[Clamav-devel] The upcoming 15 April kill-switch
Hi,

I have a question about the CVD that will contain a special signature which disables all clamd installations older than 0.95.

What exactly will this do? Will old versions always report No virus? Or will they always report Virus? Or will they always report an error?

Regards,

David.
___
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

[Clamav-devel] Two buglets on 0.96
Sun Studio Compiler finds two buglets in 0.96.

** CC bcrun.o
bcrun.c, line 240: warning: initializer does not fit or is out of range: -1

Line 240 is :

    unsigned int fd = -1;

An unsigned integer can't be negative. Should delete the word unsigned.

** Many lines of :
../libclamav/bytecode_api.h, line 55: warning: enumerator value overflows INT_MAX (2147483647)

    enum { PE_INVALID_RVA = 0x };

Well, enum types aren't necessarily unsigned (as far as I know), but as long as clamav shall be 64 bits compatible, IMHO, it should be better to write something of the kind :

    enum { PE_INVALID_RVA = UINT_MAX };

instead of hardcoding this value, unless the exact value matters.

--
Jose Marcio MARTINS DA CRUZ
http://j-chkmail.ensmp.fr
Ecole des Mines de Paris
60, bd Saint Michel
75272 - PARIS CEDEX 06
mailto:jose-marcio.mart...@mines-paristech.fr

Re: [Clamav-devel] The upcoming 15 April kill-switch
On 04/07/2010 09:21 PM, David F. Skoll wrote:
> Hi,
>
> I have a question about the CVD that will contain a special signature which disables all clamd installations older than 0.95.
>
> What exactly will this do? Will old versions always report No virus? Or will they always report Virus? Or will they always report an error?

It will refuse to load the database and print an error message.

Best regards,
--Edwin

Re: [Clamav-devel] Two buglets on 0.96
On 04/07/2010 10:17 PM, Jose-Marcio Martins da Cruz wrote:
> Sun Studio Compiler finds two buglets in 0.96.
>
> ** CC bcrun.o
> bcrun.c, line 240: warning: initializer does not fit or is out of range: -1
>
> Line 240 is :
>
>     unsigned int fd = -1;
>
> An unsigned integer can't be negative. Should delete the word unsigned.

Right, it should be an int.

> ** Many lines of :
> ../libclamav/bytecode_api.h, line 55: warning: enumerator value overflows INT_MAX (2147483647)
>
>     enum { PE_INVALID_RVA = 0x };
>
> Well, enum types aren't necessarily unsigned (as far as I know), but as long as clamav shall be 64 bits compatible, IMHO, it should be better to write something of the kind :
>
>     enum { PE_INVALID_RVA = UINT_MAX };
>
> instead of hardcoding this value, unless the exact value matters.

The exact value matters: it is used by the bytecode, and this value is part of the bytecode - libclamav API. However I could use an (unsigned) integer constant instead of the enum.

Best regards,
--Edwin

Re: [Clamav-devel] The upcoming 15 April kill-switch
> Would you prefer freshclam/ClamAV crash/corrupt memory when loading the new databases with 980 byte lines?

If it was impossible to support new functionality with a database compatible with ClamAV <=0.94, then the database should have forked -- two sets of databases generated by the automated database build process, one containing only signatures compatible with ClamAV <=0.94, and the other containing all available signatures, and the database update infrastructure should have been enhanced to be smart enough to know how to download the correct database for the installed ClamAV version.

> The initial announcement about this was 6 months ago. If a 6-month window to upgrade is not enough, what would be?

I'd say that obsoleting and remotely disabling mission-critical software that is less than two years old is unreasonable whether the software is commercial or OSS, and I'd say that doing so with anything less than a 1-year lead time is also unreasonable.

In comparison, Symantec says (see http://www.symantec.com/business/support/Symantec_Support_Policy.pdf), "We generally provide Support Services for each 'Major Release' of Licensed Software for a period of up to seven (7) years from the date it first became GA." While seven years may be excessive for an OSS project, whose resources are obviously far more limited than those of a large corporation, I really think what was done here was excessive in the other direction.

Not to mention that y'all really need to put some thought into your version numbering. A major incompatible change like this warrants a major version bump, and yet despite the fact that ClamAV has been in use by many sites in production for years and years and you've introduced many major changes during that time, you're still not even at version 1.0. There's something wrong there.

jik

Re: [Clamav-devel] The upcoming 15 April kill-switch
On 04/08/2010 12:05 AM, David F. Skoll wrote:
> Török Edwin wrote:
>> Would you prefer freshclam/ClamAV crash/corrupt memory when loading the new databases with 980 byte lines?
>
> No. I can think of ways around this to make things degrade gracefully:
>
> o The server

You mean to do this on all the 122 mirrors here: http://www.clamav.net/mirrors.html

> could look at the Freshclam user-agent version number and not serve up the new database if it's too old.
>
> o The 0.96 Freshclam client could use a different request to get the newer longer-lined files. (I guess it's a bit late for that now...)

How about 0.95? That version has been out for a while, and it's not affected by this bug.

>> The initial announcement about this was 6 months ago. If a 6-month window to upgrade is not enough, what would be?
>
> Nothing justifies a kill-switch.

If the database is malformed .. ClamAV refuses to load. This is what prevents malformed databases from being published by accident in the first place.

> I understand your frustration with people who take a long time to upgrade.

We have 754868 signatures right now, out of those 626061 are .mdb signatures. .mdb signatures are not supported, and not loaded by some older ClamAV versions.

Is it better if they keep running the old version, thinking they have some anti-virus protection?

Best regards,
--Edwin

Re: [Clamav-devel] The upcoming 15 April kill-switch
David,

While I agree, to some extent, with your concerns, I cannot help but wonder why you waited until now to raise this issue. The fact that ClamAV <=0.94 would stop working on April 15 was first announced six months ago, on October 6, 2009. Surely this question would have been better asked then, when you had more than six months to plan for the change, rather than now, when you have only 8 days.

My company had hundreds of appliances in the field running versions of ClamAV affected by this change. When we saw the announcement, we immediately started working on figuring out how we were going to get them updated by April 15, and we succeeded in doing so.

I agree with you that ClamAV 0.94 was end-of-lifed too early. I, too, think it was unreasonable for the ClamAV developers to kill a software version that was released less than 2 years ago and obsoleted only a year ago. Nevertheless, if your company is currently facing an emergency because of this change, then you seem to have forced it upon yourselves by waiting this long to figure out how to address it.

Jik

--
Jonathan Kamens
Operations Manager
Advent Tamale RMS
201 South Street, Suite 300, Boston, MA 02111
Phone: +1 617 261 0264 ext. 133 | Mobile : +1 617 417 8989 | Fax: + 1 617 812 0330
jkam...@advent.com | www.advent.com

Re: [Clamav-devel] The upcoming 15 April kill-switch
On Wed Apr 07 2010 22:47:27 GMT+0200 (CET) David F. Skoll d...@roaringpenguin.com wrote:
> OK. That's bad. Really bad. It's an enormous problem for us.
>
> We have some customers (I don't know exactly how many) who are running ClamAV <= 0.94.2. When this hits the ether, their mail servers will tempfail all mail because clamd will error out.
>
> This might even put us in legal difficulties: some of our customers have contracts with us in which we assert our software has no kill switch that can disable mail delivery. Thanks to the fine ClamAV developers, we've been shipping a kill-switch for years.

Do your customers use the public ClamAV mirror infrastructure?

If they do, and also use old ClamAV versions, they're (or will be) causing harm to our infrastructure and the other users of ClamAV who run the latest releases. This is because the old versions of freshclam fail to apply some incremental updates and need to download entire database files as described in the original announcement: http://lists.clamav.net/lurker/message/20091006.143601.d27bbd20.en.html

If they don't and *you* provide them with some private database mirror (what you should really be doing!), then I see no problem - you can simply keep redirecting (with some httpd rule or so) their installations to a specific daily.cvd file which works for them until they get upgraded to some recent release. We can't do that globally because the diversity of software run by our mirrors makes this solution ineffective.

Regards,

--
Tomasz Kojm tk...@clamav.net
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Wed Apr 7 23:08:57 CEST 2010

Re: [Clamav-devel] The upcoming 15 April kill-switch
Török Edwin wrote:
> How about 0.95? That version has been out for a while, and it's not affected by this bug.

Well, you don't seem to have any reservations about a kill-switch for 0.95, so I don't see why you're suddenly so concerned about 0.95. After all, everyone should be on the leading-edge immediately, right?

> Is it better if they keep running the old version, thinking they have some anti-virus protection?

Yes, it is better than a kill-switch.

Nothing justifies a kill-switch. Not in proprietary software and not in free software. It simply shows a blatant disregard for your users and is extremely unprofessional.

Regards,

David.

Re: [Clamav-devel] The upcoming 15 April kill-switch
Mark Pizzolato - ClamAV-devel wrote:
> Will refuse to load means that daily.cvd will be considered a malformed database by ClamAV <= 0.94.2.
>
> That would be the case if it was actually downloaded. Will the freshclam <= 0.94.2 actually download the updated signatures? I think it won't and it will just spit out the warning message about Upgrading details. Then there really is no kill-switch, but signature updates simply stop happening. This, along with the many other changes since 0.94.2 will drastically reduce the effectiveness of ClamAV to detect current threats. That is what you get when you don't update.

I would say that freshclam *should* refuse to download and put in production a database that, if put in production, would prevent clamav from working. This seems the Right Thing To Do even regardless of end-of-life problems.

In fact, this can be easily achieved even if the old freshclam cannot prevent new lethal database from being downloaded: just change naming convention for the new database and publish new freshclam that is aware of the new naming. This way, old freshclam will not see the new database and thus the old installations will not be killed. Just slowly starved of new signatures.

That said, I mostly disagree with angry posters: I believe that antivirus software upgrades should be treated the same way as security patches - urgently. Delaying upgrade of antivirus software is as bad as delaying installation of a security patch to your system. In both cases you stay unprotected against freshly-emerged threats.

Eugene

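The safeguard Eugene describes above, an updater that refuses to put into production a database the installed engine cannot load, sketched as an added example (not freshclam code and not code from this thread). The line-length loader model, the function names and the 512/8192-byte limits are assumptions; only the 980-byte line comes from the thread.

```python
import os
import tempfile

def engine_can_load(db: bytes, max_line: int) -> bool:
    """Hypothetical loader model: the engine reads one signature per line
    into a fixed buffer and rejects the whole database on a longer line."""
    return all(len(line) <= max_line for line in db.split(b"\n"))

def install_update(candidate: bytes, live_path: str, max_line: int) -> bool:
    """Put `candidate` into production only if the local engine can load it.
    Returns False (live database untouched) when the candidate is rejected."""
    if not engine_can_load(candidate, max_line):
        return False
    directory = os.path.dirname(os.path.abspath(live_path))
    fd, staged = tempfile.mkstemp(dir=directory, prefix=".staged-")
    try:
        with os.fdopen(fd, "wb") as out:
            out.write(candidate)
            out.flush()
            os.fsync(out.fileno())
        # Atomic rename: a scanner reloading concurrently sees either the
        # old database or the new one, never a partial file.
        os.replace(staged, live_path)
    except BaseException:
        if os.path.exists(staged):
            os.unlink(staged)
        raise
    return True

def demo():
    """Constructed data: an old engine (512-byte limit, assumed) and a
    current engine (8192-byte limit, assumed) offered the same update."""
    old_db = b"sig-a:1111\nsig-b:2222\n"
    new_db = old_db + b"sig-c:" + b"f" * 974 + b"\n"  # one 980-byte line
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "daily.db")
        with open(live, "wb") as f:
            f.write(old_db)
        old_ok = install_update(new_db, live, max_line=512)
        with open(live, "rb") as f:
            kept_old = f.read() == old_db
        new_ok = install_update(new_db, live, max_line=8192)
        with open(live, "rb") as f:
            swapped = f.read() == new_db
    return old_ok, kept_old, new_ok, swapped

if __name__ == "__main__":
    print(demo())
```

With this gate the old installation keeps scanning with its last loadable database and stops receiving new signatures, which is the outcome the message contrasts with an engine that errors out.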
Re: [Clamav-devel] The upcoming 15 April kill-switch
On 07/04/2010 23.26, David F. Skoll wrote:
> Török Edwin wrote:
>> How about 0.95? That version has been out for a while, and it's not affected by this bug.
>
> Well, you don't seem to have any reservations about a kill-switch for 0.95, so I don't see why you're suddenly so concerned about 0.95. After all, everyone should be on the leading-edge immediately, right?
>
>> Is it better if they keep running the old version, thinking they have some anti-virus protection?
>
> Yes, it is better than a kill-switch.
>
> Nothing justifies a kill-switch. Not in proprietary software and not in free software. It simply shows a blatant disregard for your users and is extremely unprofessional.

ask ms about windows xp :)

--
Gianluigi Tiesi sher...@netfarm.it
EDP Project Leader
Netfarm S.r.l. - http://www.netfarm.it/
Free Software: http://oss.netfarm.it/

Re: [Clamav-devel] The upcoming 15 April kill-switch
On 04/07/2010 08:33 PM, Gianluigi Tiesi wrote:
> ask ms about windows xp :)

There is no kill switch in Windows XP. Microsoft is ending support for it, but existing installations of Windows XP will continue to work as they always have for the indefinite future.

The parallel in the anti-virus world would be that even after Symantec stops publishing updated virus definitions for an old version of one of their anti-virus products, the last virus definitions published for that version will continue to work for the indefinite future. They will become less and less effective over time, but the product will continue to do what it is intended to do at some level.

The parallel in ClamAV would have been if the maintainers declared that they would no longer publish virus definition files for ClamAV 0.94 but it would continue to work with the last virus definitions published for it. That is not what happened here. That is what should have happened here.

jik