-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Lord
Sent: January 13, 2005 12:50 PM
To: clamav-users@lists.clamav.net
Subject: [Clamav-users] RFC: squidclam
Hi,
just wrote a small program to replace SquidClamAV_Redirector.py
Reason for doing
-Original Message-
At 12.08 01/12/2004, you wrote:
And now a wish:
Is possible to implement in clamav-milter or clamd itself the
possibility to define a list of suffix I'd like to consider as:
UNAUTHORIZED ATTACH TYPE
That is not the job of a virus-scanner, it's the job of a
-Original Message-
I checked it too and everything is ok, except tests
nr. 24, 25 ( which are non-virus, anyway ).
We're running .80 on Gentoo.
Robert
[Mitch says:]
24 25 could be stopped similar to how password protected zips are stopped
- not because they are viral, but because of
Hi, how do you make ClamAV update virus database as soon as possible
when the signature becomes ready?
Sam.
[Mitch (bitblock)]
Sam. Bad toad! Don't hijack threads.
You can run freshclam - there is no such thing as an instant update - the
latest version uses DNS records to allow more
On an off-topic side note, if anyone knows what SMTP related timeout issues
come up if a Milter timeout is set to greater than several minutes, I'd be very
interested to hear. Does sendmail somehow keep the SMTP session alive even
if the Milter is taking longer than the SMTP DATA timeout
The GPL defines source as the preferred form of the work for making
modifications to it. If the maintainers of the clamav db add new
signatures by unpacking the database, modifying it and packing it again,
it is source code (the act of packing and unpacking is IMHO similar to
tarring and
-Original Message-
From: [EMAIL PROTECTED] [mailto:clamav-users-
[EMAIL PROTECTED] On Behalf Of Tomasz Kojm
Sent: September 25, 2004 12:22
To: [EMAIL PROTECTED]
Subject: Re: [Clamav-users] Re: Re: Re: Windows port ?
On Sun, 26 Sep 2004 00:09:22 -0700
Mitch (WebCob) [EMAIL
Remi wrote:
No, it won't. Security by obscurity is a nonsense.
It's true only for cryptography I think.
Anyone with a disassembler can find your secret sauce as soon as they
download your product. A lot of effort yes... but if what you think you have
found has any value it will be done.
Ok, you can download the clam database handling and file scanner at
http://uscanit.free.fr/lib.zip
It looks OK. Thanks for publishing it.
Can you clarify for the rest of us? Does that mean the clam team is
accepting this sort of usage of the db?
m/
Or write an open source program which does the scanning without dependency
on cygwin. GPL it, give away the source. Keep your heuristics separate, and
if you like your interface, etc. This is the same effect as the windows
wrapper that exists without the underlying overhead of the cygwin
With one caveat.
It is perfectly acceptable to place an explanatory message in an SMTP
REJECT message.
Something like
EHLO (hi)
MAIL FROM (ok)
RCPT TO (ok)
DATA (can't accept for delivery, contains the EICAR virus!)
If the mail is being sent by a virus, the virus will usually just give
I think this was mentioned in a man page somewhere...
I believe that clam would return a timeout error, and what happens with that
depends on the script that calls clamdscan. If it accepts nothing other than
success, the mail should be deferred and tried again later by the MTA.
not authoritative,
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Graham
Toal
Aren't we missing something obvious here? Shouldn't we be using some
sort of distributed technology like BitTorrent?
That's been asked and answered... Bittorrent is meant to optimize
I think such a provider would be liable for very little - but it is very
expensive to establish that in court. Law suits are trivial to initiate
and we are in a very litigious society. If you have 10,000 customers you
can bet at least one of them will levy a suit against you for some
perceived
Someone recently suggested the idea of allowing sites with less than the
mirror site requirements becoming second-tier mirrors. This thread is
an attempt to see what kind of interest there is in such an idea and for
the developers to respond whether or not the idea has merit.
It
I would love to setup a mirror, but 10Mbps and 100GB/month is more than
I've got available.
--TWH
By my count that makes 5 of us I recall seeing volunteer and it isn't even
an option yet.
As we are already trampling the rules with cnames to cnames... what about
this... the second tier cnames
If you really want updates instantly, there *is* a solution. Volunteer
to run a mirror. All mirrors are given updates within 2 minutes.
Damian Menscher
Joining this thread a little late - sorry...
Then we get back to the level of commitment required to do that... With
things as they are
run freshclam on one machine, use on-update-execute to run an rsync script
after a successful download to update all your other machines.
==
Chris Candreva -- [EMAIL PROTECTED]
Does the clamd process need to be signaled on each
I still don't see why rsync can't be used here. It can easily do incremental
updates.
True. However,
(1) many firewall admins allow outgoing HTTP and DNS
ports; I cannot say the same for rsync port.
(2) The uncompressed signature (viruses.db*) files is a
good candidate for rsync (or even
No, the cron job only runs on the hour (minute == 0) so it will only run
once per hour at a random time between hh:00 and hh:30.
A.
D'oh! Note to self - don't think you are smart when you're tired! Thanks.
DNS for serial numbers plus HTTP for actual data transfer still sounds
New version of freshclam will work in this way. Big thanks to all for
the interesting thread !
Sounds cool Tomasz! Be interested to hear if this helps reduce the load on
the mirrors at all. Once this is tested, an update
Similarly, BitTorrent *requires* raw Internet access in order to operate -
again - not a normal situation for an AV server.
Don't know what exactly you meant by raw as opposed to sauteed, broiled,
baked or toasted, but BitTorrent does NOT require unfirewalled access. It
does require a small
So does that mean you no longer use Exiscan's demime facility, because,
if I understand this correctly, it is sufficient to pass the mime parts
to clamd for scanning. Using it and ScanMail would appear to bring some
competition between Exiscan's demime and ClamAV's ScanMail.
Could someone
I've already mentioned this jokingly, but I was half serious: I think
setting up a bittorrent would solve a lot of the bandwidth problems.
Been playing with that a bit recently - the more I think about it, the more
I like it... saw a website that has built a custom tracker to manage leeches,
Opening another port is simply no option for any serious enterprise use. There
is simply no way to open another port in the firewall. In addition I am
confident that IANA will not allow to reserve a fixed port number for this
service. After all port numbers are a limited resource with today's
right, but as discussed below, generally bind servers don't have 100k people
waiting for notifications and updates.
Nope, true... but like I suggested, the notification tree doesn't have to be
flat...
One server notifying 10 servers is time consuming and sure - costs a lot of
The mirror page talks about the need for mirrors, about exponential growth,
and how at least a 10mbit pipe is needed to host a mirror. It puts March
2004 traffic at about 120gig/month
I think I read it differently... I thought it was 120GB / month per mirror
(at that point in time there
What about a deeper mirroring system? Perhaps one that supports
notification?
One of the things I like about BIND (not enough to use it, but still an
admired concept ;-) is the way zones can be distributed... notification
speeds things up if it works, polling creates a failsafe in which a missing
I have 445 (have had it for 5 hours or so) and it still calls it
Trojan.JS.RunMe. Am I missing something? I can see in my clamd.log where
it picked up the changes and reloaded the database, and sigtool -l lists
both Trojan.JS.RunMe and Worm.Bagle.AI-2 in it.
I'm going to take a guess
This is predicated on the developers of the database incrementing the
functionality level when they make changes like this.
I'm still not sure I get it, but there seems to be some resistance to doing
this consistently.
Some changes in detection seem to make it into CVS, and I think future
Hi.
Before you do, I've been told by Tomasz Papszun that there are signatures
that won't work for anything other than CVS... so you'd have to try building
a CVS version to make it work.
I suggested changes to allow us users to know this info when we do an upload
to the webform, but haven't had
I'd be willing to hack the code to add the information mentioned the other
day - care to share the base script (off list is fine by me).
I'd like to make it a little more informative what was found and how it was
found etc.
thanks
m/
-Original Message-
From: [EMAIL PROTECTED]
For one thing, the web interface for uploading could be A LOT MORE USEFUL by
stating its current clamscan version, what it detects the upload as,
selected options/config, and signature database - just allowing easier
confirmation of relevant settings.
I've downloaded the 0.75, and upgraded,
I'd like to second that. Those of us depending on clamav to catch stuff
can't afford to upgrade in the middle of the day for new signatures to
work. And why don't these new signatures work? Has that interface not
yet stabilized?
Thanks,
John
Just wondering...
If signatures come out
I'd say so. You aren't talking about doing this after the fact, but as the
message is received and detected as viral - right? They'd have to have hung
up immediately and even then, it's unlikely the modem handshake would be
complete yet on the next call ;-)
On Thu, 10 Jun 2004, Nigel Horne
What's the harm? You aren't selling them anything... Spam is something done
for commercial gain by definition isn't it? they are hurting you - wasting
your bandwidth etc... and as many of my customers could prove - they can go
for MONTHS not knowing they are infected. Your message could say
/
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of jef moskot
Sent: Wednesday, June 09, 2004 3:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [Clamav-users] Ethics Question
On Wed, 9 Jun 2004, Mitch (WebCob) wrote:
We are sending this notification
(it was removed) there is nothing for ClamAV to find. About the best
you can do is to educate others that stripping viruses out of email (and
letting the rest through) is a Bad Idea.
While you are mentioning bad ideas... what about this trend of sending
bounce messages to the sender or
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Kevin
Spicer
Sent: Monday, May 10, 2004 10:49 AM
To: [EMAIL PROTECTED]
Subject: Re: [Clamav-users] Re: Virus Alias Database
It's running PHP MySQL on apache2, unfortunately this is my home box (that
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Lionel
Bouton
Sent: Thursday, April 08, 2004 12:26 AM
To: [EMAIL PROTECTED]
Subject: Re: [Clamav-users] Updating ClamAV method other than freshclam
I just do that because I have 4 systems using clamav
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of B. van
Ouwerkerk
Sent: Wednesday, April 07, 2004 2:00 AM
To: [EMAIL PROTECTED]
Subject: Re: [Clamav-users] Virus Names
I don't fancy the idea of doing the same job someone else does but I could
do it
No idea how easy this would be to implement but here goes:
As well as the virus signature databases, how about having an alias
database which would contain a record for each virus, indicating its
ClamAV name along with those used by the more mainstream AV software
like Sophos, McAfee etc.
-Original Message-
From: Tomasz Kojm
On Thu, 11 Mar 2004 10:15:50 +
Dave Ewart [EMAIL PROTECTED] wrote:
2. Can the alias details be extracted from the .cvd files? If not
currently, is there any way to add this detail?
Virus aliases will be supported in signatures in the
That's got my vote - can the core team give some indication of options being
considered and what general direction we'll go here?
Thanks.
m/
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Andy Dills
Sent: Tuesday, March 02, 2004 11:05 PM
To: [EMAIL
But...
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Chris
Meadors
Sent: Tuesday, March 02, 2004 11:44 PM
To: [EMAIL PROTECTED]
Subject: Re: [Clamav-users] Password-protected .zip file viruses
Paul Boven wrote:
How about only trying every word
Fantastic Michael!
I think that will be a good interim until there is an official method of
dealing with the problem.
Thanks.
m/
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Michael L
Torrie
Sent: Wednesday, March 03, 2004 12:38 PM
To: [EMAIL
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Diego
d'Ambra
Sent: Tuesday, March 02, 2004 4:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [Clamav-users] password-protected Worm.Bagle.H
-Original Message-
From: [EMAIL PROTECTED]
My understanding of reliable zip password checking was that you needed two
or more files encoded with the same password in the archive to allow a good
check...
Maybe I'm wrong on that, but still I'd rather a setting that allows me to
reject unscannable attachments. Preferably as mentioned before
I was looking for reviews on virus protection quality as well as response
time...
Helen, the editor of virusbtn.com says as far as she knows, Clam AV has
never been submitted for review.
I asked for details on the process, and ask here if there is any reason NOT
to submit to various reviewers -
1) Does the ClamAV system use a common naming convention? Where does it come
from? By this I mean I think I see other virus detection software using the
same names for things - how is this agreed upon?
2) Is there a Clam source for virus information? I'd like to tie my filter
to a status page
50 matches