Re: download of source packages alarmed clamav
Russ Allbery wrote:
> Given that the whole point of those files is to test clamav, I would hope that they would trigger clamav's detection. If not, that would be a bug in clamav, no?

However, the point of the pymilter source package is not to test clamav, it's to distribute the source to pymilter. Falsely triggering virus scanners does not help it achieve this aim.

So, the tarball could be fixed to rot-13 the virus files stored in it, and re-rotate them when the test suite is run. (If virus scanners perhaps try rot-13, then instead encrypt the viruses with a key included in the source package, but that's probably overkill.)

--
see shy jo
Re: download of source packages alarmed clamav
Joey Hess jo...@debian.org writes:
> So, the tarball could be fixed to rot-13 the virus files stored in it, and re-rotate them when the test suite is run. (If virus scanners perhaps try rot-13, then instead encrypt the viruses with a key included in the source package, but that's probably overkill.)

That's a good idea. If ROT-13 isn't sufficient, a simple XOR cipher that could be hacked together in a few lines of Python doubtless would be, without the complexity of real encryption. But I bet ROT-13 would do it.

--
Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/
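The ROT-13 and XOR options proposed in the two messages above, as an added example that is not part of the thread or of pymilter: ROT-13 leaves every non-letter byte untouched, while a single-byte XOR changes all of them and still decodes in memory at test time. The markers, the key and the toy substring scanner are constructed assumptions; real scanners do more than substring matching.

```python
"""Added example: ROT-13 vs. single-byte XOR for storing scanner test fixtures."""

# ROT-13 translation table: only the 52 ASCII letters are remapped.
_ROT13 = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    b"NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm",
)
XOR_KEY = 0x5A  # assumed key; it ships with the package, so it is not a secret

# Constructed stand-ins for scanner signatures; neither is a real detection pattern.
SIGNATURES = {
    "text-marker": b"CONSTRUCTED-TEST-MARKER",
    "binary-marker": b"\x01\x02\x03\x04\xfe",
}

# Constructed fixture: a mail-like file carrying both markers.
FIXTURE = (b"Subject: sample\r\n\r\n" + SIGNATURES["text-marker"]
           + b"\r\n" + SIGNATURES["binary-marker"])


def rot13(data: bytes) -> bytes:
    """Rotate ASCII letters by 13; all other bytes pass through unchanged."""
    return data.translate(_ROT13)


def xor(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with the key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def scan(data: bytes) -> list[str]:
    """Toy byte-pattern scanner: names of the signatures found in data."""
    return sorted(name for name, sig in SIGNATURES.items() if sig in data)


def load_fixture(stored: bytes) -> bytes:
    """What a test suite would call: decode the stored fixture in memory."""
    return xor(stored)


if __name__ == "__main__":
    print("as shipped today:", scan(FIXTURE))
    print("ROT-13 at rest:  ", scan(rot13(FIXTURE)))
    print("XOR at rest:     ", scan(xor(FIXTURE)))
    print("decoded for test:", scan(load_fixture(xor(FIXTURE))))
```
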
Re: download of source packages alarmed clamav
On Tuesday, June 25, 2013 11:06:26 PM Russ Allbery wrote:
> Joey Hess jo...@debian.org writes:
> > So, the tarball could be fixed to rot-13 the virus files stored in it, and re-rotate them when the test suite is run. (If virus scanners perhaps try rot-13, then instead encrypt the viruses with a key included in the source package, but that's probably overkill.)
>
> That's a good idea. If ROT-13 isn't sufficient, a simple XOR cipher that could be hacked together in a few lines of Python doubtless would be, without the complexity of real encryption. But I bet ROT-13 would do it.

The first time this came up, I discussed it with upstream. Their view is that it's part of (for testing) the example milters that are shipped either in pymilter or pymilter-milters and so they think it's appropriate to ship it. In the past, I've concluded it wasn't something worth changing what upstream shipped to 'fix'.

It's not there to test clamav. IIRC, there's a heuristic test in one of the sample milters that would detect it directly.

Anyone who doesn't like the fact that clamav has a false positive on this file might want to consider sending it to them. On clamav.net there's a process for submitting false positives.

Scott K
Re: download of source packages alarmed clamav
Harald Dunkel harald.dun...@aixigo.de writes:
> I doubt that sending a virus complies to the DFSG, so the question is whether these source packages have been compromised?

The test/ directory in pymilter_0.9.3.orig.tar.gz contains some sample viruses on purpose. I can't comment on other source packages since you didn't name them.
Re: download of source packages alarmed clamav
Forgot to list-reply.

On Tue, Jun 25, 2013 at 08:47:56AM +0200, Harald Dunkel wrote:
> I doubt that sending a virus complies to the DFSG, so the question is whether these source packages have been compromised?

That package contains a directory named test/ with emails with spam, viruses and similar. This might have caused the clamav warning.

--
Marius Gavrilescu
Re: download of source packages alarmed clamav
On Tue, Jun 25, 2013 at 09:52:26AM +0200, Harald Dunkel wrote:
> It's not a warning. The download failed.

Yes, I should have said failure. Anyway, the probable cause is the existence of emails with viruses as tests in the package.

--
Marius Gavrilescu
Re: download of source packages alarmed clamav
On Tue, 25 Jun 2013 10:46:23 +0300 Marius Gavrilescu mar...@ieval.ro wrote:
> That package contains a directory named test/ with emails with spam, viruses and similar. This might have caused the clamav warning.

It's not a warning. The download failed.

Regards
Harri
Re: download of source packages alarmed clamav
On Tue, Jun 25, 2013 at 10:19:46AM +0200, Harald Dunkel wrote:
> These are real-life viruses that should not be distributed using Debian's FTP server (IMHO).

Even if they were real, they would be real-life MS Windows viruses in emails in a debian package. For someone to get infected they would have to run MS Windows, download a debian package, unpack it, open a file named virusN in an email viewer and run the attached file.

However, as far as I know they're not actual viruses, they're just made to look like them (i.e. they contain the signatures, but not the harmful code). Therefore they're harmless.

--
Marius Gavrilescu
(science-kids) In some rocks you can find the fossil footprints of fishes.
Re: download of source packages alarmed clamav
On Tue, 25 Jun 2013 10:54:53 +0300 Marius Gavrilescu mar...@ieval.ro wrote:
> On Tue, Jun 25, 2013 at 09:52:26AM +0200, Harald Dunkel wrote:
> > It's not a warning. The download failed.
>
> Yes, I should have said failure. Anyway, the probable cause is the existence of emails with viruses as tests in the package.

These are real-life viruses that should not be distributed using Debian's FTP server (IMHO). Eicar is a test virus.
Re: download of source packages alarmed clamav
Harald Dunkel harald.dun...@aixigo.de wrote:
> On Tue, 25 Jun 2013 10:54:53 +0300 Marius Gavrilescu mar...@ieval.ro wrote:
> > On Tue, Jun 25, 2013 at 09:52:26AM +0200, Harald Dunkel wrote:
> > > It's not a warning. The download failed.
> >
> > Yes, I should have said failure. Anyway, the probable cause is the existence of emails with viruses as tests in the package.
>
> These are real-life viruses that should not be distributed using Debian's FTP server (IMHO).

This comes up periodically. They aren't real.

Scott K
Re: download of source packages alarmed clamav
Marius Gavrilescu mar...@ieval.ro wrote:
> On Tue, Jun 25, 2013 at 10:19:46AM +0200, Harald Dunkel wrote:
> > These are real-life viruses that should not be distributed using Debian's FTP server (IMHO).
>
> Even if they were real, they would be real-life MS Windows viruses in emails in a debian package. For someone to get infected they would have to run MS Windows, download a debian package, unpack it, open a file named virusN in an email viewer and run the attached file.
>
> However, as far as I know they're not actual viruses, they're just made to look like them (i.e. they contain the signatures, but not the harmful code). Therefore they're harmless.

Correct.

Scott K
Re: download of source packages alarmed clamav
On Tue, Jun 25, 2013 at 08:04:00AM -0400, Scott Kitterman wrote:
> Harald Dunkel harald.dun...@aixigo.de wrote:
> > On Tue, 25 Jun 2013 10:54:53 +0300 Marius Gavrilescu mar...@ieval.ro wrote:
> > > On Tue, Jun 25, 2013 at 09:52:26AM +0200, Harald Dunkel wrote:
> > > > It's not a warning. The download failed.
> > >
> > > Yes, I should have said failure. Anyway, the probable cause is the existence of emails with viruses as tests in the package.
> >
> > These are real-life viruses that should not be distributed using Debian's FTP server (IMHO).
>
> This comes up periodically. They aren't real.

It would appear they're real enough to trigger clamav's detection, which was the problem the OP was having.
Re: download of source packages alarmed clamav
On Tue, Jun 25, 2013 at 5:05 AM, Scott Kitterman deb...@kitterman.com wrote:
> Marius Gavrilescu mar...@ieval.ro wrote:
> > On Tue, Jun 25, 2013 at 10:19:46AM +0200, Harald Dunkel wrote:
> > > These are real-life viruses that should not be distributed using Debian's FTP server (IMHO).
> >
> > Even if they were real, they would be real-life MS Windows viruses in emails in a debian package. For someone to get infected they would have to run MS Windows, download a debian package, unpack it, open a file named virusN in an email viewer and run the attached file.
> >
> > However, as far as I know they're not actual viruses, they're just made to look like them (i.e. they contain the signatures, but not the harmful code). Therefore they're harmless.
>
> Correct.
>
> Scott K

FYI, some Windows viruses work under Wine (which can do whatever your normal user can do, unless you're using AppArmor or something similar to restrict it).

--
-Austin
Re: download of source packages alarmed clamav
On Tue, Jun 25, 2013 at 08:04:00AM -0400, Scott Kitterman wrote:
> This comes up periodically. They aren't real.

[Darac Marjal]
> It would appear they're real enough to trigger clamav's detection, which was the problem the OP was having.

Yes. It is not really a fixable problem. The test files intentionally contain material whose purpose is to trigger a virus scanner. That is their entire point. The fact that they do in fact trigger a virus scanner is unfortunate in this case, but it is a straightforward consequence and there probably isn't much you can do about it (except of course to not use a virus scanner while downloading virus scanning test data).

The EICAR string is all very well, but doesn't solve this problem. Either virus scanners treat EICAR just like any real virus, alerting and/or blocking stuff, or they treat it as a special case. If the former, you haven't solved anything. If the latter, then by the nature of it being a special case, EICAR alone is not sufficient test coverage for virus scanning functionality.

Peter
Re: download of source packages alarmed clamav
Darac Marjal mailingl...@darac.org.uk writes:
> On Tue, Jun 25, 2013 at 08:04:00AM -0400, Scott Kitterman wrote:
> > > These are real-life viruses that should not be distributed using Debian's FTP server (IMHO).
> >
> > This comes up periodically. They aren't real.
>
> It would appear they're real enough to trigger clamav's detection, which was the problem the OP was having.

Given that the whole point of those files is to test clamav, I would hope that they would trigger clamav's detection. If not, that would be a bug in clamav, no?

--
Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/
Re: download of source packages alarmed clamav
* Scott Kitterman deb...@kitterman.com, 2013-06-25, 08:04:
> > These are real-life viruses that should not be distributed using Debian's FTP server (IMHO).
>
> This comes up periodically. They aren't real.

I hope so! Do we even have any real viruses that are DFSG-free?

--
Jakub Wilk
Re: download of source packages alarmed clamav
On Tue, Jun 25, 2013 at 11:04:40AM -0700, Austin English wrote:
> [...]
> FYI, some Windows viruses work under Wine (which can do whatever your normal user can do, unless you're using AppArmor or something similar to restrict it).

That's not entirely true -- a Windows-based keylogger wouldn't really work with Wine -- you'd need X-specific code for that. I reckon talking to user-accessible UNIX sockets would probably also be out of the question. But anything that involves snooping around the filesystem would probably work, but only if it knows where to look (z: is mapped to / by default) inside a Wine environment.

--
Kind regards,
Loong Jin