RE: [Clamav-users] RFC: squidclam

2005-01-13 Thread Mitch (WebCob)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Lord
Sent: January 13, 2005 12:50 PM
To: clamav-users@lists.clamav.net
Subject: [Clamav-users] RFC: squidclam

Hi,

just wrote a small program to replace SquidClamAV_Redirector.py 
Reason for doing that:
- I manage RPM based servers which don't have pylibclam
  (with my own program I only need one alien rpm not three)
- maybe C is faster than Python (not proven yet ;)
- I was in the mood doing that.


[Mitch says:] Sounds good to me - the fewer dependencies the better - right?

I've been looking at setting something up like this - will post how it goes
- I'm interested ;-)

m/

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


RE: [Clamav-users] Virus Tests from www.testvirus.org

2004-12-01 Thread Mitch (WebCob)
-Original Message-
At 12.08 01/12/2004, you wrote:
  And now a wish:
  Is it possible to implement in clamav-milter or clamd itself the
  possibility to define a list of suffixes I'd like to consider as:
  UNAUTHORIZED ATTACH TYPE
 
 That is not the job of a virus-scanner, it's the job of a content-
 filter.

I know, but what if I want to consider them undesirable by default?
I think clamav-milter should do the job quite easily.
If it finds such an attachment it treats it like a virus name:
UNAUTHORIZED ATTACH TYPE
Stop... :-)

Do you think the idea is wrong? In this way, as I said, you could also
lower the CPU load on the antivir box (you discard without checking) and you
could better fight new viruses (if my sig doesn't detect it, the
attachment type will probably get the message discarded).
And last... we could probably stop using other tools like noattach (which I like
very much, indeed).

Thanks for attention.

[Mitch says:] 
Basically, what everyone is saying is that this is what a content filter is
for: USE a content filter - do that BEFORE you run clam on the content - that
will be faster - and clam won't have to reinvent the wheel and maintain code
that others already do.

Open source software is often not monolithic - to get what you want, you are
expected to combine suitable projects - this flexibility and dedication to
purpose is generally a good thing - projects fail more often as they
increase in scope.

m/



RE: [Clamav-users] virus tests

2004-11-25 Thread Mitch (WebCob)


-Original Message-

I checked it too and everything is ok, except tests
nr. 24, 25 ( which are non-virus, anyway ).
We're running .80 on Gentoo.
Robert
[Mitch says:] 

24 & 25 could be stopped similar to how password protected zips are stopped
- not because they are viral, but because of a policy that allows us to
decide "If it ain't scannable I don't want it" - right?

24 - multimessage segmented file trick - as well as 25 - clsid extension
used could be prevented with optional tests... or perhaps blocked in some
sort of maildrop or procmail script.

I don't want to reignite the earlier battle about what clam should or
shouldn't do - but the zip test has proved useful to us, and it IS optional.
Something like these (assuming there are beasties in the wild taking
advantage of these flaws) could be nice additions...

Just my 2 cents.

m/
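
A pre-scan policy check of the kind the two messages above point to (block by attachment type in a content filter, and refuse what cannot be scanned), as an added example that is not code from the thread or from ClamAV. The suffix list, the function names and the reading of test 24 as MIME `message/partial` fragmentation are assumptions; the sample messages are constructed.

```python
import re
from email import message_from_bytes
from email.policy import default

# Assumed site policy: suffixes refused outright, before any virus scan runs.
BLOCKED_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".com", ".vbs")
# A file name ending in ".{CLSID}" hides its real type behind a class id.
CLSID_SUFFIX = re.compile(
    r"\.\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)


def policy_violations(raw_message):
    """Return policy reasons; an empty list means 'hand it to the scanner'."""
    msg = message_from_bytes(raw_message, policy=default)
    reasons = []
    for part in msg.walk():
        # A fragment of a split message cannot be scanned as a whole object.
        if part.get_content_type() == "message/partial":
            reasons.append("message/partial: fragment cannot be scanned as a whole")
        filename = part.get_filename()
        if not filename:
            continue
        name = filename.strip().lower()
        if CLSID_SUFFIX.search(name):
            reasons.append(f"CLSID extension: {filename}")
        elif name.endswith(BLOCKED_SUFFIXES):
            reasons.append(f"UNAUTHORIZED ATTACH TYPE: {filename}")
    return reasons


def sample(attachment_name):
    """Constructed two-part message carrying one named attachment."""
    return (
        "From: sender@example.com\r\nTo: rcpt@example.com\r\nSubject: sample\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
        "--b1\r\nContent-Type: application/octet-stream\r\n"
        f'Content-Disposition: attachment; filename="{attachment_name}"\r\n\r\n'
        "data\r\n--b1--\r\n"
    ).encode("ascii")


# Constructed inputs, one per case.
SAMPLE_CLEAN = sample("report.pdf")
SAMPLE_SUFFIX = sample("invoice.pdf.scr")
SAMPLE_CLSID = sample("notes.txt.{00000000-0000-0000-0000-000000000000}")
SAMPLE_PARTIAL = (
    "From: sender@example.com\r\nTo: rcpt@example.com\r\nMIME-Version: 1.0\r\n"
    'Content-Type: message/partial; id="frag@example.com"; number=1; total=2\r\n\r\n'
    "Content-Type: application/octet-stream\r\n\r\nfirst half of the payload\r\n"
).encode("ascii")

if __name__ == "__main__":
    for label, raw in [("clean", SAMPLE_CLEAN), ("suffix", SAMPLE_SUFFIX),
                       ("clsid", SAMPLE_CLSID), ("partial", SAMPLE_PARTIAL)]:
        print(label, policy_violations(raw) or "pass to virus scanner")
```

Run from a maildrop or procmail hook, a non-empty result would reject the message before clam is invoked at all.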



update as soon as possible WAS RE: [Clamav-users] Independent Testing

2004-10-21 Thread Mitch (WebCob)

 Hi, how do you make ClamAV update virus database as soon as possible
 when the signature becomes ready?
 
 Sam.
 
[Mitch (bitblock)] 
Sam. Bad toad! Don't hijack threads.

You can run freshclam - there is no such thing as an instant update - the
latest version uses DNS records to allow more frequent polling, but it's
still about 10 minutes from update til when you can download iirc...

That still beats everything else out there though I think.

m/



RE: [Clamav-users] Re: Delays scanning MS Access db file ?

2004-10-04 Thread Mitch (WebCob)
 On an off-topic side note, if anyone knows what SMTP related timeout issues
 come up if a Milter timeout is set to greater than several minutes, I'd be
 very interested to hear.  Does sendmail somehow keep the SMTP session alive
 even if the Milter is taking longer than the SMTP DATA timeout might be, or
 am I restricted to the SMTP timeout periods?


My understanding (from attempting to understand behaviour I saw a while ago)
is that if sendmail OR the other side times out waiting for a response, you
will likely receive multiple copies - the remote MTA sees anything that is
not a SUCCESS as a FAIL, and so considers the message undelivered. This can
result in hugely overflowed mailqs ;-)

m/



RE: AW: [Clamav-users] Re: Re: Re: Windows port ?

2004-09-25 Thread Mitch (WebCob)
 The GPL defines source as the preferred form of the work for making
 modifications to it. If the maintainers of the clamav db add new
 signatures by unpacking the database, modifying it and packing it again,
 it is source code (the act of packing and unpacking is IMHO similar to
 tarring and untarring C source files). If they generate the database
 from a different source, which cannot be trivially reconstructed from
 the distributed database, it is not source code. In the latter case, the
 database cannot be covered by the GPL (you cannot require somebody to
 distribute the source if you don't give it to them).
 
   hp
[Mitch (bitblock)] 

Hi Peter...

Isn't it just as easy as this? Company B wants to use GPL product A in a closed
source commercial product

So...

They write library B, license it to themselves closed source, containing all
their proprietary stuff, and write application B, which calls product A or
uses its libs, but IS open sourced and GPL'd - there's nothing in the GPL
that prohibits you from using code within your GPL product that doesn't have
the same license - there couldn't be or you could run a GPL app on a BSD
system - right?

Just a musing...

m/



___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


RE: [Clamav-users] Re: Re: Re: Windows port ?

2004-09-25 Thread Mitch (WebCob)
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:clamav-users-
 [EMAIL PROTECTED] On Behalf Of Tomasz Kojm
 Sent: September 25, 2004 12:22
 To: [EMAIL PROTECTED]
 Subject: Re: [Clamav-users] Re: Re: Re: Windows port ?
 
 On Sun, 26 Sep 2004 00:09:22 -0700
 Mitch (WebCob) [EMAIL PROTECTED] wrote:
 
  containing all their proprietary stuff, and write application B, which
  calls product A or uses its libs, but IS open sourced and GPL'd -
 
 They can always use clamd (via its socket) without writing any
 additional stuff.
 

[Mitch]

I totally agree - except that to do that they have to install cygwin on
windows, etc...

I think that's what would have started this whole thing - still could be
usable that way, though when everything is wrapped in cygwin calls and
service emulators (to encapsulate daemon functionality) things can get
ugly... he probably started thinking he was simplifying those problems
without realizing the size of the ensuing discussion that would follow.

Realizing and acknowledging that clam was written focusing on unix in
general, mail scanners in particular, I wonder if the clam team would be
interested in accepting windows ports of the code... assuming it's doable,
and I'm not volunteering. It would just open the product to an even wider
audience... of course maybe that's not desirable yet ;-) (considering mirror
server loads etc.!)

m/






RE: [Clamav-users] Re: Re: Re: Re: Windows port ?

2004-09-23 Thread Mitch (WebCob)
Remi wrote:

  No, it won't. Security by obscurity is a nonsense.
 It's true only for cryptography I think.


Anyone with a disassembler can find your secret sauce as soon as they
download your product. A lot of effort yes... but if what you think you have
found has any value it will be done. Consider the volume of movies and
software and keygens released daily...

The people who write viruses are used to low level analysis and reverse
engineering of systems and their weaknesses - right? They aren't
particularly fond of the laws...

That's the reason the big vendors have to keep rolling new engines as well
;-)

m/





RE: [Clamav-users] Re: Re: Re: Re: Windows port ?

2004-09-23 Thread Mitch (WebCob)
  Ok, you can download the clam database handling and file scanner at
  http://uscanit.free.fr/lib.zip

 It looks OK. Thanks for publishing it.


Can you clarify for the rest of us? Does that mean the clam team is
accepting this sort of usage of the db?

m/





RE: [Clamav-users] Re: Re: Windows port ?

2004-09-22 Thread Mitch (WebCob)
Or write an open source program which does the scanning without dependency
on cygwin. GPL it, give away the source. Keep your heuristics separate, and
if you like your interface, etc. This is the same effect as the windows
wrapper that exists without the underlying overhead of the cygwin underneath
(though is there really much point in that? cygwin is free, allows us to
start daemons and services (so you could run clam or clamd as your virus
scan tool underneath your app), and you can install cygwin by simply
distributing a single dll - right?)

Note, I'm in full support of the project maintainer having the right to
control the use of their own work under their own license, just don't see
what the problem is - you just have to work WITH the system instead of
trying to hack around it and produce your own - which is kind of pointless
anyway - every new version results in additional signature formats, and more
porting work for you.

If you came up with a cygwinless patch / build script, it could be
opensourced, and you wouldn't have to do the ports - just call the resulting
engine!

m/

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Stefke
 Sent: Wednesday, September 22, 2004 4:02 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Clamav-users] Re: Re: Windows port ?


 Advice to Remi.

 Create your own database structure, write a GPL'ed program that converts
 Clamav's DB to your own, use your own DB in your Free but closed source
 program



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Ralph
 Angenendt
 Sent: Wednesday, 22 September 2004 11:33
 To: [EMAIL PROTECTED]
 Subject: Re: [Clamav-users] Re: Re: Windows port ?


 Fajar A. Nugraha wrote:
  How is that so?
  From daily.cvd's COPYING :
 
  -GNU GENERAL PUBLIC LICENSE Version 2
 Isn't LGPL more suitable for libraries?

 Why should it be? *IF* the authors chose to license it to you in a way,
 which *only* allows you to incorporate it into Programs with GPL compatible
 licenses, it should be respected.

  -   1. You may copy and distribute verbatim copies of the Program's
  source code as you receive it, in any medium ...
  He didn't distribute it. He just uses it

 He uses it in a program. He has to load it somehow.

  How is his using clamavdb (but does not distribute it), be different
  from hosting appliances (Ensim, CPanel, etc) which uses numerous open
  source programs on Linux (apache, mysql, and even clamav) but does not
  distribute it? I don't see Ensim released as GPL.

 He has to link the database *somehow* into his program. Look up what the GPL
 has to say about that.

 And: Hey, if you do not like the license of a program - do not use it. It is
 as simple as that. If you want to use it - fulfill the license.

 Ralph
 --
 Ralph [EMAIL PROTECTED]
 Bayerischer Rundfunk...HA-Multimedia
 Rundfunkplatz 180300 München
 Tl:089.5900.16023..Fx:089.5900.16240

 Text processing has made it possible to right-justify any idea, even one
 which cannot be justified on any other grounds. -- J. Finnegan, USC










RE: [Clamav-users] Notification E-mail

2004-09-20 Thread Mitch (WebCob)
 With one caveat.
 It is perfectly acceptable to place an explanatory message in an SMTP
 REJECT message.

 Something like

 EHLO (hi)
 MAIL FROM (ok)
 RCPT TO (ok)
 DATA (can't accept for delivery, contains the EICAR virus!)

 If the mail is being sent by a virus, the virus will usually just give
 up and go on to the next recipient server on their list.  No "you sent a
 virus" mail is sent to a (usually) innocent third party.

 If the virus is a false positive, and is really good mail being sent by
 a legitimate mail server, the sending mail server will keep the
 responsibility of generating the undeliverable message.

 It would be nice if the SMTP reject message was customizable - say, to
 include a phone number to call in case of false positives.  I didn't see
 anything in the man pages for 0.75.1 - did I miss it?

 [EMAIL PROTECTED]  805.964.4554 x902

Clam doesn't do this at all. It's the widget that is used to integrate with
the MTA that has control of this. I use courier, and this is exactly how my
mail server handles it.

Whatever integration tool you use to tie clam to your MTA (or the MTA
itself) has this job - that's why it's not in the clam man pages ;-)

m/





RE: [Clamav-users] daemon restarting while clamdscan is running

2004-09-10 Thread Mitch (WebCob)
I think this was mentioned in a man page somewhere...

I believe that clam would return a timeout error, and what happens with that
depends on the script that calls clamdscan. If it accepts nothing other than
success, the mail should be deferred and tried again later by the MTA.

Not authoritative, but hope it helps.

m/

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Yury
 Tarasievich
 Sent: Thursday, September 09, 2004 6:46 AM
 To: [EMAIL PROTECTED]
 Subject: [Clamav-users] daemon restarting while clamdscan is running


 Hello,

 What happens if clamd is restarted while clamdscan was running?
 Clamdscan just completes its job and returns OK status?
 Or?..

 regards,
 Yury.
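
The behaviour described in this message and in the earlier "Notification E-mail" message (an explanatory 5xx rejection at DATA, and a deferral when the scanner fails or times out) lives in the glue between the MTA and clam. A sketch of that glue as an added example, not code from ClamAV or from any poster; the function names, reply texts and helpdesk placeholder are assumptions, and exit codes 0/1/2 are the ones documented for clamscan and clamdscan.

```python
import re
import subprocess

# clamscan/clamdscan report an infected object as "<target>: <signature> FOUND".
FOUND_RE = re.compile(r"^.*: (\S+) FOUND\s*$", re.MULTILINE)
# Scanner output is untrusted text: keep only characters safe in one reply line.
UNSAFE_RE = re.compile(r"[^A-Za-z0-9._/-]")


def smtp_reply(exit_code, output, helpdesk="postmaster (placeholder contact)"):
    """Map a scanner result to the SMTP reply given at the end of DATA."""
    if exit_code == 0:
        return "250 2.0.0 Message accepted for delivery"
    if exit_code == 1:
        match = FOUND_RE.search(output)
        name = UNSAFE_RE.sub("_", match.group(1))[:64] if match else "unknown"
        # Permanent failure: the sending MTA keeps responsibility for the
        # bounce, so no notice is generated towards a forged sender.
        return (f"550 5.7.1 Message rejected: contains {name}. "
                f"False positive? Contact {helpdesk}")
    # Exit code 2, a crash, or a signal: never accept unscanned mail and never
    # reject permanently; a 4xx makes the sender queue and retry.
    return "451 4.3.0 Virus scanner unavailable, please try again later"


def scan_and_reply(path, scanner=("clamdscan", "--no-summary"), timeout=60):
    """Run the scanner on one spooled message and return the SMTP reply."""
    try:
        proc = subprocess.run([*scanner, path], capture_output=True,
                              text=True, timeout=timeout)
    except (subprocess.TimeoutExpired, OSError):
        # clamd restarting, socket missing, binary absent, or scan too slow.
        return smtp_reply(2, "")
    return smtp_reply(proc.returncode, proc.stdout)


if __name__ == "__main__":
    # Constructed scanner outputs, not captured from a real run.
    print(smtp_reply(0, "/var/spool/msg1: OK\n"))
    print(smtp_reply(1, "/var/spool/msg2: Eicar-Test-Signature FOUND\n"))
    print(smtp_reply(2, "ERROR: Can't connect to clamd\n"))
```

Keep the scanner timeout shorter than the MTA's own DATA timeout, so the 451 is actually sent before either side gives up.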









RE: [Clamav-users] Second-tier Mirrors...

2004-08-26 Thread Mitch (WebCob)


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Graham
 Toal

 Aren't we missing something obvious here?  Shouldn't we be using some
 sort of distributed technology like BitTorrent?


That's been asked and answered... Bittorrent is meant to optimize download
of large files when there are many peers. We could effect the many peers,
but the size of the files involved are often finished downloading before a
torrent file is downloaded, parsed, and attempted (there are always
unreachable / not responding hosts / slow hosts / bad routes etc.)

A summarization of my understanding anyways.

m/





RE: [Clamav-users] Downloading clam virus definition files automatically

2004-08-26 Thread Mitch (WebCob)
 I think such a provider would be liable for very little - but it is very
 expensive to establish that in court. Law suits are trivial to initiate
 and we are in a very litigious society. If you have 10,000 customers you
 can bet at least one of them will levy a suit against you for some
 perceived affront and you are out of pocket without some kind of
 insurance.


Think we're blowing things out of proportion and way off topic here... This
is ClamAV not business 101...

Liability insurance doesn't PREVENT people from suing you. It covers
SPECIFIED perils if people do, but still requires you to defend yourself in
the suit - it kicks in to pay legal costs or settle if you lose... Having a
fat liability policy can also make you a target.

And a waiver, SLA or specific contract limiting liability can close off many
of these threats.

m/





RE: [Clamav-users] Second-tier Mirrors...

2004-08-25 Thread Mitch (WebCob)
   Someone recently suggested the idea of allowing sites with less than the
   mirror site requirements becoming second-tier mirrors.  This thread is
   an attempt to see what kind of interest there is in such an idea and for
   the developers to respond whether or not the idea has merit.
 
  It would help if you could define what you mean by a second-tier mirror.
  If you allow just anyone to connect, then what makes you second-tier
  instead of primary-tier?  And if you restrict your connections to come
  from within your domain, then why do you need to become an official
  mirror at all?

 Since there was no response, I'll offer an idea:

 What about one set of mirrors that host the main.cvd and another set of
 mirrors that host the daily.cvd?  Assuming people use the DNS to check
 what updates they need, they could then connect to the appropriate
 class of mirrors to get the actual updates.

 It seems to me that this could be a simple way to split the load and
 allow potential mirrors to choose how much they want to host (main only,
 daily only, or both).


I suggested this (2 tier mirrors) at one point - not sure if it was me you
are referring to or not...

I was thinking something like this:

Currently each mirror contributes around 100GB of traffic monthly

Perhaps (not sure of the DNS system in place) could be arranged so that 10%
of the requests a full primary mirror receives could be directed to a
secondary level mirror. With a commitment of only roughly 10GB per month,
we'd get more volunteers (I'd volunteer 2).

Also, while I'm at it, sponsors of open source products are often credited -
the mirrors should have a web page crediting the responsible hosts with
banners / links to them if they would like it... (or has this appeared at
some point since I started participating)... Of course tier 1 mirrors would
get top billing. ;-)


m/





RE: [Clamav-users] Second-tier Mirrors...

2004-08-25 Thread Mitch (WebCob)
 I would love to setup a mirror, but 10Mbps and 100GB/month is more than
 I've got available.

 --TWH

By my count that makes 5 of us I recall seeing volunteer and it isn't even
an option yet.

As we are already trampling the rules with cnames to cnames... what about
this... the second tier cnames could exist as multiple rr ips in a single
mirror cname... thereby sharing the required bandwidth.

Just an idea. I don't think the problem will be adding a few more sites to
push updates to... it would probably be much worse to manage the complexity
of 2 tier deployment than to just update the secondary mirrors after the
primary mirrors from the same source... 10 updates vs 100 updates won't kill
the main source... when it becomes 1000's maybe we worry ;-)

m/





RE: [Clamav-users] Downloading clam virus definition files automatically

2004-08-23 Thread Mitch (WebCob)
 If you really want updates instantly, there *is* a solution.  Volunteer
 to run a mirror.  All mirrors are given updates within 2 minutes.

 Damian Menscher

Joining this thread a little late - sorry...

Then we get back to the level of commitment required to do that... With
things as they are now, the 100GB / month (iirc) and massive number of hits
is too big for all but larger organizations to commit to - and they normally
often have politics involved that make such a decision more than one sysop
can make (unless he's not worried about his job)...

I for one would love to set up a mirror... if it was 10GB / 20GB / maybe
even 30GB... but 100 and growing is a little too much of an unknown for me.
I wouldn't want to opt in, and then have to opt out due to unanticipated and
growing load...

I've seen the notes about the new cap on daily sizes, maybe that will reduce
download size... or maybe at some point a multi level approach will be
used...  (main, monthly, daily, etc...) or something through the setup of
the DNS that could allow people to volunteer to mirror at a second tier with
some fraction of main-mirror bandwidth.

Then we could get more mirrors, and reduce the load on each. Already the DNS
system will eliminate downloads / connections to the mirrors if the version
hasn't changed - right? So eventually we should be able to query more often.

m/





RE: [Clamav-users] Freshclam cron interval {Revisado por Antivirus}

2004-08-17 Thread Mitch (WebCob)

 run freshclam on one machine, use on-update-execute to run an rsync script
 after a successful download to update all your other machines.


 ==
 Chris Candreva  -- [EMAIL PROTECTED]

Does the clamd process need to be signaled on each machine to recognize the
new db?

m/





RE: [Clamav-users] Idea for more timely virusdb updates

2004-08-16 Thread Mitch (WebCob)
 I still don't see why rsync can't be used here.  It can easily do
 incremental updates.

 True. However,
 (1) many firewall admins allow outgoing HTTP and DNS
 ports; I cannot say the same for rsync port.
 (2) The uncompressed signature (viruses.db*) files is a
 good candidate for rsync (or even a simple diff command).
 I don't know how well rsync or diff performs on the
 compressed-signed *.cvd.

Hmmm... interesting points... but what about this option?

Rsync and diff are generic patching mechanisms meant to accommodate data
without a known format - we don't have that problem here.

My understanding is that for the most part database updates are additions,
though sometimes there may be deletions or updates to preexisting keys

Let's say on the SERVER side, those updates were kept in something of the
form:

version|status|signature|md5

Where version is the version number containing the change...
status is + (new sig), - (remove sig), or = (update sig) (the semantics are
important, the values of the enum are not of course)
and signature contains whatever the current fields of the database are...
md5 would be the checksum of a database if all patches applied to this point
are successful

Then, any freshclam could connect, something like:

http://somemirror.db?version=xxx

The server would then return all updates > xxx, which would allow the
freshclam to patch its local database, and verify the last md5 is a match
for the md5 of the updated local db. If the update fails to produce a
matching checksum, freshclam could then pull a fresh copy in its entirety.


This would mean the mirrors would have to support basic scripting (PHP?) but
we could trade a significant portion of the bandwidth for a few cpu
cycles...

m/
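
The client side of the delta feed proposed in this message, as an added example that is not freshclam code or code from the poster. It assumes a text database of `name=hexsig` entries, a canonical sorted serialisation for the checksum, and records sent in ascending version order; all function names and the sample signatures are constructed.

```python
import hashlib


class PatchError(Exception):
    """A record could not be applied or the final checksum did not match."""


def db_md5(db):
    # Assumed canonical form: sorted "name=hexsig" lines.
    text = "".join(f"{name}={sig}\n" for name, sig in sorted(db.items()))
    return hashlib.md5(text.encode("ascii")).hexdigest()


def parse_record(line):
    """Split one 'version|status|signature|md5' record into its fields."""
    try:
        version, status, rest = line.rstrip("\n").split("|", 2)
        signature, md5 = rest.rsplit("|", 1)   # md5 is always the last field
        version = int(version)
    except ValueError as exc:
        raise PatchError(f"malformed record: {line!r}") from exc
    if status not in ("+", "-", "="):
        raise PatchError(f"unknown status {status!r}")
    name, _, sig = signature.partition("=")
    return version, status, name, sig, md5


def apply_updates(db, local_version, records):
    """Apply every record newer than local_version; verify the last md5."""
    patched, version, expected = dict(db), local_version, None
    for line in records:
        rec_version, status, name, sig, md5 = parse_record(line)
        if rec_version <= local_version:
            continue                      # already applied locally
        if rec_version < version:
            raise PatchError("records out of order")
        if status == "+" and name in patched:
            raise PatchError(f"{name} already present")
        if status in ("-", "=") and name not in patched:
            raise PatchError(f"{name} missing locally")
        if status == "-":
            del patched[name]
        else:
            patched[name] = sig
        version, expected = rec_version, md5
    if expected is not None and db_md5(patched) != expected:
        raise PatchError("checksum mismatch after patching")
    return patched, version


def sync(db, local_version, records, fetch_full):
    """Patch in place, or fall back to a full download if patching fails."""
    try:
        return apply_updates(db, local_version, records)
    except PatchError:
        return fetch_full()


def constructed_feed():
    """Sample server feed for versions 2 and 3 (constructed data)."""
    db = {"Test.A": "aa11", "Test.B": "bb22"}          # server state at v1
    changes = [(2, "+", "Test.C", "cc33"), (3, "=", "Test.A", "aa99"),
               (3, "-", "Test.B", "")]
    lines = []
    for version, status, name, sig in changes:
        if status == "-":
            del db[name]
        else:
            db[name] = sig
        field = name if status == "-" else f"{name}={sig}"
        lines.append(f"{version}|{status}|{field}|{db_md5(db)}")
    return lines


if __name__ == "__main__":
    local = {"Test.A": "aa11", "Test.B": "bb22"}
    print(apply_updates(local, 1, constructed_feed()))
```

The md5 here only detects a patch that went wrong; it comes from the same mirror as the records, so it does not authenticate them the way the signature on a .cvd does.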





RE: [Clamav-users] Freshclam cron interval {Revisado por Antivirus}

2004-08-16 Thread Mitch (WebCob)
 No, the cron job only runs on the hour (minute == 0) so it will only run
 once per hour at a random time between hh:00 and hh:30.
 
 A.
 

D'oh! Note to self - don't think you are smart when you're tired! Thanks.




RE: [Clamav-users] Idea for more timely virusdb updates

2004-08-13 Thread Mitch (WebCob)
  DNS for serial numbers plus HTTP for actual data transfer still sounds

 New version of freshclam will work in this way. Big thanks to all for
 the interesting thread !


Sounds cool Tomasz! Be interested to hear if this helps reduce the load on
the mirrors at all. Once this is tested, an update to recommended polling
times would be appreciated (for anyone not running freshclam as a daemon)

Thanks!

m/





RE: [Clamav-users] Idea for more timely virusdb updates

2004-08-13 Thread Mitch (WebCob)
 Similarly, BitTorrent *requires* raw Internet access in order to operate -
 again - not a normal situation for an AV server.


Don't know what exactly you meant by raw as opposed to sauteed, broiled,
baked or toasted, but BitTorrent does NOT require unfirewalled access. It
does require a small port range to be forwarded to it, BUT that port range
is not required to be the same on any two hosts.

When the host contacts the tracker, it tells the tracker which ports it is
listening on so the tracker can distribute load to it.

m/





RE: [Clamav-users] OpenSource Clamav not ready?

2004-08-12 Thread Mitch (WebCob)
 So does that mean you no longer use Exiscan's demime facility, because,
 if I understand this correctly, it is sufficient to pass the mime parts
 to clamd for scanning. Using it and ScanMail would appear to bring some
 competition between Exiscan's demime and ClamAV's ScanMail.

 Could someone clarify this point?

I'd appreciate similar clarification...

I'd heard on the list of people having problems with clamd / clamdscan and
the various mail scanning options (can't remember if the problems were
related). For now (running courier on freebsd) I invoke an external mime
unpacker, and then run clamscan on the unpacked message parts. I know
clamscan is less efficient, but I keep hearing people commenting about run
away memory use etc, and haven't followed it all in enough detail to know if
it's still a problem? (currently the extra cpu cycles are less costly than
the downtime caused by run away ram or processor use...)

Can someone in similar config (courier and freebsd) confirm that they are no
longer having (or never have had) stability issues with clamd / clamdscan
and what changes I make to clam config to properly scan a single mime
encoded message (not an entire mbox).

As a small measure of comfort it would also be nice to know how heavily
loaded your machines are (i.e. small corporate network or ISP/ enterprise
class)

Thanks a bunch!

m/





RE: [Clamav-users] Idea for more timely virusdb updates

2004-08-11 Thread Mitch (WebCob)
 I've already mentioned this jokingly, but I was half serious: I think
 setting up a bittorrent would solve a lot of the bandwidth problems.


Been playing with that a bit recently - the more I think about it, the more
I like it... saw a website that has built a custom tracker to manage
leeches, and prevent people (regardless of client) from sponging without
contributing...

The old way could remain, for offline / intermittently or heavily firewalled
users...

The addition of DNS version management could reduce overhead bandwidth that
occurs during useless polls...

The new way could provide higher frequency updates for those willing to
share and contribute some bytes.

m/





RE: [Clamav-users] Idea for more timely virusdb updates

2004-08-11 Thread Mitch (WebCob)
 Opening another port is simply no option for any serious enterprise use.
 There is simply no way to open another port in the firewall. In addition I am
 confident that IANA will not allow to reserve a fixed port number for this
 service. After all port numbers are a limited resource with today's IPv4
 networks.

bittorrent doesn't rely on a fixed port - it doesn't need one.

If I understand it right, seeders (people with full copies) and peers
(people with partial downloads) register their ports with the tracker, and
if shutdown properly, de-register themselves.

The problem with slow starts DEFINITELY has something to do with seeders and
peers not deregistering themselves (I see it in logs) and have seen FAQ's on
web sites hosting torrent files to this effect.

With a closed loop distribution system with a custom client that guaranteed
a 10X ratio and then cleanly deregistered itself, we would have a very
powerful distribution system.

Might even make a project on its own.

m/





RE: [Clamav-users] Idea for more timely virusdb updates

2004-08-10 Thread Mitch (WebCob)
 right, but as discussed below, generally bind servers don't have 100k people
 waiting for notifications and updates.


Nope, true... but like I suggested, the notification tree doesn't have to be
flat...

One server notifying 10 servers is time consuming and sure - costs a lot
of bandwidth...

Let's assume that each notify takes 5 seconds... we have to have SOMETHING to
measure...

1 server notifying 10 servers takes 50 seconds. That's a little over
a day to push the notification - bad idea ;-)

1 server notifying 100 servers, which each in turn notify 100 servers and so
on...
1 to 100: 100 seconds
each of them notifying 100: 100 seconds (total notified 10100)
each of them notifying 100: 100 seconds (total notified 1010100!) in 5
minutes!

That's 10 times your value of 10 servers. Each server would only have to
know about 100 others. Not a huge database - wouldn't even have to be
written to file. Each server could be responsible for polling its master
once per hour.

  Hourly polls is a good thing - but if the system worked both ways, the
  mirror could signal the end clients that it's time to download... those
  notifies could be sent only to clients that had registered to receive it
  (an option in freshclam) and would not push the data, but trigger a
  freshclam pull.

 with that option, the 'clients' would either have to remain connected the
 entire time, which is completely not feasible, or somehow the database
 mirrors would have to either 'remember' who to notify, or have some sort of
 registry of people to notify (I can see how one might do this with a paid
 mirror service), and then send out notifications (even a single UDP packet
 to 100k servers could be quite bandwidth intensive.  The architecture could
 work, yes, but it doesn't scale well, and I don't think the clamav team has
 the resources to do this sort of ass-kissing for free.  They're already
 providing a wonderful service to the internet community, we cannot bite the
 hand that feeds us.

I wasn't proposing that it had to be done for free (not that it can't be
with the factor tree I explained above). It might even reduce the cost of
database distribution.

If each server is only pushing 100 updates @ 200KB per update (2MB total) we
can get 500 pushes per month for only a couple dollars.

 Another problem with this notification is there are still the spikes when
 the notifications come out that EVERYONE AND THEIR BROTHER contacts the
 database mirrors for updates.  Your solution doesn't solve any problems
 imposed by Christopher's idea, and actually introduces more.

100 servers for 200KB (20MB is hardly a spike.) and as for clients remaining
connected, that is what a server is - connected. This isn't for end users,
or local workstations. It's an OPTION for people who process a lot of data,
are at high risk, and need immediate response. Then their own internal
freshclam clients can poll their local authoritative server as often as they
want, or use the same procedure to distribute to them (if they are full time
connected that is).

 In my opinion, the existing system is fine, and if you want better, you
 should talk to the clamav folks about setting up some sort of 'priority'

Yeah, we could, but I don't think it needs that. And setting up an internal
mirror doesn't address the response time of the updates, unless I start
hammering the main freshclam every few minutes... and I just don't think
that would be friendly.

With the sort of hierarchical distribution I'm talking about, you could even
use a ranking system to automatically organize the distribution (while I'm
on a roll ;-)...

What I mean is that everyone would contact one of the root mirrors
initially. In the request to be notified, it would indicate the number of
clients it serves. If less than a certain number, then it could be referred
to a child of the root server. If that child becomes unavailable it could
contact the root again (at the next hourly polling time). How many servers
are there on the Internet? We could probably handle the whole lot of them
with no more than 4 or 5 levels. Push an update to the world in under 10
minutes. Think how many virus laden emails this could stop.

(visions of f5...) in fact, the root server could hand out the IP's of all
child servers not fully loaded. The client could register with the nearest
(by route time) one -

just ranting...

m/





RE: [Clamav-users] Idea for more timely virusdb updates

2004-08-10 Thread Mitch (WebCob)
 The mirror page talks about the need for mirrors, about exponential growth,
 and how at least a 10mbit pipe is needed to host a mirror. It puts March
 2004 traffic at about 120gig/month


I think I read it differently... I thought it was 120GB / month per mirror
(at that point in time there were 11 mirrors!)

QUOTE (http://www.clamav.net/doc/mirrors/clamav-mirror-howto.txt)
Without mirrors, the traffic on our main site was
100GB/month (May 2003).

On Feb 2004 the traffic on each mirror (11 in total)
reached 120GB/month.
END QUOTE

Not sure if I read it wrong, but that would put total consumption about 1320
GB - makes it more urgent doesn't it?

Unfortunately the round robin - no limits nature makes the entry price for
people who want to help too high for some. I wonder in the short term if
there is a way to create a lower % hit mirror which could say take 10% of
the normal average...

at 12GB / month there might be more takers

m/





RE: [Clamav-users] Idea for more timely virusdb updates

2004-08-09 Thread Mitch (WebCob)
What about a deeper mirroring system? Perhaps one that supports
notification?

One of the things I like about BIND (not enough to use it, but still an
admired concept ;-) is the way zones can be distributed... notification
speeds things up if it works, polling creates a failsafe in which a missing
notify doesn't cause the world to end...

Hourly polls is a good thing - but if the system worked both ways, the
mirror could signal the end clients that it's time to download... those
notifies could be sent only to clients that had registered to receive it (an
option in freshclam) and would not push the data, but trigger a freshclam
pull.

It could provide faster update response and smooth out the spikes in
download traffic, and could be used to maintain a larger set of mirrors...
without increasing polling frequency... a new freshclam server could allow
all larger users to easily run their own mirrors for internal
distribution...

Just a few ideas...

m/





RE: [Clamav-users] Re: [Clamav-virusdb] Update (daily: 445)

2004-08-09 Thread Mitch (WebCob)
 I have 445 (have had it for 5 hours or so) and it still calls it
 Trojan.JS.RunMe.  Am I missing something?  I can see in my clamd.log where
 it picked up the changes and reloaded the database, and sigtool -l lists
 both Trojan.JS.RunMe and Worm.Bagle.AI-2 in it.


I'm going to take a guess here...
The RunMe is the HTML part...
The Worm... is the executable payload...

iirc, clam stops scanning when it sees the first match. HTML would be seen
before payload, so that could be what you are seeing.

m/





RE: [Clamav-users] Clamav Engine upgrades?

2004-08-05 Thread Mitch (WebCob)
This is predicated on the developers of the database incrementing the
functionality level when they make changes like this.

I'm still not sure I get it, but there seems to be some resistance to doing
this consistently.

Some changes in detection seem to make it into CVS, and I think future
versions without a change in the db functionality level - so the code is
there, and maybe it was originally for MAJOR changes - not simply one or two
viruses that need the upgrade, but it doesn't seem to make sense for the way
people use this project...

my 2 cents.

m/

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Ryan Moore
 Sent: Thursday, August 05, 2004 2:02 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Clamav-users] Clamav Engine upgrades?


 Jeremy Kitchen wrote:
  On Thursday 05 August 2004 12:46 pm, Ryan Moore wrote:
 
 Such that if freshclam downloads a signature and if the
 signature has a 'engine version requirement' or some attribute that can
 be compared against the installed engine, if the installed engine isn't
 newer, give a nasty warning in the log.
 
 
  it already does this.  search the archives for 'functionality level'
 
 
 WARNING: Your ClamAV installation is OUTDATED - please update
 immediately !
 WARNING: Current functionality level = 1, required = 2
 
 
  -Jeremy
 

 I didn't get any such warnings on any of my machines, they were all
 using clamav 0.72 with freshclam daemonized (with LogVerbose in
 freshclam.conf). Do you have to do anything special to get this sort of
 behavior? Also did anyone get these warnings when running a version
 previous to 0.75.1?


 Ryan Moore
 --
 Perigee.net Corporation
 704-849-8355 (sales)
 704-849-8017 (tech)
 www.perigee.net









RE: [Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)

2004-07-27 Thread Mitch (WebCob)
Hi.

Before you do, I've been told by Tomasz Papszun that there are signatures
that won't work for anything other than CVS... so you'd have to try building
a CVS version to make it work.

I suggested changes to allow us users to know this info when we do an upload
to the webform, but haven't had response from any of the other developers,
so don't know if the idea is generally approved or not.

Wouldn't want anyone to waste time researching something that might be as
simple as a cvs snapshot build ;-)

Try running the snapshot build (perhaps without installing? can that work?)
to scan the individual file of interest... then you will know...

m/

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Nigel
 Horne
 Sent: Tuesday, July 27, 2004 4:50 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Clamav-users] Virus found, not detected by Clamav, can't
 submit (claimed already recognised but is not)


  # clamscan --mbox virus-20030403-121256-27560

 Forward a copy of the email to me and I'll look into it.

 -Nigel

 --
 Nigel Horne. Arranger, Composer, Typesetter.
 NJH Music, Barnsley, UK.  ICQ#20252325
 [EMAIL PROTECTED] http://www.bandsman.co.uk








RE: [Clamav-users] Virus found, not detected by Clamav, can'tsubmit (claimed already recognised but is not)

2004-07-27 Thread Mitch (WebCob)
I'd be willing to hack the code to add the information mentioned the other
day - care to share the base script (off list is fine by me).

I'd like to make it a little more informative what was found and how it was
found etc.

thanks

m/

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Mike
 Cathey
 Sent: Tuesday, July 27, 2004 7:13 AM
 To: Clamav-users
 Subject: Re: [Clamav-users] Virus found, not detected by Clamav,
 can'tsubmit (claimed already recognised but is not)


 Albert,

 On Tue, 2004-07-27 at 06:15, Albert Pauw wrote:
  However when I tried to submit it, the page came back
  saying that it already is recognised.

 We had to move the submission interface to another server (one of mine)
 and in the process, the interface was broken.  This was resolved
 yesterday afternoon/evening (GMT-4).  I sincerely apologize for the
 inconvenience.

 Cheers,

 Mike
 --
 Mike Cathey - [EMAIL PROTECTED]
 Unix/Networking geek  Perl hacker
 http://www.mikecathey.com/









[Clamav-users] New virus not getting scanned, but web interface says already detected?

2004-07-26 Thread Mitch (WebCob)
For one thing, the web interface for uploading could be A LOT MORE USEFUL by
stating its current clamscan version, what it detects the upload as,
selected options/config, and signature database - just allowing easier
confirmation of relevant settings.

I've downloaded the 0.75, and upgraded, ensured my freshclam is running and
current, and manually unpacked the zip archive containing the file.

Still don't get a positive scan on my end, though.

Help? Don't want to post the virus publicly of course... what now?

Thanks.






Signatures and versions... RE: [Clamav-users] Suggestion: Feature Freeze

2004-07-26 Thread Mitch (WebCob)
 I'd like to second that.  Those of us depending on clamav to catch stuff
 can't afford to upgrade in the middle of the day for new signatures to
 work.  And why don't these new signatures work?  Has that interface not
 yet stabilized?

 Thanks,
   John

Just wondering...

If signatures come out that REQUIRE a new version of code to run, wouldn't
that be a good use for the versions flags in the signature files?

Right now there are two - right? One is for like a format version, and the
other is for an actual version right?

Either we could use the format version to at least raise the error that the
codebase requires an update to the latest (live or CVS or version X (could
predate the actual release so people know to use CVS until then) or we could
add another field to support this function - that may be harder though.

I'm going from memory here, but I remember a while back seeing errors in my
cron email even though I'd run freshclam with --quiet - right? Plus
something ended up in the log file... either of these two things (preferably
both!) could serve to notify users that their application needs an update to
catch the latest.

Thoughts?

Thanks!

m/
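
The version-flag idea in the message above, and the "functionality level" warning quoted elsewhere in this archive, can be turned into a monitored check on the freshclam log. This is an added example, not code from the thread or from the ClamAV project; the function names and the default log path are assumptions, and the sample log is constructed around the two WARNING lines quoted in the archive.

```shell
#!/bin/sh
# Added example: turn freshclam's functionality-level warning into a check
# that a cron wrapper can act on.

# flevel_status LOGFILE
# Prints "CURRENT REQUIRED" taken from the last functionality-level warning.
# Returns 0 when the engine is behind (CURRENT < REQUIRED), 1 otherwise,
# including when the log contains no such warning at all.
flevel_status() {
    fs_pat='Current functionality level = [0-9][0-9]*, required = [0-9][0-9]*'
    fs_line=$(grep "$fs_pat" "$1" | tail -n 1)
    [ -n "$fs_line" ] || return 1
    fs_cur=$(printf '%s\n' "$fs_line" |
        sed 's/.*level = \([0-9][0-9]*\), required.*/\1/')
    fs_req=$(printf '%s\n' "$fs_line" |
        sed 's/.*required = \([0-9][0-9]*\).*/\1/')
    printf '%s %s\n' "$fs_cur" "$fs_req"
    [ "$fs_cur" -lt "$fs_req" ]
}

# check_engine LOGFILE
# Writes a one-line alert to stderr and returns 1 when the engine is behind,
# so cron mails the operator even if freshclam itself ran with --quiet.
check_engine() {
    if ce_levels=$(flevel_status "$1"); then
        echo "ClamAV engine outdated: functionality level ${ce_levels% *}," \
             "database requires ${ce_levels#* }" >&2
        return 1
    fi
    return 0
}

# Constructed sample log; the two WARNING lines are the ones quoted in the
# archive, the first line is filler.
flevel_demo() {
    fd_log=$(mktemp) || return 2
    cat > "$fd_log" <<'EOF'
ClamAV update process started
WARNING: Your ClamAV installation is OUTDATED - please update immediately !
WARNING: Current functionality level = 1, required = 2
EOF
    fd_rc=0
    flevel_status "$fd_log" || fd_rc=$?
    rm -f "$fd_log"
    return "$fd_rc"
}

# Hypothetical default log path; pass the real one as the second argument.
if [ "${1:-}" = "--check" ]; then
    check_engine "${2:-/var/log/clamav/freshclam.log}"
    exit $?
fi
```

A clean result only means no warning was logged: one poster in this archive reports 0.72 installations that logged nothing, so the engine version still has to be tracked separately.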





RE: [Clamav-users] Ethics Question

2004-06-10 Thread Mitch (WebCob)
I'd say so. You aren't talking about doing this after the fact, but as the
message is received and detected as viral - right? They'd have to have hung
up immediately and even then, it's unlikely the modem handshake would be
complete yet on the next call ;-)

 On Thu, 10 Jun 2004, Nigel Horne wrote:
  And just hope that the next person to dial in to the ISP who gets that
  IP address from DHCP is the same person...

 If it's done immediately, then the chance of alerting the wrong machine is
 pretty small, isn't it?

 Jeffrey Moskot
 System Administrator
 [EMAIL PROTECTED]






RE: [Clamav-users] Ethics Question

2004-06-09 Thread Mitch (WebCob)
What's the harm? You aren't selling them anything... Spam is something done
for commercial gain by definition isn't it? they are hurting you - wasting
your bandwidth etc... and as many of my customers could prove - they can go
for MONTHS not knowing they are infected. Your message could say something
like:

Notice from SMTP server @ YOUR_IP:

We have detected incoming mail from you containing virus X.

We are sending this notification as a public service. Please contact your
computer support person or visit one of the many PC Antivirus providers.
Many have free solutions to your problem.


my 2 cents.

m/

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Samuel
 Benzaquen
 Sent: Wednesday, June 09, 2004 12:10 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Clamav-users] Ethics Question




  Tris Forster
  Sent: Wednesday, June 09, 2004 1:02 PM
 
  While the aim of doing this may be completely honourable,  sending
  winpopups to a non-firewalled  machine stinks of spamming and thus I am
  in two minds about putting it into practice

 You are right. That could be even worse than the virus, because you are
 sending it on purpose while the infected computer it's just a victim.

 
  Any thoughts or experiences with similar situations would be
  appreciated..
 

 I think the only way I could think is reporting the IP to some DNSBLs.
 That way you can stop receiving their mails and you leave the cleansing
 problem to their ISP.

 -Samuel









RE: [Clamav-users] Ethics Question

2004-06-09 Thread Mitch (WebCob)
If they are in fact unprotected by a firewall, it's likely they are
receiving popups from all kinds of people... we can only hope they read
yours. Personally I'd be interested in the script you end up using - I'm
assuming you'd call smbclient to generate the popup - an interesting
experiment...

m/

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of jef moskot
 Sent: Wednesday, June 09, 2004 3:50 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Clamav-users] Ethics Question


 On Wed, 9 Jun 2004, Mitch (WebCob) wrote:
  We are sending this notification as a public service. Please contact
  your computer support person or visit one of the many PC Antivirus
  providers. Many have free solutions to your problem.

 That does sound reasonable to me.  I wonder if there isn't a technical
 reason why this might be a Bad Idea, though.  For example, it used to be
 courteous to send an e-mail to a sender to let them know their computer
 was infected, but now trying to do things like that is a nuisance because
 it's highly unlikely that you're actually going to be contacting the
 original sender.

 Popping up a message on the machine with the proper IP number of the
 source of the infection sounds useful at best and harmless at worst...but
 is it really harmless?  Could these popups interrupt running processes on
 poorly configured servers and such?

 Jeffrey Moskot
 System Administrator
 [EMAIL PROTECTED]






Bad ideas WAS RE: [Clamav-users] Zero bytes vbs cpl attachment

2004-05-31 Thread Mitch (WebCob)
 (it was removed) there is nothing for ClamAV to find.  About the best
 you can do is to educate others that stripping viruses out of email (and
 letting the rest through) is a Bad Idea.

While you are mentioning bad ideas... what about this trend of sending
bounce messages to the sender or postmaster based on the From or envelope
address of messages with virii in them. Does Clam-milter do this? (I don't
use that part - use my own courier filter system). Personally I fail to see
the point of this if it does... the virii are most often (these days) lying
about their origins anyways - the only time this helps is when the mail is a
trojan / malware. If the filter was smart enough to send a bounce ONLY in
those cases, it might be useful, but as it is, I've been asked to write
filters by my users to stop these bounces - they are most often telling my
users they are guilty of sending something they know they didn't ;-)

Is Clam on this crazy track of notifying the innocent? Or am I off base
here?

Thanks.

m/





RE: [Clamav-users] Re: Virus Alias Database

2004-05-10 Thread Mitch (WebCob)
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Kevin
 Spicer
 Sent: Monday, May 10, 2004 10:49 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Clamav-users] Re: Virus Alias Database


 It's running PHP & MySQL on apache2, unfortunately this is my home box
 (that said its not a bad spec) so the response will be directly
 proportional to what I'm compiling at the time and the amount of
 bandwidth on my DSL line.

  2. If it could handle heavy loads, it would be useful if the form used
  GET instead of POST, so that links to specific viruses could be posted.

 I've changed the form to GET, however direct links won't work because of
 the web diversion service that I use - unless you link to the IP address
 (of the lower frame, not the outer window), it is a static IP but could
 change if I get fed up with my ISP or something (not that that is at all
 likely right now, I'm using Eclipse and they are excellent)

I'm sure there are many (including myself) that could be convinced to host
mirrors once the concept stabilizes...

Or alternatively, you could allow download of the db and functions so people
wouldn't have to keep hitting your server...

m/






RE: [Clamav-users] Updating ClamAV method other than freshclam

2004-04-08 Thread Mitch (WebCob)
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Lionel
 Bouton
 Sent: Thursday, April 08, 2004 12:26 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Clamav-users] Updating ClamAV method other than freshclam


 I just do that because I have 4 systems using clamav and want them to be
 in sync. So I put some glue around freshclam that compares the cvd
 contents before and after a freshclam run and if a diff is found update
 the 4 systems using rsync and mail the changes to me (new, removed and
 updated entries).


Neat idea!

I know some might think that's trivial, but others might benefit from the
script - I guess you are running it as a cron job?

Care to share? could reinvent the wheel, but would like to see if you've
done anything else interesting ;-)

cheers.

m/
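
A sketch of the kind of glue described in the quoted message: list signature names before and after a freshclam run, and only sync peers and send a report when the lists differ. This is an added example, not the poster's script; the host names, database directory, recipient and function names are assumptions, the sample lists are constructed, and it reports added and removed names only (not changed signature bodies).

```shell
#!/bin/sh
# Added example: wrap freshclam, report signature-name changes, sync peers.
# Hypothetical settings (assumptions, not from the thread):
DBDIR="${DBDIR:-/var/lib/clamav}"      # local database directory
PEERS="${PEERS:-scan2 scan3 scan4}"    # other scanners to keep in sync
REPORT_TO="${REPORT_TO:-root}"         # recipient of the change report

# sig_diff OLD NEW
# OLD and NEW hold one signature name per line (as printed by `sigtool -l`).
# Prints "+name" for names only in NEW and "-name" for names only in OLD.
sig_diff() {
    sd_old=$(mktemp) || return 2
    sd_new=$(mktemp) || { rm -f "$sd_old"; return 2; }
    LC_ALL=C sort -u "$1" > "$sd_old"
    LC_ALL=C sort -u "$2" > "$sd_new"
    LC_ALL=C comm -13 "$sd_old" "$sd_new" | sed 's/^/+/'
    LC_ALL=C comm -23 "$sd_old" "$sd_new" | sed 's/^/-/'
    rm -f "$sd_old" "$sd_new"
}

# update_and_sync: run from cron. freshclam's exit status is ignored on
# purpose; the before/after comparison decides whether anything changed.
update_and_sync() {
    us_before=$(mktemp) || return 2
    us_after=$(mktemp) || { rm -f "$us_before"; return 2; }
    sigtool -l > "$us_before"
    freshclam --quiet
    sigtool -l > "$us_after"
    us_changes=$(sig_diff "$us_before" "$us_after")
    rm -f "$us_before" "$us_after"
    [ -n "$us_changes" ] || return 0   # nothing changed: no sync, no mail
    for us_host in $PEERS; do
        # A peer that could not be updated is named in the report, so a
        # scanner left on old signatures does not go unnoticed.
        rsync -a "$DBDIR/" "$us_host:$DBDIR/" ||
            us_changes="$us_changes
!sync to $us_host failed"
    done
    printf '%s\n' "$us_changes" |
        mail -s "ClamAV signature changes" "$REPORT_TO"
}

# Constructed sample: signature lists before and after an update.
sig_diff_demo() {
    dm_old=$(mktemp) || return 2
    dm_new=$(mktemp) || { rm -f "$dm_old"; return 2; }
    printf '%s\n' Trojan.JS.RunMe Worm.Constructed.A > "$dm_old"
    printf '%s\n' Worm.Bagle.AI-2 Trojan.JS.RunMe > "$dm_new"
    sig_diff "$dm_old" "$dm_new"
    rm -f "$dm_old" "$dm_new"
}

if [ "${1:-}" = "--run" ]; then
    update_and_sync
fi
```

A "-" line in the report deserves a look before it is trusted: a signature that disappears from the list is a loss of detection unless it was renamed or merged.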





RE: [Clamav-users] Virus Names

2004-04-07 Thread Mitch (WebCob)
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of B. van
 Ouwerkerk
 Sent: Wednesday, April 07, 2004 2:00 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Clamav-users] Virus Names


 I don't fancy the idea of doing the same job someone else does but I could
 do it if no one else does or has dropped the idea.
 This would be a good way for me to do something in return for using Clamav.

me either.

I'd certainly be willing to help with something along those lines as well -
even if it's only hosting a mirror!

I think the idea makes sense to me, but I keep hearing that the clamav
format will support some sort of alias system - just not sure what, or how,
or if it is enough information.

I'd IDEALLY like a system that allows us (collaboratively) to map viruses to
all commercial products - PARTICULARLY those maintaining virus information
databases, and then allow us to create a diff-based distribution of this
database - like the clamav datafile, and also a simple lookup page which
could use a template, and the database to return cross references / links to
information on the virii as documented by other systems.

m/





RE: [Clamav-users] Virus aliases

2004-03-11 Thread Mitch (WebCob)
 No idea how easy this would be to implement but here goes:

 As well as the virus signature databases, how about having an alias
 database which would contain a record for each virus, indicating its
 ClamAV name along with those used by the more mainstream AV software
 like Sophos, McAfee etc. Then have the scanning software (clamd etc.)
 accept a commandline switch to indicate your preferred naming. That way,
 if you also use Sophos/McAfee/whatever on internal servers you could get
 ClamAV to report an infection using the same naming as internally.  Of
 course, as the Clam sigs are usually ahead of the rest, the aliases for
 a particular virus would all be set to ClamAV's chosen name. Then, as
 the other vendors get their signatures out the aliases could be updated
 accordingly.

 Workable/unworkable/insane idea?

 Paul

I like it!

Should be quite simple to implement and very workable - depending on the
will of the powers that be to maintain...

A little more complex idea would be to create a collaborative maintenance
system allowing the users to update and complete the information - a simple
voting system could accept multiple submissions from confirmed contributors
as validation...

With such a database (downloadable like freshclam currently maintains
regular virus db) we could issue warnings that make more sense to users of
bigger name commercial products, and even generate links to their
educational content on the virii...

The feeling I get is that clam detects the virus - generates the sig and
done... Norton, etc. decode it and see what it does and then publish the
info - when the link between the clam virus and the norton name is made
(for example) a link to that content would let the clam user know what they
found and what potential damage it could or might have already caused.

The developers of clam already have probably got their plates full with clam
issues... I could (as I imagine many others) consider building and hosting
something like this if there was enough support for it - thoughts?

Thanks!

m/





RE: [Clamav-users] Virus aliases

2004-03-11 Thread Mitch (WebCob)


 -Original Message-
 From: Tomasz Kojm

 On Thu, 11 Mar 2004 10:15:50 +
 Dave Ewart [EMAIL PROTECTED] wrote:

  2. Can the alias details be extracted from the .cvd files?  If not
  currently, is there any way to add this detail?

 Virus aliases will be supported in signatures in the near future.


Maybe I spoke too soon... if you guys are already working on this great - how
will aliases be identified and submissions be processed?

I've heard that the bigger manufacturers often copy the first known name -
is there a way to get in that peer group?

Will the system handle multiple aliases in the event it occurs?

Will the system identify the owner of the alias (like norton / sophos /
etc.)?

Thanks!

m/





RE: [Clamav-users] password-protected Worm.Bagle.H

2004-03-03 Thread Mitch (WebCob)
That's got my vote - can the core team give some indication of options being
considered and what general direction we'll go here?

Thanks.

m/

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Andy Dills
 Sent: Tuesday, March 02, 2004 11:05 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Clamav-users] password-protected Worm.Bagle.H


I think clamav should return a certain value if the zip file is deemed
clean because it's encrypted, so that glue programs like amavisd-new can
allow people to control when encrypted zips are allowed through. This is a
reasonable thing for clamav to do regardless, if you think about it;
isn't that essentially an error condition (can't scan zipfile)?

It would seem a simple fix for somebody familiar with the code.
Developers, any comments?

Thanks,
Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---


---
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps  Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356alloc_id=3438op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users



---
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps  Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356alloc_id=3438op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


RE: [Clamav-users] Password-protected .zip file viruses

2004-03-03 Thread Mitch (WebCob)
But...

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Chris
 Meadors
 Sent: Tuesday, March 02, 2004 11:44 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Clamav-users] Password-protected .zip file viruses


 Paul Boven wrote:

  How about only trying every word in the mail-body as a key to try,
  instead of brute-forcing? The virus(-writer) cannot afford to fudge the
  password in the mail-body: One would hope that the subset of users that
  is clever enough to reconstruct the password, yet stupid enough to use
  that to open it, is small enough to make the virus unviable.

The problem is that the virus could send an HTML message... in an HTML
message, character encodings, fonts with small spaces between, etc. could be
enough to fool software but not a human:

For example (don't take this too literally):

the password is
d<small>&nbsp;</small>o<small>&nbsp;</small>gg<small>&nbsp;</small>y

will look like doggy

m/
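
Added example, not part of the original thread: the illustration above, run through a word splitter that sees the raw markup and through one that parses the HTML first. The function names and the sample body are constructed for illustration.

```python
from html.parser import HTMLParser

NBSP = "\u00a0"


class _TextOnly(HTMLParser):
    """Collect character data and drop every tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # &nbsp; arrives as U+00A0
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def naive_candidates(html_body: str) -> set:
    """Split the raw markup on whitespace, as a simple word grabber would."""
    return set(html_body.split())


def rendered_candidates(html_body: str) -> set:
    """Candidate words taken from the text a mail client would display."""
    parser = _TextOnly()
    parser.feed(html_body)
    parser.close()
    text = "".join(parser.chunks)
    words = set(text.split())                     # NBSP treated as a separator
    words |= set(text.replace(NBSP, "").split())  # NBSP treated as filler
    return words


# Constructed body modelled on the illustration in the message above.
SAMPLE = ("<p>the password is d<small>&nbsp;</small>o"
          "<small>&nbsp;</small>gg<small>&nbsp;</small>y</p>")

if __name__ == "__main__":
    print("raw split finds it:   ", "doggy" in naive_candidates(SAMPLE))
    print("parsed text finds it: ", "doggy" in rendered_candidates(SAMPLE))
```

This covers only the spacing trick shown in the message; it is not a general answer to obfuscated bodies.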





RE: [Clamav-users] Simple patch for dealing with password zip files

2004-03-03 Thread Mitch (WebCob)
Fantastic Michael!

I think that will be a good interim until there is an official method of
dealing with the problem.

Thanks.

m/

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Michael L
 Torrie
 Sent: Wednesday, March 03, 2004 12:38 PM
 To: [EMAIL PROTECTED]
 Subject: [Clamav-users] Simple patch for dealing with password zip files


 I have made a rudimentary patch (clean patch) against clamav 0.67 to
 mark all zip files containing password-protected (and hence unscannable)
 files as a virus type SuspectEncrypted.Zip.  This way I can simply
 quarantine all such passworded zip files, along with normal viruses.  I
 know of no other way for clamav to catch this virus currently.  (In fact
 it didn't even catch one of them using fingerprinters.)





RE: [Clamav-users] password-protected Worm.Bagle.H

2004-03-02 Thread Mitch (WebCob)


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Diego
 d'Ambra
 Sent: Tuesday, March 02, 2004 4:55 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Clamav-users] password-protected Worm.Bagle.H


  -Original Message-
  From: [EMAIL PROTECTED] [mailto:clamav-users-
  [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: 2. marts 2004 13:15
  To: [EMAIL PROTECTED]
  Subject: Re: [Clamav-users] password-protected Worm.Bagle.H
 
  Suggestions?  There are really easy ways for the virus writer to
  circumvent this type of check but until they start utilizing such
  strategies, is it possible to include the zip's crc into ClamAV's
 sigs?
 

 From the (unzipped) samples I've access to they differ in size, so MD5
 or other checksums are useless.

 Best regards,
 Diego d'Ambra

Seeing how quickly this could get out of hand, and how hard it would be to
write code to read the password from the mail - how about a simple option
that allows full rejection of password encrypted archives - or optional
(based on db lookup) but I'm probably hoping too much there...

I run virtual users out of a mysql database - the user emails are in one
field - options controlling mail handling are in others ('Y' / 'N' enums).

Being able to control this would be ideal, but being able to outright reject
them would be an improvement.

Another tack on this might be accomplished through procmail / maildrop if
unzip will report if archived files are in fact password protected... does
anyone know if there is a way to list passworded files besides trying to
extract them?

Just a few thoughts - as always thank you for the excellent tool

m/
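
Added example, not part of the original message or of ClamAV: the question above, whether encrypted members can be listed without extracting them, can be answered from the zip central directory, where bit 0 of each entry's general purpose flag marks it as encrypted. The `reject_unscannable` switch stands in for the per-user 'Y'/'N' option described above; the function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x0001  # general purpose bit flag, bit 0: entry is encrypted


def encrypted_members(data: bytes) -> list:
    """Names of encrypted entries, read from the central directory only."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & ENCRYPTED]


def verdict(data: bytes, reject_unscannable: bool) -> str:
    """Return 'scan', 'reject' or 'pass-unscanned' for one attachment."""
    try:
        locked = encrypted_members(data)
    except zipfile.BadZipFile:
        # A damaged archive cannot be scanned either; treat it the same way.
        locked = ["<unreadable archive>"]
    if not locked:
        return "scan"
    return "reject" if reject_unscannable else "pass-unscanned"


def make_sample(encrypted: bool) -> bytes:
    """Constructed sample: a one-file zip, optionally with the flag bit set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "constructed test data")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Flags sit 8 bytes into the central directory header (PK\x01\x02)
        # and 6 bytes into the local file header (PK\x03\x04).
        for sig, off in ((b"PK\x01\x02", 8), (b"PK\x03\x04", 6)):
            pos = raw.find(sig)
            flags = struct.unpack_from("<H", raw, pos + off)[0] | ENCRYPTED
            struct.pack_into("<H", raw, pos + off, flags)
    return bytes(raw)


if __name__ == "__main__":
    for enc in (False, True):
        sample = make_sample(enc)
        print(encrypted_members(sample), verdict(sample, reject_unscannable=True))
```

No member is decompressed or decrypted here, so the check costs one directory read per attachment and can run before the scanner is invoked.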





RE: [Clamav-users] Password-protected .zip file viruses

2004-03-02 Thread Mitch (WebCob)
My understanding of reliable zip password checking was that you needed two
or more files encoded with the same password in the archive to allow a good
check...

Maybe I'm wrong on that, but still I'd rather a setting that allows me to
reject unscannable attachments. Preferably as mentioned before somehow by
user - if this was a command line argument ignore unscannable archives vs.
reject unscannable archives.

m/

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Jesper
 Juhl
 Sent: Tuesday, March 02, 2004 5:55 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Clamav-users] Password-protected .zip file viruses


 On Tue, 2 Mar 2004, Charlie Watts wrote:

  Clearly the virus DB maintainers are inundated with password-protected
  .zip files with viruses inside.
 
  I think I understand the technical impossibility of making a
 signature for
  these - the .zip header is the same, and then the filenames inside are
  randomized, as is the password, and thus the encrypted body has nothing
  recognizable - so there isn't anything available to make a signature off
  of.
 

 What I'm thinking is; Would it be feasible to add an option to attempt to
 brute-force-crack the passwords on zip files when scanning them?
 Yes, it would slow down scanning immensely, and there's *no* way it should
 ever be a default option, but zip file passwords are /reasonably/ simple to
 crack, so it is doable (although it takes time)...

 I could whip some code together for this if it has any interest at all...


 --
 Jesper Juhl [EMAIL PROTECTED]
 Systems Administrator, Danmarks Idræts-Forbund / The Danish
 Sports Federation
 Please don't top-post
 http://www.catb.org/~esr/jargon/html/T/top-post.html
 Please send plain text emails only
 http://www.expita.com/nomime.html




[Clamav-users] Submission to virusbtn.com and AV-test.org?

2004-02-24 Thread Mitch (WebCob)
I was looking for reviews on virus protection quality as well as response
time...

Helen, the editor of virusbtn.com says as far as she knows, Clam AV has
never been submitted for review.

I asked for details on the process, and ask here if there is any reason NOT
to submit to various reviewers - don't want to step on toes, but I figure
the broader range of support we can get for the project, the faster our
response times will be to detecting virii in the wild etc.

I was given a pdf of a response time article written by Andreas
Marx at AV-test.org, but on a side note, she thinks he was unofficially
stating that Clam AV had only a 56% rate detection of virii in the wild -
I'd say my experience is better, perhaps this is someone to chat with?

Don't want to step on toes, so I thought I'd ask before I kept digging.

Thanks!

m/





[Clamav-users] 2 questions - virus naming convention virus information

2004-02-20 Thread Mitch (WebCob)
1) Does the ClamAV system use a common naming convention? Where does it come
from? By this I mean I think I see other virus detection software using the
same names for things - how is this agreed upon?

2) Is there a Clam source for virus information? I'd like to tie my filter
to a status page that would link users to information on what is currently
hitting us and what it was capable of... When I search individual names on
google I see different databases online listing and describing the virii,
but I don't know which are to be considered authoritative...

Any thoughts?

Thanks and kudos on a most excellent project.

I'm running a custom perlfilter with courier-mta -- if anyone is looking for
something like this, I will share the source. I can't take credit for it,
but the original author didn't sign the source - I had to change it to
update it, and added some logging, works well - simpler than amavis, etc.

Thanks!

m/


