[Clamav-users] clamdscan extremely fast (was: Re: clamscan extremly slow)

2007-06-26 Thread guenther
On Sun, 2007-06-24 at 20:56 -0400, Paul Kosinski wrote:
 When I originally started using clamav, clamscan could handle my low
 (SOHO) volume of email quite well, but recently, it started taking
 over 20 secs to scan a short email,
[...]
 So I decided to try clamdscan, again.

 What an incredible improvement! Instead of 20+ secs to scan, it scans
 normal emails in anywhere from .005 sec to .100 secs. I would guess
 the average speed up is on the order of 1000 to 1!

This is a recurring topic.

clamd/clamdscan does not *scan* faster than clamscan. It just does not
need to read in all the signatures yet again for each and every mail. This
start-up penalty is what you are observing.

Another point worth noting is that this is an issue with 0.90.x only,
which is way slower to start up than previous versions. This will be
fixed in the forthcoming 0.91.x releases (already at RC2).


 My only worry now is that either clamd will crash, or stop listening
 too long when updating. I am using procmail on the tail-end of
 Postfix's virtual delivery and don't see a way to have procmail get
 Postfix to try delivery again later (like it would with SMTP
 delivery), rather than bouncing it back to the sender (not their
 fault).

The typical procmail recipes calling filters won't bounce the message.
If clamd is unavailable, procmail will just go on. The worst thing that
usually could happen is that the mail will be delivered without being
scanned for viruses.

If you seriously can't live with that, there actually *is* a way to make
postfix try delivery again later from a procmail recipe. Google for
EX_TEMPFAIL. Not easy to find though...


 So in the meantime, I flag the mail as possible virus and write
 some nasty messages to log files. (In the script my procmailrc calls
 for scanning, I use netcat to PING clamd to see if it's available.) I
 think I may set up a cron-driven monitor for clamdscan, to restart it
 if it dies. I could also set up a delay and retry loop in my scanner
 script.

Hmm, script? Instead of a home-brew solution, I recommend clamassassin.
Using it myself, and it really makes virus scanning from procmail a
breeze.

clamassassin acts pretty much as SA spam[cd] does. It can be used with
clamd, and it inserts headers you easily can filter on in procmail. A
simple procmail recipe like the one below takes care of virus scanning.
Again, if clamd is down for whatever reason, the worst that can happen
is the mail not being scanned. No failure, no bounce, no lost mail.

:0 fw
* < 1024000
| clamassassin

As for watching and restarting clamd, see the post by Peter. HTH... ;)

  guenther


-- 
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
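The EX_TEMPFAIL route mentioned above, as an added example that is not part of the thread and is not clamassassin: a small clamdscan wrapper for procmail that PINGs clamd first (as the original poster does with netcat), turns clamdscan's exit status into a verdict, and returns 75 (EX_TEMPFAIL from sysexits.h) when clamd is down, so that Postfix defers the mail instead of bouncing it to the sender. The clamd socket path, the install path in the procmailrc comment and the CLEAN/INFECTED/TEMPFAIL verdict words are assumptions made here.

```shell
#!/bin/sh
# scanmail.sh: clamdscan front end for procmail. Added example, not
# clamassassin and not code from the thread above. Assumptions: the clamd
# socket path below, and an OpenBSD-style nc that accepts -U for unix sockets.
#
# Verdict on stdout: CLEAN, INFECTED or TEMPFAIL. Exit status follows
# sysexits.h: 0 clean, 1 infected, 75 (EX_TEMPFAIL) when clamd is unreachable.
# A 75 handed back to Postfix by the local delivery command defers the mail
# for a later retry instead of bouncing it to the (innocent) sender.
#
# .procmailrc glue (install path assumed; procmail feeds the mail to the
# backquoted command on stdin; "EXITCODE=75" followed by a bare "HOST" is the
# procmail idiom for stopping with that exit status; check procmailrc(5)):
#
#   VERDICT=`/usr/local/bin/scanmail.sh --scan`
#   :0
#   * VERDICT ?? ^^TEMPFAIL
#   {
#     EXITCODE=75
#     HOST
#   }
#   :0
#   * VERDICT ?? ^^INFECTED
#   Quarantine

CLAMD_SOCKET="${CLAMD_SOCKET:-/var/run/clamav/clamd.ctl}"   # assumed path
SCANNER="${SCANNER:-clamdscan}"

# PING clamd over its unix socket; succeed only on an exact PONG.
clamd_alive() {
    sock="$1"
    [ -S "$sock" ] || return 1
    reply=$(printf 'PING\n' | nc -U -w 2 "$sock" 2>/dev/null | tr -d '\r\n') || reply=""
    [ "$reply" = "PONG" ]
}

# clamdscan exit status -> verdict. 0 = clean, 1 = infected; anything else
# (2 = error, e.g. "clamd gone away") is a temporary failure, never a pass.
verdict_for_status() {
    case "$1" in
        0) echo CLEAN ;;
        1) echo INFECTED ;;
        *) echo TEMPFAIL ;;
    esac
}

# verdict -> sysexits-style exit status.
exit_for_verdict() {
    case "$1" in
        CLEAN)    return 0 ;;
        INFECTED) return 1 ;;
        *)        return 75 ;;
    esac
}

# Scan the mail on stdin, print the verdict, return the matching exit status.
scan_stdin() {
    if clamd_alive "$CLAMD_SOCKET"; then
        if "$SCANNER" --no-summary - >/dev/null 2>&1; then status=0; else status=$?; fi
        verdict=$(verdict_for_status "$status")
    else
        verdict=TEMPFAIL
    fi
    echo "$verdict"
    exit_for_verdict "$verdict"
}

case "${1:-}" in
    --check) clamd_alive "$CLAMD_SOCKET"; exit $? ;;
    --scan)  scan_stdin; exit $? ;;
esac
```

A scanner error is deliberately mapped to TEMPFAIL rather than CLEAN: delivering unscanned mail is the failure mode the poster wants to avoid, and a deferral costs nothing but a retry.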


Re: [Clamav-users] Virus/Worm not detected

2007-06-26 Thread guenther
 
 I received a word document with an embedded object which was an 
 executable; 
 neither Symantec nor Clam detected anything
  
 is there someway to submit this?

http://clamav.net/  See Submit a file.




Re: [Clamav-users] clamdscan extremely fast

2007-06-26 Thread guenther
On Tue, 2007-06-26 at 08:43 -0700, Dennis Peterson wrote:
 guenther wrote:
  On Sun, 2007-06-24 at 20:56 -0400, Paul Kosinski wrote:
  When I originally started using clamav, clamscan could handle my low
  (SOHO) volume of email quite well, but recently, it started taking
  over 20 secs to scan a short email,
  [...]
  So I decided to try clamdscan, again.
  
  What an incredible improvement! Instead of 20+ secs to scan, it scans
  normal emails in anywhere from .005 sec to .100 secs. I would guess
  the average speed up is on the order of 1000 to 1!
  
  This is a recurring topic.
  
  clamd/clamdscan does not *scan* faster than clamscan. It just does not
  need to read in all the signatures yet again for each and any mail. This
  starting up penalty is what you are observing.
  
 
 This is an incomplete picture. If you are scanning mail as it comes in 
 in real time then clamscan is nearly useless. Starting clamscan 100,000 
 times an hour is far costlier in time to complete a scan per file and 
 load on the system. Calling clamd from a milter that is already running 
 comes nowhere near that impact.
 
 If you are scanning mail after the connection has closed then you can 
 run clamscan and scan whole blocks of files quite efficiently and time 
 is not so important anyway.

True. However, even when batch-processing, the startup penalty still
exists. Not for every single mail, but per chunk...


 The point being, context is an important consideration when comparing 
 the merits of clamscan and clamd.

Exactly. This context is procmail. Which calls filters per mail. So in
this very context, the above is the complete picture, no? ;-)

  guenther




Re: [Clamav-users] Clamassasin clam - very slow

2007-06-15 Thread guenther
On Fri, 2007-06-15 at 11:04 +0100, Nigel Horne wrote:
 [EMAIL PROTECTED] wrote:

  i am using clamav & clamassassin - clamscan is very slow and clamscan uses 
  many resources.
 
 1) Drop clamassassin

With all due respect, that advice doesn't solve anything. clamassassin
serves a purpose that ClamAV doesn't do.

 2) Use clamdscan not clamscan

This one, however, is correct. :)

Use clamd -- if not installed / built yet, do so. Rebuild clamassassin.
Have a look at its README, particularly the --enable-clamdscan option.

  guenther




Re: [Clamav-users] Cannot update clamav-0.90.1.tar.gz on Mandriva 2007

2007-04-26 Thread guenther
On Mon, 2007-04-23 at 22:13 +0100, Stephen Constantinou wrote:

 Thanks for your lengthy reply I appreciate that you went to a lot of 
 effort to explain things to me.  I am sorry to say I understood very 
 little of it.  However, I took the hint and worked on and learnt a bit. 
   I worked on the aspect of permission to enter the database directory 
 and permission to read and write to the log file.  As a user I can scan 
 but I must be root to update the database.

See below on permissions...


 I need to know if this limitation to updating the database is normal and 
 OK for when I install the “clamtk-2.31-1.centos.noarch.rpm” gui front 
 end (I think I have used the right terminology).

Given the owners and permissions you mentioned below, this seems quite
normal to me. The signature database should not be writable by users,
hence a user can't update it. As for ClamTk: never used it.

However, there is no way anyone can help you without knowing details and
what exactly you did.

In your previous mail you told us how you built ClamAV from source,
installing into a custom (user owned) prefix. The files shown below
don't match this. So you installed ClamAV some other way.

Since you are running Mandriva... I believe the default dir for log
files to be /var/log/clamav/ on this distribution. Again, this doesn't
match with what you show below. Also, you installed a CentOS RPM, which
doesn't match your distro.


 However I have a new situation.  During the database update I am told to 
 get the latest version:
 [EMAIL PROTECTED] bin]# ./freshclam
 ClamAV update process started at Mon Apr 23 19:48:41 2007
 SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES
 See the FAQ at http://www.clamav.net/support/faq for an explanation.
 WARNING: Your ClamAV installation is OUTDATED!
 WARNING: Local version: 0.90.1 Recommended version: 0.90.2
 DON'T PANIC! Read http://www.clamav.net/support/faq
 main.cvd is up to date (version: 43, sigs: 104500, f-level: 14, builder: 
 sven)
 daily.inc is up to date (version: 3151, sigs: 6896, f-level: 15, 
 builder: ccordes)
 [EMAIL PROTECTED] bin]#”
 
 I go to the website http://www.clamav.net/support/faq and it is 
 explained that I need the latest version of the scanner to detect the 
 latest virus'.  To do this I am presented with a question about having 
 installed from Packages or Sources.  I do not know the answer to this 
 nor have I managed to find this out.

If you don't know how you installed ClamAV, we sure don't either. See
above for a brief explanation of the various oddities.


 I have no objections to scrapping everything I have done so far in 
 favour of an easier installation method, if there is one.

To do so, you'd need to know how you installed...


Anyway, without repeating all the details from my previous post: Why
aren't you just installing the RPM packages provided (as an update) by
your distro? They come with an init script to automatically update the
signatures, too.


 Here is a summary of the permissions of the relevant files/directories
 Path/File/Direc'               User    Grp     User  Group  Other
 
 /var/log/freshclam.log         Root    Admin   RW-   R--    RW-

This log file definitely should not be world writable.

 /var/lib/clamav/               clamav  clamav  RW-   RW-    R--

Directories need to be executable to cd into them.

 /usr/local/etc/freshclam.conf  Root    Root    RW-   R--    R--
 /usr/local/etc/clamd.conf      Root    Root    RW-   R--    R--

  guenther



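The two permission problems pointed out in this post (a world-writable log file, and a database directory without the execute bit so nobody can enter it) as an added example that is not from the thread: a small audit script that reports both for any list of paths. The paths in the usage comment are assumptions; ownership by a dedicated clamav user is not checked because it depends on how ClamAV was installed.

```shell
#!/bin/sh
# clamav-perms.sh: added example, not from the thread. Flags the two
# permission mistakes discussed above for each path given:
#   - the "other" write bit set (world-writable log or config file)
#   - a directory with no execute bit anywhere, which nobody can cd into
# Usage (paths assumed):
#   sh clamav-perms.sh --audit /var/log/freshclam.log /var/lib/clamav \
#                              /etc/freshclam.conf /etc/clamd.conf

# First ten characters of ls -ld output, e.g. "-rw-rw-rw-" or "drw-rw----".
# Parsed from ls rather than stat(1) because stat's flags differ per platform.
mode_string() { ls -ld "$1" 2>/dev/null | cut -c1-10; }

# Print one finding per line; return 0 if the path is fine, 1 otherwise.
audit_path() {
    p="$1"
    m=$(mode_string "$p")
    bad=0
    if [ -z "$m" ]; then
        echo "$p: missing"
        return 1
    fi
    case "$m" in                       # position 9 = write bit for "other"
        ????????w?) echo "$p: world-writable ($m)"; bad=1 ;;
    esac
    case "$m" in                       # directory, no x for owner/group/other
        d??-??-??-) echo "$p: directory without execute bit, cannot be entered ($m)"; bad=1 ;;
    esac
    return $bad
}

# Audit every path; return 1 if any of them had a finding.
audit_clamav() {
    rc=0
    for p in "$@"; do
        audit_path "$p" || rc=1
    done
    return $rc
}

case "${1:-}" in
    --audit) shift; audit_clamav "$@"; exit $? ;;
esac
```

Run it as the user freshclam and clamd actually run as, not as root: root can enter a directory without the execute bit, so a root-only check hides exactly the problem in the post.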

Re: [Clamav-users] Cannot update clamav-0.90.1.tar.gz on Mandriva 2007

2007-04-14 Thread guenther
On Sat, 2007-04-14 at 16:18 +0100, Stephen Constantinou wrote:

 I tried to follow as many instructions from various sources before I
 made this posting however my lack of knowledge was not improved as I
 found the freshclam.conf(5) manual impossible to understand.  This file
 is not written for a new person.
 
 I removed earlier versions of clam that were installed as a result of a 
 default install on Mandriva 2007.  I did this as I was always upgrading 
 clam and Klam to the same version.  I was not able to get to the bottom 
 of why the updates and upgrades were not staying.

What do you mean by not staying?


Anyway, is there any reason you want / need to install ClamAV for a
single user only? If you want to update ClamAV, I'd either install it
system wide from source, or by rebuilding a src.rpm with an updated
ClamAV release -- if just using the distro provided rpm is not an
option. Personally, I do prefer the src.rpm approach, since it magically
gets a lot of things right without the need to do it myself. Like a
dedicated clamav user and stuff.

Mandriva provides a ClamAV 0.90.1 update. Why don't you just install
(update) that one, instead of removing the already existing system wide
ClamAV and trying to get your own build running for a single user? You
do have update sources configured, don't you? :)

Also, there is a freshclam init script, so you don't need to update the
virus signatures manually.


 I downloaded clamav-0.90.1.tar.gz and configured it etc using the
 instructions found in the tutorial on the web, as follows:
./configure --prefix=/home/stephanos/clamav --disable-clamav
make; make install

Minor nitpicking: This should be 'make && make install'.

 I think I did this as a user but I am not sure.
 
 As far as I know this worked OK.  At the command line I tested the
 scanner (as a user) with the command
 clamscan /home/stephanos/
 It scanned and reminded me I was seven days out of date.  So I set about 
 updating it with the freshclam command.
 
 [EMAIL PROTECTED] bin]$ ./freshclam
 ERROR: Please edit the example config file
 /home/stephanos/clamav/etc/freshclam.conf.
 ERROR: Please edit the example config file
 /home/stephanos/clamav/etc/clamd.conf.
 ERROR: Can't parse the config file /home/stephanos/clamav/etc/clamd.conf
 
 So I tried as root:

Please read the error messages carefully. They do not tell you to try as
root.

 [EMAIL PROTECTED] bin]$ su
 Password:
 [EMAIL PROTECTED] bin]# ./freshclam
 ERROR: Please edit the example config file
 /home/stephanos/clamav/etc/freshclam.conf.
 ERROR: Please edit the example config file
 /home/stephanos/clamav/etc/clamd.conf.
 ERROR: Can't parse the config file /home/stephanos/clamav/etc/clamd.conf
 [EMAIL PROTECTED] bin]#
 Same problem that I had to fiddle with config files.

Yup, exactly. Edit the config files...

 Here is some other information that might be relevant:
 1)  The permissions of file:
  /home/stephanos/clamav/etc/freshclam.conf are:
  owner-stephanos, rw-r--r--.
 2)  As root, using Kate, I made file /var/log/freshclam.log as it was
  not present.  The permissions of this file are: owner-root,
  rw-r--r--.
 3)  Is this log file in the right place as there is a directory
  /var/log/clamav
 4)
 I did   try to read the freshclam.conf(5) manual before editing this
 file.  But I did not understand a word of it sorry,
 
 After these small changes to freshclam.conf I tried to update again but 
 got the same messages.

Do read the config files. They contain pretty good comments about the
various settings.

 Any help appreciated
 
 Stephen
 
 Contents of /home/stephanos/clamav/etc/freshclam.conf after I have 
 edited it
 ##
 ## Example config file for freshclam
 ## Please read the freshclam.conf(5) manual before editing this file.
 ##
 # Comment or remove the line below.
 Example

Sic! Let's start here...


 # Path to the database directory.
 # WARNING: It must match clamd.conf's directive!
 # Default: hardcoded (depends on installation options)
 DatabaseDirectory /var/lib/clamav

Since you installed ClamAV inside your $HOME and it is running as the
calling user (I guess, I never disabled clamav user/group testing), you
most likely will have to adjust all these paths, since you won't be able
to use the system ones.

[ lots of conf file dump snipped ]

  guenther




Re: [Clamav-users] slow scanning on the .9 version

2007-04-13 Thread guenther
On Fri, 2007-04-13 at 15:35 +0200, Walter Bürger wrote:

 # time clamscan (in an empty directory)
 --- SCAN SUMMARY ---
 Known viruses: 108369
 Engine version: 0.90.1
 Scanned directories: 1
 Scanned files: 0
 Infected files: 0
 Data scanned: 0.00 MB
 Time: 18.512 sec (0 m 18 s)
 clamscan 17.26s user 0.69s system 96% cpu 18.652 total
 
 This makes clamscan almost unusable.

You want to use clamd/clamdscan instead of calling clamscan all the
time. Just as Anton already pointed out in this thread, loading the
virus signatures takes a lot of time.

$ clamscan | egrep -i '(scanned|time)'
Scanned directories: 1
Scanned files: 0
Data scanned: 0.00 MB
Time: 10.460 sec (0 m 10 s)

$ clamdscan | egrep -i '(scanned|time)'
Time: 0.001 sec (0 m 0 s)

  guenther




Re: [Clamav-users] Re: pdf zip module failure

2007-02-28 Thread guenther
On Tue, 2007-02-27 at 22:15 -0500, Frank DeChellis wrote:
 I am using clamav 0.90 and exim 4.66.  Where can I disable the scanning of
 PDF files?  

Please resist the urge to top post.


 On 2/24/07 1:47 PM, Robert Allerstorfer [EMAIL PROTECTED] wrote:
  On Sun, 18 Feb 2007, 19:42 GMT+01 Robert Allerstorfer wrote:
  On Sat, 17 Feb 2007, 15:17 GMT+10 Bill Maidment wrote:
  
  How do you switch off pdf scanning, so I can get the the pdf in.
  
  Unfortunately, there seems to be no way to disable PDF scanning in
  ClamAV 0.90. I am currently using this workaround:
  
  clamscan --exclude=.+\.pdf$
  
  With the next ClamAV release (0.90.1?), this will be possible using
  
  clamscan --no-pdf

You did read the mail you replied to, didn't you?

  guenther




Re: [Clamav-users] Problems with version 0.90 amd webmin

2007-02-20 Thread guenther
On Tue, 2007-02-20 at 11:09 +0100, smc-oper wrote:

 I need help about clamav and webmin.We made the update to version
 090.rc2.Now we have the problem when we want to use webmin.

Why are you using an old release candidate? You should update to the
officially released version 0.90 instead.


 We get the message Bitte geben Sie im Konfigurationsmodul den Ort der
 zweiten Unterschriftsdatenbank an (das sollte daily.cvd sein)
 [in English: Please specify the location of the second signature database
 in the configuration module (that should be daily.cvd)]
 
 Because we only have now an daily.inc, not an daily.cvd.
 
 What can we do now?

Note: I never used webmin for ClamAV. Also, I did not have my coffee
yet. ;)

Such issues happen rather frequently. That is, every time the software
changes some behavior or configuration settings (as in this case). The
ClamAV configuration changed, and the webmin module will be out-of-date
and most likely dysfunctional until they have caught up and support the
0.90 configuration style.

You will need an updated webmin to use it with ClamAV 0.90.


Btw, that translated (German) webmin warning sounds pretty poor. Indeed,
'signature' can be translated as 'Unterschrift' (as in your handwritten
name), but the translation 'Signatur' would make so much more sense...
Maybe someone wants to tell the webmin team?

  guenther




Re: [Clamav-users] which scans mail

2005-06-17 Thread guenther

 I notice that in my /usr/sbin folder there are 3 clam related files.
 
 1..clamav-milter
 2..clamd
 3..clamsmtpd
 
 I am trying to create a filter for evolution to scan for viruses.  I was
 able to create a filter for spam by pointing to spamc.  I presume it is
 either one or two above.  But which one does the work?

Neither of them. They are not intended to be run by a user anyway.

Have a look at the ClamAV related executables in your /bin directory.
Oh, and *please* have a look at the documentation...

'clamscan' can scan data streams, which is necessary in your case.
Unfortunately, AFAIK there is no client provided for the 'clamd' daemon
that takes data streams -- which would speed up scanning.

A Filter condition like this works for your purpose:

  Pipe to Program  "/bin/clamscan --quiet -"  returns  "1"

The dash is necessary to use it on data streams; the --quiet option
prevents scanning reports on STDOUT. See 'man clamscan' for more
details.


A warning about Evolution Filters and STDOUT:

Although a quick test even without --quiet just did work for me, I
vaguely remember a bug at some time, that output on STDOUT may rewrite
the mail. Did not do this for me. You should test this anyway, before
running this on valuable mails...


A related note: Evolution 2.2.x comes with SA integration. That is,
there is a convenient option to use SA to filter for SPAM. It uses
spamc/spamd if available, and there are buttons to train Bayes by
explicitly learning mails. There even is a Junk Test Filter. No need
at all to create a filter for this purpose on your own...

...guenther




OT: gnupg (was: Re: [Clamav-users] clamav.net email addresses)

2005-06-06 Thread guenther

 What sort of gpg key is that.  All the others there are plain text, but
 yours seems to be binary.  I'm not an expert on gpg, so perhaps I am
 missing something regarding the difference.  I'm just trying to add it
 to Evolution.  Thx.

Sorry to step into this, but as I'm an Evolution support guy... ;)

This has got nothing to do with Evolution. In fact, there is no GnuPG key
management in Evolution, it's just using gnupg. What you're after simply
is importing a key into your gnupg keyring. Apart from what Tomasz
already said, you'll maybe find these settings useful: [1]

$ grep ^keyserver .gnupg/options
keyserver blackhole.pca.dfn.de
keyserver-options auto-key-retrieve

The first line may vary, as it's simply the keyserver to use. The second
line roughly means: automatically do what Tomasz said about verifying
keys not yet retrieved. :)

Of course, this does not add a trust -- it just retrieves the key to
validate the signature at least. Whether you trust that signature or not
is an entirely different story.

...guenther


[1] Using my old style configuration file; only used when gpg.conf is
not found.



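The last point of that post, that retrieving a key lets gpg validate the signature but says nothing about whether the key is trusted, as an added example that is not from the thread: gpg reports the two facts on separate --status-fd lines (GOODSIG/BADSIG/ERRSIG versus TRUST_*), and this classifier keeps them apart instead of reading "gpg exited 0" as "fine". The status lines used in the test are constructed; the keyword names are gpg's own.

```shell
#!/bin/sh
# gpg-sigstatus.sh: added example, not from the thread. With
# "keyserver-options auto-key-retrieve" gpg fetches a missing key so that a
# signature can be checked, but validity and trust are separate facts that
# gpg reports on separate --status-fd lines. This script keeps them apart.

# Read gpg --status-fd lines on stdin and print exactly one classification:
#   good-trusted    GOODSIG and TRUST_FULLY or TRUST_ULTIMATE
#   good-untrusted  GOODSIG but TRUST_UNDEFINED, TRUST_MARGINAL or TRUST_NEVER
#   bad             BADSIG (the data does not match the signature)
#   unverifiable    ERRSIG / NO_PUBKEY, or no signature status at all
# TRUST_MARGINAL is deliberately counted as untrusted; relax that if your
# web of trust policy accepts marginal keys.
classify_status() {
    sig=none
    trust=none
    while IFS= read -r line; do
        case "$line" in
            '[GNUPG:] GOODSIG '*) sig=good ;;
            '[GNUPG:] BADSIG '*)  sig=bad ;;
            '[GNUPG:] ERRSIG '*|'[GNUPG:] NO_PUBKEY '*) sig=err ;;
            '[GNUPG:] TRUST_FULLY'*|'[GNUPG:] TRUST_ULTIMATE'*) trust=full ;;
            '[GNUPG:] TRUST_UNDEFINED'*|'[GNUPG:] TRUST_MARGINAL'*|'[GNUPG:] TRUST_NEVER'*) trust=low ;;
        esac
    done
    case "$sig:$trust" in
        good:full) echo good-trusted ;;
        good:*)    echo good-untrusted ;;
        bad:*)     echo bad ;;
        *)         echo unverifiable ;;
    esac
}

# Verify a signed file (or "detached.sig file") and print the classification.
# Usage: sh gpg-sigstatus.sh --verify FILE [SIGNED-DATA]
verify_and_classify() {
    gpg --batch --status-fd 1 --verify "$@" 2>/dev/null | classify_status
}

case "${1:-}" in
    --verify) shift; verify_and_classify "$@"; exit 0 ;;
esac
```

The useful outcome for a mailer or a download check is to treat only good-trusted as a pass; good-untrusted proves the data was signed by some key, which, after an automatic keyserver fetch, is all auto-key-retrieve can tell you.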

Re: [Clamav-users] Resolve problem with Mod_clamav about files ziped or compressed many time

2005-06-06 Thread guenther

 The problem was with the fact that I had installed clamav from RPM source. I
 had downloaded the source rpm, and rebuild it for Redhat AS.
[...]

 After many hours of debugging and no more clue, I have decided to remove the
 RPM and install clamav from source. Thank to the magic everything work
 properly now. Mod_clamav can now detect archived or zipped file that contain
 other zipped or archived virus.

So this seems like either a packager's issue or a local issue when
rebuilding on a different system.

In the first case, please report it to the packager. In the latter,
well... You're using a source package that likely doesn't fit your
environment.


 I think that my post will help some people, because many people use RPM to
 install clamav, they will have the same problem, if one day they decide to
 use mod_clamav.

If the same occurs with the unaltered and not rebuilt RPM packages, it
sure is a packager's issue -- as it works when using the same version
from source.

...guenther




Re: OT: gnupg (was: Re: [Clamav-users] clamav.net email addresses)

2005-06-06 Thread guenther
On Mon, 2005-06-06 at 20:21 -0400, Jim Popovitch wrote:
 On Tue, 2005-06-07 at 01:59 +0200, guenther wrote:
   What sort of gpg key is that.  All the others there are plain text, but
   yours seems to be binary.  I'm not an expert on gpg, so perhaps I am
   missing something regarding the difference.  I'm just trying to add it
   to Evolution.  Thx.
  
  Sorry to step into this, but as I'm an Evolution support guy... ;)
 
 This is good to know... Whenever I double-click on an attachment in
 Evolution 2.4.0 I get a strange mouse icon that looks like a turtle 
^

You're ahead of time, dude. 2.3.2 is the current unstable development
branch. And your Mailer: header states 2.0.4 anyway... ;-)

btw, this is a GNOME issue, not Evolution related. ;)


 oh never mind.  ;-) 
 
  This got nothing to do with Evolution. In fact, there is no GnuPG key
  management in Evolution, it's just using gnupg. What you're after simply
  is importing a key into your gnupg keyring. Apart from what Tomasz
  already said, you'll maybe find this settings usefull: [1]
  
  $ grep ^keyserver .gnupg/options
 
 grep: .gnupg/options: No such file or directory
 
 Well, that may be the issue then.  Thanks for pointing this out.

As you can see from your own reply and my footnote [1], the old-style
options file is used ONLY when gpg.conf is missing -- which it clearly is
not for you. ;)


 -Jim P. (came to learn about ClamAV, learned about Evo and GnuPG too!)
 
  keyserver blackhole.pca.dfn.de
  keyserver-options auto-key-retrieve
  
  The first line may vary, as it's simply the keyserver to use. The second
  line means about do automatically, what Tomasz said on verifying keys
  not yet retrieved. :)
  
  Of course, this does not add a trust -- it just retrieves the key to
  validate the signature at least. Whether you trust that signature or not
  is an entirely different story.
  
  ...guenther
  
  
  [1] Using my old  style configuration file; only used when gpg.conf is
  not found.
  

...guenther  (who seriously needs some sleep)




Re: [Clamav-users] Re: Virus naming conventions?

2005-05-27 Thread guenther
On Thu, 2005-05-26 at 17:07 -0500, Ren Berber wrote:
  So, in conclusion: Are my assumptions correct, that this partially is
  due to old names? Is there at least a consensus on the classified naming
  amongst AV vendors (as mentioned above)? And are dots and dashes treated
  equally these days?
 
 I'm not an expert, but it seems to me that the section What is the naming
 convention for viruses? does answer your question about consensus and goes
 further to address why some names are different (made by different people at
 different times).  The different syntaxes you noted are the result of that.

Well, it's not exactly what I'm after -- but I agree, that it might be
the answer to my question anyway.


 Perhaps your question is more general, not only the clamav database, but 
 about a
 taxonomy for viruses.

Kind of, yes.


 The way I see it, when a new virus is found, the
 developers or database maintainers try to get the detection strings ASAP and
 would not like to lose time looking up rules for naming, which is a very
 different situation from say a biologist classifying a live virus.  I think a
 taxonomy would not be welcomed and we can expect all kinds of names (dots,
 dashes, spaces, upper- lower-case, slashes, etc. don't have a meaning).

Agreed and understood. :)


Thanks for the response...

...guenther




[Clamav-users] Reporting Phishing Mails?

2005-05-26 Thread guenther
Hey folks,

About a week ago I installed ClamAV on my local machine and it is doing
a great job so far, catching Virii and even Phishing Mails. Database
updated:
 ClamAV 0.85.1/894/Wed May 25 14:53:16 2005 signatures 31.894

However, within the last 12 hours I got 9 Phishing Mails (obviously
basically the same one) slipping through. As ClamAV detects Phishing
Mails as well, I wonder if I should report them to the ClamAV Virus
Database -- although strictly it isn't a Virus.

So, should I go on and report one or two samples?


Keep up the great work. :)

...guenther




Re: [Clamav-users] Virus naming conventions?

2005-05-26 Thread guenther

 I just started using ClamAV and it is performing great so far. :)
 
 As I prefer to call ClamAV from procmail (actually, I used YAVR before,
 a procmail only based virus signature scanner) my current setup is
 procmail / clamassassin / clamdscan.
 
 
 Rather than dumping all Virii to a single location, I want to collect
 them in different mailboxes based on the virus family not counting the
 incarnation. For example all Worm.Sober.XYZ virii should be dropped to a
 Worm.Sober named mailbox. (clamassassin adds X-Virus-Report headers,
 reporting the exact virus name)
 
 I know how to do this sorting and evaluation of the ClamAV reported
 virus name with procmail -- however, I'm having a hard time
 understanding the naming conventions correctly and thus figuring out the
 procmail RE magic...
 
 Let's take Sober as an example again: There is the original version
 'Worm.Sober' as well as later incarnations like 'Worm.Sober.B'. But then
 there is 'Worm.Sober.mime.2' too, which adds another dot...
 
 
 Are there any docs describing the naming conventions? Maybe someone else
 did before what I'm trying to achieve? Any pointers or hints?
 
 (Sure, I read a lot of docs and searched for this, but I don't seem to
 be able to find anything.)

Anyone?

Does the absence of any replies mean, there is no real naming convention
and it is kind of random? ;-)

...guenther



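The per-family sorting described in that post (and taken up again in the "Virus naming conventions?" replies further down), as an added example that is not from the thread: derive a mailbox name from the X-Virus-Report header clamassassin adds. The header layout and the rule "family = the first two dot-separated components of the name" are assumptions made here, since no naming convention is documented on this page; the heuristic files Worm.Sober, Worm.Sober.B and Worm.Sober.mime.2 together under Worm.Sober, and will mis-file names that use a different depth.

```shell
#!/bin/sh
# virus-family.sh: added example, not from the thread. Maps a virus name
# reported in X-Virus-Report to a mailbox name for a procmail recipe.
# Assumed header form (constructed): "X-Virus-Report: Worm.Sober.B FOUND".
#
# .procmailrc glue (install path assumed; formail -zx yields the bare value):
#   :0
#   * ^X-Virus-Report:
#   {
#     MBOX=`formail -zxX-Virus-Report: | /usr/local/bin/virus-family.sh --mailbox`
#     :0:
#     Virus.$MBOX
#   }

# Bare virus name from either a full header line or just its value:
# strip an optional "X-Virus-Report:" prefix, then everything after the
# first whitespace (the " FOUND" tail).
virus_name_from_header() {
    printf '%s\n' "$1" | sed 's/^X-Virus-Report:[[:space:]]*//; s/[[:space:]].*//'
}

# Heuristic family: first two dot-separated components, or the whole name
# if it has only one. Worm.Sober.mime.2 -> Worm.Sober, Trojan -> Trojan.
virus_family() {
    printf '%s\n' "$1" | awk -F. '{ fam = $1; if (NF >= 2) fam = $1 "." $2; print fam }'
}

# Mailbox name safe for maildir/mbox paths: keep [A-Za-z0-9._-], replace the
# rest with "_" so a name containing "/" cannot escape the mail directory.
mailbox_for() {
    fam=$(virus_family "$(virus_name_from_header "$1")")
    [ -n "$fam" ] || { echo Unknown; return 0; }
    printf '%s\n' "$fam" | tr -c 'A-Za-z0-9._\n-' '_'
}

case "${1:-}" in
    --mailbox) IFS= read -r hdr || hdr=""; mailbox_for "$hdr"; exit 0 ;;
esac
```

The sanitising step matters more than the heuristic: the name in the header comes from the signature database, not from the sender, but it still ends up as part of a filesystem path, so anything outside a small character set is replaced before it gets there.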

Re: [Clamav-users] Reporting Phishing Mails?

2005-05-26 Thread guenther
On Thu, 2005-05-26 at 10:42 -0500, Damian Menscher wrote:
 On Thu, 26 May 2005, guenther wrote:
 
  However, within the last 12 hours I got 9 Phishing Mails (obviously
  basically the same one) slipping through.
 
  So, should I go on and report one or two samples?
 
 Yes, to the SpamAssassin team.

Actually, I don't think so.

SpamAssassin is designed to catch SPAM, not malware or phishing mails.
The fact it triggers on most phishing mails is pretty much a
coincidence, as there are no special tests for this. Besides, they don't
want my SPAM anyway. ;) [1]

Whereas ClamAV explicitly identifies more than 1000 phishing mails and
HTML exploits.

So ClamAV obviously is meant to trigger on phishing mails, but you don't
want new ones to be reported?

...guenther


[1] http://wiki.apache.org/spamassassin/DoYouWantMySpam




Re: [Clamav-users] Reporting Phishing Mails?

2005-05-26 Thread guenther
On Thu, 2005-05-26 at 18:43 +0200, aCaB wrote:
 Yes, please submit your phishing samples using the link on clamav homepage.

Done, with the Received: and To: headers removed. Hope that's ok.

Thanks aCaB for your response. As I mentioned, I'm fairly new to ClamAV,
and I think I should ask if in doubt, rather than doing something
dumb. ;)  I like to contribute, and I try to respect the rules and
procedure of every project.

...guenther




Re: [Clamav-users] Reporting Phishing Mails?

2005-05-26 Thread guenther
On Thu, 2005-05-26 at 12:08 -0500, Daniel J McDonald wrote:
> Damian - give it up.  The clamav team has already agreed to filter those
> out for you in version 0.90.  A good portion of the rest of us do want
> clamav to catch these.

Thanks for the details Daniel, now I see. Bad me asked about the wrong
topic. ;-)


> So, go ahead and submit phishes using the standard web interface for
> viral patterns.  Include the full rfc-822 source message - nothing
> pre-rendered by outlook

Sure, I wouldn't even think about anything else than RFC [2]822
messages. I'm fairly new to ClamAV, but I'm used to dealing with mails
and fighting SPAM.

Besides, Outlook... Eh, we're using the same MUA. And even the same
distro. ;)

...guenther




Re: [Clamav-users] Re: Virus naming conventions?

2005-05-26 Thread guenther
On Thu, 2005-05-26 at 13:59 -0500, René Berber wrote:

> > Does the absence of any replies mean, there is no real naming convention
> > and it is kind of random? ;-)
>
> Have you seen?
>   http://clamav.net/cvdinfo.html#pagestart

Yes, I read that page before posting to the list. Unfortunately it
doesn't cover what I'm trying to grasp. Maybe I didn't explain myself
properly, so let me try again. :)


The page mentioned above is about different names for the same threat by
different AV vendors -- like SomeFool vs. Netsky.B. I'm totally aware of
that.

What I'm after is the naming convention of any particular threat. Most
names seem to be broken in 2 or 3 parts (at least), separated by dots.
Something along the lines of a) class of the threat like Adware and
Worm, b) the actual name and c) a version or incarnation ID (left out
for the first incarnation).

This seems to be true for most of the current threats.

Anyway, there are a lot of sigs in the database that don't follow this
convention:
* Some of them do not have the class of the threat preceding, like
  'Agiplan.A'. Embedded spaces and mixing between '.' and '-' seems to
  be used too, like in 'Amazon Queen-500' and 'AmazonQueen.500.B'.
* Sometimes there are a lot of minor differences for the same
  incarnation, leading to different sigs and thus names -- again mixing
  dots and dashes. See Worm.Sober.I for some examples...
  $ ./sigtool --list-sigs | grep ^Worm.Sober.I | sort

The first issue likely may be a result of old threats, back those days
when the AV vendors didn't use a classification like these days. I
honestly don't know, cause I didn't even hear about most of 'em.

The second issue may even break automatic sorting of the worms.


So, in conclusion: Are my assumptions correct, that this partially is
due to old names? Is there at least a consensus on the classified naming
amongst AV vendors (as mentioned above)? And are dots and dashes treated
equally these days?

Or am I totally off the track?


Hope that makes more sense...

...guenther


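A small parser for the class / name / variant pattern guenther describes above, treating dots and dashes as the same separator and showing how the mixed separators he points out reorder a plain lexical sort. This is an added example, not code from the post or from ClamAV; the class list and the sample names are constructed (several taken from the post, the two Sober.I sub-variants made up).

```python
import re
from typing import NamedTuple, Optional

# Assumption: a small set of threat classes drawn from the post ("Adware", "Worm");
# a real parser would take the full class list from the ClamAV database.
KNOWN_CLASSES = {"Adware", "Worm", "Trojan"}

# Constructed sample list: the names quoted in the post plus two made-up
# Sober.I sub-variants (one with a dot, one with a dash) to show the sort problem.
SAMPLE_NAMES = [
    "Worm.Sober.I-2", "Amazon Queen-500", "Worm.Sober.I",
    "Agiplan.A", "AmazonQueen.500.B", "Worm.Sober.I.1",
]

class SigName(NamedTuple):
    threat_class: Optional[str]   # e.g. "Worm", or None for old unclassified names
    family: str                   # the actual name, e.g. "Sober"
    variant: Optional[str]        # incarnation ID, dot-joined, e.g. "I.2"

def parse_sig_name(name: str) -> SigName:
    """Split a signature name into class / family / variant.

    Dots and dashes are treated as the same separator and embedded spaces are
    dropped, so 'Amazon Queen-500' and 'AmazonQueen.500.B' share a family.
    """
    parts = [p for p in re.split(r"[.\-]", name.replace(" ", "")) if p]
    threat_class = None
    if len(parts) > 1 and parts[0] in KNOWN_CLASSES:
        threat_class = parts.pop(0)
    family = parts.pop(0)
    variant = ".".join(parts) if parts else None
    return SigName(threat_class, family, variant)

def sort_key(name: str):
    """Order by family, then by variant parts (numeric parts compared as numbers)."""
    sig = parse_sig_name(name)
    var_parts = sig.variant.split(".") if sig.variant else []
    typed = tuple((0, int(p)) if p.isdigit() else (1, p.lower()) for p in var_parts)
    return (sig.family.lower(), typed, sig.threat_class or "")

def sort_names(names, normalized=True):
    """Plain lexical order (what `sort` gives you) versus the normalized order."""
    return sorted(names, key=sort_key) if normalized else sorted(names)

if __name__ == "__main__":
    for n in sort_names(SAMPLE_NAMES):
        print(n, parse_sig_name(n))
```

In the lexical order "Worm.Sober.I-2" sorts before "Worm.Sober.I.1" only because '-' precedes '.' in ASCII; the normalized key puts I.1 before I.2 and groups both AmazonQueen spellings together.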


Re: [Clamav-users] Virus naming conventions?

2005-05-21 Thread guenther

> On a related note: I am using clamassassin [1], but shortly after I
> installed it the website and mailing list seems to be down. Does anyone
> know anything about it?

FYI only, up and working again.

...guenther

