Re: [clamav-users] ClamAV reputation rating
Epicon Elysium via clamav-users wrote:
> Does ClamAV support in enabling the reputation rating? Seems I couldn't find
> any info when searching for it. There's nothing mentioned in the config file
> as well.

AIUI no, it doesn't have anything for that. However, a very common setup is to use AMaViS to scan mail, with ClamAV as just one of the tools it uses - the other tools can include things like reputation rating (eg sender real-time blacklists and so on).

You might also want to have a look at PolicyD (aka Cluebringer) which brings other tools to the party - such as greylisting and quotas.

___
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] ClamAV Central Management tools
Robert Schetterer wrote:
> Div monitors should be fine to code for such things
> like monit, munin, xymon, icinga, nagios , zabbix etc

Nagios has a plugin for it (someone's already done the coding), I used to use it at my last job.
Re: [clamav-users] Scanning IMAP traffic without user credential storage
Beeblebrox wrote:
>> ... If clamd finds something (it does happen), what's the plan?
>> The message is *already* in the user's mail box, and I'd say it should
>> *not* be there in your scenario, because the user can pick up the bad
>> mail simply by connecting other than through your gateway.
>
> I was thinking "somehow" to move the email to a quarantine folder and
> then sending an advisory to the user "message from joe has been
> quarantined, please take following steps". Perhaps even some process to
> strip all attachments, convert message to text-only (risky?) and send
> the text-only content along with the advisory.
>
> Moving the message to quarantine folder on the host server (Gmail)
> would require user credential by MTA, so there's another hole in my
> concept. I wonder if there's an MTA that stores hashed credentials but
> is also able to auto-update such credentials as received from client
> device / MUA so that no direct user interaction with the Gateway is
> necessary.

Well if you could act as a MiM then you'd act as an IMAP server to the client and get the credentials from them as they log in. You'd then log into the real upstream server using those credentials. You'd have to proxy everything so that the client sees the contents of the mailboxes - but you'd have the access you'd need to move the infected mail and add a new warning message.

BUT, two problems. I have no idea at all if there is such a proxy mechanism in existence. Most of all, it can't be done with SSL connections without either the client users getting security warnings which they'd have to accept, or the clients having your own root certificate installed. Neither of these are a good idea - one teaches users to ignore certificate errors, the other opens the door to all manner of "mischief".
Re: [clamav-users] Scanning IMAP traffic without user credential storage
Dave McMurtrie wrote:
> The original poster doesn't mention which IMAP server he's using.

As I read it, he's looking at "random users accessing random servers" - eg a user connecting his phone to the guest network and it then accessing Gmail.

I really don't think it's possible to do what he wants. In principle it would work for non-SSL connections, but the whole point of SSL is to prevent the sort of MiM connection he is trying to do. For it to work, the proxy would need to talk SSL to the server (no problem), process the non-protected stream internally, and talk SSL to the client. The latter is the problem as the proxy will not be able to sign the connection using a (eg) Google certificate - which is, of course, the whole point of SSL, the client should flash up a big "this site is bogus" warning to the user !

In a corporate environment, with control of the clients, it's possible to install your own root certificate on the clients and then use that to sign the client-side connection. Obviously that won't work with any other clients, and it's a really really bad idea anyway from the security PoV (breaks all client-side verification - eg the "green bar" for banking websites).
Re: [clamav-users] Apparently legitimate Paypal email disguises domain name in links - thus identified as likely phishing
Andy Schmidt wrote:
> If Paypal expects their emails to be delivered, then the CONTENT of their
> emails must not use phishing techniques.

In my experience, most PayPal emails are a catalogue of the things people are told not to do ! Things like "click here to check your account" come immediately to mind ! The fact that they feel the need to put "we've put your full name in to show it's really us" is indicative to me that they must realise what they are doing.
Re: [clamav-users] Central management server?
robert k Wild wrote:
> Can I install a clamav server and point all my clamav end users ie Mac
> Linux windows to the server to get update definitions

Yes. Setup your own mirror and point everything at it.

> and can I manage my
> clients from the server ie see if there online run scans and lock clients
> so they can't change settings?

As already said, that's the province of enterprise systems. You should be able to "roll your own" with a combination of local permissions management (stop users fiddling with settings), configuration management systems (such as Puppet already mentioned, set configuration), centralised logging and log analysis (see what is running when), and monitoring systems (e.g. I use Nagios to monitor if ClamAV is up to date on my servers).
Re: [clamav-users] TTL of DNS recode
Tsutomu Oyamada wrote:
> Our environment is a local mirror.
> However, it does not matter.
>
> I wanted to know if there is the case that the DNS TXT of ClamAV have
> not been updated for few days.
> Could it be possible?
> Is this issue caused by the problem on our environment of querying DNS?
> The daily.cvd is updated in real time now.
> Could this issue be happened when the freshclam try to query DNS?

Given that no-one else has seen the same issue, it was most likely a problem local to you. It's unlikely that any of us could guess what that problem was given that we can't see your systems.
Re: [clamav-users] TTL of DNS recode
Tsutomu Oyamada wrote:
> ClamAV update process started at Sat Nov 5 05:01:15 2016
> Using IPv6 aware code
> Querying current.cvd.clamav.net
> TTL: 1797
> Software version from DNS: 0.99.2
> main.cvd version from DNS: 57
> main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhamner)
> daily.cvd version from DNS: 22473
>
> This log shows that freshclam was started at 5:01 of 5th Nov. and the result
> of querying DNS was "daily.cvd version: 22473".
> According to the mail [clamav-virusdb] which is sent daily, the daily.cvd
> version should be 22479 at 5:01 of 5th Nov.
>
> We want to know why freshclam cannot get the latest daily.cvd version.
> Is this difference of daily.cvd version caused by cache of DNS?

OK, try restarting freshclam and see what comes up in the logs. 5th Nov is quite a while ago !

If it still doesn't get the correct information, give us the output of "dig current.cvd.clamav.net txt" - you may need to install the dig (Domain Internet Groper) package.
Re: [clamav-users] TTL of DNS recode
I realise English is not your main language and this is probably very difficult for you to explain in what is to you a foreign language, but I don't think we are able to figure out just what is not working ...

Tsutomu Oyamada wrote:
> In the present situation fail.

What is failing ?

Does your local mirror update ? If not, post logs from freshclam showing the failures to update. Also post your freshclam config.

If your local mirror does update, then we assume your local clients are failing to update from your mirror. If that is the case, post the freshclam logs from a failing client, and its config.
Re: [clamav-users] TTL of DNS recode
Al Varnell wrote:
> So I think I have the answer for this one. From my research it would seem
> that TTL values are set by the DNS server you are accessing, not by the
> ClamAV and is the same for all records on that server. You would have to
> check with the DNS ISP to find out if it has changed or not.

OK, there seems to be some confusion about how DNS works and what the TTL value does, and what lookups report. Dennis has sort of covered some of this, but it might help to see the whole process.

When you do a lookup for a name, your client asks the locally configured resolver the question - eg what is the TXT record for current.cvd.clamav.net. Assuming the resolver has nothing in the cache, then it will go to the root servers and ask the same question. The root servers won't know, so they will reply to the effect of "I don't know, but the name servers have a better answer" - ie the name servers for .net

So your resolver goes and asks the same question of one or more of those servers. They'll get the same "I don't know, but ..." answer, this time with a list of name servers handling clamav.net. The resolver will continue in this manner until it reaches far enough down the tree to find a server that knows the answer. In this case, the nameservers for clamav.net (ns[2-7].clamav.net here*) know the answer and will return it.

Using DIG, this is the chain of results, note that when using +trace, DIG deliberately ignores cached records and so the TTL values are those of the records as served by the relevant name server (except for the root servers which I assume it still uses the local resolver cache for - it has to start somewhere !) :

$ dig +trace current.cvd.clamav.net txt

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +trace current.cvd.clamav.net txt
;; global options: +cmd
. 45003 IN NS h.root-servers.net.
. 45003 IN NS b.root-servers.net.
. 45003 IN NS l.root-servers.net.
. 45003 IN NS e.root-servers.net.
. 45003 IN NS g.root-servers.net.
. 45003 IN NS m.root-servers.net.
. 45003 IN NS j.root-servers.net.
. 45003 IN NS c.root-servers.net.
. 45003 IN NS i.root-servers.net.
. 45003 IN NS a.root-servers.net.
. 45003 IN NS d.root-servers.net.
. 45003 IN NS f.root-servers.net.
. 45003 IN NS k.root-servers.net.
;; Received 508 bytes from 192.168.0.33#53(192.168.0.33) in 21 ms

net. 172800 IN NS e.gtld-servers.net.
net. 172800 IN NS m.gtld-servers.net.
net. 172800 IN NS f.gtld-servers.net.
net. 172800 IN NS a.gtld-servers.net.
net. 172800 IN NS l.gtld-servers.net.
net. 172800 IN NS b.gtld-servers.net.
net. 172800 IN NS j.gtld-servers.net.
net. 172800 IN NS c.gtld-servers.net.
net. 172800 IN NS d.gtld-servers.net.
net. 172800 IN NS h.gtld-servers.net.
net. 172800 IN NS k.gtld-servers.net.
net. 172800 IN NS g.gtld-servers.net.
net. 172800 IN NS i.gtld-servers.net.
;; Received 509 bytes from 2001:7fe::53#53(2001:7fe::53) in 43 ms

clamav.net. 172800 IN NS ns3.clamav.net.
clamav.net. 172800 IN NS ns4.clamav.net.
clamav.net. 172800 IN NS ns7.clamav.net.
clamav.net. 172800 IN NS ns6.clamav.net.
clamav.net. 172800 IN NS ns4a.clamav.net.
clamav.net. 172800 IN NS ns1a.clamav.net.
;; Received 302 bytes from 192.42.93.30#53(192.42.93.30) in 44 ms

current.cvd.clamav.net. 1800 IN TXT "0.99.2:57:22593:1479972755:1:63:45272:285"
cvd.clamav.net. 7200 IN NS ns3.clamav.net.
cvd.clamav.net. 7200 IN NS ns4.clamav.net.
cvd.clamav.net. 7200 IN NS ns5.clamav.net.
cvd.clamav.net. 7200 IN NS ns6.clamav.net.
cvd.clamav.net. 7200 IN NS ns7.clamav.net.
;; Received 184 bytes from 2a01:4f8:160:8421::2#53(2a01:4f8:160:8421::2) in 38 ms

Naturally it would be wasteful if the resolver did all these lookups every time, so it stores all the results it gets back in a local cache. So next time you lookup the same answer, it already has it. If you lookup a different .net address, it already knows which servers handle .net. And so on.
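An added example, not part of the original thread: a small monitoring check that parses the TXT answer shown in the dig output and separates "my local database is behind what DNS announces" from "the DNS answer itself is older than caching can explain". The first three fields match the freshclam log quoted earlier in the thread; the meaning given to the remaining fields, the function names and the 24-hour threshold are assumptions of this sketch.

```python
import re
from dataclasses import dataclass

# The TXT answer as it appears in the dig +trace output quoted in this thread.
DIG_ANSWER = ('current.cvd.clamav.net. 1800 IN TXT '
              '"0.99.2:57:22593:1479972755:1:63:45272:285"')

# "\s*IN" also accepts answers where the TTL and class have run together.
_ANSWER = re.compile(r'^\S+\s+(\d+)\s*IN\s+TXT\s+"([^"]+)"\s*$')


@dataclass(frozen=True)
class CvdRecord:
    ttl: int        # seconds a resolver may keep serving this answer from cache
    software: str   # "Software version from DNS" in the freshclam log
    main: int       # "main.cvd version from DNS"
    daily: int      # "daily.cvd version from DNS"
    published: int  # assumption: Unix time at which the record was generated
    f_level: int    # assumption: functionality level
    bytecode: int   # assumption: bytecode.cvd version


def parse_answer(line):
    """Parse one dig TXT answer line into a CvdRecord, or raise ValueError."""
    match = _ANSWER.match(line.strip())
    if match is None:
        raise ValueError("not a TXT answer line")
    fields = match.group(2).split(":")
    if len(fields) != 8:
        raise ValueError("expected 8 colon-separated fields")
    try:
        main, daily, published, f_level, bytecode = (
            int(fields[i]) for i in (1, 2, 3, 5, 7))
    except ValueError:
        raise ValueError("non-numeric version field") from None
    return CvdRecord(int(match.group(1)), fields[0], main, daily,
                     published, f_level, bytecode)


def diagnose(record, local_daily, now, max_publish_gap=86400):
    """Compare the DNS announcement with the local daily.cvd version.

    A cached answer can lag the authoritative one by at most its TTL, so an
    answer older than max_publish_gap + TTL (threshold is an assumption)
    points at the resolver path rather than at freshclam or the mirror.
    """
    findings = []
    if now - record.published > max_publish_gap + record.ttl:
        findings.append("dns-answer-stale")
    if local_daily < record.daily:
        findings.append("local-behind-dns:%d" % (record.daily - local_daily))
    elif local_daily > record.daily:
        findings.append("dns-behind-local:%d" % (local_daily - record.daily))
    return findings or ["ok"]


if __name__ == "__main__":
    rec = parse_answer(DIG_ANSWER)
    # Constructed scenario: a client seven daily revisions behind, one hour
    # after the record was generated.
    print(diagnose(rec, local_daily=rec.daily - 7, now=rec.published + 3600))
```

Feeding it the answer from the locally configured resolver and the answer from `dig +trace` side by side shows whether a difference comes from the cache or from the authoritative servers.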
Re: [clamav-users] GPL license question
Borough Rumford wrote:
> I know clamav is released under GPL license, and third-party commercial app
> shouldn’t link libclamav.

Is the library under the GPL or LGPL - the answer is different for the two licences ?

https://www.gnu.org/licenses/gpl-faq.en.html#GPLStaticVsDynamic
https://www.gnu.org/licenses/gpl-faq.en.html#LGPLStaticVsDynamic

AIUI, if you link against a GPL library then your code needs to be compatible with the GPL, if you link dynamically against an LGPL library then it doesn't. That's the reason for having the LGPL.
Re: [clamav-users] Threading (Was: How can Clam/Cisco be so irresponsibly reckless and nonchalant to Windows users?)
Mark Allan wrote:
>
>> For my, I use Mail.app the majority of the time. Apparently if I delete
>> lines and inline reply like I do in Thunderbird, Mail.app just tells me to
>> eat dust and unthreads the whole thing. Guess I should file a bug with
>> Apple.
>
> That's strange. I use Mail.app as well, and as far as I'm aware, there's
> never been a problem replying to emails and keeping the threading and quoted
> text.

Me too, never come across that. But then I'm still on 10.8 (Mountain Lion) so can't speak for later versions, I know Apple does have a history of taking something that works and "fixing" it - in the same way people talk of taking their dog to the vet to be "fixed" (by removing bits that worked).

Groach wrote:
> Consider my explanation of 'notification' above. So now, how do I post a
> 'reply' to someone elses comment if I no longer have an "email notification"
> (to click 'REPLY' on)?

What I usually do in that situation is to carefully copy the email subject as it appears in the archives and create a new email. The new email won't have any references headers to link it to the thread, but any half decent client and list archive should be capable of recognising the subject as being the same as the existing thread and link it in that way. Your message won't appear in the right place in the threaded view in the archives, but it should appear in the same thread. The same issue occurs for people getting a list digest.

In theory, if it's presented, you could copy the message header from the archive and add that as a custom header (In-Reply-To:) to your email. Looking at the Mailman archive for the list it doesn't seem to be presented, but I suspect some archives may keep and display it.

The key headers are :

Message-Id:
This should be a globally unique ID generated by your mail client.

In-Reply-To:
If you reply to an email, the In-Reply-To: header should be set to the Message-Id: of the message you reply to.

References:
This builds up as a message gets replied to over time. Each reply should be adding the Message-Id: to this so there ends up a chain of which messages led to this one.

In-Reply-To: should be sufficient to put your message in the right place in the thread.

What you must never ever do is select some random list message in an unrelated thread and hit reply - either to respond to an existing thread or to start a new one. Because this reply will include In-Reply-To: and probably References: headers, this will cause your unrelated message to get threaded into the wrong thread. If you are browsing an archive and find a seemingly unrelated thread intermingled with another one - this is probably the cause.
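An added example, not part of the original message: a minimal threader that applies the rules described above (link by In-Reply-To:/References: first, fall back to a matching subject) to five constructed messages, including one reply made from an unrelated thread. The message ids, addresses and function names are placeholders, and real archives use more elaborate algorithms.

```python
import re
from email import message_from_string


def raw(mid, subject, in_reply_to=None, references=None):
    """Build a constructed RFC 5322 message with only the threading headers."""
    headers = [("Message-Id", mid), ("Subject", subject)]
    if in_reply_to:
        headers.append(("In-Reply-To", in_reply_to))
    if references:
        headers.append(("References", references))
    return "".join("%s: %s\n" % h for h in headers) + "\nbody\n"


A, B, C, D, E = ("<%s@example.invalid>" % n for n in "abcde")
MESSAGES = [
    raw(A, "[clamav-users] Clamd and Systemd"),
    raw(B, "[clamav-users] unsubscribe"),
    # Proper reply: the client copied A's Message-Id into both headers.
    raw(C, "Re: [clamav-users] Clamd and Systemd", in_reply_to=A, references=A),
    # New mail with the subject copied from the archive, no threading headers.
    raw(D, "Re: [clamav-users] Clamd and Systemd"),
    # "Reply" hit on an unrelated message, subject retyped for a new topic.
    raw(E, "[clamav-users] GPL license question", in_reply_to=B, references=B),
]


def parent_id(msg):
    """In-Reply-To: names the parent; else use the last References: entry."""
    in_reply_to = (msg.get("In-Reply-To") or "").split()
    if in_reply_to:
        return in_reply_to[0]
    references = (msg.get("References") or "").split()
    return references[-1] if references else None


def base_subject(subject):
    """Strip leading Re:/Fwd: prefixes so replies compare equal to the original."""
    stripped = re.sub(r"^(?:\s*(?:re|fwd?)\s*:\s*)+", "", subject or "", flags=re.I)
    return stripped.strip().lower()


def thread(raw_messages):
    """Return {message-id: (thread root id, how it was linked)} in arrival order."""
    placed, by_subject = {}, {}
    for text in raw_messages:
        msg = message_from_string(text)
        mid = msg["Message-Id"].strip()
        parent = parent_id(msg)
        subject = base_subject(msg["Subject"])
        if parent in placed:
            placed[mid] = (placed[parent][0], "header")
        elif subject in by_subject:
            placed[mid] = (by_subject[subject], "subject")
        else:
            placed[mid] = (mid, "new")
        by_subject.setdefault(subject, placed[mid][0])
    return placed


if __name__ == "__main__":
    for mid, (root, how) in thread(MESSAGES).items():
        print(mid, "->", root, "(%s)" % how)
```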
Re: [clamav-users] mail server and clamav in different machine
M.hafez wdeln...@yahoo.com wrote:
> can i install the mail server (win or Linux based ) and the clamav in different machine, that may allow me to filter more than one mailer server using the same Clamav machine.

In principle yes, though it very much depends on how you are going to pass the email to it. If you do file based scanning - ie the server saves a file (or files) and then calls ClamAV - you will need to arrange shared files and ensure the file paths remain consistent for both ends. If you run it as a filter and pass the message in via that, then it should only be a case of pointing each mail server at the right socket.

But why not duplicate the ClamAV installation and distribute the workload ?

I built a small cluster (Postfix+PostfixAdmin+MySQL+Courier+Amavis+ClamAV) and configured each server to do before-queue scanning of inbound emails. I made so there is one master machine which holds the mail store, and a number of other mail servers that will accept connections, scan the mail, and if accepted put it in the mail store via NFS. This was because of the potential delays introduced by before-acceptance scanning and to spread the load of that scanning across multiple hosts. My experience is that by far the highest load on my mail servers is the scanning.
Re: [clamav-users] Clamd and Systemd
Scott Kitterman deb...@kitterman.com wrote:
>> Is harmless supposed to include not installable ?
>
> No. What's not installable? Install clamav-daemon (with the lib) and don't worry about it.

Given that I wouldn't be bothered at all if SystemD was just an init system, it's all the other crap I want to keep out. Do you really think I'm going to allow a SystemD library (whose package description gives no clues about its functions or intentions) onboard ?

If ClamD is only using this library if SystemD is installed, then presumably it'll work without that library when SystemD isn't installed ? So all I need is a dummy (empty) package that provides whatever apt is looking for to satisfy the installation dependency ?
Re: [clamav-users] Clamd and Systemd
G.W. Haywood cla...@jubileegroup.co.uk wrote:

I would http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installation Been there, done that, but what a right PITA it creates - specifically trying to figure what package is triggering a chain of dependencies that's trying to pull in part of SystemD and then install ClamAV from source. I wouldn't use packages for things like ClamAV anyway. I have to consider maintainability - and given the skills (or lack of) left in the business when I find a better job or get hit by the proverbial bus, I've been making a point of sticking to packages. Not at all, it's just Debian doing what Debian does (i.e. drive me nuts). It's been driving me nuts today. Perhaps it's just what I'm used to but I prefer Debian to most other distros - I learned my first Unix with SCO Xenix and then Openserver5.

Scott Kitterman deb...@kitterman.com wrote:

Also, does anyone know how important this dependency is ? Is it just some small optional features, or something fundamental that can't be removed ? My gut feeling is that given the range of platforms ClamAV runs on (inc many without SystemD), it can't be that important. It's there because of the way we build the package to support the default init system. I don't recall exactly why. It doesn't, however, do anything if systemd isn't the active init system. Other than taking a small amount of disk space it's harmless. Is harmless supposed to include not installable ?
Re: [clamav-users] unsubscribe
Cmos35 x.lep...@laposte.net wrote:
> I never asked to be unsubscribed, I asked a question and I unsubscribed by David Barr

No, he didn't unsubscribe you - only you can do that (or someone forging your email address in the sender field)

I assume he wanted to unsubscribe from the list, but ignored the email he would have had when first signing up (which contained information) and made no effort to find out how to do it properly. If he'd made any effort at all, he'd have found these helpful headers in any list email :

List-Id: ClamAV users ML clamav-users.lists.clamav.net
List-Unsubscribe: http://lists.clamav.net/cgi-bin/mailman/options/clamav-users, mailto:clamav-users-requ...@lists.clamav.net?subject=unsubscribe
List-Archive: http://lists.clamav.net/pipermail/clamav-users/
List-Post: mailto:clamav-users@lists.clamav.net
List-Help: mailto:clamav-users-requ...@lists.clamav.net?subject=help
List-Subscribe: http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users, mailto:clamav-users-requ...@lists.clamav.net?subject=subscribe

Like most mailing lists, all he had to do was to send a blank message to whatever the list is-request with unsubscribe in the subject - or click on the link and go to the mail manager website and do it.

I see this periodically on every mailing list I'm on - even the ones where there is a help message clearly visible in the footer of every list message :-/
Re: [clamav-users] ClamAV installation is OUTDATE!
Marcio Fiorette marcio.fiore...@gmail.com wrote:
> I am unable to update ClamAV from version 0.98.5 to 0.98.6 on Debian 7. I have already followed the procedures on the www.clamav.net site and still had no success.

Google tells me you're trying to update but it's not working.

Did you install ClamAV as a Debian package ? If so then do NOT use any other tools to update it, just use the Debian supplied package tools. This applies to any distribution - if you installed the distribution package then you should update using the distro specific tools/packages.

If you include wheezy-updates as a repository (see /etc/apt/sources) then 0.98.6 is already there -

apt-get update
apt-get upgrade

should update it (and anything else that needs updating). If you don't include wheezy-updates (which you should do - it's your security updates) then you'll still only get 0.98.5

https://packages.debian.org/search?keywords=clamav&searchon=names&suite=all&section=all
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
Daniel Spies ds20150222c...@pskx.net wrote:
> I don't get how you find it more appropriate to silently reject someone's e-mail

I don't. I don't know where you got that from - perhaps it's from seeing so many examples of bad practice that's become the norm so you assume everyone is that bad ?
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
Daniel Spies ds20150222c...@pskx.net wrote:
> In my opinion, it doesn't make any sense to scan e-mail leaving the server. The recipient will never trust these tags anyway. So why scan at all? It's important to scan incoming mail, be it from a local or an external client.

I disagree. Recipients may not trust the tags, but it *should* stop outbound spam/infected mail should your machine (or one of the clients) get compromised. IMO spam and malware is not just something to stop coming in, it's something to prevent going out - if more networks prevented it going out then there'd be less of a problem.

On my systems I scan *everything*, and I firewall off everything I can - including preventing outbound connections to port 25.

At work I run mail servers that are used by customers - including as smart relays. It's not all that uncommon to find one of the customers compromised and sending out thousands (or millions) of spam emails - so my latest server also does rate limiting to limit the damage done before it gets spotted and blocked.
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
OK, this is getting well off-topic for this list, this will be my final say on the matter - and from some of the other comments I see I'm not alone in considering you part of the problem.

Daniel Spies ds20150222c...@pskx.net wrote:
>> Recipients may not trust the tags, but it *should* stop outbound spam/infected mail should your machine (or one of the clients) get compromised. IMO spam and malware is not just something to stop coming in, it's something to prevent going out - if more networks prevented it going out then there'd be less of a problem.
>
> It's not always black and white. I assume you're responsible for the clients you're talking about, i.e. they are your customers or colleagues.

It varies, but in the general case they may be managed customers (where we look after the network, servers, and clients) through to customers only in that they use our mail servers. Regardless, all mail they send through my servers is scanned - and I do block anything that reaches a sufficient spamminess score or fails the AV checks.

> While spoon-feeding colleagues or customers may be okay for the sake of security, my clients would certainly raise hell if they would receive errors due to false positives. Most people expect their system to just work -- no matter what.

Which is one reason it's very important to make sure you are not part of the problem. Allowing a customer to send nasties through your mail server is a good way of getting it blacklisted - and then it certainly doesn't just work. I can assure you that when your server gets on a blacklist, your customers do complain - and they complain a lot louder than if you block one or two spammy messages. The best way to stay off blacklists is to block spam and nasties at source - not just rely on the recipient to catch it later ...

> By the way: I don't even reject virus/spam mail, I just tag them. If a client is dumb enough to open the attachment of a tagged e-mail, so be it.

So you are part of the problem. It's already been said that tagging is meaningless - yet you assume it's reasonable to expect others to act on your tags.

>> On my systems I scan *everything*, and I firewall off everything I can - including preventing outbound connections to port 25.
>
> I am not in the situation where all my clients sit in a firewalled private network; it's more the free-mail kind of situation. What and when my clients send e-mail is none of my concern, as long as they do it in common dimensions, i.e. in a way that matches a real person.

Most of the customers are also not on managed networks. But on my own systems I block outbound connections to port 25 other than what's needed (actually, I mostly have a block everything and allow what's needed policy). It's all part of a layered approach - you protect your systems, but you also add a layer that limits the damage if they do get compromised.

> However, rejecting outgoing e-mail right away is not an option, which ultimately makes the scanning of these messages redundant.

Which makes you part of the problem.
Re: [clamav-users] clamav-users-bounces DKIM signature verify error
Scott Kitterman ubu...@kitterman.com wrote:
> ... but isn't this a bit off topic?

Yes it is - but the OP asked here as he was having problems with this list.

> In this particular case, he's got a local configuration issue nothing really to do with clamav, SPF, or DKIM (as a protocol).

Yes it's a local config problem (he needs to turn off DKIM, or at least turn it down to the point where it's virtually useless), but it's a hard stretch to say it's nothing to do with DKIM since DKIM *IS* his problem !
Re: [clamav-users] clamav-users-bounces DKIM signature verify error
Scott Kitterman ubu...@kitterman.com wrote:
> No, sending bounces to the list is his problem.

Sorry, but that's a relatively common techie attitude - ignore the fact that the end user probably has no idea what's going on (else why ask for help about it ?)

From the USER perspective, he has a problem with using this list, and has asked for help identifying WHY. His problem is **NOT** sending bounces, his problem is list server is unsubbing him and/or he isn't getting all the mails - bouncing mails is a *cause* of that, and DKIM is a *cause* of that.

As you say, the discussion of the merits or otherwise of DKIM and/or SPF is OT for this list, but the OP didn't know that that was the problem until he asked the question. Now he knows what the underlying issue is - he can address it, asking for help in an appropriate forum if required.
Re: [clamav-users] clamav-users-bounces DKIM signature verify error
Marcello Lupo ml...@itspecialist.it wrote:
> Have you any idea of the reason for this problem and how to let it go away?

Other than DKIM breaks stuff

> As now I’m losing some messages from the list for sure.

Stop using mailing lists
OR
stop using DKIM

Or you might be able to tune DKIM to exclude the message content - which rather defeats the object.
http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail#Annotations_by_mailing_lists

SPF has the same problem.
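An added example, not part of the original message: the DKIM body hash (the bh= value) computed with the "relaxed" body canonicalization of RFC 6376, showing why a footer appended by a list server breaks verification, and why signing with a body length limit (the l= tag) makes the hash match again while leaving every appended byte unauthenticated. The message text and function names are constructed for illustration, only the body hash is modelled (not the header signature), and input is assumed to use CRLF line endings.

```python
import base64
import hashlib
import re

# Constructed sample body as the sender signed it.
ORIGINAL = b"Have you any idea of the reason for this problem?\r\n"
# Footer of the kind this list appends after the sender has signed.
LIST_FOOTER = (b"___\r\n"
               b"Help us build a comprehensive ClamAV guide:\r\n"
               b"https://github.com/vrtadmin/clamav-faq\r\n")


def relaxed_body(body):
    """RFC 6376 'relaxed' body canonicalization.

    Collapse runs of spaces/tabs to one space, drop whitespace at line ends,
    drop empty lines at the end of the body, and end a non-empty body with
    exactly one CRLF.
    """
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ")
             for line in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(canonical, length=None):
    """bh= value: base64(SHA-256) over the canonical body, or its first l= bytes."""
    covered = canonical if length is None else canonical[:length]
    return base64.b64encode(hashlib.sha256(covered).digest()).decode("ascii")


def check_body(bh, delivered, length=None):
    """Verifier side: return (hash matches, canonical bytes the hash does not cover)."""
    canonical = relaxed_body(delivered)
    if length is not None and length > len(canonical):
        return False, 0  # body is shorter than the signed length
    matches = body_hash(canonical, length) == bh
    uncovered = 0 if length is None else len(canonical) - length
    return matches, uncovered


if __name__ == "__main__":
    signed = relaxed_body(ORIGINAL)
    delivered = ORIGINAL + LIST_FOOTER
    # Whole body signed: the appended footer changes the hash.
    print(check_body(body_hash(signed), delivered))
    # Signed with l=<length of the original body>: the hash matches, and the
    # second value is the number of bytes nobody vouches for.
    print(check_body(body_hash(signed, len(signed)), delivered, len(signed)))
```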
Re: [clamav-users] clamav stops boot
Alain Zidouemba azidoue...@sourcefire.com wrote:
> The ClamAV engine won't update itself automatically. You will have to manually perform that operation. The latest version of ClamAV (version 0.98.1) can be downloaded here: http://www.clamav.net/lang/en/download/sources/

However, as the OP is using Debian, is new to Debian, and assuming it's been installed as a package, then he'd be better just using the system update tools.

apt-get update
apt-get upgrade

to upgrade everything, or

apt-get upgrade

followed by

apt-get install clamav-daemon clamav-freshclam

should pull in updates for the ClamAv stuff. That is, assuming it's a moderately up to date Debian version.

But he has to get it booted first ! The system should continue past that message, so I'm not sure what's going on. As a quick hack, booting into recovery mode (should be a boot option at the Grub menu) and

rm /etc/rc2.d/S*clamav-daemon

should get the machine to a bootable state.

Once the system boots,

dpkg -l '*clamav*'

should show what's installed.
Re: [clamav-users] Problem with Freshclam and local mirror
Shawn Webb sw...@sourcefire.com wrote:
> I suspect the fault lies in a rather small piece of code that was supposed to make the call to recv() a little more robust. If you have the ability (or desire) to compile from source, can you please try the attached patch? If the patch works, I'll integrate it into our next release.

Thanks, but I'm not really in a position to test it - I don't have build tools on any of my machines, and don't really have the skills to use them anyway.

In response to my bug report (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743305), Andreas Cadhalpun has pointed out that there is now a PrivateMirror option in freshclam.conf. I've configured this and things now seem to work, though I need to leave it for a while to be sure. The only reference to the new option I could find on my system was on line 962 of the changelog.

And thanks for the other suggestions.
[clamav-users] Problem with Freshclam and local mirror
Because I've several machines using it, I've setup one to act as a local server, with the others pulling their updates from it. It's been generally reliable for years, but since updating to 0.98.1 I'm having repeated problems where the slaves just stop fetching updates. As an example, one of them as of this morning was 7 revisions out of date. Freshclam log says :

    main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
    ERROR: Can't download daily.cvd from virusdb.back.mydomain
    Giving up on virusdb.back.mydomain...
    Update failed. Your network may be down or none of the mirrors listed in /etc/clamav/freshclam.conf is working. Check http://www.clamav.net/support/mirror-problem for possible reasons.

Invariably, if I delete mirrors.dat and restart Freshclam it will then download daily.cvd :

    main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
    Downloading daily.cvd [100%]
    daily.cvd updated (version: 18725, sigs: 863475, f-level: 63, builder: neo)
    bytecode.cvd is up to date (version: 236, sigs: 43, f-level: 63, builder: dgoddard)
    Database updated (3287743 signatures) from virusdb.back.mydomain (IP: 172.nn.nn.nn)

Systems are running Debian Wheezy and fully up to date.

Checking the logs, I can see one system at 6:50 said :

    ClamAV update process started at Tue Apr 1 06:50:35 2014
    main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
    Downloading daily.cvd [100%]
    WARNING: Mirror 172.nn.nn.nn is not synchronized.
    Trying again in 5 secs...
    ClamAV update process started at Tue Apr 1 06:50:42 2014
    main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
    WARNING: Can't download daily.cvd from virusdb.back.mydomain
    Trying again in 5 secs...

And on the Apache logs of the main server, I can see daily.cvd being fetched at 06:50 then nothing at all after that. It looks like Freshclam just flags the mirror as bad and never checks it again.

Any ideas ?
Re: [clamav-users] Problem with Freshclam and local mirror
Greg Folkert g...@donor.com wrote:
> I had this problem and have used a brute force solution to remove the mirrors.dat file every day so it'll ignore previous problems (like the machine being unavailable or other such issues)

I had already considered the same. Since I've got two machines that have dropped 3 revisions behind already today (ie in the last 8 hours) I'll do that unless anyone has any more elegant suggestions or knows how to fix the underlying problem.

In the meantime, I've logged a bug against the Debian package.
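The failure described in this thread is silent: freshclam keeps running but gives up on the only mirror. As an added example (not code from the thread or from ClamAV), the function below classifies the most recent runs in a freshclam log so that a cron wrapper or monitoring check can notice it; the function names and the sample log, which is rebuilt from the excerpts quoted above with a constructed third run, are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: report whether the latest freshclam runs failed, and on
# which mirror. Log wording follows the excerpts quoted in the thread.

# freshclam_last_status LOGFILE   (use "-" to read the log from stdin)
# Prints "ok", "failed <mirror> <consecutive-failed-runs>" or "unknown".
# Returns 0 / 1 / 3 respectively.
freshclam_last_status() {
    awk '
        # Fold the run that just ended into the running totals.
        function close_run() {
            if (state == "failed") {
                streak++; last = "failed"
                last_mirror = (mirror != "" ? mirror : "-")
            } else if (state == "ok") {
                streak = 0; last = "ok"
            }
            state = ""; mirror = ""
        }
        /ClamAV update process started at/ { close_run(); next }
        /Mirror .* is not synchronized/ {
            mirror = $0
            sub(/.*Mirror /, "", mirror); sub(/ is not synchronized.*/, "", mirror)
            state = "failed"; next
        }
        /Can.t download .* from / {
            mirror = $0
            sub(/.* from /, "", mirror); sub(/[ \t]+$/, "", mirror)
            state = "failed"; next
        }
        /Giving up on / {
            mirror = $0
            sub(/.*Giving up on /, "", mirror); sub(/\.\.\.[ \t]*$/, "", mirror)
            state = "failed"; next
        }
        /Update failed/ { state = "failed"; next }
        # Success lines only count if nothing in this run has failed yet.
        /is up to date|updated \(version|Database updated/ {
            if (state == "") state = "ok"
        }
        END {
            close_run()
            if (last == "failed") { print "failed", last_mirror, streak; exit 1 }
            if (last == "ok")     { print "ok"; exit 0 }
            print "unknown"; exit 3
        }
    ' "${1:--}"
}

# Constructed sample log (the third run and its timestamp are made up).
sample_freshclam_log() {
    cat <<'EOF'
ClamAV update process started at Tue Apr 1 06:50:35 2014
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
Downloading daily.cvd [100%]
WARNING: Mirror 172.nn.nn.nn is not synchronized.
Trying again in 5 secs...
ClamAV update process started at Tue Apr 1 06:50:42 2014
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
WARNING: Can't download daily.cvd from virusdb.back.mydomain
Trying again in 5 secs...
ClamAV update process started at Tue Apr 1 06:50:49 2014
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
ERROR: Can't download daily.cvd from virusdb.back.mydomain
Giving up on virusdb.back.mydomain...
Update failed. Your network may be down or none of the mirrors listed in /etc/clamav/freshclam.conf is working.
EOF
}

# Demo on the constructed log; "|| true" keeps the demo from aborting callers.
sample_freshclam_log | freshclam_last_status - || true
```

A non-zero return is the signal to alert or to apply whichever remedy from the thread is in use (the daily mirrors.dat removal or the PrivateMirror option); the function itself changes nothing.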
Re: [clamav-users] Debian packaging
Greg Folkert g...@donor.com wrote:
> Debian Stable is that. If you must have 0.98.1, you should also be using backports... at least I used to until I just used Sid for everything. Backports help extend Stable's longevity and freshness a bit... but it is no guarantee 0.98.1 will be there.

Actually it should filter down once it's gone through some testing. Stable means different things to different packages - and AFAIK policy hasn't changed much in terms of updating volatile security related packages like ClamAV.

Matthew Newton m...@leicester.ac.uk wrote:
> Debian's policy is to ensure that stable means stable - so they only generally apply security patches. There was a volatile repository once as they realised that software like ClamAV needs updating more but conflicted with normal policy; it looks like it's been replaced, but I don't know if they still maintain the ClamAV package there.

It is still there, just under a different name - should be covered by the version/updates (eg wheezy/updates) source. http://www.debian.org/security/

As for installing the update, as pointed out there are several options. If you have wheezy/updates in your apt-sources list then it should appear (eventually) after passing through Debian's quality processes. If you want it sooner, then pull it from testing - something I've done with a few packages from time to time. I've found that mostly things are fairly reliable by the time they reach testing - but it's worth a scan of the bugs list first. Or if you want bleeding edge - either install from upstream source, or install from unstable. Unstable can be, well, unstable - so you roll your dice and take your chances.

Personally, I try to avoid installing from source. Not because I can't do it (I have done it when I've had no option), but I have to consider maintainability - especially if I've moved on and the system gets inherited by someone with limited Linux/FOSS skills. YMMV - what you do on a home system (only you to consider) or in an environment where there are plenty of experienced Linux/FOSS admins is one thing; what you do when there's no such people around is another.
Re: [clamav-users] Is there any chance of the 97.8 version as shipped by ubuntu 10.04.4 LTS, working?
Gene Heskett ghesk...@wdtv.com wrote:
> So, is there any hope of making it work again using what the repo's for ubuntu 10.04.4 LTS will put back in (version 97.8) using synaptic? Or has the data format changed so much it's hopeless?

97.8 is the current stable version in Debian (98 has just hit unstable) and Freshclam is working fine for me. I don't see there being any problems.
Re: [clamav-users] Debian packaging
Greg Folkert wrote:
> Simon, Why not open a Bug, or look to see if there is one. Oh wait: In Pending Upload bugs for http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=727027 Just gotta look. Pending since Oct 2013

Yes indeed.

> And lookit that, some Simon Hobson li...@thehobsons.co.uk Commented on it Fri, 15 Nov 2013 9:54:48 +.

And look what a positive response it's had so far !

> Make noise on the list or continue to bomb the bug(s)... This place ain't gonna be helpful in this regard.

Well since no-one's come back with something like the package maintainer's gone AWOL or similar, I'll keep bumping that bug ticket. Does seem strange, I don't recall such a long delay in the past.

Updating from source isn't really an option since I need to leave these systems maintainable by people who need the simplicity of apt-get upgrade.
[clamav-users] Debian packaging
Does anyone know what the situation is with Debian packages ? It's been something like 2 months now and 0.98 still doesn't appear to have made it to unstable, let alone testing. I'm assuming this also affects Debian derived distros like Mint and Ubuntu.
Re: [clamav-users] Virus names - a rose by any name?
Pancho wrote:
> Hi - thanks to everyone for the replies. I have seen 2 replies now and it may well be that I have not been clear enough because both are at cross purposes.

Then it might help if you elaborated on what you meant.

> Unfortunately I don't have further time to invest in this topic but I do hope that someone at ClamAV sees value in the suggestions.

They might if they could understand what the suggestions were. It's clear from your response that what people took away from your post is not what you meant. Hence it's unlikely that anyone will see value in something they haven't seen.
___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [clamav-users] Virus names - a rose by any name?
Pancho wrote:
> While I understand the comment, it makes it risky I believe from a security perspective to tell users anything more than file contains virus. I say this because if we find a virus and provide the message file contains virus with name ClamAV proprietary virus name XYZ then malicious users can effectively deduce our virus engine simply by using the custom name. See the site http://virusscan.jotti.org/en for a very easy illustration of how to do this. Once the malicious user knows this again, it is a fairly straightforward thing for them to test exploits against a site like jotti until they find one not detected by ClamAV - then submit that exploit to our site knowing that it will successfully bypass our anti virus.

AFAIK ClamAV doesn't tell outside users anything - that is up to the software that calls it and the administrator that set it up.

For example, suppose we are using ClamAV to scan inbound mail - using Amavis as integration software as that's a fairly common setup. So when the email is submitted by the outside MTA, our MTA hands off the message to Amavis, and Amavis (amongst other things) hands it off to ClamAV. The response sent to the outside MTA can be anything from message blocked at one extreme to ClamAV found XXX at the other - and where in that spectrum is down to not just ClamAV (which should correctly identify what it found IMO), but also the config of Amavis and the config of our MTA.

Of course, what is reported to the outside MTA can be different to what is logged in our mail log. We may just report blocked to outside while logging full details (as is usually the case) in the mail log so that the administrator has more information if the reason is queried.

Much the same applies if you scan inbound file on a web site that allows uploads - what ClamAV reports to your software, and what your software reports to the end user may be different things.
Re: [clamav-users] linux scan of WordPress directories
Vid Luther wrote:
> I'm wondering if it's possible to run ClamAV on a file system that has a ton of WordPress installs.

Yes, use (IIRC) clamscan to scan the directories. I've done that on my servers when there's been any question about a customer site.

-- Simon Hobson Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
Re: [clamav-users] Licensing DLLs
Chuck Swiger wrote:
>> What if WE made an AV plugin DLL to link our software with libclamav?
> If your software license isn't GPL-miscible, then you should not redistribute the combination of your software, the plugin, and ClamAV.

Isn't this a case where the component they've linked with (in this case) ClamAV would need to be GPL, but the other component it talks to doesn't need to be ? I'm assuming these are separate units - ie there's the closed main system, and the GPL plugin code linked with ClamAV. The fact that the closed main system is distributed alongside the GPL code doesn't mean it has to be GPL - provided they are clear in the documentation etc which parts are closed, and which are GPL.

Very much a flip round of the case where software uses non-free libraries (http://www.gnu.org/licenses/gpl-faq.html#FSWithNFLibs)

Also, http://www.gnu.org/licenses/gpl-faq.html#GPLInProprietarySystem says :

"However, in many cases you can distribute the GPL-covered software alongside your proprietary system. To do this validly, you must make sure that the free and non-free programs communicate at arms length, that they are not combined in a way that would make them effectively a single program."

It then goes on to say :

"The difference between this and incorporating the GPL-covered software is partly a matter of substance and partly form. The substantive part is this: if the two programs are combined so that they become effectively two parts of one program, then you can't treat them as two separate programs. So the GPL has to cover the whole thing."

My interpretation of this would be that in the case the OP asked about, provided he makes the plugin a distinctly separate program (and GPLs any code he adds to the GPLd code to make it work with his API) then it would qualify. It would require the plugin to be separate and optional - but I see no reason it can't be shipped on the same disk.

The GPL is actually not as all encompassing and restricted as many believe - it *IS* possible to combine GPL and non-free software in a system if you do it right, and using GPL software does *NOT* automatically mean the entire system has to be GPL. Perpetuating these myths doesn't do anyone any good.

If in doubt, the OP could always ask FSF who I'm sure would be quite happy to have someone ask them rather than make assumptions and/or get it wrong. I dare say they'd be happier if the whole lot was GPLd, but Rome wasn't built in a day.

-- Simon Hobson
Re: [clamav-users] Some questions about setting up ClamAV
Andy Newby wrote:
> How can we have clamAV automatically scan the images after they are uploaded (to catch any viruses as quickly as possible)?

You'd need to get your software to do that. Between accepting the upload and doing anything with it, call Clamscan to scan it.

Alternatively, and I don't know if this is possible, I believe some OSs have facilities to monitor a filesystem for changes. If you can get the system to tell you when a new file has been created in your upload directory, then you could scan it then - but of course you may need to wait for the upload to complete.

> If it is not possible to set up clamAV like this, how can we set up a cron job to scan the image folders and domain / server ?

You create a cron job, to run at whatever schedule you want, that calls Clamscan with the options you want.

-- Simon Hobson
Re: [clamav-users] Some questions about setting up ClamAV
Andy Newby wrote:
> We're using ClamAV on a Unix Centos Server, with WHM and Cpanel, we would like to do this:
> 1) Set up a cron job to scan a single domain (via Cpanel), and a cron job for the entire server (via WHM), how?

Create cron jobs to call clamscan with the options you want ?

> 2) We would like to set up a cron job to update ClamAV with the latest virus DB on a single domain (via Cpanel), and a cron job for the entire server (via WHM), how?

Ditto. Setup cron jobs to call freshclam. Or just let freshclam do its job automatically. If you have a lot of instances to update, you might consider setting up a central server to fetch updates and then let individual servers/instances fetch from that.

> 3) our web site allows users to upload images via a standard form. We would like to set up ClamAV to be able to scan their file before it gets uploaded to the server, how can we do this?

You can't - it's not there to scan before it's been uploaded. You'd need to look at the software being used and get it to scan all new files before it goes on to use them.

-- Simon Hobson
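Both replies above say the upload-handling software has to call clamscan itself, between accepting a file and using it. A sketch of that gate follows as an added example (not code from the thread): it rejects the file when the scanner reports an error as well as when it reports a detection, and it records the signature name in a local log instead of in the message returned to the uploader. The CLAMSCAN and UPLOAD_SCAN_LOG variables and the log layout are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: gate an uploaded file on a clamscan verdict.
# Assumed names: CLAMSCAN (scanner command), UPLOAD_SCAN_LOG (admin log path).

# scan_upload FILE
#   stdout : generic verdict for the uploader, "accepted" or "rejected"
#   log    : full detail (signature name or scanner error) for the administrator
#   return : 0 = safe to use the file, 1 = do not use it
scan_upload() {
    su_file=$1
    su_log=${UPLOAD_SCAN_LOG:-./upload-scan.log}
    su_scanner=${CLAMSCAN:-clamscan}

    if [ ! -f "$su_file" ]; then
        su_verdict=error
        su_detail="not a regular file"
    else
        # clamscan exit status: 0 = no virus found, 1 = virus found, 2 = error.
        su_out=$("$su_scanner" --no-summary --stdout "$su_file" 2>&1) && su_rc=0 || su_rc=$?
        case $su_rc in
            0)  su_verdict=clean
                su_detail=- ;;
            1)  su_verdict=infected
                # Output line looks like "<path>: <signature> FOUND".
                su_detail=$(printf '%s\n' "$su_out" |
                    sed -n 's/^.*: \(.*\) FOUND$/\1/p' | head -n 1) ;;
            *)  # The file could not be scanned: fail closed, never accept.
                su_verdict=error
                su_detail=$(printf '%s\n' "$su_out" | head -n 1) ;;
        esac
    fi

    # Strip control characters so a hostile file name cannot forge log lines.
    su_line=$(printf '%s verdict=%s detail=%s file=%s' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$su_verdict" "$su_detail" "$su_file" |
        tr -d '[:cntrl:]')
    printf '%s\n' "$su_line" >> "$su_log"

    if [ "$su_verdict" = clean ]; then
        echo accepted
        return 0
    fi
    echo rejected
    return 1
}

# Typical use from an upload handler (paths are placeholders):
#   scan_upload /path/to/incoming/file && mv /path/to/incoming/file /path/to/site/
```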
Re: [clamav-users] How can I have clamd reject items that can't be scanned?
Per Jessen wrote:
It's not about not being able to scan, it's about not wanting to scan. Regardless, clamav doesn't reject or approve mails, that's for your MTA to do.

If you use ClamAV as milter, it's up to ClamAV to tell the MTA what to do so I guess there's a task for ClamAV too..

Well, I guess it depends on your point of view. Personally I see the MTA doing the rejection, possibly based on information from elsewhere (DNS, blacklists, clamav, wherever).

This is a rather pointless argument about semantics which doesn't answer the original question. I'll rephrase it for the pedants :

I see that there are ways to limit the level of archive that will be scanned as well as the size of the entities to be scanned. Is there a way for CLAMAV to then flag them as not allowed?

Oh, I see it works without modification. Is it possible for ClamAV to flag that the message should be rejected if it can't be scanned - seems a reasonable question to me. The OP didn't say is it possible for ClamAV to reject the message, they rather correctly asked about flagging it for rejection.

-- Simon Hobson
Re: [clamav-users] How can I have clamd reject items that can't be scanned?
Per Jessen wrote:
> The OP started by saying there are ways to limit the level of archive that will be scanned as well as the size of the entities to be scanned, which are performance optimizing options one can use if desired. To which I commented that it's not about a message that can't be scanned, but whether your limits allow it to be scanned. Remove the limits, and everything is scanned (presumably only limited by hardware resources).

Well of course there have to be limits somewhere, and I recall one issue is malevolent attachments designed specifically to crash extractors.

A second issue I recall from the past is the sending of password protected archives - the scanner is unable to check it, but of course a user taken in by the message may well open it. So that's a separate consideration - whether to allow password protected archives or to reject them.

> Nonetheless, it is actually an interesting question - should/does clamav return not-scanned-due-to-user-restriction in such cases?

I guess that's the key question, and is it possible to set the reported result to reject in that case ?

-- Simon Hobson
Re: [clamav-users] Clamav 0.97.0 to 0.97.1 on squeeze(Debian 6.0)
OLCESE, Marcelo Oscar. wrote:
> Query, why is not available in the repositories squeeze 0.97.1 version? Nor are the volatile repositories.

Simple - because it hasn't made it yet. It has made it into Unstable (Sid), and in time it will work its way through.
http://packages.debian.org/search?keywords=clamav&searchon=names&suite=all&section=all

The way things work is :
The main program gets updated - known as the upstream package from the perspective of a distribution.
The maintainer of the packaged version for the distribution spots that it's been updated. He'll pull down the new version, apply any changes to distributionise it, and build a package for the distribution.
This distribution specific package then goes through a testing process before being released through the distribution specific mechanisms.

In the case of Debian, this means that one of several package maintainers (there are three individuals, plus ClamAV Team listed) has observed the new upstream version. It's been debianised, and put into Sid. At some point, when it's been decided that it's stable etc, it will migrate to testing, volatile and backports as appropriate. Eventually, when the next Debian release happens, it will migrate to stable.

Many of these steps will be automated, but still need checking. For example, part of Debianising a package involves moving components from wherever the upstream package normally puts them to the locations used by Debian, and creating distribution specific files (such as the startup/shutdown script for /etc/init.d). While this would be done with automated scripts and patch files, each time the upstream version changes, these need to be checked to see that they still work correctly - and of course, the scripts/patches updated if something has changed.

There may of course be distribution specific bugs/issues to be dealt with, and some of those may well involve creating a fix to be passed up to the upstream package maintainers.

The price you pay for using a distribution rather than doing it yourself is that you get a delay between the upstream package getting updated and your distribution reflecting that. The upside is that others have done a **LOT** of work so that you don't have to.

You have a choice - either wait, try installing the package from Sid, or download the upstream package and install it manually. All of these have their pros and cons - you would have to work out which is best for you.

I hope this gives you some idea of the process involved, and why there is inevitably a delay before an update appears when you apt-get update apt-get upgrade.

-- Simon Hobson
Re: [clamav-users] daily database broken again
Nathan Gibbs wrote:
I am not aware of the team issuing a new major version number that they then break in a few months with a new major version update. 0.95.x was the latest version less than a year ago. To me, it seems a little soon to EOL it. At some point the end user has to accept his/her responsibility for keeping their machines properly updated. I am not talking about every day, but at least every few months, Agreed. six at most, That is a good way to do it. That is also your policy/opinion. It may not work for someone else. a user should inventory their system and take appropriate maintenance. To expect others to waste valuable time in developing a product and keeping it fully compatible with older versions is ludicrous. Agreed. Supporting 0.94.x or earlier now would be a waste of resources. I did feel bad for the 0.94x and 0.93x users who got caught in last year's flag day, but it was a flag day what are you gonna do. Those running 0.92x or older, IMNSHO were just plain stupid and got what they deserved. But I do realize that it is just my not so humble opinion, and they just might have had good reasons for running software that old. If you blame others for your failures, do you credit them with your success? That's an unsafe question to answer. No matter how it's answered, you shoot yourself in the foot. It's like Have you quit beating your wife? Yes - You were beating her. No - You are beating her. The failures are usually all mine. The successes usually involve other people. And attribution is always the right way. Open Source wouldn't work otherwise. :-)

Thanks Nathan for articulating what I suspect quite a lot of us think. I too am grateful to the ClamAV team - but I also sometimes think their attitude to users lacks sensitivity at times.

-- Simon Hobson
Re: [Clamav-users] block attachment with certain file endings (also in archives)
Erwan David wrote:
>> gmail blocks attachments with certain file endings (also if the files are in certain archives): http://mail.google.com/support/bin/answer.py?answer=6590 I am using clamav-milter with postfix. Is it possible to implement this policy through custom clamav signatures? From the signatures pdf I was not able to figure it out so far.
> amavis may do this (and call clamd for handling viruses)

Yes, Amavis will do it. IIRC it defaults to blocking a small number of extensions (such as .exe and .scr). It also unpacks archives (zip, tar, etc) to check the contents.

My knowledge isn't enough to say (without searching) where it's configured - but I do recall there is a Perl array with a list of extensions to block.

-- Simon Hobson
Re: [Clamav-users] Tiered freshclam updates on port443
Shawn Bakhtiar wrote:
> I still say having firewalls from higher security zones to lower ones, does not make sense. Security is only valid when it is INBOUND. Outbound security is no security at all, just a pain for your users.

I used to think like that, but now I'd respectfully disagree. It's not an answer in its own right, but used intelligently it provides another layer of protection. OK, if your server gets compromised then it doesn't protect the server, but it does restrict the damage it can do.

For example, if you don't require to access external FTP servers, then don't allow outbound FTP connections. Should your server get compromised and they use it to try and brute-force attack other FTP servers, instead of using up your bandwidth and causing a headache for the targets, the connections fail. On the other hand, if the basic software installed by the hack is unable to contact its command centre for instructions (or to install additional software), then it's going to be useless to the attacker.

In a similar vein, I ALWAYS configure my routers etc to only allow outbound SMTP connections that are actually required. In the general case, end user machines should not be sending mail other than through specific servers - and if they are trying to send mail elsewhere then most likely it's spam from an infected machine. If a user has a genuine reason for sending mail, then the Submission port (which I do allow) is the way to do it. Again, it's not protecting your systems which are already compromised, but it's limiting the damage that then follows - damage in bandwidth costs, and reputational damage from getting blacklisted.

Just two examples that came to mind for no particular reason - and if you believe that you'll believe anything !

Yes it needs more work to set up, and figure out what connections you require - but IMO it's worth it in many cases. As you say, there are cases where it's not appropriate, and you need to judge each case on its merits in an intelligent way. Strike a reasonable balance between protection, being a good netizen, and allowing users to do their jobs.

Having said all that, in this case, I'm inclined to agree that the requested functionality isn't really a generally useful thing to be doing.

-- Simon Hobson
Re: [Clamav-users] Some doubts about Clamav upgrade
Freddie Cash wrote:
>> Does it first uninstall the existing version?
> If it was installed as a .deb package (via dpkg, apt, aptitude, whatever), then yes.

    dpkg -l | grep clam

will show if it was installed as a deb package - it should show clamav and freshclam as installed. If it lists nothing then they may have been installed manually and the OP will have to figure out how and where they are installed - ideally removing them before installing the new deb packages.

It may be useful to know which Debian version the OP is using - since if it's Lenny he wouldn't have 0.93 installed, and if it's older then there isn't an up to date version in the repositories. If it's Sarge, then Gianluigi Tiesi posted this back on 16th April, it worked for me on one of my systems :

> Temporary fix for debian sarge, I suggest anyway to upgrade your distribution:
> download packages from: http://falco.netfarm.it/clamav/clamav-sarge/
> then
> /etc/init.d/clamav-daemon stop
> /etc/init.d/clamav-freshclam stop
> apt-get remove libclamav3
> rm -fr /var/lib/clamav/*
> rm -f /var/log/clamav/*
> dpkg -i *.deb (you can skip docs and testfiles)
> apt-get -f install if some deps is broken
> ah forgot, then dpkg --purge libclamav3

-- Simon Hobson
Re: [Clamav-users] Some doubts about Clamav upgrade
Wagner Pereira wrote:
> 1. My Debian is a Etch 4.0
> 2. My sources.list file has deb http://volatile.debian.org/debian-volatile etch/volatile main contrib non-free
> 3. That's my dpkg -l | grep clam output
> ii clamav 0.93~dfsg-volatile1 anti-virus utility for Unix - command-line i
> ii clamav-base 0.95.3+dfsg-1~volatile1~etch2 anti-virus utility for Unix - base package
> ii clamav-daemon0.93~dfsg-volatile1 anti-virus utility for Unix - scanner daemon
> ii clamav-freshclam 0.93~dfsg-volatile1 anti-virus utility for Unix - virus database
> ii libclamav4 0.93~dfsg-volatile1 anti-virus utility for Unix - library
> What should I do to upgrade my Clamav? Do I need to backup something from Clamav before?

OK, according to http://packages.debian.org/search?keywords=clamav&searchon=names&suite=all&section=all, etch-volatile has 0.95.3 for i386. So you should be able to upgrade with :

    apt-get update
    apt-get upgrade

this will upgrade everything on your box to the latest versions.

Alternatively, you can

    apt-get update

to update your local package indexes, and then

    apt-get install clamav freshclam

to upgrade just those two packages and any thing that needs updating to meet dependencies.

    apt-get --no-install-recommends install clamav freshclam

will limit upgrades to only those that are required.

As with any upgrades, it's always worth having a full backup and a means of reverting back if something goes wrong.

-- Simon Hobson
Re: [Clamav-users] No debian woody support anymore?
Dennis Peterson wrote: What they did was a bad call. They wilfully let freshclam download an update which they knew would crash the clamd service. This was going to happen anyway when the signatures grew to take advantage of the new format. Older versions of clamd were going to die sooner or later. It was inevitable this would happen. The rest only makes sense IF that statement is true. It's already been pointed out that it was not inevitable, and had the team cared then there were ways of not making old versions die. More than one technique has been mentioned, and at least one of them would have been viable. The rest of your response rather reinforces Mark's point. -- Simon Hobson
Re: [Clamav-users] No debian woody support anymore?
Jim Preston wrote: The rest only makes sense IF that statement is true. It's already been pointed out that it was not inevitable, and had the team cared then there were ways of not making old versions die. More than one technique has been mentioned, and at least one of them would have been viable. The rest of your response rather reinforces Mark's point. Simon, Mark, Are you ever going to get over it and move on? If you are unhappy with ClamAV's decision take your bat and ball and go to some other ball park. I am over it, and I have moved on. However, as long as people keep making untrue statements ... "It was the only way" and "it was inevitable" and "ClamAV **was** going to break sooner or later" are all untrue statements. On the other hand "It was the only way **that the ClamAV team were prepared to act**" and "it was inevitable **given the choices made**" and "ClamAV **was** going to break sooner or later **given the decision to make it do so**" are all true statements. -- Simon Hobson
Re: [Clamav-users] Resources for integrating with spamassassin+amavisd
Chris Meadors wrote: Rsync treats all files as binary. When finding changes it splits a file into blocks, computes a checksum for each block and performs a comparison between the sending and receiving side. Then it only sends the blocks which have changed. When dealing with a text file which has been appended to, like a log, all the initial blocks are the same. But if the file is sorted, it's possible only a few additional lines will disrupt most every block by changing the start offsets throughout the entire file. It's actually more efficient than that ! It uses something similar to a rolling checksum to find throughout the file. So in principle, you can add a short bit to the front of a large file, or even chop a file up into chunks and rearrange them, and it will still only transfer the changes. Andrew Tridgell's research paper is available at http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.123.1530&rep=rep1&type=pdf rsync is covered from section 3 onwards. -- Simon Hobson
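The rolling-checksum matching described in the message above, as an added example that is not part of the original post and is not rsync's own code. It follows the scheme in Tridgell's paper (a weak 32-bit rolling sum checked at every byte offset, confirmed by a strong hash); SHA-256 stands in for the strong checksum, and the function names, block size and sample data are constructed for illustration.

```python
import hashlib

M = 1 << 16  # both halves of the weak checksum are kept modulo 2^16


def weak(block):
    """Weak checksum of one block: (a, b) as in the rsync paper."""
    n = len(block)
    a = sum(block) % M
    b = sum((n - i) * x for i, x in enumerate(block)) % M
    return a, b


def roll(a, b, out_byte, in_byte, n):
    """Slide an n-byte window one byte to the right in O(1)."""
    a = (a - out_byte + in_byte) % M
    b = (b - n * out_byte + a) % M
    return a, b


def signature(old, bs):
    """Receiver side: weak checksum -> [(strong hash, block index)]."""
    table = {}
    for idx in range(len(old) // bs):
        blk = old[idx * bs:(idx + 1) * bs]
        table.setdefault(weak(blk), []).append((hashlib.sha256(blk).digest(), idx))
    return table


def delta(new, table, bs):
    """Sender side: describe `new` as copies of old blocks plus literal data."""
    ops, lit, i, state = [], bytearray(), 0, None
    while i + bs <= len(new):
        if state is None:                      # start, or just after a match
            state = weak(new[i:i + bs])
        match = None
        if state in table:                     # cheap test first, strong hash second
            strong = hashlib.sha256(new[i:i + bs]).digest()
            match = next((idx for s, idx in table[state] if s == strong), None)
        if match is not None:
            if lit:
                ops.append(("data", bytes(lit)))
                lit = bytearray()
            ops.append(("copy", match))
            i += bs
            state = None
        else:
            lit.append(new[i])                 # byte not covered by any old block
            if i + bs < len(new):
                state = roll(*state, new[i], new[i + bs], bs)
            i += 1
    lit.extend(new[i:])                        # tail shorter than one block
    if lit:
        ops.append(("data", bytes(lit)))
    return ops


def patch(old, ops, bs):
    """Receiver side: rebuild the new file from its old copy and the delta."""
    out = bytearray()
    for kind, val in ops:
        out += old[val * bs:(val + 1) * bs] if kind == "copy" else val
    return bytes(out)


def literal_bytes(ops):
    """Bytes that actually have to cross the wire as file content."""
    return sum(len(v) for k, v in ops if k == "data")


def fixed_block_changes(old, new, bs):
    """For contrast: blocks that differ when compared only at equal offsets."""
    return sum(old[k * bs:(k + 1) * bs] != new[k * bs:(k + 1) * bs]
               for k in range(len(old) // bs))


def sample_file(n):
    """Constructed, deterministic sample content (not real signature data)."""
    out, seed = bytearray(), b"constructed sample"
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return bytes(out[:n])


if __name__ == "__main__":
    BS = 512
    old = sample_file(4096)
    cases = {
        "prepended": b"X-Header" + old,
        "rearranged": old[2048:] + old[:2048],
        "inserted": old[:1000] + b"inserted line\n" + old[1000:],
    }
    sig = signature(old, BS)
    for name, new in cases.items():
        ops = delta(new, sig, BS)
        assert patch(old, ops, BS) == new
        print(name, "literal bytes:", literal_bytes(ops), "of", len(new))
```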
Re: [Clamav-users] Resources for integrating with spamassassin+amavisd
Bill Landry wrote: Why, are you blocking outbound rsync traffic? If so, after 3 years of maintaining this script and many thousands of users, this is the first time I've heard this request. Some of us do this by default - set an outbound policy of block and allow specific traffic that's allowed. It means that should a machine get compromised despite all other precautions, it can't* then be used to launch an attack on others (or other servers in your own network) and/or is unable to communicate with its control centre. Just another layer of security. * Yes the attacker (assuming they got root equivalent access) can clear iptables - but that means they have to be proactive and risk making themselves more visible, not to mention they risk their remote install breaking networking (and also making their presence visible). But then what would I know about administering servers :-/ -- Simon Hobson
Re: [Clamav-users] Yet more clubbing of deceased equine.
Sarocet wrote: The new hostname updates would still have needed the kill signature. Otherwise, you have the same problem as before, but with a different hostname. Someone wasn't reading. The scheme was to remove the original hostname BEFORE using any updates that would kill the software. At that point, older versions would just stop updating and wouldn't break. Now it's been pointed out that there are a sizeable number of third parties providing mirrors, I now agree that this would not have been reasonably practical. It may have still worked with different filenames, with the added bonus of being able to examine logs and work out the scale of the problem - ie how many installations were still accessing the old names vs the new names. -- Simon Hobson
Re: [Clamav-users] No debian woody support anymore?
Daniel McDonald wrote: I'm a little confused by this (still), is it not true that simply turning off freshclam will allow clamav to continue working indefinitely on the existing signature set? No, you need to turn off freshclam *and* delete one signature, or grab an older copy of the signature file. You missed a few steps :
- Find out what has happened to your software that was working fine yesterday.
- Work out what to do RIGHT NOW because your phone is ringing with people asking where their mail is*
- Put in place a quick workaround (disable scanning) to allow the mail queues to get flowing
- Work out what options are available for dealing with it medium term
- Work out where the sig files are stored
- and then disable freshclam and put yesterday's sig files back
- work out what to do to get onto newer version
* Yes, we've already heard the arguments that mail shouldn't stop when ClamAV does - even though that is logically inconsistent with the argument that old versions couldn't be allowed to continue without updates. -- Simon Hobson
Re: [Clamav-users] Yet more clubbing of deceased equine.
Chris Knight wrote: 1) Release a new version that pulls updates from a new hostname. 2) Wait a couple of weeks, or even six months 3) Shut down old servers, 4. Orphan *all* previous versions, including the still heavily used, and valid, 0.95s which were released before the hostname change, not just the buggy 0.94 and older. What? Somebody was running .95 and not the absolute latest? Why would anyone do that? I am in absolute shock. Shock and horror and sarcasm. Yes, lots of sarcasm. Forget it, it's been covered, and you'll never persuade this group of people that a) there was any alternative, or b) that there was anything ethically or legally wrong with the course of action they did take. Also, when I suggested this, it was in some way interpreted that I meant running two different upgrade servers/processes in parallel. There is one thing though, under step 3, it should have read "remove old DNS entries". As for orphaning 0.95 versions, let's take a look. According to an earlier post, the bug report was filed in Feb last year. 0.95 was released in March last year, and 0.95.2 in June last year. Had they added another hostname to the DNS prior to the 0.95 release, then not a single 0.95 release would have been affected. Had they done it in June then only two versions, both more than 6 months old would have been affected. It could have gone into 0.95.3 which was released after the EOL announcement - and it would still have only affected versions older than 6 months. All this has been pointed out, and rubbished already. Of course, they could have taken the precaution of adding new DNS entries, and then not used them if they decided to take a different course of action (such as issuing a poison pill) ... If anyone was running an old enough 0.95 version, then their software wouldn't have died, they would have seen update errors in their logs, and the fix would have been to change just one or two hostnames in their freshclam.conf. 
As you point out, according to the ClamAV supporters, they would have been idiots for using such old software, and it would have been their fault - so why would the ClamAV team be worried about that when they are happy to make other versions actually stop running.* The other 'reason' not to do that is an argument of "why should the ClamAV team go to the effort and expense of changing the DNS ?", and my suggestion that it would have cost next to nothing in both cash and effort terms has been completely dismissed. The only argument put forward being "you don't know what it costs to change a DNS entry" - well actually I have a pretty good idea of the cost base for a number of common scenarios. * Oh yes, and some people are still clinging to an argument that the ClamAV team did not stop any software from working. It's the sort of argument that someone would use to claim he didn't poison his neighbour's dog : he didn't give any poison to the dog, the dog took it when he put it in a piece of meat and left it where the owner takes the dog for a walk - so the dog took it, he didn't give it to the dog. It's linguistic/logics gymnastics to try and get around the fact that they misused the victim's actions to cause harm rather than going and directly causing that harm first hand - the motive and end results were identical, only the means differs. Actions designed to cause harm to a computer system, and a criminal offence in the UK. -- Simon Hobson
Re: [Clamav-users] No debian woody support anymore?
Robert Wyatt wrote: You missed a few steps :
- Find out what has happened to your software that was working fine yesterday.
- Work out what to do RIGHT NOW because your phone is ringing with people asking where their mail is*
- Put in place a quick workaround (disable scanning) to allow the mail queues to get flowing
- Work out what options are available for dealing with it medium term
- Work out where the sig files are stored
- and then disable freshclam and put yesterday's sig files back
- work out what to do to get onto newer version
* Yes, we've already heard the arguments that mail shouldn't stop when ClamAV does - even though that is logically inconsistent with the argument that old versions couldn't be allowed to continue without updates.
I was talking about turning off freshclam anytime in the last two years, not the day after your system broke. Again, you're behaving as though you had no way of knowing when that is not true. That assumes one knows in advance that one has to do that - which we've already determined was not the case for quite a few people. Most people could have upgraded if they knew in advance it was going to be forced - but other than that, why would someone turn off updates that are working ? -- Simon Hobson
Re: [Clamav-users] Yet more clubbing of deceased equine.
Stephen Gran wrote: 1) Release a new version that pulls updates from a new hostname. You mean, deploy a parallel infrastructure of vhosting, monitoring, pushing updates, etc? When most of the mirrors are on third party servers not under the control of the clamav team? Do you really think that's trivial, or were you just making up a solution without knowing anything about the problem? There is no parallel infrastructure - though I accept the point about mirrors not being under the ClamAV team's control. Presumably they aren't going to claim they have no knowledge of who runs mirrors ? How about this for yet another option that could have been done at the 0.95 release : Just check for slightly different file names on the same servers. Before you shout me down about maintaining two sets of sigs etc, I do not mean that - you just hard link another file name to the original. IFF (and yes, I don't know how the mirrors are updating) the mirrors use something like rsync which will deal with hardlinked files, then there's no extra bandwidth for updating the mirrors. When you're ready to cut 0.94 and earlier loose, just stop providing the files it looks for. -- Simon Hobson
Re: [Clamav-users] Yet more clubbing of deceased equine.
Stephen Gran wrote: Sigh. I guess you didn't bother to read the part about third party servers not under the control of the clamav team. This means updating the actual edge servers is not trivial. The 'parallel infrastructure' wasn't referring to deploying new hardware, it was referring to getting all the same monitoring, syncing, deploying, serving, etc working with the new name. This is fine, although slightly non-trivial given the number of machines, even when you are the sole admins. When you're relying on third parties donating bandwidth and space on 100s of shared servers, it's less approachable. But anyway, I think this is end of thread for me. If you really think that the clamav team's time is best spent chasing up hundreds of local admins to make changes to their rsync/webserver/etc vhost configs, then deploying and testing all the changes necessary to make this work, instead of working on clamav just to save a few admins a small amount of work that they should have been doing anyway, you're welcome to your opinion, and I won't bother you with mine any more. I just disagree. Actually, I will thank you for actually putting forward a reasoned argument rather than just "can't be done". Now the external factors have been pointed out, that is somewhat harder than it first appears. See, contrary to what some people may be thinking, I can be persuaded by **reasoned** debate. -- Simon Hobson
Re: [Clamav-users] No debian woody support anymore?
Thomas Hochstein wrote: OK, how's this then. 9.5.3 (IIRC) came out about the time the notice was published. It costs virtually nothing to add an extra DNS entry, and the release could have had the default server URL changed for Freshclam to fetch updates. It wouldn't even have been a great issue to have a 9.5.4 just for that - and of course the change would be quite prominent in the release notes then as well. Why didn't you suggest that beforehand? Because, as has been made quite clear beforehand, I did not know this was happening - and I'm far from alone in that. If I had been aware at the right time* then I would have suggested it. * Note that "right time" does NOT mean spotting the EOL announcement when it was made. That was too late as the decisions had already been made then. Why didn't you just DO that if you consider it necessary as it costs virtually nothing, neither time nor money? Eh ? Are you suggesting that I have the ability to go back in time and make changes to someone else's DNS and code ? As for "costs virtually nothing", yes I believe that is a good description of what it would have cost - and don't forget that deciding to EOL and forcibly block older versions was not without cost. Unless the project has some strange ways to make things tedious and difficult to change, then it would probably have cost less in time than the discussions (if there were any) on the ethics of issuing a kill signal to older software. But it's a moot point - the team didn't do that, we are where we are, and a lot of people are unhappy for various reasons. -- Simon Hobson
Re: [Clamav-users] No debian woody support anymore?
Rob Sterenborg wrote: Message of freshclam did not specify that older versions would stop. It was the same message as for minor upgrades. This did not give the information that something different than usual was planned. It still means you should upgrade and the message was ignored long enough that ClamAV stopped working. The fact that there is no *immediate* need to upgrade when the message is first seen, does not mean you can wait that long. The OP use(s|d) an EOL Debian and an EOL ClamAV. If the OP upgrades ClamAV to a more recent version then he's back in business, even with an EOL Debian. And ... it proves your argument that "there was a warning message so it's entirely the user's fault" is completely bogus. Guess what, with a fully up to date installation, with ALL updates installed, freshclam still reports THE SAME WARNING. So does that mean we should expect our fully up to date installation to just stop working ? And when, tomorrow, next week, next month, ... ? Do we have to start checking the ClamAV website to see if 9.5 is going to be EOL'd and remotely killed before 9.6 gets into Debian ? Note that just updating a fresh install isn't sufficient to give a working system - a fresh Debian install, with all updates installed, does not have a working ClamAV on it. Users need to add Volatile for that to work. Yes, it would be an idea to keep a bit more current, but that **SHOULD** be the decision of whoever is responsible for the box having balanced all the factors that affect his (or her) operations. It may not be the case for this particular package, but there are often other things that prevent upgrades - I've got several systems running various old versions of various OS's for the simple reason that I've got various items of hardware that have no support in current versions. I have a system still running DOS 3.something - it's part of a system that no longer has any vendor support but which still does the job I require it to do. 
I have a VM running Windows 98 because I have some software I need to run on it. I have a pile of CD's here that are unreadable in Vista or Win7 - so to access the manuals on them I must run an outdated system. I have an old laptop with Mac OS 10.4 because my scanner software won't run on 10.5 or 10.6 and the vendor has dropped support. And I've got boxes here (still doing useful jobs) for which 10.5 is not a supported OS. And those are only the 'hard' limits - ie stuff that *cannot* be upgraded. There are 'soft' reasons too - such as balancing the risk of upgrading vs the risk of not upgrading. I have one system where I know 100% that applying all updates *will* break it - so I have to hold back certain packages until one or other of the incompatible bits gets fixed. Applying the logic used with some venom here, every one of those systems should have been upgraded and/or scrapped - never mind whether they would still be capable of doing the job they are there for. Again, not aiming this at you specifically, but at all those who have been advocating with religious zeal that there should be, and cannot be, any other policy that all updates applied all the time as soon as they come out - or something very close to that. And then I note that one of those busy telling people they are complete idiots and unfit to be running a toaster (OK, slight exaggeration for dramatic effect) for running anything but the very latest versions ... ... earlier today admitted that he has a system to take through six - yes SIX - OS upgrades to bring it up to date. I can only assume he had his reasons, and that he balanced the risks (upgrade vs leave alone), and most importantly that if left for as long as it has ... he had some expectation that it wouldn't be artificially crippled by some outside influence before he got around to upgrading it. -- Simon Hobson
Re: [Clamav-users] No debian woody support anymore?
Jerry wrote: By the way, I still also have an old 8086 with DOS 3? (I don't remember the version) that still works. I still use it on occasion to copy old 5.25 floppies to other media. Yes, some local government agencies have valuable documents archived in that format. However, I would never expect it run Win7, nor do I bitch to Microsoft about it either. So, it still runs the software it used to run ? Yes. It's running software that is EOL ? Most definitely. And Microsoft have sent it a poison pill ? No they haven't. There's a difference between not providing any more updates and killing something off. -- Simon Hobson
Re: [Clamav-users] Clubbing a deceased equine
Dennis Peterson wrote: I believe that best practice with this sort of thing is to only issue warnings and not to actually force a potentially harmful change without *express* consent of the user. Suggest at least one way to inform all the users successfully that obsolete software is going to die soon - and don't let it slip past you in your solution that the ClamAV people have no way of knowing who they need to inform. And recall too, this: Filling their logs with warnings didn't work. Posting the notice on the front page of their website didn't work. Running commentary in this list didn't work. Announcing it in their Announcements list didn't work. You don't know a way, they don't know a way, and I know for a fact it cannot be done. If you start with the pre-requisite that you must stop old versions working then you are correct. Remove that pre-requisite and you are not. More than one suggestion has been made of how the team could have just moved on and left the old versions behind - without having to kill them. These suggestions have been rubbished for various (mostly false) reasons. People keep saying it's the user/admin's fault, that the user/admin should take all the blame, and that the user/admin should suffer the consequences. Fair enough - how's this for a really odd idea - why not just stop providing AV updates to the older versions, and let the users/admins take the responsibility and consequences if they continue to ignore the warnings that updates have stopped working. If they ignore "things aren't working" errors then I'd agree with you - let them deal with it. I don't agree with the argument that "things are not optimal" is a warning to upgrade before things go bang. -- Simon Hobson
Re: [Clamav-users] (no subject)
available to them - so there isn't even any defence of it being absolutely necessary for the public good. -- Simon Hobson
Re: [Clamav-users] (no subject)
Christer Boräng wrote: In message 1271831753.5073.28.ca...@localhost, lists writes: For instance, if I go to a shop and they give me a radio free. I take that radio home and use it. If that shop then calls me up and says 'If you don't change that radio, I'm going to break it' it is a case of blackmail. A better analogy would be that the shop calls you up to say "We're switching to digital, your analog radio will stop working in six months", and, in six months time, the radio no longer has anything to listen to... Not a good analogy either. If you want to use that one, it's more like a major broadcaster deciding to go digital - and then coming round to blow up your radio to stop you listening to the local station you actually want to listen to that is still on analogue. -- Simon Hobson
Re: [Clamav-users] No debian woody support anymore?
h...@dip-systems.de wrote: After the last signature update, clam av stopped working on our woody installation. Is there no more support for this Debian Release? No, according to certain people on this list, you are a cretin, and incompetent to even handle the off switch of a computer. If you check the list archives - particularly for threads "(no subject)" and "Those EOL tweets" you'll see that you are far from alone. There seem to be three groups - those who think it was handled really badly and were affected, a small group who think it was handled badly but weren't affected, and a group that thinks there is nothing wrong and it's all the end user's fault - and especially that the ClamAV team did nothing wrong, deliberately interfering with other people's servers is both morally and legally acceptable as long as they pretended to tell you first, and there was no other possible way they could have acted. Even now when their stance has been shown to be full of logical holes, they still persist that anyone disagreeing with their "we did nothing wrong" stance are a bunch of whining losers. That's how it comes across to me anyway. -- Simon Hobson
Re: [Clamav-users] Clubbing a deceased equine
Christopher X. Candreva wrote: Oh come on. If I tell you you'll get wet when if you go out in the rain without an umbrella, is that blackmail ? OK, so if I tell you that if you keep on going out without an umbrella, then I'll throw a bucket of acid over you ... then by your argument that's not blackmail, and by other arguments, it's perfectly OK because I warned you in advance. That wouldn't be assault, it wouldn't be a criminal act - it would be all your fault for ignoring the warning I gave. And by the way, I won't tell you directly, I'll put a notice up in my front window that you may or may not walk past and may or may not see. Old versions of Clam crashed on certain input. You were told when that input was coming. It's sounding like the Clam team would have been better off releasing a too-large signature and going "Whoops, I guess old versions can't handle this. You better upgrade, sorry !" By warning people and releasing a known-bad signature with a message, somehow it's their fault now. No, it's not all their fault. But they sure did handle it badly. -- Simon Hobson
Re: [Clamav-users] (no subject)
Jerry wrote: I had thought by now that this thread would have died a natural death. Obviously, I was mistaken. It has continued to pollute this forum for nearly a week. What has become conspicuously apparent is that if those who are doing the most complaining had spent even one percent of that time keeping their systems up-to-date and keeping themselves abreast of current development and deployment strategies with the software they employ, this whole discussion would be academic. In the interest of eliminating any further waste of my time or computer resources, I am now instigating a kill filter on this thread. That's right - if I can't bully everyone round to my way of thinking, then I'm taking my ball home. A very grown up attitude ! You (and I mean a small subset of people who are unconditionally supporting the action taken by the ClamAV team) have consistently used false logic, outright lies, personal insults, and arguments worthy of criminal defences to try and weasel out of any blame whatsoever for having misjudged things rather badly. Put bluntly, if people had admitted early on that perhaps it could have been handled better, that perhaps they didn't consider all classes/types of user, and that it is perhaps not unreasonable that users could be a trifle annoyed ... then this **WOULD** have blown over ages ago. It's not that you had to do something that people are complaining about, it's not that you ended support for updates to older versions that people are complaining about, it's the way you did it and the way you refuse to accept that there can be any other valid viewpoint that really p***es people off. You may, if you'd read the messages, have noted that even people who were not affected by this thought you got it wrong. -- Simon Hobson
Re: [Clamav-users] Clubbing a deceased equine
At 12:12 -0400 21/4/10, Christopher X. Candreva wrote:
>> Knowingly disabling running software on computers that is not your own is not acceptable. It is immoral, unethical and perhaps illegal.
> But that's not what happened.

Weird idea of "did not happen" - in what way does "we will push an update that has the sole purpose of making your software stop working" NOT constitute "Knowingly disabling running software" ?

- It is a simple fact - the team made the decision to push this update.
- It is a simple fact that the purpose of this update was to make running software break.
- It is a simple fact that this was a desired outcome of the update.

These are simple facts supported by their statement that they were going to do this, and what the expected outcome was going to be. Given these simple facts, I really, really cannot understand the mindset that still claims that the ClamAV team did NOT knowingly disable software running on other people's machines. Could someone please explain how on earth you can still claim that this didn't happen - and by what logic process you arrive at such a statement ?

The **ONLY** defence I can think of is that they assumed an implicit permission by virtue of the user running the update process to fetch signature updates. That's a very tenuous thing to infer when pushing an update that is so different in purpose to what would normally be fetched.

-- Simon Hobson
Re: [Clamav-users] (no subject)
Eric Rostetter wrote:
>> Put bluntly, if people had admitted early on that perhaps it could have been handled better, that perhaps they didn't consider all classes/types of user, and that it is perhaps not unreasonable that users could be a trifle annoyed ... then this **WOULD** have blown over ages ago.
> I've admitted this often, from the beginning, and my posts are largely ignored, or refuted, or I'm insulted/slandered/etc. So, this isn't a true statement.

If I've overlooked the one person who did admit that, then I apologise to you. There are plenty of people who have not, and it appears will never, make such an admission.

-- Simon Hobson
Re: [Clamav-users] illegal or not, make a valid argument (was no subject)
the roses unless they were directly causing a threat to the property - and you cannot say that me running out of date (ie not updated) AV sigs was directly threatening the ClamAv project. You also cannot claim that my downloading of updates constitutes an invite - it constitutes an invite to put AV sig updates on there for the purpose of detecting new threats. A poison pill update doesn't fit that description.

> It is a free service they provide, not to you, but to anyone. So they owe you nothing. You didn't sign any contract with them that they would provide only valid signatures, or any at all. You assume the risk in using the feed.

As a point of law, a contract does not need a signature, nor does it even need anything in writing - all it needs is an offer and acceptance. In the absence of a definitive statement, the legal situation would be whatever the court could determine were the facts of the case. In that respect, man freshclam says : "freshclam is a virus database update tool for ClamAV." In any dispute therefore, unless there was something of equal prominence to contradict it, then it would be inferred that the purpose of the tool was to deliver AV signature updates - not a poison pill designed to stop the software working.

This goes beyond any clause designed to avoid liability for errors in the program. Yes, the clauses above would absolve you of liability for any reasonable errors, but it still would not absolve you of liability for deliberate malice. I assume you will have similar laws over there, but over here, there are some rights you CANNOT sign away. The extent varies according to the situation (eg consumers have more rights than business). As a consumer, even if I sign a contract that a supplier is not liable for anything (such as the clauses quoted above), that agreement is totally worthless as the law says I cannot sign away those rights - and in court the clauses would be declared unlawful and unenforceable.
Similarly, even if I said I didn't mind if you shot me, if you took me at my word, you would still find yourself in court - my permission might well be accepted as mitigating when it comes to the charge laid or the sentence, but it would not absolve you of a crime committed.

> I'm just saying that the arguments are lame (calling it blackmail when it isn't, saying they need permission from each and every user when they don't, etc). Come on folks, make your arguments at least reasonable!

I didn't make those suggestions BTW.

Christopher X. Candreva wrote:
> Let me drive this home. In the state of New York, until recently if the government wanted to use eminent domain to take your property, all they had to do was take out an ad in the paper. They do not need to track down the owner of the building or land, just take out an ad. If you don't read the paper that day, the first you hear that your building was being knocked down may be when the wrecking ball shows up. This was only amended in 2004 after some particularly nasty battles. http://ownerscounsel.blogspot.com/2009/06/port-chester-offers-apology-for-taking.html

Now that's a very interesting argument to throw in ! Are you now claiming that the ClamAV team are now part of government and are entitled to my server by Eminent Domain ? If you are, then poppycock, if not, then why bring it up. You even point out that the law has been changed on that.

Over here we have Compulsory Purchase to cover situation where a government body needs to acquire property for a project - but they cannot just take it like that. Yes, over here there are notifications for which public notice is sufficient action. If someone wants to build in the fields behind my house, then they only have to post notices about the planning application on the site - but they must post the notice AT THE SITE, not at the developers home.
They still cannot come and build on my land without my permission - even if they've got planning permission and misled the planning board into believing that they have the landowners permission or own the land.

Note that building in the field will not stop me living in my house. It may affect my amenity value, but it won't stop me living there - in the same way that not providing AV updates will affect the amenity value of my server, but it won't stop me running it. On the other hand, knocking down my house would most certainly affect my ability to live there - and you cannot do that in this country without serving notice to the property and the registered owner (unless the latter cannot be found after reasonable efforts I believe).

As a complete aside, there have been cases (one was local-ish) where there's been a mix up (for want of a better polite expression) and a contractor has knocked the wrong house down. It usually results in serious compensation - and some rather negative PR for those responsible.

-- Simon Hobson
Re: [Clamav-users] No debian woody support anymore?
Eric Rostetter wrote:
>> Faced with an old release of software that will die if the team uses new functionality due to a known bug, and people who will not upgrade to the version that fixes this bug, and a reasonably urgent need to use the new functionality, what exactly would you have done differently?
> They have already answered this. They would force sourcefire/clamav to spend lots of time, money, and effort to setup a parallel signature system; one for older versions, one for newer systems. They seem to have no qualm with the idea of making sourcefire/clamav pay this price so they can use the results free of charge...

OK, how's this then. 9.5.3 (IIRC) came out about the time the notice was published. It costs virtually nothing to add an extra DNS entry, and the release could have had the default server URL changed for Freshclam to fetch updates. It wouldn't even have been a great issue to have a 9.5.4 just for that - and of course the change would be quite prominent in the release notes then as well.

According to the arguments made in support, all responsible/competent admins would have been running this or a later version by the time support for 9.5 was dropped. On that basis, no responsible/competent admin would have been affected by removing the DNS entry used by the older versions. Even if someone was still running a 9.5 version earlier than the one with the update, it would be one tiny change in freshclam.conf to fix it. Of course, all this would have a prominent entry, not just on the ClamAV homepage, but also on the FAQ page whose URL appears in the freshclam logs.

Come cutoff date, support is dropped for older versions, but they will continue to run. It will not be silent, as freshclam will complain several times a day that it can't get updates. This is a lot different to mentioning in passing that your version isn't current and you might consider upgrading. So probably even less work than fashioning the poison pill update. Less collateral damage.
And these threads would have died several days ago with a "oh, so that's it !" No parallel signature system at all, in fact no changes at all other than a slight change to a DNS entry. But I can see how this would be rejected by those who appear religious attitude to there being only one true way to run a server.

> The biggest problem with this suggestion is that it came after the fact, so it isn't a useful suggestion. No one bothered to offer this advice before the change was made.

Well, if I'd known, I could have suggested the above ! And I probably would have, even if I'd not been running affected software. If any project I *am* involved with suggested such a thing then I would speak up on that.

-- Simon Hobson
Re: [Clamav-users] No debian woody support anymore?
h...@dip-systems.de wrote:
> After the last signature update, clam av stopped working on our woody installation. Is there no more support for this Debian Release?

But Gianluigi Tiesi did post this a few days ago - dunno if it will work for Woody though.

> Temporary fix for debian sarge, I suggest anyway to upgrade your distribution:
> download packages from: http://falco.netfarm.it/clamav/clamav-sarge/
> then
> /etc/init.d/clamav-daemon stop
> /etc/init.d/clamav-freshclam stop
> apt-get remove libclamav3
> rm -fr /var/lib/clamav/*
> rm -f /var/log/clamav/*
> dpkg -i *.deb (you can skip docs and testfiles)
> apt-get -f install if some deps is broken
> ah forgot, then dpkg --purge libclamav3

-- Simon Hobson
Re: [Clamav-users] Clubbing a deceased equine
Eric Rostetter wrote:
>>> Knowingly disabling running software on computers that is not your own is not acceptable. It is immoral, unethical and perhaps illegal.
>> But that's not what happened.
> Yes, it is what happened... People are just confused because of all the bogus complaints like "they shutdown my server" or "they shutdown my email". But they did indeed shutdown clamd for some set of older versions.

I'm confused - are you saying they did, or didn't shut down software that people were running on their servers ? I think you are admitting (thank you) that the update did what it was supposed to do and remotely stopped some versions of ClamAV from running.

>> The **ONLY** defence I can think of is that they assumed an implicit permission by virtue of the user running the update process to fetch signature updates. That's a very tenuous thing to infer when pushing an update that is so different in purpose to what would normally be fetched.
> Well, since you pull the updates (they are not pushed to you), and since while this one signature was indeed different in purpose than the normal, you have a point. But, this "different in purpose" signature was just a way of warning that soon the "same in purpose" signatures _would_ stop the software. Would you rather they just started pushing the "normal in purpose" signatures that crashed it, or that they pushed a "different in purpose" one first, where the purpose was to notify users of both the issue, and how to fix it?

They didn't HAVE to push either to the older software - I'm not the first to point out that there was a completely viable alternative that would just stop supplying updates to the older software. So my preference would be simply that they did nothing to my software. If they want to stop supporting it with updates, that's fine and it still leaves me in control of what I run and when I update it.

-- Simon Hobson
Re: [Clamav-users] (no subject)
Dennis Peterson wrote:
> The question wasn't directed to me but I'd like to see them be more selective as to who should be allowed to use this product. Maybe an IQ test.

Really that is an insulting statement - and completely uncalled for. It's exactly the sort of attitude that drives people away from the FOSS movement - an almost religious zeal in supporting a closed shop mentality.

On one hand, people see a FOSS world inhabited by these religious zealots espousing the notion that to use a computer you must be some sort of uber nerd, fluent in multiple languages, and capable of programming a bare metal computer by thought transference (OK, so that's a slight exaggeration !). On the other hand, they see commercial offerings that appear to be made by people who actually care about people using their stuff - ie making it usable by mere human beings.

Some people in the FOSS movement understand this - that's why there's so much work to make things usable by ordinary people. It's just a pity there are still the bigots around espousing your view. Now, if you want a project that employs such restrictions - go and build one. Being under an open licence, this one is available to all - either like it or lump it, but either way, keep your insults to yourself.

-- Simon Hobson
Re: [Clamav-users] The EOL tweets
Jim Preston wrote:
>> Forcing an upgrade by flipping a kill switch was AN option, but it wasn't the only one.
> No one is arguing that there weren't other options. However, it was their decision to make to move forward with incompatible signatures to support new features. Code changes were put into 0.95.3 (and maybe earlier in the 0.95 tree) which allows clamd to continue running with the new signatures and just does not use them. That is not the issue, the issue is pre 0.95 could not handle the new signatures and everyone had 6 months to do something about it.

Yes, we all know that something had to be done, but just two days ago, the argument most definitely was that there was **NO** other option - absolutely no other option and this was the **ONLY** way to do it. Now you at least are coming round to the acceptance that there were other options.

That has been part of people's objections - apart from choosing the option they did, at least in these threads, the argument has been that there was **NO** other option, which quite frankly was never accepted as true or reasonable. Lessons to be learned on both sides I think.

-- Simon Hobson
Re: [Clamav-users] The EOL tweets
Jim Preston wrote:
>> Yes, we all know that something had to be done, but just two days ago, the argument most definitely was that there was **NO** other option - absolutely no other option and this was the **ONLY** way to do it. Now you at least are coming round to the acceptance that there were other options. That has been part of people's objections - apart from choosing the option they did, at least in these threads, the argument has been that there was **NO** other option, which quite frankly was never accepted as true or reasonable.
> No, Simon, if you read some of my earlier posts I stated it was their decision to make and had taken measures to give users / admins 6 months to do something about.

I can't recall who said what - but there were voices suggesting there was no alternative. I wasn't specifically saying you said it, though I can see how it probably looked that way.

-- Simon Hobson
Re: [Clamav-users] (no subject)
> Yes, and most likely the case and most likely the managers screaming that it should not have failed because they did not authorize the server to fail. And yes this a weak attempt at humor on my part and not in need of retort.

Not so weak - but it sounds like you've met some of my past managers !

-- Simon Hobson
Re: [Clamav-users] The EOL tweets
Eric Rostetter wrote:
> Let's look at this from the OS community point of view... ... I thought, yeah, I can live with that. That won't impact me in any real way. I don't have a problem with that. I didn't think about others. I didn't try to come up with other solutions. I didn't try to foresee problems and try to correct them. I didn't think to check that the documentation was in place. I didn't think to notify distributions, or packagers, or any one else. I didn't seek to publicize this in either a positive or negative light. In short, I failed as a community member. And a lot of others did too. So let's learn from this. Let's make this a better community around clamav. The best way to stop this kind of stuff is to take an active role in the community, not to bitch about it to the project leaders after we fail to show any interest in it.
>> Yes, we all know that something had to be done, but just two days ago, the argument most definitely was that there was **NO** other option - absolutely no other option and this was the **ONLY** way to do it.
> For six months, there was NO argument at all. That is where the system failed... What happened in the last week is not the problem. It is the fall out of the problem. The problem is apathy. The solution is an active community.

Thanks. That is probably the most constructive thing said in the last few days. Not in this particular saga as I wasn't involved, but in other areas I would have to say I could hold my hand up and say guilty of all those at some time or other - it can be hard to see things from a perspective outside of your own little box. And it's even easier to look back after the fact and say "that's not how I'd do it" - I've even done that about some of my own decisions from time to time.
It was a real eye opener for me when I changed jobs a few years ago - going from being personally responsible for all the technical stuff (and then some more) in the company and having an intimate knowledge of the networks, servers etc; and suddenly there I was on the other side of the fence having to deal with a multitude of different setups that I wasn't familiar with. I suddenly realised just what a hard time I'd given some of those (well paid) consultants over the previous years.

What we may, in hindsight, think of as being a ridiculous decision, probably seemed like a good idea at the time to those who had to make it - given their perspective of the world. The positive thing everyone can take away from this is a better realisation of the diversity of ways people manage systems, and the diversity of views on how it should be done.

Paul Reading wrote:
> Sorry to butt in.. I have just wasted a day trying to get my company's mail working again. We have an Apple xServe and knew nothing about clamav until we stopped receiving our email this morning. I don't know how you could have communicated with us on this one but perhaps it would have been better if you had somehow got Apple to update their customers by software update so that the un-initiated would not have needed to worry about this.

Here we have a prime example of the sort of user that's been really let down over this. I would have to hold my hand up and admit that it is to a certain extent my own fault for running older software, and that I have a route to fix it myself, but this chap is running what to him is an appliance. There are a great many such appliances about, and many of them will be running older software for various reasons - in the case of OSX, there's a not inconsiderable cost in upgrading the server version between major releases, and (probably not relevant to an Xserve) an artificial restriction on age of hardware the newer versions will install on.
For this class of user, a vendor (in this case Apple) has done all the porting and integration so that the user just has to administer it via a front end GUI - it's not reasonable to expect the user to learn about coding, building software etc. It would be a good idea though for the vendor to be proactive in making sure the user they took money from isn't left in such a situation.

Reading a few of the comments suggests Apple don't really have an official EoL policy/statement for OS X, and that they do sometimes do updates for older versions. At least in Apple's case, they will have a partial list of users since the default is for a new install of the OS to bring up a registration program so you can register with Apple. It would have been nice if they'd used some of that information to notify those they could.

What version Apple provide I don't know - whilst I've run Xserves, I wasn't using the mail on them and it was some time ago. AFAIK, Apple do push updates to such third party packages with Software Update - as far as the user is concerned, this is an Apple supplied package and Apple provide the updates even if it is an open source program.

-- Simon Hobson
Re: [Clamav-users] EOL
Jim Preston wrote:
> Over here, if I step out into traffic and get hit it is my fault.

But suppose you walk out across a crossing where the WALK is lit (green man over here) and the traffic has a red light - but someone screams through ignoring the red light and gets you ? That is a better analogy.

The **expectation** of any sane admin isn't that some random project will push out random updates deliberately designed to stop his working system from working. And you can cut the crap about "well you should have configured your system to not stop when ClamAV stopped" - that's rubbish because it's already been made perfectly clear right at the start of one of these threads that the project team consider any configuration that doesn't break if ClamAV isn't working right to be broken.

Yes, it would have been nice to be in a position to have done a distro upgrade (with all the testing required) before now, but some of us haven't been able to for a variety of reasons. That does not give ANYONE (other than my management or users) the right to set out to punish me (and my users) for it - because that is what is happened, and some of you seem proud of that.

Yes, it would be better if I was running more up to date software - but I made a decision based on certain constraints and assumptions. One of those assumptions was that some third party would take it upon themselves to deliberately stop it working. Many people will now be wondering how safe it is to trust this project (and FOSS in general) - trust can take a lifetime to build up, and a moment to destroy.

Like I said, I can think of several ways it could have been handled without any significant effort (certainly less than has been expended on dealing with the backlash) and without significant (or with one option, any) inconvenience to people running up to date versions.
The way it's been done, and especially the way it's been defended, makes certain people come across as very arrogant people who need to be careful they don't hurt themselves - it's a long way down off a high horse.

-- Simon Hobson
Re: [Clamav-users] The EOL tweets
Dan wrote:
> Yes, some updates can be problematic. But in this case, surely, there were updates during the year that worked just fine. In most cases, tho, I'm thinking the people complaining slacked off completely - unlike you, they didn't even bother to test the releases.

And cf today's thread (LibClamAV Error: Can't load), which can be summarised as :

- It was working fine
- You broke it for me
- I've installed an update to try and fix it and now it's even more broke

The only difference had the user done the update last week would be - he had a working system, he upgraded it, it's now broken and he has downtime as a direct result of the upgrade.

> Those two lines look fairly clear to me. Essentially they're telling you to get moving, get the update onto your to-be-done list.

OK, so it suggests an upgrade would be a good idea. I've yet to see any explanation of where in that message (or the page referenced) it sets a deadline, where it says anything will die, and that this will be a deliberate act of sabotage.

> Yea, I agree, the Clam team probably could have done things better. But would more announcements or warnings have really made a difference? Why would the people, that regularly ignore the Freshclam warnings, pay attention?

Actually, I believe at least some of those complaining here would have done. **HAD I KNOWN** about this killer update, then I would have applied pressure on management to give me the resources to roll out the new build I have - that's all I'm waiting on in order to be running completely up to date versions of everything - and because it's more than one server, in future I'll be able to update (one at a time) with less risk.

> OTOH, I wonder how many of these upset admins have taken even partial responsibility - by admitting to their bosses that they failed to apply any updates to a critical piece of software, for over a YEAR?

I have - that probably surprises you. Can't speak for anyone else.
Dan wrote:
>> They do not have any right to deliberately mess with a running system...
> Please explain this right that makes thy system so sacrosanct. I've never heard of that.

May I suggest that you'd change your tune if your house was ransacked and the burglar defended his action on the basis that he'd kept a key from before you bought the house and he's left a note (somewhere you probably wouldn't see it) telling you to upgrade your locks or else ?

My servers are my property (or that of those I manage them for). No third party has the right (legal or moral) to interfere with that unless there is a contractual agreement that they can do so - and then only in ways allowed by that arrangement. In this case, there's an implicit agreement between admins/operators and the ClamAV team that allows the ClamAV team to apply AV signature updates - this being implicit by the admin running Freshclam. In no way can pushing a poison pill designed to stop the service be considered a normal AV signature update.

> The Clam team had one and only one responsible choice: to remove the aged product from service before it became a road hazard, er a liability around their necks.

No, that is NOT their responsibility, nor their right. Not only that, it's inconsistent with the attitude expressed here towards people running old software. Contrast :

1) No-one should be running old software, they deserve all they've got.
2) We can't allow people to run old software, our only option is to kill it to protect people from themselves.

OK, let's suppose that a car manufacturer finds out that one of their old models, of which there are many still in use, has a defect that could potentially expose the user to a higher risk of something. In this country, and in the US I believe, there is a system for a recall if it's serious enough - or the manufacturer can put adverts in appropriate places to warn the user.
Have you ever heard of the manufacturer deciding that the only responsible way is to go round with a fleet of lorries (trucks), lift the old vehicles off the owners' drives without even ringing the doorbell, and take them off to the crusher ? They have a right, and a responsibility to try and make as many owners/users aware of the risks - but it is still the owner/users decision on whether that risk is acceptable TO THEM.

> They were even nice enough to give months of warnings.

The efficacy of such is subject to a certain amount of debate.

-- Simon Hobson
Re: [Clamav-users] The EOL tweets
Stephen Gran wrote:
> You seem to be massively missing the point. In a short while, there will be signatures in the database that will have the same effect for older versions of clamd, because they will trigger the same bug. Which way would you prefer clamd to die - with a helpful error message, or with a hex string that makes no sense to you? That was the only choice.

So you haven't actually been reading these threads then. It absolutely was **NOT** the only choice, it was the one choice of several that they took. I can think of **at least two** alternatives - one would have required minimal effort (probably less than has been expended in defending the decision) and zero inconvenience for those who run all the latest updates.

So it IS NOT TRUE that there were no other options. It IS NOT TRUE that the only choice was this or have it die in a few weeks with a cryptic error message.

As has already been said - it's done, it's not going to get undone, trust has been severely damaged. But most of all, this constant "it was the only way, anyone affected was a complete imbecile who should be allowed near a computer" attitude really makes you sound like a bunch of people most of us wouldn't want to be associated with. It most certainly doesn't make you sound like the professional sysadmins that you claim to be. I think you've got to go to one of a number of churches, or an Apple event, to hear such "this is the one true way" message defended any louder !

There really doesn't seem any point in debating this any more. It's been proven time and time again that the most fervent religious believers won't be for hearing any criticism of their one true way - and that is exactly what these threads have sounded like for those of us outside the church. You may be nice people - but I speak as I find. The above is how I find.

-- Simon Hobson
Re: [Clamav-users] EOL
Christopher X. Candreva wrote: And you can cut the crap about well you should have configured your system to not stop when ClamAV stopped - that's rubbish because it's already been made perfectly clear right at the start of one of these threads that the project team consider any configuration that doesn't break if ClamAV isn't working right to be broken. As the originator of those comments, you have misquoted me. The project team consider any CLAMD configuration -- not any MAIL configuration -- that doesn't break CLAMD if ClamAV isn't working right to be broken. Because of this, it has been recommended, repeatedly, for years, that mail systems be configured to deliver mail unfiltered if the milter fails. Ah, now that is being very disingenuous again - and it's logically inconsistent with the stated position. What you are saying is that ClamAV should NOT work if there is a problem because to not work would expose people to having their mail not checked when they expect it to be. But they also recommend configuring your system so that if ClamAV doesn't work, it will pass the mail unfiltered. So ClamAV as a package won't silently 'not work' for the safety of users - and this has been the justification for their approach to this issue. But at the very same time they are recommending a setup which will silently not scan mail if there's a problem with ClamAV. Interesting logic there guys. -- Simon Hobson
Re: [Clamav-users] Thanks for the weekend entertainment
Cody Konior wrote: I don't know Simon, though I can't help but see his attitude and comments as a reflection of some other consultants / systems administrators whom I intensely dislike. Then I think you have got the wrong impression of what I do and how I do it. If it's any consolation though, some of the other posters have been worse, to the point of being almost comical. Some people really don't help their own cause. Giampaolo, you're one of us. You may have a dissenting opinion That's interesting. The impression I have is that he has similar opinions to me. I believe I am also one of you, but without the religious zeal some people have exhibited in these threads. I too try and provide value to my clients (I'm not a consultant BTW, I'm a technical specialist in a small IT services hosting company though I guess the line is a bit blurred), I do it because I like it (mostly, and I certainly aren't in my current post for the money), and I try to do things with professional ethical standards (and I've had disagreements with managers over the years when their lack of ethics has conflicted with mine). And I do actually contribute to a number of FOSS projects - not in cash, but in things like answering users (frequently FAQ) queries on mailing lists and so on. And of course, taking every opportunity to demonstrate that it can be an alternative option. -- Simon Hobson
Re: [Clamav-users] The EOL tweets
Dan wrote: So keeping up to date has its own risks - hence why many people take the attitude of if it aint broke, don't fix it. But being a YEAR out of date? Time is an illusion, lunchtime doubly so. Like I said, there ARE legitimate reasons for not always updating every bit of software every time an update comes out. Looking back, I've had more problems caused by updates (as in it worked, I fixed it with updates, it stopped working) than I have from lack of them. Clearly up in the skies as some of you guys seem to be given the height of your horses, things are different - perhaps your software works differently at altitude ! Wow. Freshclam has told you every day for a year+, that your installation was out of date. Plus the 6 months of messages about the EOL that have been posted. How much more notice do you need? **Any** notice would be nice. As I've already asked before, please tell me where in the message below (or the URL it includes) it says anything whatsoever about your software will die ? Received signal: wake up ClamAV update process started at Fri Apr 16 10:26:14 2010 WARNING: Your ClamAV installation is OUTDATED! WARNING: Local version: 0.95.3 Recommended version: 0.96 DON'T PANIC! Read http://www.clamav.net/support/faq main.cvd is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven) daily.cvd is up to date (version: 10751, sigs: 52057, f-level: 51, builder: guitar) It doesn't. So please cut the dung about freshclam having been warning me for a long time about this. It did no such thing - there is a difference between noting that there may be some of the newest features not supported and it turning its toes up and going to meet its maker. As to the policy having been published, well it would appear many of us have the same problem as Arthur Dent. Of course, if you insist on keeping your system out-of-date, you could just restore the database from your backup, and disable freshclam. You do have backups, don't you? 
As I've already said several times, YES I HAVE AND YES THAT IS WHAT I'VE DONE until I can fix it. I can think of two other ways this could have been done, with very little effort, and with little or no inconvenience to what you would consider superior admins. That's irrelevant now, you've done what you've done and it's not going to be undone. -- Simon Hobson
Re: [Clamav-users] (no subject)
Richard Bishop wrote: You are running Debian Sarge! That's been EOL and unsupported for over 2 years (March 2008). See here - http://www.debian.org/releases/sarge/ Yes, I am as well - and for several good reasons. 1) If it aint broke, don't fix it. It works, has worked reliably for several years, and was working fine yesterday. Its uptime is currently 405 days, and then the last downtime was to physically move the server. 2) If it aint broke - don't fix it. There's no way I'd attempt a major upgrade in-place when it's a live server used 24*7. For various internal reasons (which I'm sure you can guess) I don't have the resources to do anything but an in-place upgrade if I want to upgrade. 3) I can accept that software will go out of support - but I never expected a Microsoft-esque remote shutdown. Recognising that Sarge is quite old, I have in fact got a new server about ready to go - and I've taken the opportunity to roll in some better features than the current live one. However, I don't have the hardware to deploy it with yet - and I probably won't for several months. -- Simon Hobson
[Clamav-users] Debian Sarge - what now ?
OK, so I get into work this morning to be told there's a problem with the mail server - and the helpdesk have had calls from several clients who aren't getting any mail. The first hint I have is a delayed mail message from one of the servers which included the following : xx...@x.xxx (expanded from root): host 127.0.0.1[127.0.0.1] said: 451-4.5.0 Error in processing, id=20146-06, virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd av-scanner FAILED: Too many retries to talk to /var/run/clamav/clamd.ctl (Can't connect to UNIX socket /var/run/clamav/clamd.ctl: No such file or directory) at (eval 42) line 268.; ClamAV-clamscan av-scanner FAILED: /usr/bin/clamscan unexpected exit 50, output=LibClamAV Error: cli_hex2str(): Malformed hexstring: This ClamAV version has reached End of Life! Please upgrade to version 0.95 or l 451-4.5.0 ater. For more information see www.clamav.net/eol-clamav-094 and www.clamav.net/download (length: 169) 451-4.5.0 LibClamAV Error: Problem parsing signature at line 742 451-4.5.0 LibClamAV Error: Problem parsing database at line 742 451-4.5.0 LibClamAV Error: Can't load /var/lib/clamav//daily.inc/daily.ndb: Malformed database 451 4.5.0 ERROR: Malformed database at (eval 42) line 462. (in reply to end of DATA command) To which my first reaction is WTF ? So I find that **without warning** my mail server has been remotely disabled. Yes, I do mean **WITHOUT WARNING** - there has not, at any point, been anything remotely resembling any warning that things were going to be turned off. A notice on your website doesn't count unless you think it's reasonable for all admins to have to visit the project website for all their packages on a regular basis just in case the project plans something crazy like remotely disabling your server ! WARNING: Your ClamAV installation is OUTDATED! WARNING: Local version: 0.92.1 Recommended version: 0.96 DON'T PANIC! 
Read http://www.clamav.net/support/faq doesn't count as any sort of warning that things WILL BE TURNED OFF What's more, the language of the notice that I have now seen makes it quite clear that you knew **BEFORE** you did this what the effects would be. This move is needed to push more people to upgrade to 0.95 This makes it quite clear that there are still a lot of people running the older version, so it's hard to imagine what sort of response you expected from people. Anyway, rant over, how to move forward. The mail server is running Debian Sarge, and upgrading is not an option for now - that's why it's still running Sarge. Even if it were running Lenny, then the stable version in that is still affected. I have a newer server built, but I won't have the hardware to run it on for a few months. 0.95 won't install - unmet dependencies and I'm not going to try manually frigging stuff on a production server to work round that. So for now I've had to completely disable AV scanning on the server. The obvious workaround for me at the moment is to disable Freshclam and rollback to where I was before the update that broke things. Can anyone tell me exactly which files I need to rollback ? Yes, using an old AV db is bad, but it's less bad than not using one at all which is where I am now. So, like the title above - now what ? Could I suggest the following ? 1) Roll out an update to re-enable people's servers. 2) Roll out a less damaging update - how about NOT updating the DB and announce that it's not being updated ? Still annoying, but far less annoying than having your server taken down without warning. -- Simon Hobson
Re: [Clamav-users] Upgrading System for latest ClamAV version
Jerry wrote: In any case, at some point in time, when it comes to updating software, or whole operating systems, you just have to bite the bullet. http://en.wikipedia.org/wiki/Bite_the_bullet http://www.phrases.org.uk/meanings/bite-the-bullet.html Or, to put it in simpler terms, It's better to light a candle than curse the darkness. Still, it would be better still if someone didn't break in and snuff our candles out to force us to switch to electricity ! I am in the process of preparing to upgrade an older FreeBSD system to the latest version. I could bitch and complain; however, in the time I would waste doing that, I could have completed the job. Well IFF I had the skills, and IFF the server had the tools installed, then I suppose I might be able to compile the source (having figured out how to deal with the broken dependencies). On the first, I don't - that's why I'm using packaged software. On the second, I don't know - it probably doesn't have everything installed since I don't build software on it. What might have been a few minutes to you, is in fact a week or two for me - building a new server, configuring it (the old configs aren't really useful when the software has progressed over the years), tested it fully, and then migrated all the users and their data. That would, of course, be assuming I had the hardware to host a new server on - which I don't. -- Simon Hobson
Re: [Clamav-users] The EOL tweets
Francesco Peeters wrote: How long back do McAfee or Norton, etc. support their clients? Only difference (aside from the fact you have to pay them for the privilege) is they just force the upgrade on you during the standard upgrades, no matter how inconvenient it may be... ClamAV gives you 6 months... Now which one is more appreciative of the issues system admins may face when upgrading software? Well my experience over 20+ years ... No, I've never had my commercial AV licenced software turned off with no warning. Forget the 6 months stuff, this was NO WARNING to most people. If you'd given 6 months notice then I'd have had grounds for going to management and making sure I had the resources to do something about it - I'm running Debian Sarge so it's not a matter of just using the Volatile repo. At no point have I seen anything in the logs on my servers to say it was going to be turned off. Like many others, the first I knew was when I got to work this morning and the server wasn't working. -- Simon Hobson
Re: [Clamav-users] Upgrading System for latest ClamAV version
Jerry wrote: Still, it would be better still if someone didn't break in and snuff our candles out to force us to switch to electricity ! At some point a candle will burn out. Simple fact of life. OK, so perhaps bad analogy - if it were an oil lamp, I could keep adding oil ! What might have been a few minutes to you, is in fact a week or two for me - building a new server, configuring it (the old configs aren't really useful when the software has progressed over the years), tested it fully, and then migrated all the users and their data. That would, of course, be assuming I had the hardware to host a new server on - which I don't. Nothing personal; however, is this network a simple home one or are you maintaining a mail server for a [business|group|organization]. If (1), then this is a great time to acquire those skills and install those pesky tools. If (2), then perhaps it is time to call in a professional. This job is obviously beyond your capabilities. Nothing personal; however, this sounds like a text book definition of the Peter Principle (http://en.wikipedia.org/wiki/Peter_Principle). If you are going to run a mail server and hope to run it proficiently, then acquiring the skills to do so are paramount to you. There are many individuals on several assorted lists that would be glad to help you get started acquiring those skills. Yes, that is very personal and I take it as an insult. It's the very reason OSS has such a bad reputation in some quarters - this apparent insistence that you are not competent to do anything unless you can write code. That IS the inference - that if I'm not capable of compiling my code from scratch then I shouldn't be running a server. If that was true, then why should all those people spend all that effort packaging up software so that incompetent (according to you) people should be able to install and use it ? 
In the same vein, then it's an obvious extension that there is no such thing as a competently run server using closed source code - after all, the admin cannot compile the Windows or Exchange or ISS or ... their server runs. So please get off the high horse before you fall and hurt yourself. Just because I don't build the software from source does not mean I cannot competently configure and run a service. That is exactly what I did several years ago for this particular server, and it's been running very nicely until someone actively pulled the plug on it, in practical terms, **WITHOUT ANY WARNING**. I'd love to have enough hardware to run up a new server, with all the latest software, and migrate all the users etc. Unfortunately, due to internal politics I won't get that until all the other stuff gets upgraded. I can't say more, but suffice it to say, there are a lot more services running on OSS than there were when I started here - but there has been no new hardware provided to run it - I only get the hand-me-downs when it won't run the latest tech from a certain well known closed source vendor. That's politics for you - wish it wasn't the case, but that's how it is. Now, I've always thought ClamAV was great - but when shit like this happens it suddenly gets harder to justify OSS when one of your vendors does exactly what you accuse the closed source outfits of doing. I can appreciate why it's been done, I just think it was done very badly. -- Simon Hobson
Re: [Clamav-users] The EOL tweets
Török Edwin wrote: On 04/16/2010 03:17 PM, Giampaolo Tomassoni wrote: It was explicitly stated that clamd will be disabled. In which language? Starting from 15 April 2010 our CVD will contain a special signature which disables all clamd installations older than 0.95 http://www.clamav.net/lang/en/2009/10/05/eol-clamav-094/ Could you please point out where in this log extract it mentions anything about the software getting remotely turned off ? Received signal: wake up ClamAV update process started at Fri Apr 16 10:26:14 2010 WARNING: Your ClamAV installation is OUTDATED! WARNING: Local version: 0.95.3 Recommended version: 0.96 DON'T PANIC! Read http://www.clamav.net/support/faq main.cvd is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven) daily.cvd is up to date (version: 10751, sigs: 52057, f-level: 51, builder: guitar) That log message links to http://www.clamav.net/support/faq Could you please point out where on that page it mentions anything about the problem ? As it happens, I HAVE been to that page several times in the last few months, because I've been setting up new mail servers and was looking for info on downloading the updates just once and passing them round to the others - see, even though it's a small setup, I still try and minimise my load on the upstream project servers. That is why people are so upset about this - in practical terms, to most users, it was **NOT** announced 6 months ago - it was sprung on them with no warning this morning. -- Simon Hobson
Re: [Clamav-users] The EOL tweets
Török Edwin wrote: Could you please point out where in this log extract it mentions anything about the software getting remotely turned off ? Received signal: wake up ClamAV update process started at Fri Apr 16 10:26:14 2010 WARNING: Your ClamAV installation is OUTDATED! WARNING: Local version: 0.95.3 Recommended version: 0.96 DON'T PANIC! Read http://www.clamav.net/support/faq main.cvd is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven) daily.cvd is up to date (version: 10751, sigs: 52057, f-level: 51, builder: guitar) If you manually start clamscan/clamd it shows this message: LibClamAV Warning: *** LibClamAV Warning: *** This version of the ClamAV engine is outdated.*** LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq *** LibClamAV Warning: *** LibClamAV Error: cli_hex2str(): Malformed hexstring: This ClamAV version has reached End of Life! Please upgrade to version 0.95 or later. For more information see www.clamav.net/eol-clamav-094 and www.clamav.net/download (length: 169) LibClamAV Error: Problem parsing database at line 742 LibClamAV Error: Can't load /tmp/clamav-87fcebeda696335ed02c4a74df419b38/daily.ndb: Malformed database LibClamAV Error: Can't load /usr/share/clamav/daily.cvd: Malformed database ERROR: Malformed database No, that's what it says NOW, **AFTER** it's borked the server. Where in that log message I quoted above does it say that at any point in the future it will be turned off ? I've had no reason to run freshclam manually on that server in the last 6 months, for several years in fact. That demonstrates the quality of the code/project prior to this issue. That log message links to http://www.clamav.net/support/faq You are right, the FAQ should link to the EOL message. Could you please point out where on that page it mentions anything about the problem ? www.clamav.net IMPORTANT ANNOUNCEMENT (red) That is **NOT** on the page referenced. 
I hope that by now you may be realising that many people quite legitimately did not know anything until things broke this morning. We did not have 6 months notice - our servers just broke. Aecio F. Neto wrote: I use clamav, I think it is great and I recommend it to all my customers. I agree. Even though, I do not agree with fact that a vendor (open source or not) disable and break services on my endpoint. There are many other ways to do it and this is bad for the endpoint and for the vendor. Team should review this practice, no matter if they announce it earlier or not. Ditto. Today I've gone from having a server that just runs and has run with virtually no oversight for several years to one that just broke. I had to disable AV scanning this morning in order to get the mail moving, now I've disabled freshclam and rolled back the database to yesterday's version. Luckily it's not been a busy day today ! -- Simon Hobson
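An added example, not part of any poster's message and not ClamAV project code: a Nagios-style check in Python that classifies the freshclam and clamscan output quoted in this thread, so the OUTDATED warning becomes an alert and a database load failure is reported as critical. The function names, the status mapping and the line breaks in the sample logs are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

OK, WARNING, CRITICAL = 0, 1, 2  # conventional Nagios plugin exit codes

RE_VERSIONS = re.compile(r"Local version: (\S+) Recommended version: (\S+)")
RE_DB = re.compile(
    r"^(\S+\.c[vl]d) is up to date \(version: (\d+), sigs: (\d+), f-level: (\d+)"
)

# Log text quoted in the thread; where the line breaks fall is an assumption.
FRESHCLAM_SAMPLE = """\
ClamAV update process started at Fri Apr 16 10:26:14 2010
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.95.3 Recommended version: 0.96
DON'T PANIC! Read http://www.clamav.net/support/faq
main.cvd is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven)
daily.cvd is up to date (version: 10751, sigs: 52057, f-level: 51, builder: guitar)
"""

CLAMSCAN_SAMPLE = """\
LibClamAV Warning: *** This version of the ClamAV engine is outdated.***
LibClamAV Error: cli_hex2str(): Malformed hexstring: This ClamAV version has reached End of Life! Please upgrade to version 0.95 or later. For more information see www.clamav.net/eol-clamav-094 and www.clamav.net/download (length: 169)
LibClamAV Error: Problem parsing database at line 742
LibClamAV Error: Can't load /usr/share/clamav/daily.cvd: Malformed database
ERROR: Malformed database
"""


@dataclass
class Assessment:
    status: int = OK
    reasons: list = field(default_factory=list)
    local: Optional[str] = None
    recommended: Optional[str] = None
    eol: bool = False
    load_failed: bool = False
    databases: dict = field(default_factory=dict)


def version_tuple(text):
    """'0.95.3' -> (0, 95, 3); a suffix such as 'rc1' is ignored."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def is_behind(local, recommended):
    """True when the local engine version is older than the recommended one."""
    a, b = version_tuple(local), version_tuple(recommended)
    width = max(len(a), len(b))
    pad = lambda t: t + (0,) * (width - len(t))  # so 0.96 == 0.96.0
    return pad(a) < pad(b)


def assess(log_text):
    """Classify freshclam / clamscan output into OK, WARNING or CRITICAL."""
    result = Assessment()
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("LibClamAV Error:") or line.startswith("ERROR:"):
            if "End of Life" in line:
                result.eol = True
            if "Malformed database" in line or "Can't load" in line:
                result.load_failed = True
            continue
        found = RE_VERSIONS.search(line)
        if found:
            result.local, result.recommended = found.groups()
            continue
        found = RE_DB.match(line)
        if found:
            name, version, sigs, flevel = found.groups()
            result.databases[name] = {
                "version": int(version), "sigs": int(sigs), "flevel": int(flevel),
            }

    if result.eol or result.load_failed:
        # The engine cannot load its signatures, so nothing is being scanned.
        result.status = CRITICAL
        if result.eol:
            result.reasons.append("engine rejected by End of Life signature")
        if result.load_failed:
            result.reasons.append("signature database failed to load")
    elif result.local and result.recommended and is_behind(
        result.local, result.recommended
    ):
        result.status = WARNING
        result.reasons.append(
            "engine %s is behind recommended %s" % (result.local, result.recommended)
        )
    return result


if __name__ == "__main__":
    for label, sample in (("freshclam", FRESHCLAM_SAMPLE), ("clamscan", CLAMSCAN_SAMPLE)):
        outcome = assess(sample)
        print(label, outcome.status, "; ".join(outcome.reasons) or "ok")
```

Wired into a monitoring system, the WARNING state puts the version gap in front of an administrator instead of leaving it in a log file that nobody reads.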
Re: [Clamav-users] The EOL tweets
Maurice Lucas - TAOS-IT wrote: I don't know in which world you live ... but in the REAL world I live, not all systems are managed by proactive admins. In fact, in the REAL world, LOTS of systems are just left alone running. And it works most of the time, despite of all the theoretical and practical considerations against it. I know that isn't right, that isn't secure, that's not the optimal situation . but that's the REAL situation. If you don't have the time, knowledge, or whatever. Don't be a sysadmin. Being a sysadmin for a PRODUCTION server is a real job. I hire someone to fix my car and repair my roof. Why because I could try and fix something but I know I can't complain if I break something. Ohh, bad analogy. According to comments already made, to be a competent car owner you've got to periodically check the websites of all the bits that go into it. So we'll start with (for example) Ford for the base vehicle, and (for example) Michelin for the tyres, and Bosch for the engine management, Girling for the brakes, But then again, if I don't I don't find myself sat in the middle of the road with a dead car - I've yet to hear of a vendor building in a facility with the sole function of bricking your car if you don't keep going to them for updates. And guess what, when you take your car to be serviced, the guy that services it won't go and check with all the vendors to check, just in case, that someone has plans to remotely brick it in the next 6 months. IFF he's a (say) Ford main dealer then he'll check with Ford if there are any bulletins that apply to it. despite of all the warnings, the EOL signature was a bad move in my opinion. We are talking about a message sent to everyone who cares for their system of October 5th, 2009. As pointed out, it was ***NOT*** sent to people running the servers - you've done the equivalent of Ford putting a notice up in its corporate reception and expecting all owners to know about it. 
Had I known 6 months ago rather than this morning, I'd not be complaining for the simple reason that I'd have been able to deal with it. An old version of ClamAV can't find the newest viruses. The really old ones don't run in the wild anymore. For half the day I've been forced to detect no viruses. Now I'm only detecting the ones known about up till yesterday. -- Simon Hobson
Re: [Clamav-users] Upgrading System for latest ClamAV version
be interested to hear how you would have fixed the problem without compiling the code or using the compatible binary package that doesn't appear to exist - but then that applied to any closed source server. If a Windows admin can't fix a problem by fixing the code they don't have, does that mean they aren't competent either ? That was your inference. Now, I've always thought ClamAV was great - but when shit like this happens it suddenly gets harder to justify OSS when one of your vendors does exactly what you accuse the closed source outfits of doing. I use FreeBSD myself. I am upgrading to take advantage of the latest wifi, drivers, etc available in the new version. I guess I could cry and complain that they _SHOULD_ have back ported those features, or I could just upgrade and avoid the whole tantrum act entirely. You are effectively in the same boat. Have I at any time complained that a feature hasn't been back-ported to Sarge ? NO I have not. If I need/want features in the newer software, then I'll upgrade - something I've already done but don't have the resources at the moment to deploy. Presumably, your old FreeBSD installation didn't just stop working one morning ? By stop working, I mean it worked, then the next day it didn't - not having features in newer software isn't stopped working. Out of morbid curiosity, what is your fear of 'compiling' anyway? While I prefer to use the distros provided by the OS vendor whenever possible, I realize that, that is not always possible. If you are not going to be running a Microsoft or equivalent system exclusively, it is not a bad skill to acquire. It's not a 'fear' as such - just another of those skills I've not learned, though it's something I have on my list to do sometime. Administering Linux boxes is just part of my job - it would be nice to just concentrate on one area and learn it thoroughly, but I have a lot and so I tend to select options that minimise effort/return. 
In general, packaged software has been OK (though I've had to tweak a few scripts to make it all hang together). Or put another way, if you can do it with pre-packaged units, why duplicate the effort if you don't have to (and don't have the time) ? Another factor is that I've been trying very hard to NOT have anything 'non standard' on the servers. That's a matter of making things as easy as possible should someone else have to pick up the pieces. Apart from whether I might change jobs, there's always the proverbial bus to get knocked down with. I have lost friends killed in accidents, and I've seen what it's like when others have to pick up what they were doing from a cold start. And then of course, there's an element of which language ? It's one thing if I can just hit make clean ; make and it all works - but when it doesn't - then being able to at least read whatever language is kinda useful. I do have some programming experience (done Pascal and PLM/51 in the past, mostly stick to shell now) - and yes I've managed to tweak a few things in the past when I've had to. Next week I might well download the source and see what happens. -- Simon Hobson
Re: [Clamav-users] The EOL tweets
Bowie Bailey wrote: Personally, I keep my servers updated, so the EOL issue didn't affect me, And on another server (that's newer and is updated), I got bitten by that as well when an update broke something and I had to manually figure out which update was responsible and find versions of which packages to roll back to (which had been deleted from the repos - now I keep backup copies !) So keeping up to date has its own risks - hence why many people take the attitude of if it aint broke, don't fix it. -- Simon Hobson
Re: [Clamav-users] Upgrading System for latest ClamAV version
Jerry wrote: The bottom line is: 1) You and you alone are responsible for your system. You failed to keep it up-to-date and are now suffering the consequences. Trying to off-load that onto someone else's plate just isn't going to cut it. Please stop telling me what I said - at least until you get it right ! Where did I say it's anyone's responsibility but my own if I'm not running the latest version ? I'm not complaining that no-one came and updated my system for me - but I am complaining that someone who was watering the plants for me, one day fed them a strong dose of weedkiller ! Perhaps they left a post it, at the back of a cupboard where I don't go very often (if at all) telling me they were going to kill my plants - does that make it right that they did so (even if I'm not paying them to water my plants) ? 2) There were notices of the change (read EOL) posted. If you are too busy to keep current for a system that you apparently are administering, then you have a serious problem. Either the job is beyond you or you are not attending to it seriously enough. That is not to be taken as an insult, but rather as a statement of fact. And as already pointed out. 1) I am not alone in thinking that the notices weren't as obvious as they could have been. 2) There were other options besides killing my system. Right now you should be backing up your precious configuration files, etc. If you suddenly had a catastrophic HD failure, what would you do; bitch to the HD manufacturer? Even if you did, it would accomplish nothing. The hardest part of any OS installation, at least in my opinion, is the configuration. If I have a complete backup of those files and settings, the rest is usually uneventful. The added bonus is I get (in most cases) better software and a chance to further optimize settings that I might have long ago forgotten about, or are now deprecated. 
I go one further, I have multiple backups of all my servers, so I can restore them from bare metal to the last state they were backed up. So yes, I can recover from a disk failure - and indeed have had the opportunity to do so. What I wasn't expecting was someone nipping in and killing the software ! As it is, using the backups that sometimes do seem like a lot of hassle, I've been able to roll back the AV database to yesterday and carry on. Yes I know I won't get updates, but scanning with yesterday's database is better than not at all.

As to restoring settings to a fresh install. I generally find that to be a whole load of hassle - unless the versions are reasonably close, so much tends to change that I end up having to go and sort things out. I wouldn't consider that as an acceptable DR solution due to the time required to get the new system plus old settings to be fully working and tested. YMMV as they say.

Anyway, I've had my say, others have said theirs, I don't think there's anything new to be said.

Francis Stevens wrote:
> It is possible to build clam on Sarge (I've just verified that is true). If you're going to try this next week the following may help...

Thanks, that's possibly the most constructive thing written all day !

-- Simon Hobson
Re: [Clamav-users] The EOL tweets
Jerry wrote:
> So, rather than update ClamAV and/or their OS, which in the majority of cases would involve no monetary expense, users will purchase new servers and flock en masse to Microsoft, spend thousands more on Microsoft Windows Server 2010, Exchange, etc and learn new skills to administer said network. Could I ask you a personal question; are you on drugs and if so, can I have some because that is one hell of a trip you are on?

You really think they don't do that ? In the real world, PHBs all over do take just that sort of decision - how else do you think MS got where they are.

> Furthermore, why wouldn't these "small companies running their crappy and old mailing systems" install updated versions of the OS, etc they already have installed?

In many cases, they will have systems that were installed for them some time ago, and that they no longer have paid support for. When it dies they'll go to someone to fix it - and let's face it, there are a lot more outfits that will tell them they need an Exchange server than there are that will tell them it's an easy fix. I've seen it more than once.

In fact, I was thinking about the mail server at my last job as I wrote the previous paragraph - then thought I ought to warn the guy left to run it - and then remembered that it died a while ago with a disk failure and they switched to using hosted Exchange. So yes, a real example where they decided to replace the free and functional software with something they pay for and which does less. That's PHBs for you. Weird, but believe me, it happens - and incidentally, guess what my current employer loves to sell :-/

Eric Rostetter wrote:
>> At no point have I seen anything in the logs on my servers to say it was going to be turned off. Like many others, the first I knew was when I got to work this morning and the server wasn't working.
> Because they should have obviously jumped in the way-back-machine and changed the 5 year old software you use to warn you about a future event that wasn't known 5 years ago? Or because they should have hacked into your machine and placed the notice there for you? Or should they have gone personally to your house last night and knocked on your door to tell you?

Or they could have put it on their website at the one page that does appear in the log - but they didn't put it on the FAQ page at all. As it happens, I **HAVE** been to the FAQ page in the last few months and had it been there like it is on the front page then I would have seen it. So in that respect, a very simple edit to the website could have made a significant difference - I doubt I'm alone.

Jason Bertoch ja...@i6ix.com wrote:
> It's broke

It is now

> please go fix it.

I will, now I know about it. But it would have been nice to do it at a more convenient time, and with advance notice so I could use it to get some resource allocated by management.

-- Simon Hobson
Re: [Clamav-users] Upgrading System for latest ClamAV version
Hmm, getting somewhat off-topic here ...

Jim Preston wrote:
> Except you do not need to move all your applications, users, and data. All you need to do is build an expensive server and have it host ONLY email.

I already have a server that hosts ONLY mail.

> Then your email server will be able to run clamav and your other services will not be affected or forced to upgrade. I needed to do this very thing for another company I worked for. We too had RH9 (other posts in this thread mention RH9) and found it to be just fine for what we were using it for. Yes, there were no security updates and yes we did have to make changes to the way some services were run to keep it secure, but that was the price we were willing to pay since upgrading did not yield any significant improvements for that server. When we needed services that could not be provided securely by the RH9 server we built a new server to host those new services.

Now, a question - if you have only the settings, and install a later version of RH, then will those settings create a system that runs identically as far as the important stuff is concerned ?

Re your later clarification - yes I do that too, compare old and new side-by-side. But of course it's not just Postfix, there's spamassassin, clamav, freshclam, courier-[pop|imap], SASL stuff, Squirrelmail, PostFixAdmin, MySQL, Apache2. And of course, it's likely that more than one of those has added/changed some features and you end up going off to learn about them. It's not a 5 minute job, so I wouldn't rely on that as a DR mechanism.

In addition, as of last time I updated my new server that's waiting to go live when I get something to run it on, the versions of certain packages in Lenny were incompatible - and Squirrelmail broke.
I was able to backtrack and revert to earlier version by checking the logs to remind myself which packages had been upgraded - but I struggled finding debs for one or two since the versions I'd been running were no longer in the repositories. Were I installing a new machine from scratch - I'd have been faced with a broken system and not known if it was a config issue or a compatibility issue. And all the while, managers leaning over your shoulder like kids on a car journey - "are we nearly there yet ?"

And of course, this isn't the only server I've got - hopefully I won't have to do a bare metal recovery of any of my Xen hosts, otherwise I've potentially quite a few machines to restore. I can of course restore all of them as they were from regular backups - I wouldn't want to try and rebuild them all against the clock.

-- Simon Hobson
Re: [Clamav-users] The EOL tweets
Jerry wrote (having given up reading I think):
>>> So, rather than update ClamAV and/or their OS, which in the majority of cases would involve no monetary expense, users will purchase new servers and flock en masse to Microsoft, spend thousands more on Microsoft Windows Server 2010, Exchange, etc and learn new skills to administer said network. Could I ask you a personal question; are you on drugs and if so, can I have some because that is one hell of a trip you are on?

>> You really think they don't do that ? In the real world, PHBs all over do take just that sort of decision - how else do you think MS got where they are.

> The reasons are legion; however, for starters a fully functional GUI has to be listed at or near the top. For instance, one of the more requested features I have seen on the Postfix forum is a GUI. There have even been inquiries about one for Dovecot. NetManager http://projects.gnome.org/NetworkManager/ is becoming very popular in the *nix community. One of Microsoft's greatest accomplishments was their GUI and early use of hot plugging devices and plug & play capability. I seriously doubt that some FOSS EOLing their software had any discernible influence on its success. In any case, none of this has anything to do with ClamAV + EOL.

Err, it does have something to do with it. You made the assertion that no-one would spend money replacing a system rather than upgrade it. Two of us now have pointed out that real world PHBs do exactly that sort of thing - and this issue with clamav getting the kill switch can be just the sort of excuse they need. It may not be a valid reason, but then so many business decisions are based on having enough excuses to do what you want rather than doing what would logically be right. As Giampaolo comments, some people (especially PHBs) simply see it as "that Linux stuff blew up, best go with Microsoft like everyone else".
Fortunately that's not the case where I am - this box replaced an iMail server running on NT4 which was forever crashing and getting used for spamming. No-one on the engineering or support teams mourned its loss ! But equally, if it wasn't for the licence costs, management would still be happier with a Microsoft 'solution'.

>>> Furthermore, why wouldn't these "small companies running their crappy and old mailing systems" install updated versions of the OS, etc they already have installed?

>> In many cases, they will have systems that were installed for them some time ago, and that they no longer have paid support for. When it dies they'll go to someone to fix it - and let's face it, there are a lot more outfits that will tell them they need an Exchange server than there are that will tell them it's an easy fix.

> There isn't, at least as far as I know, a fully functional *.nix replacement that is equivalent to Exchange.

I never suggested there was. What I did say is that there are plenty of people who will be happy to tell the PHB that what they really need is this nice shiny Exchange server (ie something that gets them points for their sales targets, and of course commission) rather than "I can fix this in a few minutes". Plenty of PHBs will believe that, because it's an expert telling them right ? Trust me, I've been in situations where they've made a point of not letting me near a customer in case I point out these things.

> As my mother used to tell me (paraphrased): I shouldn't have to tell you to pick up your toys; you should know enough to do it.

Did she ever lock you in the cupboard (or insert other punishment) because you didn't follow some instruction she left on a piece of paper in a place you never look ?

> The point being is that you procrastinated and now are paying the price.
Made a decision, based on resources available, what else is going on, and an assumption (now proven false) that my working software wouldn't break without me doing something to break it. Its uptime is 405 days, cf. the comments above about people with systems set up by others that just sit in the corner and work. The timing is naff - in (hopefully) a few months, I'd have a better hand me down server and I'd have migrated the system anyway.

> Perhaps this is a good learning experience.

Yes, I've learned that commercial companies don't have a monopoly on these things ! I suppose I could just copy the guys running the Windows servers - and just configure all the systems to automatically install any and every update automatically. And then just fix things as they break - how I love watching the goings-on on patch Tuesdays :-)

-- Simon Hobson
Re: [Clamav-users] The EOL tweets
Jerry wrote:
>> Err, it does have something to do with it. You made the assertion that no-one would spend money replacing a system rather than upgrade it. Two of us now have pointed out that real world PHBs do exactly that sort of thing - and this issue with clamav getting the kill switch can be just the sort of excuse they need. It may not be a valid reason, but then so many business decisions are based on having enough excuses to do what you want rather than doing what would logically be right. As Giampaolo comments, some people (especially PHBs) simply see it as "that Linux stuff blew up, best go with Microsoft like everyone else".

> The two who have pointed out that real world PHBs do exactly that sort of thing now are operating broken systems. So much for credibility.

There you are again - that attitude is rubbing people up the wrong way and not helping. May I point out that my system was working fine until fed sour data ? Your analogy would be like saying that a car is broken if someone put sugar in the tank, and it would be all the owner's fault as long as the vandal (it's claimed) told them in advance to fit a sugar filter.

>> Fortunately that's not the case where I am - this box replaced an iMail server running on NT4 which was forever crashing and getting used for spamming. No-one on the engineering or support teams mourned its loss ! But equally, if it wasn't for the licence costs, management would still be happier with a Microsoft 'solution'.

> NT is ancient history. Why you would even mention it is beyond me, although it might be interesting to know when they actually did get around to swapping it out. Then again, maybe I don't want to know.

Yet guess what, NT is still in use in many places (and it's why MS bought Connectix so they could rebrand their virtualisation software and sell it to customers so they could run their NT systems on newer systems).
There are many reasons for using old software - in fact I have a PC down in the garage that still runs DOS/Windows3. In that case, it's an embedded system and it really, really wouldn't be worth trying to touch it - only to scrap it and buy another machine. We've got customers running similarly old software because that's what the package works with - and it would be horrendously expensive to upgrade (in many cases meaning scrapping the machine it runs).

Another server I run is also not updated. In this case, not only would I have to fix any issues related to the server itself - but I'd also risk breaking any of the customer sites it runs. Just before it was handed to me, the guy that built it did some updates - and then handed it over with an "oops, can you fix it". Yes I've had a security issue with it, but that was a config issue. If customers want to upgrade - I move them to a newer server.

What I'm trying to get through is that there are valid reasons for not running the very latest bleeding edge stuff. I agree that with something like Clamav there aren't that many show stoppers, but you come across as having the attitude that old versions should simply cease to exist and anyone running them is automatically an idiot.

It would be nice to have a job where all I have to do is run a few servers - and I have all the time I need to update them (and fix them when the update breaks it*), but I have a real world job where that isn't the case.

* BTW - thinking back, I've had more things break from updates, than I have had problems from not updating. In that respect, even with this issue, it's not been too bad a return from the policy decisions I've taken.

-- Simon Hobson