Re: [Clamav-users] mime parser in clamav
Oh! I missed my actual question! :-) Is this expected behavior, i.e. a limitation with making your own simple MD5-based sigs?

Jason Haar wrote:

> Hi there
>
> The new W32/Nyxem-D virus seems to escape clamav fairly well. It comes in as a .HQX or .MIM attachment - which is base64 encoded. However, the resultant HQX/MIM file is actually an UUENCODED file (that WinXP at least auto-supports).
>
> I uudecoded it and wrote my own signature for the resulting executable using sigtool --md5 (you have to do it against the exe - it's always the same size, whereas the uuencoded files have different sizes based on what random filename they chose when generated).
>
> After that Clamav detects the virus in the executable just fine - but can't catch it within either the uuencoded attachment, or the raw email itself.
>
> clamscan --verbose --debug file.eml shows it loading the homemade signature, but shows no reference to uudecoding.
>
> I have just uploaded it via the submission form.
>
> Thanks!
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

___
http://lurker.clamav.net/list/clamav-users.html
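The two encoding layers described in the post above (a base64 MIME attachment whose decoded content is itself a uuencoded file) are what decide whether an MD5 signature can match: the uuencoded blob changes size with the embedded filename, the decoded executable does not. The following is an added example written for this thread, not code from the ClamAV project or from any poster; it uses only Python's standard `email` and `binascii` modules, and the payload, addresses and filenames are constructed placeholders, not a malware sample.

```python
# Added example (not ClamAV code): build a mail whose base64 attachment is a
# uuencoded file, then walk the MIME parts, strip both layers and hash the
# inner payload. The payload is a constructed stand-in, not a real executable.
import binascii
import hashlib
from email import message_from_bytes
from email.message import EmailMessage

# Constructed stand-in for "the executable"; only its bytes matter here.
PAYLOAD = b"MZ" + bytes(range(256)) * 4 + b"constructed-dummy-executable"
PAYLOAD_MD5 = hashlib.md5(PAYLOAD).hexdigest()


def uuencode(data: bytes, filename: str) -> bytes:
    """Classic uuencode: 'begin 644 <name>', 45-byte lines, '`', 'end'."""
    lines = [f"begin 644 {filename}".encode()]
    for i in range(0, len(data), 45):
        # backtick=True encodes zero bits as '`' so no line ends in spaces
        lines.append(binascii.b2a_uu(data[i:i + 45], backtick=True).rstrip(b"\n"))
    lines += [b"`", b"end"]
    return b"\n".join(lines) + b"\n"


def is_uuencoded(blob: bytes) -> bool:
    """Cheap header check: first non-blank line is 'begin <mode> <name>'."""
    first = blob.lstrip().split(b"\n", 1)[0]
    return first.startswith(b"begin ") and len(first.split()) >= 3


def uudecode(blob: bytes) -> bytes:
    """Decode the body between 'begin' and 'end', one 45-byte line at a time."""
    out = bytearray()
    in_body = False
    for line in blob.splitlines():
        if not in_body:
            in_body = line.startswith(b"begin ")
            continue
        if line == b"end":
            break
        if line in (b"", b"`"):      # blank line or the zero-length terminator
            continue
        out += binascii.a2b_uu(line)
    return bytes(out)


def build_mail(filename: str) -> bytes:
    """Construct a message carrying the uuencoded payload as a base64 attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    # bytes content defaults to Content-Transfer-Encoding: base64
    msg.add_attachment(uuencode(PAYLOAD, filename),
                       maintype="application", subtype="octet-stream",
                       filename=filename + ".hqx")
    return msg.as_bytes()


def scan_attachments(raw: bytes) -> list:
    """Walk every MIME leaf, undo its transfer encoding, and when the result is
    a uuencoded file, strip that layer too and hash what is inside."""
    results = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        blob = part.get_payload(decode=True)   # undoes base64 / quoted-printable
        if blob is None or not is_uuencoded(blob):
            continue
        inner = uudecode(blob)
        results.append({
            "filename": part.get_filename(),
            "uuencoded_size": len(blob),       # varies with the chosen filename
            "decoded_size": len(inner),        # constant for the same payload
            "md5": hashlib.md5(inner).hexdigest(),
        })
    return results


if __name__ == "__main__":
    for name in ("kwpxtq", "a_much_longer_random_name"):
        for r in scan_attachments(build_mail(name)):
            print(r)
```

Running it with two different filenames shows the same `md5` and `decoded_size` but different `uuencoded_size` values, which is why a hash taken over the attachment as transported cannot serve as a signature while a hash over the uudecoded file can.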
Re: [Clamav-users] Mime - FIXED
On Wednesday 16 February 2005 14:35, Scott Ryan shaped the electrons to say:

> Hi list,
>
> I have posted before about an issue with clamd hanging and yesterday we finally managed to find out what the underlying problem was. We came across an 800k mail that we initially thought was causing clamd to hang. The truth in fact was that once we turned on debugging, we noticed that clamd was not hanging - just taking an age to scan the mail. This was obviously causing us huge problems as this was happening on very busy mail servers and in effect causes a DOS.
>
> We were running 0.83 and downgraded eventually to 0.80 and then we no longer experienced the issue.
>
> What we noticed about this one particular mail was that it had hundreds of mime-parts. So it appears to us that there has been a major change in the way clamav deals with mime parts since 0.80. So much so that it goes from scanning this mail in under a second in 0.80:
>
> # ls -la 1108491486.1513-1.ophelia.telkomsa.net
> -rw---1 root root 817795 Feb 15 20:35 1108491486.1513-1.ophelia.telkomsa.net
> # cat 1108491486.1513-1.ophelia.telkomsa.net | clamdscan -
> stream: OK
>
> --- SCAN SUMMARY ---
> Infected files: 0
> Time: 0.741 sec (0 m 0 s)
>
> to taking over 4 minutes to scan in 0.83.
>
> Can anyone shed some light on this / offer some advice, as obviously we want to keep up with the latest stable version. I can provide the mail if anyone wants to examine it further.

My setup is now as follows:

Qmail-scanner with 'reformmime' enabled.
Clamd with the ScanMail option removed.

It looks initially like this will solve our issue of clamd taking an age to scan messages that have huge numbers of messages within them. Tested by sending a few viruses, and they were trapped.

Cheers.

--
Scott Ryan
Telkom Internet
Re: [Clamav-users] Mime
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ted Fines wrote:

> --On Thursday, February 17, 2005 3:38 PM +0000 Nigel Horne [EMAIL PROTECTED] wrote:
>
>> On Thursday 17 Feb 2005 15:07, Tomasz Kojm wrote:
>>> On Thu, 17 Feb 2005 11:50:11 +0000 (GMT)
>>> Andy Fiddaman [EMAIL PROTECTED] wrote:
>>>
>>>> Kind of.. there's a limit for how many times the mail scanner is invoked, (such as for a message with zip containing message containing zip containing message...), but not for mime recursion.. i.e. parseEmailBody recurses through embedded MIME parts with no recursion checking.
>>>
>>> I can't help you here as my knowledge on a mail structure is very limited. That limit and its implementation will have to be discussed with Nigel.
>>
>> The recursive blocking was taken out some time ago after a LOT of pressure in this list and through personal emails (there used to be a hardcoded limit of 10 recursions).
>>
>> I am not about to start that argument again since it is the usual case of clamAV developers are damned if we do and damned if we don't.
>
> I am not getting something here. By recursive 'blocking' do you mean a limit on recursion (that's how I read it) or something else?
>
> Tomasz seemed to indicate in a previous email that there is an email recursion limit set in Clam:
>
>> There's already a recursion limit for mail scanning but it's not
>> configurable (yet).
>
> and
>
> libclamav/scanners.c:#define MAX_MAIL_RECURSION 15
>
> I'm not trying to start any argument, either. Just trying to understand how Clam actually works, given what appear to me to be two contradictory statements.
>
> I get that the previous 800k email I mentioned is actually 200 nested emails. You are right about that and I missed it. But if there is a recursion limit of 15, and let's even say Clam looks at the 15 biggest ones first, so they're all about 800. That should still mean Clam would only need several seconds to scan through the first 15, then quit. But it doesn't. It takes much, much longer. That's where I'm coming from.
>
> If mail recursion has a max setting, why does it take so long? If it doesn't have one, what was Tomasz talking about?

In my opinion after reaching (configurable and disabled by default) max recursion limit clamav should return with error (or virus name?) Oversized.Mail (or something like this).

Regards
Boguslaw Brandys

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCFyvftuGICzHOh+YRAvzlAJ939yqTXviXsWYwFVjeTkdBdzNJMQCggUyG
XiiiB8PnF9Oxc6gRCL1IKR8=
=Nanq
-----END PGP SIGNATURE-----

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Mime
On Wed, 16 Feb 2005, Boguslaw Brandys wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Nigel Horne wrote:
>> On Wednesday 16 Feb 2005 14:18, Ted Fines wrote:
>>
>>> FOUR MINUTES, 13 SECONDS for an 800k email.
>>
>> ...
>>
>> 0.80 didn't scan it properly and would have let a virus through, 0.83 fixes that bug.
>
> Oversized.Mail ? Do we need such new detection or is better solution ?

How about MailMaxMimeDepth and MailBlockMax directives?

Most other scanners I've used default to block any message with over 10 levels of mime nesting, maybe something like 25 is a good default though.

Andy
Re: [Clamav-users] Mime
On Thursday 17 February 2005 11:29, Andy Fiddaman shaped the electrons to say:

> On Wed, 16 Feb 2005, Boguslaw Brandys wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Nigel Horne wrote:
>>> On Wednesday 16 Feb 2005 14:18, Ted Fines wrote:
>>>
>>>> FOUR MINUTES, 13 SECONDS for an 800k email.
>>>
>>> ...
>>>
>>> 0.80 didn't scan it properly and would have let a virus through, 0.83 fixes that bug.
>>
>> Oversized.Mail ? Do we need such new detection or is better solution ?
>
> How about MailMaxMimeDepth and MailBlockMax directives?
>
> Most other scanners I've used default to block any message with over 10 levels of mime nesting, maybe something like 25 is a good default though.

I even think that 25 is too much...

--
Scott Ryan
Telkom Internet
Re: [Clamav-users] Mime
On Wed, 16 Feb 2005, Tomasz Kojm wrote:

> On Wed, 16 Feb 2005 17:51:28 +0200
> Scott Ryan [EMAIL PROTECTED] wrote:
>
>> I will just have to allow these types of mails to go unscanned. Four
>> minutes to scan 1 will cause a DOS.
>
> So increase the number of MaxThreads...
>
>> Would it be possible to request that some kind of recursion limit be
>> added here like there currently is on zip files?
>
> There's already a recursion limit for mail scanning but it's not
> configurable (yet).

Kind of.. there's a limit for how many times the mail scanner is invoked, (such as for a message with zip containing message containing zip containing message...), but not for mime recursion.. i.e. parseEmailBody recurses through embedded MIME parts with no recursion checking.

Both limits would be useful with optional block on limit exceeded.

Andy
Re: [Clamav-users] Mime
On Thu, 17 Feb 2005 11:50:11 +0000 (GMT)
Andy Fiddaman [EMAIL PROTECTED] wrote:

> Kind of.. there's a limit for how many times the mail scanner is invoked, (such as for a message with zip containing message containing zip containing message...), but not for mime recursion.. i.e. parseEmailBody recurses through embedded MIME parts with no recursion checking.

I can't help you here as my knowledge on a mail structure is very limited. That limit and its implementation will have to be discussed with Nigel.

--
   oo.                          Tomasz Kojm [EMAIL PROTECTED]
  (\/)\.                        http://www.ClamAV.net/gpg/tkojm.gpg
     \..._  0DCA5A08407D5288279DB43454822DC8985A444B
       //\   /\                 Thu Feb 17 16:05:53 CET 2005
Re: [Clamav-users] Mime
On Thursday 17 Feb 2005 15:07, Tomasz Kojm wrote:
> On Thu, 17 Feb 2005 11:50:11 +0000 (GMT)
> Andy Fiddaman [EMAIL PROTECTED] wrote:
>
>> Kind of.. there's a limit for how many times the mail scanner is invoked, (such as for a message with zip containing message containing zip containing message...), but not for mime recursion.. i.e. parseEmailBody recurses through embedded MIME parts with no recursion checking.
>
> I can't help you here as my knowledge on a mail structure is very limited. That limit and its implementation will have to be discussed with Nigel.

The recursive blocking was taken out some time ago after a LOT of pressure in this list and through personal emails (there used to be a hardcoded limit of 10 recursions).

I am not about to start that argument again since it is the usual case of clamAV developers are damned if we do and damned if we don't.

--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] Mime
On Thu, 17 Feb 2005, Nigel Horne wrote:

> On Thursday 17 Feb 2005 15:07, Tomasz Kojm wrote:
>> On Thu, 17 Feb 2005 11:50:11 +0000 (GMT)
>> Andy Fiddaman [EMAIL PROTECTED] wrote:
>>
>>> Kind of.. there's a limit for how many times the mail scanner is
>>> invoked, (such as for a message with zip containing message containing
>>> zip containing message...), but not for mime recursion.. i.e.
>>> parseEmailBody recurses through embedded MIME parts with no recursion
>>> checking.
>>
>> I can't help you here as my knowledge on a mail structure is very
>> limited. That limit and its implementation will have to be discussed
>> with Nigel.
>
> The recursive blocking was taken out some time ago after a LOT of pressure
> in this list and through personal emails (there used to be a hardcoded limit
> of 10 recursions).
>
> I am not about to start that argument again since it is the usual case of clamAV
> developers are damned if we do and damned if we don't.

The problem with the old limit was that it was hard coded and so was the behaviour when it was exceeded (IIRC it used to just not scan the additional nested parts). I can't understand why adding this option with configurable behaviour would be a problem, and I'd be happy to submit a patch if it has a chance of being accepted!

Andy
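What a configurable MIME-depth limit with a choice of behaviour on overflow looks like in practice (the MailMaxMimeDepth / MailBlockMax directives and the Oversized.Mail verdict suggested elsewhere in this thread), as an added example written for this page in Python, not ClamAV code and not the patch Andy offers. The directive names, the `Oversized.Mail` string and the depth semantics (every multipart/* or message/rfc822 container hop adds one level) are assumptions taken from the discussion, not real clamd.conf options or ClamAV detection names; `build_nested` constructs a mail of the nested-messages shape the thread describes, using only Python's standard `email` package.

```python
# Added example (not ClamAV code): enforce a maximum MIME nesting depth over a
# message with an explicit stack, and either reject the mail or scan only the
# parts within the limit. Directive names and the verdict string are assumed.
from email import message_from_bytes
from email.policy import default

MAX_MIME_DEPTH = 25      # assumed default for a "MailMaxMimeDepth"-style option
BLOCK_ON_EXCEED = True   # "MailBlockMax"-style option: True rejects, False skips


def build_nested(levels: int) -> bytes:
    """Construct a message that wraps a message/rfc822 part `levels` deep,
    the shape of the slow 800k mail discussed in the thread (built iteratively
    so the construction itself cannot recurse)."""
    body = "Subject: level 0\r\nContent-Type: text/plain\r\n\r\ninnermost body\r\n"
    for i in range(1, levels + 1):
        b = f"=_lvl{i}_="
        body = (
            f"Subject: level {i}\r\nMIME-Version: 1.0\r\n"
            f'Content-Type: multipart/mixed; boundary="{b}"\r\n\r\n'
            f"--{b}\r\nContent-Type: text/plain\r\n\r\nwrapper body\r\n"
            f"--{b}\r\nContent-Type: message/rfc822\r\n\r\n{body}"
            f"--{b}--\r\n"
        )
    return body.encode()


def check_mime_depth(raw: bytes, max_depth: int = MAX_MIME_DEPTH,
                     block: bool = BLOCK_ON_EXCEED) -> dict:
    """Explicit-stack traversal (no recursion): a multipart/* part and a
    message/rfc822 part each count as one container level."""
    root = message_from_bytes(raw, policy=default)
    stack = [(root, 0)]
    parts_seen = 0
    deepest = 0
    leaves = []          # content types that would be handed to the scanner
    exceeded = False
    while stack:
        part, depth = stack.pop()
        parts_seen += 1
        deepest = max(deepest, depth)
        if depth > max_depth:
            exceeded = True
            if block:
                break    # reject outright; walking the rest is wasted work
            continue     # skip mode: do not descend below the limit
        if part.is_multipart():
            # multipart/* payload is a list of parts; message/rfc822 payload
            # is a one-element list holding the embedded message
            for child in part.get_payload():
                stack.append((child, depth + 1))
        else:
            leaves.append(part.get_content_type())
    if exceeded and block:
        verdict = "Oversized.Mail"      # name proposed in the thread, assumed
    elif exceeded:
        verdict = "OK (parts below the depth limit were not scanned)"
    else:
        verdict = "OK"
    return {"parts_seen": parts_seen, "deepest": deepest, "exceeded": exceeded,
            "leaves_scanned": len(leaves), "verdict": verdict}


if __name__ == "__main__":
    print(check_mime_depth(build_nested(5)))
    print(check_mime_depth(build_nested(40)))
    print(check_mime_depth(build_nested(40), block=False))
```

The point of the explicit stack is that the work done is bounded by the limit rather than by the attacker's nesting count: with 40 levels and the 25-level limit the walk touches 40 parts and stops, whereas an unbounded walk touches all 121. The skip mode reproduces the old behaviour Andy recalls (deeper parts simply not scanned), the block mode the Oversized.Mail proposal; a site chooses which trade-off it wants.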
Re: [Clamav-users] Mime
--On Thursday, February 17, 2005 3:38 PM +0000 Nigel Horne [EMAIL PROTECTED] wrote:

> On Thursday 17 Feb 2005 15:07, Tomasz Kojm wrote:
>> On Thu, 17 Feb 2005 11:50:11 +0000 (GMT)
>> Andy Fiddaman [EMAIL PROTECTED] wrote:
>>
>>> Kind of.. there's a limit for how many times the mail scanner is invoked, (such as for a message with zip containing message containing zip containing message...), but not for mime recursion.. i.e. parseEmailBody recurses through embedded MIME parts with no recursion checking.
>>
>> I can't help you here as my knowledge on a mail structure is very limited. That limit and its implementation will have to be discussed with Nigel.
>
> The recursive blocking was taken out some time ago after a LOT of pressure in this list and through personal emails (there used to be a hardcoded limit of 10 recursions).
>
> I am not about to start that argument again since it is the usual case of clamAV developers are damned if we do and damned if we don't.

I am not getting something here. By recursive 'blocking' do you mean a limit on recursion (that's how I read it) or something else?

Tomasz seemed to indicate in a previous email that there is an email recursion limit set in Clam:

> There's already a recursion limit for mail scanning but it's not
> configurable (yet).

and

libclamav/scanners.c:#define MAX_MAIL_RECURSION 15

I'm not trying to start any argument, either. Just trying to understand how Clam actually works, given what appear to me to be two contradictory statements.

I get that the previous 800k email I mentioned is actually 200 nested emails. You are right about that and I missed it. But if there is a recursion limit of 15, and let's even say Clam looks at the 15 biggest ones first, so they're all about 800. That should still mean Clam would only need several seconds to scan through the first 15, then quit. But it doesn't. It takes much, much longer. That's where I'm coming from.

If mail recursion has a max setting, why does it take so long? If it doesn't have one, what was Tomasz talking about?

Damned if you do and damned if you don't. Yep. I think most of us on this list are HUGE fans of ClamAV. But it's human-on-a-mailing-list nature to chime in mostly to complain or report problems. Things would be worse if mailing list members were constantly sending sappy e-cards to the list though. "I Love You Guys...", "Thinking of you...", etc. Blecch.

I Love You Guys,
Ted
Re: [Clamav-users] Mime
On Thursday 17 Feb 2005 16:07, Andy Fiddaman wrote:
> The problem with the old limit was that it was hard coded and so was the behaviour when it was exceeded (IIRC it used to just not scan the additional nested parts). I can't understand why adding this option with configurable behaviour would be a problem, and I'd be happy to submit a patch if it has a chance of being accepted!

Wrong. The problem with the old limit was that it existed. You weren't on the receiving end of the sometimes nasty emails, so why are you making the above statement.

> Andy

--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] Mime
On Thu, 17 Feb 2005 16:12:08 +0000 in [EMAIL PROTECTED]
Nigel Horne [EMAIL PROTECTED] wrote:

> On Thursday 17 Feb 2005 16:07, Andy Fiddaman wrote:
>> The problem with the old limit was that it was hard coded and so was the behaviour when it was exceeded (IIRC it used to just not scan the additional nested parts). I can't understand why adding this option with configurable behaviour would be a problem, and I'd be happy to submit a patch if it has a chance of being accepted!
>
> Wrong. The problem with the old limit was that it existed. You weren't on the receiving end of the sometimes nasty emails, so why are you making the above statement.

So if there were a configurable limit that could vary from no limit at all to a user defined limit suited to a given installation it ought to be OK. Those that sent the nasty emails should realise that very little happens when volunteers are nastygrammed.

--
Brian Morrison

bdm at fenrir dot org dot uk

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
Re: [Clamav-users] Mime
> [EMAIL PROTECTED] Nigel Horne [EMAIL PROTECTED]
> wrote:
>
>> On Thursday 17 Feb 2005 16:07, Andy Fiddaman wrote:
>>
>>> The problem with the old limit was that it was hard coded and so was
>>> the behaviour when it was exceeded (IIRC it used to just not scan
>>> the additional nested parts). I can't understand why adding this
>>> option with configurable behaviour would be a problem, and I'd be
>>> happy to submit a patch if it has a chance of being accepted!
>>
>> Wrong. The problem with the old limit was that it existed. You weren't
>> on the receiving end of the sometimes nasty emails, so why are you
>> making the above statement.

Apologies, I should have caveated the first statement with 'from my perspective'. The rest of my comment still stands though.

A.
Re: [Clamav-users] Mime
--On Wednesday, February 16, 2005 2:52 PM +0200 Scott Ryan [EMAIL PROTECTED] wrote:

> On Wednesday 16 February 2005 14:50, Ted Fines shaped the electrons to say:
>> Would you please send me this attachment off-list. Please zip it and password protect it (password='password') so it comes through.
>>
>> Thanks,
>> Ted
>
> Hope this works.
>
> --
> Scott Ryan
> Telkom Internet

Holy bananas. This problem could easily hang any server using Clam 0.83.

I asked Scott to send me the email in question and I see exactly the same behavior with Clam 0.83 on FreeBSD 5.3 / Dual Xeon 2.xx GHz machine:

qmail2# ls -l
total 816
-rw-r--r--  1 root  daemon  817795 Feb 16 14:47 1108491486.1513-1.ophelia.telkomsa.net
qmail2# time clamdscan 1108491486.1513-1.ophelia.telkomsa.net
/usr/home/ftp/incoming/1108491486.1513-1.ophelia.telkomsa.net: OK

--- SCAN SUMMARY ---
Infected files: 0
Time: 253.436 sec (4 m 13 s)
0.006u 0.000s 4:13.44 0.0%      0+0k 0+0io 0pf+0w

FOUR MINUTES, 13 SECONDS for an 800k email.

By comparison, I scanned a large (160 MB) .zip file:

qmail2# ls -al
total 158260
drwx-wx-wx  2 root  daemon        512 Feb 16 08:02 .
drwxr-xr-x  3 root  daemon        512 Feb 16 08:02 ..
-rw-r--r--  1 root  daemon  161946301 Jan 18 16:01 GhostFull1117.zip
qmail2# time clamdscan GhostFull1117.zip
/usr/home/ftp/incoming/GhostFull1117.zip: OK

--- SCAN SUMMARY ---
Infected files: 0
Time: 86.319 sec (1 m 26 s)
0.006u 0.000s 1:26.32 0.0%      0+0k 0+0io 0pf+0w

A minute, 26 seconds.

...And a more realistic sized .zip file:

qmail2# ls -l
total 1104
-rw-r--r--  1 root  daemon  1098702 Feb 16 08:04 Archive.zip
qmail2# time clamdscan .
/usr/home/ftp/incoming/.: OK

--- SCAN SUMMARY ---
Infected files: 0
Time: 0.795 sec (0 m 0 s)
0.006u 0.000s 0:00.80 0.0%      0+0k 0+0io 0pf+0w
Re: [Clamav-users] Mime
On Wednesday 16 Feb 2005 14:18, Ted Fines wrote:

> FOUR MINUTES, 13 SECONDS for an 800k email.

Look at the file again. It is NOT an 800k mail. It is over 200 emails embedded within each other. By definition the largest message is about 800K and the smallest is about 1K give or take, giving an average of 400K (don't worry if the maths isn't too accurate). So that's about 200x400K = c.80Mb.

0.80 didn't scan it properly and would have let a virus through, 0.83 fixes that bug.

> By comparison, I scanned a large (160 MB) .zip file:

Try comparing like with like next time.

--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] Mime
* Ted Fines [EMAIL PROTECTED] [20050216 17:20]: wrote:
> --On Wednesday, February 16, 2005 2:52 PM +0200 Scott Ryan [EMAIL PROTECTED] wrote:
>
>> On Wednesday 16 February 2005 14:50, Ted Fines shaped the electrons to say:
>>> Would you please send me this attachment off-list. Please zip it and password protect it (password='password') so it comes through.
>>>
>>> Thanks,
>>> Ted
>>
>> Hope this works.
>>
>> --
>> Scott Ryan
>> Telkom Internet
>
> Holy bananas. This problem could easily hang any server using Clam 0.83.
>
> I asked Scott to send me the email in question and I see exactly the same behavior with Clam 0.83 on FreeBSD 5.3 / Dual Xeon 2.xx GHz machine:

Now that you have come up, I believe I should as well. I backed off 0.83 and ran several steps backwards. For the same reasons (clamd taking ages to scan), I am running the following version of ClamAv:

ClamAV devel-20050214

I just did not have enough time to debug this on a production box! I am running FreeBSD 4.11 / Quad Xeon 500MHz, 1GB RAM.

Well, and zlib version should not have anything to do with this since I still rely on the native one on the base system ;)

-Wash

http://www.netmeister.org/news/learn2quote.html

--
+==+
|\ _,,,---,,_         | Odhiambo Washington  [EMAIL PROTECTED]
Zzz /,`.-'`'-. ;-;;,_ | Wananchi Online Ltd. www.wananchi.com
|,4- ) )-,_. ,\ ( `'-'| Tel: +254 20 313985-9 +254 20 313922
'---''(_/--' `-'\_)   | GSM: +254 722 743223 +254 733 744121
+==+
The human race is a race of cowards; and I am not only marching in that procession but carrying a banner. -- Mark Twain
Re: [Clamav-users] Mime
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nigel Horne wrote:
> On Wednesday 16 Feb 2005 14:18, Ted Fines wrote:
>
>> FOUR MINUTES, 13 SECONDS for an 800k email.
>
> Look at the file again. It is NOT an 800k mail. It is over 200 emails embedded within each other. By definition the largest message is about 800K and the smallest is about 1K give or take, giving an average of 400K (don't worry if the maths isn't too accurate). So that's about 200x400K = c.80Mb.
>
> 0.80 didn't scan it properly and would have let a virus through, 0.83 fixes that bug.
>
>> By comparison, I scanned a large (160 MB) .zip file:
>
> Try comparing like with like next time.

Oversized.Mail ? Do we need such new detection or is better solution ?

Boguslaw Brandys

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCE198tuGICzHOh+YRAt/lAJwMmtO1DoF3aNSyzJoZVzwZNwY1UACgi3A2
Pav6a4h07YNqkEVx0tn27PM=
=PWNa
-----END PGP SIGNATURE-----
Re: [Clamav-users] Mime
On Wednesday 16 Feb 2005 14:58, Boguslaw Brandys wrote:
> Oversized.Mail ? Do we need such new detection or is better solution ?

I need to finish the work on the new scanner that is already underway (see mbox.c) which removes the parser.

> Boguslaw Brandys

--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] Mime
On Wednesday 16 February 2005 16:26, Nigel Horne shaped the electrons to say:
> On Wednesday 16 Feb 2005 14:18, Ted Fines wrote:
>
>> FOUR MINUTES, 13 SECONDS for an 800k email.
>
> Look at the file again. It is NOT an 800k mail. It is over 200 emails embedded within each other. By definition the largest message is about 800K and the smallest is about 1K give or take, giving an average of 400K (don't worry if the maths isn't too accurate). So that's about 200x400K = c.80Mb.
>
> 0.80 didn't scan it properly and would have let a virus through, 0.83 fixes that bug.

My dilemma is now this, we cannot upgrade to any version above 0.80 due to oversized mails potentially causing a DOS. What functionality am I missing out on (in a nutshell) by running 0.80? Are there many viruses that I will not be able to catch?

Is there potentially a work around for these types of mails?

regards

--
Scott Ryan
Telkom Internet
Re: [Clamav-users] Mime
On Wednesday 16 Feb 2005 15:15, Scott Ryan wrote:
> On Wednesday 16 February 2005 16:26, Nigel Horne shaped the electrons to say:
>> On Wednesday 16 Feb 2005 14:18, Ted Fines wrote:
>>
>>> FOUR MINUTES, 13 SECONDS for an 800k email.
>>
>> Look at the file again. It is NOT an 800k mail. It is over 200 emails embedded within each other. By definition the largest message is about 800K and the smallest is about 1K give or take, giving an average of 400K (don't worry if the maths isn't too accurate). So that's about 200x400K = c.80Mb.
>>
>> 0.80 didn't scan it properly and would have let a virus through, 0.83 fixes that bug.
>
> My dilemma is now this, we cannot upgrade to any version above 0.80 due to oversized mails potentially causing a DOS. What functionality am I missing out on (in a nutshell) by running 0.80? Are there many viruses that I will not be able to catch?

I have seen this in the field, indeed the scans were added as the result of a bug report. It's your decision on what to do.

> Is there potentially a work around for these types of mails?
>
> regards

--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] Mime
On Wednesday 16 February 2005 17:34, Nigel Horne shaped the electrons to say:
> On Wednesday 16 Feb 2005 15:15, Scott Ryan wrote:
>> On Wednesday 16 February 2005 16:26, Nigel Horne shaped the electrons to say:
>>> On Wednesday 16 Feb 2005 14:18, Ted Fines wrote:
>>>
>>>> FOUR MINUTES, 13 SECONDS for an 800k email.
>>>
>>> Look at the file again. It is NOT an 800k mail. It is over 200 emails embedded within each other. By definition the largest message is about 800K and the smallest is about 1K give or take, giving an average of 400K (don't worry if the maths isn't too accurate). So that's about 200x400K = c.80Mb.
>>>
>>> 0.80 didn't scan it properly and would have let a virus through, 0.83 fixes that bug.
>>
>> My dilemma is now this, we cannot upgrade to any version above 0.80 due to oversized mails potentially causing a DOS. What functionality am I missing out on (in a nutshell) by running 0.80? Are there many viruses that I will not be able to catch?
>
> I have seen this in the field, indeed the scans were added as the result of a bug report. It's your decision on what to do.

I will just have to allow these types of mails to go unscanned. Four minutes to scan 1 will cause a DOS.

Would it be possible to request that some kind of recursion limit be added here like there currently is on zip files? Just a thought...

>> Is there potentially a work around for these types of mails?
>>
>> regards

--
Scott Ryan
Telkom Internet
Re: [Clamav-users] Mime
On Wednesday 16 Feb 2005 15:51, Scott Ryan wrote:
> Would it be possible to request that some kind of recursion limit be added here like there currently is on zip files?

That would be bad idea since it would be v. easy for a virus writer to get around.

--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] Mime
On Wed, 2005-02-16 at 16:00 +0000, Nigel Horne wrote:
> On Wednesday 16 Feb 2005 15:51, Scott Ryan wrote:
>> Would it be possible to request that some kind of recursion limit be added here like there currently is on zip files?
>
> That would be bad idea since it would be v. easy for a virus writer to get around.

Okay. How about an option to dump an email - or flag it as a *possible* virus - if a specified recursion limit is reached?

--
Peter Hubbard [EMAIL PROTECTED]
Re: [Clamav-users] Mime
On Wed, 16 Feb 2005 18:23:51 +0200 in [EMAIL PROTECTED]
Peter Hubbard [EMAIL PROTECTED] wrote:

>> That would be bad idea since it would be v. easy for a virus writer to get around.
>
> Okay. How about an option to dump an email - or flag it as a *possible* virus - if a specified recursion limit is reached?

Isn't that what ArchiveBlockMax is for? See man clamd.conf

--
Brian Morrison

bdm at fenrir dot org dot uk

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
Re: [Clamav-users] Mime
On Wed, 16 Feb 2005 17:51:28 +0200
Scott Ryan [EMAIL PROTECTED] wrote:

> I will just have to allow these types of mails to go unscanned. Four
> minutes to scan 1 will cause a DOS.

So increase the number of MaxThreads...

> Would it be possible to request that some kind of recursion limit be
> added here like there currently is on zip files?

There's already a recursion limit for mail scanning but it's not configurable (yet).

--
   oo.                          Tomasz Kojm [EMAIL PROTECTED]
  (\/)\.                        http://www.ClamAV.net/gpg/tkojm.gpg
     \..._  0DCA5A08407D5288279DB43454822DC8985A444B
       //\   /\                 Wed Feb 16 17:41:10 CET 2005
Re: [Clamav-users] Mime
On Wednesday 16 February 2005 18:43, Tomasz Kojm shaped the electrons to say:
> On Wed, 16 Feb 2005 17:51:28 +0200
> Scott Ryan [EMAIL PROTECTED] wrote:
>
>> I will just have to allow these types of mails to go unscanned. Four
>> minutes to scan 1 will cause a DOS.
>
> So increase the number of MaxThreads...

It was at 200 - I will increase to 300 and see what result I get.

>> Would it be possible to request that some kind of recursion limit be
>> added here like there currently is on zip files?
>
> There's already a recursion limit for mail scanning but it's not
> configurable (yet).

What is that limit?

--
Scott Ryan
Telkom Internet
Re: [Clamav-users] Mime
On Wed, 16 Feb 2005 19:05:22 +0200
Scott Ryan [EMAIL PROTECTED] wrote:

> What is that limit?

libclamav/scanners.c:
#define MAX_MAIL_RECURSION 15

--
   oo.                          Tomasz Kojm [EMAIL PROTECTED]
  (\/)\.                        http://www.ClamAV.net/gpg/tkojm.gpg
     \..._  0DCA5A08407D5288279DB43454822DC8985A444B
       //\   /\                 Wed Feb 16 19:12:57 CET 2005
Re: [Clamav-users] MIME problem?
On Monday 15 Mar 2004 5:43 pm, Stuart Mycock wrote:
> When I rip out the attachment manually it detects the virus fine. Shall I submit the sample anyway? I don't want to waste anyone's time if this is something that's already being dealt with?

Send me the e-mail and I'll look into it.

-Nigel

--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk

___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [clamav-users] Mime mails
uudecoding is handled by libclamav/message.c

-Nigel

--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: [clamav-users] Mime mails
My experience is that it does to some extent. I know, though, that it doesn't support uuencoded messages, for example (unless I'm doing something wrong). The only way I can get it to work well for mime and uuencoded messages is to run a program (like ripmime) on the message and then run clamscan on the mime parts.

If anyone has a better way of doing it, I'd love to hear it.

Ricardo

On Fri, 23 May 2003 17:43:49 +0100
Sean Rima wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Does clamav (0.54) read/understand mime? I am just curious
>
> Sean
>
> - --
> Q: Because it reverses the logical flow of conversation.
> A: Why is top posting frowned upon?
>
> Normal Email sean AT tcob1 DOT net GPG Key Id 7DA70294
> ICQ: 679813 Jabber: [EMAIL PROTECTED]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (MingW32)
>
> iD8DBQE+zk/FHMnSWn2nApQRAtU3AJ0RTaUvh1Luk9jjmkg0hKtXkOTW7QCgkXHw
> FkUUyczrZJfFPWPmM43JeI4=
> =X3fz
> -----END PGP SIGNATURE-----
Re: [clamav-users] Mime mails
> The only way I can get it to work well for mime and uuencoded messages is to run a program (like ripmime) on the message and then run clamscan on the mime parts.

How well does ripmime handle strange/non-standard mime messages like those generated by viruses?

--
Damjan Georgievski
jabberID: [EMAIL PROTECTED]
Re: [clamav-users] Mime mails
On 23 May 2003, [EMAIL PROTECTED] spake:
> My experience is that it does to some extent. I know, though, that it doesn't support uuencoded messages, for example (unless I'm doing something wrong). The only way I can get it to work well for mime and uuencoded messages is to run a program (like ripmime) on the message and then run clamscan on the mime parts.
>
> If anyone has a better way of doing it, I'd love to hear it.

I suppose I could do it but then my other scanner would hit it and wait for human input :(

Sean

--
Q: Because it reverses the logical flow of conversation.
A: Why is top posting frowned upon?

Normal Email sean AT tcob1 DOT net GPG Key Id 7DA70294
ICQ: 679813 Jabber: [EMAIL PROTECTED]
Re: [clamav-users] Mime mails
On Fri, 23 May 2003, Sean Rima wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Does clamav (0.54) read/understand mime? I am just curious
>
> Sean
>
> - --
> Q: Because it reverses the logical flow of conversation.
> A: Why is top posting frowned upon?

Does whatever glues your installation of ClamAV to your MTA do this for you? I would expect that MIMEDefang would. In fact IIRC MD decodes the message, puts it into a temporary directory, and directs ClamAV to check the decoded files there. You might look into that and see for sure. That's what I recall though.

Justin
Re: [clamav-users] Mime mails
I don't really have a test suite, I'm assuming ripmime works well. Anybody have a suite of these kinds of messages to run through?

Ricardo

On Fri, 23 May 2003 21:43:04 +0200
Damjan wrote:

>> The only way I can get it to work well for mime and uuencoded messages is to run a program (like ripmime) on the message and then run clamscan on the mime parts.
>
> How well does ripmime handle strange/non-standard mime messages like those generated by viruses?
>
> --
> Damjan Georgievski
> jabberID: [EMAIL PROTECTED]