Re: [clamav-users] ClamAV reputation rating

2019-06-24 Thread Simon Hobson via clamav-users
Epicon Elysium via clamav-users  wrote:

> Does ClamAV support in enabling the reputation rating? Seems I couldn't find 
> any info when searching for it. There's nothing mentioned in the config file 
> as well.

AIUI no, it doesn't have anything for that.
However, a very common setup is to use AMaViS to scan mail, with ClamAV as just 
one of the tools it uses - the other tools can include things like reputation 
rating (eg sender real-time blacklists and so on).
You might also want to have a look at PolicyD (aka Cluebringer) which brings 
other tools to the party - such as greylisting and quotas.


___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] ClamAV Central Management tools

2018-10-18 Thread Simon Hobson
Robert Schetterer  wrote:

> Div monitors should be fine to code for such things
> like monit, munin, xymon, icinga, nagios , zabbix etc

Nagios has a plugin for it (someone's already done the coding), I used to use 
it at my last job.



Re: [clamav-users] Scanning IMAP traffic without user credential storage

2017-07-28 Thread Simon Hobson
Beeblebrox  wrote:

>> ... If clamd finds something (it does happen), what's the plan?
>> The message is *already* in the user's mail box, and I'd say it should
>> *not* be there in your scenario, because the user can pick up the bad
>> mail simply by connecting other than through your gateway.
> 
> I was thinking "somehow" to move the email to a quarantine folder and
> then sending an advisory to the user "message from joe has been
> quarantined, please take following steps". Perhaps even some process to
> strip all attachments, convert message to text-only (risky?) and send
> the text-only content along with the advisory.
> 
> Moving the message to quarantine folder on the host server (Gmail)
> would require user credential by MTA, so there's another hole in my
> concept. I wonder if there's an MTA that stores hashed credentials but
> is also able to auto-update such credentials as received from client
> device / MUA so that no direct user interaction with the Gateway is
> necessary.

Well if you could act as a MiM then you'd act as an IMAP server to the client 
and get the credentials from them as they log in. You'd then log into the real 
upstream server using those credentials. You'd have to proxy everything so that 
the client sees the contents of the mailboxes - but you'd have the access you'd 
need to move the infected mail and add a new warning message.

BUT, two problems.
I have no idea at all if there is such a proxy mechanism in existence.

Most of all, it can't be done with SSL connections without either the client 
users getting security warnings which they'd have to accept, or the clients 
having your own root certificate installed. Neither of these are a good idea - 
one teaches users to ignore certificate errors, the other opens the door to all 
manner of "mischief".



Re: [clamav-users] Scanning IMAP traffic without user credential storage

2017-07-27 Thread Simon Hobson
Dave McMurtrie  wrote:

> The original poster doesn't mention which IMAP server he's using.

As I read it, he's looking at "random users accessing random servers" - eg a 
user connecting his phone to the guest network and it then accessing Gmail.
I really don't think it's possible to do what he wants. In principle it would 
work for non-SSL connections, but the whole point of SSL is to prevent the sort 
of MiM connection he is trying to do. For it to work, the proxy would need to 
talk SSL to the server (no problem), process the non-protected stream 
internally, and talk SSL to the client. The latter is the problem as the proxy 
will not be able to sign the connection using a (eg) Google certificate - which 
is, of course, the whole point of SSL, the client should flash up a big "this 
site is bogus" warning to the user !

In a corporate environment, with control of the clients, it's possible to 
install your own root certificate on the clients and then use that to sign the 
client-side connection. Obviously that won't work with any other clients, and 
it's a really really bad idea anyway from the security PoV (breaks all 
client-side verification - eg the "green bar" for banking websites).



Re: [clamav-users] Apparently legitimate Paypal email disguises domain name in links - thus identified as likely phishing

2017-06-02 Thread Simon Hobson
Andy Schmidt  wrote:

> If Paypal expects their emails to be delivered, then the CONTENT of their
> emails must not use phishing techniques.

In my experience, most PayPal emails are a catalogue of the things people are 
told not to do ! Things like "click here to check your account" come 
immediately to mind !

The fact that they feel the need to put "we've put your full name in to show 
it's really us" is indicative to me that they must realise what they are doing.



Re: [clamav-users] Central management server?

2016-12-14 Thread Simon Hobson
robert k Wild  wrote:

> Can I install a clamav server and point all my clamav end users ie Mac
> Linux windows to the server to get update definitions

Yes. Setup your own mirror and point everything at it.

> and can I manage my
> clients from the server ie see if there online run scans and lock clients
> so they can't change settings?

As already said, that's the province of enterprise systems.
You should be able to "roll your own" with a combination of local permissions 
management (stop users fiddling with settings), configuration management 
systems (such as Puppet already mentioned, set configuration), centralised 
logging and log analysis (see what is running when), and monitoring systems 
(e.g. I use Nagios to monitor if ClamAV is up to date on my servers).



Re: [clamav-users] TTL of DNS recode

2016-11-28 Thread Simon Hobson
Tsutomu Oyamada  wrote:

> Our environment is a local mirror.
> However, it does not matter.
> 
> I wanted to know if there is the case that the DNS TXT of ClamAV have
> not been updated for few days.
> Could it be possible?
> Is this issue caused by the problem on our environment of querying DNS?
> The daily.cvd is updated in real time now.
> Could this issue be happened when the freshclam try to query DNS?

Given that no-one else has seen the same issue, it was most likely a problem 
local to you. It is unlikely that any of us could guess what that problem was 
given that we can't see your systems.



Re: [clamav-users] TTL of DNS recode

2016-11-25 Thread Simon Hobson
Tsutomu Oyamada  wrote:

> ClamAV update process started at Sat Nov  5 05:01:15 2016
> Using IPv6 aware code
> Querying current.cvd.clamav.net
> TTL: 1797
> Software version from DNS: 0.99.2
> main.cvd version from DNS: 57
> main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: 
> amishhamner)
> daily.cvd version from DNS: 22473
> 
> This log shows that freshclam was started at 5:01 of 5th Nov. and the result 
> of querying DNS was "daily.cvd version: 22473".
> According to the mail [clamav-virusdb] which is sent daily, the daily.cvd 
> version should be 22479 at 5:01 of 5th Nov.
> 
> We want to know why freshclam cannot get the latest daily.cvd version.
> Is this difference of daily.cvd version caused by cache of DNS?

OK, try restarting freshclam and see what comes up in the logs. 5th Nov is 
quite a while ago !
If it still doesn't get the correct information, give us the output of "dig 
current.cvd.clamav.net txt" - you may need to install the dig (Domain Internet 
Groper) package.



Re: [clamav-users] TTL of DNS recode

2016-11-24 Thread Simon Hobson
I realise English is not your main language and this is probably very difficult 
for you to explain in what is to you a foreign language, but I don't think we 
are able to figure out just what is not working ...

Tsutomu Oyamada  wrote:

> In the present situation fail.

What is failing ?

Does your local mirror update ?
If not, post logs from freshclam showing the failures to update.
Also post your freshclam config.

If your local mirror does update, then we assume your local clients are failing 
to update from your mirror.
If that is the case, post the freshclam logs from a failing client, and its 
config.



Re: [clamav-users] TTL of DNS recode

2016-11-24 Thread Simon Hobson
Al Varnell  wrote:

> So I think I have the answer for this one. From my research it would seem 
> that TTL values are set by the DNS server you are accessing, not by the 
> ClamAV and is the same for all records on that server.  You would have to 
> check with the DNS ISP to find out if it has changed or not.

OK, there seems to be some confusion about how DNS works and what the TTL value 
does, and what lookups report. Dennis has sort of covered some of this, but it 
might help to see the whole process.

When you do a lookup for a name, your client asks the locally configured 
resolver the question - eg what is the TXT record for current.cvd.clamav.net.

Assuming the resolver has nothing in the cache, then it will go to the root 
servers and ask the same question. The root servers won't know, so they will 
reply to the effect of "I don't know, but the name servers  
have a better answer" - ie the name servers for .net
So your resolver goes and asks the same question of one or more of those 
servers. They'll get the same "I don't know, but ..." answer, this time with a 
list of name servers handling clamav.net.
The resolver will continue in this manner until it reaches far enough down the 
tree to find a server that knows the answer. In this case, the nameservers 
for clamav.net (ns[2-7].clamav.net here*) know the answer and will return it.

Using DIG, this is the chain of results, note that when using +trace, DIG 
deliberately ignores cached records and so the TTL values are those of the 
records as served by the relevant name server (except for the root servers 
which I assume it still uses the local resolver cache for - it has to start 
somewhere !)  :

$ dig +trace current.cvd.clamav.net txt

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +trace current.cvd.clamav.net txt
;; global options: +cmd
.   45003   IN  NS  h.root-servers.net.
.   45003   IN  NS  b.root-servers.net.
.   45003   IN  NS  l.root-servers.net.
.   45003   IN  NS  e.root-servers.net.
.   45003   IN  NS  g.root-servers.net.
.   45003   IN  NS  m.root-servers.net.
.   45003   IN  NS  j.root-servers.net.
.   45003   IN  NS  c.root-servers.net.
.   45003   IN  NS  i.root-servers.net.
.   45003   IN  NS  a.root-servers.net.
.   45003   IN  NS  d.root-servers.net.
.   45003   IN  NS  f.root-servers.net.
.   45003   IN  NS  k.root-servers.net.
;; Received 508 bytes from 192.168.0.33#53(192.168.0.33) in 21 ms

net.    172800  IN  NS  e.gtld-servers.net.
net.    172800  IN  NS  m.gtld-servers.net.
net.    172800  IN  NS  f.gtld-servers.net.
net.    172800  IN  NS  a.gtld-servers.net.
net.    172800  IN  NS  l.gtld-servers.net.
net.    172800  IN  NS  b.gtld-servers.net.
net.    172800  IN  NS  j.gtld-servers.net.
net.    172800  IN  NS  c.gtld-servers.net.
net.    172800  IN  NS  d.gtld-servers.net.
net.    172800  IN  NS  h.gtld-servers.net.
net.    172800  IN  NS  k.gtld-servers.net.
net.    172800  IN  NS  g.gtld-servers.net.
net.    172800  IN  NS  i.gtld-servers.net.
;; Received 509 bytes from 2001:7fe::53#53(2001:7fe::53) in 43 ms

clamav.net. 172800  IN  NS  ns3.clamav.net.
clamav.net. 172800  IN  NS  ns4.clamav.net.
clamav.net. 172800  IN  NS  ns7.clamav.net.
clamav.net. 172800  IN  NS  ns6.clamav.net.
clamav.net. 172800  IN  NS  ns4a.clamav.net.
clamav.net. 172800  IN  NS  ns1a.clamav.net.
;; Received 302 bytes from 192.42.93.30#53(192.42.93.30) in 44 ms

current.cvd.clamav.net. 1800    IN  TXT "0.99.2:57:22593:1479972755:1:63:45272:285"
cvd.clamav.net. 7200    IN  NS  ns3.clamav.net.
cvd.clamav.net. 7200    IN  NS  ns4.clamav.net.
cvd.clamav.net. 7200    IN  NS  ns5.clamav.net.
cvd.clamav.net. 7200    IN  NS  ns6.clamav.net.
cvd.clamav.net. 7200    IN  NS  ns7.clamav.net.
;; Received 184 bytes from 2a01:4f8:160:8421::2#53(2a01:4f8:160:8421::2) in 38 ms


Naturally it would be wasteful if the resolver did all these lookups every 
time, so it stores all the results it gets back in a local cache. So next time 
you lookup the same answer, it already has it. If you lookup a different .net 
address, it already knows which servers handle .net. And so on.
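
An added example (not part of the original post, and not ClamAV code): decoding the TXT answer shown in the trace above and using the TTL printed in the freshclam log quoted elsewhere in this thread to work out how old the resolver's cached copy was. That the fourth TXT field is a Unix timestamp, and that freshclam prints the remaining TTL handed back by the local resolver, are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# TTL the clamav.net name servers attach to the record (from the +trace output).
AUTHORITATIVE_TTL = 1800

# Lines copied from the freshclam log quoted elsewhere in this thread.
FRESHCLAM_LOG = """\
ClamAV update process started at Sat Nov  5 05:01:15 2016
Querying current.cvd.clamav.net
TTL: 1797
Software version from DNS: 0.99.2
main.cvd version from DNS: 57
daily.cvd version from DNS: 22473
"""

# The answer line from the +trace output, with its column spacing restored.
DIG_ANSWER = ('current.cvd.clamav.net. 1800 IN TXT '
              '"0.99.2:57:22593:1479972755:1:63:45272:285"')


@dataclass(frozen=True)
class CvdRecord:
    software: str         # "Software version from DNS" in the log
    main: int             # main.cvd version
    daily: int            # daily.cvd version
    published: datetime   # assumption: field 4 is a Unix timestamp
    ttl: Optional[int]    # TTL as seen by whoever asked, if known


def parse_txt(txt: str, ttl: Optional[int] = None) -> CvdRecord:
    """Split the colon-separated TXT payload; fields after the 4th are ignored."""
    parts = txt.strip().strip('"').split(":")
    if len(parts) < 4:
        raise ValueError(f"unexpected TXT payload: {txt!r}")
    software, main, daily, stamp = parts[:4]
    published = datetime.fromtimestamp(int(stamp), tz=timezone.utc)
    return CvdRecord(software, int(main), int(daily), published, ttl)


ANSWER_RE = re.compile(
    r'^current\.cvd\.clamav\.net\.\s+(\d+)\s*IN\s+TXT\s+"([^"]+)"', re.M)


def parse_dig(output: str) -> CvdRecord:
    """Pull the TXT answer (and its TTL) out of dig output."""
    m = ANSWER_RE.search(output)
    if not m:
        raise ValueError("no TXT answer for current.cvd.clamav.net")
    return parse_txt(m.group(2), ttl=int(m.group(1)))


def parse_freshclam_log(log: str) -> dict:
    """Extract the TTL and daily.cvd version freshclam got from DNS."""
    ttl = re.search(r"^TTL:\s*(\d+)", log, re.M)
    daily = re.search(r"^daily\.cvd version from DNS:\s*(\d+)", log, re.M)
    if not (ttl and daily):
        raise ValueError("log lacks a TTL or daily.cvd line")
    return {"ttl": int(ttl.group(1)), "daily": int(daily.group(1))}


def diagnose(log: str, expected_daily: int,
             authoritative_ttl: int = AUTHORITATIVE_TTL) -> dict:
    """Compare what freshclam saw with what should have been published.

    A cached answer counts its TTL down, so authoritative TTL minus the
    TTL seen is how long ago the resolver says it fetched the record.
    """
    seen = parse_freshclam_log(log)
    cache_age = authoritative_ttl - seen["ttl"]
    behind = expected_daily - seen["daily"]
    if behind <= 0:
        verdict = "current"
    elif 0 <= cache_age <= authoritative_ttl:
        # The resolver reports a recent fetch yet the data is old: this
        # suggests the old answer came from something upstream of it
        # (a forwarder or intercepting cache), not from its own TTL.
        verdict = "stale-upstream"
    else:
        # TTL seen exceeds the authoritative one: something rewrites TTLs.
        verdict = "ttl-rewritten"
    return {"cache_age_s": cache_age, "versions_behind": behind,
            "verdict": verdict}


if __name__ == "__main__":
    print(parse_dig(DIG_ANSWER))
    print(diagnose(FRESHCLAM_LOG, expected_daily=22479))
```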

Re: [clamav-users] GPL license question

2016-09-18 Thread Simon Hobson
Borough Rumford  wrote:

> I know clamav is released under GPL license, and third-party commercial app 
> shouldn’t link libclamav.

Is the library under the GPL or LGPL - the answer is different for the two 
licences ?
https://www.gnu.org/licenses/gpl-faq.en.html#GPLStaticVsDynamic
https://www.gnu.org/licenses/gpl-faq.en.html#LGPLStaticVsDynamic

AIUI, if you link against a GPL library then your code needs to be compatible 
with the GPL, if you link dynamically against an LGPL library then it doesn't.
That's the reason for having the LGPL.



Re: [clamav-users] Threading (Was: How can Clam/Cisco be so irresponsibly reckless and nonchalant to Windows users?)

2016-02-18 Thread Simon Hobson
Mark Allan  wrote:

> 
>> For me, I use Mail.app the majority of the time.  Apparently if I delete 
>> lines and inline reply like I do in Thunderbird, Mail.app just tells me to 
>> eat dust and unthreads the whole thing.  Guess I should file a bug with 
>> Apple.
> 
> That's strange. I use Mail.app as well, and as far as I'm aware, there's 
> never been a problem replying to emails and keeping the threading and quoted 
> text.

Me too, never come across that. But then I'm still on 10.8 (Mountain Lion) so 
can't speak for later versions, I know Apple does have a history of taking 
something that works and "fixing" it - in the same way people talk of taking 
their dog to the vet to be "fixed" (by removing bits that worked).


Groach  wrote:

> Consider my explanation of 'notification' above.  So now, how do I post a 
> 'reply' to someone else's comment if I no longer have an "email notification" 
> (to click 'REPLY' on)?

What I usually do in that situation is to carefully copy the email subject as 
it appears in the archives and create a new email. The new email won't have any 
references headers to link it to the thread, but any half decent client and 
list archive should be capable of recognising the subject as being the same as 
the existing thread and link it in that way.
Your message won't appear in the right place in the threaded view in the 
archives, but it should appear in the same thread.

The same issue occurs for people getting a list digest.


In theory, if it's presented, you could copy the message header from the 
archive and add that as a custom header (In-Reply-To:) to your email. Looking 
at the Mailman archive for the list it doesn't seem to be presented, but I 
suspect some archives may keep and display it.
The key headers are :

Message-Id:
This should be a globally unique ID generated by your mail client.

In-Reply-To:
If you reply to an email, the In-Reply-To: header should be set to the 
Message-Id: of the message you reply to.

References:
This builds up as a message gets replied to over time. Each reply should be 
adding the Message-Id: to this so there ends up a chain of which messages led 
to this one.

In-Reply-To: should be sufficient to put your message in the right place in the 
thread.



What you must never ever do is select some random list message in an unrelated 
thread and hit reply - either to respond to an existing thread or to start a 
new one. Because this reply will include In-Reply-To: and probably References: 
headers, this will cause your unrelated message to get threaded into the wrong 
thread. If you are browsing an archive and find a seemingly unrelated thread 
intermingled with another one - this is probably the cause.
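
An added example (not part of the original post): the header rules above as code, with a check that flags a message whose In-Reply-To: points into a thread its subject does not belong to. The messages, addresses and function names are constructed for illustration; a subject carrying "(Was: old subject)" is treated as a legitimate rename.

```python
import re

PREFIX_RE = re.compile(r"^\s*(?:\[[^\]]*\]|re:|fwd?:)\s*", re.I)
WAS_RE = re.compile(r"\(was:\s*(.*)\)\s*$", re.I | re.S)


def base_subject(subject):
    """Subject without list tags, Re:/Fwd: prefixes or a trailing '(Was: ...)'."""
    s = WAS_RE.sub("", subject)
    while PREFIX_RE.match(s):
        s = PREFIX_RE.sub("", s, count=1)
    return " ".join(s.lower().split())


def previous_subject(subject):
    """The old subject named in '(Was: ...)', or None if there is none."""
    m = WAS_RE.search(subject)
    return base_subject(m.group(1)) if m else None


def reply_headers(parent):
    """Headers a client sets when replying to `parent`."""
    refs = parent.get("References", "").split()
    return {"In-Reply-To": parent["Message-Id"],
            "References": " ".join(refs + [parent["Message-Id"]])}


def place(msg, by_id, by_subject):
    """Where an archive files `msg`: by header, by copied subject, or as new."""
    parent_id = msg.get("In-Reply-To")
    if parent_id in by_id:
        return "header", parent_id
    root = by_subject.get(base_subject(msg["Subject"]))
    return ("subject", root) if root else ("new", None)


def is_hijack(msg, by_id):
    """True when the reply headers and the subject disagree about the thread."""
    parent = by_id.get(msg.get("In-Reply-To"))
    if parent is None:
        return False
    want = base_subject(parent["Subject"])
    return (base_subject(msg["Subject"]) != want
            and previous_subject(msg["Subject"]) != want)


def file_all(messages):
    """File messages in arrival order; returns (id, method, parent, hijack)."""
    by_id, by_subject, report = {}, {}, []
    for msg in messages:
        method, parent = place(msg, by_id, by_subject)
        report.append((msg["Message-Id"], method, parent, is_hijack(msg, by_id)))
        by_id[msg["Message-Id"]] = msg
        by_subject.setdefault(base_subject(msg["Subject"]), msg["Message-Id"])
    return report


# Constructed sample messages.
A = {"Message-Id": "<a1@example.org>",
     "Subject": "[clamav-users] How can Clam/Cisco be so reckless?"}
# Proper reply that renames the thread.
B = {"Message-Id": "<b1@example.org>",
     "Subject": "Re: [clamav-users] Threading (Was: How can Clam/Cisco be so reckless?)",
     **reply_headers(A)}
# New mail with the subject copied from the archive, no reference headers.
C = {"Message-Id": "<c1@example.org>", "Subject": "Re: [clamav-users] Threading"}
# Unrelated question sent by hitting reply on B.
D = {"Message-Id": "<d1@example.org>",
     "Subject": "[clamav-users] freshclam proxy settings",
     **reply_headers(B)}
SAMPLE = [A, B, C, D]

if __name__ == "__main__":
    for row in file_all(SAMPLE):
        print(row)
```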



Re: [clamav-users] mail server and clamav in different machine

2015-06-21 Thread Simon Hobson
M.hafez wdeln...@yahoo.com wrote:

> can i install the mail server (win or Linux based ) and the clamav in 
> different machine, that may allow me to filter more than one mailer server 
> using the same Clamav machine.

In principle yes, though it very much depends on how you are going to pass the 
email to it.

If you do file based scanning - ie the server saves a file (or files) and then 
calls ClamAV - you will need to arrange shared files and ensure the file paths 
remain consistent for both ends.
If you run it as a filter and pass the message in via that, then it should only 
be a case of pointing each mail server at the right socket.

But why not duplicate the ClamAV installation and distribute the workload ?
I built a small cluster (Postfix+PostfixAdmin+MySQL+Courier+Amavis+ClamAV) 
and configured each server to do before-queue scanning of inbound emails. I 
made it so there is one master machine which holds the mail store, and a number of 
other mail servers that will accept connections, scan the mail, and if accepted 
put it in the mail store via NFS. This was because of the potential delays 
introduced by before-acceptance scanning and to spread the load of that 
scanning across multiple hosts.
My experience is that by far the highest load on my mail servers is the 
scanning.



Re: [clamav-users] Clamd and Systemd

2015-06-19 Thread Simon Hobson
Scott Kitterman deb...@kitterman.com wrote:

>> Is harmless supposed to include not installable ?
> 
> No.  What's not installable? 
> 
> Install clamav-daemon (with the lib) and don't worry about it.

Given that I wouldn't be bothered at all if SystemD was just an init system, 
it's all the other crap I want to keep out. Do you really think I'm going to 
allow a SystemD library (whose package description gives no clues about its 
functions or intentions) onboard ?

If ClamD is only using this library if SystemD is installed, then presumably 
it'll work without that library when SystemD isn't installed ? So all I need is 
a dummy (empty) package that provides whatever apt is looking for to satisfy 
the installation dependency ?



Re: [clamav-users] Clamd and Systemd

2015-06-18 Thread Simon Hobson
G.W. Haywood cla...@jubileegroup.co.uk wrote:

> I would
> 
> http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installation

Been there, done that, but what a right PITA it creates - specifically trying 
to figure what package is triggering a chain of dependencies that's trying to 
pull in part of SystemD

> and then install ClamAV from source.  I wouldn't use packages for
> things like ClamAV anyway.

I have to consider maintainability - and given the skills (or lack of) left in 
the business when I find a better job or get hit by the proverbial bus, I've 
been making a point of sticking to packages.

> Not at all, it's just Debian doing what Debian does (i.e. drive me nuts).

It's been driving me nuts today. Perhaps it's just what I'm used to but I 
prefer Debian to most other distros - I learned my first Unix with SCO Xenix 
and then Openserver5.


Scott Kitterman deb...@kitterman.com wrote:

>> Also, does anyone know how important this dependency is ? Is it just
>> some small optional features, or something fundamental that can't be
>> removed ? My gut feeling is that given the range or platforms ClamAV
>> runs on (inc many without SystemD), it can't be that important.
> 
> It's there because of the way we build the package to support the default 
> init system.  I don't recall exactly why. It doesn't, however, do anything if 
> systemd isn't the active init system. Other than taking a small amount of 
> disk space it's harmless. 

Is harmless supposed to include not installable ?



Re: [clamav-users] unsubscribe

2015-05-27 Thread Simon Hobson
Cmos35 x.lep...@laposte.net wrote:

> I never asked to be unsubscribed, I asked a question and I unsubscribed by 
> David Barr

No, he didn't unsubscribe you - only you can do that (or someone forging your 
email address in the sender field)

I assume he wanted to unsubscribe from the list, but ignored the email he would 
have had when first signing up (which contained information) and made no effort 
to find out how to do it properly.
If he'd made any effort at all, he'd have found these helpful headers in any 
list email :
 List-Id: ClamAV users ML clamav-users.lists.clamav.net
 List-Unsubscribe: 
 http://lists.clamav.net/cgi-bin/mailman/options/clamav-users,  
 mailto:clamav-users-requ...@lists.clamav.net?subject=unsubscribe
 List-Archive: http://lists.clamav.net/pipermail/clamav-users/
 List-Post: mailto:clamav-users@lists.clamav.net
 List-Help: mailto:clamav-users-requ...@lists.clamav.net?subject=help
 List-Subscribe: 
 http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users,  
 mailto:clamav-users-requ...@lists.clamav.net?subject=subscribe

Like most mailing lists, all he had to do was to send a blank message to 
whatever the list is-request with unsubscribe in the subject - or click on 
the link and go to the mail manager website and do it. I see this periodically 
on every mailing list I'm on - even the ones where there is a help message 
clearly visible in the footer of every list message :-/



Re: [clamav-users] ClamAV installation is OUTDATE!

2015-02-25 Thread Simon Hobson
Marcio Fiorette marcio.fiore...@gmail.com wrote:

> I am unable to update ClamAV from version 0.98.5 to 0.98.6
> on Debian 7. I have already followed the procedures on the site
> www.clamav.net and still have not succeeded.

Google tells me you're trying to update but it's not working.

Did you install ClamAV as a Debian package ? If so then do NOT use any other 
tools to update it, just use the Debian supplied package tools. This applies to 
any distribution - if you installed the distribution package then you should 
update using the distro specific tools/packages.

If you include wheezy-updates as a repository (see /etc/apt/sources) then 
0.98.6 is already there - apt-get update && apt-get upgrade should update it 
(and anything else that needs updating).

If you don't include wheezy-updates (which you should do - it's your security 
updates) then you'll still only get 0.98.5

https://packages.debian.org/search?keywords=clamav&searchon=names&suite=all&section=all



Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)

2015-02-23 Thread Simon Hobson
Daniel Spies ds20150222c...@pskx.net wrote:

> I don't get how you find it more appropriate to silently reject someone's 
> e-mail

I don't. I don't know where you got that from - perhaps it's from seeing so 
many examples of bad practice that's become the norm so you assume everyone is 
that bad ?



Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)

2015-02-22 Thread Simon Hobson
Daniel Spies ds20150222c...@pskx.net wrote:

> In my opinion, it doesn't make any sense to scan e-mail leaving the server. 
> The recipient will never trust these tags anyway. So why scan at all? It's 
> important to scan incoming mail, be it from a local or an external client.

I disagree.
Recipients may not trust the tags, but it *should* stop outbound spam/infected 
mail should your machine (or one of the clients) get compromised. IMO spam and 
malware is not just something to stop coming in, it's something to prevent 
going out - if more networks prevented it going out then there'd be less of a 
problem.

On my systems I scan *everything*, and I firewall off everything I can - 
including preventing outbound connections to port 25.

At work I run mail servers that are used by customers - including as smart 
relays. It's not all that uncommon to find one of the customers compromised and 
sending out thousands (or millions) of spam emails - so my latest server also 
does rate limiting to limit the damage done before it gets spotted and blocked.



Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)

2015-02-22 Thread Simon Hobson
OK, this is getting well off-topic for this list, this will be my final say on 
the matter - and from some of the other comments I see I'm not alone in 
considering you part of the problem.


Daniel Spies ds20150222c...@pskx.net wrote:

>> Recipients may not trust the tags, but it *should* stop outbound 
>> spam/infected mail should your machine (or one of the clients) get 
>> compromised. IMO spam and malware is not just something to stop coming in, 
>> it's something to prevent going out - if more networks prevented it going 
>> out then there'd be less of a problem.
> 
> It's not always black and white. I assume you're responsible for the clients 
> you're talking about, i.e. they are your customers or colleagues.

It varies, but in the general case they may be managed customers (where we 
look after the network, servers, and clients) through to customers only in 
that they use our mail servers. Regardless, all mail they send through my 
servers is scanned - and I do block anything that reaches a sufficient 
spamminess score or fails the AV checks.

> While spoon-feeding colleagues or customers may be okay for the sake of 
> security, my clients would certainly raise hell if they would receive errors 
> due to false positives. Most people expect their system to just work -- no 
> matter what.

Which is one reason it's very important to make sure you are not part of the 
problem. Allowing a customer to send nasties through your mail server is a 
good way of getting it blacklisted - and then it certainly doesn't just work. 
I can assure you that when your server gets on a blacklist, your customers do 
complain - and they complain a lot louder than if you block one or two spammy 
messages.
The best way to stay off blacklists is to block spam and nasties at source - 
not just rely on the recipient to catch it later ...

> By the way: I don't even reject virus/spam mail, I just tag them. If a client 
> is dumb enough to open the attachment of a tagged e-mail, so be it.

So you are part of the problem. It's already been said that tagging is 
meaningless - yet you assume it's reasonable to expect others to act on your 
tags.

>> On my systems I scan *everything*, and I firewall off everything I can - 
>> including preventing outbound connections to port 25.
> 
> I am not in the situation where all my clients sit in a firewalled private 
> network; it's more the free-mail kind of situation. What and when my clients 
> send e-mail is none of my concern, as long as they do it in common dimensions, 
> i.e. in a way that matches a real person.

Most of the customers are also not on managed networks. But on my own systems I 
block outbound connections to port 25 other than what's needed (actually, I 
mostly have a block everything and allow what's needed policy). It's all part 
of a layered approach - you protect your systems, but you also add a layer that 
limits the damage if they do get compromised.

> However, rejecting outgoing e-mail right away is not an option, which 
> ultimately makes the scanning of these messages redundant.

Which makes you part of the problem.



Re: [clamav-users] clamav-users-bounces DKIM signature verify error

2014-05-29 Thread Simon Hobson
Scott Kitterman ubu...@kitterman.com wrote:

> ... but isn't this a bit off topic?

Yes it is - but the OP asked here as he was having problems with this list.

> In this particular case, he's got a local configuration issue nothing really to
> do with clamav, SPF, or DKIM (as a protocol).

Yes it's a local config problem (he needs to turn off DKIM, or at least turn it 
down to the point where it's virtually useless), but it's a hard stretch to say 
it's nothing to do with DKIM since DKIM *IS* his problem !



Re: [clamav-users] clamav-users-bounces DKIM signature verify error

2014-05-29 Thread Simon Hobson
Scott Kitterman ubu...@kitterman.com wrote:

> No, sending bounces to the list is his problem.

Sorry, but that's a relatively common techie attitude - ignore the fact that 
the end user probably has no idea what's going on (else why ask for help about 
it ?) From the USER perspective, he has a problem with using this list, and 
has asked for help identifying WHY. His problem is **NOT** sending bounces, his 
problem is list server is unsubbing him and/or he isn't getting all the mails 
- bouncing mails is a *cause* of that, and DKIM is a *cause* of that.

As you say, the discussion of the merits or otherwise of DKIM and/or SPF is OT 
for this list, but the OP didn't know that that was the problem until he asked 
the question. Now he knows what the underlying issue is - he can address it, 
asking for help in an appropriate forum if required.



Re: [clamav-users] clamav-users-bounces DKIM signature verify error

2014-05-28 Thread Simon Hobson
Marcello Lupo ml...@itspecialist.it wrote:

> Have you any idea of the reason for this problem and how to let it go away?

Other than DKIM breaks stuff

> As now I’m losing some messages from the list for sure.

Stop using mailing lists OR stop using DKIM
Or you might be able to tune DKIM to exclude the message content - which rather 
defeats the object.

http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail#Annotations_by_mailing_lists


SPF has the same problem.



Re: [clamav-users] clamav stops boot

2014-05-02 Thread Simon Hobson
Alain Zidouemba azidoue...@sourcefire.com wrote:

> The ClamAV engine won't update itself automatically. You will have to
> manually perform that operation. The latest version of ClamAV (version
> 0.98.1) can be downloaded here:
> http://www.clamav.net/lang/en/download/sources/

However, as the OP is using Debian, is new to Debian, and assuming it's been 
installed as a package, then he'd be better just using the system update tools.

apt-get update && apt-get upgrade to upgrade everything, or apt-get upgrade 
followed by apt-get install clamav-daemon clamav-freshclam should pull in 
updates for the ClamAV stuff. That is, assuming it's a moderately up to date 
Debian version.

But he has to get it booted first ! The system should continue past that 
message, so I'm not sure what's going on. As a quick hack, booting into 
recovery mode (should be a boot option at the Grub menu) and rm 
/etc/rc2.d/S*clamav-daemon should get the machine to a bootable state.
Once the system boots, dpkg -l '*clamav*' should show what's installed.



Re: [clamav-users] Problem with Freshclam and local mirror

2014-04-02 Thread Simon Hobson
Shawn Webb sw...@sourcefire.com wrote:

> I suspect the fault lies in a rather small piece of code that was supposed
> to make the call to recv() a little more robust. If you have the ability
> (or desire) to compile from source, can you please try the attached patch?
> If the patch works, I'll integrate it into our next release.

Thanks, but I'm not really in a position to test it - I don't have build tools 
on any of my machines, and don't really have the skills to use them anyway.

In response to my bug report 
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743305), Andreas Cadhalpun 
has pointed out that there is now a PrivateMirror option in freshclam.conf. 
I've configured this and things now seem to work, though I need to leave it for 
a while to be sure.
The only reference to the new option I could find on my system was on line 962 
of the changelog.


And thanks for the other suggestions.



[clamav-users] Problem with Freshclam and local mirror

2014-04-01 Thread Simon Hobson
Because I've several machines using it, I've setup one to act as a local 
server, with the others pulling their updates from it. It's been generally 
reliable for years, but since updating to 0.98.1 I'm having repeated problems 
where the slaves just stop fetching updates.

As an example, one of them as of this morning was 7 revisions out of date. 
Freshclam log says :
 main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
 ERROR: Can't download daily.cvd from virusdb.back.mydomain
 Giving up on virusdb.back.mydomain...
 Update failed. Your network may be down or none of the mirrors listed in 
 /etc/clamav/freshclam.conf is working. Check  
 http://www.clamav.net/support/mirror-problem for possible reasons.

Invariably, if I delete mirrors.dat and restart Freshclam it will then download 
daily.cvd :
 main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
 Downloading daily.cvd [100%]
 daily.cvd updated (version: 18725, sigs: 863475, f-level: 63, builder: neo)
 bytecode.cvd is up to date (version: 236, sigs: 43, f-level: 63, builder: 
 dgoddard)
 Database updated (3287743 signatures) from virusdb.back.mydomain (IP: 
 172.nn.nn.nn)

Systems are running Debian Wheezy and fully up to date.

Checking the logs, I can see one system at 6:50 said :

 ClamAV update process started at Tue Apr  1 06:50:35 2014
 main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
 Downloading daily.cvd [100%]
 WARNING: Mirror 172.nn.nn.nn is not synchronized.
 Trying again in 5 secs...
 ClamAV update process started at Tue Apr  1 06:50:42 2014
 main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
 WARNING: Can't download daily.cvd from virusdb.back.mydomain
 Trying again in 5 secs...

And on the Apache logs of the main server, I can see daily.cvd being fetched at 
06:50 then nothing at all after that. It looks like Freshclam just flags the 
mirror as bad and never checks it again.


Any ideas ?



Re: [clamav-users] Problem with Freshclam and local mirror

2014-04-01 Thread Simon Hobson
Greg Folkert g...@donor.com wrote:

> I had this problem and have used a brute force solution to remove the
> mirrors.dat file every day so it'll ignore previous problems (like the
> machine being unavailable or other such issues)

I had already considered the same. Since I've got two machines that have 
dropped 3 revisions behind already today (ie in the last 8 hours) I'll do that 
unless anyone has any more elegant suggestions or knows how to fix the 
underlying problem.

In the meantime, I've logged a bug against the Debian package.

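The failure mode in the freshclam messages above (a client that silently stops updating after giving up on its mirror) can be caught by watching the freshclam log. This is an added example, not code from the thread or from ClamAV; the sample log is constructed in the format of the excerpts quoted in the post, and the 4-hour threshold is an assumption.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample, following the format of the log excerpts in the post.
SAMPLE_LOG = """\
ClamAV update process started at Tue Apr  1 04:50:31 2014
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
daily.cvd is up to date (version: 18718, sigs: 860000, f-level: 63, builder: neo)
ClamAV update process started at Tue Apr  1 06:50:35 2014
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
Downloading daily.cvd [100%]
WARNING: Mirror 172.nn.nn.nn is not synchronized.
Trying again in 5 secs...
ClamAV update process started at Tue Apr  1 06:50:42 2014
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
WARNING: Can't download daily.cvd from virusdb.back.mydomain
Trying again in 5 secs...
ClamAV update process started at Tue Apr  1 07:50:40 2014
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
ERROR: Can't download daily.cvd from virusdb.back.mydomain
Giving up on virusdb.back.mydomain...
"""

RUN_RE = re.compile(
    r"ClamAV update process started at (\w{3} \w{3} +\d+ [\d:]{8} \d{4})")
DAILY_OK_RE = re.compile(
    r"daily\.c[vl]d (?:is up to date|updated) \(version: (\d+)")
GIVE_UP_RE = re.compile(r"Giving up on (\S+?)\.\.\.")


@dataclass
class UpdateStatus:
    last_ok: Optional[datetime] = None      # start time of last good run
    last_version: Optional[int] = None      # daily database version seen then
    runs_since_ok: int = 0                  # update runs without a good daily
    gave_up: List[str] = field(default_factory=list)  # mirrors abandoned since
    stale: bool = True


def analyse(log_text: str, now: datetime,
            max_age: timedelta = timedelta(hours=4)) -> UpdateStatus:
    """Summarise a freshclam log and decide whether signatures are stale."""
    status = UpdateStatus()
    run_started = None
    for line in log_text.splitlines():
        m = RUN_RE.search(line)
        if m:
            run_started = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            status.runs_since_ok += 1
            continue
        m = DAILY_OK_RE.search(line)
        if m and run_started is not None:
            # daily.cvd confirmed current in this run: reset failure tracking
            status.last_ok = run_started
            status.last_version = int(m.group(1))
            status.runs_since_ok = 0
            status.gave_up.clear()
            continue
        m = GIVE_UP_RE.search(line)
        if m and m.group(1) not in status.gave_up:
            status.gave_up.append(m.group(1))
    # No confirmed update at all counts as stale (fail towards alerting).
    status.stale = status.last_ok is None or now - status.last_ok > max_age
    return status


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG, now=datetime(2014, 4, 1, 14, 50)))
```
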


Re: [clamav-users] Debian packaging

2014-02-12 Thread Simon Hobson
Greg Folkert g...@donor.com wrote:

> Debian Stable is that. If you must have 0.98.1, you should also be using
> backports... at least I used to until I just used Sid for everything.
> Backports help extend Stable's longevity and freshness a bit... but it
> is no guarantee 0.98.1 will be there.

Actually it should filter down once it's gone through some testing. Stable 
means different things to different packages - and AFAIK policy hasn't changed 
much in terms of updating volatile security related packages like ClamAV.



Matthew Newton m...@leicester.ac.uk wrote:

> Debian's policy is to ensure that stable means stable - so they
> only generally apply security patches. There was a volatile
> repository once as they realised that software like ClamAV needs
> updating more but conflicted with normal policy; it looks like
> it's been replaced, but I don't know if they still maintain the
> ClamAV package there.

It is still there, just under a different name - should be covered by the 
version/updates (eg wheezy/updates) source.
http://www.debian.org/security/


As for installing the update, as pointed out there are several options. If you 
have wheezy/updates in your apt-sources list then it should appear (eventually) 
after passing through Debian's quality processes.

If you want it sooner, then pull it from testing - something I've done with a 
few packages from time to time. I've found that mostly things are fairly 
reliable by the time they reach testing - but it's worth a scan of the bugs 
list first.

Or if you want bleeding edge - either install from upstream source, or install 
from unstable. Unstable can be, well, unstable - so you roll your dice and take 
your chances.


Personally, I try to avoid installing from source. Not because I can't do it (I 
have done it when I've had no option), but I have to consider maintainability - 
especially if I've moved on and the system gets inherited by someone with 
limited Linux/FOSS skills. YMMV - what you do on a home system (only you to 
consider) or in an environment where there are plenty of experienced Linux/FOSS 
admins is one thing; what you do when there's no such people around is another.



Re: [clamav-users] Is there any chance of the 97.8 version as shipped by ubuntu 10.04.4 LTS, working?

2014-01-27 Thread Simon Hobson
Gene Heskett ghesk...@wdtv.com wrote:

> So, is there any hope of making it work again using what the repo's for
> ubuntu 10.04.4 LTS will put back in (version 97.8) using synaptic?  Or has
> the data format changed so much its hopeless?

97.8 is the current stable version in Debian (98 has just hit unstable) and 
Freshclam is working fine for me. I don't see there being any problems.



Re: [clamav-users] Debian packaging

2013-12-17 Thread Simon Hobson
Greg Folkert wrote:
> Simon,
> Why not open a Bug, or look to see if there is one. Oh wait:
> In Pending Upload bugs for
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=727027
>
> Just gotta look. Pending since Oct 2013

Yes indeed.

> And lookit that, some Simon Hobson li...@thehobsons.co.uk
>
> Commented on it Fri, 15 Nov 2013 9:54:48 +.

And look what a positive response it's had so far !

> Make noise on the list or continue to bomb the bug(s)... This place
> ain't gonna be helpful in this regard.

Well since no-one's come back with something like the package maintainer's 
gone AWOL or similar, I'll keep bumping that bug ticket. Does seem strange, I 
don't recall such a long delay in the past.
Updating from source isn't really an option since I need to leave these systems 
maintainable by people who need the simplicity of apt-get upgrade.


[clamav-users] Debian packaging

2013-12-16 Thread Simon Hobson
Does anyone know what the situation is with Debian packages ?
It's been something like 2 months now and 0.98 still doesn't appear to have 
made it to unstable, let alone testing.

I'm assuming this also affects Debian derived distros like Mint and Ubuntu.


Re: [clamav-users] Virus names - a rose by any name?

2013-01-13 Thread Simon Hobson
Pancho wrote:
> Hi - thanks to everyone for the replies. I have seen 2 replies now and it
> may well be that I have not been clear enough because both are at cross
> purposes.

Then it might help if you elaborated on what you meant.

> Unfortunately I don't have further time to invest in this topic but I do
> hope that someone at ClamAV sees value in the suggestions.

They might if they could understand what the suggestions were. It's clear from 
your response that what people took away from your post is not what you meant. 
Hence it's unlikely that anyone will see value in something they haven't seen.
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [clamav-users] Virus names - a rose by any name?

2013-01-12 Thread Simon Hobson
Pancho wrote:

> While I understand the comment, it makes it risky I believe from a security
> perspective to tell users anything more than  file contains virus.
>
> I say this because if we find a virus and provide the message file contains
> virus with name ClamAV proprietary virus name XYZ then malicious users
> can effectively deduce our virus engine simply by using the custom name.
> See the site http://virusscan.jotti.org/en for a very easy illustration of
> how to do this.
>
> Once the malicious user knows this again, it is a fairly straightforward
> thing for them to test exploits against a site like jotti until they find
> one not detected by ClamAV - then submit that exploit to our site knowing
> that it will successfully bypass our anti virus.

AFAIK ClamAV doesn't tell outside users anything - that is up to the software 
that calls it and the administrator that set it up.

For example, suppose we are using ClamAV to scan inbound mail - using Amavis as 
integration software as that's a fairly common setup. So when the email is 
submitted by the outside MTA, our MTA hands off the message to Amavis, and 
Amavis (amongst other things) hands it off to ClamAV.

The response sent to the outside MTA can be anything from message blocked at 
one extreme to ClamAV found XXX at the other - and where in that spectrum is 
down to not just ClamAV (which should correctly identify what it found IMO), 
but also the config of Amavis and the config of our MTA.

Of course, what is reported to the outside MTA can be different to what is 
logged in our mail log. We may just report blocked to outside while logging 
full details (as is usually the case) in the mail log so that the administrator 
has more information if the reason is queried.

Much the same applies if you scan inbound files on a web site that allows 
uploads - what ClamAV reports to your software, and what your software reports 
to the end user may be different things.


Re: [clamav-users] linux scan of WordPress directories

2012-08-14 Thread Simon Hobson

Vid Luther wrote:


 I'm wondering if it's possible to run ClamAV on a file system that has a
ton of WordPress installs.


Yes, use (IIRC) clamscan to scan the directories.
I've done that on my servers when there's been any question about a 
customer site.


--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.


Re: [clamav-users] Licensing DLLs

2012-05-14 Thread Simon Hobson

Chuck Swiger wrote:


  What if WE made an AV plugin DLL to link our software with libclamav?

If your software license isn't GPL-miscible, then you should not 
redistribute the combination of your software, the plugin, and 
ClamAV.


Isn't this a case where the component they've linked with (in this 
case) ClamAV would need to be GPL, but the other component it talks 
to doesn't need to be ?
I'm assuming these are separate units - ie there's the closed main 
system, and the GPL plugin code linked with ClamAV.


The fact that the closed main system is distributed alongside the GPL 
code doesn't mean it has to be GPL - provided they are clear in the 
documentation etc which parts are closed, and which are GPL. Very 
much a flip round of the case where software uses non-free libraries 
(http://www.gnu.org/licenses/gpl-faq.html#FSWithNFLibs)



Also,
http://www.gnu.org/licenses/gpl-faq.html#GPLInProprietarySystem
says :

However, in many cases you can distribute the GPL-covered software 
alongside your proprietary system. To do this validly, you must make 
sure that the free and non-free programs communicate at arms length, 
that they are not combined in a way that would make them effectively 
a single program.


It then goes on to say :

The difference between this and incorporating the GPL-covered 
software is partly a matter of substance and partly form. The 
substantive part is this: if the two programs are combined so that 
they become effectively two parts of one program, then you can't 
treat them as two separate programs. So the GPL has to cover the 
whole thing.


My interpretation of this would be that in the case the OP asked 
about, provided he makes the plugin a distinctly separate program 
(and GPLs any code he adds to the GPLd code to make it work with his 
API) then it would qualify. It would require the plugin to be 
separate and optional - but I see no reason it can't be shipped on 
the same disk.




The GPL is actually not as all encompassing and restricted as many 
believe - it *IS* possible to combine GPL and non-free software in a 
system if you do it right, and using GPL software does *NOT* 
automatically mean the entire system has to be GPL. Perpetuating 
these myths doesn't do anyone any good.


If in doubt, the OP could always ask FSF who I'm sure would be quite 
happy to have someone ask them rather than make assumptions and/or 
get it wrong. I dare say they'd be happier if the whole lot was GPLd, 
but Rome wasn't built in a day.


--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.


Re: [clamav-users] Some questions about setting up ClamAV

2012-01-28 Thread Simon Hobson

Andy Newby wrote:


How can we have clamAV automatically scan the images after they are
uploaded (to catch any viruses as quickly as possible)?


You'd need to get your software to do that. Between accepting the 
upload and doing anything with it, call Clamscan to scan it.


Alternatively, and I don't know if this is possible, I believe some 
OSs have facilities to monitor a filesystem for changes. If you can 
get the system to tell you when a new file has been created in your 
upload directory, then you could scan it then - but of course you may 
need to wait for the upload to complete.


If it is not possible to set up clamAV like this, how can we set up 
a cron job to scan the image folders and domain / server ?


You create a cron job, to run at whatever schedule you want, that 
calls Clamscan with the options you want.


--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.


Re: [clamav-users] Some questions about setting up ClamAV

2012-01-25 Thread Simon Hobson

Andy Newby wrote:


We're using ClamAV on a Unix Centos Server, with WHM and Cpanel, we would
like to do this:

1)  Set up a cron job to scan a single domain (via Cpanel), and a cron job
for the entire server (via WHM), how?


Create cron jobs to call clamscan with the options you want ?


2)  We would like to set up a cron job to update ClamAV with the latest
virus DB on a single domain (via Cpanel), and a cron job for the entire
server (via WHM), how?


Ditto. Setup cron jobs to call freshclam. Or just let freshclam do 
its job automatically. If you have a lot of instances to update, you 
might consider setting up a central server to fetch updates and then 
let individual servers/instances fetch from that.



3)   our web site allows users to upload images via a standard form.   We
would like to set up ClamAV to be able to scan their file before it gets
uploaded to the server, how can we do this?


You can't - it's not there to scan before it's been uploaded. You'd 
need to look at the software being used and get it to scan all new 
files before it goes on to use them.


--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
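Two points from the replies above fit in one wrapper: scan an upload with clamscan between accepting it and using it, and keep the signature name in your own log while the uploader only sees a generic result. This is an added example, not code from the thread; the function names, messages and the choice to reject when the scan itself fails are assumptions, and the scanner is injectable so the logic can be exercised without ClamAV installed.

```python
import logging
import os
import subprocess
import sys
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

log = logging.getLogger("upload-scan")

# clamscan exit codes per its man page: 0 = no virus, 1 = virus found, 2 = error
CLEAN, INFECTED = 0, 1

# What the uploader sees. Deliberately says nothing about the scanner or signature.
PUBLIC_OK = "Upload accepted."
PUBLIC_REJECT = "Upload rejected."


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    public_message: str          # safe to return to the outside user
    signature: Optional[str]     # internal only: goes to the admin log


def run_clamscan(path: str) -> Tuple[int, str]:
    """Run clamscan on one file; returns (exit code, combined output)."""
    target = os.path.abspath(path)   # absolute path can never look like an option
    try:
        proc = subprocess.run(["clamscan", "--no-summary", target],
                              capture_output=True, text=True, timeout=300)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return 2, f"scanner unavailable: {exc}"
    return proc.returncode, proc.stdout + proc.stderr


def parse_signature(output: str) -> Optional[str]:
    """Extract the name from a '<path>: <Signature> FOUND' line, if any."""
    for line in output.splitlines():
        line = line.rstrip()
        if line.endswith(" FOUND"):
            # rsplit: the path itself may contain ': '
            return line[: -len(" FOUND")].rsplit(": ", 1)[-1]
    return None


def check_upload(path: str,
                 scanner: Callable[[str], Tuple[int, str]] = run_clamscan) -> Verdict:
    """Decide whether an uploaded file may be used by the application."""
    code, output = scanner(path)
    if code == CLEAN:
        return Verdict(True, PUBLIC_OK, None)
    if code == INFECTED:
        signature = parse_signature(output) or "unknown"
        log.warning("upload %s rejected, signature %s", path, signature)
        return Verdict(False, PUBLIC_REJECT, signature)
    # Any other exit code means the file was not scanned. Assumption made
    # here: an unscanned upload is treated as rejected (fail closed).
    log.error("scan of %s failed (exit %s): %s", path, code, output.strip())
    return Verdict(False, PUBLIC_REJECT, None)


if __name__ == "__main__" and len(sys.argv) == 2:
    logging.basicConfig(level=logging.INFO)
    print(check_upload(sys.argv[1]).public_message)
```
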


Re: [clamav-users] How can I have clamd reject items that can't be scanned?

2011-11-09 Thread Simon Hobson

Per Jessen wrote:


  It's not about not being able to scan, it's about not wanting to

 scan. Regardless, clamav doesn't reject or approve mails, that's for
 your MTA to do.


 If you use ClamAV as milter, it's up to ClamAV to tell the MTA what to
 do so I guess there's a task for ClamAV too..


Well,  I guess it depends on your point of view. Personally I see the
MTA doing the rejection, possibly based on information from elsewhere
(DNS, blacklists, clamav, wherever).


This is a rather pointless argument about semantics which doesn't 
answer the original question. I'll rephrase it for the pedants :


I see that there are ways to limit the level of archive that will be 
scanned as well as the size of the entities to be scanned.  Is there 
a way for CLAMAV to then flag them as not allowed?


Oh, I see it works without modification. Is it possible for ClamAV to 
flag that the message should be rejected if it can't be scanned - 
seems a reasonable question to me. The OP didn't say is it possible 
for ClamAV to reject the message, they rather correctly asked about 
flagging it for rejection.


--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.


Re: [clamav-users] How can I have clamd reject items that can't be scanned?

2011-11-09 Thread Simon Hobson

Per Jessen wrote:


The OP started by saying there are ways to limit the level of archive
that will be scanned as well as the size of the entities to be
scanned, which are performance optimizing options one can use if
desired. To which I commented that it's not about a message that can't
be scanned, but whether your limits allow it to be scanned.  Remove the
limits, and everything is scanned (presumably only limited by hardware
resources).


Well of course there have to be limits somewhere, and I recall one 
issue is malevolent attachments designed specifically to crash 
extractors.
A second issue I recall from the past is the sending of password 
protected archives - the scanner is unable to check it, but of course 
a user taken in by the message may well open it. So that's a separate 
consideration - whether to allow password protected archives or to 
reject them.



Nonetheless, it is actually an interesting question - should/does clamav
return not-scanned-due-to-user-restriction in such cases?


I guess that's the key question, and is it possible to set the 
reported result to reject in that case ?

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.


Re: [clamav-users] Clamav 0.97.0 to 0.97.1 on squeeze(Debian 6.0)

2011-06-22 Thread Simon Hobson
OLCESE, Marcelo Oscar. wrote:

> Query, why is not available in the repositories squeeze 0.97.1 version?
> Nor are the volatile repositories.

Simple - because it hasn't made it yet. It has made it into Unstable (Sid), and 
in time it will work its way through.
http://packages.debian.org/search?keywords=clamav&searchon=names&suite=all&section=all

The way things work is :
The main program gets updated - known as the upstream package from the 
perspective of a distribution.
The maintainer of the packaged version for the distribution spots that it's 
been updated.
He'll pull down the new version, apply any changes to distributionise it, and 
build a package for the distribution.
This distribution specific package then goes through a testing process before 
being released through the distribution specific mechanisms.


In the case of Debian, this means that one of several package maintainers 
(there are three individuals, plus ClamAV Team listed) has observed the new 
upstream version.
It's been debianised, and put into Sid.
At some point, when it's been decided that it's stable etc, it will migrate to 
testing, volatile and backports as appropriate.
Eventually, when the next Debian release happens, it will migrate to stable.


Many of these steps will be automated, but still need checking. For example, 
part of Debianising a package involves moving components from wherever the 
upstream package normally puts them to the locations used by Debian, and 
creating distribution specific files (such as the startup/shutdown script for 
/etc/init.d).
While this would be done with automated scripts and patch files, each time the 
upstream version changes, these need to be checked to see that they still work 
correctly - and of course, the scripts/patches updated if something has changed.

There may of course be distribution specific bugs/issues to be dealt with, and 
some of those may well involve creating a fix to be passed up to the upstream 
package maintainers.


The price you pay for using a distribution rather than doing it yourself is 
that you get a delay between the upstream package getting updated and your 
distribution reflecting that. The upside is that others have done a **LOT** of 
work so that you don't have to.
You have a choice - either wait, try installing the package from Sid, or 
download the upstream package and install it manually. All of these have their 
pros and cons - you would have to work out which is best for you.

I hope this gives you some idea of the process involved, and why there is 
inevitably a delay before an update appears when you apt-get update && apt-get 
upgrade.
-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.


Re: [clamav-users] daily database broken again

2011-03-01 Thread Simon Hobson

Nathan Gibbs wrote:


  I am not aware of the team issuing a new major version number that they
  then break in a few months with a new major version update.

0.95.x was the latest version less than a year ago.  To me, it seems a little
soon to EOL it.





  At some point the end user has to accept his/her responsibility for keeping

 their machines properly updated. I am not talking about every day, but at
 least every few months,


Agreed.


 six at most,


That is a good way to do it.
That is also your policy/opinion.
It may not work for someone else.


 a user should inventory their system and take appropriate maintenance. To
 expect others to waste valuable time in developing a product and keeping it
  fully compatible with older versions is ludicrous.



Agreed.
Supporting 0.94.x or earlier now would be a waste of resources.

I did feel bad for the 0.94x and 0.93x users who got caught in last year's flag
day, but it was a flag day what are you gonna do.
Those running 0.92x or older, IMNSHO were just plain stupid and got what they
deserved.
But I do realize that it is just my not so humble opinion, and they just might
have had good reasons for running software that old.


 If you blame others for your failures, do you credit them with your
 success?



That's an unsafe question to answer.
No matter how it's answered, you shoot yourself in the foot.

It's like  Have you quit beating your wife?
Yes - You were beating her.
No - You are beating her.

The failures are usually all mine.
The successes usually involve other people.

And attribution is always the right way.
Open Source wouldn't work otherwise.
:-)


Thanks Nathan for articulating what I suspect quite a lot of us think.

I too am grateful to the ClamAV team - but I also sometimes think 
their attitude to users lacks sensitivity at times.


--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.


Re: [Clamav-users] block attachment with certain file endings (also in archives)

2010-09-28 Thread Simon Hobson

Erwan David wrote:


  gmail blocks attachments with certain file endings (also if the files

 are in certain archives):

 http://mail.google.com/support/bin/answer.py?answer=6590

 I am using clamav-milter with postfix. Is it possible to implement this
 policy through custom clamav signatures? From the signatures pdf I was

  not able to figure it out so far.




amavis may do this (and call clamd for handling viruses)


Yes, Amavis will do it. IIRC it defaults to blocking a small number 
of extensions (such as .exe and .scr). It also unpacks archives (zip, 
tar, etc) to check the contents.


My knowledge isn't enough to say (without searching) where it's 
configured - but I do recall there is a Perl array with a list of 
extensions to block.


--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.


Re: [Clamav-users] Tiered freshclam updates on port443

2010-05-20 Thread Simon Hobson

Shawn Bakhtiar wrote:

I still say having firewalls from higher security zones to lower 
ones, does not make sense. Security is only valid when it is 
INBOUND. Outbound security is no security at all, just a pain for 
your users.


I used to think like that, but now I'd respectfully disagree.

It's not an answer in its own right, but used intelligently it 
provides another layer of protection. OK, if your server gets 
compromised then it doesn't protect the server, but it does restrict 
the damage it can do.


For example, if you don't require to access external FTP servers, 
then don't allow outbound FTP connections. Should your server get 
compromised and the  use it to try and brute-force attack other 
FTP servers, instead of using up your bandwidth and causing a 
headache for the targets, the connections fail. On the other hand, if 
the basic software installed by the hack is unable to contact its 
command centre for instructions (or to install additional software), 
then it's going to be useless to the attacker.


In a similar vein, I ALWAYS configure my routers etc to only allow 
outbound SMTP connections that are actually required. In the general 
case, end user machines should not be sending mail other than through 
specific servers - and if they are trying to send mail elsewhere then 
most likely it's spam from an infected machine. If a user has a 
genuine reason for sending mail, then the Submission port (which I do 
allow) is the way to do it. Again, it's not protecting your systems 
which are already compromised, but it's limiting the damage that then 
follows - damage in bandwidth costs, and reputational damage from 
getting blacklisted.


Just two examples that came to mind for no particular reason - and if 
you believe that you'll believe anything !


Yes it needs more work to set up, and figure out what connections you 
require - but IMO it's worth it in many cases. As you say, there are 
cases where it's not appropriate, and you need to judge each case on 
its merits in an intelligent way. Strike a reasonable balance 
between protection, being a good netizen, and allowing users to do 
their jobs.



Having said all that, in this case, I'm inclined to agree that the 
requested functionality isn't really a generally useful thing to be 
doing.


--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] Some doubts about Clamav upgrade

2010-05-05 Thread Simon Hobson

Freddie Cash wrote:

>> Does it first uninstall the existing version?
>
> If it was installed as a .deb package (via dpkg, apt, aptitude, whatever),
> then yes.


"dpkg -l | grep clam" will show if it was installed as a deb package 
- it should show clamav and freshclam as installed. If it lists 
nothing then they may have been installed manually and the OP will 
have to figure out how and where they are installed - ideally 
removing them before installing the new deb packages.


It may be useful to know which Debian version the OP is using - since 
if it's Lenny he wouldn't have 0.93 installed, and if it's older then 
there isn't an up to date version in the repositories.


If it's Sarge, then Gianluigi Tiesi posted this back on 16th April, 
it worked for me on one of my systems :


  Temporary fix for debian sarge, I suggest anyway to upgrade your 
distribution:

 
  download packages from:
  http://falco.netfarm.it/clamav/clamav-sarge/
 
  then
 
  /etc/init.d/clamav-daemon stop
  /etc/init.d/clamav-freshclam stop
 
  apt-get remove libclamav3
 
  rm -fr /var/lib/clamav/*
  rm -f /var/log/clamav/*
 
  dpkg -i *.deb
  (you can skip docs and testfiles)
 
  apt-get -f install
  if some deps is broken
 

ah forgot, then
dpkg --purge libclamav3



--
Simon Hobson



Re: [Clamav-users] Some doubts about Clamav upgrade

2010-05-05 Thread Simon Hobson

Wagner Pereira wrote:

> 1. My Debian is an Etch 4.0
> 2. My sources.list file has
> deb http://volatile.debian.org/debian-volatile etch/volatile main contrib non-free
>
> 3. That's my dpkg -l | grep clam output
> ii  clamav            0.93~dfsg-volatile1              anti-virus utility for Unix - command-line i
> ii  clamav-base       0.95.3+dfsg-1~volatile1~etch2    anti-virus utility for Unix - base package
> ii  clamav-daemon     0.93~dfsg-volatile1              anti-virus utility for Unix - scanner daemon
> ii  clamav-freshclam  0.93~dfsg-volatile1              anti-virus utility for Unix - virus database
> ii  libclamav4        0.93~dfsg-volatile1              anti-virus utility for Unix - library
>
> What should I do to upgrade my Clamav? Do I need to backup something 
> from Clamav before?


OK, according to 
http://packages.debian.org/search?keywords=clamav&searchon=names&suite=all&section=all, 
etch-volatile has 0.95.3 for i386. So you should be able to upgrade 
with :


apt-get update && apt-get upgrade

this will upgrade everything on your box to the latest versions.

Alternatively, you can "apt-get update" to update your local package 
indexes, and then "apt-get install clamav freshclam" to upgrade just 
those two packages and anything that needs updating to meet 
dependencies. "apt-get --no-install-recommends install clamav 
freshclam" will limit upgrades to only those that are required.


As with any upgrades, it's always worth having a full backup and a 
means of reverting back if something goes wrong.


--
Simon Hobson



Re: [Clamav-users] No debian woody support anymore?

2010-05-03 Thread Simon Hobson

Dennis Peterson wrote:

>> What they did was a bad call. They wilfully let freshclam download an
>> update which they knew would crash the clamd service.
>
> This was going to happen anyway when the signatures grew to take 
> advantage of the new format. Older versions of clamd were going to 
> die sooner or later. It was inevitable this would happen.


The rest only makes sense IF that statement is true. It's already 
been pointed out that it was not inevitable, and had the team cared 
then there were ways of not making old versions die.
More than one technique has been mentioned, and at least one of them 
would have been viable.


The rest of your response rather reinforces Mark's point.

--
Simon Hobson



Re: [Clamav-users] No debian woody support anymore?

2010-05-03 Thread Simon Hobson

Jim Preston wrote:

>> The rest only makes sense IF that statement is true. It's already 
>> been pointed out that it was not inevitable, and had the team cared 
>> then there were ways of not making old versions die.
>> More than one technique has been mentioned, and at least one of 
>> them would have been viable.
>>
>> The rest of your response rather reinforces Mark's point.
>
> Simon, Mark,
> Are you ever going to get over it and move on? If you are unhappy 
> with ClamAV's decision take your bat and ball and go to some other 
> ball park.


I am over it, and I have moved on. However, as long as people keep 
making untrue statements ...


It was the only way
and
it was inevitable
and
ClamAV **was** going to break sooner or later

are all untrue statements.

On the other hand
It was the only way **that the ClamAv team were prepared to act**
and
it was inevitable **given the choices made**
and
ClamAV **was** going to break sooner or later **given the decision 
to make it do so**


are all true statements.


--
Simon Hobson



Re: [Clamav-users] Resources for integrating with spamassassin+amavisd

2010-05-03 Thread Simon Hobson

Chris Meadors wrote:

> Rsync treats all files as binary.  When finding changes it splits a file
> into blocks, computes a checksum for each block and performs a
> comparison between the sending and receiving side.  Then it only sends
> the blocks which have changed.
>
> When dealing with a text file which has been appended to, like a log,
> all the initial blocks are the same.  But if the file is sorted, it's
> possible only a few additional lines will disrupt most every block by
> changing the start offsets throughout the entire file.


It's actually more efficient than that !
It uses something similar to a rolling checksum to find throughout 
the file. So in principle, you can add a short bit to the front of a 
large file, or even chop a file up into chunks and rearrange them, 
and it will still only transfer the changes.


Andrew Tridgell's research paper is available at 
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.123.1530&rep=rep1&type=pdf

rsync is covered from section 3 onwards.


--
Simon Hobson
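
The rolling-checksum matching discussed in the message above, as an added example that is not part of the original post and is not rsync's own code. It follows the weak checksum from Tridgell's paper; the block size, the constructed test data and the use of SHA-256 as the strong checksum are assumptions of this sketch.

```python
import hashlib

M = 1 << 16  # modulus of the weak checksum


def weak_sum(block):
    """Weak checksum of a block as the pair (a, b) from Tridgell's scheme."""
    n = len(block)
    a = sum(block) % M
    b = sum((n - i) * x for i, x in enumerate(block)) % M
    return a, b


def roll(a, b, out_byte, in_byte, n):
    """Slide an n-byte window one byte to the right in O(1)."""
    a = (a - out_byte + in_byte) % M
    b = (b - n * out_byte + a) % M
    return a, b


def strong_sum(block):
    # Assumption: SHA-256 stands in for rsync's strong checksum here.
    return hashlib.sha256(block).digest()


def signatures(old, n):
    """Receiver side: index every full n-byte block of the old file."""
    table = {}
    for idx in range(len(old) // n):
        block = old[idx * n:(idx + 1) * n]
        table.setdefault(weak_sum(block), []).append((strong_sum(block), idx))
    return table


def delta(new, table, n):
    """Sender side: look for known blocks at every byte offset of `new`."""
    ops, literal = [], bytearray()
    i, state = 0, None
    while i + n <= len(new):
        if state is None:
            state = weak_sum(new[i:i + n])
        match = None
        candidates = table.get(state)
        if candidates:  # weak hit: confirm with the strong checksum
            strong = strong_sum(new[i:i + n])
            match = next((idx for s, idx in candidates if s == strong), None)
        if match is not None:
            if literal:
                ops.append(("literal", bytes(literal)))
                literal = bytearray()
            ops.append(("copy", match))
            i += n
            state = None
        else:
            literal.append(new[i])
            if i + n < len(new):
                state = roll(*state, new[i], new[i + n], n)
            i += 1
    literal.extend(new[i:])
    if literal:
        ops.append(("literal", bytes(literal)))
    return ops


def patch(old, ops, n):
    """Receiver side: rebuild the new file from its own blocks plus literals."""
    out = bytearray()
    for kind, arg in ops:
        out += old[arg * n:(arg + 1) * n] if kind == "copy" else arg
    return bytes(out)


def literal_bytes(ops):
    """Number of bytes that actually had to be transferred as data."""
    return sum(len(arg) for kind, arg in ops if kind == "literal")


def fixed_offset_matches(old, new, n):
    """Blocks identical at the same offset (what a non-rolling compare finds)."""
    limit = min(len(old), len(new)) - n + 1
    return sum(old[k:k + n] == new[k:k + n] for k in range(0, limit, n))


# Constructed sample data: 2048 non-repeating bytes, 64-byte blocks.
BLOCK = 64
OLD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
PREPENDED = b"HDR:" + OLD            # short bit added to the front
REARRANGED = OLD[1024:] + OLD[:1024]  # file chopped in two and swapped

if __name__ == "__main__":
    table = signatures(OLD, BLOCK)
    for name, new in (("prepended", PREPENDED), ("rearranged", REARRANGED)):
        ops = delta(new, table, BLOCK)
        assert patch(OLD, ops, BLOCK) == new
        print(name, "literal bytes:", literal_bytes(ops),
              "fixed-offset matches:", fixed_offset_matches(OLD, new, BLOCK))
```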



Re: [Clamav-users] Resources for integrating with spamassassin+amavisd

2010-04-28 Thread Simon Hobson

Bill Landry wrote:

> Why, are you blocking outbound rsync traffic?  If so, after 3 years 
> of maintaining this script and many thousands of users, this is the 
> first time I've heard this request.


Some of us do this by default - set an outbound policy of block and 
allow specific traffic that's allowed. It means that should a machine 
get compromised despite all other precautions, it can't* then be used 
to launch an attack on others (or other servers in your own network) 
and/or is unable to communicate with its control centre. Just 
another layer of security.


* Yes the attacker (assuming they got root equivalent access) can 
clear iptables - but that means they have to be proactive and risk 
making themselves more visible, not to mention they risk their remote 
install breaking networking (and also making their presence visible).


But then what would I know about administering servers :-/

--
Simon Hobson
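
The default-deny outbound policy described in this message, and in the FTP and SMTP message further up this page, as an added example that is not part of the original posts. It models such a rule set in Python and runs it over constructed netfilter-style LOG lines to show which flows are dropped and which internal hosts keep attempting direct outbound SMTP; the addresses, rule list and threshold are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumed addressing (constructed): one internal relay is the only host
# permitted to open outbound SMTP (tcp/25) connections.
MAIL_RELAYS = {ipaddress.ip_address("10.0.0.25")}

# Default-deny egress: a flow passes only if a rule here matches it.
# (protocol, destination port, permitted sources or None for any internal host)
ALLOW_RULES = [
    ("tcp", 25, MAIL_RELAYS),  # SMTP, mail relay only
    ("tcp", 587, None),        # Submission, open to users
    ("udp", 53, None),         # DNS
    ("tcp", 80, None),         # HTTP
    ("tcp", 443, None),        # HTTPS
]
# There is deliberately no rule for FTP (tcp/21): it hits the default deny.

LOG_FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_log_line(line):
    """Return (src, dst, proto, dport) from a LOG line, or None when a field
    is missing (for example ICMP, which has no destination port)."""
    fields = dict(LOG_FIELD.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"} <= fields.keys():
        return None
    return (ipaddress.ip_address(fields["SRC"]),
            ipaddress.ip_address(fields["DST"]),
            fields["PROTO"].lower(),
            int(fields["DPT"]))


def egress_verdict(src, proto, dport):
    """Apply the allow list; anything unmatched is dropped."""
    for rule_proto, rule_port, sources in ALLOW_RULES:
        if proto == rule_proto and dport == rule_port:
            if sources is None or src in sources:
                return "ALLOW"
    return "DROP"


def blocked_smtp_sources(lines, threshold=3):
    """Internal hosts with at least `threshold` dropped tcp/25 attempts,
    i.e. machines trying to send mail other than through the relay."""
    hits = Counter()
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        src, _dst, proto, dport = parsed
        if proto == "tcp" and dport == 25 and egress_verdict(src, proto, dport) == "DROP":
            hits[str(src)] += 1
    return {host: n for host, n in hits.items() if n >= threshold}


# Constructed log lines in the style of the netfilter LOG target.
SAMPLE_LOG = [
    "EGRESS IN= OUT=eth0 SRC=10.0.0.25 DST=198.51.100.10 PROTO=TCP SPT=40112 DPT=25",
    "EGRESS IN= OUT=eth0 SRC=10.0.0.51 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=587",
    "EGRESS IN= OUT=eth0 SRC=10.0.0.51 DST=198.51.100.10 PROTO=TCP SPT=51002 DPT=25",
    "EGRESS IN= OUT=eth0 SRC=10.0.0.77 DST=203.0.113.5 PROTO=TCP SPT=49152 DPT=25",
    "EGRESS IN= OUT=eth0 SRC=10.0.0.77 DST=203.0.113.6 PROTO=TCP SPT=49153 DPT=25",
    "EGRESS IN= OUT=eth0 SRC=10.0.0.77 DST=203.0.113.7 PROTO=TCP SPT=49154 DPT=25",
    "EGRESS IN= OUT=eth0 SRC=10.0.0.60 DST=203.0.113.80 PROTO=TCP SPT=50500 DPT=21",
    "EGRESS IN= OUT=eth0 SRC=10.0.0.60 DST=203.0.113.80 PROTO=ICMP TYPE=8 CODE=0",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        parsed = parse_log_line(line)
        if parsed:
            src, dst, proto, dport = parsed
            print(src, "->", dst, proto, dport, egress_verdict(src, proto, dport))
    print("hosts to investigate:", blocked_smtp_sources(SAMPLE_LOG))
```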



Re: [Clamav-users] Yet more clubbing of deceased equine.

2010-04-25 Thread Simon Hobson

Sarocet wrote:

> The new hostname updates would still have needed the kill signature.
> Otherwise, you have the same problem as before, but with a different
> hostname.


Someone wasn't reading. The scheme was to remove the original 
hostname BEFORE using any updates that would kill the software. At 
that point, older versions would just stop updating and wouldn't 
break.


Now it's been pointed out that there are a sizeable number of third 
parties providing mirrors, I now agree that this would not have been 
reasonably practical. It may have still worked with different 
filenames, with the added bonus of being able to examine logs and 
work out the scale of the problem - ie how many installations were 
still accessing the old names vs the new names.


--
Simon Hobson



Re: [Clamav-users] No debian woody support anymore?

2010-04-24 Thread Simon Hobson

Daniel McDonald wrote:

>> I'm a little confused by this (still), is it not true that simply
>> turning off freshclam will allow clamav to continue working indefinitely
>> on the existing signature set?
>
> No, you need to turn off freshclam *and* delete one signature, or grab an
> older copy of the signature file.


You missed a few steps :
- Find out what has happened to your software that was working fine yesterday.
- Work out what to do RIGHT NOW because your phone is ringing with 
people asking where their mail is*
- Put in place a quick workaround (disable scanning) to allow the 
mail queues to get flowing
- Work out what options are available for dealing with it medium term
- Work out where the sig files are stored
- and then disable freshclam and put yesterday's sig files back
- work out what to do to get onto newer version


* Yes, we've already heard the arguments that mail shouldn't stop 
when ClamAV does - even though that is logically inconsistent with 
the argument that old versions couldn't be allowed to continue 
without updates.


--
Simon Hobson



Re: [Clamav-users] Yet more clubbing of deceased equine.

2010-04-24 Thread Simon Hobson

Chris Knight wrote:

>>> 1) Release a new version that pulls updates from a new hostname.
>>> 2) Wait a couple of weeks, or even six months
>>> 3) Shut down old servers,
>>
>> 4. Orphan *all* previous versions, including the still heavily used, and
>> valid, 0.95s which were released before the hostname change, not just the
>> buggy 0.94 and older.
>
> What?  Somebody was running .95 and not the absolute latest?  Why
> would anyone do that?  I am in absolute shock. Shock and horror and
> sarcasm.  Yes, lots of sarcasm.


Forget it, it's been covered, and you'll never persuade this group of 
people that a) there was any alternative, or b) that there was 
anything ethically or legally wrong with the course of action they 
did take. Also, when I suggested this, it was in some way interpreted 
that I meant running two different upgrade servers/processes in 
parallel.


There is one thing though, under step 3, it should have read remove 
old DNS entries


As for orphaning 0.95 versions, let's take a look. According to an 
earlier post, the bug report was filed in Feb last year. 0.95 was 
released in March last year, and 0.95.2 in June last year.


Had they added another hostname to the DNS prior to the 0.95 release, 
then not a single 0.95 release would have been affected. Had they 
done it in June then only two versions, both more than 6 months old 
would have been affected. It could have gone into 0.95.3 which was 
released after the EOL announcement - and it would still have only 
affected versions older than 6 months.

All this has been pointed out, and rubbished already.

Of course, they could have taken the precaution of adding new DNS 
entries, and then not used them if they decided to take a different 
course of action (such as issuing a poison pill ...


If anyone was running an old enough 0.95 version, then their software 
wouldn't have died, they would have seen update errors in their logs, 
and the fix would have been to change just one or two hostnames in 
their freshclam.conf. As you point out, according to the ClamAV 
supporters, they would have been idiots for using such old software, 
and it would have been their fault - so why would the ClamAV team be 
worried about that when they are happy to make other versions 
actually stop running.*


The other 'reason' not to do that is an argument of why should the 
ClamAV team go to the effort and expense of changing the DNS ?, and 
my suggestion that it would have cost next to nothing in both cash 
and effort terms has been completely dismissed. The only argument put 
forward being you don't know what it costs to change a DNS entry - 
well actually I have a pretty good idea of the cost base for a number 
of common scenarios.


* Oh yes, and some people are still clinging to an argument that the 
ClamAV team did not stop any software from working. It's the sort of 
argument that someone would use to claim he didn't poison his 
neighbour's dog : he didn't give any poison to the dog, the dog took 
it when he put it in a piece of meat and left it where the owner 
takes the dog for a walk - so the dog took it, he didn't give it to 
the dog. It's linguistic/logics gymnastics to try and get around the 
fact that they misused the victim's actions to cause harm rather than 
going and directly causing that harm first hand - the motive and end 
results were identical, only the means differs.
Actions designed to cause harm to a computer system, and a criminal 
offence in the UK.



--
Simon Hobson



Re: [Clamav-users] No debian woody support anymore?

2010-04-24 Thread Simon Hobson

Robert Wyatt wrote:

>> You missed a few steps :
>> - Find out what has happened to your software that was working fine
>> yesterday.
>> - Work out what to do RIGHT NOW because your phone is ringing with
>> people asking where their mail is*
>> - Put in place a quick workaround (disable scanning) to allow the mail
>> queues to get flowing
>> - Work out what options are available for dealing with it medium term
>> - Work out where the sig files are stored
>> - and then disable freshclam and put yesterday's sig files back
>> - work out what to do to get onto newer version
>>
>> * Yes, we've already heard the arguments that mail shouldn't stop when
>> ClamAV does - even though that is logically inconsistent with the
>> argument that old versions couldn't be allowed to continue without updates.
>
> I was talking about turning off freshclam anytime in the last two 
> years, not the day after your system broke. Again, you're behaving 
> as though you had no way of knowing when that is not true.


That assumes one knows in advance that one has to do that - which 
we've already determined was not the case for quite a few people. 
Most people could have upgraded if they knew in advance it was going 
to be forced - but other than that, why would someone turn off 
updates that are working ?


--
Simon Hobson



Re: [Clamav-users] Yet more clubbing of deceased equine.

2010-04-24 Thread Simon Hobson

Stephen Gran wrote:

>> 1) Release a new version that pulls updates from a new hostname.
>
> You mean, deploy a parallel infrastructure of vhosting, monitoring,
> pushing updates, etc?  When most of the mirrors are on third party
> servers not under the control of the clamav team?  Do you really think
> that's trivial, or were you just making up a solution without knowing
> anything about the problem?


There is no parallel infrastructure - though I accept the point about 
mirrors not being under the ClamAV team's control. Presumably they 
aren't going to claim they have no knowledge of who runs mirrors ?


How about this for yet another option that could have been done at 
the 0.95 release :

Just check for slightly different file names on the same servers.

Before you shout me down about maintaining two sets of sigs etc, I do 
not mean that - you just hard link another file name to the original. 
IFF (and yes, I don't know how the mirrors are updating) the mirrors 
use something like rsync which will deal with hardlinked files, then 
there's no extra bandwidth for updating the mirrors.


When you're ready to cut 0.94 and earlier loose, just stop providing 
the files it looks for.



--
Simon Hobson



Re: [Clamav-users] Yet more clubbing of deceased equine.

2010-04-24 Thread Simon Hobson

Stephen Gran wrote:

> Sigh.  I guess you didn't bother to read the part about third party
> servers not under the control of the clamav team.  This means updating
> the actual edge servers is not trivial.  The 'parallel infrastructure'
> wasn't referring to deploying new hardware, it was referring to getting
> all the same monitoring, syncing, deploying, serving, etc working with the
> new name.  This is fine, although slightly non-trivial given the number
> of machines, even when you are the sole admins.  When you're relying on
> third parties donating bandwidth and space on 100s of shared servers,
> it's less approachable.
>
> But anyway, I think this is end of thread for me.  If you really think
> that the clamav team's time is best spent chasing up hundreds of local
> admins to make changes to their rsync/webserver/etc vhost configs,
> then deploying and testing all the changes necessary to make this work,
> instead of working on clamav just to save a few admins a small amount
> of work that they should have been doing anyway, you're welcome to your
> opinion, and I won't bother you with mine any more.  I just disagree.


Actually, I will thank you for actually putting forward a reasoned 
argument rather than just can't be done. Now the external factors 
have been pointed out, that is somewhat harder than it first 
appears. See, contrary to what some people may be thinking, I can be 
persuaded by **reasoned** debate.


--
Simon Hobson



Re: [Clamav-users] No debian woody support anymore?

2010-04-23 Thread Simon Hobson

Thomas Hochstein wrote:

>> OK, how's this then. 9.5.3 (IIRC) came out about the time the notice
>> was published. It costs virtually nothing to add an extra DNS entry,
>> and the release could have had the default server URL changed for
>> Freshclam to fetch updates. It wouldn't even have been a great issue
>> to have a 9.5.4 just for that - and of course the change would be
>> quite prominent in the release notes then as well.
>
> Why didn't you suggest that beforehand?


Because, as has been made quite clear beforehand, I did not know this 
was happening - and I'm far from alone in that. If I had been aware 
at the right time* then I would have suggested it.


* Note that right time does NOT mean spotting the EOL announcement 
when it was made. That was too late as the decisions had already been 
made then.



> Why didn't you just DO that if you consider it necessary as it costs
> virtually nothing, neither time nor money?


Eh ? Are you suggesting that I have the ability to go back in time 
and make changes to someone else's DNS and code ?


As for costs virtually nothing, yes I believe that is a good 
description of what it would have cost - and don't forget that 
deciding to EOL and forcibly block older versions was not without 
cost. Unless the project has some strange ways to make things tedious 
and difficult to change, then it would probably have cost less in 
time than the discussions (if there were any) on the ethics of 
issuing a kill signal to older software.


But it's a moot point - the team didn't do that, we are where we are, 
and a lot of people are unhappy for various reasons.


--
Simon Hobson



Re: [Clamav-users] No debian woody support anymore?

2010-04-23 Thread Simon Hobson

Rob Sterenborg wrote:

>> Message of freshclam did not specify that older versions would stop.
>> It was the same message as for minor upgrades. This did not give the
>> information that something different than usual was planned.
>
> It still means you should upgrade and the message was ignored long 
> enough that ClamAV stopped working. The fact that there is no 
> *immediate* need to upgrade when the message is first seen, does not 
> mean you can wait that long.
>
> The OP use(s|d) an EOL Debian and an EOL ClamAV. If the OP upgrades 
> ClamAV to a more recent version then he's back in business, even 
> with an EOL Debian.


And ... it proves your argument that there was a warning message so 
it's entirely the user's fault is completely bogus. Guess what, with 
a fully up to date installation, with ALL updates installed, 
freshclam still reports THE SAME WARNING.


So does that mean we should expect our fully up to date installation 
to just stop working ? And when, tomorrow, next week, next month, 
... ? Do we have to start checking the ClamAv website to see if 9.5 
is going to be EOL'd and remotely killed before 9.6 gets into Debian 
? Note that just updating a fresh install isn't sufficient to give a 
working system - a fresh Debian install, with all updates installed, 
does not have a working ClamAV on it. Users need to add Volatile for 
that to work.


Yes, it would be an idea to keep a bit more current, but that 
**SHOULD** be the decision of whoever is responsible for the box 
having balanced all the factors that affect his (or her) operations. 
It may not be the case for this particular package, but there are 
often other things that prevent upgrades - I've got several systems 
running various old versions of various OS's for the simple reason 
that I've got various items of hardware that have no support in 
current versions.


I have a system still running DOS 3.something - it's part of a system 
that no longer has any vendor support but which still does the job I 
require it to do. I have a VM running Windows 98 because I have some 
software I need to run on it. I have a pile of CD's here that are 
unreadable in Vista or Win7 - so to access the manuals on them I must 
run an outdated system. I have an old laptop with Mac OS 10.4 because 
my scanner software won't run on 10.5 or 10.6 and the vendor has 
dropped support. And I've got boxes here (still doing useful jobs) 
for which 10.5 is not a supported OS.


And those are only the 'hard' limits - ie stuff that *cannot* be 
upgraded. There are 'soft' reasons too - such as balancing the risk 
of upgrading vs the risk of not upgrading. I have one system where I 
know 100% that applying all updates *will* break it - so I have to 
hold back certain packages until one or other of the incompatible 
bits gets fixed.


Applying the logic used with some venom here, every one of those 
systems should have been upgraded and/or scrapped - never mind 
whether they would still be capable of doing the job they are there 
for.



Again, not aiming this at you specifically, but at all those who have 
been advocating with religious zeal that there should be, and cannot 
be, any other policy that all updates applied all the time as soon 
as they come out - or something very close to that. And then I note 
that one of those busy telling people they are complete idiots and 
unfit to be running a toaster (OK, slight exaggeration for dramatic 
effect) for running anything but the very latest versions ...


... earlier today admitted that he has a system to take through six - 
yes SIX - OS upgrades to bring it up to date. I can only assume he 
had his reasons, and that he balanced the risks (upgrade vs leave 
alone), and most importantly that if left for as long as it has ... 
he had some expectation that it wouldn't be artificially crippled by 
some outside influence before he got around to upgrading it.



--
Simon Hobson



Re: [Clamav-users] No debian woody support anymore?

2010-04-23 Thread Simon Hobson

Jerry wrote:

> By the way, I still also have an old 8086 with DOS 3? (I don't remember
> the version) that still works. I still use it on occasion to copy old
> 5.25 floppies to other media. Yes, some local government agencies have
> valuable documents archived in that format. However, I would never
> expect it run Win7, nor do I bitch to Microsoft about it either.


So, it still runs the software it used to run ? Yes
It's running software that is EOL ? Most definitely
And Microsoft have sent it a poison pill ? No they haven't

There's a difference between not providing any more updates and 
killing something off.


--
Simon Hobson



Re: [Clamav-users] Clubbing a deceased equine

2010-04-22 Thread Simon Hobson

Dennis Peterson wrote:

>> I believe that best practice with this sort of thing is to only issue
>> warnings and not to actually force a potentially harmful change without
>> *express* consent of the user.
>
> Suggest at least one way to inform all the users successfully that 
> obsolete software is going to die soon - and don't let it slip past 
> you in your solution that the ClamAV people have no way of knowing 
> who they need to inform. And recall too, this: Filling their logs 
> with warnings didn't work. Posting the notice on the front page of 
> their website didn't work. Running commentary in this list didn't 
> work. Announcing it in their Announcements list didn't work.
>
> You don't know a way, they don't know a way, and I know for a fact 
> it cannot be done


If you start with the pre-requisite that you must stop old versions 
working then you are correct. Remove that pre-requisite and you are 
not.


More than one suggestion has been made of how the team could have 
just moved on and left the old versions behind - without having to 
kill them. These suggestions have been rubbished for various (mostly 
false) reasons.


People keep saying it's the user/admin's fault, that the user/admin 
should take all the blame, and that the user/admin should suffer the 
consequences. Fair enough - how this for a really odd idea - why not 
just stop providing AV updates to the older versions, and let the 
users/admins take the responsibility and consequences if they 
continue to ignore the warnings that updates have stopped working. If 
they ignore things aren't working errors then I'd agree with you - 
let them deal with it. I don't agree with the argument that things 
are not optimal is a warning to upgrade before things go bang.


--
Simon Hobson



Re: [Clamav-users] (no subject)

2010-04-21 Thread Simon Hobson
 available to them - so there isn't 
even any defence of it being absolutely necessary for the public 
good.


--
Simon Hobson



Re: [Clamav-users] (no subject)

2010-04-21 Thread Simon Hobson

Christer Boräng wrote:

> In message 1271831753.5073.28.ca...@localhost, lists writes:
>
>> For instance, if I go to a shop and they give me a radio free. I take
>> that radio home and use it. If that shop then calls me up and says 'If
>> you don't change that radio, I'm going to break it' it is a case of
>> blackmail.
>
> A better analogy would be that the shop calls you up to say We're
> switching to digital, your analog radio will stop working in six
> months, and, in six months time, the radio no longer has anything to
> listen to...


Not a good analogy either.
If you want to use that one, it's more like a 
major broadcaster deciding to go digital - and 
then coming round to blow up your radio to stop 
you listening to the local station you actually 
want to listen to that is still on analogue.

--
Simon Hobson



Re: [Clamav-users] No debian woody support anymore?

2010-04-21 Thread Simon Hobson

h...@dip-systems.de wrote:

> After the last signature update, clam av stopped working on our woody
> installation.
>
> Is there no more support for this Debian Release?


No, according to certain people on this list, you are a cretin, and 
incompetent to even handle the off switch of a computer. If you check 
the list archives - particularly for threads "(no subject)" and "Those 
EOL tweets" you'll see that you are far from alone.


There seem to be three groups - those who think it was handled really 
badly and were affected, a small group who think it was handled badly 
but weren't affected, and a group that thinks there is nothing wrong 
and it's all the end user's fault - and especially that the ClamAV 
team did nothing wrong, deliberately interfering with other people's 
servers is both morally and legally acceptable as long as they 
pretended to tell you first, and there was no other possible way they 
could have acted.


Even now when their stance has been shown to be full of logical 
holes, they still persist that anyone disagreeing with their "we did 
nothing wrong" stance are a bunch of whining losers.


That's how it comes across to me anyway.

--
Simon Hobson



Re: [Clamav-users] Clubbing a deceased equine

2010-04-21 Thread Simon Hobson

Christopher X. Candreva wrote:


Oh come on. If I tell you you'll get wet if you go out in the rain
without an umbrella, is that blackmail ?


OK, so if I tell you that if you keep on going out without an 
umbrella, then I'll throw a bucket of acid over you ... then by your 
argument that's not blackmail, and by other arguments, it's perfectly 
OK because I warned you in advance. That wouldn't be assault, it 
wouldn't be a criminal act - it would be all your fault for ignoring 
the warning I gave.


And by the way, I won't tell you directly, I'll put a notice up in my 
front window that you may or may not walk past and may or may not see.



Old versions of Clam crashed on certain input. You were told when that input
was coming.

It's sounding like the Clam team would have been better off releasing a
too-large signature and going "Whoops, I guess old versions can't handle
this. You better upgrade, sorry !" By warning people and releasing a
known-bad signature with a message, somehow it's their fault now.


No, it's not all their fault. But they sure did handle it badly.


--
Simon Hobson



Re: [Clamav-users] (no subject)

2010-04-21 Thread Simon Hobson

Jerry wrote:


I had thought by now that this thread would have died a natural death.
Obviously, I was mistaken. It has continued to pollute this forum for
nearly a week.

What has become conspicuously apparent is that if those who are doing
the most complaining had spent even one percent of that time keeping
their systems up-to-date and keeping themselves abreast of current
development and deployment strategies with the software they employ,
this whole discussion would be academic.

In the interest of eliminating any further waste of my time or computer
resources, I am now instigating a kill filter on this thread.


That's right - if I can't bully everyone round to my way of thinking, 
then I'm taking my ball home. A very grown up attitude !


You (and I mean a small subset of people who are unconditionally 
supporting the action taken by the ClamAV team) have consistently 
used false logic, outright lies, personal insults, and arguments 
worthy of criminal defences to try and weasel out of any blame 
whatsoever for having misjudged things rather badly.


Put bluntly, if people had admitted early on that perhaps it could 
have been handled better, that perhaps they didn't consider all 
classes/types of user, and that it is perhaps not unreasonable that 
users could be a trifle annoyed ... then this **WOULD** have blown 
over ages ago.


It's not that you had to do something that people are complaining 
about, it's not that you ended support for updates to older versions 
that people are complaining about, it's the way you did it and the 
way you refuse to accept that there can be any other valid viewpoint 
that really p***es people off. You may, if you'd read the messages, 
have noted that even people who were not affected by this thought you 
got it wrong.


--
Simon Hobson



Re: [Clamav-users] Clubbing a deceased equine

2010-04-21 Thread Simon Hobson

At 12:12 -0400 21/4/10, Christopher X. Candreva wrote:


Knowingly disabling running software on computers that is not your own
is not acceptable.  It is immoral, unethical and perhaps illegal.


But that's not what happened.


Weird idea of "did not happen" - in what way does "we will push an 
update that has the sole purpose of making your software stop 
working" NOT constitute "Knowingly disabling running software" ?


- It is a simple fact - the team made the decision to push this update.
- It is a simple fact that the purpose of this update was to make 
running software break.

- It is a simple fact that this was a desired outcome of the update.
These are simple facts supported by their statement that they were 
going to do this, and what the expected outcome was going to be.


Given these simple facts, I really, really cannot understand the 
mindset that still claims that the ClamAV team did NOT knowingly 
disable software running on other people's machines.


Could someone please explain how on earth you can still claim that 
this didn't happen - and by what logic process you arrive at such a 
statement ?


The **ONLY** defence I can think of is that they assumed an implicit 
permission by virtue of the user running the update process to fetch 
signature updates. That's a very tenuous thing to infer when pushing 
an update that is so different in purpose to what would normally be 
fetched.


--
Simon Hobson



Re: [Clamav-users] (no subject)

2010-04-21 Thread Simon Hobson

Eric Rostetter wrote:

Put bluntly, if people had admitted early on that perhaps it could 
have been handled better, that perhaps they didn't consider all 
classes/types of user, and that it is perhaps not unreasonable that 
users could be a trifle annoyed ... then this **WOULD** have blown 
over ages ago.


I've admitted this often, from the beginning, and my posts are largely
ignored, or refuted, or I'm insulted/slandered/etc.  So, this isn't
a true statement.


If I've overlooked the one person who did admit that, then I 
apologise to you. There are plenty of people who have not, and it 
appears will never, make such an admission.



--
Simon Hobson



Re: [Clamav-users] illegal or not, make a valid argument (was no subject)

2010-04-21 Thread Simon Hobson
 the roses unless they 
were directly causing a threat to the property - and you cannot say 
that me running out of date (ie not updated) AV sigs was directly 
threatening the ClamAv project.


You also cannot claim that my downloading of updates constitutes an 
invite - it constitutes an invite to put AV sig updates on there 
for the purpose of detecting new threats. A poison pill update 
doesn't fit that description.


It is a free service they provide, not to you, but to anyone.  So they
owe you nothing.  You didn't sign any contract with them that they would
provide only valid signatures, or any at all.  You assume the risk in
using the feed.


As a point of law, a contract does not need a signature, nor does it 
even need anything in writing - all it needs is an offer and 
acceptance. In the absence of a definitive statement, the legal 
situation would be whatever the court could determine were the facts 
of the case. In that respect, "man freshclam" says : "freshclam is a 
virus database update tool for ClamAV". In any dispute therefore, 
unless there was something of equal prominence to contradict it, then 
it would be inferred that the purpose of the tool was to deliver AV 
signature updates - not a poison pill designed to stop the software 
working.


This goes beyond any clause designed to avoid liability for errors in 
the program. Yes, the clauses above would absolve you of liability 
for any reasonable errors, but it still would not absolve you of 
liability for deliberate malice.


I assume you will have similar laws over there, but over here, there 
are some rights you CANNOT sign away. The extent varies according to 
the situation (eg consumers have more rights than business). As a 
consumer, even if I sign a contract that a supplier is not liable for 
anything (such as the clauses quoted above), that agreement is 
totally worthless as the law says I cannot sign away those rights - 
and in court the clauses would be declared unlawful and 
unenforceable. Similarly, even if I said I didn't mind if you shot 
me, if you took me at my word, you would still find yourself in court 
- my permission might well be accepted as mitigating when it comes to 
the charge laid or the sentence, but it would not absolve you of a 
crime committed.



I'm just saying that the arguments are lame (calling it blackmail when
it isn't, saying they need permission from each and every user when they
don't, etc).  Come on folks, make your arguments at least reasonable!


I didn't make those suggestions BTW.



Christopher X. Candreva wrote:


Let me drive this home. In the state of New York, until recently if the
government wanted to use eminent domain to take your property, all they had
to do was take out an ad in the paper. They do not need to track down the
owner of the building or land, just take out an ad. If you don't read the
paper that day, the first you hear that your building was being knocked down
may be when the wrecking ball shows up.

This was only amended in 2004 after some particularly nasty battles.

http://ownerscounsel.blogspot.com/2009/06/port-chester-offers-apology-for-taking.html


Now that's a very interesting argument to throw in ! Are you now 
claiming that the ClamAV team are now part of government and are 
entitled to my server by Eminent Domain ? If you are, then poppycock, 
if not, then why bring it up. You even point out that the law has 
been changed on that. Over here we have Compulsory Purchase to cover 
situations where a government body needs to acquire property for a 
project - but they cannot just take it like that.


Yes, over here there are notifications for which public notice is 
sufficient action. If someone wants to build in the fields behind my 
house, then they only have to post notices about the planning 
application on the site - but they must post the notice AT THE SITE, 
not at the developer's home. They still cannot come and build on my 
land without my permission - even if they've got planning permission 
and misled the planning board into believing that they have the 
landowner's permission or own the land.


Note that building in the field will not stop me living in my house. 
It may affect my amenity value, but it won't stop me living there - 
in the same way that not providing AV updates will affect the amenity 
value of my server, but it won't stop me running it. On the other 
hand, knocking down my house would most certainly affect my ability 
to live there - and you cannot do that in this country without 
serving notice to the property and the registered owner (unless the 
latter cannot be found after reasonable efforts I believe).


As a complete aside, there have been cases (one was local-ish) where 
there's been a "mix up" (for want of a better polite expression) and 
a contractor has knocked the wrong house down. It usually results in 
serious compensation - and some rather negative PR for those 
responsible.


--
Simon Hobson


Re: [Clamav-users] No debian woody support anymore?

2010-04-21 Thread Simon Hobson

Eric Rostetter wrote:


Faced with an old release of software that will die if the team uses
new functionality due to a known bug, and people who will not upgrade
to the version that fixes this bug, and a reasonably urgent need to use
the new functionality, what exactly would you have done differently?


They have already answered this.  They would force sourcefire/clamav
to spend lots of time, money, and effort to set up a parallel signature
system; one for older versions, one for newer systems.  They seem to
have no qualm with the idea of making sourcefire/clamav pay this price
so they can use the results free of charge...


OK, how's this then. 9.5.3 (IIRC) came out about the time the notice 
was published. It costs virtually nothing to add an extra DNS entry, 
and the release could have had the default server URL changed for 
Freshclam to fetch updates. It wouldn't even have been a great issue 
to have a 9.5.4 just for that - and of course the change would be 
quite prominent in the release notes then as well.


According to the arguments made in support, all responsible/competent 
admins would have been running this or a later version by the time 
support for 9.5 was dropped. On that basis, no responsible/competent 
admin would have been affected by removing the DNS entry used by the 
older versions. Even if someone was still running a 9.5 version 
earlier than the one with the update, it would be one tiny change in 
freshclam.conf to fix it.


Of course, all this would have a prominent entry, not just on the 
ClamAV homepage, but also on the FAQ page whose URL appears in the 
freshclam logs.


Come cutoff date, support is dropped for older versions, but they 
will continue to run. It will not be silent, as freshclam will 
complain several times a day that it can't get updates. This is a lot 
different to mentioning in passing that your version isn't current 
and you might consider upgrading.


So probably even less work than fashioning the poison pill update. 
Less collateral damage. And these threads would have died several 
days ago with an "oh, so that's it !"


No parallel signature system at all, in fact no changes at all other 
than a slight change to a DNS entry.



But I can see how this would be rejected by those who appear to have a 
religious attitude to there being only one true way to run a server.




The biggest problem with this suggestion is that it came after the fact,
so it isn't a useful suggestion.  No one bothered to offer this advice
before the change was made.


Well, if I'd known, I could have suggested the above ! And I probably 
would have, even if I'd not been running affected software. If any 
project I *am* involved with suggested such a thing then I would 
speak up on that.


--
Simon Hobson



Re: [Clamav-users] No debian woody support anymore?

2010-04-21 Thread Simon Hobson

h...@dip-systems.de wrote:

After the last signature update, clam av stopped working on our woody
installation.



Is there no more support for this Debian Release?


But Gianluigi Tiesi did post this a few days ago - dunno if it will 
work for Woody though.


  Temporary fix for debian sarge, I suggest anyway to upgrade your 
distribution:

 
  download packages from:
  http://falco.netfarm.it/clamav/clamav-sarge/
 
  then
 
  /etc/init.d/clamav-daemon stop
  /etc/init.d/clamav-freshclam stop
 
  apt-get remove libclamav3
 
  rm -fr /var/lib/clamav/*
  rm -f /var/log/clamav/*
 
  dpkg -i *.deb
  (you can skip docs and testfiles)
 
  apt-get -f install
  if some deps is broken
 

ah forgot, then
dpkg --purge libclamav3



--
Simon Hobson



Re: [Clamav-users] Clubbing a deceased equine

2010-04-21 Thread Simon Hobson

Eric Rostetter wrote:


Knowingly disabling running software on computers that is not your own
is not acceptable.  It is immoral, unethical and perhaps illegal.


But that's not what happened.


Yes, it is what happened...  People are just confused because of all
the bogus complaints like "they shut down my server" or "they shut down
my email".  But they did indeed shut down clamd for some set of older
versions.


I'm confused - are you saying they did, or didn't shut down software 
that people were running on their servers ? I think you are admitting 
(thank you) that the update did what it was supposed to do and 
remotely stopped some versions of ClamAV from running.


The **ONLY** defence I can think of is that they assumed an 
implicit permission by virtue of the user running the update 
process to fetch signature updates. That's a very tenuous thing to 
infer when pushing an update that is so different in purpose to 
what would normally be fetched.


Well, since you pull the updates (they are not pushed to you), and since
while this one signature was indeed different in purpose than the normal,
you have a point.  But, this different in purpose signature was just
a way of warning that soon the same in purpose signatures _would_ stop
the software.  Would you rather they just started pushing the normal in
purpose signatures that crashed it, or that they pushed a different
in purpose one first, where the purpose was to notify users of both
the issue, and how to fix it?


They didn't HAVE to push either to the older software - I'm not the 
first to point out that there was a completely viable alternative 
that would just stop supplying updates to the older software.


So my preference would be simply that they did nothing to my 
software. If they want to stop supporting it with updates, that's 
fine and it still leaves me in control of what I run and when I 
update it.


--
Simon Hobson



Re: [Clamav-users] (no subject)

2010-04-20 Thread Simon Hobson

Dennis Peterson wrote:

The question wasn't directed to me but I'd like to see them be more 
selective as to who should be allowed to use this product. Maybe an 
IQ test.


Really that is an insulting statement - and completely uncalled for. 
It's exactly the sort of attitude that drives people away from the 
FOSS movement - an almost religious zeal in supporting a closed shop 
mentality.


On one hand, people see a FOSS world inhabited by these religious 
zealots espousing the notion that to use a computer you must be some 
sort of uber nerd, fluent in multiple languages, and capable of 
programming a bare metal computer by thought transference (OK, so 
that's a slight exaggeration !). On the other hand, they see 
commercial offerings that appear to be made by people who actually 
care about people using their stuff - ie making it usable by mere 
human beings.


Some people in the FOSS movement understand this - that's why there's 
so much work to make things usable by ordinary people. It's just a 
pity there are still the bigots around espousing your view.


Now, if you want a project that employs such restrictions - go and 
build one. Being under an open licence, this one is available to all 
- either like it or lump it, but either way, keep your insults to 
yourself.


--
Simon Hobson



Re: [Clamav-users] The EOL tweets

2010-04-19 Thread Simon Hobson

Jim Preston wrote:

Forcing an upgrade by flipping a kill switch was AN option, but it 
wasn't the only one.


No one is arguing that there weren't other options. However, it was 
their decision to make to move forward with incompatible signatures 
to support new features. Code changes were put into 0.95.3 (and 
maybe earlier in the 0.95 tree) which allows clamd to continue 
running with the new signatures and just does not use them. That is 
not the issue, the issue is pre 0.95 could not handle the new 
signatures and everyone had 6 months to do something about it.


Yes, we all know that something had to be done, but just two days 
ago, the argument most definitely was that there was **NO** other 
option - absolutely no other option and this was the **ONLY** way to 
do it.


Now you at least are coming round to the acceptance that there were 
other options. That has been part of people's objections - apart from 
choosing the option they did, at least in these threads, the argument 
has been that there was **NO** other option, which quite frankly 
was never accepted as true or reasonable.


Lessons to be learned on both sides I think.

--
Simon Hobson



Re: [Clamav-users] The EOL tweets

2010-04-19 Thread Simon Hobson

Jim Preston wrote:

Yes, we all know that something had to be done, but just two days 
ago, the argument most definitely was that there was **NO** other 
option - absolutely no other option and this was the **ONLY** way 
to do it.


Now you at least are coming round to the acceptance that there were 
other options. That has been part of people's objections - apart 
from choosing the option they did, at least in these threads, the 
argument has been that there was **NO** other option, which quite 
frankly was never accepted as true or reasonable.


No, Simon, if you read some of my earlier posts I stated it was 
their decision to make and had taken measures to give users / admins 
6 months to do something about it.


I can't recall who said what - but there were voices suggesting there 
was no alternative. I wasn't specifically saying you said it, though 
I can see how it probably looked that way.


--
Simon Hobson



Re: [Clamav-users] (no subject)

2010-04-19 Thread Simon Hobson
Yes, and most likely the case and most likely the managers screaming 
that it should not have failed because they did not authorize the 
server to fail. And yes this is a weak attempt at humor on my part and 
not in need of retort.


Not so weak - but it sounds like you've met some of my past managers !

--
Simon Hobson



Re: [Clamav-users] The EOL tweets

2010-04-19 Thread Simon Hobson

Eric Rostetter wrote:


Let's look at this from the OS community point of view...


...


I thought, yeah, I
can live with that.  That won't impact me in any real way.  I don't have
a problem with that.  I didn't think about others.  I didn't try to come
up with other solutions.  I didn't try to foresee problems and try to
correct them.  I didn't think to check that the documentation was in place.
I didn't think to notify distributions, or packagers, or any one else.  I
didn't seek to publicize this in either a positive or negative light.  In
short, I failed as a community member.  And a lot of others did too.

So let's learn from this.  Let's make this a better community around
clamav.  The best way to stop this kind of stuff is to take an active
role in the community, not to bitch about it to the project leaders after
we fail to show any interest in it.

Yes, we all know that something had to be done, but just two days 
ago, the argument most definitely was that there was **NO** other 
option - absolutely no other option and this was the **ONLY** way 
to do it.


For six months, there was NO argument at all. That is where the system
failed...  What happened in the last week is not the problem.  It is the
fall out of the problem.  The problem is apathy.  The solution is an active
community.


Thanks. That is probably the most constructive thing said in the last few days.

Not in this particular saga as I wasn't involved, but in other areas 
I would have to say I could hold my hand up and say "guilty" of all 
those at some time or other - it can be hard to see things from a 
perspective outside of your own little box. And it's even easier to 
look back after the fact and say "that's not how I'd do it" - I've 
even done that about some of my own decisions from time to time.


It was a real eye opener for me when I changed jobs a few years ago - 
going from being personally responsible for all the technical stuff 
(and then some more) in the company and having an intimate knowledge 
of the networks, servers etc; and suddenly there I was on the other 
side of the fence having to deal with a multitude of different setups 
that I wasn't familiar with. I suddenly realised just what a hard 
time I'd given some of those (well paid) consultants over the 
previous years.


What we may, in hindsight, think of as being a ridiculous decision, 
probably seemed like a good idea at the time to those who had to make 
it - given their perspective of the world.


The positive thing everyone can take away from this is a better 
realisation of the diversity of ways people manage systems, and the 
diversity of views on how it should be done.



Paul Reading wrote:
Sorry to butt in.. I have just wasted a day trying to get my 
company's mail working again. We have an Apple xServe and knew 
nothing about clamav until we stopped receiving our email this 
morning. I don't know how you could have communicated with us on 
this one but perhaps it would have been better if you had somehow 
got Apple to update their customers by software update so that the 
un-initiated would not have needed to worry about this.


Here we have a prime example of the sort of user that's been really 
let down over this. I would have to hold my hand up and admit that it 
is to a certain extent my own fault for running older software, and 
that I have a route to fix it myself, but this chap is running what 
to him is an appliance. There are a great many such appliances 
about, and many of them will be running older software for various 
reasons - in the case of OSX, there's a not inconsiderable cost in 
upgrading the server version between major releases, and (probably 
not relevant to an Xserve) an artificial restriction on age of 
hardware the newer versions will install on. For this class of user, 
a vendor (in this case Apple) has done all the porting and 
integration so that the user just has to administer it via a front 
end GUI - it's not reasonable to expect the user to learn about 
coding, building software etc.
It would be a good idea though for the vendor to be proactive in 
making sure the user they took money from isn't left in such a 
situation. Reading a few of the comments suggests Apple don't really 
have an official EoL policy/statement for OS X, and that they do 
sometimes do updates for older versions.


At least in Apple's case, they will have a partial list of users 
since the default is for a new install of the OS to bring up a 
registration program so you can register with Apple. It would have 
been nice if they'd used some of that information to notify those 
they could.


What version Apple provide I don't know - whilst I've run Xserves, I 
wasn't using the mail on them and it was some time ago. AFAIK, Apple 
do push updates to such third party packages with Software Update - 
as far as the user is concerned, this is an Apple supplied package 
and Apple provide the updates even if it is an open source program.



--
Simon Hobson


Re: [Clamav-users] EOL

2010-04-18 Thread Simon Hobson

Jim Preston wrote:


Over here, if I step out into traffic and get hit it is my fault.


But suppose you walk out across a crossing where the WALK is lit 
(green man over here) and the traffic has a red light - but someone 
screams through ignoring the red light and gets you ?


That is a better analogy. The **expectation** of any sane admin isn't 
that some random project will push out random updates deliberately 
designed to stop his working system from working.


And you can cut the crap about "well you should have configured your 
system to not stop when ClamAV stopped" - that's rubbish because it's 
already been made perfectly clear right at the start of one of these 
threads that the project team consider any configuration that doesn't 
break if ClamAV isn't working right to be broken.


Yes, it would have been nice to be in a position to have done a 
distro upgrade (with all the testing required) before now, but some 
of us haven't been able to for a variety of reasons. That does not 
give ANYONE (other than my management or users) the right to set out 
to punish me (and my users) for it - because that is what has 
happened, and some of you seem proud of that.


Yes, it would be better if I was running more up to date software - 
but I made a decision based on certain constraints and assumptions. 
One of those assumptions was that some third party would take it upon 
themselves to deliberately stop it working. Many people will now be 
wondering how safe it is to trust this project (and FOSS in general) 
- trust can take a lifetime to build up, and a moment to destroy.


Like I said, I can think of several ways it could have been handled 
without any significant effort (certainly less than has been expended 
on dealing with the backlash) and without significant (or with one 
option, any) inconvenience to people running up to date versions. The 
way it's been done, and especially the way it's been defended, makes 
certain people come across as very arrogant people who need to be 
careful they don't hurt themselves - it's a long way down off a high 
horse.


--
Simon Hobson



Re: [Clamav-users] The EOL tweets

2010-04-18 Thread Simon Hobson

Dan wrote:

Yes, some updates can be problematic.  But in this case, surely, 
there were updates during the year that worked just fine.  In most 
cases, tho, I'm thinking the people complaining slacked off 
completely - unlike you, they didn't even bother to test the 
releases.


And cf today's thread (LibClamAV Error: Can't load), which can be 
summarised as:

It was working fine
You broke it for me
I've installed an update to try and fix it and now it's even more broke

The only difference had the user done the update last week would be - 
he had a working system, he upgraded it, it's now broken and he has 
downtime as a direct result of the upgrade.


Those two lines look fairly clear to me.  Essentially they're 
telling you to get moving, get the update onto your to-be-done list.


OK, so it suggests an upgrade would be a good idea. I've yet to see 
any explanation of where in that message (or the page referenced) it 
sets a deadline, where it says anything will die, and that this will 
be a deliberate act of sabotage.


Yea, I agree, the Clam team probably could have done things better. 
But would more announcements or warnings have really made a 
difference?  Why would the people, that regularly ignore the 
Freshclam warnings, pay attention?


Actually, I believe at least some of those complaining here would 
have done. **HAD I KNOWN** about this killer update, then I would 
have applied pressure on management to give me the resources to roll 
out the new build I have - that's all I'm waiting on in order to be 
running completely up to date versions of everything - and because 
it's more than one server, in future I'll be able to update (one at a 
time) with less risk.


OTOH, I wonder how many of these upset admins have taken even 
partial responsibility - by admitting to their bosses that they 
failed to apply any updates to a critical piece of software, for 
over a YEAR?


I have - that probably surprises you. Can't speak for anyone else.



Dan wrote:


They do not have any right to deliberately mess with a running system...


Please explain this right that makes thy system so sacrosanct. 
I've never heard of that.


May I suggest that you'd change your tune if your house was ransacked 
and the burglar defended his action on the basis that he'd kept a key 
from before you bought the house and he's left a note (somewhere you 
probably wouldn't see it) telling you to upgrade your locks or else ?


My servers are my property (or that of those I manage them for). No 
third party has the right (legal or moral) to interfere with that 
unless there is a contractual agreement that they can do so - and 
then only in ways allowed by that arrangement.
In this case, there's an implicit agreement between admins/operators 
and the ClamAV team that allows the ClamAV team to apply AV signature 
updates - this being implicit by the admin running Freshclam. In no 
way can pushing a poison pill designed to stop the service be 
considered a normal AV signature update.



The Clam team had one and only one responsible choice:  to remove 
the aged product from service before it became a road hazard, er a 
liability around their necks.


No, that is NOT their responsibility, nor their right.

Not only that, it's inconsistent with the attitude expressed here 
towards people running old software.

Contrast :
1) No-one should be running old software, they deserve all they've got.
2) We can't allow people to run old software, our only option is to 
kill it to protect people from themselves.



OK, lets suppose that a car manufacturer finds out that one of their 
old models, of which there are many still in use, has a defect that 
could potentially expose the user to a higher risk of something. In 
this country, and in the US I believe, there is a system for a recall 
if it's serious enough - or the manufacturer can put adverts in 
appropriate places to warn the user.


Have you ever heard of the manufacturer deciding that the only 
responsible way is to go round with a fleet of lorries (trucks), lift 
the old vehicles off the owners drives without even ringing the 
doorbell, and take them off to the crusher ?


They have a right, and a responsibility to try and make as many 
owners/users aware of the risks - but it is still the owner/users 
decision on whether that risk is acceptable TO THEM.



They were even nice enough to give months of warnings.


The efficacy of such is subject to a certain amount of debate.

--
Simon Hobson



Re: [Clamav-users] The EOL tweets

2010-04-18 Thread Simon Hobson

Stephen Gran wrote:


You seem to be massively missing the point.  In a short while, there
will be signatures in the database that will have the same effect for
older versions of clamd, because they will trigger the same bug.  Which
way would you prefer clamd to die - with a helpful error message, or
with a hex string that makes no sense to you?  That was the only choice.


So you haven't actually been reading these threads then. It 
absolutely was **NOT** the only choice, it was the one choice of 
several that they took. I can think of **at least two** alternatives 
- one would have required minimal effort (probably less than has been 
expended in defending the decision) and zero inconvenience for those 
who run all the latest updates.


So it IS NOT TRUE that there were no other options. It IS NOT TRUE 
that the only choice was this or have it die in a few weeks with a 
cryptic error message.


As has already been said - it's done, it's not going to get undone, 
trust has been severely damaged. But most of all, this constant it 
was the only way, anyone affected was a complete imbecile who should 
be allowed near a computer attitude really makes you sound like a 
bunch of people most of us wouldn't want to be associated with. It 
most certainly doesn't make you sound like the professional 
sysadmins that you claim to be.


I think you've got to go to one of a number of churches, or an Apple 
event, to hear such this is the one true way message defended any 
louder !



There really doesn't seem any point in debating this any more. It's 
been proven time and time again that the most fervent religious 
believers won't be for hearing any criticism of their one true way - 
and that is exactly what these threads have sounded like for those of 
us outside the church.


You may be nice people - but I speak as I find. The above is how I find.

--
Simon Hobson



Re: [Clamav-users] EOL

2010-04-18 Thread Simon Hobson

Christopher X. Candreva wrote:


>> And you can cut the crap about well you should have configured your
>> system to not stop when ClamAV stopped - that's rubbish because it's
>> already been made perfectly clear right at the start of one of these
>> threads that the project team consider any configuration that doesn't
>> break if ClamAV isn't working right to be broken.
>
> As the originator of those comments, you have misquoted me.
>
> The project team consider any CLAMD configuration -- not any MAIL
> configuration -- that doesn't break CLAMD if ClamAV isn't working right to
> be broken.
>
> Because of this, it has been recommended, repeatedly, for years, that mail
> systems be configured to deliver mail unfiltered if the milter fails.


Ah, now that is being very disingenuous again - and it's logically 
inconsistent with the stated position.


What you are saying is that ClamAV should NOT work if there is a 
problem because to not work would expose people to having their mail 
not checked when they expect it to be. But they also recommend 
configuring your system so that if ClamAV doesn't work, it will pass 
the mail unfiltered.


So ClamAV as a package won't silently 'not work' for the safety of 
users - and this has been the justification for their approach to 
this issue. But at the very same time they are recommending a setup 
which will silently not scan mail if there's a problem with ClamAV.


Interesting logic there guys.

--
Simon Hobson



Re: [Clamav-users] Thanks for the weekend entertainment

2010-04-18 Thread Simon Hobson

Cody Konior wrote:

I don't know Simon, though I can't help but see his attitude and 
comments as a reflection of some other consultants / systems 
administrators whom I intensely dislike.


Then I think you have got the wrong impression of what I do and how I do it.

If it's any consolation though, some of the other posters have been 
worse, to the point of being almost comical.


Some people really don't help their own cause.


Giampaolo, you're one of us. You may have a dissenting opinion


That's interesting. The impression I have is that he has similar 
opinions to me.
I believe I am also one of you, but without the religious zeal some 
people have exhibited in these threads. I too try and provide value 
to my clients (I'm not a consultant BTW, I'm a technical specialist 
in a small IT services  hosting company though I guess the line is a 
bit blurred), I do it because I like it (mostly, and I certainly 
aren't in my current post for the money), and I try to do things with 
professional ethical standards (and I've had disagreements with 
managers over the years when their lack of ethics has conflicted with 
mine).


And I do actually contribute to a number of FOSS projects - not in 
cash, but in things like answering users (frequently FAQ) queries on 
mailing lists and so on. And of course, taking every opportunity to 
demonstrate that it can be an alternative option.


--
Simon Hobson



Re: [Clamav-users] The EOL tweets

2010-04-17 Thread Simon Hobson

Dan wrote:

So keeping up to date has its own risks - hence why many people 
take the attitude of if it aint broke, don't fix it.


But being a YEAR out of date?


Time is an illusion, lunchtime doubly so.

Like I said, there ARE legitimate reasons for not always updating 
every bit of software every time an update comes out. Looking back, 
I've had more problems caused by updates (as in it worked, I fixed it 
with updates, it stopped working) than I have from lack of them. 
Clearly up in the skies as some of you guys seem to be given the 
height of your horses, things are different - perhaps your software 
works differently at altitude !



Wow.  Freshclam has told you every day for  a year+, that your 
installation was out of date.  Plus the 6 months of messages about 
the EOL that have been posted.  How much more notice do you need?


**Any** notice would be nice.
As I've already asked before, please tell me where in the message 
below (or the URL it includes) it says anything whatsoever about 
your software will die ?

Received signal: wake up
ClamAV update process started at Fri Apr 16 10:26:14 2010
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.95.3 Recommended version: 0.96
DON'T PANIC! Read http://www.clamav.net/support/faq
main.cvd is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven)
daily.cvd is up to date (version: 10751, sigs: 52057, f-level: 51, builder: guitar)

It doesn't. So please cut the dung about freshclam having been 
warning me for a long time about this. It did no such thing - there 
is a difference between noting that there may be some of the newest 
features not supported and it turning its toes up and going to meet 
its maker.
As to the policy having been published, well it would appear many of 
us have the same problem as Arthur Dent.


Of course, if you insist on keeping your system out-of-date, you 
could just restore the database from your backup, and disable 
freshclam.  You do have backups, don't you?


As I've already said several times, YES I HAVE AND YES THAT IS WHAT 
I'VE DONE until I can fix it.



I can think of two other ways this could have been done, with very 
little effort, and with little or no inconvenience to what you would 
consider superior admins. That's irrelevant now, you've done what 
you've done and it's not going to be undone.


--
Simon Hobson



Re: [Clamav-users] (no subject)

2010-04-16 Thread Simon Hobson

Richard Bishop wrote:


You are running Debian Sarge!  That's been EOL and unsupported for over 2
years (March 2008).  See here - http://www.debian.org/releases/sarge/


Yes, I am as well - and for several good reasons.

1) If it aint broke, don't fix it. It works, has worked reliably for 
several years, and was working fine yesterday. It's uptime is 
currently 405 days, and then the last downtime was to physically move 
the server.


2) If it aint broke - don't fix it. There's no way I'd attempt a 
major upgrade in-place when it's a live server used 24*7. For various 
internal reasons (which I'm sure you can guess) I don't have the 
resources to do anything but an in-place upgrade if I want to upgrade.


3) I can accept that software will go out of support - but I never 
expected a Microsoft-esque remote shutdown.



Recognising that Sarge is quite old, I have in fact got a new server 
about ready to go - and I've taken the opportunity to roll in some 
better features than the current live one. However, I don't have the 
hardware to deploy it with yet - and I probably won't for several 
months.


--
Simon Hobson



[Clamav-users] Debian Sarge - what now ?

2010-04-16 Thread Simon Hobson
OK, so I get into work this morning to be told there's a problem with 
the mail server - and the helpdesk have had calls from several 
clients who aren't getting any mail.


The first hint I have is a delayed mail message from one of the 
servers which included the following :

xx...@x.xxx (expanded from root): host 127.0.0.1[127.0.0.1]
said: 451-4.5.0 Error in processing, id=20146-06, virus_scan FAILED:
virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd av-scanner FAILED: Too
many retries to talk to /var/run/clamav/clamd.ctl (Can't connect to UNIX
socket /var/run/clamav/clamd.ctl: No such file or directory) at (eval 42)
line 268.; ClamAV-clamscan av-scanner FAILED: /usr/bin/clamscan unexpected
exit 50, output=LibClamAV Error: cli_hex2str(): Malformed hexstring: This
ClamAV version has reached End of Life! Please upgrade to 
version 0.95 or l
451-4.5.0 ater. For more information see 
www.clamav.net/eol-clamav-094 and

www.clamav.net/download (length: 169) 451-4.5.0 LibClamAV Error: Problem
parsing signature at line 742 451-4.5.0 LibClamAV Error: Problem parsing
database at line 742 451-4.5.0 LibClamAV Error: Can't load
/var/lib/clamav//daily.inc/daily.ndb: Malformed database 451 4.5.0 ERROR:
Malformed database at (eval 42) line 462. (in reply to end of DATA
command)


To which my first reaction is WTF ?

So I find that **without warning** my mail server has been remotely disabled.

Yes, I do mean **WITHOUT WARNING** - there has not, at any point, 
been anything remotely resembling any warning that things were going 
to be turned off. A notice on your website doesn't count unless you 
think it's reasonable for all admins to have to visit the project 
website for all their packages on a regular basis just in case the 
project plans something crazy like remotely disabling your server !



WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.92.1 Recommended version: 0.96
DON'T PANIC! Read http://www.clamav.net/support/faq

doesn't count as any sort of warning that things WILL BE TURNED OFF

What's more, the language of the notice that I have now seen makes it 
quite clear that you knew **BEFORE** you did this what the effects 
would be.

This move is needed to push more people to upgrade to 0.95

This makes it quite clear that there are still a lot of people 
running the older version, so it's hard to imagine what sort of 
response you expected from people.




Anyway, rant over, how to move forward. The mail server is running 
Debian Sarge, and upgrading is not an option for now - that's why 
it's still running Sarge. Even if it were running Lenny, then the 
stable version in that is still affected. I have a newer server 
built, but I won't have the hardware to run it on for a few months.
0.95 won't install - unmet dependencies and I'm not going to try 
manually frigging stuff on a production server to work round that.


So for now I've had to completely disable AV scanning on the server.

The obvious workaround for me at the moment is to disable Freshclam 
and rollback to where I was before the update that broke things. Can 
anyone tell me exactly which files I need to rollback ? Yes, using an 
old AV db is bad, but it's less bad than not using one at all which 
is where I am now.


So, like the title above - now what ?


Could I suggest the following ?
1) Roll out an update to re-enable people's servers.
2) Roll out a less damaging update - how about NOT updating the DB 
and announce that it's not being updated ? Still annoying, but far 
less annoying than having your server taken down without warning.



--
Simon Hobson



Re: [Clamav-users] Upgrading System for latest ClamAV version

2010-04-16 Thread Simon Hobson

Jerry wrote:


In any case, at some point in time, when it comes to updating software,
or whole operating systems, you just have to bite the bullet.

http://en.wikipedia.org/wiki/Bite_the_bullet
http://www.phrases.org.uk/meanings/bite-the-bullet.html

Or, to put it in simpler terms, It's better to light a candle than
curse the darkness.


Still, it would be better still if someone didn't break in and snuff 
our candles out to force us to switch to electricity !



I am in the process of preparing to upgrade an older FreeBSD system to
the latest version. I could bitch and complain; however, in the time I
would waste doing that, I could have completed the job.


Well IFF I had the skills, and IFF the server had the tools 
installed, then I suppose I might be able to compile the source 
(having figured out how to deal with the broken dependencies). On the 
first, I don't - that's why I'm using packaged software. On the 
second, I don't know - it probably doesn't have everything installed 
since I don't build software on it.


What might have been a few minutes to you, is in fact a week or two 
for me - building a new server, configuring it (the old configs 
aren't really useful when the software has progressed over the 
years), tested it fully, and then migrated all the users and their 
data. That would, of course, be assuming I had the hardware to host a 
new server on - which I don't.


--
Simon Hobson



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Simon Hobson

Francesco Peeters wrote:


How long back do McAfee or Norton, etc. support their clients? Only
difference (aside from the fact you have to pay them for the privilege)
is they just force the upgrade on you during the standard upgrades, no
matter how inconvenient it may be... ClamAV gives you 6 months... Now
which one is more appreciative of the issues system admins may face when
upgrading software?


Well my experience over 20+ years ...

No, I've never had my commercial AV licenced software turned off 
with no warning.


Forget the 6 months stuff, this was NO WARNING to most people. If 
you'd given 6 months notice then I'd have had grounds for going to 
management and making sure I had the resources to do something about 
it - I'm running Debian Sarge so it's not a matter of just using the 
Volatile repo.


At no point have I seen anything in the logs on my servers to say it 
was going to be turned off. Like many others, the first I knew was 
when I got to work this morning and the server wasn't working.


--
Simon Hobson



Re: [Clamav-users] Upgrading System for latest ClamAV version

2010-04-16 Thread Simon Hobson

Jerry wrote:


>> Still, it would be better still if someone didn't break in and snuff
>> our candles out to force us to switch to electricity !
>
> At some point a candle will burn out. Simple fact of life.


OK, so perhaps bad analogy - if it were an oil lamp, I could keep adding oil !


>> What might have been a few minutes to you, is in fact a week or two
>> for me - building a new server, configuring it (the old configs
>> aren't really useful when the software has progressed over the
>> years), tested it fully, and then migrated all the users and their
>> data. That would, of course, be assuming I had the hardware to host a
>> new server on - which I don't.
>
> Nothing personal; however, is this network a simple home one or are
> you maintaining a mail server for a [business|group|organization].
>
> If (1), then this is a great time to acquire those skills and install
> those pesky tools. If (2), then perhaps it is time to call in a
> professional. This job is obviously beyond your capabilities.
>
> Nothing personal; however, this sounds like a text book definition of
> the Peter Principle (http://en.wikipedia.org/wiki/Peter_Principle).
> If you are going to run a mail server and hope to run it proficiently,
> then acquiring the skills to do so are paramount to you. There are many
> individuals on several assorted lists that would be glad to help you
> get started acquiring those skills.


Yes, that is very personal and I take it as an insult. It's the very 
reason OSS has such a bad reputation in some quarters - this apparent 
insistence that you are not competent to do anything unless you can 
write code. That IS the inference - that if I'm not capable of 
compiling my code from scratch then I shouldn't be running a server.


If that was true, then why should all those people spend all that 
effort packaging up software so that incompetent (according to you) 
people should be able to install and use it ? In the same vein, then 
it's an obvious extension that there is no such thing as a 
competently run server using closed source code - after all, the 
admin cannot compile the Windows or Exchange or ISS or ... their 
server runs.


So please get off the high horse before you fall and hurt yourself. 
Just because I don't build the software from source does not mean I 
cannot competently configure and run a service. That is exactly what 
I did several years ago for this particular server, and it's been 
running very nicely until someone actively pulled the plug on it, in 
practical terms, **WITHOUT ANY WARNING**.


I'd love to have enough hardware to run up a new server, with all the 
latest software, and migrate all the users etc. Unfortunately, due to 
internal politics I won't get that until all the other stuff gets 
upgraded. I can't say more, but suffice it to say, there are a lot 
more services running on OSS than there were when I started here - 
but there has been no new hardware provided to run it - I only get 
the hand-me-downs when it won't run the latest tech from a certain 
well known closed source vendor.

That's politics for you - wish it wasn't the case, but that's how it is.


Now, I've always thought ClamAV was great - but when shit like this 
happens it suddenly gets harder to justify OSS when one of your 
vendors does exactly what you accuse the closed source outfits of 
doing.


I can appreciate why it's been done, I just think it was done very badly.
--
Simon Hobson



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Simon Hobson

Török Edwin wrote:


On 04/16/2010 03:17 PM, Giampaolo Tomassoni wrote:

It was explicitly stated that clamd will be disabled.


In which language?


Starting from 15 April 2010 our CVD will 
contain a special signature which disables all 
clamd installations older than 0.95


http://www.clamav.net/lang/en/2009/10/05/eol-clamav-094/


Could you please point out where in this log 
extract it mentions anything about the software 
getting remotely turned off ?



Received signal: wake up
ClamAV update process started at Fri Apr 16 10:26:14 2010
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.95.3 Recommended version: 0.96
DON'T PANIC! Read http://www.clamav.net/support/faq
main.cvd is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven)
daily.cvd is up to date (version: 10751, sigs: 
52057, f-level: 51, builder: guitar)


That log message links to http://www.clamav.net/support/faq

Could you please point out where on that page it 
mentions anything about the problem ?
As it happens, I HAVE been to that page several 
times in the last few months, because I've been 
setting up new mail servers and was looking for 
info on downloading the updates just once and 
passing them round to the others - see, even 
though it's a small setup, I still try and 
minimise my load on the upstream project servers.



That is why people are so upset about this - in 
practical terms, to most users, it was **NOT** 
announced 6 months ago - it was sprung on them 
with no warning this morning.



--
Simon Hobson



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Simon Hobson

Török Edwin wrote:


Could you please point out where in this log extract it mentions
anything about the software getting remotely turned off ?


Received signal: wake up
ClamAV update process started at Fri Apr 16 10:26:14 2010
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.95.3 Recommended version: 0.96
DON'T PANIC! Read http://www.clamav.net/support/faq
main.cvd is up to date (version: 52, sigs: 704727, f-level: 44,
builder: sven)
daily.cvd is up to date (version: 10751, sigs: 52057, f-level: 51,
builder: guitar)




If you manually start clamscan/clamd it shows this message:

LibClamAV Warning: ***
LibClamAV Warning: ***  This version of the ClamAV engine is outdated.***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***
LibClamAV Error: cli_hex2str(): Malformed 
hexstring: This ClamAV version has reached End 
of Life! Please upgrade to version 0.95 or 
later. For more information see 
www.clamav.net/eol-clamav-094 and 
www.clamav.net/download (length: 169)

LibClamAV Error: Problem parsing database at line 742
LibClamAV Error: Can't load 
/tmp/clamav-87fcebeda696335ed02c4a74df419b38/daily.ndb: 
Malformed database

LibClamAV Error: Can't load /usr/share/clamav/daily.cvd: Malformed database
ERROR: Malformed database


No, that's what it says NOW, **AFTER** it's borked the server.

Where in that log message I quoted above does it 
say that at any point in the future it will be 
turned off ?
I've had no reason to run freshclam manually on 
that server in the last 6 months, for several 
years in fact. That demonstrates the quality of 
the code/project prior to this issue.



  That log message links to http://www.clamav.net/support/faq

You are right, the FAQ should link to the EOL message.



Could you please point out where on that page it mentions anything about
the problem ?


www.clamav.net
IMPORTANT ANNOUNCEMENT (red)


That is **NOT** on the page referenced.


I hope that by now you may be realising that many 
people quite legitimately did not know anything 
until things broke this morning. We did not have 
6 months notice - our servers just broke.




Aecio F. Neto wrote:


I use clamav, I think it is great and I recommend it to all my customers.


I agree.


Even though, I do not agree with fact that a vendor (open source or not)
disable and break services on my endpoint.
There are many other ways to do it and this is bad for the endpoint and for
the vendor.

Team should review this practice, no matter if they announce it earlier or
not.


Ditto.


Today I've gone from having a server that just 
runs and has run with virtually no oversight for 
several years to one that just broke.


I had to disable AV scanning this morning in 
order to get the mail moving, now I've disabled 
freshclam and rolled back the database to 
yesterday's version.


Luckily it's not been a busy day today !

--
Simon Hobson



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Simon Hobson

Maurice Lucas - TAOS-IT wrote:


>> I don't know in which world you live ... but in the REAL world I
>> live, not all systems are managed by proactive admins. In fact, in the
>> REAL world, LOTS of systems are just left alone running. And it works
>> most of the time, despite of all the theoretical and practical
>> considerations against it. I know that isn't right, that isn't secure,
>> that's not the optimal situation. But that's the REAL situation.
>
> If you don't have the time, knowledge, or whatever. Don't be a sysadmin.
>
> Being a sysadmin for a PRODUCTION server is a real job.
> I hire someone to fix my car and repair my roof. Why because I could
> try and fix something but I know I can't complain if I break
> something.


Ohh, bad analogy.

According to comments already made, to be a competent car owner 
you've got to periodically check the websites of all the bits that go 
into it. So we'll start with (for example) Ford for the base vehicle, 
and (for example) Michelin for the tyres, and Bosch for the engine 
management, Girling for the brakes, 


But then again, if I don't I don't find myself sat in the middle of 
the road with a dead car - I've yet to hear of a vendor building in a 
facility with the sole function of bricking your car if you don't 
keep going to them for updates.


And guess what, when you take your car to be serviced, the guy that 
services it won't go and check with all the vendors to check, just in 
case, that someone has plans to remotely brick it in the next 6 
months.
IFF he's a (say) Ford main dealer then he'll check with Ford if there 
are any bulletins that apply to it.



>> despite all the warnings, the EOL signature was a bad move in
>> my opinion.
>
> We are talking about a message sent to everyone who cares for their
> system of October 5th, 2009.


As pointed out, it was ***NOT*** sent to people running the servers - 
you've done the equivalent of Ford putting a notice up in its 
corporate reception and expecting all owners to know about it. Had I 
known 6 months ago rather than this morning, I'd not be complaining 
for the simple reason that I'd have been able to deal with it.


> An old version of ClamAV can't find the newest viruses. The really
> old ones don't run in the wild anymore.

For half the day I've been forced to detect no viruses. Now I'm only 
detecting the ones known about up till yesterday.


--
Simon Hobson



Re: [Clamav-users] Upgrading System for latest ClamAV version

2010-04-16 Thread Simon Hobson
 be interested to hear how you would have 
fixed the problem without compiling the code or using the compatible 
binary package that doesn't appear to exist - but then that applied 
to any closed source server. If a Windows admin can't fix a problem 
by fixing the code they don't have, does that mean they aren't 
competent either ? That was your inference.



>> Now, I've always thought ClamAV was great - but when shit like this
>> happens it suddenly gets harder to justify OSS when one of your
>> vendors does exactly what you accuse the closed source outfits of
>> doing.
>
> I use FreeBSD myself. I am upgrading to take advantage of the latest
> wifi, drivers, etc available in the new version. I guess I could cry
> and complain that they _SHOULD_ have back ported those features, or I
> could just upgrade and avoid the whole tantrum act entirely. You are
> effectively in the same boat.


Have I at any time complained that a feature hasn't been back-ported 
to Sarge ? NO I have not. If I need/want features in the newer 
software, then I'll upgrade - something I've already done but don't 
have the resources at the moment to deploy. Presumably, your old 
FreeBSD installation didn't just stop working one morning ? By stop 
working, I mean it worked, then the next day it didn't - not having 
features in newer software isn't stopped working.



> Out of morbid curiosity, what is your fear of 'compiling' anyway? While
> I prefer to use the distros provided by the OS vendor whenever
> possible, I realize that, that is not always possible. If you are not
> going to be running a Microsoft or equivalent system exclusively, it is
> not a bad skill to acquire.


It's not a 'fear' as such - just another of those skills I've not 
learned, though it's something I have on my list to do sometime. 
Administering Linux boxes is just part of my job - it would be nice 
to just concentrate on one area and learn it thoroughly, but I have a 
lot and so I tend to select options that minimise effort/return. In 
general, packaged software has been OK (though I've had to tweak a 
few scripts to make it all hang together). Or put another way, if you 
can do it with pre-packaged units, why duplicate the effort if you 
don't have to (and don't have the time) ?


Another factor is that I've been trying very hard to NOT have 
anything 'non standard' on the servers. That's a matter of making 
things as easy as possible should someone else have to pick up the 
pieces. Apart from whether I might change jobs, there's always the 
proverbial bus to get knocked down with. I have lost friends killed 
in accidents, and I've seen what it's like when others have to pick 
up what they were doing from a cold start.


And then of course, there's an element of which language ?
It's one thing if I can just hit make clean ; make and it all works 
- but when it doesn't - then being able to at least read whatever 
language is kinda useful. I do have some programming experience (done 
Pascal and PLM/51 in the past, mostly stick to shell now) - and yes 
I've managed to tweak a few things in the past when I've had to.


Next week I might well download the source and see what happens.

--
Simon Hobson



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Simon Hobson

Bowie Bailey wrote:


> Personally, I keep my servers updated, so the EOL issue didn't affect
> me,


And on another server (that's newer and is updated), I got bitten by 
that as well when an update broke something and I had to manually 
figure out which update was responsible and find versions of which 
packages to roll back to (which had been deleted from the repos - now 
I keep backup copies !)


So keeping up to date has its own risks - hence why many people take 
the attitude of if it ain't broke, don't fix it.


--
Simon Hobson



Re: [Clamav-users] Upgrading System for latest ClamAV version

2010-04-16 Thread Simon Hobson

Jerry wrote:


> The bottom line is:
>
> 1) You and you alone are responsible for your system. You failed to
> keep it up-to-date and are now suffering the consequences. Trying to
> off-load that onto someone else's plate just isn't going to cut it.


Please stop telling me what I said - at least until you get it right !

Where did I say it's anyone's responsibility but my own if I'm not 
running the latest version ? I'm not complaining that no-one came and 
updated my system for me - but I am complaining that someone who was 
watering the plants for me, one day fed them a strong dose of 
weedkiller !


Perhaps they left a post it, at the back of a cupboard where I don't 
go very often (if at all) telling me they were going to kill my 
plants - does that make it right that they did so (even if I'm not 
paying them to water my plants) ?



> 2) There were notices of the change (read EOL) posted. If you are too
> busy to keep current for a system that you apparently are
> administering, then you have a serious problem. Either the job is
> beyond you or you are not attending to it seriously enough. That is not
> to be taken as an insult, but rather as a statement of fact.


And as already pointed out. 1) I am not alone in thinking that the 
notices weren't as obvious as they could have been. 2) There were 
other options besides killing my system.



> Right now you should be backing up your precious configuration files,
> etc. If you suddenly had a catastrophic HD failure, what would you do;
> bitch to the HD manufacturer? Even if you did, it would accomplish
> nothing. The hardest part of any OS installation, at least in my
> opinion, is the configuration. If I have a complete backup of those
> files and settings, the rest is usually uneventful. The added bonus is
> I get (in most cases) better software and a chance to further optimize
> settings that I might have long ago forgotten about, or are now
> deprecated.


I go one further, I have multiple backups of all my servers, so I can 
restore them from bare metal to the last state they were backed up. 
So yes, I can recover from a disk failure - and indeed have had the 
opportunity to do so. What I wasn't expecting was someone nipping in 
and killing the software !
As it is, using the backups that sometimes do seem like a lot of 
hassle, I've been able to roll back the AV database to yesterday and 
carry on. Yes I know I won't get updates, but scanning with 
yesterday's database is better than not at all.


As to restoring settings to a fresh install. I generally find that to 
be a whole load of hassle - unless the versions are reasonably close, 
so much tends to change that I end up having to go and sort things 
out. I wouldn't consider that as an acceptable DR solution due to the 
time required to get the new system plus old settings to be fully 
working and tested.

YMMV as they say.


Anyway, I've had my say, others have said theirs, I don't think 
there's anything new to be said.




Francis Stevens wrote:


> It is possible to build clam on Sarge (I've just verified that is true).
> If you're going to try this next week the following may help...


Thanks, that's possibly the most constructive thing written all day !

--
Simon Hobson



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Simon Hobson

Jerry wrote:


> So, rather than update ClamAV and/or their OS, which in the majority of
> cases would involve no monetary expense, users will purchase new
> servers and flock en masse to Microsoft, spend thousands more on
> Microsoft Windows Server 2010, Exchange, etc and learn new skills to
> administer said network. Could I ask you a personal question; are you
> on drugs and if so, can I have some because that is one hell of a trip
> you are on?


You really think they don't do that ? In the real world, PHBs all 
over do take just that sort of decision - how else do you think MS 
got where they are.



> Furthermore, why wouldn't these "small companies running their
> crappy and old mailing systems" install updated versions of the
> OS, etc they already have installed?


In many cases, they will have systems that were installed for them 
some time ago, and that they no longer have paid support for. When it 
dies they'll go to someone to fix it - and let's face it, there 
are a lot more outfits that will tell them they need an Exchange 
server than there are that will tell them it's an easy fix.


I've seen it more than once. In fact, I was thinking about the mail 
server at my last job as I wrote the previous paragraph - then 
thought I ought to warn the guy left to run it - and then remembered 
that it died a while ago with a disk failure and they switched to 
using hosted Exchange. So yes, a real example where they decided to 
replace the free and functional software with something they pay for 
and which does less.


That's PHBs for you. Weird, but believe me, it happens - and 
incidentally, guess what my current employer loves to sell :-/



Eric Rostetter wrote:

>> At no point have I seen anything in the logs on my servers to say
>> it was going to be turned off. Like many others, the first I knew
>> was when I got to work this morning and the server wasn't working.
>
> Because they should have obviously jumped in the way-back-machine
> and changed the 5 year old software you use to warn you about a future
> event that wasn't known 5 years ago?
>
> Or because they should have hacked into your machine and placed the notice
> there for you?
>
> Or should they have gone personally to your house last night and knocked
> on your door to tell you?


Or they could have put it on their website at the one page that does 
appear in the log - but they didn't put it on the FAQ page at all. As 
it happens, I **HAVE** been to the FAQ page in the last few months 
and had it been there like it is on the front page then I would have 
seen it.


So in that respect, a very simple edit to the website could have made 
a significant difference - I doubt I'm alone.



Jason Bertoch ja...@i6ix.com wrote:


> It's broke

It is now

> please go fix it.


I will, now I know about it. But it would have been nice to do it at 
a more convenient time, and with advance notice so I could use it to 
get some resource allocated by management.


--
Simon Hobson



Re: [Clamav-users] Upgrading System for latest ClamAV version

2010-04-16 Thread Simon Hobson

Hmm, getting somewhat off-topic here ...

Jim Preston wrote:

> Except you do not need to move all your applications, users, and
> data. All you need to do is build an expensive server and have it
> host ONLY email.


I already have a server that hosts ONLY mail.

> Then your email server will be able to run clamav and your other
> services will not be affected or forced to upgrade. I needed to do
> this very thing for another company I worked for. We too had RH9
> (other posts in this thread mention RH9) and found it to be just
> fine for what we were using it for. Yes, there were no security
> updates and yes we did have to make changes to the way some services
> were run to keep it secure, but that was the price we were willing
> to pay since upgrading did not yield any significant improvements
> for that server. When we needed services that could not be provided
> securely by the RH9 server we built a new server to host those new
> services.


Now, a question - if you have only the settings, and install a later 
version of RH, then will those settings create a system that runs 
identically as far as the important stuff is concerned ?


Re your later clarification - yes I do that too, compare old and new 
side-by-side. But of course it's not just Postfix, there's 
SpamAssassin, clamav, freshclam, courier-[pop|imap], SASL stuff, 
Squirrelmail, PostFixAdmin, MySQL, Apache2. And of course, it's 
likely that more than one of those has added/changed some features 
and you end up going off to learn about them.


It's not a 5 minute job, so I wouldn't rely on that as a DR mechanism.

In addition, as of last time I updated my new server that's waiting 
to go live when I get something to run it on, the versions of certain 
packages in Lenny were incompatible - and Squirrelmail broke. I was 
able to backtrack and revert to earlier version by checking the logs 
to remind myself which packages had been upgraded - but I struggled 
finding debs for one or two since the versions I'd been running were 
no longer in the repositories. Were I installing a new machine from 
scratch - I'd have been faced with a broken system and not known if 
it was a config issue or a compatibility issue.
And all the while, managers leaning over your shoulder like kids on a 
car journey - are we nearly there yet ?


And of course, this isn't the only server I've got - hopefully I 
won't have to do a bare metal recovery of any of my Xen hosts, 
otherwise I've potentially quite a few machines to restore. I can of 
course restore all of them as they were from regular backups - I 
wouldn't want to try and rebuild them all against the clock.


--
Simon Hobson



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Simon Hobson

Jerry wrote (having given up reading I think):


>>> So, rather than update ClamAV and/or their OS, which in the majority
>>> of cases would involve no monetary expense, users will purchase new
>>> servers and flock en masse to Microsoft, spend thousands more on
>>> Microsoft Windows Server 2010, Exchange, etc and learn new skills to
>>> administer said network. Could I ask you a personal question; are you
>>> on drugs and if so, can I have some because that is one hell of a
>>> trip you are on?
>>
>> You really think they don't do that ? In the real world, PHBs all
>> over do take just that sort of decision - how else do you think MS
>> got where they are.
>
> The reasons are legion; however, for starters a fully functional GUI
> has to be listed at or near the top. For instance, one of the more
> requested features I have seen on the Postfix forum is a GUI. There
> have even been inquiries about one for Dovecot. NetManager
> http://projects.gnome.org/NetworkManager/ is becoming very popular in
> the *nix community. One of Microsoft's greatest accomplishments was
> their GUI and early use of hot plugging devices and plug & play
> capability. I seriously doubt that some FOSS EOLing their software had
> any discernible influence on its success. In any case, none of this has
> anything to do with ClamAV + EOL.


Err, it does have something to do with it. You made the assertion 
that no-one would spend money replacing a system rather than upgrade 
it. Two of us now have pointed out that real world PHB do exactly 
that sort of thing - and this issue with clamav getting the kill 
switch can be just the sort of excuse they need. It may not be a 
valid reason, but then so many business decisions are based on having 
enough excuses to do what you want rather than doing what would 
logically be right. As Giampaolo comments, some people (especially 
PHBs) simply see it as that Linux stuff blew up, best go with 
Microsoft like everyone else.


Fortunately that's not the case where I am - this box replaced an 
iMail server running on NT4 which was forever crashing and getting 
used for spamming. No-one on the engineering or support teams mourned 
its loss ! But equally, if it wasn't for the licence costs, 
management would still be happier with a Microsoft 'solution'.



>>> Furthermore, why wouldn't these "small companies running their
>>> crappy and old mailing systems" install updated versions of
>>> the OS, etc they already have installed?
>>
>> In many cases, they will have systems that were installed for them
>> some time ago, and that they no longer have paid support for. When it
>> dies they'll go to someone to fix it - and let's face it, there
>> are a lot more outfits that will tell them they need an Exchange
>> server than there are that will tell them it's an easy fix.
>
> There isn't, at least as far as I know, a fully functional *.nix
> replacement that is equivalent to Exchange.


I never suggested there was. What I did say is that there are plenty 
of people who will be happy to tell the PHB that what they really 
need is this nice shiny Exchange server (ie something that gets them 
points for their sales targets, and of course commission) rather than 
I can fix this in a few minutes. Plenty of PHBs will believe that, 
because it's an expert telling them right ?


Trust me, I've been in situations where they've made a point of not 
letting me near a customer in case I point out these things.




> As my mother used to tell me (paraphrased): I shouldn't have to tell
> you to pick up your toys; you should know enough to do it.


Did she ever lock you in the cupboard (or insert other punishment) 
because you didn't follow some instruction she left on a piece of 
paper in a place you never look ?



> The point being is that you procrastinated and now are paying the price.


Made a decision, based on resources available, what else is going on, 
and an assumption (now proven false) that my working software 
wouldn't break without me doing something to break it. Its uptime is 
405 days, cf the comments above about people with systems setup by 
others that just sit in the corner and work.


The timing is naff - in (hopefully) a few months, I'd have a better 
hand me down server and I'd have migrated the system anyway.



> Perhaps this is a good learning
> experience.


Yes, I've learned that commercial companies don't have a monopoly on 
these things !



I suppose I could just copy the guys running the Windows servers - 
and just configure all the systems to automatically install any and 
every update automatically. And then just fix things as they break - 
how I love watching the goings on on patch Tuesdays :-)


--
Simon Hobson



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Simon Hobson

Jerry wrote:


>> Err, it does have something to do with it. You made the assertion
>> that no-one would spend money replacing a system rather than upgrade
>> it. Two of us now have pointed out that real world PHB do exactly
>> that sort of thing - and this issue with clamav getting the kill
>> switch can be just the sort of excuse they need. It may not be a
>> valid reason, but then so many business decisions are based on having
>> enough excuses to do what you want rather than doing what would
>> logically be right. As Giampaolo comments, some people (especially
>> PHBs) simply see it as that Linux stuff blew up, best go with
>> Microsoft like everyone else.
>
> The two who have pointed out that real world PHB do exactly that sort
> of thing now are operating broken systems. So much for credibility.


There you are again - that attitude is rubbing people up the wrong 
way and not helping. May I point out that my system was working fine 
until fed sour data ? Your analogy would be like saying that a car is 
broken if someone put sugar in the tank, and it would be all the 
owner's fault as long as the vandal (it's claimed) told them in 
advance to fit a sugar filter.



>> Fortunately that's not the case where I am - this box replaced an
>> iMail server running on NT4 which was forever crashing and getting
>> used for spamming. No-one on the engineering or support teams mourned
>> its loss ! But equally, if it wasn't for the licence costs,
>> management would still be happier with a Microsoft 'solution'.
>
> NT is ancient history. Why you would even mention it is beyond me,
> although it might be interesting to know when they actually did get
> around to swapping it out. Then again, maybe I don't want to know.


Yet guess what, NT is still in use in many places (and it's why MS 
bought Connectix so they could rebrand their virtualisation software 
and sell it to customers so they could run their NT systems on newer 
systems). There are many reasons for using old software - in fact I 
have a PC down in the garage that still runs DOS/Windows3. In that 
case, it's an embedded system and it really, really wouldn't be worth 
trying to touch it - only to scrap it and buy another machine. We've 
got customers running similarly old software because that's what the 
package works with - and it would be horrendously expensive to 
upgrade (in many cases meaning scrapping the machine it runs).


Another server I run is also not updated. In this case, not only 
would I have to fix any issues related to the server itself - but I'd 
also risk breaking any of the customer sites it runs. Just before it 
was handed to me, the guy that built it did some updates - and then 
handed it over with an "oops, can you fix it". Yes I've had a security 
issue with it, but that was a config issue. If customers want to 
upgrade - I move them to a newer server.


What I'm trying to get through is that there are valid reasons for 
not running the very latest bleeding edge stuff. I agree that with 
something like Clamav there aren't that many show stoppers, but you 
come across as having the attitude that old versions should simply 
cease to exist and anyone running them is automatically an idiot.
It would be nice to have a job where all I have to do is run a few 
servers - and I have all the time I need to update them (and fix them 
when the update breaks it*), but I have a real world job where that 
isn't the case.


* BTW - thinking back, I've had more things break from updates, than 
I have had problems from not updating. In that respect, even with 
this issue, it's not been too bad a return from the policy decisions 
I've taken.


--
Simon Hobson
