Re: [clamav-users] False Positive - Win.Exploit.CVE_2016_3316-1?
On 10-8-16 08:22, ANANT S ATHAVALE wrote:
> Hi,
>
> Most of the mails are marked with Win.Exploit.CVE_2016_3316-1. Is this a
> false positive?

Yes. Created a completely empty .doc file using LibreOffice on Linux, and the resulting file was recognized as Win.Exploit.CVE_2016_3316-1.

This means that on our medium sized ISP, we got so many false positives from ClamAV in a few hours that it would take several weeks for ClamAV to even find the same number of true positives in our e-mail stream.

Guess that's the end of ClamAV as an e-mail virus scanner here...

--
Jan-Pieter Cornet <joh...@xs4all.nl>
"Any sufficiently advanced incompetence is indistinguishable from malice." - Grey's Law

___
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
Re: [clamav-users] confirm fc348079837XXXXXXXXXXXXXXXXXXXXXXXXb8a2a7
On 2012-11-20 22:20 , Steve Scotter wrote:
> I'd love to but opendkim doesn't appear (on first glance) to have the ability to do that. Will look into that.
>
>> Then you probably shouldn't let opendkim reject mails at all, if it cannot do that. But rejecting on a bad DKIM signature alone is simply not something anyone should ever do.
>
> Just to clarify, are you suggesting that rejecting a DKIM signed email from a domain with an ADSP record of dkim=discardable still shouldn't be rejected?

I assume you mean ... given that the signature is bad or absent. Yes, I would recommend ignoring ADSP completely, and instead using DMARC. And then optionally detect traffic from known mailinglists and accept those regardless of a p=quarantine or p=reject status from DMARC. But that's still being hotly debated in the DMARC community.

That said, public software to verify DMARC signatures and generate the necessary reports has only recently become available; implementing that on a home mail gateway is probably a lot of work. The DMARC standard is only a draft, and might change.

And of course every admin is free to choose whatever he or she likes. But ADSP doesn't appear to be getting a lot of leverage, and if DMARC does take off, ADSP will be obsolete.

--
Jan-Pieter Cornet
SSL is only keeping your connection safe from hackers, crooks and three letter agencies by the least secured, least likely to refuse money from strangers, and least bullying-proof of several hundred companies worldwide.
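As an added illustration of the policy sketched in the reply above (example code, not the poster's and not opendkim's or any DMARC library's): a DMARC-style disposition that acts on the From domain's p= value only when neither SPF nor DKIM is aligned, with an exemption for known mailing lists. The domains and List-Id values are placeholders, and relaxed alignment is approximated by the last two labels rather than a public-suffix lookup.

```python
"""DMARC-style disposition with a known-mailing-list exemption.

Added example; not code from the post, from opendkim or from any DMARC
implementation. It models the approach described above: ignore ADSP,
act on the From domain's DMARC p= value only when neither SPF nor DKIM
is aligned, and optionally accept traffic from known mailing lists in
spite of p=quarantine or p=reject. Relaxed alignment is approximated as
a match on the last two host labels (assumption: no public-suffix list).
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class AuthResults:
    from_domain: str      # domain of the RFC5322.From header
    spf_pass: bool
    spf_domain: str       # domain SPF was evaluated on (MAIL FROM / HELO)
    dkim_pass: bool
    dkim_domain: str      # d= of the validated DKIM signature, "" if none


def org_domain(domain: str) -> str:
    """Approximate organizational domain: the last two labels."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def aligned(auth_domain: str, from_domain: str) -> bool:
    """Relaxed DMARC identifier alignment."""
    return bool(auth_domain) and org_domain(auth_domain) == org_domain(from_domain)


def dmarc_pass(r: AuthResults) -> bool:
    """DMARC passes when at least one method passed AND is aligned."""
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.from_domain)
    dkim_ok = r.dkim_pass and aligned(r.dkim_domain, r.from_domain)
    return spf_ok or dkim_ok


def disposition(r: AuthResults, policy: Optional[str],
                list_id: Optional[str] = None,
                known_lists: FrozenSet[str] = frozenset()) -> str:
    """Return "accept", "quarantine" or "reject".

    policy is the p= tag of the From domain's DMARC record (None when the
    domain publishes no record). known_lists holds List-Id values trusted
    to have legitimately broken alignment (subject tags, footers, ...).
    """
    if policy is None or policy == "none":
        return "accept"           # no record / monitor-only: never act on it
    if dmarc_pass(r):
        return "accept"
    if list_id is not None and list_id in known_lists:
        return "accept"           # known list: accept despite the policy
    if policy == "quarantine":
        return "quarantine"
    if policy == "reject":
        return "reject"
    raise ValueError(f"unknown DMARC policy {policy!r}")


# Constructed sample results; all domains are placeholders.
DIRECT = AuthResults("example.com", spf_pass=False, spf_domain="bounce.example.com",
                     dkim_pass=True, dkim_domain="example.com")
VIA_LIST = AuthResults("example.com", spf_pass=True, spf_domain="lists.example.net",
                       dkim_pass=False, dkim_domain="example.com")  # list broke the signature
KNOWN_LISTS = frozenset({"somelist.lists.example.net"})

if __name__ == "__main__":
    print(disposition(DIRECT, "reject"))                                              # accept
    print(disposition(VIA_LIST, "reject"))                                            # reject
    print(disposition(VIA_LIST, "reject", "somelist.lists.example.net", KNOWN_LISTS))  # accept
```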
Re: [clamav-users] Untit Testing
On 2012-2-7 18:27 , Reynolds, David C. wrote:
> Thanks for the quick replies. I was able to run those tests. As to why I would install ClamAV, it is an IA requirement that we scan for viruses on remote file transfers that go thru this system and there aren't too many options that will run under IRIX.

I haven't got any experience with IRIX, but I do wonder: why are you using tits for testing purposes? That seems inappropriate. Everyone else uses canaries!

The tits scare too easily and will fly at the slightest sound. Canaries are more reliable. And if there's a virus in range, they just die :)

PS ;-)

--
Jan-Pieter Cornet
Re: [clamav-users] daily.cvd update issue.
On 2011 Jul 19, at 17:20 , Luca Gibelli wrote:
> http://www.clamav.net/support/ml

What? If websites are a requirement for ClamAV then this project is doomed. I don't see our NOC surfin the interwebz as part of the job.

(Sarcasm alert).

--
Jan-Pieter Cornet joh...@xs4all.nl
People are continuously reinventing the flat tyre.
Re: [clamav-users] Virus not detected by Clamav
On 2011 Jun 29, at 12:49 , Joel Esler wrote:
> If you have a sample of the file, submitting it through ClamAV's submission interface makes it bubble up so the rule writers can get to it faster.
>
> Or if you're lucky and it's the exact same file every time, you can trivially create your own signature using an md5 hash and use that instantly.

That's one of the things I particularly like about clamav (and used a couple of times in the past).

--
Jan-Pieter Cornet joh...@xs4all.nl
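An added example of the "own md5 signature" approach discussed above (not code from the post or from ClamAV): it builds a ClamAV hash-signature line in the .hdb layout, MD5:size:name, parses such a file and matches a blob against it, skipping the hash when the size already rules a file out. The sample blobs and signature name are constructed.

```python
"""Build and apply ClamAV-style MD5 hash signatures (.hdb format).

Added example; not code from the post or from ClamAV. It uses ClamAV's
documented hash signature layout, one signature per line:
    MD5hex:FileSize:MalwareName
which is what `sigtool --md5 file` prints. The sample blobs and the
signature name below are constructed for the example.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

HashSig = Tuple[str, int, str]   # (md5 hex, file size, signature name)


def hdb_line(data: bytes, name: str) -> str:
    """Return the .hdb line that matches exactly this blob."""
    if ":" in name or any(c.isspace() for c in name):
        raise ValueError("signature name may not contain ':' or whitespace")
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def parse_hdb(text: str) -> List[HashSig]:
    """Parse .hdb text; blank lines and '#' comments are skipped."""
    sigs: List[HashSig] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected md5:size:name")
        md5hex, size, name = parts
        md5hex = md5hex.lower()
        if len(md5hex) != 32 or set(md5hex) - set("0123456789abcdef"):
            raise ValueError(f"line {lineno}: bad MD5 {md5hex!r}")
        if not size.isdigit():
            raise ValueError(f"line {lineno}: bad size {size!r}")
        sigs.append((md5hex, int(size), name))
    return sigs


class HashMatcher:
    """Index signatures by size so only same-sized files get hashed."""

    def __init__(self, sigs: List[HashSig]) -> None:
        self._by_size: Dict[int, Dict[str, str]] = {}
        for md5hex, size, name in sigs:
            self._by_size.setdefault(size, {})[md5hex] = name

    def match(self, data: bytes) -> Optional[str]:
        """Return the signature name for data, or None if it is clean."""
        candidates = self._by_size.get(len(data))
        if not candidates:
            return None              # size mismatch: no need to hash at all
        return candidates.get(hashlib.md5(data).hexdigest())


# Constructed samples: the attachment that keeps coming back, and a
# same-sized variant that differs in one byte (must not match).
SAMPLE = b"constructed sample attachment body, repeated in every message\n"
NEAR_MISS = SAMPLE[:-1] + b"!"
DB_TEXT = "# local hash database\n" + hdb_line(SAMPLE, "Local.Constructed.Sample-1") + "\n"

if __name__ == "__main__":
    matcher = HashMatcher(parse_hdb(DB_TEXT))
    print(DB_TEXT.strip().splitlines()[-1])
    print(matcher.match(SAMPLE))      # Local.Constructed.Sample-1
    print(matcher.match(NEAR_MISS))   # None
```

A file with such lines saved with a .hdb extension in clamd's database directory is loaded next to the official databases.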
Re: [clamav-users] What happened to 12663 ?
On 2011 Feb 11, at 13:54 , Jan-Frode Myklebust wrote:
> For us it took down clamd on 15 servers at 00:03 today, and we received the fix 3 hours later... but clamd wasn't restarted before later this morning, leading to huge mailqueues. We should probably look into verifying the db before telling clamd to reload it...

I suggest you instead look at your mail config, verifying that mail keeps on flowing when clamav happens to be down/unresponsive.

Unless you want to err on the safe side, and have a policy in place that says we do not want to receive/send ANY mail when the virus scanning doesn't work. In that case, your system is already working as designed, and tonight's outage was actually helpful, because it prevented mail from getting through that could have been detected by a newer version of the database.

On the other hand, since you haven't updated ClamAV in over a year, leading to (significantly) decreased detection, maybe the scanning of email isn't top priority, and your mail scanning engine needs to fall back to letting mail through on scan errors.

--
Jan-Pieter Cornet joh...@xs4all.nl
Re: [clamav-users] What happened to 12663 ?
On 2011 Feb 11, at 17:56 , Vincent Fox wrote:
> On 2/11/2011 8:31 AM, Jan-Pieter Cornet wrote:
>> On the other hand, since you haven't updated ClamAV in over a year, leading to (significantly) decreased detection, maybe the scanning of email isn't top priority, and your mail scanning engine needs to fall back to letting mail through on scan errors.
>
> Forgive me for this but 3-4 days after v0.97 is released, v0.95 is considered obsolete and no longer worth testing databases for.

Yes, that sucks. And the clamav team has admitted as much and promised to do something about it. I didn't like that either; I am running 0.95 myself, so clamav stopped functioning. To remedy the situation, I dug into my archive and recovered an older, working daily.cvd, and installed that on top of the broken one.

The reason I replied is that the OP mentioned that 'mail stopped because of this', somehow implying it's ClamAV's fault. It isn't. There are a number of reasons that a virus scanner can fail; a bad database is just one of them.

What I wanted to point out is: unless you consider virus scanning more important than the actual flowing of emails, you need to make sure that failures in the virus scanning don't stop your mail from functioning. If scan failures do prevent your mail from being delivered, then right there is your first configuration error: go fix it so you don't depend on the virus scanner to always behave correctly, because it simply won't. There will always be unpredictable circumstances that make your virus scanner crash, so you must be prepared to deal with that.

If that makes you feel uneasy, because it might let unscanned mail through, put a monitoring mechanism in place that alerts you as soon as the virus scanning fails. Or get a second virus scanner, and use them both in parallel (that's what I do - also gives you a nice way to compare performance).

--
Jan-Pieter Cornet joh...@xs4all.nl
Re: [clamav-users] how do I get an old daily. cvd and cld? file?
On 2011 Feb 10, at 23:26 , Michael Scheidell wrote:
> seems the newest daily file won't work with clamav 0.95.3. how do I get an older one that will? I can turn freshclam off for now, or until this is fixed.

I happen to keep backups of the database. daily.cvd version 12660 works for me, and has my clamav's running again. Available at:

    http://www.xs4all.nl/~johnpc/daily.cvd

No guarantees, but you should be able to verify it's authentic by running sigtool:

    ~/WWW $ sigtool --info daily.cvd
    File: daily.cvd
    Build time: 10 Feb 2011 13:33 -0500
    Version: 12660
    Signatures: 37218
    Functionality level: 58
    Builder: edwin
    MD5: 4518087caf519a9f0d28135aade4e2a8
    Digital signature: x34ZJRr8E4mKeTiDl+XotNCMI6BEdCnZHi8F9AyX3o9L8LFQEXUZLXi2y6B4A7NyUtSbfj4e8+bOWFlB9dTw3aQBBRr0sfc4C5G/B1zOoIDggfBBe7ZqCqD4pzMCZDnOW4QCvh1BH/44GZft6xnVPpPxqfy2OsHkhorvOPAsZXh
    Verification OK.

--
Jan-Pieter Cornet joh...@xs4all.nl
Re: [clamav-users] Sophos Anti-Virus
On 2011 Jan 3, at 1:46 , TR Shaw wrote:
> On Jan 2, 2011, at 7:12 PM, Bob Traktman wrote:
>> Is there any reason not to keep ClamAv and Sophos Anti-Virus -- both active?
>
> None whatsoever. Defense in depth is a good thing.

Probably not. However, a contemplation... It's like a plane. Planes can have 1 engine, or 2, or even more, but usually not more than 4. Why not 8 engines? 100?

Plane engines have two failure modes:
1) they stop working. If that engine is all you've got, you're in deep doodoo. That's why an extra engine is convenient.
2) The engine explodes, taking the plane with it (fortunately, much less likely).

If you have multiple engines, you reduce the chance of a crash because of failure 1, but you increase the chance of a crash in case of failure 2. So there's a balance to be found.

The same goes for virus scanners. Failure mode 1 would be a virus scanner not detecting a virus. Failure mode 2 (less likely) would be a false positive, or worse, an exploit causing your server to be hacked.

Personally, I find two or three virus scanners to be the sweet spot. If programmed correctly, it even gives you some protection against false positives, because you can treat files/emails that are only recognized by one scanner differently from the ones that are recognized by multiple scanners. For example quarantine in the first case, and remove in the second case. (This requires custom programming, of course).

--
Jan-Pieter Cornet joh...@xs4all.nl
Re: [Clamav-users] How does Clam stand up to Commercial A/V?
On Tue, Nov 24, 2009 at 04:17:50PM -0400, Robin wrote:
> I am administering 7 Debian based LAMP servers and am working to get anti-virus to scan uploads as they happen. Since I am a lone sheep in the Microsoft wild of a larger organization I need to prove that Clam is up for the task and at least at par with commercial A/V such as McAfee Commandline Scanner. I have found a few articles stating that Clam is in some cases superior to most of the commercial counterparts. I am looking for feedback and thoughts on this so I can bring my case to the powers that be that we do not need to dish out $$ to provide virus protection.

Your responses are likely to be biased by asking clamav-users :) So let me give a slightly more negative argument.

ClamAV used to be quite fast in responding to virus threats, but is currently pretty slow in response to email viruses. We use ClamAV only to scan email on an SMTP server (farm) (approx 3E7 msgs/day). We run 3 virus scanners, and I get daily statistics on the number of viruses caught by each scanner, detailing exactly which viruses were found by which scanner. For at least half a year, clamav has been the slowest to respond to new threats, usually taking at least a day, sometimes two days, to catch up. The number of viruses that ClamAV finds that the others don't is negligible (a handful a day, and those are usually marked as spam anyway).

That said, we only use the standard databases, and we disabled phishing heuristics (too many false positives). Scanning accuracy might improve if you add other malware databases. But I don't want to spend too much CPU and memory on ClamAV.

Note that this isn't a complaint - I realise I get what I pay for, but given that admin time isn't free either, ClamAV is definitely worse than commercial AV products, even if you consider performance/price ratio. Be aware that YMMV.

--
Jan-Pieter Cornet joh...@xs4all.nl
!! Disclamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs. !!
Re: [Clamav-users] please remove
On Fri, Feb 20, 2009 at 02:31:44PM +0000, Ian Eiloart wrote:
> --On 19 February 2009 08:29:23 -0500 Gary L Burnore gburn...@databasix.com wrote:
>> Fortunately, you're not a UK lawyer. Nor am I. If you'd like to make case law, go for it. Until some UK judge says a mailing list set up to support a product is now a marketing list, it's not.
>
> Well, perhaps it isn't, but I think the principles [...snip]

I disagree, but it doesn't really matter, now, does it? This is not a UK list. It's unreasonable to try to force your local rules on global communities. Otherwise you have to stoop down to the lowest common denominator (and probably the longest combined dysclaimer (intentional typo)).

Is this mailinglist hosted in the UK? No, it isn't. In fact, it's technically hosted in the Netherlands (hmm... IP looks familiar), but the list operators are, um, foreign. Italian, American, who knows. Whose rules should we apply? This list follows the RFCs and several best practices, and that should suffice. If it doesn't, not only is this list in trouble, but a lot of other lists too. You can even get to the unsubscribe page with a single click from the page mentioned in the footer. And then this is a list with email professionals on it (or so you'd expect).

If the UK legislature insists on having things their way in spite of the rest of the world, and starts threatening anyone who doesn't follow THEIR rules, then bye bye, unsubscribe *.uk and go and have fun on clamav-uk-us...@lists.1984.gov.uk.

Or at least, that's what I'd say if I were the list operator, which I'm not (I do administrate other email lists, though). Capice?

--
Jan-Pieter Cornet joh...@xs4all.nl
Re: [Clamav-users] Why is ClamAV signature file so unpopular?
On Sat, Nov 29, 2008 at 02:52:53PM -0800, Dave Warren wrote:
>> When I go to the download page for ClamAV at SourceForge, I observe that the signature file (clamav-0.*.*.tar.gz.sig) is downloaded less than 10% of the time that the source code (clamav-0.*.*.tar.gz) is downloaded. I find this strange, especially for anti-malware software, whose users presumably think about security more than the average SourceForge visitor.
>
> If you can't trust SourceForge for the source, what makes you think you can trust the signature file?

Because it's PGP signed. It's not just an md5 hash.

> Anyone in a position to compromise one would almost definitely be able to compromise the other.

Sure. But it would be suspect if gpg/pgp says: Good Signature by Snake Oil [EMAIL PROTECTED].

--
Jan-Pieter Cornet [EMAIL PROTECTED]
Re: [Clamav-users] Announcing ClamAV 0.94.1 RC1
On Fri, Oct 17, 2008 at 08:19:54AM +0200, Tomasz Kojm wrote:
> On Thu, 16 Oct 2008 17:41:50 -0700 John Rudd [EMAIL PROTECTED] wrote:
>> Do you have any thoughts about how we can get the stats to you, so that you can use them, without bypassing our mechanism for ensuring consistent and safe updating of our virus signatures?
>
> There's a special option in freshclam (--submit-stats, currently deactivated) which could help here. When this option is used, freshclam only submits the statistics *without* touching the database files. You could just run freshclam --submit-stats=/path/to/clamd.conf on the hosts that get real traffic. Would that work for you? (if so, we will activate this option in 0.94.1-final).

That would certainly work for us. We have the same setup: two freshclam config master hosts that push changes out to the production systems.

--
Jan-Pieter Cornet [EMAIL PROTECTED]
Re: [Clamav-users] No viruses detected since 1711GMT August 29, 2008?
On Fri, Aug 29, 2008 at 06:49:00PM -0700, fchan wrote:
> Hello, Thank you for the suggestion and I just sent myself clam.zip test file and clamav detected this correctly. It could be the systems that have been sending virus infected email messages to my mail server have been evacuated because of Tropical Storm Gustav;) Or it could be the calm before the storm.

If you want another verification that the world-wide virus sources haven't all suddenly dried up, we publish semi real time graphs and counters of received spam and viruses. Since we're a moderately big ISP, there's always something coming in. The graphs are at:

    http://www.xs4all.nl/en/veiligheid/statistieken.php

(The URL itself is partly in Dutch, but don't let that scare you, the page itself is in English)

--
Jan-Pieter Cornet [EMAIL PROTECTED]
Re: [Clamav-users] announcing ClamAV 0.94rc1
On Tue, Aug 19, 2008 at 01:51:37PM +0100, G.W. Haywood wrote:
>>> I started to download it, but when I saw that it was going to be just under 20 megabytes I cancelled it.
>>
>> Well it's not *that* big!
>
> My point was that it's ten times as big as it should be and apparently it's growing without bound. This is because it contains a database,

It's probably this big because it now includes support for Premier Election Solutions' (formerly Diebold) machines. See also http://www.xkcd.org/463/ :)

(is the bandwidth really such a big deal now that people usually toss DVD images around?)

Also note - every other virus scanner I'm aware of also comes with a database out of the box (that sophos update I just downloaded was also 24Meg). Of course, outdated as soon as you hit Download, but with the incremental updates of clam, not quite worthless.

--
Jan-Pieter Cornet [EMAIL PROTECTED]
Re: [Clamav-users] simplest replacement for ancient amavis-perl
On Fri, Aug 08, 2008 at 09:25:19AM -0400, David F. Skoll wrote:
>> I am under the opinion that a message should never be silently blackholed.
>
> I used to share that opinion, but no longer do for viruses. If you turn off Clam's dubious Phishing options, the odds of a false-positive from Clam are very low. In that situation, there is no point in rejecting; it's better to silently discard.

I agree with David: it's better to discard a virus than reject it just because the sending server has a slightly worse virus scanner, or hasn't received the signature updates yet.

But I'm more paranoid: We only discard when _2_ independent scanners say it's a virus. Otherwise, we used to tempfail, but nowadays it's not worth the bother, and we just reject for single virus scanner hits. That's a measly few percent of the already insignificant amount of email viruses (we don't count phishes as a virus, they add to the score in SA).

--
Jan-Pieter Cornet [EMAIL PROTECTED]
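An added example (not code from any of the posts) that puts together the policies from this reply and from the earlier ones on running several scanners in parallel and keeping mail flowing when a scanner is down: discard only when two independent scanners agree, reject on a single hit, and fail open with a monitoring alert (or tempfail in a fail-closed mode) when a scanner reports an error. The clamd-style result lines it parses are constructed; the "... FOUND" / "... OK" / "... ERROR" suffixes are the real clamd result format.

```python
"""Combine verdicts from several independent virus scanners.

Added example; not code from any of the posts. It implements the policies
described in the thread: discard only when two scanners agree it is a
virus, reject on a single hit, and keep mail flowing (fail open) when a
scanner is down while raising an alert for monitoring; a fail_closed
switch tempfails instead. The clamd-style output lines below are
constructed; the "... FOUND" / "... OK" / "... ERROR" suffixes are the
real clamd/clamdscan result format.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Verdict(Enum):
    CLEAN = "clean"
    INFECTED = "infected"
    ERROR = "error"          # scanner down, timed out, database broken...


class Action(Enum):
    ACCEPT = "accept"
    REJECT = "reject"        # 5xx at SMTP time
    DISCARD = "discard"      # accept, then drop silently
    TEMPFAIL = "tempfail"    # 4xx, only in fail-closed mode


@dataclass(frozen=True)
class ScanResult:
    scanner: str
    verdict: Verdict
    detail: str = ""         # signature name, or the error text


@dataclass(frozen=True)
class Decision:
    action: Action
    alerts: Tuple[str, ...]  # events the monitoring system should see


def parse_clamd_line(scanner: str, line: str) -> ScanResult:
    """Map one clamd result line ("<path>: <text> FOUND|OK|ERROR") to a ScanResult."""
    _path, _, text = line.strip().partition(": ")
    if text == "OK":
        return ScanResult(scanner, Verdict.CLEAN)
    if text.endswith(" FOUND"):
        return ScanResult(scanner, Verdict.INFECTED, text[:-len(" FOUND")])
    if text.endswith(" ERROR"):
        return ScanResult(scanner, Verdict.ERROR, text[:-len(" ERROR")])
    # anything unexpected is treated as a scanner failure, never as clean
    return ScanResult(scanner, Verdict.ERROR, f"unparseable result: {line.strip()!r}")


def decide(results: List[ScanResult], fail_closed: bool = False) -> Decision:
    """Apply the two-scanner policy to one message's results."""
    hits = [r for r in results if r.verdict is Verdict.INFECTED]
    errors = [r for r in results if r.verdict is Verdict.ERROR]
    alerts = tuple(f"scanner {r.scanner} failed: {r.detail}" for r in errors)

    if len(hits) >= 2:                      # two independent opinions: drop it
        return Decision(Action.DISCARD, alerts)
    if len(hits) == 1:                      # could be a lagging or overeager database
        return Decision(Action.REJECT, alerts)
    if errors and fail_closed:
        return Decision(Action.TEMPFAIL, alerts)
    if errors and len(errors) == len(results):
        alerts += ("no scanner available; message accepted unscanned",)
    return Decision(Action.ACCEPT, alerts)  # fail open, but make noise


# Constructed clamd-style output for one message as seen by three scanners.
SAMPLE_OUTPUT = {
    "clamav": "stream: Constructed.Worm.Sample-1 FOUND",
    "second": "stream: Constructed.Worm.Sample-1 FOUND",
    "third":  "stream: Can't open file ERROR",
}


def decide_sample(fail_closed: bool = False) -> Decision:
    results = [parse_clamd_line(name, line) for name, line in SAMPLE_OUTPUT.items()]
    return decide(results, fail_closed)


if __name__ == "__main__":
    d = decide_sample()
    print(d.action.value, d.alerts)   # discard ("scanner third failed: Can't open file",)
```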
Re: [Clamav-users] Clamav phishing sigs
On Fri, Aug 08, 2008 at 09:44:11AM -0400, Darren G Pifer wrote:
> Hi Steve, The site is interesting and will help with general cases but lately the school is getting phishing specific to the university, which does not help us.

Have you considered using a regular-expression based filtering mechanism, say, SpamAssassin? I use it to block directed phishes (for the ISP I work for), and it works pretty well. Unfortunately, it looks like, for directed phishes, the phishing mails are first tried out, likely via compromised accounts, until they pass the filter. At least, some do, it seems.

--
Jan-Pieter Cornet [EMAIL PROTECTED]
Re: [Clamav-users] Freshclam not terminating correctly
On Sun, Jun 01, 2008 at 08:09:58PM -0400, Robert Blayzor wrote:
> On Jun 1, 2008, at 6:07 PM, Sarocet wrote:
>> Seems like a problem with the TCP stack to me. No client of normal sockets should be able to do that. Do you have some device (such as a firewall) in front of that machine which could be interfering? Could you fingerprint (p0f) from which OS this activity comes?
>
> It's not the server or any device in front of it. (which there are not other than switches and routers). In the tcpdumps we've looked at the client appears to hang or timeout, and when the server sends acks to see if the connection is still alive (keepalive or otherwise) the client starts replying with a zero sized window, which is broken. We thought about p0f, but with the randomness of the broken clients and the sheer volume of connections the mirrors get, it would be very difficult to capture that data. It may come down to that, but I'm just pointing out that something appears to be bugged in quite a few clients that connect.

I cannot confirm this on our mirror, there are no connections stuck in FIN_WAIT_1 at all. Could it be that all stuck connections you see are the result of some popular DSL-router/NAT box in your area, that behaves badly?

--
Jan-Pieter Cornet [EMAIL PROTECTED]
Re: [Clamav-users] Non-Windoze Viruses (was Re: Memory usage for clamd is huge)
On Wed, Apr 02, 2008 at 10:50:59AM -0700, Dennis Peterson wrote:
> Arthur Sherman wrote:
>> I use scripts now to monitor user space for new php code.
>
> Could you share these scripts? On a Solaris system you can use the built-in aset tool, and for any Unix/Linux system you can use trip-wire or Cfengine.

Or in plain old sh:

    touch /tmp/lastscan.tmp
    find /path/to/documentroot -newer /tmp/lastscan -name \*.php
    mv /tmp/lastscan.tmp /tmp/lastscan

Bootstrapping this so it won't give an error on the first run is left as an exercise to the reader (you could just ignore the error).

On a related note: I recently saw a php exploit finder, which could search php source for possibly exploitable code. It was basically a collection of regular expressions, written in php itself, version 0.01, but it looked interesting. Sorry, no URL, you'll have to google it.

(how far away from viruses are we yet?)

--
Jan-Pieter Cornet [EMAIL PROTECTED]
Re: [Clamav-users] Non-Windoze Viruses (was Re: Memory usage for clamd is huge)
On Tue, Apr 01, 2008 at 08:38:26AM -0400, David F. Skoll wrote:
>> I am absolutely certain that, once there's a market for it, non-windows viruses will appear.
>
> There *is* already a huge market for a Linux virus. The market is different from the Windows market. In the Windows world, the motivation of virus writers is to subvert PCs to build botnets. In the Linux world, the motivation is publicity -- could you imagine the coup of creating an effective Linux virus?

Why go through all the trouble of creating a linux virus, when there are tons of readily exploitable php out there? These exploited unix servers aren't sending out viruses just because the spammer/botherder has better use for them at this moment, not because it's impossible.

--
Jan-Pieter Cornet [EMAIL PROTECTED]
Re: [Clamav-users] Vasiliy Bochin on a business trip
On Wed, Mar 26, 2008 at 11:22:09AM -0700, Dennis Peterson wrote:
> What is all this gibberish?

Out of office autoresponder post using Cyrillic typeface, written in Russian. Which is relatively easy to understand if you just cut-n-paste the text into translate.google.com. Provided your mailer does the right thing with the utf-8 or koi8-r charset, of course.

During the day, to help (Днем, чтобы помочь)

Nevertheless: Retouching the letter, not an automatic reply to clamav-users mail! (Ретуширование письма, не автоматический ответ на clamav-users почты!)

(and if this is bad russian, blame google ;)

Most users make sure their vacation program does not auto-respond to mailinglist mails, especially not to the list itself. On some mailinglists, it is grounds for immediate removal.

Goodbye (さよなら)

--
Jan-Pieter Cornet [EMAIL PROTECTED]
Re: [Clamav-users] False positive Phishing.Heuristics.Email.SpoofedDomain
On Thu, Feb 21, 2008 at 07:49:27PM -0300, Manuel Lemos wrote:
> I have a site that once in a while sends e-mail alerts about new book reviews published in the site. Recently I noticed that some Dutch e-mail servers were rejecting the review alert messages because the site IP address was listed in VirBL.

That's pretty bad. VirBL shouldn't add phishing sites to their DB. I'll try to contact the VirBL maintainers about this.

> I tracked down the issue and found that ClamAV was marking the messages as Phishing, specifically Phishing.Heuristics.Email.SpoofedDomain. I tested the message and isolated the HTML excerpt that seemed to trigger that classification. If I removed it, the message passes all ClamAV tests. Here follows the relevant excerpt (already decoded from the original quoted-printable message part).
>
>     a href=tpph:||www.phpclasses.org/reviews/order/1593271204.htmlimg src=tpph:||images.amazon.com/images/P/1593271204.01.MZZZ.jpg width=121 height=160 border=1//a
>
> This is a picture of the book cover from Amazon with a link to a page in the site that lets the user choose from which of the several Amazon stores that sell the book.

Ehm, first, it probably wasn't a very good idea to include a piece of verbatim text that triggers a false positive. Your email was likely rejected at those places that use the same filtering :) Because of this, I've mangled the HTML a bit so it likely passes the detection now.

That said... Phishing.Heuristics.* signatures are, as it says, heuristic signatures, not triggered by any rules, but by heuristics. It can be turned off by adding this line to your clamd.conf:

    PhishingScanURLs no

I don't know what exact rules this uses to trigger on. It's likely some combination of the domain of the visible part, versus the domain of the real target of the link, combined with a list of vulnerable domains that are likely to cause phishing. I think that amazon.com is on that list, and the heuristics code doesn't like you linking to some external site based on an amazon image. You can probably avoid the issue by putting the image on your own server, or on www.phpclasses.org in this case, so the image and target point to the same domain.

That said, operators who leave this setting enabled on production servers deserve what they get. Leaving the Phishing.Heuristics.* enabled causes a staggering amount of false positives that, in my opinion, are certainly not worth the tiny fraction of phishes that manage to come through, combined with all other filters we have. Anyone who actually cares about delivering valid email to their users should switch this off.

> What I would like to know is why is this considered Phishing? What characterizes Phishing.Heuristics.Email.SpoofedDomain classification? What can I do to avoid such classification?

--
Jan-Pieter Cornet [EMAIL PROTECTED]
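An added example of the kind of visible-domain-versus-target-domain check the reply above guesses at (example code, not ClamAV's, and not its actual rules, which the reply says are unknown): for every link it compares the site of the href with the site of any URL shown as link text and with the site hosting any image inside the anchor. The HTML is constructed to have the shape of the excerpt in the thread, and the self-hosted variant shows the fix suggested above; "site" is approximated as the last two host labels.

```python
"""A visible-vs-target domain check, in the spirit of SpoofedDomain.

Added example; not ClamAV's code and not its actual rules (the reply
above says those are unknown). It models one plausible heuristic: inside
each <a href=...>, compare the site of the link target with the site of
any URL shown as link text and with the site hosting any <img> inside
the anchor. The HTML below is constructed to have the shape of the
excerpt in the thread (an Amazon-hosted cover image linking to
phpclasses.org), plus the same excerpt with the image moved to the link's
own domain, the fix suggested there. "Site" is approximated as the last
two host labels (assumption: no public-suffix list is consulted).
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

URL_IN_TEXT = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def site_of(url: str) -> str:
    """Registrable-site approximation of a URL's host ("" if there is none)."""
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.IGNORECASE):
        url = "http://" + url                  # bare "www.example.com/..."
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


class _Anchors(HTMLParser):
    """Collect, per <a href>, its visible text and the src of images inside it."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: List[Dict[str, object]] = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._cur = {"href": a["href"], "text": "", "images": []}
        elif tag == "img" and self._cur is not None and a.get("src"):
            self._cur["images"].append(a["src"])   # <img ... /> also lands here

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.anchors.append(self._cur)
            self._cur = None


def spoofed_domains(html: str) -> List[Tuple[str, str, str]]:
    """Return (kind, shown_site, target_site) for every mismatching link."""
    p = _Anchors()
    p.feed(html)
    p.close()
    findings: List[Tuple[str, str, str]] = []
    for a in p.anchors:
        target = site_of(str(a["href"]))
        if not target:
            continue                           # mailto:, fragments, ...
        for shown in URL_IN_TEXT.findall(str(a["text"])):
            if site_of(shown) != target:       # link text claims another site
                findings.append(("text", site_of(shown), target))
        for src in a["images"]:                # image hosted elsewhere than the target
            if site_of(src) != target:
                findings.append(("image", site_of(src), target))
    return findings


# Constructed samples with the same shape as the excerpt in the thread.
COVER_FROM_AMAZON = (
    '<a href="http://www.phpclasses.org/reviews/order/1593271204.html">'
    '<img src="http://images.amazon.com/images/P/1593271204.01.MZZZ.jpg" '
    'width="121" height="160" border="1" /></a>'
)
COVER_SELF_HOSTED = COVER_FROM_AMAZON.replace(
    "http://images.amazon.com/images/P/", "http://www.phpclasses.org/covers/")
LOOKALIKE_TEXT = '<a href="http://login.example.net/">www.example.com/login</a>'

if __name__ == "__main__":
    print(spoofed_domains(COVER_FROM_AMAZON))   # [('image', 'amazon.com', 'phpclasses.org')]
    print(spoofed_domains(COVER_SELF_HOSTED))   # []
    print(spoofed_domains(LOOKALIKE_TEXT))      # [('text', 'example.com', 'example.net')]
```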
Re: [Clamav-users] live CD
On Mon, Jan 21, 2008 at 11:07:11PM -0600, Robert wrote:
> I'm running into the situation, quite regularly lately, where I have to do a virus scan of a machine that has either out-dated or no anti-virus software. Obviously, just installing some anti-virus software and hoping that will clean up everything afterwards is not a good solution. Therefore, I'm looking at live CD's containing clamav that I can use, along with the ntfs-3g drivers. They work, but they are all out of date. Knoppix hasn't been updated in over a year, and the more recent INSERT is only at version 0.90. While I can update the virus definitions on both (usually), I want to run the latest version of the scan engine too for maximum effectiveness.

I haven't got experience with this myself, but a colleague of mine installed the ubuntu live CD on a USB memory stick, which then has the ability to update itself. google gave me this:

    http://www.debuntu.org/how-to-install-ubuntu-linux-on-usb-bar

--
Jan-Pieter Cornet [EMAIL PROTECTED]
Re: [Clamav-users] Reconfiguring Clam AV
On Tue, Jan 08, 2008 at 10:47:28PM +, Bob Hutchinson wrote:
> On Tuesday 08 January 2008 18:05, Charles Mckee wrote:
>> [how to update on multiple clients]
>
> Cool thank you !! I must install a webserver !! or use rsync
>
> And don't forget to clamdctl reload.

Err... that is kill -USR2 `cat /path/to/clamd.pid`, if the databases changed.

We use a script that's similar to what's below. This script is run from cron, and via ssh to all clients, when the master's OnUpdateExecute is triggered.

    #!/bin/sh
    # change these if necessary for your system
    MD5=`which md5`     # ... or use md5sum.
    CLAMDB=/usr/local/clamav
    CLAMD_PID=/var/run/clamav/clamd.pid
    # trailing slash: rsync the directory's contents into $CLAMDB,
    # not the directory itself as a subdirectory of $CLAMDB
    MASTER=machine.example.com:/path/to/master/clamav/database/

    # fingerprint the database files before the transfer
    # ("$CLAMFILES" is quoted so an empty or multi-line file list
    # doesn't break the test)
    CLAMFILES=`find $CLAMDB -type f`
    if [ -n "$CLAMFILES" ]; then
        CLAMSTATE=`cat $CLAMFILES | $MD5`
    else
        CLAMSTATE=empty
    fi

    rsync -crlpgo --delete $MASTER $CLAMDB

    # fingerprint again after the transfer
    CLAMFILES=`find $CLAMDB -type f`
    CLAMNEW=`cat $CLAMFILES | $MD5`

    if [ "$CLAMSTATE" != "$CLAMNEW" ]
    then
        ### Reload clam databases
        kill -USR2 `cat $CLAMD_PID`
    fi

Note that we left ScriptedUpdates yes on the master freshclam. The only downside is that it occasionally triggers an update while freshclam is unpacking a new database in a temporary directory, which causes a bunch of warnings for missing files during transfer. These are harmless. (At least, I assumed they are harmless. I should fix the exclude file on rsync one of these days to skip those tempfiles :)

-- 
Jan-Pieter Cornet
Re: [Clamav-users] TK53 Advisory #2: Multiple vulnerabilities in ClamAV
On Sun, Dec 30, 2007 at 09:49:11PM -0600, Chris wrote:
> http://seclists.org/fulldisclosure/2007/Dec/0625.html
>
> Or is this a rehash of something already known about?

The weak random number generator part, and the possibility of a race in the cli_gentemp() function has been known for almost three years (March 2005). See:

http://sentinelchicken.com/data/clamav-audit-results.txt

This document also describes a setup in which it is most likely to get a successful race: with a cron-started clamscan.

Too bad nothing was done with the suggestions on the random generator, I think that article pretty much gives every suggestion that also went to this mailinglist in the past few days (regarding the random generation, at least).

-- 
Jan-Pieter Cornet
Re: [Clamav-users] Email viruses almost non-existent?
Paul Kosinski wrote:
> In December 2006, we were running ClamAV 0.88.7, and there were still a fair number of real viruses being detected in inbound email. Now running 0.91.2 and 0.92, there seem to be only phishing attempts, and not even very many of them. In fact it seems that our log file shows almost as many (hourly) signature update messages as phish detections (much less real virus detections).
>
> Have other ClamAV users experienced a similar decline in email attacks?

Yes. We (xs4all, a mid-sized european ISP) actually keep online graphs of the number of viruses and spam detected. Note that we do not count phishes as a virus (phishes detected by clamav count as a score in SA). See:

http://www.xs4all.nl/uk/veiligheid/statistieken.php

As you can see in the yearly graphs, there have been a few outbreaks of viruses causing a temporary rise in the number of email viruses detected. The number of 'real' viruses we see now is typically less than 0.1%. Of course, more than 95% of the rest is spam...

Note that even that 'outbreak' in January was rather weak, topping at 18 viruses/second. We used to see virus outbreaks with over 60 virus delivery (attempts) per second back in 2005.

The going theory is that classical email viruses have basically become almost extinct. Congratulations. The email virus scanners won. The bad guys smartened up and moved to infected webpages (hi, Alicia Keys!), p2p fakes and malware (WoWarcraftPingAccelerator.exe.torrent ?), and IM threats.

Also, if a virus ever does spread by email, it is usually extremely targeted and quite rare, and it doesn't generate a huge outgoing flood because it doesn't want to be detected. So it is not uncommon for 0-day malwarez to be detected by less than 20% of the scanners available. Currently, the only solution is for end users to have really up to date virus scanners on the desktop, and a healthy dose of scepticism before clicking on anything. Wait, is that a pig flying by my window?

So while the battle on email viruses might be won, the war certainly isn't over. If end users continue to be too ignorant to get their security straight, then ISPs will have to run all of their connections through some sort of transparent proxy/virusscanner, at some point, to keep the users secure. And at the moment the NSA (or your local favorite TLA secret agency) hears that that is possible, ISPs will get a request for some more functionality in the transparent proxy, and your privacy will be completely hosed.

-- 
Jan-Pieter Cornet
Re: [Clamav-users] Phishing feature defaults, naming, and 0.92
On Thu, Nov 15, 2007 at 01:28:39PM +0100, shuttlebox wrote:
> On Nov 15, 2007 1:22 PM, David F. Skoll [EMAIL PROTECTED] wrote:
>> Oh, but wait. What's going on here? You upgrade ClamAV and your configuration changes? That shouldn't happen at all. Are you using an installer tool that overwrites your deployed configuration? Surely not!
>>
>> When we upgraded ClamAV, our configuration file stayed the same, BUT we were treated to slow and unwanted new behaviour that caused a flurry of support calls and significant amounts of our support time to figure out what the h*ll was happening.
>
> Aren't these features only ever enabled if compiled with --experimental?

They were at first, but after the upgrade from 0.90.x to 0.91 the experimental features suddenly became the default.

And yes, I did notice this in the Changelog, and we did test it. At that time I trusted the developers not to make stuff default that was still giving lots of false positives. And, it's kind of hard to test the effectiveness of a virus scanner, especially in the face of false positives (or you'd need a pretty huge test set). Since we're reasonably protected from FPs anyway, we decided to put it in production, but found out we were tempfailing legitimate paypal mails soon after, so we disabled the URL scanning.

-- 
Jan-Pieter Cornet
Re: [Clamav-users] Accurate subjects (was Re: PhishingScanURLs is dreadfully slow/CPU-intensive)
On Mon, Nov 12, 2007 at 04:22:47PM -0500, David F. Skoll wrote:
>> My own opinion is that the developers are not going to change the default settings since they are what the majority of users would want enabled by default.
>
> Really? All posters on this thread who gave an opinion wanted PhishingScanURLs off by default. I invite users who want PhishingScanURLs to be on by default to come forward; I'll happily go with the majority decision.

If there's going to be a vote, I haven't expressed my opinion in this thread yet. PhishingScanURLs should be off, in my opinion, for every mailserver installation that actually cares about delivering legitimate mails to its users. So that would imply the default to be off.

In fact, this very feature is the reason we are considering stopping the use of ClamAV. Complete lack of a standard naming scheme to distinguish between viruses and phishing mails is also a factor here.

The reason we're so concerned about this is the false positive rate. Traditionally, virus scanners have had a negligible false positive ratio (less than 1 in 1E9, typically). This means it is in practice no problem to flat-out reject or discard mails that are flagged as a virus. However, spam and phishing detection has a much higher false positive rate, so it's very unwise to discard the mails, and it's usually bad to reject them (because of automatic bounce handling by legitimate bulk mailers), so we put such mails in a special folder.

-- 
Jan-Pieter Cornet
Re: [Clamav-users] RFC: Recognize mbox format
On Wed, Oct 03, 2007 at 08:46:36PM -0700, Dennis Peterson wrote:
> Any chance to set policy that requires the pattern writers anchor the patterns so they stay inside a message? I don't know if the code can compile something like this, but it prevents (on first blush) spanning messages:
>
>     ^.ubject: (other regex stuff here) * ^From - space character
>
> This would stop wildcards from spanning messages.

No, it would not stop the regex from spanning messages. It would only prevent it from matching the subject of the LAST message. (or from matching ANY message if scanning individual mail files).

> Unchecked those wildcard characters can create very cpu intensive patterns and it may be they're best not used if they cannot be anchored or constrained as with {-50}.

That seems like a somewhat better idea. As long as the limit isn't excessive so it can skip beyond the next header into the next message body.

-- 
Jan-Pieter Cornet
Re: [Clamav-users] Updated unofficial-sigs.sh script available
On Tue, Sep 25, 2007 at 03:17:35PM -0700, Bill Landry wrote:
> Epoch time:
>
>     perl -e 'print time() . "\n";'

Golfed:

    perl -le print+time

You can even leave the -l switch if used in ``, because the trailing newline doesn't matter there.

-- 
Jan-Pieter Cornet
Re: [Clamav-users] Updated unofficial-sigs.sh script available
On Tue, Sep 25, 2007 at 04:17:41PM -0700, Dennis Peterson wrote:
>>> Epoch time:
>>
>> Golfed:
>>
>>     perl -le print+time
>
> It wouldn't be Perl if there were only one way to do it ;)

But it's not necessarily good to include all possible ways. I mean, this works too:

    perl -ple '$_=$^T' <<<1

But that's not exactly self-documenting. Plus it's a bitch to embed in a script because of all the quote characters, and finally, it uses a bashism to provide a single line on stdin :) (if you don't use bash, add echo| in front and remove the <<<1).

I optimised for keystrokes, and less complicated characters that possibly need quoting.

You could also optimize for the non-existence of perl, and use awk, which might be even more uniformly available (eg, modern FreeBSD comes without perl if you do a bare bones install. Then again, FreeBSD date groks %s). So, TIMTOWTDI squared (look ma', no perl!). This does the same as date +%s too:

    echo|awk '{print systime()}'

-- 
Jan-Pieter Cornet
[Clamav-users] heuristic phishing detection causes lots of false positives
Since we're treating clamav's detected phishes as spam, instead of rejecting them (what we do with regular malware), we noticed that the heuristic detection causes lots of false positives: in only a few samples I detected legitimate paypal mails (and I know it's legit because it's DomainKeys signed), and mails to the lockergnome mailinglist.

I have now disabled the heuristic by setting:

    PhishingScanURLs no

Is anyone actually using this to reject mails on a large production environment, without getting serious complaints about false positives? (we're doing 5-10 million mails a day, could be that we're seeing more false positives due to the high volume)

-- 
Jan-Pieter Cornet
Re: [Clamav-users] heuristic phishing detection causes lots of false positives
On Wed, Sep 19, 2007 at 07:44:08PM +0300, Török Edvin wrote:
> See bug #551 about that.

Ew. The discussion there only makes me want to make the disabled heuristic setting permanent.

On Wed, Sep 19, 2007 at 12:11:10PM -0500, Noel Jones wrote:
> I think it would be insane to reject or discard mail based on PhishingScanURLs yes on anything bigger than a home/hobby server because of the high false positive rate.

I have to agree. Unfortunately, most mail gateway software interfacing to virus scanners doesn't make this distinction. If the scanner thinks it's a virus, it's rejected, otherwise it is passed. That's how virus scanners used to work, anyway.

> A significant percentage (I'm guessing 10% or more) of the Phishing.Heuristics.* detections here are false, which I then release from quarantine and submit to the signature team as a false positive. This is in contrast to the rest of the clamav detections which have a FP rate approaching zero percent.

Yes, I'm satisfied with the rest of the scanning. Even if I ignore all detected phishing mail, clamav still detects more viruses than our commercial scanners. However, we use our virus scanners as a reason for rejecting or even discarding the email - which we feel confident to do because of the very low false positive ratio of the scanners. If that's not the case, I cannot use it. Fortunately, we can change the scanner so it doesn't use detection methods which cause a high FP rate.

> It's probably important to note that these aren't strictly false positives as the messages invariably contain some sort of funky URL redirect that triggers the detection.

That is a very liberal interpretation of the meaning of not a false positive. I would seriously suggest anyone with an urge to educate all senders of broken, dangerous, silly or dumb email to go and write the appropriate SpamAssassin plugin, and launch a campaign to reach the ignorant masses that produce such atrocities. Good luck. Really.

May I suggest Mail::SpamAssassin::Plugin::DonQuixote ?

But please, in any case, stay away from virus scanning, because it has nothing to do with that.

-- 
Jan-Pieter Cornet
Re: [Clamav-users] Problems with installation
On Thu, Aug 02, 2007 at 03:03:23PM -0700, Freddie Cash wrote:
> It's nice that you have been lucky so far, but don't count on that lasting forever. :) Ports maintainers are actively removing all checks and patches for making things work on FreeBSD 4.x. At some point, you will not be able to use the stock ports tree on your 4.x boxes.

Which is a shame, because FreeBSD 4.11 is the latest stable release that is actually *stable* for us :) Although I believe a few days back a few more thread-related stability bugs have been fixed in the kernel and, together with the recent NFS bugs fixed, it Should Now Work Properly (tm)... but until a week or two ago, we had several documented, repeatable ways to crash a FreeBSD 6.x machine (and the FreeBSD developers know about those, so the fixes are either already available or in progress).

... so we're still only just beginning to upgrade our several clusters of FreeBSD 4 machines.

-- 
Jan-Pieter Cornet
Re: [Clamav-users] clamscan extremly slow
On Mon, Jun 18, 2007 at 09:39:23AM -0400, Christopher X. Candreva wrote:
> On Mon, 18 Jun 2007, Peter Boosten wrote:
>> I had some problems running clamd on one of the machines a long time ago, and with mimedefang running clamscan is the second option (which had worked until sometime ago). So I configured mimedefang for clamscan.
>
> Maybe it's time to ask the mimedefang people to either remove the clamscan option, or put a big NOT FOR PRODUCTION - FOR TESTING ONLY on it.

clamscan has a purpose. As others have also said - YMMV. A very lightly loaded mailserver (~100 msgs/day) shouldn't have a lot of problems with clamscan. At least not with the 0.88.x version.

Besides, mimedefang uses clamscan in case a zip file comes in that clamd is unable to scan, because it is packed with the deflate64 method, which clamd cannot handle. In that case clamscan --unzip is called to scan the file again (at least - clam cannot handle deflate64 up until at least 0.90.3, I haven't checked 0.91rc1 yet).

So for anyone upgrading clamav from 0.88.7 to 0.90, the sudden massive drop in performance (about 50% slower scan times, 10-20 times slower startup times for clamd and clamscan) would come as a surprise. The release notes of the 0.90 version of clamav unfortunately fail to mention that performance problem. (To be fair - the scan times have been fixed since 0.90.2 (or 0.90.3 for some platforms), and the startup time appears to be fixed in 0.91rc1. Kudos to the developers for recognising one of the roots of all evil).

So I don't think it's mimedefang that should label the clamscan method as not for production use.

-- 
Jan-Pieter Cornet
Re: [Clamav-users] Clamav-milter
On Wed, Mar 14, 2007 at 05:33:05PM +0400, Sergey wrote:
> On Wednesday 14 March 2007, Claudio Mundin wrote:
>> I try to search information of mailfomd but I can't find anything. You can tell me where I can find this information?

[removed build info requiring unmaintained software, exact phase of the moon, and the sacrificial death of some small rodents.]

Or you could use mimedefang (www.mimedefang.org), which gives you the power of perl in sendmail, comes with a relatively friendly example script that you can modify to your needs. You'd need to write a bit of perl to do what you need (because nobody is currently insane enough to shoot holes in his or her feet like you want to), but it wouldn't be particularly hard to do.

PS: If the above wasn't obvious, please reconsider what you want to do. At the very least make _VERY_ sure that, if you ever send a notification an email was addressed to you but it contained a virus, that you will NOT send such notifications outside of your own organisation, EVER. Not even in the form of an out-of-office reply to such a message.

-- 
Jan-Pieter Cornet
Re: [Clamav-users] Handling the daily.cvd to daily.inc transition in a packaging context
On Sat, Mar 10, 2007 at 10:56:24AM +0100, Marc Haber wrote:
> in Debian, we have a package called clamav-getfiles which uses freshclam to download new virus patterns and in turn packages up main.cvd and daily.cvd into a .deb package which can then be installed on systems that cannot run their own freshclam, for example for policy reasons. We also use clamav-getfiles to have current .deb packages of the clamav virus database in our unstable and volatile archive.
>
> This process of course broke horribly when freshclam suddenly began to produce daily.inc instead of daily.cvd. I am now wondering how to handle this in the future.

Just put this in your freshclam.conf:

    ScriptedUpdates no

It will make sure only .cvd files are downloaded.

You will probably also want to exclude the mirrors.dat file from the distribution that freshclam 0.90 now puts in the virus database directory.

-- 
Jan-Pieter Cornet
Re: [Clamav-users] Handling the daily.cvd to daily.inc transition in a packaging context
On Sat, Mar 10, 2007 at 11:26:10AM +0100, Marc Haber wrote:
> On Sat, Mar 10, 2007 at 11:11:39AM +0100, Jan-Pieter Cornet wrote:
>> Just put this in your freshclam.conf:
>>
>>     ScriptedUpdates no
>>
>> It will make sure only .cvd files are downloaded.
>
> This is the quick fix I have taken, but is this the right way in the long term? Scripted updates were implemented for a reason, and I don't think that it is the right way to turn them off again to fix the issues that came up with them.

Ah, I assumed for a moment you would only build the .cvd package centrally for the entire debian distribution, so it wouldn't make much of a difference. I see now what you mean...

I guess packing up the entire contents of the database directory would work just as well. Verification can be done by pointing clamscan to the downloaded directory and trying to scan a test-file. (That's not signature verification, but you'd assume that freshclam already did that).

-- 
Jan-Pieter Cornet
Re: [Clamav-users] Local mirror with .90
On Fri, Feb 23, 2007 at 07:04:01AM -0700, Shawn Badger wrote:
> I'm sure this has been asked already, but I haven't been able to find it. How do I get the .cdiff files? I had a local mirror set up, but since .90 was installed they are looking for the .cdiff files.

A centralised update mechanism we use is to have two freshclam servers with an OnUpdateExecute to rsync the files in the clamav database dir to all clients (and to each other). It just kept on working on 0.90.

What I did need to update was the how-to-detect-changed-clam-databases mechanism, since I used to compare

    cat $databasedir/* | md5

from before and after the upgrade to know whether to notify clamd or not. Since $databasedir now contains subdirs, I needed to modify that somewhat.

-- 
Jan-Pieter Cornet
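The "has the database changed, and if so reload clamd" step comes up twice on this page: in the rsync script in the "Reconfiguring Clam AV" reply above, and in the remark here that a flat `cat $databasedir/* | md5` stops working once the database directory contains subdirectories. The following is an added example, not the script from either post: it fingerprints every regular file under a directory in a fixed, sorted order (so the result does not depend on directory listing order, which can change after an rsync --delete), hashes each file's relative path together with its content (so a renamed or moved file counts as a change), and signals clamd with SIGUSR2 only when the fingerprint differs. It assumes a POSIX sh with find, sort and md5sum (use md5 on BSD); the pid file path is a placeholder, and the function names are my own.

```shell
#!/bin/sh
# Added example (not the list post's script): deterministic fingerprint of a
# ClamAV database directory tree, plus a conditional clamd reload.
# Assumes POSIX sh, find, sort, md5sum.  Pid-file path below is a placeholder.

# db_fingerprint DIR: print one hash covering every regular file under DIR.
# Prints "empty" when DIR does not exist (first run on a fresh client).
# Sorting the file list with LC_ALL=C makes the hash independent of the order
# in which find happens to walk the directories; feeding the relative path
# before each file's content makes renames/moves visible as a change.
db_fingerprint() {
    dir=$1
    [ -d "$dir" ] || { echo empty; return 0; }
    ( cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s\n' "$f"
          cat "$f"
      done ) | md5sum | cut -d' ' -f1
}

# reload_if_changed BEFORE AFTER [PIDFILE]: send SIGUSR2 (clamd: reload the
# databases) only when the two fingerprints differ.  Prints "unchanged" or
# "reload"; returns 1 if a reload is needed but clamd cannot be signalled,
# so a cron job can notice that the new database is on disk but not loaded.
reload_if_changed() {
    before=$1
    after=$2
    pidfile=${3:-/var/run/clamav/clamd.pid}   # placeholder default path
    if [ "$before" = "$after" ]; then
        echo unchanged
        return 0
    fi
    if [ -r "$pidfile" ] && kill -USR2 "$(cat "$pidfile")" 2>/dev/null; then
        echo reload
        return 0
    fi
    echo "reload needed, but cannot signal clamd via $pidfile" >&2
    return 1
}

# Typical use around an rsync from the master, e.g.:
#   before=$(db_fingerprint /usr/local/clamav)
#   rsync -crlpgo --delete master:/path/to/database/ /usr/local/clamav
#   after=$(db_fingerprint /usr/local/clamav)
#   reload_if_changed "$before" "$after" /var/run/clamav/clamd.pid
if [ "$#" -gt 0 ]; then
    db_fingerprint "$1"
fi
```

The fingerprint is only a change detector, not an integrity check: freshclam has already verified the .cvd signatures on the master, and rsync -c compares checksums during transfer, so this step is just what decides whether clamd needs the SIGUSR2.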
Re: [Clamav-users] Problem with upgrade
On Tue, Feb 20, 2007 at 02:15:56PM +0100, ShopOnWeb wrote:
> Hi, I have a problem with upgrade from 0.88.7 to 0.90 on Fedora Core 5. My steps for upgrade are:
>
>     #cd /usr/local/src
>     #tar xzvf clamav-0.90.tar.gz
>     #service postfix stop
>     #service clamd stop
>     #rm -f /usr/local/lib/*clam*
>     #cd clamav-0.90
>     #./configure
>     make
>     make install
>     #service clamd start
>
>     [EMAIL PROTECTED] ~]# service clamd start
>     Avvio di clamd: ERROR: Parse error at line 76: Option FixStaleSocket requires boolean argument.
>     ERROR: Can't open/parse the config file /usr/local/etc/clamd.conf
>     [FALLITO]
>
> Where is my error ?

You forgot to look at the UPGRADE file.

-- 
Jan-Pieter Cornet
Re: OT: Re: [Clamav-users] Auto scan problems
On Mon, Feb 19, 2007 at 03:40:04PM -0500, Rick Macdougall wrote:
> I've spent the last couple of days working on this trying to find out exactly what the problem was. It turned out to be a *bsd issue which I have now corrected (It was NOT my system clock or timezone setting)
>
> I've sent myself several test messages and the time/timezone now seems to be correct. Would you mind confirming that for me please?

At least the timezone is now correct! Unfortunately, the Date: header in your email now displays UTC plus 26 hours (instead of plus 13, what it should have been).

    Tue, 20 Feb 2007 09:28:30 +1300 (NZDT)
    Message-ID: [EMAIL PROTECTED]
    Date: Tue, 20 Feb 2007 22:28:08 +1300

One of the time stamps is incorrect, unless it really took 13 hours to send it from your computer to the first hop :) (... and you're living inside the tardis and really did send this from the future. It isn't Tue 20 Feb 2007 22:28 yet, not even for kiwis).

(ObClam: while you're there, submit some very fresh virus samples to the clam team, and clamav might be able to start blocking the virus before it's written! :)

-- 
Jan-Pieter Cornet
Re: [Clamav-users] Stats script quits working after upgrade
On Sat, Feb 17, 2007 at 07:50:37PM -0600, Chris wrote:
>     Wed Feb 14 15:25:59 2007 - stream: Html.Img.Gen013.Sanesecurity.06112900 FOUND
>     Wed Feb 14 20:55:26 2007 - stream 1907: HTML.Phishing.Azon-17 FOUND
>
> A numeric value is placed after the word stream. I'm not good at regexes, I suppose it's a simple fix, would someone be kind enough to show me how to make the change? I think this is the line that needs editing:
>
>     } elsif (/(\w+)\s(\w+)\s{1,2}(\d{1,2})\s(\d+:\d+:\d+)\s(\d+).+stream:\s(.+)\sFOUND/ ) {

Quick fix: turn

    stream:

into

    stream[\s\d]*:

-- 
Jan-Pieter Cornet
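The two points made on this page about clamd's FOUND lines, the optional stream number after "stream" that broke the stats script here, and the earlier remark that the detection name is the only thing distinguishing a near-zero-FP virus hit from a high-FP phishing heuristic hit, fit in one small piece of shell. What follows is an added example, not the stats script from the post nor anything from ClamAV: a sed-based extractor that accepts both the old "stream:" and the 0.90-style "stream <n>:" form, and a triage function that maps the extracted name to the delivery policy described in the "Accurate subjects" reply (reject on virus hits, folder/quarantine on phishing hits). The sample lines are the two from the post (with the " - " separator exactly as it appears there) plus one constructed non-matching line; the function names and the `*Phishing*` generalization are my own assumptions.

```shell
#!/bin/sh
# Added example (not the post's stats script): parse clamd FOUND lines in
# both "stream:" and "stream <n>:" form, and classify the detection name.
# Assumes POSIX sh and sed.

# Constructed sample: the two lines quoted in the post plus one OK line.
clamd_log_sample() {
    cat <<'EOF'
Wed Feb 14 15:25:59 2007 - stream: Html.Img.Gen013.Sanesecurity.06112900 FOUND
Wed Feb 14 20:55:26 2007 - stream 1907: HTML.Phishing.Azon-17 FOUND
Wed Feb 14 21:00:00 2007 - /var/spool/mail/example: OK
EOF
}

# signatures_found: stdin = clamd log, stdout = one detection name per FOUND
# line.  "[[:space:][:digit:]]*" absorbs the optional " 1907" that clamd 0.90
# inserts between "stream" and the colon, so both log formats parse.
signatures_found() {
    sed -n 's/.*stream[[:space:][:digit:]]*: \(.*\) FOUND$/\1/p'
}

# policy_for_signature NAME: the delivery decision the thread argues for.
# Heuristic phishing hits (Phishing.Heuristics.*) have a high false-positive
# rate, and signature-based phishing hits are still spam-grade evidence, so
# both go to a folder/quarantine; everything else is treated as malware and
# rejected.  Treating every name containing "Phishing" as phishing is an
# assumption made for this example.
policy_for_signature() {
    case $1 in
        Phishing.Heuristics.*) echo quarantine ;;
        *Phishing*)            echo quarantine ;;
        *)                     echo reject ;;
    esac
}

# triage_log: stdin = clamd log, stdout = "<policy> <name>" per FOUND line.
triage_log() {
    signatures_found | while IFS= read -r sig; do
        printf '%s %s\n' "$(policy_for_signature "$sig")" "$sig"
    done
}

# Stand-alone demo: triage the constructed sample (or a log given as $1).
if [ "$#" -gt 0 ]; then
    triage_log < "$1"
else
    clamd_log_sample | triage_log
fi
```

Run against a real clamd.log the same pipeline doubles as the FP-review list: everything in the quarantine class is what an operator has to look at by hand, which makes the cost of leaving the heuristics on directly measurable.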
Re: [Clamav-users] Scan report problems with 0.90...
On Sun, Feb 18, 2007 at 01:38:56AM +0100, Jan-Pieter Cornet wrote:
> I've just compiled a clamav 0.90 --enable-experimental, and installed that on another bunch of servers, I'll have statistics on its speed tomorrow. Preliminary results over 2000 samples aren't showing a huge improvement either.

Today's figures:

    clamav 0.88.7  : 155ms/mail
    clamav 0.90    : 272ms/mail
    clamav 0.90-EXP: 297ms/mail

on average over at least 1,000,000 mails for each scanner.

Is anyone else seeing a slowdown in 0.90 like this? Maybe my environment (FreeBSD 4.10, MIMEDefang) isn't optimal for running clamav 0.90? The README file says that --enable-experimental adds performance, but I found it only slows things down further, what sort of speedup is expected with the experimental code?

Note: I haven't seen any crashes, not for the regular and neither for the experimental build.

-- 
Jan-Pieter Cornet
Re: [Clamav-users] Scan report problems with 0.90...
On Sat, Feb 17, 2007 at 09:07:17AM -0500, Robert S. Carroll wrote:
> Clamav 0.90 is about twice as fast as 0.88.1 by the way, (33 m 18 s) versus (62 m 35 s)!

That's odd, I'm seeing the reverse... at least, I'm comparing to .88.7, not 0.88.1.

    Clamav 0.88.7: 142 ms per email
    Clamav 0.90:   224 ms per email

It's about 55% _slower_ than 0.88.7. (on average. Sample size about 1,400,000 emails). This is without enabling experimental, FreeBSD 4.10, built from ports including the FreeBSD patches that were posted earlier on this list.

I've just compiled a clamav 0.90 --enable-experimental, and installed that on another bunch of servers, I'll have statistics on its speed tomorrow. Preliminary results over 2000 samples aren't showing a huge improvement either.

For comparison: sophos (via sophie): 27 ms/mail, f-prot (via fprotd): 40 ms/mail (again: average. same samples).

-- 
Jan-Pieter Cornet
Re: [Clamav-users] Problem running virus-scanner
On Thu, Feb 15, 2007 at 12:49:17PM +0100, Peter Boosten wrote:
> Dear readers,
>
> I've used clamav for some time now, and I'm very happy with it. Yesterday I tried to upgrade to 0.90, but after upgrading mimedefang starts complaining about Problem running virus-scanner, so I downgraded to 0.88.7 again (and everything started working again).
>
> My setup: Sendmail Mimedefang spamassassin clamav (I'm _not_ running clamd).
>
> Anyone any idea?

Yes, mimedefang is still using quite ancient commandline arguments to clamscan:

    clamscan --mbox --stdout --disable-summary --infected $FILE

If you remove (in the mimedefang.pl source) all options except --stdout, it should work.

-- 
Jan-Pieter Cornet
Re: [Clamav-users] Re: Newbie-inquiry
On Tue, Dec 19, 2006 at 11:12:54AM +, G.W. Haywood wrote:
> I tried clamav 0.90rc2 and the scantime of clamav minimized to 30-50 seconds.
> [..]
> Has anyone else observed such large improvements?

Well, I can only observe the fact that clamav is about 10 times slower than our commercial scanners. These are the statistics for one day somewhere at the beginning of December (that I happened to have handy right now):

    scanner      : avg   +- stddev (number of times called)
    Virus:FPROTD : 0.078 +- 0.447  (7085536 samples)
    Virus:SOPHIE : 0.059 +- 0.183  (7086708 samples)
    Virus:CLAMD  : 0.787 +- 3.210  (7086846 samples)

Compare this to, eg, spamassassin:

    SpamAssassin : 1.891 +- 1.933  (3194175 samples)

And then consider that spamassassin usually only takes 25% cpu, where clam takes nearly 100% cpu. Clamav currently eats more CPU than spamassassin, so currently, adding tests to clamav that could also be done by spamassassin is not to my benefit, CPU-wise... I was hoping that this would change with 0.90, but I haven't tried it on our production platforms yet.

--
Jan-Pieter Cornet
Re: [Clamav-users] Forcing clamd to reload its database
On Mon, Dec 11, 2006 at 07:43:43AM -0800, Dennis Peterson wrote:
> Gerard Seibert wrote:
> > What is the preferred method to force clamd to reload its databases?
>
> Try using kill -1 with the process ID of clamd.

That reopens the logfile. You'll have to send it a SIGUSR2, according to the documentation.

    kill -USR2 `cat /path/to/clamd.pid`

--
Jan-Pieter Cornet
Re: [Clamav-users] Choosing best MaxThreads value for clamd?
On Thu, Nov 30, 2006 at 10:15:39AM -0500, Daniel T. Staal wrote:
> > I don't know if that is accurate. clamd seems completely CPU bound. I also don't know why additional threads would use a lot of extra memory, as clamd seems to just stream data from the files it is caching. And I don't see it in practice either. clamd with MaxThreads uses about 50MB resident, and clamd with MaxThreads of 10 is about 48MB. The difference is so small, that is probably just local thread storage.
>
> Are you actually using all threads? They might only take up memory (or be present at all) if they are being used.

My recommendation would be to set it to the maximum amount of parallel scans that you expect that you need.

If you're only ever doing filesystem scans from cron, you will only need 1 thread. If you're doing offline (after smtp) scanning of email, you need very few threads, like 1 or 2. If you're doing online scanning (during the smtp phase), you need the same order of threads as you have sendmail (or postfix, or...) processes running. Not the same (sendmail runs much longer than clamav), but usually something like 20%. Don't worry too much about taskswitching.

--
Jan-Pieter Cornet
Re: [Clamav-users] This seems particularly nasty
. Or something in between...

--
Jan-Pieter Cornet

___
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] hit max-children limit
On Wed, Sep 06, 2006 at 09:44:01PM +0200, [EMAIL PROTECTED] wrote:
> I do think that there is too much of a danger of denial of service attacks or mail failure due to the milter crashing if you scan your mail during the SMTP phase. I have regularly seen ISPs that can't accept mail because of this problem. I would (at the risk of being repetitive, as I have

As a counterpoint, I'd like to point out the benefits of using a milter and scanning in-line, while the mail is being delivered: you get a chance of rejecting the mail instead of having to send a bounce later (or junk the mail, or send it to some possibly-infected or possibly-spam folder).

And with the proper software, that doesn't have to be a problem either. We're using MIMEDefang to do spamfiltering and virusscanning. If clamd happens to hang, it hits an internal MIMEDefang timeout and another virus scanner is tried. Apart from some additional delay, the delivering mail server doesn't notice.

We process around 10 million emails a day using this setup (spread over a cluster of FreeBSD machines), and in over a year I haven't seen MIMEDefang crash causing it to tempfail over a long period of time. It very rarely runs out of resources, causing the mailserver to tempfail incoming emails, but that can happen without a milter too.

We reject roughly 20 emails (or actually recipients) per second. That's 20 bounces that we are NOT sending, per second. Most of these because of spam, by the way; viruses are down to a staggering low of around 300 milliviruses per second now :) It spiked to around 30 viruses/sec at the beginning of this year. See http://www.xs4all.nl/uk/veiligheid/statistieken.php if you're interested in numbers of viruses detected.

--
Jan-Pieter Cornet
Re: [Clamav-users] hit max-children limit
On Wed, Sep 06, 2006 at 03:58:10PM -0600, [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote:
> > recipient. If a virus is rejected at SMTP time then the sending server is likely to try to deliver that virus to the envelope sender, which is not at all friendly. Better to discard viruses than to reject them.
>
> That is the sending server's problem.

Silently blackholing email is bad. But helping the virus by allowing it to spread to a secondary target (which most viruses now put in the MAIL From field), isn't good either.

Having the luxury of multiple (3) virus scanners, I take another approach which hopefully combines the best of both worlds.

- if a virus is detected that is known NOT to be able to forge the sender (eg, a word macro virus), we reject it immediately.
- all other viruses are treated as likely forging the sender. If only one scanner detects the virus, we TEMPFAIL it mentioning "possibly infected with $virusname".
- if more than one virus scanner detects the incoming mail as a virus (and it's not recognised as a non-header-forging one), we discard the incoming mail (that is, we say "200 OK" and junk the mail into the black hole).

This prevents most false positives (which are rare, but not non-existent), and keeps the amount of bounced viruses to a minimum (even if it is bounced by the sending mail server).

--
Jan-Pieter Cornet
Re: [Clamav-users] Small number of ClamAV known viruses ?
On Tue, Jul 18, 2006 at 07:39:32AM -0700, Dennis Peterson wrote:
> Zvi Kave wrote:
> > Why does ClamAV have a significantly small number of known viruses in comparison to other AV software?
>
> There's only a small number of viruses in the wild. MS-DOS viruses from 10 years ago are not likely to pose a problem any longer. Having them in your database only allows you to inflate your virus pattern numbers so that people who are impressed by big numbers will be impressed.

The company I work for (xs4all) runs all incoming emails through 3 different virus scanners. Currently Clamav, Sophos and F-prot. I'm keeping statistics of which scanners detect which virus.

For months, clamav came out on top, detecting the most viruses in the email stream for any given day. And you should consider that we disabled the phishing signatures in clamav, so I'm not counting those. Plus, F-prot currently has heuristic scanning enabled, which makes it catch some badly cleaned, or truncated viruses.

These statistics are from Friday June 23rd, and were typical for the months of May and June.

    clamd:    28311 viruses
    fprotd:   27459 viruses
    saviperl: 21569 viruses

Recently, however, the other scanners have apparently caught up, and in the past two or three weeks I'm seeing the scanners in a different order every day. This is from yesterday, Monday July 17th:

    fprotd:   16091 viruses
    saviperl: 14409 viruses
    clamd:    14243 viruses

There are a few reasons why we're scanning with multiple scanners. First, because we can: the mail platform is slightly overdimensioned :) Second, because we want to guard against false positives.

What happens is, if an email comes in, and we detect a virus of which we are sure it does not (or cannot) fake the MAIL From envelope, such as macro viruses, then we reject the email with a "571 detected $virusname".

If we cannot positively identify the virus as non-header-faking, then it depends on how many scanners detected the virus. If only one scanner detected the virus, then we tempfail the email: "471 possibly infected with $virusname". If two or more scanners detected the virus, we discard the email. (This happens at SMTP time, we never send a bounce because of viruses. We're using MIMEDefang with a custom perl filter to control this).

Since we are sending a tempfail for certain viruses, we see a lot of remote mail servers trying over and over again, usually for days. Since I'm counting every scan, a relatively high percentage of viruses are only caught by one scanner. In practice, this is usually the same message scanned several times. The numbers above are therefore not really an indication of relative performance.

All in all: clamav makes a pretty good email scanner, certainly not worse than the commercial alternatives that I am using. In fact, there are very few reasons why someone wouldn't want to use clamav, even if you already have another virus scanner: it also makes a good companion to a commercial virus scanner, since not every scanner detects every virus (or virus fragment, like a truncated bounce or a badly disinfected mail, which is more common).

Hope this helps.

--
Jan-Pieter Cornet
Re: [Clamav-users] Disable Specific Document Scanning
On Thu, Jul 13, 2006 at 02:41:52PM -0500, Nathan Tullis wrote:
> Ultimately I would rather define by domain which files get scanned as a temporary solution until I upgrade the mail server to a collaboration type server. If this isn't possible without upgrading to something more along the lines of AmaVIS, then I will bite the bullet and wait, because I don't want to spend the time to learn that application.

Yup, you'll need something more sophisticated. I'd recommend MIMEDefang myself, but amavis will likely do too.

The easiest, and by far the safest solution, though, is to wield the cluestick and exercise your percussion technique on this customer's cranium until he sees the light. The customer already proved to be susceptible to software diseases. I would rather add another virus scanner on email coming from that domain than whitelist the domain and/or filetype from scanning. You wouldn't want the next excel macro virus to spread through your mail server, and having the rest of the world point to you saying: "He's the one! He disabled the virus filters, allowing the stuff to spread!"

--
Jan-Pieter Cornet
Re: [Clamav-users] XF.Sic.L def is causing tons of false positives
On Tue, May 23, 2006 at 11:36:12AM -0600, Alex Georgopoulos wrote:
> First I would like to say I've submitted files via the web interface with the false positive using the method from the FAQ. I have a bunch of excel files that won't get through because clam thinks it has this W97 macro virus. We have had 3 commercial AV vendors analyze this file and they said it is not a macro virus but I cannot get any response from the clam devs as to why they think it is one. Anybody out there seeing this too? This is causing a serious issue with our customer and if I can't get any feedback I am going to be forced to abandon the product which is something I don't want to do.

Maybe "tons" is slightly exaggerated? Out of approximately 10 million emails today, our logs show one hit for XF.Sic.L, and then another hit when that email was bounced because of the reject we gave. I can only see that this is for a file of about 600KByte, which is large for a virus, but not exceptional for a macro virus.

If it is really bothering you, you could unpack the daily.cvd and main.cvd (using sigtool -u), search for the line containing XF.Sic.L and remove that, and point your virus scanner to the extracted files (which have to be in another directory than the .cvd files).

Or provide a non-virus-scanned email address, or non-virus-scanned outgoing mail server (usable with specific SMTP AUTH only), or something.

--
Jan-Pieter Cornet
Re: [Clamav-users] XF.Sic.L def is causing tons of false positives
On Tue, May 23, 2006 at 12:49:50PM -0700, Kelson wrote:
> Jan Pieter Cornet wrote:
> > Maybe "tons" is slightly exaggerated? Out of approximately 10 million emails today, our logs show one hit for XF.Sic.L, and then another hit when that email was bounced because of the reject we gave.
>
> If their customer is trying repeatedly to send a bunch of files that trigger false positives on that rule, then yes, they're going to see tons of them -- regardless of the number of hits in anyone else's logs.

Oops. Thinko, I meant to say: I don't see tons of hits, so there's probably no outbreak of this virus going on, so, yes, it is likely a FP.

--
Jan-Pieter Cornet
Re: [Clamav-users] XF.Sic.L def is causing tons of false positives
On Tue, May 23, 2006 at 02:06:05PM -0600, Alex Georgopoulos wrote:
> Tons maybe a little exaggerated but like Kelson said the users keep retrying cause they don't get any notification that it is getting blocked so they send it again. Removing the def from the cvd file is an option but would be

They don't get any notification that it is blocked? That sounds like a problem on their end. Or does your mailserver generate a tempfail (4xx error code) when it finds a virus?

> annoying to maintain over time. I would really like to know why this is happening and get it fixed from the source and not a work around that we'll have to maintain. (Trend, Symantec and McAfee all said there wasn't anything wrong with the file) I even took the file converted it to ODF format then back to Excel and it still gave me a false positive. I stripped out the macros too and it still doesn't like it. My hunch is that there is a problem with the way that particular def works.

And you might be right. Please recall that ClamAV comes with a full money back guarantee if it's not performing the way God intended it.

Seriously, though: the workaround (removing the sig by extracting the .cvd) might only be necessary once or for a single day. Your customer would be happy, file would get sent (unless the receiving end also uses clamav!), and the problematic sig might be removed/updated from the distribution by one of the next database updates. It's likely however your customer won't hit the same FP twice in short succession (at least - in my experience. FPs are still quite rare).

--
Jan-Pieter Cornet
Re: [Clamav-users] Disallowed characters found in MIME headers
On Mon, Mar 06, 2006 at 12:20:11PM -0800, Alex Gottschalk wrote:
> Replacing the CRLF with a bare LF in these headers causes Clamav to no longer quarantine these mail messages.

I'm guessing something is doing double encoding tricks. When you pass lines ending in CRLF to the libraries, my guess is the libraries expect lines ending in LF, and blindly replaces LF by CRLF, so your lines end in CRCRLF. Which is a bare CR followed by a line-ending, CRLF. Bare CR characters are illegal in email. See rfc2821, section 2.3.7:

    SMTP client implementations MUST NOT transmit [bare CR or LF
    characters] except when they are intended as line terminators and
    then MUST, as indicated above, transmit them only as a CRLF sequence.

So it looks like the fault is in your mime-encoding library.

--
Jan-Pieter Cornet
Re: [Clamav-users] Disallowed characters found in MIME headers
On Mon, Mar 06, 2006 at 02:23:51PM -0800, Alex Gottschalk wrote:
> Jan Pieter Cornet wrote:
> > On Mon, Mar 06, 2006 at 12:20:11PM -0800, Alex Gottschalk wrote:
> > > Replacing the CRLF with a bare LF in these headers causes Clamav to no longer quarantine these mail messages.
> >
> > I'm guessing something is doing double encoding tricks. When you pass lines ending in CRLF to the libraries, my guess is the libraries expect lines ending in LF, and blindly replaces LF by CRLF, so your lines end in CRCRLF. Which is a bare CR followed by a line-ending, CRLF. Bare CR characters are illegal in email.
>
> If that were the case, wouldn't I be seeing lines ending with ^M^M in the quarantined email (as viewed with vi)? That isn't the case - the MIME header lines end with a single ^M in mails that get quarantined.

Do you see all other mails ending with ^M? Why not? Surely all your other incoming mails follow the RFCs and are sent with CRLF line endings. (Note: You are supposed to answer this question to yourself, upon which you will hopefully see the light. Don't bother answering the obvious answer).

Another note: if you're uncertain about the operations that certain tools make, try saving the mail just before it enters the mail system, and immediately after it becomes available from the milter, and inspect those files with a hex dump tool. Also, ethereal might be useful here.

--
Jan-Pieter Cornet
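The CRCRLF diagnosis in this thread, and the hex-dump advice just above, as an added Python example that is not part of the thread: it walks a raw message and reports every CR or LF that is not part of a CRLF pair (the bare characters RFC 2821 section 2.3.7 forbids), with a hex view of the bytes around each hit. The sample message is constructed.

```python
from __future__ import annotations

# Constructed sample message: line 1 ends in CRLF, line 2 in CR CR LF (the
# CRCRLF case from the thread), line 3 in a bare LF, the rest is clean.
SAMPLE = (
    b"From: alice@example.test\r\n"
    b"Content-Type: text/plain\r\r\n"
    b"Subject: hello\n"
    b"\r\n"
    b"body\r\n"
)

CR, LF = 0x0D, 0x0A


def find_bare_line_endings(data: bytes) -> list[tuple[int, int, str]]:
    """Return (line_number, byte_offset, kind) for every CR or LF that is not
    part of a CRLF pair. A bare CR directly followed by CRLF is exactly the
    CRCRLF pattern produced by re-encoding an already CRLF-terminated line."""
    problems: list[tuple[int, int, str]] = []
    line, i, n = 1, 0, len(data)
    while i < n:
        b = data[i]
        if b == CR and i + 1 < n and data[i + 1] == LF:
            i += 2          # proper CRLF terminator
            line += 1
            continue
        if b == CR:
            problems.append((line, i, "bare CR"))
        elif b == LF:
            problems.append((line, i, "bare LF"))
            line += 1       # most tools still treat a bare LF as a line end
        i += 1
    return problems


def hex_context(data: bytes, offset: int, before: int = 2, after: int = 2) -> str:
    """Hex view of the bytes around an offset, as a hex dump tool would show."""
    lo, hi = max(0, offset - before), min(len(data), offset + after + 1)
    return " ".join(f"{b:02x}" for b in data[lo:hi])


def is_wire_clean(data: bytes) -> bool:
    """True when every line terminator in the message is a CRLF sequence."""
    return not find_bare_line_endings(data)


if __name__ == "__main__":
    for line, off, kind in find_bare_line_endings(SAMPLE):
        print(f"line {line} offset {off}: {kind}  [{hex_context(SAMPLE, off)}]")
```

Run it on a message saved before and after the milter (as suggested above) to see at which stage the extra CR appears.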
Re: [Clamav-users] RE: Report infected mail to the user
On Fri, Jan 06, 2006 at 12:37:02PM -0500, Chuck Swiger wrote:
> Anyway, amavisd-new lists a dozen or so examples:
>
> # Treat envelope sender address as unreliable and don't send sender
> # notification / bounces if name(s) of detected virus(es) match the list.
> # Note that virus names are supplied by external virus scanner(s) and are
> # not standardized, so virus names may need to be adjusted.
> # See README.lookups for syntax.
> #
> $viruses_that_fake_sender_re = new_RE(
>   qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
>   qr'tanatos|lentin|bridex|mimail|trojan\.dropper'i,
> );

This list is pretty much incomplete (at least sober, somefool and mydoom are missing, to name a few). And having this makes you follow the latest virus definitions scanning for possible new virus strands that fake their sender.

I believe it's way easier to do the opposite: list only viruses that do NOT fake the sender. The only ones you'd expect to find in email are things like eicar, joke and macro viruses. This is probably a better regex:

    $viruses_that_dont_fake_sender_re = qr{
        ^( Joke | Eicar | OF97 | WM(97)? | W(97)?M | (Word)?Macro )(\b|_)
    }xi;

Anyone got any comment or suggestions about this list? (You can of course include all oldfashioned .com and .exe infectors, and it would be wise to do so for any still in the wild, but I don't know if there are any.)

Unfortunately the information available from various virus scanners never includes a field "virus has its own SMTP engine and fakes sender addresses", or this would be a lot easier.

--
#!perl -wpl # mmfppfmpmmpp mmpffm [EMAIL PROTECTED] $p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+ $_[2]}-(map{/p|f/i+/f/i}split//,$)+97):qw(m p f)[map{((ord$)%32-1)/$_%3}(9, 3,1)]),5,1)='`'lt$;$f.eig;# Jan-Pieter Cornet
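The reject/tempfail/discard policy from the "hit max-children limit" and "Small number of ClamAV known viruses" posts above, combined with the $viruses_that_dont_fake_sender_re regex from this post, as an added Python example; it is not the author's MIMEDefang filter. The scanner-result dict and the rule that, when scanners disagree on the family, one sender-forging name is enough to treat the mail as sender-forging are assumptions.

```python
from __future__ import annotations
import re

# The regex from this post, with Perl's /x whitespace removed and /i kept:
# families that cannot forge the envelope sender, so a 5xx reject cannot
# bounce a virus onto an innocent third party.
NON_FORGING_RE = re.compile(
    r"^(Joke|Eicar|OF97|WM(97)?|W(97)?M|(Word)?Macro)(\b|_)", re.IGNORECASE)


def is_non_forging(virus_name: str) -> bool:
    return NON_FORGING_RE.match(virus_name) is not None


def decide(results: dict[str, str | None]) -> tuple[str, str]:
    """results: scanner name -> virus name it reported, or None if clean.
    Returns (action, smtp_reply) following the three-way policy:
      reject   5xx, only when every reported name is a non-forging family
      tempfail 4xx, a single scanner saw something that might forge senders
      discard  accept with 2xx and drop, two or more scanners agree"""
    hits = {scanner: name for scanner, name in results.items() if name}
    if not hits:
        return "accept", "250 OK"
    names = sorted(set(hits.values()))
    # Assumption: if scanners disagree about the family, one sender-forging
    # name is enough to treat the whole mail as sender-forging.
    if all(is_non_forging(name) for name in names):
        return "reject", f"571 detected {names[0]}"
    if len(hits) == 1:
        return "tempfail", f"471 possibly infected with {names[0]}"
    # Accepted at SMTP time (the SMTP accept code is 250; the post says
    # "200 OK" loosely) and then junked, so no bounce is ever generated
    # towards the probably-forged envelope sender.
    return "discard", "250 OK"


if __name__ == "__main__":
    # Constructed scanner results for the three scanners named in the thread.
    for sample in (
        {"clamd": "Eicar-Test-Signature", "fprotd": None, "saviperl": None},
        {"clamd": "Worm.Sober.P", "fprotd": None, "saviperl": None},
        {"clamd": "Worm.Sober.P", "fprotd": "W32/Sober.P@mm", "saviperl": None},
    ):
        print(sample, "->", decide(sample))
```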
Re: [Clamav-users] Phishing - ClamAV and version 0.9
On Fri, Jan 06, 2006 at 05:20:37PM -0500, Jenn wrote:
> So, to be sure I understand, clamav 0.9 is what I would need if I wanted to turn off the detection of Phishing by ignoring the currently existing 500 (or so) Phishing signatures?

No, you can also do that with the current version. You'll just have to create your own signature database, by taking the official clamav signature database and removing the phishing signatures from it.

We're currently doing this, and I'm willing to share the scripts and configs to do it, if there is interest.

--
Jan-Pieter Cornet
Re: [Clamav-users] Any updates for Lupper Virus?
On Wed, Nov 09, 2005 at 03:29:26PM +0800, SSCR Internet Admin wrote:
> I just read this from linuxsecurity.com http://www.linuxsecurity.com/content/view/120754/65/ . Just askin.

    $ sigtool -V
    ClamAV 0.87.1/1166/Mon Nov 7 20:01:45 2005
    $ sigtool -l|grep -i lupii
    Exploit.Linux.Lupii
    Exploit.Linux.Lupii-2

--
Jan-Pieter Cornet
Re: [Clamav-users] Yahoo uses ClamAV, listed in abuse.rfc-ignorant.org
On Wed, Oct 26, 2005 at 08:32:57PM +0200, Jacek Politowski wrote:
> I truly believe that message describing reasons of such e-mail rejection is far better than discarding messages sent to [EMAIL PROTECTED] silently.

Agreed. It is however pretty stupid to block abusive content to an abuse@ address.

> (and if rfc-ignorant would have wider recognition around the world, such listings would lead simply to worldwide conversion of abuse@ into blackholes)

Fortunately, nobody in his right mind uses rfc-ignorant as a basis to block emails, these days. Not if you care about receiving wanted emails, that is.

--
Jan-Pieter Cornet
Re: [Clamav-users] Amavisd source code
On Tue, Oct 04, 2005 at 04:50:21PM +0300, Stephen Cheboi wrote:
> Where can I find the amavisd source code. I need to check on the default mail notifications when a virus is detected?

http://www.google.com/search?q=amavisd&btnI=I%27m+Feeling+Lucky

http://www.sinz.org/Michael.Sinz/Art/Bart-Google.gif

--
Jan-Pieter Cornet
Re: [Clamav-users] clamav-milter seems unstable with 0.87
On Mon, Sep 26, 2005 at 09:47:45AM -0700, Todd Lyons wrote:
> > But with this blanket kill, you also kill connections that may have just been there for a few seconds, and are still very much alive.
>
> Unfortunately it's required to get sendmail to reload the w class.

You only need to restart the listening daemon for that. Kids handling existing connections will exit when the connection terminates, and it's VERY unlikely that you will receive emails for domains via connections that were made before you announced said domain (at least, I presume you add the domains to sendmail before changing the MX records). It's remotely possible, just very very unlikely.

--
Jan-Pieter Cornet
Re: [Clamav-users] MailFollowURLs
On Tue, Sep 20, 2005 at 12:53:22PM +0200, Cami wrote:
> > > Is there any way to specify what URLs ClamAV will download based on the extension? (IE, only download+scan zip|exe|pif etc which are found in the url inside a mail)
> >
> > No. And there are no plans for that, since the file would be endless. We've seen infestations in just about all file types.
>
> Indeed, that makes sense. Is there perhaps another solution to cater for the possibility of a DOS attack on the server?

What about things like "click here to confirm your subscription to [EMAIL PROTECTED]", isn't MailFollowURLs a sure way to confirm all your spam and other webbugs? Anybody have any experience with that?

--
Jan-Pieter Cornet
Re: [Clamav-users] announce?
On Mon, Jul 25, 2005 at 12:33:37PM -0700, Christopher McCrory wrote:
> What are the chances of getting new version announcements to the 'users' list also? It seems easy and would save a lot of people the trouble of

I think it would be way better if the announce list, and/or possibly the users list, could post followup information when it becomes available, such as this:

http://secunia.com/advisories/16180/

I was not rushing the upgrade, waiting for the FreeBSD ports system to catch up, but as I got the info that there's a remote exploit for ClamAV <= 0.86.1, I upgraded immediately yesterday evening. Luckily for me, the FreeBSD ports version was also upgraded yesterday.

--
Jan-Pieter Cornet
Re: [Clamav-users] Reporting Phishing Mails?
On Thu, May 26, 2005 at 12:34:03PM -0500, Damian Menscher wrote:
> some people never learn. Looking forward to 0.90, when these debates can finally end.

They can end NOW, for two reasons: first because subject has been beaten to death and then some more already, and second because there's a documented solution NOW, too.

If you (just like I do) want to remove certain signatures from the database for whatever reason, then use the OnUpdateExecute feature in freshclam.conf to automatically fix (grep -v) your database for you.

If you can't figure it out, I'm happy to send you my config as an example. Offlist.

--
Jan-Pieter Cornet
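An added Python example, not the author's scripts, for the signature-removal workaround in this thread and in the XF.Sic.L and phishing-signature threads above: after `sigtool -u` has unpacked the .cvd files, filter the resulting signature files by exact signature name into a separate directory (clamd must load that directory, not the one holding the .cvd files) and report unwanted names that matched nothing. Exact matching on the name field, rather than a substring `grep -v`, keeps e.g. "XF.Sic.L-2" when only "XF.Sic.L" is unwanted; the name positions follow the ClamAV .db/.ndb/.hdb/.ldb formats, the sample lines are constructed, and the database paths in main are assumptions.

```python
from __future__ import annotations
from pathlib import Path
import subprocess

# Where the signature name lives in each line-based signature format:
#   .db   Name=HexSig
#   .ndb  Name:TargetType:Offset:HexSig
#   .hdb  MD5:FileSize:Name
#   .ldb  Name;TargetDescription;LogicalExpression;Subsig;...
def signature_name(filename: str, line: str) -> str | None:
    ext = Path(filename).suffix
    if ext == ".db":
        return line.split("=", 1)[0]
    if ext == ".ndb":
        return line.split(":", 1)[0]
    if ext == ".ldb":
        return line.split(";", 1)[0]
    if ext == ".hdb":
        fields = line.split(":")
        return fields[2] if len(fields) >= 3 else None
    return None  # unknown format: leave every line alone


def strip_signatures(filename: str, lines: list[str],
                     unwanted: set[str]) -> tuple[list[str], dict[str, int]]:
    """Drop lines whose exact signature name is in `unwanted`.
    Returns (kept_lines, {removed_name: count})."""
    kept: list[str] = []
    removed: dict[str, int] = {}
    for raw in lines:
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            kept.append(line)
            continue
        name = signature_name(filename, line)
        if name in unwanted:
            removed[name] = removed.get(name, 0) + 1
        else:
            kept.append(line)
    return kept, removed


def filter_directory(src: Path, dst: Path, unwanted: set[str]) -> set[str]:
    """Write filtered copies of the unpacked signature files in src into dst
    and return the unwanted names that matched nothing (renamed or already
    dropped upstream, so the exclusion list should be revisited)."""
    dst.mkdir(parents=True, exist_ok=True)
    seen: set[str] = set()
    for path in sorted(src.iterdir()):
        if not path.is_file() or path.suffix == ".cvd":
            continue
        kept, removed = strip_signatures(
            path.name, path.read_text().splitlines(True), unwanted)
        seen.update(removed)
        (dst / path.name).write_text("\n".join(kept) + "\n")
    return unwanted - seen


def unpack_cvd(cvd: Path, workdir: Path) -> None:
    """`sigtool -u FILE` unpacks into the current directory."""
    workdir.mkdir(parents=True, exist_ok=True)
    subprocess.run(["sigtool", "-u", str(cvd.resolve())], cwd=workdir, check=True)


# Constructed sample .ndb lines (not real signatures): the XF.Sic.L name from
# the thread, a variant of it, and an unrelated signature.
SAMPLE_NDB = [
    "XF.Sic.L:0:*:deadbeef",
    "XF.Sic.L-2:0:*:cafebabe",
    "Worm.Sober.P:1:*:0badf00d",
]

if __name__ == "__main__":
    kept, removed = strip_signatures("daily.ndb", SAMPLE_NDB, {"XF.Sic.L"})
    print("removed:", removed)
    print("kept:", kept)
    # Assumed layout for the real thing, e.g. from OnUpdateExecute:
    #   work = Path("/var/tmp/clam-unpacked"); out = Path("/var/db/clamav-filtered")
    #   for cvd in ("main.cvd", "daily.cvd"):
    #       unpack_cvd(Path("/var/db/clamav") / cvd, work)
    #   missing = filter_directory(work, out, {"XF.Sic.L"})
```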
Re: [Clamav-users] Re: virus passing through clamav-milter, but not through clamdscan!
On Fri, May 20, 2005 at 01:14:34AM +0300, Apostolos Papayanakis wrote:
> I have found a certain kind of mime structure and headers, that causes clamd to produce false negatives errors. The debugging output of clamd reports "LibClamAV debug: getline: buffer overflow stopped" and the viral attachment is not opened at all. (See [...]
>
> If the same mail is in mbox format (the only difference is in the first line "From "), the attachments are opened normally, and Worm.Bagz.D is found.
>
> A small collection of the viral mails I have received, can be found at: http://users.auth.gr/~apap/clamav/viruses-that-bypass-clamav-0.85.1.mbox. I receive tens of them every day. They have all been sent to [EMAIL PROTECTED] (this is forwarded to my INBOX) and originate from unqualified addresses from a specific network. The attachments are BASE64 encoded in very long lines (2048 bytes each). No other user on my servers (17000 of them active) has reported to get these viruses. All this is very puzzling.

For what it's worth, I have a sample of Bagz.C, from nov 2004, that also shows the same layout, and behaviour of clamav. If I remove the initial "From " line, the virus is not recognised and --debug output shows the "buffer overflow stopped".

I suppose that this is a bug? Is clam supposed to recognise emails even without the leading "From " line? The reason I ask is: in MIMEDefang, there is this entry in the manpage:

    md_copy_orig_msg_to_work_dir_as_mbox_file()
        Normally, virus-scanners are passed only the unpacked, decoded
        parts of a MIME message. If you want to pass the original,
        undecoded message in as a UNIX-style mbox file, call
        md_copy_orig_msg_to_work_dir_as_mbox_file prior to calling
        message_contains_virus. The only difference between this function
        and md_copy_orig_msg_to_work_dir is that this function prepends a
        "From_" line to make the message look like a UNIX-style mbox file.
        This is required for some virus scanners (such as Clam AntiVirus)
        to recognize the file as an e-mail message.

The md_copy_orig_msg_to_work_dir() is however a lot more efficient, and if it's the same to ClamAV (or, well, if it should be treated the same), then this documentation is not correct? (MIMEDefang also extracts all attachments, so the virus is found anyway, albeit in the extracted part).

--
Jan-Pieter Cornet
Re: [Clamav-users] Sober.P
On Fri, May 13, 2005 at 12:28:35PM -0500, Daniel J McDonald wrote:
> On Fri, 2005-05-13 at 13:21 -0400, Bowie Bailey wrote:
> > Is it just me, or did this virus disappear completely? I have not seen a single instance of Sober.P since 8pm on May 9. This seems very strange to me. I was getting 5-10 per hour up until that point.
>
> Yes, except that I was seeing 5-10 per minute.

Yes, except that I was seeing 60 per second, or about 40% of our total incoming mail flow.

It looks like the Sober.P virus has a termination date, just like the previous Sober variants had. The cutoff date is suspiciously close to Tue May 10 2005, 0:00 UTC.

So instead of virus spewing zombies, the infected PCs are now probably spam spewing zombies, or waiting for something to turn them into spam zombies.

-- 
Jan-Pieter Cornet
Re: [Clamav-users] Virus Volumes
On Thu, Apr 14, 2005 at 08:29:44AM -0400, Samuel Benzaquen wrote:
> I have been running clamav for quite some time now. For most of that time I was receiving between 1500 and 2000 viruses per day. However, lately the number is down to about 200 per day. I don't have any users

We've also seen it on our annual graph. I would post the link, but our graphs require authentication... =(

Viral traffic on our network is now half of what it used to be on Nov 2004.

I hate to be pessimistic, but I believe the absence of a large amount of virus traffic is because the virus authors currently don't want a large amount of traffic. Yes, better filtering by ISPs will help somewhat, but I believe any virus outbreaks are still caused by the large group of click-on-everything lusers behind ISPs who don't care about abuse issues.

The biggest virus outbreaks that I witnessed in the past few months were for Sober-I starting November 19th, and ending January 5th. During this outbreak, virus volumes were up to 15 times the usual rate, at the beginning we even saw rates of up to 30 viruses per second (currently, it's down to a manageable 0.5 to 1 virus per second). If you look up the virus description, Sober-I was scheduled to stop replicating at January 5th.

The next big outbreak was for Sober-K, and I couldn't offhand find a cutoff date for it, but it seemed to have tapered off the beginning of March.

So, while there might be a slow decrease in the background virus noise due to more awareness/better filtering, the peaks are primarily controlled by the virus authors. And that's a scary thought...

-- 
Jan-Pieter Cornet
Re: [Clamav-users] Latest virusdb update - mismatched signature count?
On Thu, Mar 17, 2005 at 07:24:15PM +0100, Tomasz Kojm wrote:
> > > Your clamd doesn't support meta-data signatures.
> >
> > So that will be a feature of 0.84 then?
>
> Yes, it will (already supported in CVS).

Great! I've been using meta-data signatures, via procmail, probably since sircam came out in 2001, and it works very well. I'm still catching mydoom variants using a procmail recipe I wrote in 2003 (much to my surprise, I might add). (See http://www.xs4all.nl/~johnpc/procmailrc.txt if you're interested).

But it's also bad, since if a high-profile virus scanner like ClamAV is going to start matching meta-data, then virus writers are more likely to notice and start changing it with each virus release, making my procmail hackery less effective ;)

-- 
Jan-Pieter Cornet
Re: [Clamav-users] 0.81rc1 - html documentation missing, intentional?
On Thu, Jan 27, 2005 at 08:10:36AM +, Brian Morrison wrote:
> The clamdoc.aux file was not found, so sections will not be numbered and cross-references will be shown as icons.
>
> Is there a correct command for generating the html docs or the clamdoc.aux file? I'm not very TeX literate I'm afraid

TeX generates the .aux file itself. Just rerun the command you gave. In pathetic cases, you might have to rerun it a third time if the page numbers changed due to page numbers being longer than expected and now suddenly wrapping a paragraph making it appear on a new page, therefore shifting all other pages... etc.

-- 
Jan-Pieter Cornet
Re: [Clamav-users] 0.81rc1 - html documentation missing, intentional?
On Thu, Jan 27, 2005 at 10:49:57AM +, Brian Morrison wrote:
> > TeX generates the .aux file itself. Just rerun the command you gave.
>
> Done that, same result. I ran latex2html, do I need to run another command first?

Hm, I'm not very familiar with latex2html. Maybe you should just run latex first? But if nothing is being generated, the tex program aborts due to the missing definitions that you mentioned earlier... those need to be resolved then, somehow.

-- 
Jan-Pieter Cornet
Re: [Clamav-users] Sendmail Milter
On Thu, Jan 13, 2005 at 10:30:52PM -0600, WES wrote:
> I have installed and tested ClamAV (.80-2) which starts up clamd and runs without a problem. Also I have installed clamav-milter (.80-2). I included in my sendmail.mc file the suggested:
>
> INPUT_MAIL_FILTER(~Qclmilter~R
                    ^^        ^^
> ~QS=local:/var/run/clamav/clmilter.sock,F=,T=S:4m;R:4m~R)dnl
  ^^                                                    ^^
> define(~QconfINPUT_MAIL_FILTERS~R, ~Qclmilter~R)dnl
         ^^                      ^^  ^^        ^^

Stop using microsoft products to edit your unix configuration files. Those are microsoft smart quotes. Sendmail somehow strips the high bit and then converts it to \021 and \022 or control-Q and control-R characters, which don't make any sense to sendmail either.

> When I try to restart Sendmail with the INPUT_MAIL_FILTER enabled, I get the following errors:
>
> Jan 13 14:34:26 ns2 sendmail[884]: NOQUEUE: SYSERR(root): /etc/mail/sendmail.cf: line 1682: X\021clmilter\022: unknown filter equate \021=

-- 
Jan-Pieter Cornet
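A quick way to catch this class of mistake before sendmail does is to scan the .mc file for the curly quotes and for the \021/\022 bytes they become. The Python below is an added example, not part of sendmail or clamav-milter: it reports line and column of every smart quote and rewrites them to the backtick/apostrophe pair that m4 expects. It assumes the file was saved either as cp1252 (bytes 0x91-0x94) or as UTF-8 (U+2018/2019/201C/201D); note that clearing the high bit of cp1252 0x91 and 0x92 gives exactly 0x11 and 0x12, the \021 and \022 in the quoted error. The sendmail.mc lines and the error line used as input are constructed for the example.

```python
"""Find and repair Microsoft "smart quotes" in a sendmail.mc.

Added example, not part of sendmail or clamav-milter.  Assumes m4 quoting
with a backtick for the opening quote and an apostrophe for the closing
one, and input saved as cp1252 or UTF-8.  Sample inputs are constructed.
"""
from __future__ import annotations

import unicodedata

# Characters that should have been an opening m4 quote (`) ...
LEFT_QUOTES = {"\u2018", "\u201c", "\x11"}
# ... or a closing one (').  \x11/\x12 are what sendmail reported after
# the high bit of the cp1252 quotes (0x91/0x92) was stripped.
RIGHT_QUOTES = {"\u2019", "\u201d", "\x12"}


def decode_config(raw: bytes) -> str:
    """Windows editors usually save cp1252; fall back to it when the
    bytes are not valid UTF-8."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("cp1252")


def find_smart_quotes(raw: bytes) -> list[tuple[int, int, str]]:
    """(line, column, name) for every smart quote or \\021/\\022 byte."""
    hits = []
    for lineno, line in enumerate(decode_config(raw).splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch in LEFT_QUOTES or ch in RIGHT_QUOTES:
                name = unicodedata.name(ch, "CONTROL 0x%02X" % ord(ch))
                hits.append((lineno, col, name))
    return hits


def fix_smart_quotes(raw: bytes) -> bytes:
    """Replace smart quotes with the ASCII quotes m4 understands."""
    text = decode_config(raw)
    for ch in LEFT_QUOTES:
        text = text.replace(ch, "`")
    for ch in RIGHT_QUOTES:
        text = text.replace(ch, "'")
    return text.encode("utf-8")


# Constructed sendmail.mc fragment as a Windows editor would save it (cp1252).
SAMPLE_MC = (
    "INPUT_MAIL_FILTER(\u2018clmilter\u2019, "
    "\u2018S=local:/var/run/clamav/clmilter.sock,F=,T=S:4m;R:4m\u2019)dnl\n"
    "define(\u2018confINPUT_MAIL_FILTERS\u2019, \u2018clmilter\u2019)dnl\n"
).encode("cp1252")

# Constructed copy of what the sendmail error showed after the high bit was stripped.
SAMPLE_CF_ERROR = b"X\x11clmilter\x12: unknown filter equate \x11=\n"


if __name__ == "__main__":
    for line, col, name in find_smart_quotes(SAMPLE_MC):
        print(f"sendmail.mc:{line}:{col}: {name}")
    print(fix_smart_quotes(SAMPLE_MC).decode())
```

Run it against the real file with `find_smart_quotes(open("sendmail.mc", "rb").read())`; an empty list means m4 will see only ASCII quotes.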
Re: [Clamav-users] RE: Re: This is how I use ClamAV
On Fri, Dec 03, 2004 at 02:54:44PM -0800, Todd Lyons wrote:
> Jan Pieter Cornet wanted us to know:
> > What I find really odd is your complete lack of Worm.Sober-I. Our stats for Thu Dec 2:
>
> Good point. I had totally missed that too.
>
> > Top-5:
> > W32/Sober-I : 1078544
> > W32/Netsky-P: 57920
>
> That's a pretty big difference, seems more like an internal infection

Erm... I cheat a bit, because I'm counting recipients, not emails. Sober-I sends to multiple recipients. We only had 178405 viruses that day (about 2 per second). Still makes it to the #1 position, though.

Viruses come in from 2212 different IP addresses, from all over the world... but the top-10 /8s are all from the RIPE region.. first non-RIPE is 66.0.0.0/8 with 66 different IPs (66x66/8. Coincidence? I think not! :)

Yep, it might be regional indeed. Odd.

-- 
Jan-Pieter Cornet
Re: [Clamav-users] RE: Re: This is how I use ClamAV
On Fri, Dec 03, 2004 at 03:15:49PM -, Ian Lewis wrote:
> > I think it could be nice to have like a list of known systems. That way a newbie could read and choose the best for his needs.
>
> Sendmail 8.12.11, mimedefang, f-prot, sophos and Clamav as soon as the thread concurrency problems on FreeBSD 4 are tackled or we upgraded to FreeBSD 5 (whichever comes first). Discarding in case of virus.
>
> Viruses stopped Yesterday: Thu Dec 2
>   77550 Worm.SomeFool.Gen-1
>   76936 Worm.SomeFool.P
>   26800 Worm.Mydoom.M
>   21249 Worm.Bagle.Gen-zippwd

What I find really odd is your complete lack of Worm.Sober-I. Our stats for Thu Dec 2:

Scanned mail: 5730363
Virus       : 1195719 (20%)

Top-5:
W32/Sober-I    : 1078544
W32/Netsky-P   :   57920
W32/Netsky-D   :    9193
Troj/BkFraud-A :    7238
W32/Netsky-Z   :    7157

Sober-I raised the percentage of viruses in email from about 2% to nearly 30% at peak...

-- 
Jan-Pieter Cornet
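The two stats posts above (the top-5 table here, and the follow-up explaining that the counts are recipients rather than emails and that senders cluster by /8) are easy to reproduce from scanner logs. The Python below is an added example, not the poster's own reporting script: it aggregates constructed log lines per virus both by message and by recipient, and groups distinct sending IPs by /8. The log format (virus=NAME from=IP rcpts=N) and the log lines are constructed for the example; what it shows is how much a recipient-based count inflates a multi-recipient worm's share.

```python
"""Aggregate virus-scanner log lines by virus and by source /8.

Added example, not the poster's script.  The log format and the sample
lines are constructed (RFC 5737 documentation addresses).
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"virus=(?P<virus>\S+) from=(?P<ip>[\d.]+) rcpts=(?P<rcpts>\d+)")

# Constructed sample log: one line per scanned message.
SAMPLE_LOG = """\
Dec  2 00:00:01 mx1 filter[4711]: virus=W32/Sober-I from=203.0.113.9 rcpts=6
Dec  2 00:00:02 mx1 filter[4711]: virus=W32/Netsky-P from=198.51.100.4 rcpts=1
Dec  2 00:00:03 mx2 filter[4712]: virus=W32/Sober-I from=203.0.113.77 rcpts=5
Dec  2 00:00:04 mx2 filter[4712]: virus=W32/Sober-I from=192.0.2.10 rcpts=4
Dec  2 00:00:05 mx1 filter[4711]: virus=W32/Netsky-P from=198.51.100.4 rcpts=1
Dec  2 00:00:06 mx1 filter[4711]: clean from=192.0.2.55 rcpts=1
"""


def summarise(log_text: str) -> dict:
    """Per-virus message and recipient counts, plus the distinct sending
    IPs seen per /8 network."""
    messages: Counter = Counter()
    recipients: Counter = Counter()
    ips_per_slash8: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:                      # clean mail or an unrelated line
            continue
        virus, ip, rcpts = m["virus"], m["ip"], int(m["rcpts"])
        messages[virus] += 1           # one per email
        recipients[virus] += rcpts     # one per envelope recipient
        net = ipaddress.ip_network(f"{ip}/8", strict=False)
        ips_per_slash8[str(net)].add(ip)
    return {"messages": messages, "recipients": recipients,
            "ips_per_slash8": dict(ips_per_slash8)}


def recipients_per_message(stats: dict, virus: str) -> float:
    """Inflation of a recipient-based count over a message-based one
    (1.0 means the two counts agree)."""
    return stats["recipients"][virus] / stats["messages"][virus]


def top_slash8(stats: dict, n: int = 10) -> list[tuple[str, int]]:
    """/8 networks ranked by number of distinct infected senders."""
    ranked = sorted(((net, len(ips)) for net, ips in stats["ips_per_slash8"].items()),
                    key=lambda item: (-item[1], item[0]))
    return ranked[:n]


if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG)
    for virus, count in stats["messages"].most_common():
        print(f"{virus:15s} messages={count:3d} recipients={stats['recipients'][virus]:3d} "
              f"x{recipients_per_message(stats, virus):.1f}")
    print("top /8:", top_slash8(stats))
```

Publishing both columns side by side avoids the confusion in the thread: a worm that addresses many recipients per message looks several times larger in the recipient column than in the message column.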
Re: [Clamav-users] Notification E-mail
On Tue, Sep 21, 2004 at 06:39:25PM -0500, Damian Menscher wrote:
> On Wed, 22 Sep 2004, Jan Pieter Cornet wrote:
> > On Mon, Sep 20, 2004 at 04:26:40PM -0700, [EMAIL PROTECTED] wrote:
> > > It is perfectly acceptable to place an explanatory message in an SMTP REJECT message.
> >
> > Acceptable, maybe, but I believe it's better to simply discard all viruses.
>
> And most sane people believe you are wrong.

I don't think the derogatory comment is necessary. As a riposte: I'm not alone in this, far from it, actually. A similar request was recently issued by virusalert.nl, a dutch organisation on virus prevention. See http://www.virusalert.nl/?show=nieuwsid=559

> No, you also guard against false positives.

True. However, I've never seen any in email. I might be persuaded to only discard when two independent virus scanners detect the malware.

> > However, if the remote end is a real mailserver, either because the
[...]
> That is not your fault. It is the fault of the remote mailserver. Educate them.

It's the fault of the remote server. Well, maybe. But I'm still looking through RFCs that say that you SHOULD not send nasty windows executables with the SMTP protocol. Hopefully an RFC that says something similar is in the works?

Seriously, you cannot possibly expect all mail servers out there to suddenly install decent virus filters. Some mail servers will probably never install virus filters, instead using other lines of defense against viruses. You cannot dictate how someone else runs their server. So, the effect of the 5xx reject is, in the worst case, resulting in the virus being sent elsewhere (in the form of a bounce). So while you're protecting your own users, you are directing the virus attack to some unsuspecting bystander. At least, if you look at the big numbers. Most emails containing viruses are forging the From address, these days. (If I look at our own stats, out of 140K viruses blocked yesterday, 2 are EICAR, 3 Joke type viruses and one word 97 macro virus. That's less than 0.004% of the viruses. I could be missing one or two other non-faking viruses though, I don't know every virus brand).

If the entire world adopted proper virus filters, then, yes, it would be wise to respond with a 5xx reject to a virus (also, it would change practically nothing, except for the case of false positives).

> A common problem I see in the AV community is that they forget that *email* is a service. It must work. Antivirus is a cute little feature we tack on top to make life more convenient, much like anti-spam tools are added. But virus/spam blocking is a feature -- not part of the basic service. Please do NOT break the service. Reliable email delivery depends on not having messages get lost.

True. However, sit at an ISP helpdesk for a day and you'll learn how email does get lost. People are simply clumsy with it. That's reality :( We're not living in the friendly academic internet of 1993 anymore.

And, the number of people complaining about bogus virus notifications is far greater than the number of people complaining about not receiving a warning after sending a virus. In fact, I believe that last number is close to zero.

It probably comes down to the number of false positives that can be expected. I've found a bit of ranting on the net, about virus scanners seeing each other as false positives, and mcafee having lots of false positives, but I haven't found any hard statistics, unfortunately. Is anyone aware of something tangible?

-- 
Jan-Pieter Cornet
Re: [Clamav-users] Notification E-mail
On Mon, Sep 20, 2004 at 04:26:40PM -0700, [EMAIL PROTECTED] wrote:
> It is perfectly acceptable to place an explanatory message in an SMTP REJECT message.

Acceptable, maybe, but I believe it's better to simply discard all viruses. Why? Since all you achieve with rejects is indirectly causing a lot of virus bounces to appear at innocent bystanders.

If the virus delivers the email directly to your scanner - it doesn't matter what return code you give. However, if the remote end is a real mailserver, either because the virus is programmed to send via the default outgoing smtp server, or because someone .forwards all mail to you, or maybe because there's a lower preference MX for some domain, or maybe even because some viruses abuse any listening port 25 that's willing, and one of those smarthosts to your server, then you will cause that other mail server to send a bounce to the wrong person.

And even in case the virus does _not_ fake the sender address, then a 5xx return code will land a bounce in the mailbox of someone who is ignorant enough to get infected by a virus. Probably someone who deleted JDBGMGR.EXE a few months ago, and was then told by the sysadmin to NEVER trust any email again saying you have a virus. Or in other words, a person who is guaranteed to not understand any message a MAILER-DAEMON sends them.

In short, I do not see any merit in letting the sender of a virus know that they sent a virus. If you really want to do something, contact the abuse contact/postmaster of the site sending the viruses, in a nice daily or weekly summary. But there's no automated software for doing that, and doing it by hand is really difficult and a lot of work.

However, there's also the issue of false positives, but I've always assumed they are practically negligible.

What I'd really like is to report viruses at SMTP level like this:

  DATA
  354 continue
  [virus laden email]
  .
  250 OK, your $virus infected email was DISCARDED.

But unfortunately, you cannot change the success reply with milter :(

-- 
Jan-Pieter Cornet
Re: [Clamav-users] Newbie: Clamav and Sendmail milter config
On Tue, Aug 24, 2004 at 02:58:11PM -0400, Randall Perry wrote:
> > On Tue, Aug 24, 2004 at 12:07:46PM -0400, Randall Perry said:
> > > on 8/24/04 11:23 AM, Steve Lenti at [EMAIL PROTECTED] wrote:
> > > > I use a procmail recipe for this. Works great.
> > >
> > > I'd rather use the MTA than the MDA for filtering.
> >
> > Then you'll need an MTA with finer grained ACL's than sendmail.
>
> Ok, that's what I was trying to find out -- if it can be done with sendmail. Guess not.

Not with plain sendmail, you can certainly do quite a lot using sendmail.cf hackery, but you will always need some form of glue to be able to call spamassassin. The glue could either be procmail, or a milter (or something that hijacks the *:25 listening socket, like amavisd-new).

There are various milter options, but you will need to modify one to suit your needs. I can recommend mimedefang, which provides an almost complete perl interface to milter in a very stable manner. It would probably need a few lines of perl code in the default filter config to do the selection based on recipient.

Note- you can only call spamassassin after you received the entire mail body, so, after the DATA phase in SMTP. An email might be addressed to multiple users (and spam will more than often be addressed to many users). Some of those users may have opted in for spam filtering, others may not have opted in. At that point in the SMTP conversation, your only options are to either accept the entire message, for all recipients, or to reject it, for all recipients. Bouncing spam is a /very/ bad idea that will undoubtedly put you quickly on a lot of local blacklists, so that's not an option either.

So unless all recipients of an email agree on the required action, you can either mark spam with a custom header/modified subject/whatever, and leave it to the users to sort the spam out, put the message in some spam folder for some users, or simply discard the message.

-- 
Jan-Pieter Cornet
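The constraint described in this post (after DATA the MTA can only accept or reject the whole message, for every recipient at once, and bouncing spam later is out) and the virus handling argued for in the "Notification E-mail" post above (accept and silently discard, ideally with a 250 reply that says so) together define a small decision procedure. The Python below is an added example, not MIMEDefang, clamav-milter or the poster's filter config: given the recipient list, each recipient's filtering preference and the scanner verdict, it returns the one SMTP reply to send at end of DATA and a per-recipient action. The policy choices (reject spam only when every recipient opted in, otherwise accept and tag per recipient; discard viruses for everyone) and the reply texts are this example's own, consistent with the posts but taken from no project.

```python
"""End-of-DATA decision for a multi-recipient message.

Added example, not code from any milter or from the posters.  The policy
and reply texts are the example's own choices.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SPAM_REJECT = "554 5.7.1 Message rejected as spam"
ACCEPT = "250 OK"


@dataclass
class Decision:
    smtp_reply: str                                   # one reply for the whole message
    per_recipient: dict[str, str] = field(default_factory=dict)  # deliver/tag/discard/reject


def end_of_data(recipients: list[str], wants_filtering: dict[str, bool],
                verdict: str, detail: str = "") -> Decision:
    """Decide the reply at end of DATA and the action per recipient.

    verdict is "clean", "spam" or "virus"; detail names the virus.
    """
    if verdict == "virus":
        # Accept and drop for everyone, with the reply the post wished milter could send.
        reply = f"250 OK, your {detail} infected email was DISCARDED."
        return Decision(reply, {r: "discard" for r in recipients})

    if verdict == "spam":
        opted = {r: wants_filtering.get(r, False) for r in recipients}
        if all(opted.values()):
            # Every recipient asked for filtering: a 5xx reject loses nobody wanted mail.
            return Decision(SPAM_REJECT, {r: "reject" for r in recipients})
        # Mixed opt-in: a reject would also refuse it for users who did not opt in,
        # and accept-then-bounce is off the table, so accept and sort per recipient.
        return Decision(ACCEPT, {r: ("tag" if opted[r] else "deliver") for r in recipients})

    return Decision(ACCEPT, {r: "deliver" for r in recipients})


if __name__ == "__main__":
    # Constructed recipients and preferences.
    prefs = {"alice@example.invalid": True, "bob@example.invalid": False}
    both = ["alice@example.invalid", "bob@example.invalid"]
    print(end_of_data(both, prefs, "spam"))
    print(end_of_data(["alice@example.invalid"], prefs, "spam"))
    print(end_of_data(both, prefs, "virus", "Worm.Bagz.D"))
```

The "tag" action is where the custom header, modified subject or spam-folder delivery the post mentions would happen; it is a per-recipient decision precisely because the SMTP reply cannot be.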
Re: [Clamav-users] Idea for more timely virusdb updates
On Wed, Aug 11, 2004 at 08:34:48PM +0200, Martin Konold wrote:
> The problem with bittorrent is that bittorrent addresses a different problem domain.
>
> clamav pattern update:
> - frequently changing small number of small files distributed from a single point to many
>
> bittorrent:
> - slowly changing high number of potentially very big files distributed from many sources to many destinations.

This isn't correct. You somehow confusingly assume all current bittorrent downloads are related? They are not. Each individual .torrent starts out as a one-to-many distribution. The nice thing about bittorrent is that practically immediately after a third client connects, it becomes a many-to-many transfer, utilising the available upload capacity of all clients.

So each individual torrent you find on those popular websites that list all torrents, started as a single-point-to-many distribution. And the number of torrents available there isn't slowly changing, in fact, it's often changing way faster than new virus definitions are released :)

The main difference is that most currently offered torrents comprise many megabytes, while a virus definition file would only be a few kilobytes. But that doesn't invalidate the protocol, certainly not with a high number of downloaders.

If anyone has questions on how the bittorrent protocol works, there is quite a bit of info on the official website: http://www.bitconjurer.org/BitTorrent/ and there's a wiki FAQ: http://wiki.theory.org/index.php/BitTorrentFAQ

-- 
Jan-Pieter Cornet
Re: [Clamav-users] Idea for more timely virusdb updates
On Tue, Aug 10, 2004 at 10:39:19PM +0200, Peter J. Holzer wrote:
> On 2004-08-10 14:41:28 -0500, Damian Menscher wrote:
[... about sending clamav updates quickly to all subscribers]
> > Anyone know if it's really feasible for us to obtain a mailserver that can send out 2k emails to all (100,000?) users in a short (5-10 mins) time?
>
> How about using NNTP instead of SMTP? Then the clamav server doesn't

Why use such an old protocol that isn't suited to binary transfers.

I've already mentioned this jokingly, but I was half serious: I think setting up a bittorrent would solve a lot of the bandwidth problems. You would need some place to get the daily.cvd.torrent file, which seems to be about 170 bytes when I tried creating one yesterday (Small enough to fit base64-encoded in a DNS TXT record, if you insist, but I doubt that that is prudent to rely upon). Then you'd need a decent tracker, or a bunch of trackers, and at least one seeder per tracker. I guess that the current db.*.clamav.net hosts can easily host both a tracker and a seeder.

If you then distribute a downloading client that keeps seeding for just 1 hour (or until a preset share ratio was reached, say, 10x), you would very quickly take a HUGE load off the download servers... and everyone using clamav would automatically help the project by donating bandwidth for the updates.

P2P - it's not just for downloading pirated Metallica mp3s.

HTH,

-- 
Jan-Pieter Cornet
Re: [Clamav-users] Idea for more timely virusdb updates
On Mon, Aug 09, 2004 at 05:33:05PM -0400, Chris Meadors wrote:
> Suppose there was a DNS entry, say virusdb.clamav.net (or version.virusdb.clamav.net, etc), that returned simply a text record with the current DB version in it. Then, it would be possible to check the version with a relatively cheap single UDP packet, rather than a full http check, and people could check for DB updates more often than once an hour without taxing the distribution system.

Then all users would swarm to download the new sig, as soon as that serial number incremented, flooding the download server with update requests.

Only tracker.clamav.net (can be loadbalanced) should be able to handle a fair number of connections, but daily.cvd.torrent is small enough you could put it in a DNS TXT record :)

(OK, DNS is far from secure, so reliability will be at stake in that case... you might need to cryptographically sign the file).

(1/2 :-)

-- 
Jan-Pieter Cornet
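The proposal and the two caveats in this exchange (a cheap DNS version check, clients swarming the moment the serial increments, and DNS being too weak to trust the payload on its own) fit in a few functions. The Python below is an added example, not freshclam or any ClamAV code: it parses a version record, decides whether a download is needed, verifies the downloaded file against the published digest before installing it, and spreads clients over a window with a deterministic per-host delay. The record format "<db>:<serial>:<sha256 of the file>", the sample record and the file contents are this example's own assumptions. A digest fetched over plain DNS is only as trustworthy as the DNS answer, which is the post's point, so a real deployment would additionally verify a signature under a key that did not arrive in that same answer.

```python
"""DNS-published version record: parse, compare, verify, splay.

Added example, not ClamAV or freshclam code.  The record format and the
sample values are constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class VersionRecord:
    name: str
    serial: int
    sha256: str


def parse_version_record(txt: str) -> VersionRecord:
    """Parse the assumed TXT record format 'daily:1234:<64 hex chars>'."""
    name, serial, digest = txt.strip().split(":")
    if len(digest) != 64:
        raise ValueError("digest must be 64 hex characters")
    int(digest, 16)                      # raises ValueError if not hex
    return VersionRecord(name, int(serial), digest.lower())


def needs_update(local_serial: int, record: VersionRecord) -> bool:
    """One small UDP query answers this; the download only follows on True."""
    return record.serial > local_serial


def verify_download(data: bytes, record: VersionRecord) -> bool:
    """Refuse to install a file whose digest does not match the record."""
    return hashlib.sha256(data).hexdigest() == record.sha256


def splay_seconds(host_id: str, window: int = 600) -> int:
    """Deterministic per-host delay in [0, window) so that clients do not
    all hit the mirror the instant the serial increments."""
    h = hashlib.sha256(host_id.encode()).digest()
    return int.from_bytes(h[:4], "big") % window


# Constructed sample: the file a mirror would serve and its TXT record.
SAMPLE_FILE = b"constructed daily.cvd contents"
SAMPLE_TXT = "daily:1234:" + hashlib.sha256(SAMPLE_FILE).hexdigest()


if __name__ == "__main__":
    rec = parse_version_record(SAMPLE_TXT)
    local = 1233
    if needs_update(local, rec):
        print(f"serial {local} -> {rec.serial}, wait {splay_seconds('mx1.example.invalid')}s then fetch")
        print("digest ok:", verify_download(SAMPLE_FILE, rec))
        print("tampered ok:", verify_download(SAMPLE_FILE + b"x", rec))
```

The splay is the cheap half of the answer to the swarm problem; the torrent discussed in the thread is the other half, and the digest check is what makes either safe to automate.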
[Clamav-users] clamd on FreeBSD with linuxthreads?
We recently discovered that on FreeBSD (4.10), clamd isn't really multi-threaded, as the default FreeBSD pthread is userland threads only, which blocks on disk access. As a result, we had occasional long delays when scanning multiple mails at the same time.

I wonder if anyone here tried compiling clamd on FreeBSD with linuxthreads installed? Does that work as expected? At least configure for clamav-0.75-1 does not try to detect liblthread, but it is of course easy to install linuxthreads in such a way that clamav will pick it up using the default name.

If nobody has negative experiences, I will probably give this a spin and report back to the list if there is interest.

-- 
Jan-Pieter Cornet