Re: [Clamav-users] News about 0.95
> Matus UHLAR - fantomas wrote:
> > What I've meant is, can it (instruct sendmail to) reject mail only viruses, not phishing nor unsafe pages, or do I need two instances of clamd for this?

On 30.03.09 14:40, aCaB wrote:
> Hi Matus,
>
> If you are using clamd for different purposes as well as for serving the milters and if you require different config options for these (notably phish detection enabled) then you need two instances.

Hmm, there could be an option for not rejecting signatures like *.Phishing.* or Safebrowsing.*

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Fighting for peace is like fucking for virginity...
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [Clamav-users] News about 0.95
Matus UHLAR - fantomas wrote:
> Hmm, there could be an option for not rejecting signatures like *.Phishing.* or Safebrowsing.*

Hi,

If you want to fine tune detection based on malware names you can either do the tuning in clamd (as explained above) or use OnInfected=Accept and AddHeader=Yes and postprocess the message based on the X-Virus- headers.

-aCaB
Re: [Clamav-users] News about 0.95
> Matus UHLAR - fantomas wrote:
> > Hmm, there could be an option for not rejecting signatures like *.Phishing.* or Safebrowsing.*

On 31.03.09 11:46, aCaB wrote:
> If you want to fine tune detection based on malware names you can either do the tuning in clamd (as explained above) or use OnInfected=Accept and AddHeader=Yes and postprocess the message based on the X-Virus- headers.

Do you think that my advice is just not good, or do you advise me what to do until something like that will be done?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I feel like I'm diagonally parked in a parallel universe.
Re: [Clamav-users] News about 0.95
On Tue, 2009-03-31 at 12:11 +0200, Matus UHLAR - fantomas wrote:
> > Matus UHLAR - fantomas wrote:
> > > Hmm, there could be an option for not rejecting signatures like *.Phishing.* or Safebrowsing.*
>
> On 31.03.09 11:46, aCaB wrote:
> > If you want to fine tune detection based on malware names you can either do the tuning in clamd (as explained above) or use OnInfected=Accept and AddHeader=Yes and postprocess the message based on the X-Virus- headers.
>
> Do you think that my advice is just not good, or do you advise me what to do until something like that will be done?

I think he is giving you a work-around. That would also allow you to use 3rd-party signatures that are spam indications, rather than malware. Amavisd-new is able to convert the signature name to either a dead right there list or a score to be added to the SpamAssassin value, and he is postulating that you might be able to accomplish much the same thing using header checks in your MTA after the milter has altered the message.

--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
Re: [Clamav-users] News about 0.95
Matus UHLAR - fantomas wrote:
> What I've meant is, can it (instruct sendmail to) reject mail only viruses, not phishing nor unsafe pages, or do I need two instances of clamd for this?

Hi Matus,

If you are using clamd for different purposes as well as for serving the milters and if you require different config options for these (notably phish detection enabled) then you need two instances.

-aCaB
Re: [Clamav-users] News about 0.95
> Matus UHLAR - fantomas wrote:
> > > You can then filter based on the virusname, if you want to treat phishing/safebrowsing-blacklisted entries as spam.
> >
> > Yes, that will be important. Does clamav-milter support this for now?

On 24.03.09 15:46, aCaB wrote:
> clamav-milter has been nerfed and it now relies on clamd. All you have to do is to tune clamd.conf so that it suits your needs.

isn't it clamav-milter.conf?

What I've meant is, can it (instruct sendmail to) reject mail only viruses, not phishing nor unsafe pages, or do I need two instances of clamd for this?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Enter any 12-digit prime number to continue.
Re: [Clamav-users] News about 0.95
> On Wed, 11 Mar 2009 17:56:22 + Ian Eiloart i...@sussex.ac.uk wrote:
> > That sounds good. What does it do, though? My guess is that it enables freshclam to download copies of files containing URLs that Google considers unsafe, and then clamd will block emails that contain those URLs. Is that right?

On 12.03.09 09:11, Spiro Harvey wrote:
> http://code.google.com/apis/safebrowsing/
>
> Sounds like it.. might be possible to check realtime too.. but the quick blurb on the site just mentions downloading a lookup table to the local machine.
>
> Looks good to me tho.

Yes, but I found this question quite important and it seems like it is not a satisfactory answer.

Customers may (and already did) send us notices about unsafe pages in our hosting (shit happens, while clamav works good for rejecting infected files, it doesn't for .htaccess containing Rewrite*), and I'd like such mail _not_ to be blocked by clamav...

I'm also surprised that safebrowsing is an option only for freshclam.

Some people reported running two instances of clamav, one with PhishingSignatures off for SMTP-level filtering, one with on for spam filter. Seems this won't be possible with safebrowsing database...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod
Re: [Clamav-users] News about 0.95
On 2009-03-24 13:40, Matus UHLAR - fantomas wrote:
> > On Wed, 11 Mar 2009 17:56:22 + Ian Eiloart i...@sussex.ac.uk wrote:
> > > That sounds good. What does it do, though? My guess is that it enables freshclam to download copies of files containing URLs that Google considers unsafe, and then clamd will block emails that contain those URLs. Is that right?
>
> On 12.03.09 09:11, Spiro Harvey wrote:
> > http://code.google.com/apis/safebrowsing/
> >
> > Sounds like it.. might be possible to check realtime too.. but the quick blurb on the site just mentions downloading a lookup table to the local machine.
> >
> > Looks good to me tho.
>
> Yes, but I found this question quite important and it seems like it is not a satisfactory answer.
>
> Customers may (and already did) send us notices about unsafe pages in our hosting (shit happens, while clamav works good for rejecting infected files, it doesn't for .htaccess containing Rewrite*), and I'd like such mail _not_ to be blocked by clamav...

You can match on the virusname ^Safebrowsing.+, and send those messages to a different folder. If it is about customers reporting unsafe pages, then you wouldn't want that to go to the spam folder either, would you?

Files that are matched by a signature in the safebrowsing.cvd have lower precedence than other signatures, so scanning just once should be enough.

Even if someone sends an email containing both something matched by a signature (malware, signature-based phishing) and something matched by the anti-phishing code (Google Safe Browsing, heuristics ...), the (malware) signatures take precedence.

This works even when scanning archives: by default clamav only stops scanning when it matches a signature, not when matching based on phishing heuristics, or safebrowsing entries.

You can then filter based on the virusname, if you want to treat phishing/safebrowsing-blacklisted entries as spam.

> I'm also surprised that safebrowsing is an option only for freshclam.
>
> Some people reported running two instances of clamav, one with PhishingSignatures off for SMTP-level filtering, one with on for spam filter. Seems this won't be possible with safebrowsing database...

Turning off the heuristic-based phishing detection also turns off the use of safebrowsing.cvd:

    PhishingScanURLs off

So if you don't want to scan for phishing at SMTP-level:

    PhishingSignatures off
    PhishingScanURLs off

Would there be a situation where you want PhishingScanURLs to be On, yet Google Safe Browsing Off?

Best regards,
--Edwin
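The post-processing that aCaB and Edwin describe in this thread (accept the message, add the header, then act on the virus name), as an added example that is not code from the thread or from the ClamAV project. It assumes the milter writes `X-Virus-Status: Infected (<name>)`; the action names and the sample signature names are constructed for the illustration.

```python
import re
from email import message_from_string

# Assumption: with AddHeader enabled the milter writes one of
#   X-Virus-Status: Clean
#   X-Virus-Status: Infected (<signature name>)
STATUS_RE = re.compile(r"^\s*Infected\s*\(([^)]+)\)\s*$", re.IGNORECASE)

# Name patterns quoted in the thread: "^Safebrowsing.+" and "*.Phishing.*".
SAFEBROWSING_RE = re.compile(r"^Safebrowsing\..+")
PHISHING_RE = re.compile(r"(^|\.)Phishing\.")

# Hypothetical action names; map them to what the MTA or delivery agent offers.
REJECT, SPAM, REVIEW, DELIVER = "reject", "spam", "review", "deliver"


def virus_names(raw_message):
    """Return the signature names from every X-Virus-Status header."""
    msg = message_from_string(raw_message)
    names = []
    for value in msg.get_all("X-Virus-Status", []):
        match = STATUS_RE.match(value)
        if match:
            names.append(match.group(1).strip())
    return names


def classify(raw_message):
    """Pick one action; the most severe name wins when several headers exist."""
    names = virus_names(raw_message)
    if not names:
        return DELIVER, None
    for name in names:  # anything that is not a phishing/URL-list hit is malware
        if not SAFEBROWSING_RE.match(name) and not PHISHING_RE.search(name):
            return REJECT, name
    for name in names:  # signature or heuristic phishing: treat as spam
        if PHISHING_RE.search(name):
            return SPAM, name
    # Only Safebrowsing.* names remain: may be a customer reporting a bad URL.
    return REVIEW, names[0]


def _msg(*statuses):
    """Build a constructed sample message carrying the given status headers."""
    headers = "".join(f"X-Virus-Status: {s}\n" for s in statuses)
    return f"From: sender@example.org\nSubject: sample\n{headers}\nbody\n"


# Constructed samples; the signature names are made up for the example.
SAMPLES = {
    "clean": _msg("Clean"),
    "malware": _msg("Infected (Constructed.Trojan.Sample-1)"),
    "phishing": _msg("Infected (Email.Phishing.Constructed-2)"),
    "listed_url": _msg("Infected (Safebrowsing.Constructed-3)"),
    "two_headers": _msg("Infected (Safebrowsing.Constructed-3)",
                        "Infected (Constructed.Trojan.Sample-1)"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify(raw))
```

The `two_headers` sample shows why the malware check runs first: a second status header cannot downgrade a malware verdict to the review folder.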
Re: [Clamav-users] News about 0.95
> > On Wed, 11 Mar 2009 17:56:22 + Ian Eiloart i...@sussex.ac.uk wrote:
> > > That sounds good. What does it do, though? My guess is that it enables freshclam to download copies of files containing URLs that Google considers unsafe, and then clamd will block emails that contain those URLs. Is that right?
>
> On 12.03.09 09:11, Spiro Harvey wrote:
> > http://code.google.com/apis/safebrowsing/
> >
> > Sounds like it.. might be possible to check realtime too.. but the quick blurb on the site just mentions downloading a lookup table to the local machine.
>
> On 2009-03-24 13:40, Matus UHLAR - fantomas wrote:
> > Yes, but I found this question quite important and it seems like it is not a satisfactory answer.
> >
> > Customers may (and already did) send us notices about unsafe pages in our hosting (shit happens, while clamav works good for rejecting infected files, it doesn't for .htaccess containing Rewrite*), and I'd like such mail _not_ to be blocked by clamav...

On 24.03.09 14:07, Török Edwin wrote:
> You can match on the virusname ^Safebrowsing.+, and send those messages to a different folder. If it is about customers reporting unsafe pages, then you wouldn't want that to go to the spam folder either, would you?

I mean, I don't want to detect safebrowsing when scanning incoming mail at SMTP level, I do when checking by SpamAssassin.

> You can then filter based on the virusname, if you want to treat phishing/safebrowsing-blacklisted entries as spam.

Yes, that will be important. Does clamav-milter support this for now?

> > I'm also surprised that safebrowsing is an option only for freshclam.
> >
> > Some people reported running two instances of clamav, one with PhishingSignatures off for SMTP-level filtering, one with on for spam filter. Seems this won't be possible with safebrowsing database...
>
> Turning off the heuristic-based phishing detection also turns off the use of safebrowsing.cvd:
>
>     PhishingScanURLs off

Aha, that should be enough. Btw, which URLs does it check for? url-like strings in plaintext, urls in html, url-like strings in html ?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphilis. Good thing we have penicillin." - Matthew Alton
Re: [Clamav-users] News about 0.95
Matus UHLAR - fantomas wrote:
> > You can then filter based on the virusname, if you want to treat phishing/safebrowsing-blacklisted entries as spam.
>
> Yes, that will be important. Does clamav-milter support this for now?

Hi,

clamav-milter has been nerfed and it now relies on clamd. All you have to do is to tune clamd.conf so that it suits your needs.

--aCaB
Re: [Clamav-users] News about 0.95
On Wed, Mar 11, 2009 at 05:07:19PM +, Nigel Horne wrote:
> Folks,
>
> I am pleased to let you know of a major new feature to be added to ClamAV. 0.95RC2 will be released next Monday, 16/3/09, which will include support for Google Safe Browsing.

Have you tried this with live servers? Can you tell us the results?

There was a SpamAssassin plugin a few years ago that checked URLs in Safe Browsing. It seems it was pretty bad at hitting anything. But it might be that things are better now.
Re: [Clamav-users] News about 0.95
> The safebrowsing.cvd will be distributed under Google's terms and license. Therefore, before enabling SafeBrowsing in freshclam.conf one should check that he's OK with that license. We'll provide all necessary information and links to make it easy to find out.

Hi,

Just a quick question:

What files will be pushed into the safebrowsing.cvd, all of the following or just some of them?

* goog-phish-shavar: a list of hashed suffix/prefix expressions representing sites that should be blocked because they are hosting phishing pages.
* goog-malware-shavar: a list of suffix/prefix regular expressions representing sites that should be blocked because they are hosting malware pages.
* goog-white-exp: a list of suffix/prefix regular expressions representing sites that are known to be trusted. Note that this list should only be used for enhanced mode clients that do direct lookups to Google to determine which sites are phishy. In that case, if a site is on the whitelist there is no need to send the query to Google.

Cheers,

Steve
Sanesecurity
Re: [Clamav-users] News about 0.95
On 2009-03-12 10:41, Steve Basford wrote:
> > The safebrowsing.cvd will be distributed under Google's terms and license. Therefore, before enabling SafeBrowsing in freshclam.conf one should check that he's OK with that license. We'll provide all necessary information and links to make it easy to find out.
>
> Hi,
>
> Just a quick question:
>
> What files will be pushed into the safebrowsing.cvd, all of the following or just some of them?
>
> * goog-phish-shavar: a list of hashed suffix/prefix expressions representing sites that should be blocked because they are hosting phishing pages.
> * goog-malware-shavar: a list of suffix/prefix regular expressions representing sites that should be blocked because they are hosting malware pages.

Just these.

On 2009-03-12 00:05, Dennis Peterson wrote:
> Is such a list now available to explore for gotchas that need to be whitelisted?

The list contains only hashes, so you can look up URLs, but not browse them.

Best regards,
--Edwin
Re: [Clamav-users] News about 0.95
Török Edwin wrote:
> On 2009-03-12 00:05, Dennis Peterson wrote:
> > Is such a list now available to explore for gotchas that need to be whitelisted?
>
> The list contains only hashes, so you can look up URLs, but not browse them.

No thanks, then. That would be too full of surprises.

dp
Re: [Clamav-users] News about 0.95
--On 11 March 2009 17:07:19 + Nigel Horne n...@bandsman.co.uk wrote:

> Folks,
>
> I am pleased to let you know of a major new feature to be added to ClamAV. 0.95RC2 will be released next Monday, 16/3/09, which will include support for Google Safe Browsing.

That sounds good. What does it do, though? My guess is that it enables freshclam to download copies of files containing URLs that Google considers unsafe, and then clamd will block emails that contain those URLs. Is that right?

> We wish to avoid a major new functionality such as this going into the marketplace untested by adding it as a feature between the release candidate and the full version. Furthermore, we don't want to wait for 0.96 to publish the code, given that the code is ready now and it's a major feature, not something for a minor release such as 0.95.1.
>
> Therefore we've decided to publish the extra release candidate for 0.95. 0.95RC2 will have this feature built-in. 0.95 is now due for publication on 23rd March, a slippage of 1 week which I hope you will all accept so that we can ensure that this new feature is fully tested before it goes live on your servers.
>
> We expect the functionality will be off by default. The entry in freshclam.conf will be SafeBrowsing Yes.
>
> There is no option in clamd.conf. If the engine finds Google Safe Browsing files in the database directory, ClamAV will enable safe browsing. To turn it off you need to update freshclam.conf and remove the safebrowsing files from the database directory before restarting clamd.
>
> The above two points are as of now, and may change between now and Monday.
>
> Best Regards,
> -Nigel

--
Ian Eiloart
IT Services, University of Sussex
x3148
Re: [Clamav-users] News about 0.95
On Wed, 11 Mar 2009 17:56:22 + Ian Eiloart i...@sussex.ac.uk wrote:
> That sounds good. What does it do, though? My guess is that it enables freshclam to download copies of files containing URLs that Google considers unsafe, and then clamd will block emails that contain those URLs. Is that right?

http://code.google.com/apis/safebrowsing/

Sounds like it.. might be possible to check realtime too.. but the quick blurb on the site just mentions downloading a lookup table to the local machine.

Looks good to me tho.

--
Spiro Harvey
Knossos Networks Ltd
021-295-1923 www.knossos.net.nz
Re: [Clamav-users] News about 0.95
Nigel Horne wrote:
> Folks,

Hi Folk,

> I am pleased to let you know of a major new feature to be added to ClamAV. 0.95RC2 will be released next Monday, 16/3/09, which will include support for Google Safe Browsing.

Some questions :

* if I understood, freshclam will get the complete list of URLs from Google. The computer running clamav/clamd/... will get this list from clamav (as a signature) not from Google. Right ?
* What about Google license issues for final user ?

Regards,

José-Marcio
Re: [Clamav-users] News about 0.95
On Wed, 11 Mar 2009 22:06:19 +0100 Jose-Marcio Martins da Cruz jose-marcio.mart...@ensmp.fr wrote:

> * if I understood, freshclam will get the complete list of URLs from Google. The computer running clamav/clamd/... will get this list from clamav (as a signature) not from Google. Right ?

That's right, freshclam will be updating safebrowsing.cvd from our own mirrors (in the same way as daily.cvd and main.cvd) and not directly from Google.

> * What about Google license issues for final user ?

The safebrowsing.cvd will be distributed under Google's terms and license. Therefore, before enabling SafeBrowsing in freshclam.conf one should check that he's OK with that license. We'll provide all necessary information and links to make it easy to find out.

Regards,

--
oo. Tomasz Kojm tk...@clamav.net
(\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
\..._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Wed Mar 11 23:05:04 CET 2009
Re: [Clamav-users] News about 0.95
Tomasz Kojm wrote:
> On Wed, 11 Mar 2009 22:06:19 +0100 Jose-Marcio Martins da Cruz jose-marcio.mart...@ensmp.fr wrote:
>
> > * if I understood, freshclam will get the complete list of URLs from Google. The computer running clamav/clamd/... will get this list from clamav (as a signature) not from Google. Right ?
>
> That's right, freshclam will be updating safebrowsing.cvd from our own mirrors (in the same way as daily.cvd and main.cvd) and not directly from Google.
>
> > * What about Google license issues for final user ?
>
> The safebrowsing.cvd will be distributed under Google's terms and license. Therefore, before enabling SafeBrowsing in freshclam.conf one should check that he's OK with that license. We'll provide all necessary information and links to make it easy to find out.
>
> Regards,

Is such a list now available to explore for gotchas that need to be whitelisted?

dp