[sniffer] Re: Announcing ClamAID - Clam AV installer for windows.
Andy,

Ahah. We are debugging an install at this very moment which is exhibiting that issue. Your posts were of immense value. Oddly, my install of Declude on Imail does not create those directories. But I was not testing under Win 2003. We will work to correct the issue quickly.

Thanks.
Andrew Wallo

----- Original Message -----
From: "Andy Schmidt"
To: "Message Sniffer Community"
Sent: Tuesday, February 03, 2009 5:42 PM
Subject: [sniffer] Re: Announcing ClamAID - Clam AV installer for windows.

1.
>> We haven't detected a trailing backslash issue with clamdscan.exe being called from Declude. <<

My Declude creates a temporary folder C:\imail\spool\proc\work\Dxx.vir\ where it "unravels" the nested MIME attachments that belong to a single mail as individual files and then it attempts to scan the entire temporary folder content by launching:

    CLAMDSCAN.EXE -v --no-summary -l report.txt C:\imail\spool\proc\work\Dxx.vir\

The problem is that the W32.ClamAV.net build will return "No such file or directory" (under Windows 2003) if you pass a trailing slash. It WOULD work and scan the entire folder ONLY if the trailing backslash is omitted.

I'm curious - in your system, what happens when you do:

    ClamDScan c:\windows\
vs.
    ClamDScan c:\windows

2.
Your page http://www.armresearch.com/tools/arm/clamAID.jsp states:

"Navigate to the \declude\ directory under Imail or Smartermail. Find the virus.cfg file. The file should now have an entry:

    #CLAMAV_CLAMAID SCANFILE D:\PROGRA~1\ClamAV\CLAMDS~1.EXE -v --config-file="D:\PROGRA~1\ClamAV\conf\clamd.conf" --no-summary -l D:\PROGRA~1\ClamAV\log\report.txt VIRUSCODE 1"

If this is true, then on a busy server, multiple concurrent ClamAV processes would be attempting to write into the SAME "report.txt" file in the CLAMAV program files folder - causing concurrency problems or "locked file" problems.

The best approach would be to leave out the path information and let ClamAV create a unique Report.txt file in the distinct temporary folder that is created for each message!

>> I have read about this in some reports, and I've used the Declude recommended call for calling Clam... I'd like more information if you have <<

The ClamAV report file will have the following format:

    --
    C:\Maintenance\Eicar.com: Eicar-Test-Signature FOUND

Declude will parse that Report.txt file and NOT expect to see the "---" divider line AND will look for the word "FOUND" and expect the virus name AFTER the search token "FOUND". Consequently the parsing will fail. Declude WILL recognize the error level and know that the email was infected, but neither the Declude log NOR the virus notification emails will report a sensible virus name.

>> So the correct view of what is happening should be being logged on the ClamAV side, if not fully transparent through Declude. <<

The virus notification emails are wrong and those of us who generate anti-virus reports by scanning the declude virus logfiles will get nonsense reporting.

>> if you have it on your specific solution of the name-disconnect <<

Well, it's fairly simple. The script I had sent in my post two days ago does the following:

a) trim the trailing backslash from the path if any is found
b) read and parse the ClamAV report.txt file and outputs a new Report.txt file that uses a format that's parsable by Declude.

Best Regards,
Andy Schmidt

# This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to To switch to the INDEX mode, E-mail to Send administrative queries to
[sniffer] Re: Announcing ClamAID - Clam AV installer for windows.
1.
>> We haven't detected a trailing backslash issue with clamdscan.exe being called from Declude. <<

My Declude creates a temporary folder C:\imail\spool\proc\work\Dxx.vir\ where it "unravels" the nested MIME attachments that belong to a single mail as individual files and then it attempts to scan the entire temporary folder content by launching:

    CLAMDSCAN.EXE -v --no-summary -l report.txt C:\imail\spool\proc\work\Dxx.vir\

The problem is that the W32.ClamAV.net build will return "No such file or directory" (under Windows 2003) if you pass a trailing slash. It WOULD work and scan the entire folder ONLY if the trailing backslash is omitted.

I'm curious - in your system, what happens when you do:

    ClamDScan c:\windows\
vs.
    ClamDScan c:\windows

2.
Your page http://www.armresearch.com/tools/arm/clamAID.jsp states:

"Navigate to the \declude\ directory under Imail or Smartermail. Find the virus.cfg file. The file should now have an entry:

    #CLAMAV_CLAMAID SCANFILE D:\PROGRA~1\ClamAV\CLAMDS~1.EXE -v --config-file="D:\PROGRA~1\ClamAV\conf\clamd.conf" --no-summary -l D:\PROGRA~1\ClamAV\log\report.txt VIRUSCODE 1"

If this is true, then on a busy server, multiple concurrent ClamAV processes would be attempting to write into the SAME "report.txt" file in the CLAMAV program files folder - causing concurrency problems or "locked file" problems.

The best approach would be to leave out the path information and let ClamAV create a unique Report.txt file in the distinct temporary folder that is created for each message!

>> I have read about this in some reports, and I've used the Declude recommended call for calling Clam... I'd like more information if you have <<

The ClamAV report file will have the following format:

    --
    C:\Maintenance\Eicar.com: Eicar-Test-Signature FOUND

Declude will parse that Report.txt file and NOT expect to see the "---" divider line AND will look for the word "FOUND" and expect the virus name AFTER the search token "FOUND". Consequently the parsing will fail. Declude WILL recognize the error level and know that the email was infected, but neither the Declude log NOR the virus notification emails will report a sensible virus name.

>> So the correct view of what is happening should be being logged on the ClamAV side, if not fully transparent through Declude. <<

The virus notification emails are wrong and those of us who generate anti-virus reports by scanning the declude virus logfiles will get nonsense reporting.

>> if you have it on your specific solution of the name-disconnect <<

Well, it's fairly simple. The script I had sent in my post two days ago does the following:

a) trim the trailing backslash from the path if any is found
b) read and parse the ClamAV report.txt file and outputs a new Report.txt file that uses a format that's parsable by Declude.

Best Regards,
Andy Schmidt
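
The two steps listed in the message above (trim the trailing backslash, rewrite the ClamAV report so the virus name follows the "FOUND" token), together with the per-message report path it recommends, sketched as an added Python example. This is not the script from the original post; the function names, the sample report and the exact output line layout are assumptions.

```python
import ntpath
import re

# ClamAV report line as quoted in the thread: "<path>: <signature> FOUND"
CLAM_LINE = re.compile(r"^(?P<path>.+): (?P<sig>\S.*?) FOUND$")

# Constructed sample report (not captured from a real server).
SAMPLE_REPORT = (
    "-----------\n"
    "C:\\imail\\spool\\proc\\work\\Dxx.vir\\Eicar.com: Eicar-Test-Signature FOUND\n"
    "C:\\imail\\spool\\proc\\work\\Dxx.vir\\note.txt: OK\n"
)

def trim_scan_path(path):
    """Drop trailing slashes or backslashes, keeping a drive root such as C:\\ intact."""
    trimmed = path.rstrip("\\/")
    if re.fullmatch(r"[A-Za-z]:", trimmed):
        return trimmed + "\\"
    return trimmed or path

def report_path_for(scan_dir, name="report.txt"):
    """Report file inside the per-message temp folder, so scans never share one file."""
    return ntpath.join(trim_scan_path(scan_dir), name)

def parse_clam_report(text):
    """Return [(path, signature)] for FOUND lines; divider and OK lines are skipped."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) == {"-"}:
            continue  # blank line or the dashes-only divider
        match = CLAM_LINE.match(line)
        if match:
            hits.append((match.group("path"), match.group("sig")))
    return hits

def rewrite_report(text, token="FOUND"):
    """One line per hit with the name AFTER the token (assumed target layout)."""
    return "\n".join(f"{p}: {token} {s}" for p, s in parse_clam_report(text))

if __name__ == "__main__":
    scan_dir = "C:\\imail\\spool\\proc\\work\\Dxx.vir\\"
    print(trim_scan_path(scan_dir))
    print(report_path_for(scan_dir))
    print(rewrite_report(SAMPLE_REPORT))
```
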
[sniffer] Re: Announcing ClamAID - Clam AV installer for windows.
They offer a ClamAV tie-in: http://sssolutions.net/ew/tutor.php?topic=setup

From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Pete McNeil
Sent: Monday, February 02, 2009 2:53 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Announcing ClamAID - Clam AV installer for windows.

Hello Steve,

Monday, February 2, 2009, 2:31:17 PM, you wrote:

> Any plans on an eWall version?

We may look into that -- however, eWall is a very fast, lightweight solution; SNF is easily fast enough to work during the SMTP conversation; Clam AV is decidedly not that fast. It might not be a good fit to put Clam AV in an SMTP proxy.

SNF will reject most email borne malware seen within eWall.

None the less, we will look into it-- I'm sure Clam AV could be scripted into eWall-- perhaps only running on those messages that don't get rejected up-front.

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
[sniffer] Re: Announcing ClamAID - Clam AV installer for windows.
At 12:49 2/2/2009 -0500, you wrote:
>Hello Sniffer Folks,
>
>We've noticed that folks often have trouble getting Clam AV (the free
>open source anti-virus scanner) working correctly on their mail
>servers, so we've created a free product to help solve that. ClamAID
>(Clam AV Assisted Install Device).
>
>http://www.armresearch.com/tools/arm/clamAID.jsp
>
>What ClamAID does is collect all of the bits and pieces that make
>ClamAV work, configure them, install them, and get them running with
>your email / filtering platform.
>
>So far ClamAID supports IceWarp, Declude/IMail, and
>Declude/SmarterMail.
>
>We will add support for additional platforms as requested (time
>permitting).

Is an mxGuard/IMail version in the works?

--
Kirk Mitchell-General Manager    mi...@keyconn.net
Keystone Connect
Unlock Your World
Altoona, PA 814-941-5000
http://www.keyconn.net
[sniffer] Re: Announcing ClamAID - Clam AV installer for windows.
Hello Steve,

Monday, February 2, 2009, 2:31:17 PM, you wrote:

> Any plans on an eWall version?

We may look into that -- however, eWall is a very fast, lightweight solution; SNF is easily fast enough to work during the SMTP conversation; Clam AV is decidedly not that fast. It might not be a good fit to put Clam AV in an SMTP proxy.

SNF will reject most email borne malware seen within eWall.

None the less, we will look into it-- I'm sure Clam AV could be scripted into eWall-- perhaps only running on those messages that don't get rejected up-front.

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
[sniffer] Re: Announcing ClamAID - Clam AV installer for windows.
Any plans on an eWall version?

On Feb 2, 2009, at 9:49 AM, Pete McNeil wrote:

> Hello Sniffer Folks,
>
> We've noticed that folks often have trouble getting Clam AV (the free open source anti-virus scanner) working correctly on their mail servers, so we've created a free product to help solve that. ClamAID (Clam AV Assisted Install Device).
>
> http://www.armresearch.com/tools/arm/clamAID.jsp
>
> What ClamAID does is collect all of the bits and pieces that make ClamAV work, configure them, install them, and get them running with your email / filtering platform.
>
> So far ClamAID supports IceWarp, Declude/IMail, and Declude/SmarterMail.
>
> We will add support for additional platforms as requested (time permitting).
>
> Please take a look, keep us posted on your progress, and tell your friends about ClamAID if it helps you.
>
> If you have any questions or run into problems then please let us know (support@).
>
> Thanks!
>
> _M
>
> --
> Pete McNeil
> Chief Scientist,
> Arm Research Labs, LLC.

Regards,

Steve Guluk
SGDesign
(949) 661-9333
[sniffer] Re: Announcing ClamAID - Clam AV installer for windows.
Team, Sniffer Folks, Beta Testers:

I've handled most of the testing and the development so I'll do my best to reply:

(I'll respond inline to A.Schmidt's inquiries. _Andy Wallo

> - The engine for "official" Windows build I found (http://w32.clamav.net/) was out of date (but still usable) and had problems with trailing backslashes the way that Declude was passing them.

Sadly, this is an issue of the very overworked and newly promoted head of project management at ClamAV. He has handled the port up to this point, but due to other demands, has not rebuilt the current stable windows port, nor delegated that task. ClamAV does state that they intend to keep their Windows port however. ( There has been some concern what with the Cygwin versions come to a close etc. ) I am keeping tabs on this, so that at the earliest possible moment, we can push a rebuild of ClamAID with the upgraded port. This does NOT affect the side of the system that downloads new/daily databases, etc. ( Freshclam.exe is wrapped with XYNTService as FreshClamSVC and will run periodically in the background. )

> - The ClamWin build was current, but resisted any attempt to run it as a service.

ClamD ( and FreshClam) are fully wrapped with XYNTService, and allow the Declude users to use clamdscan.exe instead of the very time and cpu consuming clamscan.exe ( Thus saving the re-booting of the clam databases etc. )

> - Either one had the problem that the virus report generated by ClamAV is not understood by Declude (which looks only for one, very specific pattern) - so one doesn't get the proper virus name passed to messages, log files and virus statistics

I have read about this in some reports, and I've used the Declude recommended call for calling Clam... I'd like more information if you have it on your specific solution of the name-disconnect. < open issue? > However, the ClamAID install sets the system up to have both Declude as well as ClamAV log their results. So the correct view of what is happening should be being logged on the ClamAV side, if not fully transparent through Declude.

> I ended up scripting some middleware between Declude and Clam that would address the trailing backslash on the input side and the virus name on the output side.

We haven't detected a trailing backslash issue with clamdscan.exe being called from Declude. Of course, we're not perfect, but we'd definitely love to get your read on the AID tool.

Thanks.
Andrew Wallo
[sniffer] Re: Announcing ClamAID - Clam AV installer for windows.
Hi Pete,

Very cool. I just went through this a few weeks ago. Here are the issues I encountered:

- The engine for "official" Windows build I found (http://w32.clamav.net/) was out of date (but still usable) and had problems with trailing backslashes the way that Declude was passing them.
- The ClamWin build was current, but resisted any attempt to run it as a service.
- Either one had the problem that the virus report generated by ClamAV is not understood by Declude (which looks only for one, very specific pattern) - so one doesn't get the proper virus name passed to messages, log files and virus statistics

I ended up scripting some middleware between Declude and Clam that would address the trailing backslash on the input side and the virus name on the output side.

Are all these issues addressed in your installer? How? Then I'd be happy to migrate my incarnation over to yours.

Best Regards,
Andy

-----Original Message-----
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Pete McNeil
Sent: Monday, February 02, 2009 12:49 PM
To: Message Sniffer Community
Subject: [sniffer] Announcing ClamAID - Clam AV installer for windows.

Hello Sniffer Folks,

We've noticed that folks often have trouble getting Clam AV (the free open source anti-virus scanner) working correctly on their mail servers, so we've created a free product to help solve that. ClamAID (Clam AV Assisted Install Device).

http://www.armresearch.com/tools/arm/clamAID.jsp

What ClamAID does is collect all of the bits and pieces that make ClamAV work, configure them, install them, and get them running with your email / filtering platform.

So far ClamAID supports IceWarp, Declude/IMail, and Declude/SmarterMail.

We will add support for additional platforms as requested (time permitting).

Please take a look, keep us posted on your progress, and tell your friends about ClamAID if it helps you.

If you have any questions or run into problems then please let us know (support@).

Thanks!

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.