-sigs.conf.
>
> Yes, because /etc is the default location for the config file.  If you use
> the '-c' flag, you can use any config file located wherever you want.
>
>> And the INSTALL file references both locations.
>
> Yes, again because you can run the script with multiple different config
> files, and with each one setup differently, if you want.

Well, the release notes say one thing, the install file says another,
and the script says different, which is why I made the comment.

>> Perhaps it's time to cook up a Makefile or an install script that uses
>> sed to alter the paths in the cron/man/script and then copies the
>> files into the correct locations.  :)
>
> Why, the script was intentionally setup this way?  You can decide to use
> the default config file location, an alternative location, or both - it's
> up to you.  And this will not change.

Which is fine.  But the docs don't match the script.  The only reason
I brought it up was that it was mentioned in the release notes.

-- 
Freddie Cash
fjwc...@gmail.com

Re: [Clamav-users] Script updated: clamav-unofficial-sigs.sh (v3.2)

2009-05-14 Thread Freddie Cash
On Thu, May 14, 2009 at 11:37 AM, Bill Landry  wrote:
> Just a couple of changes in this release.  Most importantly, fixed a
> misplaced echo command that was causing empty cron messages to be sent,
> even if all silence options in script's config were set and no error
> conditions existed.  If all silence options are now set, the script should
> once again only send cron emails when error conditions are detected.
>
> Here's what has changed with this release (from the CHANGELOG):
>
> Version 3.2 (updated 2009-05-14)
> - Repositioned a badly placed 'echo' command that was causing empty
>  cron emails to be sent even if all silence variables were set in
>  the config file and no error conditions existed.  Issue reported
>  by Andreas PrieB.
> - Added a '-b' switch that can be used to create a bypass signature
>  for local.ign in order to temporarily resolve false-positive issues
>  with a third-party signature.  The local.ign file will automatically
>  be deleted once its timestamp shows the last change time to be at
>  least 24 hours old.  This is done in order to keep bypass entries
>  from becoming stale.
> - Updated the README and INSTALL documents, and the manual page.  Also
>  updated the cron file to point the script location to /usr/local/bin/
>  instead of /usr/bin/.  This also matches the base path to the config
>  file (/usr/local/).

In the actual script itself, it all references
/etc/clamav-unofficial-sigs.conf, which is different from the *.cron
file, where everything references
/usr/local/etc/clamav-unofficial-sigs.conf.

And the INSTALL file references both locations.

Perhaps it's time to cook up a Makefile or an install script that uses
sed to alter the paths in the cron/man/script and then copies the
files into the correct locations.  :)

-- 
Freddie Cash
fjwc...@gmail.com

Re: [Clamav-users] 0.95 compile problem on FreeBSD 4.8

2009-04-01 Thread Freddie Cash
On April 1, 2009 8:13 am Mark wrote:
> -Original Message-
> From: clamav-users-boun...@lists.clamav.net
> [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Steffan
> Vigano Sent: dinsdag 31 maart 2009 23:01
> To: clamav-users@lists.clamav.net
> Subject: [Clamav-users] 0.95 compile problem on FreeBSD 4.8
>
> > We're getting compilation errors trying to compile the latest version
> > on an older FreeBSD box. Prior to 0.95 all versions compiled up fine
> > and we are not seeing the same thing on some of our newer fBSD
> > machines. No special switches during configure, we just use the
> > vanilla: ../configure, make, make install.   I've trolled the mailing
> > list, Google, etc and can't find anything that stands out.  Can anyone
> > shed some light?
>
> Running ./configure seems to suggest you weren't installing from ports.
> Correct? If so, that's not very wise (unless you REALLY know what you're
> doing,) as the ports usually contain specific, local FreeBSD patches.
>
> I'm still using a FreeBSD 4.11 system myself, and so far so good. :) For
> stuff that won't compile any more, what's to stop you from going to
> /usr/ports/lang/gcc44, and compile yourself a shiny new compiler?

The FreeBSD ports tree removed support for 4.x systems many a year ago.  
Using the ports tree updated beyond the EOL date is not guaranteed to work, 
and no PRs or bug reports will be looked at if using a 4.x system.

Anyone still using FreeBSD 4.x is on their own to make the ports tree work, 
and would probably be better off installing/managing software on their own.

-- 
Freddie
fjwc...@gmail.com


Re: [Clamav-users] Can anybody direct me to the correct postfix/amavis-new clamav configuration

2009-02-27 Thread Freddie Cash
On February 27, 2009 8:32 am Goodman, William wrote:
> I'm running postfix and amavisd-new, spamassassin and clamav. I have all
> the daemons running and mail is getting
> filtered through amavisd-new (as per the header), I'm trying to get
> spammassassin and clamav configured with
> postfix. I don't know if my mail is being filtered. Could someone point
> me in the right direction, Google is wearing me out.

You don't configure SpamAssassin and ClamAV to work with Postfix.  You 
configure them to work with Amavisd-new.  Amavisd-new provides the glue 
between postfix and all the scanners/filters.

So long as Postfix can send mail to amavisd-new, and amavisd-new can send 
the mail back to Postfix, then all you have to do is make sure amavisd-new 
is configured to correctly use SA and Clam.
-- 
Freddie
fjwc...@gmail.com
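
The "glue" amavisd-new provides is a socket conversation with clamd: its stock @av_scanners entry for clamd sends a CONTSCAN of the directory where it unpacked the message, which is why clamd's uid needs read access to amavisd's tempdir. The script below is an added example, not amavisd-new or ClamAV code, that shows what that conversation looks like on the wire: a minimal clamd client (PING, VERSION and INSTREAM, the last one streaming the bytes so clamd never has to open a file) and a stand-in server, FakeClamd, that speaks just enough of the protocol for the example to run without ClamAV installed. The loopback TCP port is an assumption for the example; a real clamd is normally reached through the LocalSocket path from clamd.conf.

```python
"""Minimal clamd protocol client plus an offline stand-in server.
Added example; not amavisd-new or ClamAV code."""
import socket
import struct
import threading

# Standard anti-virus test string; every scanner, clamd included, flags it.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def _recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def _recv_until_nul(conn):
    buf = b""
    while not buf.endswith(b"\0"):
        buf += _recv_exact(conn, 1)
    return buf[:-1]


class ClamdClient:
    """One connection per command, as amavisd-new's ask_daemon() does.  The
    'z' prefix asks clamd for NUL-terminated replies ('n' means newline)."""

    def __init__(self, host, port):
        self.addr = (host, port)

    def _command(self, cmd, send_body=None):
        with socket.create_connection(self.addr) as s:
            s.sendall(b"z" + cmd + b"\0")
            if send_body is not None:
                send_body(s)
            return _recv_until_nul(s).decode()

    def ping(self):
        return self._command(b"PING")

    def version(self):
        return self._command(b"VERSION")

    def instream(self, data, chunk_size=4096):
        """Stream bytes as 4-byte big-endian length-prefixed chunks ended by a
        zero-length chunk.  Unlike CONTSCAN, clamd never opens the file itself,
        so its uid needs no access to amavisd's tempdir."""
        def send_body(s):
            for i in range(0, len(data), chunk_size):
                part = data[i:i + chunk_size]
                s.sendall(struct.pack("!I", len(part)) + part)
            s.sendall(struct.pack("!I", 0))
        return self._command(b"INSTREAM", send_body)


class FakeClamd(threading.Thread):
    """Stand-in so the example runs without ClamAV.  It is NOT clamd: it only
    answers PING, VERSION and INSTREAM, and 'detects' nothing but EICAR."""

    def __init__(self):
        super().__init__(daemon=True)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))  # ephemeral loopback port
        self.listener.listen(5)
        self.port = self.listener.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.listener.accept()
            with conn:
                try:
                    self._serve(conn)
                except OSError:
                    pass  # client went away mid-command; keep serving

    def _serve(self, conn):
        cmd = _recv_until_nul(conn)
        if cmd == b"zPING":
            conn.sendall(b"PONG\0")
        elif cmd == b"zVERSION":
            conn.sendall(b"ClamAV 0.95.3/10751/Fri Apr 16 10:26:14 2010\0")
        elif cmd == b"zINSTREAM":
            data = b""
            while True:
                (n,) = struct.unpack("!I", _recv_exact(conn, 4))
                if n == 0:
                    break
                data += _recv_exact(conn, n)
            verdict = b"Eicar-Test-Signature FOUND" if EICAR in data else b"OK"
            conn.sendall(b"stream: " + verdict + b"\0")
        else:
            conn.sendall(b"UNKNOWN COMMAND\0")


def start_fake_clamd():
    """Start the stand-in in a background thread and return its port."""
    srv = FakeClamd()
    srv.start()
    return srv.port


if __name__ == "__main__":
    client = ClamdClient("127.0.0.1", start_fake_clamd())
    print(client.ping(), "|", client.version())
    print(client.instream(b"plain text body"))
    print(client.instream(b"attachment: " + EICAR))
```

Point ClamdClient at a real clamd that has TCPSocket/TCPAddr set in clamd.conf and the same PING and INSTREAM exchange works unchanged; the stand-in exists only so the framing can be exercised offline.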


Re: [Clamav-users] Frequency of virus attacks

2008-06-13 Thread Freddie Cash
On Fri, Jun 13, 2008 at 9:21 PM, Eggert Ehmke <[EMAIL PROTECTED]> wrote:
> Since I installed ClamAV on my mail server, I did not get one single mail with
> a virus attached. Other spam mail is filtered out by DSpam. When I send some
> test mail to my own address and attach some test virus, it is detected by
> ClamAV. Is this the expected behaviour? I would have expected to get some
> real viruses sooner or later. So I get the impression that real attacks are
> not as frequent as expected, or am I just lucky?

How many messages are being processed per day?  For how many accounts?
And what percentage of those accounts are Windows stations?

The higher those numbers, the higher the likelihood you'll see
infected messages reach your mail server.

We process around 2.3 million messages a month, with about 1.7
million of those blocked as spam at the SMTP level, about 300,000
blocked as spam by amavis/spamassassin/dspam, another 50,000 or so
tagged as possible spam but still delivered, and maybe 20,000
blocked as infected.  The rest go through.

So they're still out there.  :)

-- 
Freddie Cash
[EMAIL PROTECTED]


Re: [Clamav-users] I need to refute a 'security expert'

2007-11-19 Thread Freddie Cash
On November 19, 2007 02:06 pm Dennis Peterson wrote:
> Derick Centeno wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> >
> > Which is why my primary system is not OS X, but rather Yellow Dog
> > Linux (YDL)!
>
> This highlights the big gripe I have with Linux. You can't even talk
> about it without immediately indicating which vendor's Linux.

There's not much difference between that and specifying which version of 
Windows you are talking about, or which version of MacOS X.  
Replace "Linux" with "Windows" and "vendor" with "version" to see what I 
mean.

The problem is not that "Linux" is fragmented.  The problem is that people 
equate "Debian Linux", "RedHat Linux", "Fedora Linux", "SuSE Linux" with 
the word Linux.  It's the general population that has co-opted the word 
Linux to mean more than what it should.

It's like people saying "Windows" when they actually mean "Windows Vista" 
or "Windows XP" or "Windows 2000" or "Windows 98", etc.  Replace Windows 
with MacOS X and the issue is the same.

Don't blame the OS for people who can't use the correct term.  :)  We just 
need to start beating people with clue bats that there is no such beast 
as "Linux" the OS.

-- 
Freddie Cash, LPIC-2 CCNT CCLP  Network Support Technician
School District 73  (250) 377-HELP [377-4357]
[EMAIL PROTECTED]
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Phishing feature defaults, naming, and 0.92

2007-11-16 Thread Freddie Cash
On 11/16/07, rick pim <[EMAIL PROTECTED]> wrote:
>
> David F. Skoll writes:
> > But you are missing the point.  The problem is not the
> configfiles.  Anyone
> > can easily edit a config file.
> >
> > The problem is that new behaviour suddenly appears when using an *old*
> > configfile.  It's the hard-coded defaults in the source that are the
> problem.
>
> i'm probably going to get my tuchis flamed off here, but
>
> this is pre-version-1.0 software: it's a beta. who on earth upgrades
> from one beta to another and uses the same configfile???


In the world of open-source, pre-1.0 version numbers *do not* equal beta
status.  There are some projects that have dozens of stable,
production-quality releases, without ever hitting 1.0.

These are stable, production-ready releases.

-- 
Freddie Cash
[EMAIL PROTECTED]


Re: [Clamav-users] PhishingScanURLs is dreadfully slow/CPU-intensive

2007-10-30 Thread Freddie Cash
On October 29, 2007 06:53 pm Joe Clements wrote:
> For what it is worth, Linux will only forge ahead in the market by
> improvements in 2 areas. One of them is security. I would like to see
> 1 security suite which has the capability to deal with ALL threats.
> Windows security has to have an anti virus, anti trojan, adware and
> malware protection, an anti browser hijacker, a rootkit checker, a
> secure firewall, and these are all separate programs. Pardon me if I
> missed one out. When Linux guarantees protection from all these
> threats in 1 package, then one major hurdle holding back a greater
> uptake of Linux will have been removed.

That flies in the face of the Unix philosophy of having a large toolkit 
full of small, single-purpose apps that do one thing, one thing only, and 
one thing really really well.  Multi-purpose, jack-of-all-trades, 
swiss-army-knife bloatware is a Windows thing.  Let's keep it there.

-- 
Freddie Cash, LPIC-2 CCNT CCLP  Network Support Technician
School District 73  (250) 377-HELP [377-4357]
[EMAIL PROTECTED]


Re: [Clamav-users] speeding up clamav

2007-09-10 Thread Freddie Cash
On September 10, 2007 01:31 am Andy Fiddaman wrote:
>> Res wrote:
>>> On Sun, 9 Sep 2007, Dennis Peterson wrote:
>>>
>>>> F-PROT Antivirus for Solaris Mail Servers
>>>>  Number of Users   Annual license fee
>>>>  1-10              US$ 130
>>>>  11-24             US$ 250
>>>>  25-49             US$ 399
>>>>  50-99             US$ 499
>>>>  100-199           US$ 799
>>>>  200-299           US$ 1099
>>>>
>>>> dp
>>>
>>> I won't shock you with what the cost is for 700K users :)
>>> clamd is fast enough for secondary MX's though.
>>>
>>> F-Prot's BS licensing is one reason we are trying to move away from
>>> it, but it's hard when nothing comes close to it in speed. It's
>>> still cheaper with the license (only just) than buying extra
>>> hardware to further distribute the load more than we do now; if we
>>> can get HP to come to a good deal that makes it even equal the
>>> cost, we'll dump F-Prot on principle.
>
> We currently use F-Prot, Sophos and ClamAV in parallel and, with our
> volume, the contribution of F-Prot to the cost is almost negligible.
> In real terms ClamAV does actually cost us more overall but it's well
> worth it!
>
> F-Prot's licence costs are among the cheapest in the industry, just try
> looking at the cost of Sophos, McAfee or Kaspersky licences!

Kaspersky AV is cheap, if you just use their daemon scanner and not their 
SMTP proxy scanner.  That way, there's no per-account licensing to worry 
about.

> ClamAV's price point is far better of course.. and it's performance in
> terms of detection rates far outstrips most of the competition. We
> really only have the commercial scanners in there because customers
> want to see them for confidence and that may well change in the future
> thanks to Sourcefire.

-- 
Freddie Cash, LPIC-2 CCNT CCLP  Network Support Technician
School District 73  (250) 377-HELP [377-4357]
[EMAIL PROTECTED]


Re: [Clamav-users] Sourcefire's acquisition of ClamAV -- Will ClamAV become close source ?

2007-08-27 Thread Freddie Cash
On August 27, 2007 06:30 am Sergei Lavrov wrote:
> Does this mean ClamAV will become closed source
> sometime in the future?

Read through the mailing list archives for this month, there's a 
super-long thread on this subject in there.

-- 
Freddie Cash, LPIC-2 CCNT CCLP  Network Support Technician
School District 73  (250) 377-HELP [377-4357]
[EMAIL PROTECTED]


Re: [Clamav-users] Problems with installation

2007-08-02 Thread Freddie Cash
On August 2, 2007 01:42 pm Steven wrote:
> Freddie Cash wrote:
> > Note:  The latest version of the ports tree that will successfully
> > work with FreeBSD 4.x must be cvsupped using tag=FREEBSD_4_EOL and
> > *not* tag=. like normal.  After that tag was put on the ports tree,
> > the ports team ripped out all support for building ports on FreeBSD
> > 4.x.
> >
> > If you want to install newer versions of software than what is in the
> > FREEBSD_4_EOL ports tree, you will need to either upgrade to FreeBSD
> > 6.x, or install it manually via source tarballs and
> > the "standard" './configure; make; make install' method, taking extra
> > care to get the ./configure --options right.
>
> I have empirical evidence that says otherwise.  I have quite a few 4.11
> boxes that have worked fine with the latest ports tree.  I have
> installed Clamav 0.91.1 with it.  All the ports may not work but
> every one I have tried has.

It's nice that you have been lucky so far, but don't count on that lasting 
forever.  :)  Ports maintainers are actively removing all checks and 
patches for making things work on FreeBSD 4.x.  At some point, you will 
not be able to use the stock ports tree on your 4.x boxes.

-- 
Freddie Cash, LPIC-2 CCNT CCLP  Network Support Technician
School District 73  (250) 377-HELP [377-4357]
[EMAIL PROTECTED]


Re: [Clamav-users] Problems with installation

2007-08-02 Thread Freddie Cash
On August 2, 2007 12:36 pm Marshall Dudley wrote:
> Steven wrote:
> > Peter Boosten wrote:
> >> Marshall Dudley wrote:
> >>> Any ideas?  Visa and Mastercard are insisting that I put a virus
> >>> scanner on the server, and this is the only one I can find. They
> >>> also insist that any upgrades have to go through a long process,
> >>> which would probably take a month on the OS, and if I don't get
> >>> this done in a few days, they may shut me down.
> >
> > You can make it work but you will probably have to update your
> > FreeBSD version to something newer if you want to use the ports. 
> > Somewhere along the line they changed some of the port scripts that
> > broke building them on some of the older 4.x versions.  I can confirm
> > for you that the latest Clamav will build from ports and run fine on
> > FreeBSD 4.11.  I believe it may even work on 4.10.
> >
> > You will also have to update your ports tree as Clamav 0.54 is so old
> > you won't want to run it.
>
> I am upgrading my ports tree now, hopefully that will fix it.

Note:  The latest version of the ports tree that will successfully work 
with FreeBSD 4.x must be cvsupped using tag=FREEBSD_4_EOL and *not* tag=. 
like normal.  After that tag was put on the ports tree, the ports team 
ripped out all support for building ports on FreeBSD 4.x.

If you want to install newer versions of software than what is in the 
FREEBSD_4_EOL ports tree, you will need to either upgrade to FreeBSD 6.x, 
or install it manually via source tarballs and 
the "standard" './configure; make; make install' method, taking extra 
care to get the ./configure --options right.

-- 
Freddie Cash, LPIC-2 CCNT CCLP  Network Support Technician
School District 73  (250) 377-HELP [377-4357]
[EMAIL PROTECTED]


Re: [Clamav-users] *.cvd again!

2007-04-13 Thread Freddie Cash
On Friday 13 April 2007 09:25 am, Dennis Peterson wrote:
> Freddie Cash wrote:
> > On Thursday 12 April 2007 06:53 pm, Dennis Peterson wrote:
> >> And just an fyi, be cautious of the MSRBL-Images file. Rechecking it
> >> while I was typing this shows that with it in place it will cause
> >> the clamd cpu to rise to 90% and stay there. At 11M it may be too
> >> big to be practical.
> >
> > I think that really depends on your CPU.  Running 4 parallel checks
> > of the MSRBL-Images.hdb file (9 MB on my system since our provider
> > has blocked rsync for the past couple weeks) only drops the CPUs'
> > idle % by 15 (85% idle).
> >
> > Of course, our main mail server is a dual-Opteron @ 2 GHz with 4 GB
> > of RAM.  YMMV.  :)
>
> I'm running dual proc Sun Sparc systems, and the cpu usage from clamd
> appears to be an unhealthy kind of cpu usage. It sits at 95%, and
> running truss does not return anything - just an empty screen. I can't
> tell what it's doing, but it is definitely using the processors.
> Removing the MSRBL-Images file eliminates the problem. So - what is the
> cost? I checked the logs and found only 5 files found out of 10,000
> found by SaneSecurity. I think I won't miss the MSRBL contribution.

Let's re-do this using the correct parameters for grep and the right name 
for the signatures.

Heh, lucky you.  :)

Out of the 4199 messages blocked as "infected" so far this month, 289 of 
them were marked as MSRBL-Images/* by amavisd-new and clamav.  
If we took out the MSRBL-Images database, we'd hear about it quite 
quickly from our users.  Between that and the FuzzyOCR plugin for 
SpamAssassin, we've pretty much eliminated image spam.

Looking at March's stats, 1493 out of 10840 "infected" messages were 
blocked by the MSRBL-Images database.

As with much in life, it all depends.  :)

-- 
Freddie Cash, LPIC-2 CCNT CCLP  Network Support Technician
School District 73  (250) 377-HELP [377-4357]
[EMAIL PROTECTED]
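
The per-database numbers above come from grepping amavisd-new's log for the name each signature database stamps on its detections, and the correction in this thread shows how easy it is to count the wrong database by grepping for the wrong name (Html.Img.*.Sanesecurity is Sanesecurity, not MSRBL-Images). The script below is an added example, not amavisd-new or ClamAV code, that keys on the signature names inside amavisd-new's "Blocked INFECTED (...)" line instead of a hand-typed grep. The naming patterns assume MSRBL-Images signatures start with "MSRBL-Images" and Sanesecurity signatures contain "Sanesecurity", as the names given in the thread do; the log lines it ships with are constructed.

```python
"""Count which signature database blocked what in an amavisd-new log,
keyed on the signature name.  Added example, not amavisd-new or ClamAV code."""
import re
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# amavisd-new logs one line per message; the part that matters looks like
#   (ID) Blocked INFECTED (Sig.Name.One, Sig.Name.Two), [ip] <from> -> <to>, ...
# "Passed INFECTED" appears instead when the policy lets infected mail through.
INFECTED_RE = re.compile(r"\b(Blocked|Passed) INFECTED \(([^)]+)\)")

# Assumed naming conventions of the two third-party databases in the thread.
# Anything that matches neither is credited to the official databases.
DATABASE_PATTERNS = [
    ("MSRBL-Images", re.compile(r"^MSRBL-Images\b")),
    ("Sanesecurity", re.compile(r"\bSanesecurity\b")),
]


def database_for(sig: str) -> str:
    for name, pattern in DATABASE_PATTERNS:
        if pattern.search(sig):
            return name
    return "official"


def parse_detections(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (action, [signature names]) for an INFECTED line, else None."""
    m = INFECTED_RE.search(line)
    if not m:
        return None
    return m.group(1), [s.strip() for s in m.group(2).split(",") if s.strip()]


def count_blocked(lines: Iterable[str]) -> Tuple[int, Counter]:
    """Total blocked-as-infected messages and per-database counts.  A message
    is credited to each database at most once, so two Sanesecurity hits on one
    message still count as one blocked message for Sanesecurity."""
    total = 0
    per_db = Counter()
    for line in lines:
        parsed = parse_detections(line)
        if parsed is None or parsed[0] != "Blocked":
            continue
        total += 1
        for db in {database_for(sig) for sig in parsed[1]}:
            per_db[db] += 1
    return total, per_db


# Constructed sample (shortened amavisd-new lines, not real traffic).
SAMPLE_LOG = """\
Apr 13 09:01:12 mx amavis[4101]: (4101-01) Blocked INFECTED (MSRBL-Images.Stock.9a7e), [192.0.2.10] <a@example.net> -> <u@example.org>, mail_id: X1
Apr 13 09:02:40 mx amavis[4102]: (4102-02) Blocked INFECTED (Html.Img.Stock.Sanesecurity.07041201), [192.0.2.11] <b@example.net> -> <u@example.org>, mail_id: X2
Apr 13 09:03:05 mx amavis[4103]: (4103-03) Blocked INFECTED (Html.Img.Pill.Sanesecurity.07041202, MSRBL-Images.Pill.1c0f), [192.0.2.12] <c@example.net> -> <u@example.org>, mail_id: X3
Apr 13 09:04:59 mx amavis[4104]: (4104-04) Passed CLEAN, [192.0.2.13] <d@example.net> -> <u@example.org>, mail_id: X4
Apr 13 09:05:30 mx amavis[4105]: (4105-05) Blocked INFECTED (Eicar-Test-Signature), [192.0.2.14] <e@example.net> -> <u@example.org>, mail_id: X5
Apr 13 09:06:02 mx amavis[4106]: (4106-06) Passed INFECTED (Html.Img.Stock.Sanesecurity.07041201), [192.0.2.15] <f@example.net> -> <u@example.org>, mail_id: X6
"""


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    total, per_db = count_blocked(source)
    print("blocked as infected: %d" % total)
    for db, n in per_db.most_common():
        print("  %-14s %5d  (%.1f%%)" % (db, n, 100.0 * n / total))
```

Run it against /var/log/maillog (or wherever amavisd-new logs) for the month in question; extend DATABASE_PATTERNS with the prefix of any other third-party database you load so its hits are not lumped in with "official".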


Re: [Clamav-users] *.cvd again!

2007-04-13 Thread Freddie Cash
On Friday 13 April 2007 01:35 pm, Bill Landry wrote:
> Freddie Cash wrote the following on 4/13/2007 12:43 PM -0800:
> >> I'm running dual proc Sun Sparc systems, and the cpu usage from
> >> clamd appears to be an unhealthy kind of cpu usage. It sits at 95%,
> >> and running truss does not return anything - just an empty screen. I
> >> can't tell what it's doing, but it is definitely using the
> >> processors. Removing the MSRBL-Images file eliminates the problem.
> >> So - what is the cost? I checked the logs and found only 5 files
> >> found out of 10,000 found by SaneSecurity. I think I won't miss the
> >> MSRBL contribution.
> >
> > Heh, lucky you.  :)
> >
> > Out of the 4199 messages blocked as "infected" so far this month,
> > 2072 of them were marked as Html.Img.*.Sanesecurity by amavisd-new
> > and clamav. If we took out the MSRBL-Images database, we'd hear about
> > it quite quickly from our users.
>
> "Html.Img.*.Sanesecurity"  !=  MSRBL-Images.

Doh! You're right, my bad.  Ignore my last post with numbers in it.  :)  
The CPU post was correct, though.

-- 
Freddie Cash, LPIC-2 CCNT CCLP  Network Support Technician
School District 73  (250) 377-HELP [377-4357]
[EMAIL PROTECTED]


Re: [Clamav-users] *.cvd again!

2007-04-13 Thread Freddie Cash
On Friday 13 April 2007 09:25 am, Dennis Peterson wrote:
> Freddie Cash wrote:
> > On Thursday 12 April 2007 06:53 pm, Dennis Peterson wrote:
> >> And just an fyi, be cautious of the MSRBL-Images file. Rechecking it
> >> while I was typing this shows that with it in place it will cause
> >> the clamd cpu to rise to 90% and stay there. At 11M it may be too
> >> big to be practical.
> >
> > I think that really depends on your CPU.  Running 4 parallel checks
> > of the MSRBL-Images.hdb file (9 MB on my system since our provider
> > has blocked rsync for the past couple weeks) only drops the CPUs'
> > idle % by 15 (85% idle).
> >
> > Of course, our main mail server is a dual-Opteron @ 2 GHz with 4 GB
> > of RAM.  YMMV.  :)
>
> I'm running dual proc Sun Sparc systems, and the cpu usage from clamd
> appears to be an unhealthy kind of cpu usage. It sits at 95%, and
> running truss does not return anything - just an empty screen. I can't
> tell what it's doing, but it is definitely using the processors.
> Removing the MSRBL-Images file eliminates the problem. So - what is the
> cost? I checked the logs and found only 5 files found out of 10,000
> found by SaneSecurity. I think I won't miss the MSRBL contribution.

Heh, lucky you.  :)

Out of the 4199 messages blocked as "infected" so far this month, 2072 of 
them were marked as Html.Img.*.Sanesecurity by amavisd-new and clamav.  
If we took out the MSRBL-Images database, we'd hear about it quite 
quickly from our users.  Between that and the FuzzyOCR plugin for 
SpamAssassin, we've pretty much eliminated image spam.

Looking at March's stats, 6796 out of 10840 "infected" messages were 
blocked by the MSRBL-Images database.

As with much in life, it all depends.  :)

-- 
Freddie Cash, LPIC-2 CCNT CCLP  Network Support Technician
School District 73  (250) 377-HELP [377-4357]
[EMAIL PROTECTED]


Re: [Clamav-users] Clamav-0.90.2 compile Error on FreeBSD 4.8

2007-04-13 Thread Freddie Cash
On Friday 13 April 2007 11:07 am, Nigel Horne wrote:
> Gerard Seibert wrote:
> > I thought that they had stopped supporting 4.x systems? In any case
> > would it be feasible to update to the 6.2 version?
>
> You don't make it clear who you mean by "they", but if you mean ClamAV,
> you're mistaken. File a bug report against 4.x and we'll look into it,
> I have a Pentium running FreeBSD4.11 in my compile farm.

See my post to Anton in this thread.  There is no longer any support in 
the FreeBSD ports tree for FreeBSD 4.x systems.

-- 
Freddie Cash, LPIC-2 CCNT CCLP  Network Support Technician
School District 73  (250) 377-HELP [377-4357]
[EMAIL PROTECTED]


Re: [Clamav-users] Clamav-0.90.2 compile Error on FreeBSD 4.8

2007-04-13 Thread Freddie Cash
On Friday 13 April 2007 10:32 am, Anton Yuzhaninov wrote:
> Hello, Matthias.
>
> You wrote on Friday, April 13, 2007, 8:44:34 PM:
> > i get a compile error on FreeBSD 4.8
> >
> >  i have 3 production Server running under FreeBSD 4.8
>
> Try to build it from ports.

Note:  for those still using FreeBSD 4.x systems you *MUST* change your 
ports supfile to use "tag=RELENG_4_EOL" instead of "tag=."  Otherwise, 
you will get a ports tree that does not support FreeBSD 4.x in any way.  
All support knobs and features to support FreeBSD 4.x were removed from 
the ports tree after that tag was laid down.  To use "tag=." when 
cvsup'ing the file is just asking to break things.  :)

-- 
Freddie Cash, LPIC-2 CCNT CCLP  Network Support Technician
School District 73  (250) 377-HELP [377-4357]
[EMAIL PROTECTED]


Re: [Clamav-users] *.cvd again!

2007-04-13 Thread Freddie Cash
On Thursday 12 April 2007 06:53 pm, Dennis Peterson wrote:
> And just an fyi, be cautious of the MSRBL-Images file. Rechecking it
> while I was typing this shows that with it in place it will cause the
> clamd cpu to rise to 90% and stay there. At 11M it may be too big to be
> practical.

I think that really depends on your CPU.  Running 4 parallel checks of the 
MSRBL-Images.hdb file (9 MB on my system since our provider has blocked 
rsync for the past couple weeks) only drops the CPUs' idle % by 15 (85% 
idle).

Of course, our main mail server is a dual-Opteron @ 2 GHz with 4 GB of 
RAM.  YMMV.  :)

-- 
Freddie Cash, LPIC-2 CCNT CCLP  Network Support Technician
School District 73  (250) 377-HELP [377-4357]
[EMAIL PROTECTED]


Re: [Clamav-users] Re: problem during compilling clamav-0.90.1

2007-03-16 Thread Freddie Cash
On Friday 16 March 2007 06:26 am, [EMAIL PROTECTED] wrote:
> Gerard Seibert wrote:
> > On Friday March 16, 2007 at 07:02:33 (AM) sergio wrote:
> >>   I tried to install new clamav on my freebsd-4.8. ./configure with
> >>   enable-experimental was good. but make ends with error code 1.
> >>   Clamav-0.90.1 is not installable on freebsd-4.8,yes?
> >>   Help please.
> >
> > Versions of FreeBSD <= 5.5 are not supported by FBSD. Would it be
> > conceivable for you to update your system to version 6.2, the current
> > version, and then attempt to install clamav again? I think you are
> > only going to have problems running modern software on an outdated OS
> > version.
>
> It probably isn't necessary to goto the latest version of FreeBSD.
> What you will probably need to do is go to the latest version
> in the 4.x train.  Somewhere along the 4.x train they changed
> the package utilities so a lot of the ports don't work with it
> now.  I had this problem with other ports and an update to 4.11
> fixed it for me.  Jumping minor versions is a lot less traumatic
> than jumping major versions.

If you're going to stick with FreeBSD 4.x, then you will need to edit your 
ports supfile to use tag=RELEASE_4_EOL.  That's the last-known-working 
ports tree for FreeBSD 4.x.  After that tag was put on the ports tree, 
they removed all support for FreeBSD 4.x from the ports framework.

-- 
Freddie Cash, LPIC-2 CCNT CCLP  Network Support Technician
School District 73  (250) 377-HELP [377-4357]
[EMAIL PROTECTED]


Re: [Clamav-users] Re: 0.90.1 from ports crashing on FreeBSD 5.4 during selfcheck

2007-03-15 Thread Freddie Cash
On Thursday 15 March 2007 01:09 pm, Rob MacGregor wrote:
> On 3/15/07, Rob MacGregor <[EMAIL PROTECTED]> wrote:
> > Right, complete re-write :)
> >
> > The FreeBSD port uses the following arguments to configure:
> >
> > '--with-dbdir=/var/db/clamav' '--with-zlib=/usr'
> > '--mandir=/usr/local/man' '--disable-zlib-vcheck' '--disable-clamuko'
> > '--disable-clamav' '--enable-bigstack' '--disable-gethostbyname_r'
> > '--enable-readdir_r' '--disable-dependency-tracking' '--with-libcurl'
> > '--prefix=/usr/local' '--build=i386-portbld-freebsd5.4'
> > 'build_alias=i386-portbld-freebsd5.4' 'CC=cc' 'CFLAGS=-O -pipe '
> > 'LDFLAGS= -L/usr/local/lib  -lthr' 'CPPFLAGS=-I/usr/local/include  '
> > 'CXX=c++' 'CXXFLAGS=-O -pipe'
>
> Further testing shows that, for FreeBSD 5.4 at least, the use of -lthr
> (1:1 Threading Library) the result is instability.  The second I added
> that to the configure argument clamd started crashing.

libthr is only really usable on FreeBSD 6+.  You'll need to upgrade if you 
want to use that.

ClamAV 0.90.x is really only usable on FreeBSD 6+ using libthr.  There's 
something in the threading in 0.90.x that does not like libpthread on 
FreeBSD.

-- 
Freddie Cash, LPIC-2 CCNT CCLP  Network Support Technician
School District 73  (250) 377-HELP [377-4357]
[EMAIL PROTECTED]


Re: [Clamav-users] This seems particularly nasty

2006-10-20 Thread Freddie Cash
On Fri, October 20, 2006 4:50 pm, Noel Jones wrote:
> At 05:50 PM 10/20/2006, Dennis Peterson wrote:
>> It is a morphing problem so the question is, is ClamAV
>> moving with it? I don't know and thought it worth asking. I still
>> don't know.
>
> Most likely no one had submitted a sample of that virus
> previously.  Since the author tested it on VirusTotal, it would have
> been auto submitted to the clamav signature team and likely detected
> within hours of his initial test.  Since we don't have the exact file
> in question, we can't confirm just when it was submitted or added.
>
> Yes, clamav-devel-20060429 is a little old, although that
> probably isn't a factor in this case (but we'll never know).  The
> signature file was apparently current at the time of the test.
>
> Words of wisdom:
> Clamav has an impressive track record of quickly detecting
> current malware circulating via email.  It is frequently (but certainly
> not always) among the first scanners with signature updates for new
> viruses.  This is one such case where other products detected a virus
> that clamav missed.  It would have been interesting if the author had
> tried rescanning the file at some regular interval to see when other
> products did start to recognize it.  Clamav depends on community
> support for submitting undetected viruses.

Now that would be a virus scanner review worth reading:
  - how many viruses were found upon initial install?
  - how many of the undetected ones were found after updating the
definition files?
  - how many of the still undetected ones were found after 1 day?  one
week? two weeks? a month?
  - how long until all viruses were detected?

Would require a good sampling of viruses, a bunch of machines, and a
lot of time to do correctly, though.


Freddie Cash, LPIC-2 CCNT CCLP  Helpdesk / Network Support Tech.
School District 73  (250) 377-HELP [377-4357]
[EMAIL PROTECTED]

___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Disable Specific Document Scanning

2006-07-12 Thread Freddie Cash
On Wed, July 12, 2006 12:37 pm, Nathan Tullis wrote:
> I am new to ClamAV and am just trying to get my head straight!  The
> business I work for currently uses a Postfix mail server, and we are
> running ClamSMTP using ClamAV of course.  My problem is that we
> receive hundreds of emails with Excel & Word document attachments
> daily.  Some of these "legitimate" files often get blocked, preventing
> the entire email from going through.

> My question is, how do I tweak ClamAV to allow Word and Excel
> documents to get through, but still filter out executables and so
> forth.  Or how would I go about creating a WhiteList of domain names
> that will be allowed to send such attachments through?

You don't configure ClamAV to do this.  ClamAV just scans files that
are passed to it, it doesn't care what format the file is in (to a
point).

You need to configure the "glue" product that passes the files to
ClamAV.  In this case, it's ClamSMTP.  No idea how to configure it,
though.  It may be that you can't configure it the way you want, and
you'll need to look at something else (like amavisd-new or Maia
Mailguard or similar).


Freddie Cash, LPCI-1 CCNT CCLP  Helpdesk / Network Support Tech.
School District 73  (250) 377-HELP [377-4357]
[EMAIL PROTECTED]



Re: [Clamav-users] clamav and OpenLDAP

2006-07-12 Thread Freddie Cash
On Wed, July 12, 2006 7:48 am, Odhiambo Washington wrote:
> * On 12/07/06 08:00 -0600, [EMAIL PROTECTED] wrote:
> | Odhiambo Washington wrote:
> | >Hello List,
> | >Perhaps I missed the discussion, so someone can help me out.
> | >The clamav port on FreeBSD has been made to use OpenLDAP as
> | >a dependency by default. I have just written to the person
> | >concerned, but perhaps I am mistaken.
> | >Can someone tell me what they use OpenLDAP for with ClamAV?
> |
> | I have installed Clamav on many versions of FreeBSD and just
> | yesterday got the latest ports from CVS and upgraded to 0.88.3
> | and I have never seen it depend on LDAP.
> |
> | Looking at the Makefile in the ports it looks like it depends
> | on the gmp lib, lha, arj, unzoo, arc, and unzip.
> |
> | Are you sure you are using the right port?  Have you gotten
> | an up to date ports?
>
>
> #grep LDAP /usr/ports/security/clamav/Makefile
> .if !defined(WITHOUT_LDAP) && exists(${LOCALBASE}/lib/libldap.so)
> USE_OPENLDAP=   yes
>
> In fact if you use a tool like portupgrade, if you fail to specify
> -m WITHOUT_LDAP=1, `portupgrade clamav` builds OpenLDAP 2.3.x and
> tries to install it.
>
> The latest port version is 0.88.3, if you doubt that as well ;)
>
> It being there is not a problem for me, since I don't care what
> people do with LDAP, but the annoyance is that by default the port
> installs OpenLDAP.

If you look closely at the Makefile (don't just grep it), you'll see
that the LDAP dependency check is in the WITH_MILTER if-statement. 
Which means it only checks for LDAP dependencies if you are using a
sendmail built with LDAP.  It's trying to keep the milter, sendmail,
and clamav-milter support all sync'd together with any LDAP options.

IOW, unless you already have LDAP installed, it won't add anything to
your system.  If you already have LDAP installed, but don't want LDAP
support in your sendmail/milter setup, then you may run into problems.


Freddie Cash, LPCI-1 CCNT CCLP  Helpdesk / Network Support Tech.
School District 73  (250) 377-HELP [377-4357]
[EMAIL PROTECTED]



Re: [Clamav-users] OT: Download script

2006-04-24 Thread Freddie Cash
On Sun, April 23, 2006 11:04 pm, Steve Basford wrote:
> In order to optimize the use of my bandwidth for the unofficial
> phishing signatures, I want to put up a few example scripts on the
> main page of my site that users should use to download the phish.ndb
> file.

> The reason is that I've got quite a few users, downloading every 15
> mins, the same phish.ndb file, whether the contents of the phish.ndb
> file has changed or not :(

> I've just moved server onto a higher bandwidth package but it's not
> unlimited :)

> Could anyone come up with some good wget/curl scripts, with wget, I
> guess it's using the -N option to only download changes and only
> download hourly (eg.  15:00, 16:00, 17:15, 18:15) etc.

> Sorry to be slightly off-topic here...

Here's the portion of my update-deffiles.sh script that deals with
ClamAV running on FreeBSD 6 (uses fetch not wget):

#!/bin/sh
# Third-party databases go in the same directory as the official ones
# so clamd picks them up on its next start.
cd /var/db/clamav || exit 1
echo ""
echo "Fetching MSRBL Images database"
/usr/bin/fetch -Aa http://download.mirror.msrbl.com/MSRBL-Images.hdb
/usr/sbin/chown clamav:clamav MSRBL-Images.hdb

echo ""
echo "Fetching UnOfficial Phishing database"
/usr/bin/fetch -Aa http://www.sanesecurity.com/clamav/phish.ndb
/usr/sbin/chown clamav:clamav phish.ndb

# clamd only loads its databases at startup, so restart it to use the new files.
echo ""
echo "Restarting clamd"
/usr/local/etc/rc.d/clamav-clamd.sh restart


Run via cron using:
25 04 * * * /root/scripts/update-deffiles.sh


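
Since the question was really about not re-downloading an unchanged phish.ndb every 15 minutes, here is an added example (mine, not the script above and not Sane Security's) that only fetches when the server reports a newer file and only restarts clamd when a file was actually replaced. It assumes curl rather than FreeBSD's fetch (curl's -z sends If-Modified-Since from the local file's mtime, and -R keeps the server's mtime on the saved copy), the /var/db/clamav directory and rc script from the script above, and a hypothetical hourly cron entry.

```shell
#!/bin/sh
# Added example: conditional download of unofficial ClamAV databases.
# Assumptions: curl is installed; paths follow the FreeBSD port layout
# used in the post; run as a user allowed to chown to clamav.

DBDIR="${DBDIR:-/var/db/clamav}"
OWNER="${OWNER:-clamav:clamav}"
RESTART_CMD="${RESTART_CMD:-/usr/local/etc/rc.d/clamav-clamd.sh restart}"

# install_if_changed NEWFILE FILE
# Replaces FILE with NEWFILE unless the contents are identical, using a
# rename so clamd never sees a half-written database.  NEWFILE is
# consumed either way.  Returns 0 if FILE was replaced, 1 if unchanged.
install_if_changed() {
  new="$1"; dst="$2"
  if [ ! -s "$new" ]; then
    # empty or missing body: the server answered "not modified"
    rm -f "$new"; return 1
  fi
  if [ -f "$dst" ] && cmp -s "$new" "$dst"; then
    # same bytes as what we already have; keep the old file and its mtime
    rm -f "$new"; return 1
  fi
  chown "$OWNER" "$new" 2>/dev/null || echo "warning: could not chown $new" >&2
  mv -f "$new" "$dst"
  return 0
}

# fetch_db URL FILENAME
# Returns 0 if the local copy was updated, 1 if unchanged, 2 on download error.
# A failed download never touches the existing file.
fetch_db() {
  url="$1"; dst="$DBDIR/$2"; tmp="$dst.tmp.$$"
  if [ -f "$dst" ]; then
    # -z FILE: only transfer if the server's copy is newer than FILE's mtime
    curl -fsS -R -z "$dst" -o "$tmp" "$url" || { rm -f "$tmp"; return 2; }
  else
    curl -fsS -R -o "$tmp" "$url" || { rm -f "$tmp"; return 2; }
  fi
  install_if_changed "$tmp" "$dst"
}

# update_all: fetch every database, then restart clamd once if anything changed.
update_all() {
  changed=0
  for entry in \
      "http://download.mirror.msrbl.com/MSRBL-Images.hdb MSRBL-Images.hdb" \
      "http://www.sanesecurity.com/clamav/phish.ndb phish.ndb"; do
    set -- $entry
    fetch_db "$1" "$2"; rc=$?
    case $rc in
      0) echo "updated $2"; changed=1 ;;
      1) echo "$2 unchanged" ;;
      *) echo "download of $2 failed, keeping the old copy" >&2 ;;
    esac
  done
  if [ "$changed" -eq 1 ]; then
    echo "Restarting clamd"
    $RESTART_CMD
  fi
}

# Hypothetical cron entry: once an hour at a fixed offset, so a fleet of
# clients does not all hit the server at the top of the hour:
#   17 * * * * /root/scripts/update-deffiles.sh run
if [ "${1:-}" = run ]; then update_all; fi
```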


Re: [Clamav-users] Unofficial Phishing Signatures

2006-01-26 Thread Freddie Cash
On Wednesday 25 January 2006 10:24 am, Mike Robinson wrote:
> Jason Haar wrote:
> > Dennis Peterson wrote:
> >> What methodology are you using to create these? It looks
> >> like an opportunity for collaboration if there's a way
> >> to avoid dupes.
> >
> > If signature development is truly getting bogged down, perhaps more
> > official people are needed? I guess we'd hear a call for volunteers
> > if it was?
> >
> > Is there a process by which people can volunteer? I think more skills
> > than "need to know how to run md5sum" will be required ;-)

> The first question is, does clamd automatically detect changes to .ndb
> files?  If not, I'm thinking we should get it put into the newest

clamd loads the databases once at startup.  You can restart clamd, send a 
notify to clamd, or run freshclam to have it reload the databases.

clamscan loads the databases each time it is called, so it will pick up 
the new databases right away.

clamdscan uses clamd, see above.

-- 
Freddie Cash, LPIC-1 CCNT CCLP  Helpdesk / Network Support Tech.
School District 73  (250) 377-HELP [377-4357]
[EMAIL PROTECTED]


Re: [Clamav-users] Squirriel Mail clamav scanner

2006-01-09 Thread Freddie Cash
On January 9, 2006 11:46 am, Dennis Peterson wrote:
> > On January 9, 2006 11:06 am, Jeremy Kitchen wrote:
> > > just reject viruses at the front door, and you'll be fine.
> > > 'client-side' scanning (squirrelmail IS a client, even though it's
> > > run on a server) is not a 'feature'.  Don't think you should do it
> > > that way just because thunderbird does it.  The only reason
> > > thunderbird or kmail have client-side virus scanning support is
> > > because some providers don't do their own scanning.

> > Re-read your last sentence, then compare how Thunderbird accesses
> > messages from a POP server compared to how SquirrelMail accesses
> > messages from a POP server using the built-in Mail Fetch plugin (that
> > completely by-passes any and all mail servers at the site using
> > SquirrelMail). There is no functional difference, so why should one
> > client be allowed to scan messages while another isn't?

> > While it's not the most optimal setup, having the option to scan
> > messages in the mail client should not be frowned upon.  If your mail
> > provider does not scan your incoming messages, then the mail client
> > is a good place to scan messages.  After all, it's the only place
> > *you*, the recipient, fully control access to the e-mail message.

> One difference is the T-bird client uses client cpu clicks whereas
> squirrel mail uses server clicks. Unless you can come up with a browser
> based scanner. 10,000 users all clicking and scanning at the same time
> seems like a potential problem for the average server. Personally I
> don't think there's such a thing as being too late to scan for viruses,
> but I do think if it's going to happen on my servers it's also going to
> be my processes with customer policy input that does it.

Now that's a genuine concern, but it could be mitigated using clamdscan in 
a SM plugin instead of clamscan.  While it would still be using server 
CPU resources, it shouldn't be nearly as bad.  Not sure how clamd would 
handle a couple hundred simultaneous requests to scan files, though.

Perhaps a better mechanism would be to hook a virus scan into any 
download / view actions for attachments, similar to the way 
Yahoo!/Hotmail do things.  That way, it wouldn't scan every message as it 
came in, but would only scan messages with attachments, when those 
attachments are accessed.

But that's getting into the realm of the SM developers, and not so much 
the clamav devs.  :)
-- 
Freddie Cash, LPIC-1 CCNT CCLP  Helpdesk / Network Support Tech.
School District 73  (250) 377-HELP [377-4357]
[EMAIL PROTECTED]


Re: [Clamav-users] Squirriel Mail clamav scanner

2006-01-09 Thread Freddie Cash
On January 9, 2006 11:06 am, Jeremy Kitchen wrote:
> just reject viruses at the front door, and you'll be fine. 
> 'client-side' scanning (squirrelmail IS a client, even though it's run
> on a server) is not a 'feature'.  Don't think you should do it that way
> just because thunderbird does it.  The only reason thunderbird or kmail
> have client-side virus scanning support is because some providers don't
> do their own scanning.

Re-read your last sentence, then compare how Thunderbird accesses messages 
from a POP server compared to how SquirrelMail accesses messages from a 
POP server using the built-in Mail Fetch plugin (that completely 
by-passes any and all mail servers at the site using SquirrelMail).  
There is no functional difference, so why should one client be allowed to 
scan messages while another isn't?

While it's not the most optimal setup, having the option to scan messages 
in the mail client should not be frowned upon.  If your mail provider 
does not scan your incoming messages, then the mail client is a good 
place to scan messages.  After all, it's the only place *you*, the 
recipient, fully control access to the e-mail message.

-- 
Freddie Cash, LPIC-1 CCNT CCLP  Helpdesk / Network Support Tech.
School District 73  (250) 377-HELP [377-4357]
[EMAIL PROTECTED]


Re: [Clamav-users] Re: Worm.Sober.U not being recognized

2005-11-29 Thread Freddie Cash
On November 29, 2005 09:37 am, Richard Hirner wrote:
> At 28.11.2005, 21:38 +0100, Richard Hirner wrote:
> >[Sober.U not recognised]

> The problem was that the signature directory of the FreeBSD port has
> changed from /usr/local/share/clamav to /var/db/clamav, but I didn't
> update the freshclam.conf so freshclam downloaded the sigs to the old
> directory which isn't used anymore. I changed the directory in
> freshclam.conf and it works now.

Note:  when updating the FreeBSD ports tree, always 
read /usr/ports/UPDATING before upgrading any apps, as it lists changes 
like this.  :)

-- 
Freddie Cash, CCNT CCLP  Helpdesk / Network Support Tech.
School District 73 (250) 377-HELP [377-4357]
[EMAIL PROTECTED]


Re: [Clamav-users] benchmarks for a LARGE site?

2005-05-06 Thread Freddie Cash
> My silly university spent $0.5M on a commercial product to perform
> spam and virus filtering (they have the "if it costs that much, it
> MUST be good" mentality).  And, just after they put it into
> production, Sober.P came out and knocked it flat.  After a couple
> days with multi-hour email delays, people are pretty pissed.  And I
> smell opportunity

> Could someone with a LARGE site (we have about 35,000 users) post
> what hardware they use for ClamAV, and how many messages/day it
> handles? I'd like to suggest they put it on a few PCs and have their
> relays contact the milter via a network socket in a round-robin
> fashion.  But it would be good to hear people's experiences with
> something on this large of a scale before I make the proposal.

We're running FreeBSD 5.2.1 (soon 5.4) with Postfix 2.1, Amavisd-new
2.x, SpamAssassin 3.x, and ClamAV 0.83 (soon 0.84), on a dual-AthlonMP
2200+ with 4 GB RAM and 400 GB diskspace on a RAID5 array (3Ware
Escalade 7604-LP).  This is all stored in a 2U rackmount server.  This
is not a name-brand server, but comes with local warranty and support.

This is the filtering mail gateway for a school district, and handles
15-20 domains, roughly 30,000 mail accounts (students and staff), ~20
mailing lists, and filters both incoming and outgoing messages.  This
is the primary MX for all the domains, and delivers mail to the
appropriate mail servers for message storage and retrieval.  School
firewalls also intercept all outgoing SMTP connections and forward the
messages to this server, so all outgoing mail is scanned, regardless
of what SMTP server is configured in the users' mail program.

This server processes approximately 250,000 messages per month, with
about 56% blocked as spam, and 15-20% blocked due to viruses.  If
needed, I can post the mail stats for Sept. 2004 (when the server went
online) to Apr. 2005.

This box is very lightly loaded, and was even used as a test
Courier-IMAP and Cyrus IMAP server for the IT department (15 accounts)
without any issues.  Now it's just the filter server.

-- 
Freddie Cash, CCNT CCLP  Helpdesk / Network Support Tech.
School District 73 (250) 377-HELP [377-4357]
[EMAIL PROTECTED]


Re: [Clamav-users] looking for utility that can control clamav remotely ...

2005-04-27 Thread Freddie Cash
On April 27, 2005 06:02 am, Joanna Roman wrote:
> Hi, I am thinking of building/looking for some kind of
> utility that can let me remotely control clamav tools.
> (The utility is not restricted to control only clamav
> but can be used to control other tools remotely in a
> similar manner.) Basically the utility will be running
> on the same machine as the clamd/clamscand. A client
> can connect to the utility via web interface. From the
> web interface, the user can  start or stop, for
> example, the clamd/clamdscan.

> Does anyone know any existing source code that can do
> such a thing ? Thanks.

Webmin (http://www.webmin.com), a web-based administration tool for 
Unix-like systems.  Even includes a ClamAV configuration module.  Does 
everything you just listed.  Works quite nicely, too.

You'll most likely want to grab the Swell Technology theme 
(http://www.swelltech.com), as it's much lighter weight than the default 
Webmin theme, and a lot nicer than the included light-weight theme.
-- 
Freddie Cash, CLCP CNCP  Network Support / Helpdesk
School District 73 (250) 377-4357
[EMAIL PROTECTED]


Re: [Clamav-users] Re: Two persistent problems with clamav

2005-03-09 Thread Freddie Cash
On March 9, 2005 01:33 pm, Jerry Bell wrote:
> > How do you start freshclam, as daemon or manually to test it?
>
> It's started as a daemon by a script.  I have manually started it up
> with the same results.
>
> > I don't agree with the library theory, it looks to me that you are
> > running at least two different copies of freshclam, one of them is
> > the old version 0.81.
>
> I was thinking the same thing, but there is only one (like
> highlander).  I have only installed it through the BSD ports
> collection, and after I removed 0.81, I went through and manually
> nuked anything that looked to be lingering.
>
> > Perhaps it's running (and installed) under a user account, as a
> > cronjob. Do the timestamps on the log show there are two regular
> > frequencies of updating?
>
> Here is a snippet from the logs.  After freshclam starts up, I get
> one or two normal looking cycles, then it start puking:
>
> Received signal 14, wake up
> ClamAV update process started at Wed Mar  9 14:56:29 2005
> main.cvd is up to date (version: 30, sigs: 31086, f-level: 4,
> builder: tkojm) daily.cvd is up to date (version: 760, sigs: 464,
> f-level: 4, builder: diego) --
> Received signal 14, wake up
> ClamAV update process started at Wed Mar  9 15:25:17 2005
> main.cvd is up to date (version: 30, sigs: 31086, f-level: 4,
> builder: tkojm) daily.cvd is up to date (version: 760, sigs: 464,
> f-level: 4, builder: diego) --
> Received signal 14, wake up
> ClamAV update process started at Wed Mar  9 15:32:30 2005
> WARNING: Your ClamAV installation is OUTDATED - please update
> immediately! WARNING: Local version: 0.81 Recommended version: 0.83
> ERROR: Can't create new file ./clamav-c323f26f7af853b0 in
> ERROR: The database directory must be writable for UID 106 or GID 106
> ERROR: Can't download main.cvd from db.us.clamav.net (IP:
> 69.44.153.29) --
> Received signal 14, wake up
> ClamAV update process started at Wed Mar  9 15:32:30 2005
> WARNING: Your ClamAV installation is OUTDATED - please update
> immediately! WARNING: Local version: 0.81 Recommended version: 0.83
> ERROR: Can't create new file ./clamav-a216c38f78d832db in
> ERROR: The database directory must be writable for UID 106 or GID 106
> ERROR: Can't download main.cvd from db.us.clamav.net (IP:
> 66.111.55.10) --
> Received signal 14, wake up
> ClamAV update process started at Wed Mar  9 15:54:05 2005
> main.cvd is up to date (version: 30, sigs: 31086, f-level: 4,
> builder: tkojm) daily.cvd is up to date (version: 760, sigs: 464,
> f-level: 4, builder: diego) --
> Received signal 14, wake up
> ClamAV update process started at Wed Mar  9 16:22:53 2005
> main.cvd is up to date (version: 30, sigs: 31086, f-level: 4,
> builder: tkojm) daily.cvd is up to date (version: 760, sigs: 464,
> f-level: 4, builder: diego)
>
>
> I still have the "cannot open new file" message.  That's a separate
> problem it would seem.
>
> > In another message you said you found the string "0.81" inside the
> > library, is this correct?  If it is, then that library IS the old
> > one, the new one (using strings  | grep "0\.8") only
> > shows 0.83.
>
> I've done that and only come up with 0.83.  If I said 0.81 was found,
> I was having one of them chair<->keyboard interface problems.

Stop freshclam.  Then check the output of ps to see if you have another 
one still running from a previous install.

Looking at the log output, it looks like you have two separate processes 
running.  One that wakes up every 30 minutes at 22 after and 52 after.  
The other that wakes up at half-past (at least, there's not enough log 
output to confirm the pattern).  The entries are very regular except 
that the OUTDATED entries don't follow that pattern.

Could it be that you did not stop freshclam before doing the upgrade, 
and there's still an old version running in memory?
-- 
Freddie Cash, CCNT CCLP  Helpdesk / Network Support Tech.
School District 73 (250) 377-HELP [377-4357]
[EMAIL PROTECTED]


Re: [Clamav-users] Two persistent problems with clamav

2005-03-09 Thread Freddie Cash
On March 9, 2005 11:44 am, Jerry Bell wrote:
> > find -X / -name "libclamav.so.1" | xargs ls -la

> No luck there :(

> >> /usr/local/lib//usr/local/lib/libclamav.so.1.
> That is what you call a careless cut and paste.  It is really
> /usr/local/lib/libclamav.so.1

> I would have expected *some* trace of an old lib somewhere.  I can't
> find anything anywhere that has a version number of 0.81.

You wouldn't happen to have a cronjob setup to run freshclam, or copy 
over anything from another server, or anything like that?  Maybe a 
custom script or tarball lurking under ~/bin or ~/home?

-- 
Freddie Cash, CCNT CCLP  Helpdesk / Network Support Tech.
School District 73 (250) 377-HELP [377-4357]
[EMAIL PROTECTED]


Re: [Clamav-users] clamav on gateway + sniffer to intercept mail attachments

2005-02-16 Thread Freddie Cash
On February 16, 2005 12:13 pm, vaida bogdan wrote:
> Hi, I use postfix+mailscanner on my mail server to block a lot of
> virii coming from my internal network. I would like to implement a
> solution to block virii traffic on the internal gateway. The network
> looks like this:

> WIN-
> WIN-   GW1-   -MAIL SERVER-   -GW2
> WIN-

Install Postfix on GW1.  Configure it to use MAIL SERVER as the 
relay_host.  Add packet filter rules to redirect all outgoing port 25 
traffic to this instance of Postfix.

You now have a complete audit trail of every mail message leaving your 
network.

Go through the logs on the MAIL SERVER to find out which message is 
infected.  Trace that message back to GW1.  In the logs on GW1 will be 
the IP of the infected station.

This is the setup we use.  Each school has a firewall that does NAT.  On 
the firewall is a very basic Postfix install that relays all messages 
through our main mail server.  This lets us trace back infected 
messages to the source computer, which has a private IP address.  Quite 
handy.  Not fully automated, but it works.

-- 
Freddie Cash, CCNT CCLP  Helpdesk / Network Support Tech.
School District 73 (250) 377-HELP [377-4357]
[EMAIL PROTECTED]
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
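
As an added illustration of the trace-back step described above (my example, not part of the post): a small sh script that, given the Message-ID that MAIL SERVER flagged, pulls the submitting workstation's IP out of the relay's Postfix log on GW1. Postfix records the client on the smtpd line and the Message-ID on the cleanup line, joined by the queue ID. The log lines are constructed for the example, and the function names and the /var/log/maillog path are assumptions.

```shell
#!/bin/sh
# Added example: map a Message-ID back to the internal client that handed
# it to the Postfix relay on the gateway.  Sample log is constructed here
# in the shape Postfix writes; on a real gateway point at /var/log/maillog.

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Feb 16 12:10:02 gw1 postfix/smtpd[2231]: 7F3A1C0B9E: client=unknown[192.168.10.57]
Feb 16 12:10:02 gw1 postfix/cleanup[2235]: 7F3A1C0B9E: message-id=<20050216121002.ABC123@win-lab-12>
Feb 16 12:10:02 gw1 postfix/qmgr[1802]: 7F3A1C0B9E: from=<user@example.org>, size=41233, nrcpt=30 (queue active)
Feb 16 12:10:03 gw1 postfix/smtp[2240]: 7F3A1C0B9E: to=<someone@example.net>, relay=mailserver.example.org[10.0.0.5]:25, status=sent (250 Ok)
Feb 16 12:11:15 gw1 postfix/smtpd[2231]: 8B2C4D1E0F: client=unknown[192.168.10.12]
Feb 16 12:11:15 gw1 postfix/cleanup[2235]: 8B2C4D1E0F: message-id=<20050216201115.GA4411@desk-04.lan>
EOF

# queue_id_for_msgid LOG MSGID
# Prints the Postfix queue ID(s) whose cleanup line carries MSGID.
# grep -F treats the Message-ID literally, so dots and brackets are safe.
queue_id_for_msgid() {
  grep -F "message-id=$2" "$1" |
    sed -n 's/.*cleanup\[[0-9]*\]: \([0-9A-F]*\): message-id=.*/\1/p'
}

# client_for_queue_id LOG QID
# Prints the address inside client=name[addr] on the smtpd line for QID.
client_for_queue_id() {
  grep -F "$2: client=" "$1" |
    sed -n 's/.*client=[^[]*\[\([^]]*\)\].*/\1/p'
}

# client_for_msgid LOG MSGID
# Joins the two lookups: the internal IP that submitted MSGID, one per line.
client_for_msgid() {
  for qid in $(queue_id_for_msgid "$1" "$2"); do
    client_for_queue_id "$1" "$qid"
  done
}

# Usage on the gateway: trace.sh '<message-id-from-the-mail-server-log>'
if [ $# -eq 1 ]; then
  client_for_msgid /var/log/maillog "$1"
fi
```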


Re: [Clamav-users] M$ preparing AV software ?

2005-02-09 Thread Freddie Cash
On February 9, 2005 09:26 am, Bogusław Brandys wrote:
> A little bit off topic, but I'd like to ask if M$ is trying to
> prepare own AV software  ?
> I found this :
> http://www.microsoft.com/security/malwareremove/default.mspx

> a tool to remove MyDoom, Zafi,Netsky and a few others.

They've been trying for a while (and they used to have their own AV tool 
back in the DOS/Win3.1 days).  They purchased RAV a year or two ago.  
Then they bought a spyware cleaning company last year (and released a 
beta spyware cleaner recently).  And they just recently bought another 
enterprise anti-virus company that also has some security tools.  Soon, 
they'll be releasing "something" that covers security, AV, and spyware 
cleaning all in one.

What would be nicer, though, is if MS would fix the security model in 
the base OS that allows for these things to spread so easily, instead 
of adding more and more layers of bandaids on top.  Fix the foundation, 
don't try to prop up the walls with two-by-fours.

-- 
Freddie Cash, CCNT CCLP  Helpdesk / Network Support Tech.
School District 73 (250) 377-HELP [377-4357]
[EMAIL PROTECTED]


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread Freddie Cash
Since ClamAV already has a naming scheme in place (Worm, Phishing, etc), 
why not just add a config file option to disable each classification 
(with all of them enabled by default)?

Voila!  Admins who want to block everything can do so.  Admins who only 
want to block worms can do so.  Admins who don't want to block 
anything, can do so.

Make ClamAV the best  scanner out there, but give the users 
the ability to turn it into the best  scanner.  :)

-- 
Freddie Cash, CCNT CCLP  Helpdesk / Network Support Tech.
School District 73 (250) 377-HELP [377-4357]
[EMAIL PROTECTED]


Re: [Clamav-users] Re: Any way to add a line to cleaned email?

2005-01-10 Thread Freddie Cash
On January 10, 2005 08:58 am, Trog wrote:
> On Mon, 2005-01-10 at 16:53, Freddie Cash wrote:
> > You're missing the main point of ClamAV:  it's a server-based virus
> > scanner for e-mail.

> > It's not a workstation AV solution.  Just because some people try
> > to shoe-horn it into a workstation AV solution does not mean that
> > it is designed for that purpose.  Look at the virus database for
> > ClamAV: there's only ~22,000 viruses listed, 95% of which are all
> > spread through e-mail.  Compare that to a commercial, workstation
> > AV solution that has over ~80,000 different viruses, from true
> > file-borne viruses, to boot-sector viruses, to polymorphic Win32
> > viruses.

> To keep your numbers in perspective, there are only ~1500 viruses
> listed in the entire WildList. And I don't believe that 95% figure
> either.

I'm going by what freshclam reports for the number of virus signatures 
in the DB.  Today's freshclam update shows 29,374 signatures in the 
database.

The 95% I pretty much pulled out of the air based on all the docs on the 
ClamAV site that say ClamAV is mainly concerned with e-mail-borne 
viruses, and not old boot-sector, or file-based viruses and such.  I 
think it was in a FAQ about why ClamAV only detects ~20,000 viruses 
while AV App X detects ~80,000.  I can't find the reference now, but 
there was mention of it on the clamav.net website at one point.

-- 
Freddie Cash, CCNT CCLP
Helpdesk / Network Support Tech.
School District 73 (250) 377-HELP [377-4357]
[EMAIL PROTECTED]


Re: [Clamav-users] Re: Any way to add a line to cleaned email?

2005-01-10 Thread Freddie Cash
You're missing the main point of ClamAV:  it's a server-based virus 
scanner for e-mail.

It's not a workstation AV solution.  Just because some people try to 
shoe-horn it into a workstation AV solution does not mean that it is 
designed for that purpose.  Look at the virus database for ClamAV:  
there's only ~22,000 viruses listed, 95% of which are all spread 
through e-mail.  Compare that to a commercial, workstation AV solution 
that has over ~80,000 different viruses, from true file-borne viruses, 
to boot-sector viruses, to polymorphic Win32 viruses.

These are two very different beasts.  ClamAV is mainly used to prevent 
the spread of viruses.  Its sole purpose, really, is to prevent 
viruses from entering your network through e-mail.  If a virus does get 
through, it's up to you to find another AV solution to clean it off the 
individual workstations.

Think of ClamAV as a plastic bubble around your house that prevents 
airborne viruses from entering your house.  It keeps new viruses out, 
but you can't use it to clean a virus off your piano.

-- 
Freddie Cash, CCNT CCLP
Helpdesk / Network Support Tech.
School District 73 (250) 377-HELP [377-4357]
[EMAIL PROTECTED]


Re: [Clamav-users] clamav as HTTP scanner?

2004-12-15 Thread Freddie Cash
On December 15, 2004 08:57 am, Rainer Zocholl wrote:
> In the really meanwhile long long linear list of mail scanners
> I only see the (non GPLed) "DansGuardian Anti-Virus Patch".
> Do you mean that?
> AFAIK is DansGuardian payware except for private use.

Please do at least the bare minimum research before posting things like
the above.  Opening even the first page of the DansGuardian website
will show that it is available free (as in no money), for anyone to use
(at home, at work, at school, wherever).

Yes, there is a commercial web content filter that uses a lot of the
DansGuardian technology, and even employs the primary DG programmer,
but DG is available for anybody to use, completely free, and even
includes the source code.

> And there is still the question:
> Does it make sense to use clamav in the http stream?
> Are there signatures for http-specific-exploits?
> Protecting against downloading bad files does not
> need http stream filtering, it can be done on the disk
> too.

It depends on your usage of the 'Net.  If you do a lot of file
downloading via web browsers using HTTP, then it might be a good idea
to have a central server that scans all those downloads.  If most of
the file downloading is done via FTP or HTTPS, having a scanner might
not make sense.  Or, if you have a centrally-managed desktop AV system,
it might not be worth putting in an HTTP virus scanner.  It all depends
on your uses.

--
Freddie Cash, CCNT CCLP
Helpdesk / Network Support Tech.
School District 73 (250) 377-HELP [377-4357]
[EMAIL PROTECTED]   [EMAIL PROTECTED]


Re: [Clamav-users] clamav as HTTP scanner?

2004-12-15 Thread Freddie Cash
On December 15, 2004 09:00 am, roliver wrote:
> I use scavr with squid for a school district with great success.
> Neither Dansguardian or Safesquid can handle very heavy loads in my
> experience.

Depends which version of DansGuardian you are using, and your 
definition of "heavy load".  We're running DG 2.4 on P3 866 MHz systems 
with 512 MB RAM, serving high schools with up to 250 student computers 
online at once.  Most sites have 2 Mbit cable connections, one has a 4 
Mbit wireless connection.  The servers are running FreeBSD 4.10, and 
the load rarely hits 5.0, swap usage generally stays below 10%, and 
none of the students have ever complained about slow connections.

Others on the DG lists have shown server configs that support 1000s of 
simultaneous connections using DG 2.6 (with fork pooling) and 2.8, 
without problems.  It really depends on the hardware you use, and the 
time you put into configuring things.

DG 1.x, 2.0, and 2.2 did have problems with heavy usage and could easily 
bring a dual-proc system with oodles of RAM to its knees.  But those 
issues have been fixed.

Adding in ClamAV scanning to the mix does slow things down a bit as the 
proxy now needs to download the file, then scan it, then send it to the 
client.  Depending on the DG+ClamAV setup, this can cause all kinds of 
timeout issues.  The ClamAV patch developers have come up with a few 
different solutions to this.  The main one, sending a small trickle of 
data to the client while it scans the file, does make it seem like 
your connection is super slow.

-- 
Freddie Cash, CCNT CCLP
Helpdesk / Network Support Tech.
School District 73 (250) 377-HELP [377-4357]
[EMAIL PROTECTED]


Re: [Clamav-users] daily.cvd and main.cvd

2004-10-16 Thread Freddie Cash
> While I am very happy with clamav, I see room for expansion and
> potential in a limited global environment.

> Is it possible to have clamd on other servers utilize the db files on
> a dedicated server in a local network?

> I think that it makes sense to have the ability to use a single
> instance of freshclamd to update the db files while different servers
> on the local network can utilize them.

If they are on a local network, why not just share out the directory
via NFS or SMBFS or other networked file system?  That would be a lot
simpler than trying to code yet another network protocol and writing
yet another network daemon.

Or, just configure rsync to keep the various servers' DB directory in
sync.

Then it's just a matter of telling the remote clamd processes to reload
the DB files.  A simple script to check the modification time on the
DB files will work for this.  Or a FAM script.

Granted, this wouldn't work across a WAN, but it would work fine for a
bunch of servers on a LAN.

-- 
Freddie Cash, CCNT CCLP
Helpdesk / Network Support Tech.
School District 73 (250) 377-HELP [377-4357]
[EMAIL PROTECTED]
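A concrete form of the rsync-plus-mtime-check approach described in the post above, as an added example (not code from the post or from the ClamAV project). The database path, the freshclam master host, and the use of `clamdscan --reload` as the reload command are assumptions; the change check relies only on POSIX `find -newer` against a stamp file, so it is portable across the FreeBSD and Linux hosts mentioned on this list.

```shell
#!/bin/sh
# Added example, not from the list post: keep a secondary clamd's database
# directory in sync with the freshclam master via rsync, then ask clamd to
# reload only when a signature file actually changed.  The change test
# compares file mtimes against a stamp file with POSIX "find -newer".
set -eu

DB_DIR="${DB_DIR:-/var/lib/clamav}"           # assumed local clamd DB dir
STAMP="${STAMP:-$DB_DIR/.last-reload}"        # touched after each reload
RSYNC_SRC="${RSYNC_SRC:-}"                    # assumed, e.g. freshclam-host:/var/lib/clamav/
RELOAD_CMD="${RELOAD_CMD:-clamdscan --reload}" # assumed reload command

# Pull *.cvd/*.cld from the master.  Skipped when no source is configured,
# which also lets the rest of the script be exercised offline.
sync_db() {
    [ -n "$RSYNC_SRC" ] || return 0
    rsync -a --delete --include='*.cvd' --include='*.cld' --exclude='*' \
        "$RSYNC_SRC" "$DB_DIR/"
}

# Print the signature files modified since the last reload.  Before the
# first reload there is no stamp file, so every file counts as changed.
changed_files() {
    if [ -f "$STAMP" ]; then
        find "$DB_DIR" -maxdepth 1 \( -name '*.cvd' -o -name '*.cld' \) -newer "$STAMP"
    else
        find "$DB_DIR" -maxdepth 1 \( -name '*.cvd' -o -name '*.cld' \)
    fi
}

# Reload clamd only when something changed.  Returns 0 when a reload was
# issued and the stamp refreshed, 1 when nothing needed doing.
reload_if_changed() {
    if [ -n "$(changed_files)" ]; then
        $RELOAD_CMD
        touch "$STAMP"
        return 0
    fi
    return 1
}

main() {
    sync_db
    if reload_if_changed; then
        echo "signature files changed: clamd reloaded"
    else
        echo "no change: clamd not reloaded"
    fi
}

# Run main only when invoked by this name, so the functions can be sourced.
case "${0##*/}" in
    sync-clamav-db.sh) main ;;
esac
```

Run it from cron on each secondary server; because the reload is skipped when nothing changed, a short interval costs nothing between updates.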


Re: [Clamav-users] TCP/IP + ClamAV

2004-07-28 Thread Freddie Cash
On July 28, 2004 08:20 am, Krištof Petr wrote:
> Me Its wrote:
> >I am looking forward to implementing tcp/ip filtering for my firewall,
> >the only solution that I found on the net is using a patched squid
> >which can work with clamav.

> >I am looking for a better solution like implemented Trend Virus
> >Wall.

If you are looking to scan downloads and web pages, then you can use 
DansGuardian with the AV patch.  DansGuardian works together with Squid 
to provide a full content filtering proxy server.  Add the AV patch, 
and you can use ClamAV to scan all file downloads for viruses.

http://www.dansguardian.org
http://www.harvest.com.br/asp/afn/wcfp.nsf

Runs on FreeBSD, OpenBSD, NetBSD, Solaris, and several Linux distros.

-- 
Freddie Cash, CCNT CCLP
Helpdesk / Network Support Tech.
School District 73 (250) 377-HELP [377-4357]
[EMAIL PROTECTED]


---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_idG21&alloc_id040&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] upgrade

2004-07-27 Thread Freddie Cash
On July 27, 2004 10:54 am, Jona Tallieu wrote:
> Just upgraded to 0.75 on OSX 10.3.

> When checking CLAMAV version to be sure the upgrade was ok I get:
> mail:/usr/local/bin root# ./clamscan --version
> clamscan / ClamAV version 0.75

> But when I forgot the ./, I get this:
> mail:/usr/local/bin root# clamscan --version
> clamscan / ClamAV version 0.70

> Is this normal (difference in version)?

You have two different versions installed.  One located 
in /usr/local/bin, the other somewhere else in your PATH 
(probably /usr/bin).  Try "whereis clamscan" to find where the other 
one is and remove it.

-- 
Freddie Cash, CCNT CCLP
Helpdesk / Network Support Tech.
School District 73 (250) 377-HELP [377-4357]
[EMAIL PROTECTED]

