Re: [Clamav-users] Third party signature databases
At 12:59 PM 7/12/2007, John Rudd wrote: From past discussion on this list, it was discussed how easy it would be to throw together a script to check validity before putting a message into production. But I don't recall anyone ever actually offering up their script. Earlier today, someone had posted something to the SpamAssassin list that showed they weren't properly handling downloaded signature databases, and it just so happens that I just got around to writing such a script the other day. You must not be following the list very closely. Such scripts have been posted frequently and several good ones are available from http://sanesecurity.co.uk/clamav/usage.htm Also, if you check the Sanesecurity usage page, you will note download signatures only when there have been changes, which your script seems to ignore. Use the wget -N option. Also, it looks as if you are removing your tmp files every time the script runs. This causes rsync to download the whole file rather than checking for changes, and makes it impossible for wget -N to work. Your script still needs some work. -- Noel Jones ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Third party signature databases
Noel Jones wrote: At 12:59 PM 7/12/2007, John Rudd wrote: From past discussion on this list, it was discussed how easy it would be to throw together a script to check validity before putting a message into production. But I don't recall anyone ever actually offering up their script. Earlier today, someone had posted something to the SpamAssassin list that showed they weren't properly handling downloaded signature databases, and it just so happens that I just got around to writing such a script the other day. You must not be following the list very closely. Such scripts have been posted frequently and several good ones are available from http://sanesecurity.co.uk/clamav/usage.htm The last time I saw it come up on this list, I didn't see a script come back within a few days. If it took longer than that, I probably was only skimming the list by then (my degree of intently reading vs skimming the list varies over time, but when there's a thread I consider important I try to keep up with it until it looks like the thread has petered out ... and the download script with verification that the database is usable by clamav is an important topic to me). I saw the supporting material on sanesecurity's downloads page, but it looked like it was almost all windows oriented (ie. useless to me). Plus, I want one thing that I can apply to all 3rd parties, and I (perhaps incorrectly) assumed sanesecurity's stuff would be oriented just around their own stuff. Also, if you check the Sanesecurity usage page, you will note download signatures only when there have been changes, which your script seems to ignore. Use the wget -N option. Also, it looks as if you are removing your tmp files every time the script runs. This causes rsync to download the whole file rather than checking for changes, and makes it impossible for wget -N to work. Yes, I am/was aware that I'm undermining rsync's bandwidth savings. I just hadn't figured out the best way to address that. I don't think that leaving it in /tmp/{something} works well for that. I had been thinking about doing the scratch space in /usr/local/share/{something}/tmp, but wasn't sure if that would be standard enough. I suppose I could put it under {clamavdbdir}/{source}/tmp And, it was this types of reason I wanted to open it up for public scrutiny. ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Third party signature databases
At 02:02 PM 7/12/2007, John Rudd wrote: Such scripts have been posted frequently and several good ones are available from http://sanesecurity.co.uk/clamav/usage.htm I saw the supporting material on sanesecurity's downloads page, but it looked like it was almost all windows oriented (ie. useless to me). There are 5 scripts on the page, only the last one is labeled as a windows script. Plus, I want one thing that I can apply to all 3rd parties, and I (perhaps incorrectly) assumed sanesecurity's stuff would be oriented just around their own stuff. All those scripts are clearly labeled as working with MSRBL. Yes, I am/was aware that I'm undermining rsync's bandwidth savings. I just hadn't figured out the best way to address that. I don't think that leaving it in /tmp/{something} works well for that. I had been thinking about doing the scratch space in /usr/local/share/{something}/tmp, but wasn't sure if that would be standard enough. Consensus seems to be that /var/tmp/clamdb or similar is an appropriate place to hold the scratch/work files. checking for updates every hour is wasteful, every 4 hours is more reasonable. Here's a perl one-liner you might want to integrate in your script - it signals clamd to reload the database. Only run this if one of the databases has changed. # perl -MIO::Socket::UNIX -we 'my $s = IO::Socket::UNIX-new (shift); $s-print(RELOAD); print $s-getline; $s-close' /var/run/clamav/clamd.socket -- Noel Jones ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Third party signature databases
Noel Jones wrote: At 02:02 PM 7/12/2007, John Rudd wrote: Such scripts have been posted frequently and several good ones are available from http://sanesecurity.co.uk/clamav/usage.htm I saw the supporting material on sanesecurity's downloads page, but it looked like it was almost all windows oriented (ie. useless to me). There are 5 scripts on the page, only the last one is labeled as a windows script. Plus, I want one thing that I can apply to all 3rd parties, and I (perhaps incorrectly) assumed sanesecurity's stuff would be oriented just around their own stuff. All those scripts are clearly labeled as working with MSRBL. Like I said, what I looked at was their downloads page. Their downloads page has: 1) their phishing signatures 2) their scam signatures 3) a windows installer for their phishing signatures 4) a windows installer for their scam signatures 5) a build of clamav for windows 6) a signature updater that doesn't give a platform, but is from the same source as #5 7) rsync for windows 89) references to MSRBL signatures So, as I said: the only specifics of the page I looked at, before you made me aware of their usage page, were windows specific, and the installers were also highly specific. Yes, I am/was aware that I'm undermining rsync's bandwidth savings. I just hadn't figured out the best way to address that. I don't think that leaving it in /tmp/{something} works well for that. I had been thinking about doing the scratch space in /usr/local/share/{something}/tmp, but wasn't sure if that would be standard enough. Consensus seems to be that /var/tmp/clamdb or similar is an appropriate place to hold the scratch/work files. checking for updates every hour is wasteful, every 4 hours is more reasonable. noted. Here's a perl one-liner you might want to integrate in your script - it signals clamd to reload the database. Only run this if one of the databases has changed. # perl -MIO::Socket::UNIX -we 'my $s = IO::Socket::UNIX-new (shift); $s-print(RELOAD); print $s-getline; $s-close' /var/run/clamav/clamd.socket When I switch to the Mail::ClamAV method, it has a means of detecting and reloading as necessary. I'm doing that this week. ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://lurker.clamav.net/list/clamav-users.html