[Clamav-users] clamdscan extremely fast (was: Re: clamscan extremly slow)
On Sun, 2007-06-24 at 20:56 -0400, Paul Kosinski wrote:
> When I originally started using clamav, clamscan could handle my low
> (SOHO) volume of email quite well, but recently, it started taking over
> 20 secs to scan a short email, [...]
>
> So I decided to try clamdscan, again. What an incredible improvement!
> Instead of 20+ secs to scan, it scans normal emails in anywhere from
> .005 sec to .100 secs. I would guess the average speed up is on the
> order of 1000 to 1!

This is a recurring topic. clamd/clamdscan does not *scan* faster than clamscan. It just does not need to read in all the signatures yet again for each and any mail. This starting up penalty is what you are observing.

Another point worth noting is, that this is an issue with 0.90.x only, which is way slower starting up than previous versions. This will be fixed in the forthcoming 0.91.x releases (already at RC2).

> My only worry now is that either clamd will crash, or stop listening too
> long when updating. I am using procmail on the tail-end of Postfix's
> virtual delivery and don't see a way to have procmail get Postfix to try
> delivery again later (like it would with SMTP delivery), rather than
> bouncing it back to the sender (not their fault).

The typical procmail recipes calling filters won't bounce the message. If clamd is unavailable, procmail will just go on. The worst thing that usually could happen is, that the mail will be delivered without being scanned for viruses.

If you seriously can't live with that, there actually *is* a way to make postfix try delivery again later as a procmail recipe. Google for EX_TEMPFAIL. Not easy to find though...

> So in the meantime, I flag the mail as possible virus and write some
> nasty messages to log files. (In the script my procmailrc calls for
> scanning, I use netcat to PING clamd to see if it's available.)
>
> I think I may set up a cron-driven monitor for clamdscan, to restart it
> if it dies. I could also set up a delay and retry loop in my scanner
> script.

Hmm, script?

Instead of a home-brew solution, I recommend clamassassin. Using it myself, and it really makes virus scanning from procmail a breeze. clamassassin acts pretty much as SA spam[cd] does. It can be used with clamd, and it inserts headers you easily can filter on in procmail.

A simple procmail recipe like the one below takes care of virus scanning. Again, if clamd is down for whatever reason, the worst that can happen is the mail not being scanned. No failure, no bounce, no lost mail.

:0 fw
* < 1024000
| clamassassin

As for watching and restarting clamd, see the post by Peter.

HTH... ;)
guenther

-- 
char *t=[EMAIL PROTECTED]; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
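For readers who do want the home-brew route Paul describes (PING clamd first, then decide what to do when it is down), here is an added example wrapper, not code from the thread or from clamassassin. It assumes clamd listens on a TCP socket, that nc and clamdscan are on PATH, and it lets you choose between clamassassin's fail-open behaviour and the EX_TEMPFAIL (75) exit guenther mentions, which makes Postfix defer and retry instead of bouncing.

```shell
#!/bin/sh
# Added example: procmail scanner wrapper with a clamd availability check.
# Not part of the original posts. Assumptions: clamd on a TCP socket,
# nc(1) and clamdscan(1) available. Run as: scan-mail.sh --filter

CLAMD_HOST="${CLAMD_HOST:-127.0.0.1}"
CLAMD_PORT="${CLAMD_PORT:-3310}"
ON_DOWN="${ON_DOWN:-passthrough}"   # passthrough (fail open) | tempfail
EX_TEMPFAIL=75                      # sysexits.h value; the MTA requeues on it

# clamd answers a "PING" command with "PONG"; anything else means it is down.
clamd_ping() {
    printf 'PING\n' | nc -w 3 "$CLAMD_HOST" "$CLAMD_PORT" 2>/dev/null \
        | grep -q '^PONG'
}

# clamdscan exit codes: 0 clean, 1 infected, 2 error (clamd gone mid-scan).
scan_file() {
    clamdscan --quiet --no-summary "$1" >/dev/null 2>&1
    echo $?
}

# Pure decision logic, testable without a running clamd.
# Args: ping result (0 = alive), scan result (0/1/2).
# Prints "<exit code>:<header line to prepend>".
decide() {
    ping_rc=$1; scan_rc=$2
    if [ "$ping_rc" -ne 0 ] || [ "$scan_rc" -eq 2 ]; then
        if [ "$ON_DOWN" = "tempfail" ]; then
            # Defer: procmail sees 75, and with EXITCODE propagated the MTA retries.
            echo "$EX_TEMPFAIL:X-Virus-Scanned: deferred, clamd unavailable"
        else
            # Fail open, as clamassassin does, but say so in a header.
            echo "0:X-Virus-Scanned: NOT scanned, clamd unavailable"
        fi
    elif [ "$scan_rc" -eq 1 ]; then
        echo "0:X-Virus-Status: Infected"
    else
        echo "0:X-Virus-Status: Clean"
    fi
}

# Filter mode: read the mail on stdin, write header + mail on stdout.
main() {
    tmp=$(mktemp) || exit "$EX_TEMPFAIL"
    trap 'rm -f "$tmp"' EXIT
    cat > "$tmp"
    if clamd_ping; then ping_rc=0; else ping_rc=1; fi
    scan_rc=2
    if [ "$ping_rc" -eq 0 ]; then scan_rc=$(scan_file "$tmp"); fi
    result=$(decide "$ping_rc" "$scan_rc")
    code=${result%%:*}
    header=${result#*:}
    if [ "$code" -eq 0 ]; then
        printf '%s\n' "$header"
        cat "$tmp"
    fi
    exit "$code"
}

# Suggested procmail recipe (assumed idiom, adjust the path):
#   :0 fw
#   | /usr/local/bin/scan-mail.sh --filter
#   :0 e
#   { EXITCODE=75 HOST=defer.invalid }
# The ':0 e' recipe runs when the filter failed (exit 75) and sets
# procmail's own exit code to 75, so the MTA defers delivery.

if [ "${1:-}" = "--filter" ]; then main; fi
```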
Re: [Clamav-users] Virus/Worm not detected
> I received a word document with an embedded object which was an
> executable, Symantec nor Clam detected anything is there someway to
> submit this?

http://clamav.net/
See "Submit a file".

guenther
Re: [Clamav-users] clamdscan extremely fast
On Tue, 2007-06-26 at 08:43 -0700, Dennis Peterson wrote:
> guenther wrote:
> > On Sun, 2007-06-24 at 20:56 -0400, Paul Kosinski wrote:
> > > When I originally started using clamav, clamscan could handle my low
> > > (SOHO) volume of email quite well, but recently, it started taking
> > > over 20 secs to scan a short email, [...]
> > >
> > > So I decided to try clamdscan, again. What an incredible improvement!
> > > Instead of 20+ secs to scan, it scans normal emails in anywhere from
> > > .005 sec to .100 secs. I would guess the average speed up is on the
> > > order of 1000 to 1!
> >
> > This is a recurring topic. clamd/clamdscan does not *scan* faster than
> > clamscan. It just does not need to read in all the signatures yet again
> > for each and any mail. This starting up penalty is what you are
> > observing.
>
> This is an incomplete picture. If you are scanning mail as it comes in
> in real time then clamscan is nearly useless. Starting clamscan 100,000
> times an hour is far costlier in time to complete a scan per file and
> load on the system. Calling clamd from a milter that is already running
> comes nowhere near that impact. If you are scanning mail after the
> connection has closed then you can run clamscan and scan whole blocks of
> files quite efficiently and time is not so important anyway.

True. However, even when batch-processing, the startup penalty still exists. Not for every single mail, but per chunk...

> The point being, context is an important consideration when comparing
> the merits of clamscan and clamd.

Exactly. This context is procmail. Which calls filters per mail. So in this very context, the above is the complete picture, no? ;-)

guenther
Re: [Clamav-users] Clamassasin clam - very slow
On Fri, 2007-06-15 at 11:04 +0100, Nigel Horne wrote:
> [EMAIL PROTECTED] wrote:
> > i am using clamav clamassassin - clamscan is very slow and clamscan
> > uses many resources.
>
> 1) Drop clamassassin

With all due respect, that advice doesn't solve anything. clamassassin serves a purpose that ClamAV doesn't do.

> 2) Use clamdscan not clamscan

This one, however, is correct. :)

Use clamd -- if not installed / built yet, do so. Rebuild clamassassin. Have a look at its README, particularly the --enable-clamdscan option.

guenther
Re: [Clamav-users] Cannot update clamav-0.90.1.tar.gz on Mandriva 2007
On Mon, 2007-04-23 at 22:13 +0100, Stephen Constantinou wrote:
> Thanks for your lengthy reply I appreciate that you went to a lot of
> effort to explain things to me. I am sorry to say I understood very
> little of it. However, I took the hint and worked on and learnt a bit.
>
> I worked on the aspect of permission to enter the database directory and
> permission to read and write to the log file. As a user I can scan but I
> must be root to update the database. See below on permissions...
>
> I need to know if this limitation to updating the database is normal and
> OK for when I install the "clamtk-2.31-1.centos.noarch.rpm" gui front
> end (I think I have used the right terminology).

Given the owners and permissions you mentioned below, this seems quite normal to me. The signature database should not be writable by users, hence a user can't update it.

As for ClamTk: never used it.

However, there is no way anyone can help you without knowing details and what exactly you did. In your previous mail you told us how you built ClamAV from source, installing into a custom (user owned) prefix. The files shown below don't match this. So you installed ClamAV some other way.

Since you are running Mandriva... I believe the default dir for log files to be /var/log/clamav/ on this distribution. Again, this doesn't match with what you show below.

Also, you installed a CentOS RPM, which doesn't match your distro.

> However I have a new situation. During the database update I am told to
> get the latest version:
>
> [EMAIL PROTECTED] bin]# ./freshclam
> ClamAV update process started at Mon Apr 23 19:48:41 2007
> SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES
> See the FAQ at http://www.clamav.net/support/faq for an explanation.
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Local version: 0.90.1 Recommended version: 0.90.2
> DON'T PANIC! Read http://www.clamav.net/support/faq
> main.cvd is up to date (version: 43, sigs: 104500, f-level: 14, builder: sven)
> daily.inc is up to date (version: 3151, sigs: 6896, f-level: 15, builder: ccordes)
> [EMAIL PROTECTED] bin]#
>
> I go to the website http://www.clamav.net/support/faq and it is
> explained that I need the latest version of the scanner to detect the
> latest virus'. To do this I am presented with a question about having
> installed from Packages or Sources. I do not know the answer to this nor
> have I managed to find this out.

If you don't know how you installed ClamAV, we sure don't either. See above for a brief explanation of the various oddities.

> I have no objections to scrapping everything I have done so far in
> favour of an easier installation method, if there is one.

To do so, you'd need to know how you installed...

Anyway, without repeating all the details from my previous post: Why aren't you just installing the RPM packages provided (as an update) by your distro? It comes with an init script to automatically update the signatures, too.

> Here is a summary of the permission of the relevant file/directories
>
> Path/File/Direc'                User    Group   User  Group  Other
> /var/log/freshclam.log          Root    Admin   RW-   R--    RW-

This log file definitely should not be world writable.

> /var/lib/clamav/                clamav  clamav  RW-   RW-    R--

Directories need to be executable to cd into them.

> /usr/local/etc/freshclam.conf   Root    Root    RW-   R--    R--
> /usr/local/etc/clamd.conf       Root    Root    RW-   R--    R--

guenther
Re: [Clamav-users] Cannot update clamav-0.90.1.tar.gz on Mandriva 2007
On Sat, 2007-04-14 at 16:18 +0100, Stephen Constantinou wrote:
> I tried to follow as many instructions from various sources before I
> made this posting however my lack of knowledge was not improved as I
> found the freshclam.conf(5) manual impossible to understand. This file
> is not written for a new person.
>
> I removed earlier versions of clam that were installed as a result of a
> default install on Mandriva 2007. I did this as I was always upgrading
> clam and Klam to the same version. I was not able to get to the bottom
> of why the updates and upgrades were not staying.

What do you mean by not staying?

Anyway, is there any reason you want / need to install ClamAV for a single user only? If you want to update ClamAV, I'd either install it system wide from source, or by rebuilding a src.rpm with an updated ClamAV release -- if just using the distro provided rpm is not an option. Personally, I do prefer the src.rpm approach, since it magically gets a lot of things right without the need to do it myself. Like a dedicated clamav user and stuff.

Mandriva provides a ClamAV 0.90.1 update. Why don't you just install (update) that one, instead of removing the already existing system wide ClamAV and trying to get your own build running for a single user? You do have update sources configured, don't you? :)

Also, there is a freshclam init script, so you don't need to update the virus signatures manually.

> I downloaded clamav-0.90.1.tar.gz and configured it etc using the
> instructions found in the tutorial on the web, as follows:
>
> ./configure --prefix=/home/stephanos/clamav --disable-clamav
> make; make install

Minor nitpicking: This should be 'make && make install'.

> I think I did this as a user but I am not sure. As far as I know this
> worked OK. At the command line I tested the scanner (as a user) with the
> command clamscan /home/stephanos/ It scanned and reminded me I was seven
> days out of date. So I set about updating it with the freshclam command.
>
> [EMAIL PROTECTED] bin]$ ./freshclam
> ERROR: Please edit the example config file /home/stephanos/clamav/etc/freshclam.conf.
> ERROR: Please edit the example config file /home/stephanos/clamav/etc/clamd.conf.
> ERROR: Can't parse the config file /home/stephanos/clamav/etc/clamd.conf
>
> So I tried as root:

Please read the error messages carefully. They do not tell you to try as root.

> [EMAIL PROTECTED] bin]$ su
> Password:
> [EMAIL PROTECTED] bin]# ./freshclam
> ERROR: Please edit the example config file /home/stephanos/clamav/etc/freshclam.conf.
> ERROR: Please edit the example config file /home/stephanos/clamav/etc/clamd.conf.
> ERROR: Can't parse the config file /home/stephanos/clamav/etc/clamd.conf
> [EMAIL PROTECTED] bin]#
>
> Same problem that I had to fiddle with config files.

Yup, exactly. Edit the config files...

> Here is some other information that might be relevant:
>
> 1) The permissions of file: /home/stephanos/clamav/etc/freshclam.conf
>    are: owner-stephanos, rw-r--r--.
> 2) As root, using Kate, I made file /var/log/freshclam.log as it was not
>    present. The permissions of this file are: owner-root, rw-r--r--.
> 3) Is this log file in the right place as there is a directory
>    /var/log/clamav
> 4) I did try to read the freshclam.conf(5) manual before editing this
>    file. But I did not understand a word of it sorry,
>
> After these small changes to freshclam.conf I tried to update again but
> got the same messages.

Do read the config files. They contain pretty good comments about the various settings.

> Any help appreciated
> Stephen
>
> Contents of /home/stephanos/clamav/etc/freshclam.conf after I have
> edited it
>
> ##
> ## Example config file for freshclam
> ## Please read the freshclam.conf(5) manual before editing this file.
> ##
>
> # Comment or remove the line below.
> Example

Sic! Let's start here...

> # Path to the database directory.
> # WARNING: It must match clamd.conf's directive!
> # Default: hardcoded (depends on installation options)
> DatabaseDirectory /var/lib/clamav

Since you installed ClamAV inside your $HOME and it is running as the calling user (I guess, I never disabled clamav user/group testing), you most likely will have to adjust all these paths, since you won't be able to use the system ones.

[ lots of conf file dump snipped ]

guenther
Re: [Clamav-users] slow scanning on the .9 version
On Fri, 2007-04-13 at 15:35 +0200, Walter Bürger wrote:
> # time clamscan (in an empty directory)
>
> --- SCAN SUMMARY ---
> Known viruses: 108369
> Engine version: 0.90.1
> Scanned directories: 1
> Scanned files: 0
> Infected files: 0
> Data scanned: 0.00 MB
> Time: 18.512 sec (0 m 18 s)
> clamscan  17.26s user 0.69s system 96% cpu 18.652 total
>
> This makes clamscan almost unusable.

You want to use clamd/clamdscan instead of calling clamscan all the time. Just as Anton already pointed out in this thread, loading the virus signatures takes a lot of time.

$ clamscan | egrep -i '(scanned|time)'
Scanned directories: 1
Scanned files: 0
Data scanned: 0.00 MB
Time: 10.460 sec (0 m 10 s)

$ clamdscan | egrep -i '(scanned|time)'
Time: 0.001 sec (0 m 0 s)

guenther
Re: [Clamav-users] Re: pdf zip module failure
On Tue, 2007-02-27 at 22:15 -0500, Frank DeChellis wrote:
> I am using clamav 0.90 and exim 4.66. Where can I disable the scanning
> of PDF files?

Please resist the urge to top post.

> On 2/24/07 1:47 PM, Robert Allerstorfer [EMAIL PROTECTED] wrote:
> > On Sun, 18 Feb 2007, 19:42 GMT+01 Robert Allerstorfer wrote:
> > > On Sat, 17 Feb 2007, 15:17 GMT+10 Bill Maidment wrote:
> > > > How do you switch off pdf scanning, so I can get the pdf in.
> > >
> > > Unfortunately, there seems to be no way to disable PDF scanning in
> > > ClamAV 0.90. I am currently using this workaround:
> > >
> > > clamscan --exclude=.+\.pdf$
> >
> > With the next ClamAV release (0.90.1?), this will be possible using
> >
> > clamscan --no-pdf

You did read the mail you replied to, didn't you?

guenther
Re: [Clamav-users] Problems with version 0.90 amd webmin
On Tue, 2007-02-20 at 11:09 +0100, smc-oper wrote:
> I need help about clamav and webmin. We made the update to version
> 090.rc2. Now we have the problem when we want to use webmin.

Why are you using an old release candidate? You should update to the officially released version 0.90 instead.

> We get the message
>
>   Bitte geben Sie im Konfigurationsmodul den Ort der zweiten
>   Unterschriftsdatenbank an (das sollte daily.cvd sein)
>
> Because we only have now an daily.inc, not an daily.cvd. What can we do
> now?

Note: I never used webmin for ClamAV. Also, I did not have my coffee yet. ;)

Such issues happen rather frequently. That is, every time the software changes some behavior or configuration settings (as in this case). The ClamAV configuration changed, and the webmin module will be out-of-date and most likely dysfunctional, until they caught up and support the 0.90 configuration style. You will need an updated webmin to use it with ClamAV 0.90.

Btw, that translated (German) webmin warning sounds pretty poor. Indeed, a Signature can be translated with Unterschrift (as in your name, hand written), but a translation of Signatur would make so much more sense... Maybe someone wanna tell the webmin team?

guenther
Re: [Clamav-users] which scans mail
> I notice that in my /usr/sbin folder there are 3 clam related files.
>
> 1..clamav-milter
> 2..clamd
> 3..clamsmtpd
>
> I am trying to create a filter for evolution to scan for viruses. I was
> able to create a filter for spam by pointing to spamc. I presume it is
> either one or two above. But which one does the work?

Neither of them. They are not intended to be run by a user anyway. Have a look at the ClamAV related executables in your /bin directory. Oh, and *please* have a look at the documentation...

'clamscan' can scan data streams, which is necessary in your case. Unfortunately there is no client for the 'clamd' daemon provided AFAIK, that takes data streams -- which would speed up scanning.

A Filter condition like this works for your purpose:

  Pipe to Program   /bin/clamscan --quiet -   returns   1

The dash is necessary to use it on data streams, the --quiet option prevents scanning reports on STDOUT. See 'man clamscan' for more details.

A warning about Evolution Filters and STDOUT: Although a quick test even without --quiet just did work for me, I vaguely remember a bug at some time, that output on STDOUT may rewrite the mail. Did not do this for me. You should test this anyway, before running this on valuable mails...

A related note: Evolution 2.2.x comes with SA integration. That is, there is a convenient option to use SA to filter for SPAM. It uses spamc/spamd if available, and there are buttons to train Bayes by explicitly learning mails. There even is a Junk Test Filter. No need at all to create a filter for this purpose on your own...

...guenther
OT: gnupg (was: Re: [Clamav-users] clamav.net email addresses)
> What sort of gpg key is that. All the others there are plain text, but
> yours seems to be binary. I'm not an expert on gpg, so perhaps I am
> missing something regarding the difference. I'm just trying to add it to
> Evolution. Thx.

Sorry to step into this, but as I'm an Evolution support guy... ;)

This got nothing to do with Evolution. In fact, there is no GnuPG key management in Evolution, it's just using gnupg. What you're after simply is importing a key into your gnupg keyring.

Apart from what Tomasz already said, you'll maybe find these settings useful: [1]

$ grep ^keyserver .gnupg/options
keyserver blackhole.pca.dfn.de
keyserver-options auto-key-retrieve

The first line may vary, as it's simply the keyserver to use. The second line means about do automatically, what Tomasz said on verifying keys not yet retrieved. :) Of course, this does not add a trust -- it just retrieves the key to validate the signature at least. Whether you trust that signature or not is an entirely different story.

...guenther

[1] Using my old style configuration file; only used when gpg.conf is not found.
Re: [Clamav-users] Resolve problem with Mod_clamav about files ziped or compressed many time
> The problem was with the fact that I had installed clamav from RPM
> source. I had downloaded the source rpm, and rebuilt it for Redhat AS.
> [...]
> After many hours of debugging and no more clue, I have decided to remove
> the RPM and install clamav from source. Thanks to the magic everything
> works properly now. Mod_clamav can now detect archived or zipped file
> that contain other zipped or archived virus.

So this seems like either a packagers issue or a local issue when rebuilding on a different system. In the first case, please report it to the packager. In the latter, well... You're using a source package that likely doesn't fit your environment.

> I think that my post will help some people, because many people use RPM
> to install clamav, they will have the same problem, if one day they
> decide to use mod_clamav.

If the same occurs with the unaltered and not rebuilt RPM packages, it sure is a packagers issue -- as it works when using the same version from source.

...guenther
Re: OT: gnupg (was: Re: [Clamav-users] clamav.net email addresses)
On Mon, 2005-06-06 at 20:21 -0400, Jim Popovitch wrote:
> On Tue, 2005-06-07 at 01:59 +0200, guenther wrote:
> > > What sort of gpg key is that. All the others there are plain text,
> > > but yours seems to be binary. I'm not an expert on gpg, so perhaps I
> > > am missing something regarding the difference. I'm just trying to
> > > add it to Evolution. Thx.
> >
> > Sorry to step into this, but as I'm an Evolution support guy... ;)
>
> This is good to know... Whenever I double-click on an attachment in
> Evolution 2.4.0 I get a strange mouse icon that looks like a turtle
>                     ^

You're ahead of time, dude. 2.3.2 is the current unstable development branch. And your Mailer: header states 2.0.4 anyway... ;-)

btw, this is a GNOME issue, not Evolution related. ;)

> oh never mind. ;-)
>
> > This got nothing to do with Evolution. In fact, there is no GnuPG key
> > management in Evolution, it's just using gnupg. What you're after
> > simply is importing a key into your gnupg keyring.
> >
> > Apart from what Tomasz already said, you'll maybe find these settings
> > useful: [1]
> >
> > $ grep ^keyserver .gnupg/options
>
> grep: .gnupg/options: No such file or directory
>
> Well, that may be the issue then. Thanks for pointing this out.

As you can see from your own reply and my footnote [1], the old-style options file is used ONLY when gpg.conf is missing -- which it clearly is not for you. ;)

> -Jim P. (came to learn about ClamAV, learned about Evo and GnuPG too!)
>
> > keyserver blackhole.pca.dfn.de
> > keyserver-options auto-key-retrieve
> >
> > The first line may vary, as it's simply the keyserver to use. The
> > second line means about do automatically, what Tomasz said on
> > verifying keys not yet retrieved. :) Of course, this does not add a
> > trust -- it just retrieves the key to validate the signature at least.
> > Whether you trust that signature or not is an entirely different
> > story.
> >
> > ...guenther
> >
> > [1] Using my old style configuration file; only used when gpg.conf is
> > not found.

...guenther (who seriously needs some sleep)
Re: [Clamav-users] Re: Virus naming conventions?
On Thu, 2005-05-26 at 17:07 -0500, Ren Berber wrote:
> > So, in conclusion: Are my assumptions correct, that this partially is
> > due to old names? Is there at least a consensus on the classified
> > naming amongst AV vendors (as mentioned above)? And are dots and
> > dashes treated equally these days?
>
> I'm not an expert, but it seems to me that the section "What is the
> naming convention for viruses?" does answer your question about
> consensus and goes further to address why some names are different
> (made by different people at different times). The different syntax you
> noted are the result of that.

Well, it's not exactly what I'm after -- but I agree, that it might be the answer to my question anyway.

> Perhaps your question is more general, not only the clamav database,
> but about a taxonomy for viruses.

Kind of, yes.

> The way I see it, when a new virus is found, the developers or database
> maintainers try to get the detection strings ASAP and would not like to
> lose time looking up rules for naming, which is a very different
> situation from say a biologist classifying a live virus. I think a
> taxonomy would not be welcomed and we can expect all kinds of names
> (dots, dashes, spaces, upper- lower-case, slashes, etc. don't have a
> meaning).

Agreed and understood. :)

Thanks for the response...

...guenther
[Clamav-users] Reporting Phishing Mails?
Hey folks,

About a week ago I installed ClamAV on my local machine and it is doing a great job so far, catching Virii and even Phishing Mails.

  Database updated: ClamAV 0.85.1/894/Wed May 25 14:53:16 2005 signatures 31.894

However, within the last 12 hours I got 9 Phishing Mails (obviously basically the same one) slipping through. As ClamAV detects Phishing Mails as well, I wonder if I should report them to the ClamAV Virus Database -- although strictly it isn't a Virus.

So, should I go on and report one or two samples?

Keep up the great work. :)

...guenther
Re: [Clamav-users] Virus naming conventions?
> I just started using ClamAV and it is performing great so far. :)
>
> As I prefer to call ClamAV from procmail (actually, I used YAVR before,
> a procmail only based virus signature scanner) my current setup is
> procmail / clamassassin / clamdscan.
>
> Rather than dumping all Virii to a single location, I want to collect
> them in different mailboxes based on the virus family not counting the
> incarnation. For example all Worm.Sober.XYZ virii should be dropped to a
> Worm.Sober named mailbox. (clamassassin adds X-Virus-Report headers,
> reporting the exact virus name)
>
> I know how to do this sorting and evaluation of the ClamAV reported
> virus name with procmail -- however, I'm having a hard time
> understanding the naming conventions correctly and thus figuring out
> the procmail RE magic...
>
> Let's take Sober as an example again: There is the original version
> 'Worm.Sober' as well as later incarnations like 'Worm.Sober.B'. But
> then there is 'Worm.Sober.mime.2' too, which adds another dot...
>
> Are there any docs describing the naming conventions? Maybe someone
> else did before what I'm trying to achieve? Any pointers or hints?
>
> (Sure, I read a lot of docs and searched for this, but I don't seem to
> be able to find anything.)

Anyone?

Does the absence of any replies mean, there is no real naming convention and it is kind of random? ;-)

...guenther
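As an added example (not from the thread, not part of clamassassin), here is a small shell helper that reduces a reported virus name to the family mailbox guenther is after, following the class.name.incarnation convention he describes and tolerating the exceptions he lists later in the thread (no class prefix, dashes used like dots, extra suffixes). The class list and the X-Virus-Report layout ("<name> FOUND") are assumptions.

```shell
#!/bin/sh
# Added example: map a ClamAV virus name to a per-family mailbox.
# Not part of the original posts. Assumptions: the set of threat classes
# below, and that X-Virus-Report carries the virus name as its first word.

# Known threat classes (assumed; extend to match your signature database).
CLASSES="Worm Trojan Adware Exploit Phishing HTML Joke VBS W32 Email"

# is_class WORD -> true when WORD is one of the known classes.
is_class() {
    for c in $CLASSES; do
        [ "$1" = "$c" ] && return 0
    done
    return 1
}

# family_of NAME -> prints "Class.Name", or just "Name" without a class.
# Dashes are treated like dots and spaces dropped, so 'Amazon Queen-500'
# and 'AmazonQueen.500.B' both map to 'AmazonQueen'; 'Worm.Sober',
# 'Worm.Sober.B' and 'Worm.Sober.mime.2' all map to 'Worm.Sober'.
family_of() {
    name=$(printf '%s' "$1" | sed 's/ //g; s/-/./g')
    first=${name%%.*}
    rest=${name#*.}
    if [ "$rest" = "$name" ]; then
        # No separator at all: the whole thing is the name.
        printf '%s\n' "$first"
    elif is_class "$first"; then
        # class.name.<anything>: keep class and name only.
        printf '%s.%s\n' "$first" "${rest%%.*}"
    else
        # name.<incarnation> with no class prefix (e.g. 'Agiplan.A').
        printf '%s\n' "$first"
    fi
}

# mailbox_for HEADER_VALUE -> maildir folder name such as ".Virus.Worm.Sober".
mailbox_for() {
    vname=${1%% *}          # first word of "Worm.Sober.B FOUND"
    printf '.Virus.%s\n' "$(family_of "$vname")"
}

# Procmail usage (assumed recipe; MATCH holds what \/ captured):
#   :0
#   * ^X-Virus-Report: \/[^ ]+
#   $MAILDIR/`/usr/local/bin/virus-family.sh "$MATCH"`/
if [ -n "${1:-}" ]; then mailbox_for "$1"; fi
```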
Re: [Clamav-users] Reporting Phishing Mails?
On Thu, 2005-05-26 at 10:42 -0500, Damian Menscher wrote:
> On Thu, 26 May 2005, guenther wrote:
> > However, within the last 12 hours I got 9 Phishing Mails (obviously
> > basically the same one) slipping through.
> >
> > So, should I go on and report one or two samples?
>
> Yes, to the SpamAssassin team.

Actually, I don't think so. SpamAssassin is designed to catch SPAM, not malware or phishing mails. The fact it triggers on most phishing mails is pretty much a coincidence, as there are no special tests for this. Besides, they don't want my SPAM anyway. ;) [1]

Whereas ClamAV explicitly identifies "more than 1000 phishing mails and HTML exploits". So ClamAV obviously is meant to trigger on phishing mails, but you don't want new ones to be reported?

...guenther

[1] http://wiki.apache.org/spamassassin/DoYouWantMySpam
Re: [Clamav-users] Reporting Phishing Mails?
On Thu, 2005-05-26 at 18:43 +0200, aCaB wrote:
> Yes, please submit your phishing samples using the link on clamav
> homepage.

Done, with the Received: and To: headers removed. Hope that's ok.

Thanks aCaB for your response. As I mentioned, I'm fairly new to ClamAV, and I think I should ask if in doubt, rather than doing something dumb. ;) I like to contribute, and I try to respect the rules and procedure of every project.

...guenther
Re: [Clamav-users] Reporting Phishing Mails?
On Thu, 2005-05-26 at 12:08 -0500, Daniel J McDonald wrote:
> Damian - give it up. The clamav team has already agreed to filter those
> out for you in version 0.90. A good portion of the rest of us do want
> clamav to catch these.

Thanks for the details Daniel, now I see. Bad me asked about the wrong topic. ;-)

> So, go ahead and submit phishes using the standard web interface for
> viral patterns. Include the full rfc-822 source message - nothing
> pre-rendered by outlook

Sure, I wouldn't even think about anything else than RFC [2]822 messages. I'm fairly new to ClamAV, but I'm used to deal with mails and fight SPAM.

Besides, Outlook... Eh, we're using the same MUA. And even the same distro. ;)

...guenther
Re: [Clamav-users] Re: Virus naming conventions?
On Thu, 2005-05-26 at 13:59 -0500, Ren Berber wrote:
> > Does the absence of any replies mean, there is no real naming
> > convention and it is kind of random? ;-)
>
> Have you seen?
> http://clamav.net/cvdinfo.html#pagestart

Yes, I read that page before posting to the list. Unfortunately it doesn't cover what I'm trying to grasp. Maybe I didn't explain myself properly, so let me try again. :)

The page mentioned above is about different names for the same threat by different AV vendors -- like SomeFool vs. Netsky.B. I'm totally aware of that.

What I'm after is the naming convention of any particular threat. Most names seem to be broken in 2 or 3 parts (at least), separated by dots. Something along the lines of a) class of the threat like Adware and Worm, b) the actual name and c) a version or incarnation ID (left out for the first incarnation). This seems to be true for most of the current threats.

Anyway, there are a lot of sigs in the database that don't follow this convention:

* Some of them do not have the class of the threat preceding, like 'Agiplan.A'. Embedded spaces and mixing between '.' and '-' seems to be used too, like in 'Amazon Queen-500' and 'AmazonQueen.500.B'.

* Sometimes there are a lot of minor differences for the same incarnation, leading to different sigs and thus names -- again mixing dots and dashes. See Worm.Sober.I for some examples...

    $ ./sigtool --list-sigs | grep ^Worm.Sober.I | sort

The first issue likely may be a result of old threats, back those days when the AV vendors didn't use a classification like these days. I honestly don't know, cause I didn't even hear about most of 'em.

The second issue may even break automatically sorting the worms.

So, in conclusion: Are my assumptions correct, that this partially is due to old names? Is there at least a consensus on the classified naming amongst AV vendors (as mentioned above)? And are dots and dashes treated equally these days? Or am I totally off the track?

Hope that makes more sense...

...guenther
Re: [Clamav-users] Virus naming conventions?
> On a related note: I am using clamassassin [1], but shortly after I
> installed it the website and mailing list seems to be down. Does anyone
> know anything about it?

FYI only, up and working again.

...guenther