Re: Updated Clam AV monitor

2009-10-31 Thread Nathan Gibbs
* Nathan Gibbs wrote:
> I just updated the Clam AV monitor.
> 
> 
The Clamav Team listed this monitor on their site.
___
mon mailing list
mon@linux.kernel.org
http://linux.kernel.org/mailman/listinfo/mon


Re: Updated Clam AV monitor

2009-10-31 Thread Jim Trocki

On Sat, 31 Oct 2009, Nathan Gibbs wrote:

> * Nathan Gibbs wrote:
> > I just updated the Clam AV monitor.
>
> The Clamav Team listed this monitor on their site.

That's good news, but a URL for it would make the good news better :)



Re: Updated Clam AV monitor

2009-10-31 Thread Nathan Gibbs
* Jim Trocki wrote:
> On Sat, 31 Oct 2009, Nathan Gibbs wrote:
>> The Clamav Team listed this monitor on their site.
> 
> That's good news, but a URL for it would make the good news better :)
> 
> 

Oops, my bad.
:-(

http://www.clamav.net/download/third-party-tools/3rdparty-misc

I was so excited, I forgot to add the link.
:-)

-- 
Sincerely,

Nathan Gibbs

Systems Administrator
Christ Media
http://www.cmpublishers.com


Re: Updated Clam AV monitor

2009-10-31 Thread Ed Ravin
Sorry, I should have posted the clamd.monitor used at my shop.

The one from http://www.cmpublishers.com/oss/ checks the TCP
banner, complains if the socket isn't answered or if you're running
an outdated clamd (the latter a nice feature which is not in the
one I've been using).

However, the clamd monitor attached to this message goes through
the steps to actually submit a piece of email for virus scanning,
and uses the EICAR "fake virus" to test whether clamd is actually
going through the message.  That goes a bit deeper into the internals
and might turn up problems that a simple socket open/close wouldn't.

We use a similar monitor for SpamAssassin that uses the corresponding
"fake spam signature" to test whether spamd is checking messages - if
anyone's interested, let me know.

-- Ed

#!/usr/local/bin/perl5.6.1

# clamd.monitor - make sure clamd recognizes the EICAR test virus

# Written by Jed Davis.  Released to public (license is GPL) courtesy of
# PANIX Public Access Networks, http://www.panix.com

require 5.006;
use strict;
use Getopt::Std;
use ClamAV::Client;
use IO::String;

my $usage = "clamd.monitor [-d] [-p port] [-t timeout] host [host...]\n";
our ($opt_t, $opt_p, $opt_d);
getopts("p:t:d") || die $usage;
my $tcpport = $opt_p || 9001;
my $timeout = $opt_t || 30;
my $debugp  = $opt_d;

# Standard "test" virus - broken up into two lines to avoid triggering
# anti-virus systems (cough, cough)
my $virus = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-' .
            'ANTIVIRUS-TEST-FILE!$H+H*';

my @failures;
for my $host (@ARGV) {
    my $result = undef;
    eval {
        # Install the handler before arming the alarm, so a timeout can
        # never fire while SIGALRM still has its default (fatal) action.
        local $SIG{ALRM} = sub { die "Timeout ($timeout seconds)\n" };
        alarm $timeout;
        my $scanner = ClamAV::Client->new(
            socket_host => $host,
            socket_port => $tcpport);
        # scan_stream returns the signature name on a hit, undef if "clean"
        $result = $scanner->scan_stream(IO::String->new($virus));
        print STDERR "DEBUG: $host: ",
            (defined $result ? $result : "(no detection)"), "\n" if $debugp;
    };
    alarm 0;    # disarm whether the eval finished or died
    if ($@) {
        chomp $@;
        $@ =~ s/^(Could not establish socket connection), tried UNIX domain and TCP sockets at .*/$1/;
        push @failures, [$host, "Exception: $@"];
    } elsif (!$result) {
        push @failures, [$host, "Responded, but failed to recognize test virus"];
    } elsif ($result ne "Eicar-Test-Signature") {
        push @failures, [$host, "Unexpected response: $result"];
    }
}

# mon convention: failed hosts on the first line, one detail line per host after it
print join(" ", map { $$_[0] } @failures) . "\n";
print join("", map { "$$_[0]: $$_[1]\n" } @failures);

exit ($#failures >= 0);
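The same EICAR round-trip without the ClamAV::Client module, speaking clamd's INSTREAM protocol directly, as an added example that is not part of this thread or of the Perl monitor above. It assumes clamd's stock TCP port 3310 (the Perl monitor defaulted to 9001) and accepts any signature name containing "EICAR", since newer ClamAV releases no longer report "Eicar-Test-Signature".

```python
import socket
import struct

# EICAR test string, assembled from two halves so the file on disk does not
# itself trip a signature scan (same trick the Perl monitor uses).
EICAR = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-"
         "ANTIVIRUS-TEST-FILE!$H+H*")

def instream_request(data):
    """Frame data as a clamd zINSTREAM request: NUL-terminated command, then
    big-endian length-prefixed chunks, ended by a zero-length chunk."""
    return b"zINSTREAM\0" + struct.pack(">I", len(data)) + data + struct.pack(">I", 0)

def parse_scan_reply(reply):
    """Split b'stream: <name> FOUND\\0' or b'stream: OK\\0' into (status, name)."""
    text = reply.rstrip(b"\0\n").decode("ascii", "replace")
    verdict = text.partition(": ")[2]
    if verdict == "OK":
        return ("OK", None)
    if verdict.endswith(" FOUND"):
        return ("FOUND", verdict[:-len(" FOUND")])
    return ("ERROR", verdict or text)   # malformed line or clamd error text

def classify(reply):
    """None when clamd flagged the EICAR stream, otherwise a failure message
    worded like the Perl monitor's (old and new EICAR signature names pass)."""
    status, name = parse_scan_reply(reply)
    if status == "FOUND" and "eicar" in name.lower():
        return None
    if status == "OK":
        return "Responded, but failed to recognize test virus"
    return "Unexpected response: " + name

def check_host(host, port=3310, timeout=30):
    """Submit EICAR over INSTREAM; None on success, else a mon-style message.
    Port 3310 is an assumption (clamd's stock port); the Perl monitor used 9001."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(instream_request(EICAR.encode("ascii")))
            reply = b""
            while not reply.endswith(b"\0"):   # z-commands get NUL-terminated replies
                chunk = s.recv(4096)
                if not chunk:
                    break
                reply += chunk
    except OSError as exc:                     # refused, timed out, reset, ...
        return "Exception: %s" % exc
    return classify(reply)
```

Run `check_host()` over each host from mon's argument list and print the failing hosts on the first line, as the Perl monitor does.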