Re: [clamav-users] Clamd vs clamscan

2016-02-10 Thread Gene Heskett
On Wednesday 10 February 2016 05:29:19 Brad Scalio wrote:

> I've seen a lot of fodder on clamd vs clamscan, running 0.99 on
> RHEL6.7 exit/entry points ... While it's easy enough to use clamscan
> via cron, is there any good stepwise SOP on getting clamd to work
> permission wise to scan all filesystem?  I like the ability to have it
> all controlled via the daemon, easier to enforce configurations via
> puppet, easier quick checking and tweaking of conf, etc ... Apologies
> if I missed the page or doc, but been googling for months to find a
> simple guide.
>
> If clamscan is the preferred way, I'm fine with that, just not sure
> why there's a daemon then?  Is it for on-access, more for other OS
> installs?
>
> Thanks!
> Brad

When doing a bulk scan, clamscan via cron seems to be the preferred usage.

When procmail asks for an incoming email scan, then clamd is used.

But, I do wish that clamd would send me a substitute email advising that 
it has stashed a suspect incoming email into the 
mailfile /var/spool/mail/virii.  I try to look that file over for FP's, 
but quickly get lost in the visual garbage because it's probably a zip'd 
file. I just looked over 260kb of what clamd id'd as virii, but which in 
fact are 5 messages from my bank about a new CC they were sending me, 
and some 5 or 6 were propaganda from AARP. And 3 shipping notices 
regarding stuff I bought thru ebay. In this case, an FP rate in excess 
of 90%! That is so high that I am expunging the clamd recipe from 
my .procmailrc as the next thing I do.  Only two files 
containing .zip's were real suspects, and I do have a delete button.

Also on my wishlist is a clamscan recipe that only sends me an email IF 
it finds something.  Those are useless noise IMO.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
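Gene's wish for a clamscan cron recipe that only mails when something is found is a small wrapper around clamscan's exit status. The script below is an added example, not anything from the thread or from the ClamAV project: it relies only on the documented clamscan exit codes (0 nothing found, 1 virus found, 2 error) and on a local `mail` command, and treats a scan error as something worth a mail too, since a silently broken scan would otherwise look like a clean one. The paths in the crontab comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a cron wrapper around clamscan that
# mails the report only when the scan found something or failed. A clean
# run produces no mail at all.
#
# clamscan(1) exit status: 0 = no virus found, 1 = virus(es) found,
# 2 = some error(s) occurred.

CLAMSCAN="${CLAMSCAN:-clamscan}"      # scanner binary (assumed to be on PATH)
MAILTO="${MAILTO:-root}"              # recipient; set it from the crontab environment

# classify STATUS -> clean | infected | error
classify() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;   # a broken scan must not pass silently as "clean"
    esac
}

# scan_and_notify PATH... : scan the paths, mail the report unless clean.
# Returns clamscan's own exit status so cron logs and callers can see it too.
scan_and_notify() {
    report=$(mktemp) || return 2
    # -r recurse, -i list only infected files, --no-summary keeps the body
    # short: with these a clean run writes nothing at all to the report
    "$CLAMSCAN" -r -i --no-summary "$@" >"$report" 2>&1
    status=$?
    verdict=$(classify "$status")
    if [ "$verdict" != clean ]; then
        mail -s "clamscan: $verdict on $(uname -n) (exit $status)" "$MAILTO" <"$report"
    fi
    rm -f "$report"
    return "$status"
}

# Run directly from cron, e.g. (placeholder paths):
#   0 3 * * * /usr/local/sbin/clamscan-notify /home /var/www
if [ "$#" -gt 0 ]; then
    scan_and_notify "$@"
fi
```

Because the wrapper returns clamscan's status unchanged, cron's own MAILTO handling is unaffected; the only mail the script itself sends carries the `FOUND` lines (or the error text) as its body.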


Re: [clamav-users] Clamd vs clamscan

2016-02-10 Thread Kris Deugau
Gene Heskett wrote:
> But, I do wish that clamd would send me a substitute email advising that 
> it has stashed a suspect incoming email into the 
> mailfile /var/spool/mail/virii.  I try to look that file over for FP's, 
> but quickly get lost in the visual garbage because its probably a zip'd 
> file.

This depends on exactly where clamdscan is being called in your mail
processing; ClamAV just does a bunch of pattern matching and returns a
result in most configurations.

On my personal server, I call Clam from the MIMEDefang milter such that
all signature-based hits get discarded sight unseen, but any hits on any
phishing or "Heuristics" tests get a header added for consideration by
SpamAssassin, precisely because of things like:

> I just looked over 260kb of what clamd id'd as virii, but which in
> fact are 5 messages from my bank about a new CC they were sending me, 
> and some 5 or 6 were propaganda from AARP. And 3 shipping notices 
> regarding stuff I bought thru ebay. In this case, an FP rate in excess 
> of 90%! That is so high that I am expunging the clamd recipe from 
> my .procmailrc as the next thing I do.  Only two files 
> containing .zip's, were real suspects, and I do have a delete button.

I suspect those FP hits are Heuristics.Phishing.Email.SpoofedDomain
hits.  A lot of organizations that should really know better tend to
trigger this with third-party mailings or promotional mailings where the
link text says "mybank.com", but the link address is "tracking.example.com".

-kgd
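The routing Kris describes (signature hits discarded, heuristic and phishing hits only tagged for SpamAssassin to weigh) comes down to a decision on clamd's reply line. The function below is an added example, not Kris's MIMEDefang filter and not ClamAV code: it applies that policy to clamd replies of the form `<name>: <signature> FOUND`, `<name>: OK` or `<name>: <message> ERROR`. The header name `X-Clam-Heuristic` and the sample signature `Email.Phishing.Bank-1` are constructed for the example; `Heuristics.Phishing.Email.SpoofedDomain` is the name Kris mentions.

```shell
#!/bin/sh
# Added example, not Kris's MIMEDefang filter: the routing decision described
# above, applied to clamd reply lines. clamd answers a SCAN/INSTREAM request
# with "<name>: <signature> FOUND", "<name>: OK" or "<name>: <msg> ERROR".
# Policy: signature hits are dropped, heuristic/phishing hits only get a
# header so the spam filter can weigh them, errors are surfaced separately.

# route_reply REPLY -> prints one of: ok, discard, flag, error
route_reply() {
    case "$1" in
        *": OK")                    echo ok ;;
        *": Heuristics."*" FOUND")  echo flag ;;     # e.g. Heuristics.Phishing.Email.SpoofedDomain
        *"Phishing"*" FOUND")       echo flag ;;     # phishing names outside the Heuristics.* family
        *" FOUND")                  echo discard ;;  # ordinary malware signature: drop sight unseen
        *)                          echo error ;;    # "... ERROR" or anything unexpected
    esac
}

# signature_name REPLY -> the signature part of a FOUND line ("" otherwise)
signature_name() {
    case "$1" in
        *" FOUND") s="${1#*: }"; echo "${s% FOUND}" ;;
        *) echo "" ;;
    esac
}

# header_for REPLY -> the header line to add when the verdict is "flag".
# X-Clam-Heuristic is a name chosen for this example; SpamAssassin needs a
# matching header rule before it will score on it.
header_for() {
    printf 'X-Clam-Heuristic: %s\n' "$(signature_name "$1")"
}

# demo: run the policy over a few constructed reply lines
demo() {
    for reply in \
        "stream: OK" \
        "stream: Eicar-Test-Signature FOUND" \
        "stream: Heuristics.Phishing.Email.SpoofedDomain FOUND" \
        "/var/spool/x: lstat() failed: No such file or directory. ERROR"
    do
        printf '%-8s %s\n' "$(route_reply "$reply")" "$reply"
    done
}
```

The bank and shipping notices Gene saw would land in the `flag` branch here: they keep flowing, carry the header, and SpamAssassin's other evidence decides, which is what keeps a single over-eager heuristic from deleting legitimate mail on its own.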


Re: [clamav-users] Clamd vs clamscan

2016-02-10 Thread Matus UHLAR - fantomas

On 10.02.16 05:29, Brad Scalio wrote:

I've seen a lot of fodder on clamd vs clamscan, running 0.99 on RHEL6.7
exit/entry points ... While it's easy enough to use clamscan via cron, is
there any good stepwise SOP on getting clamd to work permission wise to
scan all filesystem?


For the case of any bug in clamd, it should not be able to scan private
files. 


 I like the ability to have it all controlled via the
daemon, easier to enforce configurations via puppet, easier quick checking
and tweaking of conf, etc ... Apologies if I missed the page or doc, but
been googling for months to find a simple guide.

If clamscan is the preferred way, I'm fine with that, just not sure why
there's a daemon then?  Is it for on-access, more for other OS installs?


clamscan is not the preferred way. There are cases where clamscan is better.

However: how many infections are there for Linux systems, that you want to
scan it all? The most common usage of clamav is to scan mail going through the
system and scan filesystems shared to Windows machines.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I wonder how much deeper the ocean would be without sponges. 


Re: [clamav-users] Clamd vs clamscan

2016-02-10 Thread Gene Heskett
On Wednesday 10 February 2016 10:22:44 Kris Deugau wrote:

> Gene Heskett wrote:
> > But, I do wish that clamd would send me a substitute email advising
> > that it has stashed a suspect incoming email into the
> > mailfile /var/spool/mail/virii.  I try to look that file over for
> > FP's, but quickly get lost in the visual garbage because its
> > probably a zip'd file.
>
> This depends on exactly where clamdscan is being called in your mail
> processing;  ClamAV just does a bunch of pattern matching and returns
> a result in most configurations.
>
> On my personal server, I call Clam from the MIMEDefang milter such
> that all signature-based hits get discarded sight unseen, but any hits
> on any phishing or "Heuristics" tests get a header added for
> consideration by SpamAssassin, precisely because of things like:
>
> > I just looked over 260kb of what clamd id'd as virii, but which in
> > fact are 5 messages from my bank about a new CC they were sending
> > me, and some 5 or 6 were propaganda from AARP. And 3 shipping
> > notices regarding stuff I bought thru ebay. In this case, an FP rate
> > in excess of 90%! That is so high that I am expunging the clamd
> > recipe from my .procmailrc as the next thing I do.  Only two files
> > containing .zip's, were real suspects, and I do have a delete
> > button.
>
> I suspect those FP hits are Heuristics.Phishing.Email.SpoofedDomain
> hits.  A lot of organizations that should really know better tend to
> trigger this with third-party mailings or promotional mailings where
> the link text says "mybank.com", but the link address is
> "tracking.example.com".

I believe that to be fairly accurate too. OTOH, I do get a lot of stuff 
that passes, which IMO is phishing so that perhaps needs help.

> -kgd

In any event, that recipe is commented out now and several spam spewer 
addresses restored to dump them into the spam folder, more as an aid to 
keep spamassassin well trained. I think it could do a better job, but at 
least I can get to review its effectiveness late in the evenings before 
sa-learn --spam is called on that directory. 


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 


Re: [clamav-users] Clamd vs clamscan

2016-02-10 Thread Brad Scalio
Unfortunately there are certain standards that information systems have to
adhere to regardless of the logic under specific deployments (i.e. FIPS,
FISMA).

Considering there are other technical controls that would impact operations
much more significantly than running antivirus on a Linux system, we have
to choose wisely those controls we resist and ask for AORs on from our AO,
at the risk of others being implemented despite the efficacy, still adhere
to said standards.

I realize that's not ideal, but sometimes it's just the lot we draw in
life.  I don't want anyone to think antivirus is the only technical control
we have as it relates to host based malicious code prevention, there's
dozens, however the media and vendors have done an excellent job pushing
products.

Anyway off-topic ... Thanks so much for all the valuable input, this user
list has been most helpful during our investigation and analysis, much
appreciated!!!
On Feb 10, 2016 08:51, "Matus UHLAR - fantomas" wrote:

> On 10.02.16 05:29, Brad Scalio wrote:
>
>> I've seen a lot of fodder on clamd vs clamscan, running 0.99 on RHEL6.7
>> exit/entry points ... While it's easy enough to use clamscan via cron, is
>> there any good stepwise SOP on getting clamd to work permission wise to
>> scan all filesystem?
>>
>
> For the case of any bug in clamd, it should not be able to scan private
> files.
>
>>  I like the ability to have it all controlled via the
>> daemon, easier to enforce configurations via puppet, easier quick checking
>> and tweaking of conf, etc ... Apologies if I missed the page or doc, but
>> been googling for months to find a simple guide.
>>
>> If clamscan is the preferred way, I'm fine with that, just not sure why
>> there's a daemon then?  Is it for on-access, more for other OS installs?
>>
>
> clamscan is not the preferred way. There are cases where clamscan is
> better.
>
> However: how many infections are there for Linux systems, that you want to
> scan it all? The most common usage of clamav is to scan mail going through
> the system and scan filesystems shared to Windows machines.
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> I wonder how much deeper the ocean would be without sponges.


[clamav-users] Clamd vs clamscan

2016-02-10 Thread Brad Scalio
I've seen a lot of fodder on clamd vs clamscan, running 0.99 on RHEL6.7
exit/entry points ... While it's easy enough to use clamscan via cron, is
there any good stepwise SOP on getting clamd to work permission wise to
scan all filesystem?  I like the ability to have it all controlled via the
daemon, easier to enforce configurations via puppet, easier quick checking
and tweaking of conf, etc ... Apologies if I missed the page or doc, but
been googling for months to find a simple guide.

If clamscan is the preferred way, I'm fine with that, just not sure why
there's a daemon then?  Is it for on-access, more for other OS installs?

Thanks!
Brad


Re: [clamav-users] Clamd vs clamscan

2016-02-10 Thread Dennis Peterson
Clamd is for on-demand scanning and purpose built for email scanning. It runs as 
an unprivileged user which makes it awkward for scanning arbitrary files. 
Clamscan is for user initiated or scheduled scanning of arbitrary files, and can 
be run as any system user. Clamscan is undesirable as an on-demand scanner owing 
to startup delays while it loads signature files. Each utility has a well 
thought out role and when used as intended it provides an excellent and 
efficient service.


dp

On 2/10/16 2:29 AM, Brad Scalio wrote:

I've seen a lot of fodder on clamd vs clamscan, running 0.99 on RHEL6.7
exit/entry points ... While it's easy enough to use clamscan via cron, is
there any good stepwise SOP on getting clamd to work permission wise to
scan all filesystem?  I like the ability to have it all controlled via the
daemon, easier to enforce configurations via puppet, easier quick checking
and tweaking of conf, etc ... Apologies if I missed the page or doc, but
been googling for months to find a simple guide.

If clamscan is the preferred way, I'm fine with that, just not sure why
there's a daemon then?  Is it for on-access, more for other OS installs?

Thanks!
Brad


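Dennis's point that clamd runs as an unprivileged user (and Matus's earlier one that a buggy clamd must not be able to read private files) comes down to a handful of clamd.conf settings. The fragment below is an added example, not from the thread and not the ClamAV project's shipped configuration: it shows the settings that keep the daemon unprivileged and its socket access restricted, plus the optional on-access block Brad asked about. The socket path, the share path and uid 105 are assumptions for a typical Linux install; check your distribution's packaged clamd.conf for its defaults. Bulk scans of files the clamav user cannot read belong to clamscan run as a suitable user, or to `clamdscan --fdpass`, which opens the file on the client side and hands the descriptor to clamd.

```ini
# Added example, not from the thread: clamd.conf settings that keep the
# daemon unprivileged while still serving mail scanning and, if wanted,
# on-access scanning. Paths and the uid below are assumptions.

# Drop privileges after start-up. Do not remove this to "fix" permission
# errors on bulk scans; use clamscan (or clamdscan --fdpass) for those, so a
# bug in the daemon never gives it read access to every file on the host.
User clamav

# Local socket for clients such as clamdscan and the mail filter; the group
# and mode restrict who may submit scan requests at all.
LocalSocket /var/run/clamav/clamd.sock
LocalSocketGroup clamav
LocalSocketMode 660

# Keep a single oversized message or nested archive from tying up the daemon.
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 16

# Optional on-access scanning (the "is it for on-access" question above).
# Only the listed trees are watched, and the daemon's own uid (assumed 105
# here) is excluded so its own file accesses do not trigger further scans.
ScanOnAccess yes
OnAccessIncludePath /srv/samba/shares
OnAccessExcludeUID 105
OnAccessMaxFileSize 5M
```

With `User clamav` in place, a "permission denied" on a daemon scan is the expected outcome for files outside the daemon's reach, not a misconfiguration to work around by running clamd as root.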