Re: [Mimedefang] Poll: Time to drop Trophie support?
> Only if you're around 24x7x365, and can get your e-mail delivered and
> acted upon within 30 minutes.

that's it :)

> These days, it is not unusual to see a virus released over a holiday
> weekend, on the basis that it will be able to spread to a lot more
> machines before anyone picks up the warning and updates their signature
> files. Doing a freshclam check consumes so little bandwidth that it is
> a no-brainer to use it.
>
> By all means subscribe to the mailing list and update when a
> notification comes out if it makes you happy, but don't take away the
> safety net on the assumption that you'll never be ill, or forget, or
> fail to receive the e-mail.

In fact I have the two methods implemented plus a full download at midnight. ;-)

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list [EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: Freshclam load (was RE: [Mimedefang] Poll: Time to drop Trophie support?)
- Original Message -
From: "David F. Skoll" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, April 29, 2004 11:28 AM
Subject: Freshclam load (was RE: [Mimedefang] Poll: Time to drop Trophie support?)

> On Thu, 29 Apr 2004, Paul Murphy wrote:
>
> > the basis that it will be able to spread to a lot more machines
> > before anyone picks up the warning and updates their signature
> > files. Doing a freshclam check consumes so little bandwidth that it
> > is a no-brainer to use it.
>
> Freshclam actually uses an astounding amount of bandwidth if you aggregate
> it across all Freshclam users. I don't have the statistics handy, but
> I remember reading that each clam mirror does over 100GB/month.
>
> I wonder if there's a very light way to announce updates? Maybe a DNS
> record with a TTL of a few minutes that gets updated with the latest
> DB version string? It might lower the load on the DB servers. (Unfortunately,
> DNS is not secure.)

Actually, that would probably crush the servers instead since everyone
would pounce on the signature update seconds after it was released. At
least this way it's spread over an hour or two.

100GB a month actually isn't that much bandwidth, it's only 17% of a T1
line if the load were spread out over a month. Obviously there are bursts
rather than a constant load, but folks with 10M/45M/155M connections are a
lot more common today -- and if they aren't an ISP, the odds are good that
normal use is inbound-traffic-heavy, so outbound traffic is virtually free
and doesn't affect operations.

Still, it's definitely good to run your own signature server if you have a
number of systems running ClamAV. Much more polite!

Chris Myers
Networks By Design
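
A sketch of the trade-off raised in this exchange, as an added example that is not part of the thread or of ClamAV: a constructed string stands in for the DNS TXT answer, is validated as untrusted input, and a per-host delay spreads the resulting downloads over a window instead of letting every client fetch at once. The `daily=<n>` record format, the function names and the host name are assumptions.

```shell
#!/bin/sh
# Added example; the "daily=<n>" record format, function names and host name
# are assumptions made for illustration, not ClamAV's or freshclam's behaviour.

# Extract the version number from an announcement such as "daily=288".
# DNS answers are unauthenticated, so accept only 1-9 decimal digits.
parse_announced_version() {
    case "$1" in
        daily=*) v=${1#daily=} ;;
        *) return 1 ;;
    esac
    case "$v" in
        ''|*[!0-9]*|??????????*) return 1 ;;
    esac
    printf '%s\n' "$v"
}

# Stable per-host delay in [0, window) seconds, derived from a checksum of the
# host name, so clients spread their downloads instead of fetching together.
jitter_seconds() {
    sum=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    echo $(( sum % $2 ))
}

# decide <txt-answer> <local-version> <host-name> <window-seconds>
# Prints "ignore" (malformed answer), "skip" (nothing newer) or
# "update-after <seconds>". The answer only schedules a normal update run;
# it is never treated as the database itself.
decide() {
    announced=$(parse_announced_version "$1") || { echo ignore; return 0; }
    if [ "$announced" -gt "$2" ]; then
        echo "update-after $(jitter_seconds "$3" "$4")"
    else
        echo skip
    fi
}

# Constructed sample answers standing in for a TXT lookup.
for txt in 'daily=287' 'daily=288' 'daily=288;reboot'; do
    printf '%-18s -> %s\n' "$txt" "$(decide "$txt" 287 mx1.example.test 3600)"
done
```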
Freshclam load (was RE: [Mimedefang] Poll: Time to drop Trophie support?)
On Thu, 29 Apr 2004, Paul Murphy wrote:

> the basis that it will be able to spread to a lot more machines
> before anyone picks up the warning and updates their signature
> files. Doing a freshclam check consumes so little bandwidth that it
> is a no-brainer to use it.

Freshclam actually uses an astounding amount of bandwidth if you aggregate
it across all Freshclam users. I don't have the statistics handy, but
I remember reading that each clam mirror does over 100GB/month.

I wonder if there's a very light way to announce updates? Maybe a DNS
record with a TTL of a few minutes that gets updated with the latest
DB version string? It might lower the load on the DB servers. (Unfortunately,
DNS is not secure.)

--
David.
RE: [Mimedefang] Poll: Time to drop Trophie support?
> > If the list has many thousands of subscribers, it could be a while.
> Yes of course, you r right but I'm pretty sure I'll be more uptodate
> than using a scheduler.

Only if you're around 24x7x365, and can get your e-mail delivered and acted
upon within 30 minutes.

These days, it is not unusual to see a virus released over a holiday weekend,
on the basis that it will be able to spread to a lot more machines before
anyone picks up the warning and updates their signature files. Doing a
freshclam check consumes so little bandwidth that it is a no-brainer to use it.

By all means subscribe to the mailing list and update when a notification
comes out if it makes you happy, but don't take away the safety net on the
assumption that you'll never be ill, or forget, or fail to receive the e-mail.

Best Wishes,
Paul.

Paul Murphy
Head of Informatics
Ionix Pharmaceuticals Ltd
418 Science Park, Cambridge, CB4 0PA
Tel. 01223 433741
Fax. 01223 433788
Re: [Mimedefang] Poll: Time to drop Trophie support?
> I'd recommend that you give ClamAV a try; as others on the list have
> pointed out, you can set up MIMEDefang to use both virus scanners for a
> while, so you can test out ClamAV and make sure that it isn't letting
> anything through to Sophie.

thanks for the advice, but in fact, I'm already using the two one with
Mimedefang modified because I wanted Sophos/Sophie first.

Mainly because I wanted to use the Virus Names given by Sophos and not the
ones given by Sophos (which look like difficult to find in antivirus web
site as they are not listed in alias virus names).
Re: [Mimedefang] Poll: Time to drop Trophie support?
> That will have substantially the same effect,

Absolutely not, with the method I use I don't have to open unuseful internet
connections. And the method is really less aggressive. I really prefer the
PUSH method to the PULL method.

> and you don't have to wait an arbitrarily long time for someone's mail
> server to get the message delivered to you.

If their mail server is slow, I guess their FTP/HTTP server might be too...

> If the list has many thousands of subscribers, it could be a while.

Yes of course, you r right but I'm pretty sure I'll be more uptodate than
using a scheduler.
Re: [Mimedefang] Poll: Time to drop Trophie support?
- Original Message -
From: "Jerome Tytgat" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, April 29, 2004 2:28 AM
Subject: Re: [Mimedefang] Poll: Time to drop Trophie support?

> One point I prefer Sophie/Sophos vs Clamav is because I can
> get a newsletter from Sophos indicating new release of IDE
> (viral signatures).
>
> I've set up a procmail catch up which download new IDE as they
> are released.

Use freshclam and set it to poll the virus signature servers twice an hour:

    freshclam --checks=48

That will have substantially the same effect, and you don't have to wait an
arbitrarily long time for someone's mail server to get the message delivered
to you. If the list has many thousands of subscribers, it could be a while.

Chris Myers
Networks By Design
Re: [Mimedefang] Poll: Time to drop Trophie support?
Jerome Tytgat wrote:

> One point I prefer Sophie/Sophos vs Clamav is because I can get a
> newsletter from Sophos indicating new release of IDE (viral signatures).
>
> I've set up a procmail catch up which download new IDE as they are
> released.
>
> So I think I'm more uptodate with Sophie/Sophos than with Clamav.

ClamAV offers an email list of virus signature updates as well:
http://lists.sourceforge.net/lists/listinfo/clamav-virusdb

It's been my experience that ClamAV updates their signatures VERY fast; much
faster than McAfee (the only other antivirus program that I have much
experience with). Bugtraq indicates that they've been faster than Sophos too:
http://www.securityfocus.com/archive/1/353379/2004-02-07/2004-02-13/0

I'd recommend that you give ClamAV a try; as others on the list have pointed
out, you can set up MIMEDefang to use both virus scanners for a while, so you
can test out ClamAV and make sure that it isn't letting anything through to
Sophie.

Josh Kelley
Re: [Mimedefang] Poll: Time to drop Trophie support?
One point I prefer Sophie/Sophos vs Clamav is because I can get a newsletter
from Sophos indicating new release of IDE (viral signatures).

I've set up a procmail catch up which downloads new IDE as they are released.

So I think I'm more uptodate with Sophie/Sophos than with Clamav.

Maybe I'm wrong and you can correct me :)

BTW, as I have worked for a company who sold Trendmicro ISVW, we were facing
a big problem with that product, we wanted to benefit of its power but also
sendmail power.

By default, ISVW use a very little of sendmail, nor AUTH, nor SASL, nor real
mime treatment, etc.

We would have been very interested in Trophie, but the lack of ISVW feature
was the big deal.

I would have liked to see Trendmicro supporting a little more Trophie as they
do not offer a milter solution.

Matthew Schumacher wrote:

> David F. Skoll wrote:
>
> > Hi, all.
> >
> > Is anyone using Trophie with MIMEDefang? It looks like Trend Micro
> > doesn't give out enough docs for the Trophie author to maintain it.
> > If it's a dead end, I will drop Trophie support.
> >
> > Yell if that will hurt you!
>
> It seems like clamav is the best solution for mail systems anyway. I'm
> looking at replacing sophie with clamav so I have both running right now
> and I am finding that nothing is getting through clamav to sophie (sophos).
>
> schu

--
Jérôme Tytgat
Network and Security Administrator
Re: [Mimedefang] Poll: Time to drop Trophie support?
On Wed, 2004-04-28 at 12:26, David F. Skoll wrote:

> Hi, all.
>
> Is anyone using Trophie with MIMEDefang? It looks like Trend Micro doesn't
> give out enough docs for the Trophie author to maintain it. If it's
> a dead end, I will drop Trophie support.
>
> Yell if that will hurt you!

I was going to see if I could reverse engineer things enough to get trophie
working, but I wouldn't complain too much if it were to go away.

--
Stephen John Smoogen [EMAIL PROTECTED]
Los Alamos National Lab CCN-5 Sched 5/40 PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S Los Alamos, NM 87545
-- You should consider any operational computer to be a security problem --
Re: [Mimedefang] Poll: Time to drop Trophie support?
David F. Skoll wrote:

> Hi, all.
>
> Is anyone using Trophie with MIMEDefang? It looks like Trend Micro doesn't
> give out enough docs for the Trophie author to maintain it. If it's
> a dead end, I will drop Trophie support.
>
> Yell if that will hurt you!

It seems like clamav is the best solution for mail systems anyway. I'm
looking at replacing sophie with clamav so I have both running right now and
I am finding that nothing is getting through clamav to sophie (sophos).

schu