Re: [clamav-users] combine ALLMATCHSCAN and INSTREAM
Allmatch will not work with clamd fd passing either. Please open a Bugzilla request for allmatch when using fd passing or instream. bugzilla.clamav.net.

Thanks,
Steve

On Wed, Feb 3, 2016 at 12:09 PM, Torge Husfeldt wrote:
> Hi,
>
> what about passing an (already open) filehandle through the clamd-socket?
> Currently we're facing the tradeoff between giving the clamd-process
> more permissions or running multiple instances of the scanning-engine
> (clamd + clamscan) and parsing the output of clamscan with "tainted"
> filenames.
>
> Thanks

___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] combine ALLMATCHSCAN and INSTREAM
Hi,

what about passing an (already open) filehandle through the clamd-socket?
Currently we're facing the tradeoff between giving the clamd-process more permissions or running multiple instances of the scanning-engine (clamd + clamscan) and parsing the output of clamscan with "tainted" filenames.

Thanks

On 01.02.2016 at 21:54, Steven Morgan wrote:
> Bernhard,
>
> Clamd does not currently support ALLMATCH mode with the INSTREAM protocol.
> The only other suggestion I can offer is to preserve those files found to
> contain viruses and research them separately using ALLMATCH.
>
> Steve

--
Torge Husfeldt
Senior Anti-Abuse Engineer
Hosting Security
1&1 Internet Service GmbH
Re: [clamav-users] combine ALLMATCHSCAN and INSTREAM
Bernhard,

Clamd does not currently support ALLMATCH mode with the INSTREAM protocol. The only other suggestion I can offer is to preserve those files found to contain viruses and research them separately using ALLMATCH.

Steve

On Mon, Feb 1, 2016 at 5:27 AM, Bernhard Vogel wrote:
> Hi,
>
> is there an option in clamd to combine INSTREAM and ALLMATCHSCAN?
>
> We scan files which have already been locked (permission: 200 or similar)
> by another process/shellscript. Clamd runs with user "clamav" privileges.
> At the moment we stream the content of the locked files to CLAMD with the
> INSTREAM option.
>
> Since I also require to do an allmatchscan to review our malware
> signatures, I need to combine INSTREAM and ALLMATCHSCAN.
>
> How can I ALLMATCHSCAN files only accessible by root, without doing
> something like "sudo clamscan -z "
>
> Regards,
> Bernhard
[clamav-users] combine ALLMATCHSCAN and INSTREAM
Hi,

is there an option in clamd to combine INSTREAM and ALLMATCHSCAN?

We scan files which have already been locked (permission: 200 or similar) by another process/shellscript. Clamd runs with user "clamav" privileges. At the moment we stream the content of the locked files to CLAMD with the INSTREAM option.

Since I also require to do an allmatchscan to review our malware signatures, I need to combine INSTREAM and ALLMATCHSCAN.

How can I ALLMATCHSCAN files only accessible by root, without doing something like "sudo clamscan -z "

Regards,
Bernhard
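
The INSTREAM exchange this thread revolves around, as an added example that is not part of the original posts or of ClamAV's own code: a privileged reader opens the locked file and streams its content to clamd, so clamd itself needs no extra permissions. The framing follows clamd's documented INSTREAM format; `fake_clamd`, its marker bytes and the signature name `Constructed.Test.Sig` are constructed stand-ins so the block runs without a daemon.

```python
import io
import socket
import struct
import threading

def instream_frames(fileobj, chunk_size=4096):
    """Yield the frames of one clamd INSTREAM session for an open file object."""
    yield b"zINSTREAM\0"  # 'z' prefix: command and reply are NUL-terminated
    while data := fileobj.read(chunk_size):
        yield struct.pack("!I", len(data)) + data  # 4-byte network-order length + chunk
    yield struct.pack("!I", 0)  # zero-length chunk ends the stream

def parse_reply(raw):
    """Map b'stream: <sig> FOUND\\0' or b'stream: OK\\0' to (status, detail)."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    verdict = text.partition(": ")[2] or text  # error replies may lack the prefix
    if verdict == "OK":
        return ("OK", None)
    if verdict.endswith(" FOUND"):
        return ("FOUND", verdict[:-len(" FOUND")])
    return ("ERROR", verdict)

def scan_instream(sock, fileobj):
    """Stream fileobj over a connected clamd socket; return the parsed verdict."""
    for frame in instream_frames(fileobj):
        sock.sendall(frame)
    reply = b""
    while not reply.endswith(b"\0") and (part := sock.recv(4096)):
        reply += part
    return parse_reply(reply)

def fake_clamd(conn, marker=b"CONSTRUCTED-TEST-MARKER"):
    """Constructed stand-in for clamd (not the real daemon): serves one session."""
    rf = conn.makefile("rb")
    assert rf.read(10) == b"zINSTREAM\0"
    body = b""
    while (n := struct.unpack("!I", rf.read(4))[0]):
        body += rf.read(n)
    verdict = b"Constructed.Test.Sig FOUND" if marker in body else b"OK"
    conn.sendall(b"stream: " + verdict + b"\0")

def demo(payload):
    """Run client and stand-in over a socketpair, so no clamd is needed."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_clamd, args=(server,)); t.start()
    result = scan_instream(client, io.BytesIO(payload))
    t.join(); client.close(); server.close()
    return result
```

Against a real daemon, pass `scan_instream` a socket connected to clamd's configured local or TCP socket; the reply carries a single verdict per stream, which is the limitation Steve describes for ALLMATCH.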