On 2/17/2005 12:08 AM +0100, John Madden wrote:
Several times now, we've been burned by virii that are picked up by other
virus scanners when ClamAV doesn't yet have the signature. Within a
couple of hours, when the bulk of the threat has already passed, Clam then
catches up. Mydoom.M-2 was the
On 2/17/2005 1:20 AM +0100, John Madden wrote:
Hmm.
Are there factors that can affect freshclam's performance? I got the
Mydoom.M-2 sig at 17:10EST today. When was it available? (The mailing
list archive doesn't appear to yet reflect today's update(s).)
Timezone = CET (GMT+1)
ClamAV update
On 2/17/2005 9:34 AM +0100, Niek wrote:
Timezone = CET (GMT+1)
ClamAV update process started at Wed Feb 16 23:16:21 2005 main.cvd is up
to date
ClamAV update process started at Wed Feb 16 23:30:53 2005
daily.cvd updated (version: 707, sigs: 1806, f-level: 4, builder: ccordes)
Actually, 23:10
On Feb 16, 2005, at 7:04 PM, John Madden wrote:
In any case, Clam is a user supported project. ALL viruses are submitted by
end users. So, the only way response will get any better is if you submit
new viruses you receive that get by clam.
It's not going to 'improve' any other way.
Well,
Timezone = CET (GMT+1)
ClamAV update process started at Wed Feb 16 23:16:21 2005 main.cvd is up
to date
Yeah, 6-hour difference, that's consistent with my findings.
John
--
John Madden
UNIX Systems Engineer
Ivy Tech State College
[EMAIL PROTECTED]
--On Thursday, February 17, 2005 10:30 AM -0500 John Madden
[EMAIL PROTECTED] wrote:
Just stop mail with certain attachments (.bat/.com/.scr/.cpl/.ectect) at
the door.
Well of course, and we currently block RAR's because of the license
issues, but that doesn't help the zip file situation.
John wrote concerning:
Just stop mail with certain attachments (.bat/.com/.scr/.cpl/.ectect) at
the door.
Well of course, and we currently block RAR's because of the license
issues, but that doesn't help the zip file situation. ...Perhaps amavisd
can.
Have you considered John Hardin's
To handle the zip file situation, get qmail and patch it with Russell
Nelson's ingenious qmail-smtp-viruscan patch. You will have no more zip
file 'situation.' See http://www.qmail.org.
(I'm running postfix; I won't run qmail. Thanks for the suggestion though.)
John
--
John Madden
Have you considered John Hardin's e-mail Sanitizer?
http://www.impsec.org/email-tools/procmail-security.html
I like the concept, but procmail-based setups don't scale well enough,
IMO, for the sort of mail setup (100k [virtual] accounts) I'm concerned
with.
John
--
John Madden
UNIX
John Madden wrote:
Just stop mail with certain attachments
(.bat/.com/.scr/.cpl/.ectect) at the door.
Well of course, and we currently block RAR's because of the license
issues, but that doesn't help the zip file situation. ...Perhaps
amavisd can.
John
What we do:
If a zip file is
On Thu, 17 Feb 2005, Tomasz Kojm wrote:
Actually you're an egoist.
How so?
Have you submitted any sample for the last two years?
Didn't see him on the donations page either. Maybe his was anonymous
though.
--
Sam Morris, Owner
Loganet Internet Service
Logan IA, United States of
On Wed, 16 Feb 2005, John Madden wrote:
Have you submitted any sample for the last two years?
Yes, when appropriate, which I believe has been thrice. (We haven't been
on Clam for that long, though.)
Mydoom doesn't affect every OS either. Perhaps you should upgrade your
affected clients to
John Madden wrote:
I'm running postfix; I won't run qmail.
Well, at least you have some redeeming points :)
But, (getting into sermon mode once again), anyone who relies solely on
only one point of detection for any type of mail content inspection, is
literally bending over and begging
John Madden wrote:
I'm running postfix; I won't run qmail.
Well, at least you have some redeeming points :)
But, (getting into sermon mode once again), anyone who relies solely on
only one point of detection for any type of mail content inspection, is
literally bending over and
Several times now, we've been burned by virii that are picked up by other
virus scanners when ClamAV doesn't yet have the signature. Within a
couple of hours, when the bulk of the threat has already passed, Clam then
catches up. Mydoom.M-2 was the virus of the day today.
What is being done to
On Wed, 16 Feb 2005, John Madden wrote:
Several times now, we've been burned by virii that are picked up by other
virus scanners when ClamAV doesn't yet have the signature. Within a
This is the exact opposite of our experience.
How often do you run freshclam ?
On Wed, 16 Feb 2005 18:08:01 -0500 (EST)
John Madden [EMAIL PROTECTED] wrote:
Several times now, we've been burned by virii that are picked up by
other virus scanners when ClamAV doesn't yet have the signature.
Within a couple of hours, when the bulk of the threat has already
passed, Clam
Several times now, we've been burned by virii that are picked up by other
virus scanners when ClamAV doesn't yet have the signature. Within a
This is the exact opposite of our experience.
Hmm. For example, Clam was about 2 hours behind McAfee's update of the
2/16/05 MyDoom variant.
How
You haven't submitted anything on our site.
I would've today, had I not been off-site at a conference. Trouble is, by
the time I receive a copy, it's too late. I suppose it's a perception
problem with our users more than anything.
Actually you're an egoist.
How so?
John
--
John Madden
On Wed, 16 Feb 2005 18:38:38 -0500 (EST)
John Madden [EMAIL PROTECTED] wrote:
You haven't submitted anything on our site.
I would've today, had I not been off-site at a conference. Trouble
is, by the time I receive a copy, it's too late. I suppose it's a
perception problem with our users
On Wed, 16 Feb 2005, John Madden wrote:
Hmm. For example, Clam was about 2 hours behind McAfee's update of the
2/16/05 MyDoom variant.
Odd.
In any case, Clam is a user supported project. ALL viruses are submitted by
end users. So, the only way response will get any better is if you submit
Have you submitted any sample for the last two years?
Yes, when appropriate, which I believe has been thrice. (We haven't been
on Clam for that long, though.)
John
--
John Madden
UNIX Systems Engineer
Ivy Tech State College
[EMAIL PROTECTED]
In any case, Clam is a user supported project. ALL viruses are submitted by
end users. So, the only way response will get any better is if you submit
new viruses you receive that get by clam.
It's not going to 'improve' any other way.
Well, that'd be my assumption as well. What I'm poking
On Wednesday 16 February 2005 05:08 pm, John Madden wrote:
Several times now, we've been burned by virii that are picked up by other
virus scanners when ClamAV doesn't yet have the signature. Within a
couple of hours, when the bulk of the threat has already passed, Clam then
catches up.
I agree with Christopher that this has been the exact opposite experience that
I have had.
Hmm.
Are there factors that can affect freshclam's performance? I got the
Mydoom.M-2 sig at 17:10EST today. When was it available? (The mailing
list archive doesn't appear to yet reflect today's
John Madden wrote:
well, something must be wrong with *your* virus scanner, because the
one over *here* in *Exchange* caught it.
I think it's inherently a good thing to run multiple virus scanners from
different vendors. Sometimes ClamAV will update first, sometimes other vendors
will update
On Wed, 16 Feb 2005 18:56:32 -0500 (EST)
John Madden [EMAIL PROTECTED] wrote:
Have you submitted any sample for the last two years?
Yes, when appropriate, which I believe has been thrice. (We haven't
been on Clam for that long, though.)
Found 0 submissions - Total results (0 pages)
(on
On Wed, 16 Feb 2005 19:04:25 -0500 (EST)
John Madden [EMAIL PROTECTED] wrote:
managers want to buy AV licenses.
Is that bad?
It's always good to have two or more e-mail virus scanners if
resources/funds allow that.
--
oo. Tomasz Kojm [EMAIL PROTECTED]
(\/)\.
Found 0 submissions - Total results (0 pages)
(on both your name and ivytech)
Uh. 'Guess I can't explain that, unless submissions for already-submitted
virii don't count.
John
--
John Madden
UNIX Systems Engineer
Ivy Tech State College
[EMAIL PROTECTED]
On Wed, 16 Feb 2005 20:04:55 -0500 (EST)
John Madden [EMAIL PROTECTED] wrote:
Found 0 submissions - Total results (0 pages)
(on both your name and ivytech)
Uh. 'Guess I can't explain that, unless submissions for
already-submitted virii don't count.
They count so this is a bad argument
Tomasz Kojm wrote:
On Wed, 16 Feb 2005 20:04:55 -0500 (EST)
John Madden [EMAIL PROTECTED] wrote:
Found 0 submissions - Total results (0 pages)
(on both your name and ivytech)
Uh. 'Guess I can't explain that, unless submissions for
already-submitted virii don't count.
They count so this is a
On Wed, 16 Feb 2005 20:27:27 -0500
Rick Macdougall [EMAIL PROTECTED] wrote:
Tomasz Kojm wrote:
On Wed, 16 Feb 2005 20:04:55 -0500 (EST)
John Madden [EMAIL PROTECTED] wrote:
Found 0 submissions - Total results (0 pages)
(on both your name and ivytech)
Uh. 'Guess I can't
Tomasz Kojm wrote:
On Wed, 16 Feb 2005 20:27:27 -0500
Rick Macdougall [EMAIL PROTECTED] wrote:
Two of them have been published, one (some trojan, i.e. low priority) is
still waiting for its turn:
Page(s):1
Found 3 submissions - Total results (1 pages)
Cool, I'm a hero :)
But I never
On Wed, 16 Feb 2005 20:37:23 -0500
Rick Macdougall [EMAIL PROTECTED] wrote:
Have a good day/night Tomasz, you are doing incredible work.
Thanks, it's 2:50 a.m. here. The whole team is working hard in its free
time and sometimes I must take that unrewarding position and protect
our cave ;-) even
Thanks, it's 2:50 a.m. here. The whole team is working hard in its free
time and sometimes I must take that unrewarding position and protect
our cave ;-) even if I may sound harsh and boorish.
No one's attacking your cave.
Fact of the matter is, for whatever reason, we had GB's of this virus