[sniffer] Re: eWall
On Feb 2, 2009, at 2:50 PM, Andy Schmidt wrote:

> Wo – how did I miss eWall all these years? I thought ASSP was the only game in Windows town, but I didn’t like the Sniffer integration and was worried about running on Perl.
>
> Sadly, the eWall web site is terrible – I don’t see any manual or installation guide or anything that allows me to evaluate the software’s suitability “on paper”.
>
> But from the little bit that the video-walk-through reveals when you stop the video at just the right moments to be able to catch the screens – THIS looks like an awesome application addressing many issues I’ve always wanted to address.

Being a Designer I could not help but voice the same concerns to these folks when I first bought their program. $99 and no renewal fees... It revived my server that had iMail choking on the amounts of processing needed to handle the volumes of email passing through the server.

I believe the manual is included in the download when testing the product if that helps.

Regards,
Steve Guluk
SGDesign
(949) 661-9333
[sniffer] Re: Announcing ClamAID - Clam AV installer for windows.
They offer a ClamAV tie-in: http://sssolutions.net/ew/tutor.php?topic=setup

From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Pete McNeil
Sent: Monday, February 02, 2009 2:53 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Announcing ClamAID - Clam AV installer for windows.

Hello Steve,

Monday, February 2, 2009, 2:31:17 PM, you wrote:

> Any plans on an eWall version?

We may look into that -- however, eWall is a very fast, lightweight solution; SNF is easily fast enough to work during the SMTP conversation; Clam AV is decidedly not that fast. It might not be a good fit to put Clam AV in an SMTP proxy. SNF will reject most email borne malware seen within eWall.

None the less, we will look into it-- I'm sure Clam AV could be scripted into eWall-- perhaps only running on those messages that don't get rejected up-front.

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
[sniffer] Re: eWall
Wo - how did I miss eWall all these years? I thought ASSP was the only game in Windows town, but I didn't like the Sniffer integration and was worried about running on Perl.

Sadly, the eWall web site is terrible - I don't see any manual or installation guide or anything that allows me to evaluate the software's suitability "on paper".

But from the little bit that the video-walk-through reveals when you stop the video at just the right moments to be able to catch the screens - THIS looks like an awesome application addressing many issues I've always wanted to address.

From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Pete McNeil
Sent: Monday, February 02, 2009 2:53 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Announcing ClamAID - Clam AV installer for windows.

Hello Steve,

Monday, February 2, 2009, 2:31:17 PM, you wrote:

> Any plans on an eWall version?

We may look into that -- however, eWall is a very fast, lightweight solution; SNF is easily fast enough to work during the SMTP conversation; Clam AV is decidedly not that fast. It might not be a good fit to put Clam AV in an SMTP proxy. SNF will reject most email borne malware seen within eWall.

None the less, we will look into it-- I'm sure Clam AV could be scripted into eWall-- perhaps only running on those messages that don't get rejected up-front.

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
[sniffer] Re: Announcing ClamAID - Clam AV installer for windows.
At 12:49 2/2/2009 -0500, you wrote:

> Hello Sniffer Folks,
>
> We've noticed that folks often have trouble getting Clam AV (the free open source anti-virus scanner) working correctly on their mail servers, so we've created a free product to help solve that. ClamAID (Clam AV Assisted Install Device).
>
> http://www.armresearch.com/tools/arm/clamAID.jsp
>
> What ClamAID does is collect all of the bits and pieces that make ClamAV work, configure them, install them, and get them running with your email / filtering platform.
>
> So far ClamAID supports IceWarp, Declude/IMail, and Declude/SmarterMail.
>
> We will add support for additional platforms as requested (time permitting).

Is an mxGuard/IMail version in the works?

--
Kirk Mitchell - General Manager
mi...@keyconn.net
Keystone Connect
Unlock Your World
Altoona, PA
814-941-5000
http://www.keyconn.net
[sniffer] Re: Announcing ClamAID - Clam AV installer for windows.
Hello Steve,

Monday, February 2, 2009, 2:31:17 PM, you wrote:

> Any plans on an eWall version?

We may look into that -- however, eWall is a very fast, lightweight solution; SNF is easily fast enough to work during the SMTP conversation; Clam AV is decidedly not that fast. It might not be a good fit to put Clam AV in an SMTP proxy. SNF will reject most email borne malware seen within eWall.

None the less, we will look into it-- I'm sure Clam AV could be scripted into eWall-- perhaps only running on those messages that don't get rejected up-front.

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
[sniffer] Re: Announcing ClamAID - Clam AV installer for windows.
Any plans on an eWall version?

On Feb 2, 2009, at 9:49 AM, Pete McNeil wrote:

> Hello Sniffer Folks,
>
> We've noticed that folks often have trouble getting Clam AV (the free open source anti-virus scanner) working correctly on their mail servers, so we've created a free product to help solve that. ClamAID (Clam AV Assisted Install Device).
>
> http://www.armresearch.com/tools/arm/clamAID.jsp
>
> What ClamAID does is collect all of the bits and pieces that make ClamAV work, configure them, install them, and get them running with your email / filtering platform.
>
> So far ClamAID supports IceWarp, Declude/IMail, and Declude/SmarterMail.
>
> We will add support for additional platforms as requested (time permitting).
>
> Please take a look, keep us posted on your progress, and tell your friends about ClamAID if it helps you.
>
> If you have any questions or run into problems then please let us know (support@).
>
> Thanks!
>
> _M
>
> --
> Pete McNeil
> Chief Scientist,
> Arm Research Labs, LLC.

Regards,
Steve Guluk
SGDesign
(949) 661-9333
[sniffer] Re: Crosspost: ClamAV for Window (Summary of what I had posted last month on a different list)
Team, Sniffer Folks, Andy:

The ClamAID installer does handle the pthreads requirement for you. It does wrap ClamD as a service (from the w32.clamav.net port), as well as wrapping freshclam.exe as a reoccurring service, and it finishes with a test of the eicar file.

Older Port? Yes, again, you are correct. The port from ClamAV is old, and so the warning (from executing the ClamAV scanner at the command line) gives you a 36 out of 48 possible in your "upgrade score". (Meaning, your database is up to date, but you have an older clamd.exe.) This will be updated as soon as ClamAV releases a rebuild.

We felt that while we could use one of the other two ports that were out there, people would be more comfortable using the .MSI that was issued from ClamAV. Sadly, this MSI does have limitations, that we've hopefully corrected. (One of these is it fails to adjust the paths in data and config resources, if you install in an alternative folder.)

Every document we found said "Don't Change the Install Path!" Yet the ClamAV installer offers you the choice to put it anywhere. The problem seems to be that the Clamd.exe ignores its local config file if it's installed somewhere other than C:\ClamAV\

The workaround is to always include the command line switch --config-file="" in all calls to clamdscan.exe or freshclam.exe.

ClamAID handles correcting those issues. It uses command line config references for all calls from Declude or Icewarp, in order to enable you to install it in a location other than C:\ClamAV\

We thought that was a good upgrade just in itself.

Let us know how it responds under fire.

Thanks,
Andrew Wallo

----- Original Message -----
From: "Andy Schmidt"
To: "Message Sniffer Community"
Sent: Monday, February 02, 2009 1:20 PM
Subject: [sniffer] Crosspost: ClamAV for Window (Summary of what I had posted last month on a different list)

Hi,

1. http://www.clamwin.com is essentially a GUI/desktop build. It's kept current - but doesn't have ClamD. So no good!

2. http://hideout.ath.cx/clamav/ needs CHP (http://www.commandline.co.uk/chp/) to run in the "background", but was unable to run this ClamD as a "service".

3. http://w32.clamav.net/ (the "official" build) does have ClamD and can use the current signature files - BUT the build is 10 months old (whatever the consequence of that might be). It can be made to work with Declude, using a little Jscript that I'm attaching.

a) Declude Configuration:

#ClamAV
SCANFILE1 c:\Windows\system32\cscript.exe //nologo D:\CMDfiles\runClamAV.JS
VIRUSCODE1 1
REPORT1 FOUND

b) Schedule this hourly to fetch signature updates:

freshclam --daemon-notify

The Jscript file trims off the trailing "\" that Declude uses (otherwise ClamDScan exits with code "2", file/path not found) and generates a Report.txt file that matches Declude's expected format.

It would be helpful if someone were to either take over the "official builds" and bring the version up to date (and teaches ClamDScan to accept paths with trailing backslashes).

Best Regards,
Andy

-----Original Message-----
From: Andy Schmidt [mailto:andy_schm...@hm-software.com]
Sent: Sunday, January 04, 2009 6:39 PM

Hi,

The official Win32 build seems to work just fine, ClamD service and all?

a) I downloaded and installed the MSI file

b) I downloaded the pthread DLL that it required

c) I confirmed that clamscan (the command line scanner) was working - it was.

d) I confirmed that I could run clamd from the command line. Then I used clamdscan from a second command window to scan for eicar.com, but this time using the clamd instance - and it detected it instantly.

e) I installed clamd as a Windows service:

"C:\Program Files\Windows Resource Kits\Tools\Instsrv.exe" "ClamAV ClamD" "C:\Program Files\Windows Resource Kits\Tools\Srvany.exe"

Then added the necessary registry entry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClamAV ClamD\Parameters]
"Application"="C:\\Program Files\\clamAV\\clamd.exe"

f) started the ClamAV ClamD service - and again confirmed with clamdscan that it detected eicar beautifully.

Not sure if that helps anyone?

Best Regards,
Andy
[sniffer] Re: Announcing ClamAID - Clam AV installer for windows.
Team, Sniffer Folks, Beta Testers:

I've handled most of the testing and the development so I'll do my best to reply: (I'll respond inline to A.Schmidt's inquiries.)

_Andy Wallo

> - The engine for "official" Windows build I found (http://w32.clamav.net/) was out of date (but still usable) and had problems with trailing backslashes the way that Declude was passing them.

Sadly, this is an issue of the very overworked and newly promoted head of project management at ClamAV. He has handled the port up to this point, but due to other demands, has not rebuilt the current stable Windows port, nor delegated that task. ClamAV does state that they intend to keep their Windows port however. (There has been some concern what with the Cygwin versions come to a close etc.) I am keeping tabs on this, so that at the earliest possible moment, we can push a rebuild of ClamAID with the upgraded port.

This does NOT affect the side of the system that downloads new/daily databases, etc. (Freshclam.exe is wrapped with XYNTService as FreshClamSVC and will run periodically in the background.)

> - The ClamWin build was current, but resisted any attempt to run it as a service.

ClamD (and FreshClam) are fully wrapped with XYNTService, and allow the Declude users to use clamdscan.exe instead of the very time and cpu consuming clamscan.exe. (Thus saving the re-booting of the clam databases etc.)

> - Either one had the problem that the virus report generated by ClamAV is not understood by Declude (which looks only for one, very specific pattern) - so one doesn't get the proper virus name passed to messages, log files and virus statistics

I have read about this in some reports, and I've used the Declude recommended call for calling Clam... I'd like more information if you have it on your specific solution of the name-disconnect. < open issue? >

However, the ClamAID install sets the system up to have both Declude as well as ClamAV log their results. So the correct view of what is happening should be being logged on the ClamAV side, if not fully transparent through Declude.

> I ended up scripting some middleware between Declude and Clam that would address the trailing backslash on the input side and the virus name on the output side.

We haven't detected a trailing backslash issue with clamdscan.exe being called from Declude.

Of course, we're not perfect, but we'd definitely love to get your read on the AID tool.

Thanks.
Andrew Wallo
[sniffer] Crosspost: ClamAV for Window (Summary of what I had posted last month on a different list)
Hi,

1. http://www.clamwin.com is essentially a GUI/desktop build. It's kept current - but doesn't have ClamD. So no good!

2. http://hideout.ath.cx/clamav/ needs CHP (http://www.commandline.co.uk/chp/) to run in the "background", but was unable to run this ClamD as a "service".

3. http://w32.clamav.net/ (the "official" build) does have ClamD and can use the current signature files - BUT the build is 10 months old (whatever the consequence of that might be). It can be made to work with Declude, using a little Jscript that I'm attaching.

a) Declude Configuration:

#ClamAV
SCANFILE1 c:\Windows\system32\cscript.exe //nologo D:\CMDfiles\runClamAV.JS
VIRUSCODE1 1
REPORT1 FOUND

b) Schedule this hourly to fetch signature updates:

freshclam --daemon-notify

The Jscript file trims off the trailing "\" that Declude uses (otherwise ClamDScan exits with code "2", file/path not found) and generates a Report.txt file that matches Declude's expected format.

It would be helpful if someone were to either take over the "official builds" and bring the version up to date (and teaches ClamDScan to accept paths with trailing backslashes).

Best Regards,
Andy

-----Original Message-----
From: Andy Schmidt [mailto:andy_schm...@hm-software.com]
Sent: Sunday, January 04, 2009 6:39 PM

Hi,

The official Win32 build seems to work just fine, ClamD service and all?

a) I downloaded and installed the MSI file

b) I downloaded the pthread DLL that it required

c) I confirmed that clamscan (the command line scanner) was working - it was.

d) I confirmed that I could run clamd from the command line. Then I used clamdscan from a second command window to scan for eicar.com, but this time using the clamd instance - and it detected it instantly.

e) I installed clamd as a Windows service:

"C:\Program Files\Windows Resource Kits\Tools\Instsrv.exe" "ClamAV ClamD" "C:\Program Files\Windows Resource Kits\Tools\Srvany.exe"

Then added the necessary registry entry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClamAV ClamD\Parameters]
"Application"="C:\\Program Files\\clamAV\\clamd.exe"

f) started the ClamAV ClamD service - and again confirmed with clamdscan that it detected eicar beautifully.

Not sure if that helps anyone?

Best Regards,
Andy

// Application Constants
var strClamAV = "C:\\Program Files\\clamAV\\ClamDScan.exe";

// Get Command Line Parameter
if ( WScript.Arguments.Count() == 0 )
    WScript.Quit();                 // nothing to scan
var strPath = WScript.Arguments(0);

// Trim last backslash
if ( strPath.substr( strPath.length - 1 ) == "\\" )
    strPath = strPath.substr( 0, strPath.length - 1 );

// Quote the executable and the path: both may contain spaces, and an
// unquoted "C:\Program Files\..." lets Windows try C:\Program.exe first.
var strCommand = "\"" + strClamAV + "\" \"" + strPath + "\"";

// Run ClamAV
var objShell = new ActiveXObject("WScript.Shell");
WScript.Echo( "Launching: " + strCommand );
var objExec = objShell.Exec( strCommand );

var strLine, strReport;
var nSeperator, nFound;
var bHaveFound = false;
while ( !objExec.StdOut.AtEndOfStream )
{
    // Process ClamAV Output (keep reading to the end so the scanner can exit)
    strLine = objExec.StdOut.ReadLine();
    if ( bHaveFound ) continue;

    nFound = strLine.indexOf( " FOUND" );
    if ( nFound > 0 )
    {
        nSeperator = strLine.indexOf( ": " );
        if ( nSeperator < 1 ) continue;

        // Appears to be a possible virus report
        bHaveFound = true;
        strReport = strLine.substring( 0, nSeperator ) + " FOUND " + strLine.substring( nSeperator + 2, nFound );
        WScript.Echo( "Reporting: " + strReport );

        // Create Declude Report File
        var objFS = new ActiveXObject("Scripting.FileSystemObject");
        var objTS = objFS.CreateTextFile( "Report.txt" );
        objTS.WriteLine( strReport );
        objTS.Close();
    }
}

// Wait for completion to be able to obtain exit code
while ( objExec.Status != 1 )
    WScript.Sleep(100);

WScript.Echo( strClamAV + " returned: " + objExec.ExitCode );
WScript.Quit( objExec.ExitCode );
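The two adaptations the script above makes (trailing backslash on the input side, Declude report line on the output side), as an added example in plain JavaScript for Node.js; it is not code from the thread. It goes beyond the posted script by keeping a bare drive root intact and by treating anything other than "exit 0, nothing found" or "exit 1, something found" as a scanner error instead of a clean verdict. Function names and the sample scanner output are constructed; the exit-code meanings (0 no virus, 1 virus found, 2 error) are clamdscan's documented ones.

```javascript
// Added example, not code from the thread. Function names and the sample
// scanner output below are constructed for illustration.

// clamdscan exit codes: 0 = no virus, 1 = virus found, 2 = error.
const EXIT_CLEAN = 0;
const EXIT_INFECTED = 1;

// Declude hands over the scan path with a trailing "\"; the thread reports
// that clamdscan then exits with 2 (path not found). Strip it, but keep a
// bare drive root such as "C:\" intact, because "C:" means something else.
function normalizeScanPath(path) {
  if (/^[A-Za-z]:\\$/.test(path)) return path;
  return path.replace(/\\+$/, "");
}

// Split scanner output into findings ("<file>: <name> FOUND") and per-file
// errors ("<file>: <reason> ERROR"). OK lines and the summary are ignored.
function parseClamdscanOutput(text) {
  const findings = [];
  const errors = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const sep = line.indexOf(": ");   // "C:\" never matches: no space follows
    if (sep < 1) continue;
    const file = line.slice(0, sep);
    const rest = line.slice(sep + 2);
    if (rest.endsWith(" FOUND")) {
      findings.push({ file, name: rest.slice(0, -" FOUND".length) });
    } else if (rest.endsWith(" ERROR")) {
      errors.push({ file, reason: rest.slice(0, -" ERROR".length) });
    }
  }
  return { findings, errors };
}

// Combine exit code and output. Only "exit 0, no findings, no errors" is
// clean and only "exit 1 with a finding" is infected. Everything else means
// the message was not reliably scanned and must not be passed on as clean.
function evaluateScan(exitCode, output) {
  const { findings, errors } = parseClamdscanOutput(output);
  let verdict = "error";
  if (exitCode === EXIT_CLEAN && findings.length === 0 && errors.length === 0) {
    verdict = "clean";
  } else if (exitCode === EXIT_INFECTED && findings.length > 0) {
    verdict = "infected";
  }
  // Report line in the "<file> FOUND <name>" shape the thread's script writes.
  const report = verdict === "infected"
    ? findings[0].file + " FOUND " + findings[0].name
    : null;
  return { verdict, report, findings, errors };
}

// Constructed sample output (not captured from a real scan).
const SAMPLE_INFECTED = [
  "D:\\spool\\work\\msg1.eml: Eicar-Test-Signature FOUND",
  "",
  "----------- SCAN SUMMARY -----------",
  "Infected files: 1",
  "Time: 0.004 sec (0 m 0 s)"
].join("\r\n");

const SAMPLE_ERROR =
  "D:\\spool\\work\\msg2.eml: lstat() failed: No such file or directory. ERROR\r\n";

console.log(evaluateScan(1, SAMPLE_INFECTED).report);
console.log(evaluateScan(2, SAMPLE_ERROR).verdict);
```

An exit code that disagrees with the parsed output, such as exit 0 alongside a FOUND line, also lands in the error branch, which is the case a caller keyed only to VIRUSCODE1 1 would not see.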
[sniffer] Re: Announcing ClamAID - Clam AV installer for windows.
Hi Pete,

Very cool. I just went through this a few weeks ago. Here's the issues I encountered:

- The engine for "official" Windows build I found (http://w32.clamav.net/) was out of date (but still usable) and had problems with trailing backslashes the way that Declude was passing them.

- The ClamWin build was current, but resisted any attempt to run it as a service.

- Either one had the problem that the virus report generated by ClamAV is not understood by Declude (which looks only for one, very specific pattern) - so one doesn't get the proper virus name passed to messages, log files and virus statistics

I ended up scripting some middleware between Declude and Clam that would address the trailing backslash on the input side and the virus name on the output side.

Are all these issues addressed in your installer? How? Then I'd be happy to migrate my incarnation over to yours.

Best Regards,
Andy

-----Original Message-----
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Pete McNeil
Sent: Monday, February 02, 2009 12:49 PM
To: Message Sniffer Community
Subject: [sniffer] Announcing ClamAID - Clam AV installer for windows.

Hello Sniffer Folks,

We've noticed that folks often have trouble getting Clam AV (the free open source anti-virus scanner) working correctly on their mail servers, so we've created a free product to help solve that. ClamAID (Clam AV Assisted Install Device).

http://www.armresearch.com/tools/arm/clamAID.jsp

What ClamAID does is collect all of the bits and pieces that make ClamAV work, configure them, install them, and get them running with your email / filtering platform.

So far ClamAID supports IceWarp, Declude/IMail, and Declude/SmarterMail.

We will add support for additional platforms as requested (time permitting).

Please take a look, keep us posted on your progress, and tell your friends about ClamAID if it helps you.

If you have any questions or run into problems then please let us know (support@).

Thanks!

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
[sniffer] Announcing ClamAID - Clam AV installer for windows.
Hello Sniffer Folks,

We've noticed that folks often have trouble getting Clam AV (the free open source anti-virus scanner) working correctly on their mail servers, so we've created a free product to help solve that. ClamAID (Clam AV Assisted Install Device).

http://www.armresearch.com/tools/arm/clamAID.jsp

What ClamAID does is collect all of the bits and pieces that make ClamAV work, configure them, install them, and get them running with your email / filtering platform.

So far ClamAID supports IceWarp, Declude/IMail, and Declude/SmarterMail.

We will add support for additional platforms as requested (time permitting).

Please take a look, keep us posted on your progress, and tell your friends about ClamAID if it helps you.

If you have any questions or run into problems then please let us know (support@).

Thanks!

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.