Re: [Clamav-users] clamd.conf question.
On Mar 25, 2008, at 1:57 AM, Arnaud Jacques wrote:

> Just a note about the DetectPUA setting:
>
> The PUAs are being detected based on patterns. You can find the patterns by doing:
> grep PUA daily.ndu
> grep PUA daily.mdu
>
> This is not a work in progress. It is not "may or may not work". This is very
> reliable detection of possibly unwanted software based on the same
> technologies as malware detection. It can be used in a production
> environment.
>
> Here is a short list of PUAs:
> EXE packers
> Remote admin tools/VNC
> Hacking tools
> Network tools
> Keyloggers/Monitoring
> Password recovery tools
> etc...

Thank you for the clarification - I'll re-enable it and review the results again. My error was in thinking this had a heuristic component of detection in it, and now I don't recall how I arrived at that conclusion. I do know it created a lot of false positives for me, but I work in an environment where those file types are intentionally exchanged.

dp

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] clamd.conf question.
Hello,

On Tuesday, 25 March 2008 at 03:28, Dennis Peterson wrote:
> DetectPUA is an abbreviation for "Detect Possibly Unwanted
> Applications". This is a method of detection that does not use
> patterns, but rather analyzes the scanned data and makes some
> decisions about its nature. This is not unlike trying to predict the
> weather based on previous weather samples and it may or may not work.
> I consider it a work in progress but not something that is ready to
> use on the corporate mail system.

Just a note about the DetectPUA setting:

The PUAs are being detected based on patterns. You can find the patterns by doing:
grep PUA daily.ndu
grep PUA daily.mdu

This is not a work in progress. It is not "may or may not work". This is very reliable detection of possibly unwanted software based on the same technologies as malware detection. It can be used in a production environment.

Here is a short list of PUAs:
EXE packers
Remote admin tools/VNC
Hacking tools
Network tools
Keyloggers/Monitoring
Password recovery tools
etc...

All the software detected as PUAs can be used in a regular way, or in a hacking way. It is up to you to decide whether PUAs are OK to be used in your computer network.

For example: if you are a system admin or a network admin, you probably need to use software such as a network sniffer, password recovery or remote admin tools. In that case, ClamAV should *not* detect these tools as possibly unwanted. PUA should be disabled.

But in the case of web hosting servers, it could be interesting to detect if a hacker drops a network sniffer or IRC server on the disk of your webserver. In that case PUA should be enabled.

The PUA setting should suit the computer security policy of your company.

-- 
Cordialement / Best regards,
Arnaud Jacques
Security Consultant
SecuriteInfo.com
http://www.securiteinfo.com
http://www.securiteinfo.net
http://www.securiteinfo.fr
Re: [Clamav-users] clamd.conf question.
On Mar 24, 2008, at 2:03 PM, Erik P. Olsen wrote:

> Hi,
>
> I am new on clamav and I have a few questions on some of the items in the
> clamd.conf file:
>
> 1. LocalSocket must be specified, it says, but what is it used for and what
> would it normally be?
>
> 2. TCPAddr. Again, I don't know what it is used for and what INADDR_ANY is.
>
> 3. DetectPUA. What sort of applications is detected with this setting?
>
> Would someone be kind enough as to clarify these questions for me?
> Thanks in advance,
> --

Here's an acceptable explanation of Unix local sockets:

http://www.frostbytes.com/~jimf/papers/sockets/sockets.html

They're used as a communications channel between processes running locally on your system. Other systems can't see them or use them. There are other socket types (tcp/ip) that we use all the time on the internet. A listener, in this case the Clamav daemon, clamd, opens a socket and other products such as clamdscan can use it to request that clamd scan something. That something can be a stream of data, a file or directory, or an archive such as a zip or tar file. Clamd is configured to use a tcp/ip socket with an assigned port number to listen on when it is to do this over the network versus locally. A local socket is a special file and will show up using the 'ls' command. A tcp/ip socket shows up when using the netstat tool.

The TCPAddr is the IP address assigned to your network interface. For systems that have multiple network cards this will cause clamd to bind to one but not the other, based on the address. A tcp/ip socket becomes the combination of the TCPAddr and the port number given to the process - technically it's a listening socket until a connection is made by another system. Clamd typically listens on port 3310 but can listen on any port you give it. INADDR_ANY is shorthand for "listen on every IP you find". That would include all active network interfaces, virtual interfaces, wireless interfaces, and even the localhost pseudo interface, lo0, which by default always uses address 127.0.0.1. The expansion of the shorthand term is INternet ADDRess, Any.

You should choose either a tcp/ip socket using TCPAddr, or a Unix socket, but not both. If you don't intend to run clamd then you don't need either one. The current version of ClamAV allows using both but that was not always so, and I'm not sure I can successfully rationalize why I'd want both. I use a local socket for self-contained systems, and a tcp/ip socket for client-server configurations where one clamav installation services several client systems over the network, but only for email. It creates a lot of network traffic to scan an entire disk across the net.

DetectPUA is an abbreviation for "Detect Possibly Unwanted Applications". This is a method of detection that does not use patterns, but rather analyzes the scanned data and makes some decisions about its nature. This is not unlike trying to predict the weather based on previous weather samples and it may or may not work. I consider it a work in progress but not something that is ready to use on the corporate mail system.

If this is useful, send a card to Luca in Italy - he keeps the ClamAV Wiki going.

dp
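The two transport choices Dennis describes (a LocalSocket path versus a TCPAddr/TCPSocket pair) and the PUA policy Arnaud lays out can be seen together in a small clamd client. This is an added example, not ClamAV's own code or anything from the thread; it assumes clamd is reachable at the configured socket, uses clamd's INSTREAM command (length-prefixed chunks, ended by a zero-length chunk), and relies on DetectPUA signatures carrying the PUA. name prefix so a caller can treat them according to local policy rather than as plain malware.

```python
import socket
import struct
from typing import Optional, Tuple
# Added example client, not ClamAV's own code. It assumes clamd is reachable
# at the LocalSocket path from clamd.conf or at TCPAddr:TCPSocket (usually 3310).
def connect(local_socket: Optional[str] = None,
            tcp: Optional[Tuple[str, int]] = None) -> socket.socket:
    """Open a connection over a LocalSocket path or a (TCPAddr, TCPSocket) pair."""
    if local_socket:
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.connect(local_socket)
        return s
    if tcp:
        return socket.create_connection(tcp)
    raise ValueError("need a LocalSocket path or a (TCPAddr, TCPSocket) pair")

def instream_frames(data: bytes, chunk: int = 8192) -> bytes:
    """Serialize an INSTREAM request: z-prefixed NUL-terminated command, then
    chunks framed as 4-byte big-endian length + data, ended by a zero-length chunk."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        out += struct.pack(">I", len(piece)) + piece
    out += struct.pack(">I", 0)
    return bytes(out)

def parse_reply(reply: bytes) -> Tuple[str, Optional[str]]:
    """Map 'stream: OK' / 'stream: <sig> FOUND' / 'stream: <msg> ERROR' to a
    (verdict, detail) pair. DetectPUA signatures carry the PUA. prefix, so they
    are reported separately and the site policy from the thread can decide."""
    text = reply.rstrip(b"\0\n").decode(errors="replace")
    _, _, verdict = text.partition(": ")
    if verdict == "OK":
        return "clean", None
    if verdict.endswith(" FOUND"):
        sig = verdict[:-len(" FOUND")]
        return ("pua" if sig.startswith("PUA.") else "infected"), sig
    return "error", verdict

def scan_bytes(sock: socket.socket, data: bytes) -> Tuple[str, Optional[str]]:
    """Send data with INSTREAM and read clamd's NUL-terminated reply."""
    sock.sendall(instream_frames(data))
    buf = bytearray()
    while not buf.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:          # clamd closed the connection early
            break
        buf += part
    return parse_reply(bytes(buf))
```

A caller would do `scan_bytes(connect(local_socket="/var/run/clamav/clamd.ctl"), data)` on a self-contained host, or `connect(tcp=("10.0.0.5", 3310))` against a central scanner; both paths are placeholders.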
Re: [Clamav-users] clamd.conf question.
On Mon, Mar 24, 2008 at 9:03 PM, Erik P. Olsen wrote:
> Hi,
>
> I am new on clamav and I have a few questions on some of the items in the
> clamd.conf file:
>
> 1. LocalSocket must be specified, it says, but what is it used for and what
> would it normally be?
>
> 2. TCPAddr. Again, I don't know what it is used for and what INADDR_ANY is.

These are used by other applications (such as clamav-milter, clamdscan etc) to connect to clamd.

> 3. DetectPUA. What sort of applications is detected with this setting?

Potentially Unwanted Applications:

http://www.clamav.org/2007/09/03/detection-of-potentially-unwanted-applications/

-- 
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he doesn't become a monster.
Friedrich Nietzsche
[Clamav-users] clamd.conf question.
Hi,

I am new on clamav and I have a few questions on some of the items in the clamd.conf file:

1. LocalSocket must be specified, it says, but what is it used for and what would it normally be?

2. TCPAddr. Again, I don't know what it is used for and what INADDR_ANY is.

3. DetectPUA. What sort of applications is detected with this setting?

Would someone be kind enough as to clarify these questions for me?

Thanks in advance,
-- 
Erik.