Re: [clamav-users] Feature request: show checksums of virus databases on the clamav.net website

2016-09-30 Thread Reindl Harald



On 30.09.2016 at 04:51, Alexey Salmin wrote:
> Thanks for your replies.
>
> My particular use case is a network that is physically disconnected
> from the internet. Storage devices are allowed though, so I bring a
> fresh virus database from time to time. It's used to run nightly scans
> on shared network filesystems where malware occasionally shows up. I
> guess it comes from storage devices too and that was mostly fixed by
> installing USB Disk Security on Windows machines. However it only
> helps from autoruns, not from infected binaries, so scheduled scans
> are still needed (and I think that's a good practice anyway).
>
> Long story short: what is the recommended way to handle this scenario?
> I'm thinking of setting up a local mirror on the internet-capable
> machine and then take CVDs from there (with checksums or whatsoever)

use freshclam on whatever machine and take /var/lib/clamav/ to the
destination machine - smart setups with more than one machine are doing
that by rsync that folder to the other machines while freshclam runs on
an admin-server instead of producing multiple traffic for clamav
infrastructure (the same for locations like /usr/share/GeoIP)

> On Fri, Sep 30, 2016 at 6:40 AM, Reindl Harald <h.rei...@thelounge.net> wrote:
>>
>> On 30.09.2016 at 01:20, SCOTT PACKARD wrote:
>>>
>>> Some of us clamav users are behind rather substantial proxies and can't
>>> pull them easily.
>>> It's nice to have a place to download them.  Just FYI.
>>
>> sorry, but in that case these problems need to be solved with the fools of
>> admins (or that admins replaced) responsible for only one part of the
>> infrastructure, blocking anything for security reasons and then at the same
>> time blocking updates of security software which is just pervert
>>
>>> -Original Message-
>>> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On
>>> Behalf Of Joel Esler (jesler)
>>> Sent: Thursday, September 29, 2016 3:23 PM
>>> To: ClamAV users ML <clamav-users@lists.clamav.net>
>>> Subject: Re: [clamav-users] Feature request: show checksums of virus
>>> databases on the clamav.net website
>>>
>>> We really don’t want people downloading the cvd’s through the browser
>>> directly on the website.  We really want to encourage people to use
>>> Freshclam to do this.
>>>
>>> --
>>> Joel Esler
>>> Manager
>>> Talos Group
>>> http://www.talosintelligence.com
>>>
>>> On Sep 29, 2016, at 12:21 PM, Alexey Salmin
>>> <alexey.sal...@gmail.com<mailto:alexey.sal...@gmail.com>> wrote:
>>>
>>> Sorry if this had been proposed before, nothing showed up in my search.
>>>
>>> I suggest to display checksums (MD5, SHA or both) on the website next
>>> to CVD download links on the
>>> www.clamav.net/downloads<http://www.clamav.net/downloads> page. This will
>>> provide a user with:
>>> 1) A simple way to check if files were updated since the last
>>> download. It takes time to fetch the main.cvd. I realize that this
>>> should be possible with a custom HTTP query but it's not convenient in
>>> case you're simply using a browser to get the file.
>>> 2) A quick and a standard way to validate the integrity of the file,
>>> without going into CVD internals and digital signatures

___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml




--

Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / CISO / Software-Development
m: +43 676 40 221 40
p: +43 1 595 3999 33
http://www.thelounge.net/

Re: [clamav-users] Feature request: show checksums of virus databases on the clamav.net website

2016-09-29 Thread Paul Kosinski
Is the reason you don't want people downloading the CVDs directly
because that approach doesn't distribute the load, or do you have
some changes in mind for Freshclam that are incompatible with simple
direct downloading?

I'd hate to see ClamAV going the way of smartphones and tablets, with
specialized "apps" using opaque protocols replacing HTML and other open
protocols. (Not to mention that recent smartphones seem only to allow
MTP and similar restrictive protocols, as opposed to having the device
export its complete file system over USB like earlier Androids did.)


On Thu, 29 Sep 2016 22:22:32 +
"Joel Esler (jesler)"  wrote:

> We really don’t want people downloading the cvd’s through the browser
> directly on the website.  We really want to encourage people to use
> Freshclam to do this.
> 
> --
> Joel Esler
> Manager
> Talos Group
> http://www.talosintelligence.com
> 
> On Sep 29, 2016, at 12:21 PM, Alexey Salmin wrote:
> 
> Sorry if this had been proposed before, nothing showed up in my
> search.
> 
> I suggest to display checksums (MD5, SHA or both) on the website next
> to CVD download links on the
> www.clamav.net/downloads page. This
> will provide a user with: 1) A simple way to check if files were
> updated since the last download. It takes time to fetch the main.cvd.
> I realize that this should be possible with a custom HTTP query but
> it's not convenient in case you're simply using a browser to get the
> file. 2) A quick and a standard way to validate the integrity of the
> file, without going into CVD internals and digital signatures.
> 
> Thank you,
> Alexey

Re: [clamav-users] Feature request: show checksums of virus databases on the clamav.net website

2016-09-29 Thread Al Varnell
If you are able to download from the web site to a media that can be brought in 
(not the most secure situation, of course) then simply use the same computer 
you are using to download these updates to run freshclam, copy the already 
verified database of CVD/CLD’s and problem solved.

-Al-

On Thu, Sep 29, 2016 at 07:51 PM, Alexey Salmin wrote:
> 
> Thanks for your replies.
> 
> My particular use case is a network that is physically disconnected
> from the internet. Storage devices are allowed though, so I bring a
> fresh virus database from time to time. It's used to run nightly scans
> on shared network filesystems where malware occasionally shows up. I
> guess it comes from storage devices too and that was mostly fixed by
> installing USB Disk Security on Windows machines. However it only
> helps from autoruns, not from infected binaries, so scheduled scans
> are still needed (and I think that's a good practice anyway).
> 
> Long story short: what is the recommended way to handle this scenario?
> I'm thinking of setting up a local mirror on the internet-capable
> machine and then take CVDs from there (with checksums or whatsoever).
> 
> PS You may wonder if I'm the fool admin mentioned above but that's not
> the case (at least the admin part). I'm a user of this network who
> volunteered to help with the malware problem with no budget or means
> to change security rules.
> 
> Alexey
> 
> On Fri, Sep 30, 2016 at 6:40 AM, Reindl Harald <h.rei...@thelounge.net> wrote:
>> 
>> On 30.09.2016 at 01:20, SCOTT PACKARD wrote:
>>> 
>>> Some of us clamav users are behind rather substantial proxies and can't
>>> pull them easily.
>>> It's nice to have a place to download them.  Just FYI.
>> 
>> 
>> sorry, but in that case these problems need to be solved with the fools of
>> admins (or that admins replaced) responsible for only one part of the
>> infrastructure, blocking anything for security reasons and then at the same
>> time blocking updates of security software which is just pervert
>> 
>>> -Original Message-
>>> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On
>>> Behalf Of Joel Esler (jesler)
>>> Sent: Thursday, September 29, 2016 3:23 PM
>>> To: ClamAV users ML <clamav-users@lists.clamav.net>
>>> Subject: Re: [clamav-users] Feature request: show checksums of virus
>>> databases on the clamav.net website
>>> 
>>> We really don’t want people downloading the cvd’s through the browser
>>> directly on the website.  We really want to encourage people to use
>>> Freshclam to do this.
>>> 
>>> --
>>> Joel Esler
>>> Manager
>>> Talos Group
>>> http://www.talosintelligence.com
>>> 
>>> On Sep 29, 2016, at 12:21 PM, Alexey Salmin
>>> <alexey.sal...@gmail.com<mailto:alexey.sal...@gmail.com>> wrote:
>>> 
>>> Sorry if this had been proposed before, nothing showed up in my search.
>>> 
>>> I suggest to display checksums (MD5, SHA or both) on the website next
>>> to CVD download links on the
>>> www.clamav.net/downloads<http://www.clamav.net/downloads> page. This will
>>> provide a user with:
>>> 1) A simple way to check if files were updated since the last
>>> download. It takes time to fetch the main.cvd. I realize that this
>>> should be possible with a custom HTTP query but it's not convenient in
>>> case you're simply using a browser to get the file.
>>> 2) A quick and a standard way to validate the integrity of the file,
>>> without going into CVD internals and digital signatures
>> 

-Al-
-- 
Al Varnell
Mountain View, CA







Re: [clamav-users] Feature request: show checksums of virus databases on the clamav.net website

2016-09-29 Thread Alexey Salmin
Thanks for your replies.

My particular use case is a network that is physically disconnected
from the internet. Storage devices are allowed though, so I bring a
fresh virus database from time to time. It's used to run nightly scans
on shared network filesystems where malware occasionally shows up. I
guess it comes from storage devices too and that was mostly fixed by
installing USB Disk Security on Windows machines. However it only
helps from autoruns, not from infected binaries, so scheduled scans
are still needed (and I think that's a good practice anyway).

Long story short: what is the recommended way to handle this scenario?
I'm thinking of setting up a local mirror on the internet-capable
machine and then take CVDs from there (with checksums or whatsoever).

PS You may wonder if I'm the fool admin mentioned above but that's not
the case (at least the admin part). I'm a user of this network who
volunteered to help with the malware problem with no budget or means
to change security rules.

Alexey

On Fri, Sep 30, 2016 at 6:40 AM, Reindl Harald <h.rei...@thelounge.net> wrote:
>
> On 30.09.2016 at 01:20, SCOTT PACKARD wrote:
>>
>> Some of us clamav users are behind rather substantial proxies and can't
>> pull them easily.
>> It's nice to have a place to download them.  Just FYI.
>
>
> sorry, but in that case these problems need to be solved with the fools of
> admins (or that admins replaced) responsible for only one part of the
> infrastructure, blocking anything for security reasons and then at the same
> time blocking updates of security software which is just pervert
>
>> -Original Message-
>> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On
>> Behalf Of Joel Esler (jesler)
>> Sent: Thursday, September 29, 2016 3:23 PM
>> To: ClamAV users ML <clamav-users@lists.clamav.net>
>> Subject: Re: [clamav-users] Feature request: show checksums of virus
>> databases on the clamav.net website
>>
>> We really don’t want people downloading the cvd’s through the browser
>> directly on the website.  We really want to encourage people to use
>> Freshclam to do this.
>>
>> --
>> Joel Esler
>> Manager
>> Talos Group
>> http://www.talosintelligence.com
>>
>> On Sep 29, 2016, at 12:21 PM, Alexey Salmin
>> <alexey.sal...@gmail.com<mailto:alexey.sal...@gmail.com>> wrote:
>>
>> Sorry if this had been proposed before, nothing showed up in my search.
>>
>> I suggest to display checksums (MD5, SHA or both) on the website next
>> to CVD download links on the
>> www.clamav.net/downloads<http://www.clamav.net/downloads> page. This will
>> provide a user with:
>> 1) A simple way to check if files were updated since the last
>> download. It takes time to fetch the main.cvd. I realize that this
>> should be possible with a custom HTTP query but it's not convenient in
>> case you're simply using a browser to get the file.
>> 2) A quick and a standard way to validate the integrity of the file,
>> without going into CVD internals and digital signatures
>

Re: [clamav-users] Feature request: show checksums of virus databases on the clamav.net website

2016-09-29 Thread Reindl Harald


On 30.09.2016 at 01:20, SCOTT PACKARD wrote:
> Some of us clamav users are behind rather substantial proxies and can't pull
> them easily.
> It's nice to have a place to download them.  Just FYI.

sorry, but in that case these problems need to be solved with the fools
of admins (or that admins replaced) responsible for only one part of the
infrastructure, blocking anything for security reasons and then at the
same time blocking updates of security software which is just pervert

> -Original Message-
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of
> Joel Esler (jesler)
> Sent: Thursday, September 29, 2016 3:23 PM
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Subject: Re: [clamav-users] Feature request: show checksums of virus databases
> on the clamav.net website
>
> We really don’t want people downloading the cvd’s through the browser directly
> on the website.  We really want to encourage people to use Freshclam to do this.
>
> --
> Joel Esler
> Manager
> Talos Group
> http://www.talosintelligence.com
>
> On Sep 29, 2016, at 12:21 PM, Alexey Salmin
> <alexey.sal...@gmail.com<mailto:alexey.sal...@gmail.com>> wrote:
>
> Sorry if this had been proposed before, nothing showed up in my search.
>
> I suggest to display checksums (MD5, SHA or both) on the website next
> to CVD download links on the
> www.clamav.net/downloads<http://www.clamav.net/downloads> page. This will
> provide a user with:
> 1) A simple way to check if files were updated since the last
> download. It takes time to fetch the main.cvd. I realize that this
> should be possible with a custom HTTP query but it's not convenient in
> case you're simply using a browser to get the file.
> 2) A quick and a standard way to validate the integrity of the file,
> without going into CVD internals and digital signatures


Re: [clamav-users] Feature request: show checksums of virus databases on the clamav.net website

2016-09-29 Thread SCOTT PACKARD
Some of us clamav users are behind rather substantial proxies and can't pull 
them easily.
It's nice to have a place to download them.  Just FYI.

-Original Message-
From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of 
Joel Esler (jesler)
Sent: Thursday, September 29, 2016 3:23 PM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Subject: Re: [clamav-users] Feature request: show checksums of virus databases 
on the clamav.net website

We really don’t want people downloading the cvd’s through the browser directly 
on the website.  We really want to encourage people to use Freshclam to do this.

--
Joel Esler
Manager
Talos Group
http://www.talosintelligence.com

On Sep 29, 2016, at 12:21 PM, Alexey Salmin 
<alexey.sal...@gmail.com<mailto:alexey.sal...@gmail.com>> wrote:

Sorry if this had been proposed before, nothing showed up in my search.

I suggest to display checksums (MD5, SHA or both) on the website next
to CVD download links on the 
www.clamav.net/downloads<http://www.clamav.net/downloads> page. This will
provide a user with:
1) A simple way to check if files were updated since the last
download. It takes time to fetch the main.cvd. I realize that this
should be possible with a custom HTTP query but it's not convenient in
case you're simply using a browser to get the file.
2) A quick and a standard way to validate the integrity of the file,
without going into CVD internals and digital signatures.

Thank you,
Alexey

Re: [clamav-users] Feature request: show checksums of virus databases on the clamav.net website

2016-09-29 Thread Joel Esler (jesler)
We really don’t want people downloading the cvd’s through the browser directly 
on the website.  We really want to encourage people to use Freshclam to do this.

--
Joel Esler
Manager
Talos Group
http://www.talosintelligence.com

On Sep 29, 2016, at 12:21 PM, Alexey Salmin wrote:

Sorry if this had been proposed before, nothing showed up in my search.

I suggest to display checksums (MD5, SHA or both) on the website next
to CVD download links on the 
www.clamav.net/downloads page. This will
provide a user with:
1) A simple way to check if files were updated since the last
download. It takes time to fetch the main.cvd. I realize that this
should be possible with a custom HTTP query but it's not convenient in
case you're simply using a browser to get the file.
2) A quick and a standard way to validate the integrity of the file,
without going into CVD internals and digital signatures.

Thank you,
Alexey

[clamav-users] Feature request: show checksums of virus databases on the clamav.net website

2016-09-29 Thread Alexey Salmin
Sorry if this had been proposed before, nothing showed up in my search.

I suggest to display checksums (MD5, SHA or both) on the website next
to CVD download links on the www.clamav.net/downloads page. This will
provide a user with:
1) A simple way to check if files were updated since the last
download. It takes time to fetch the main.cvd. I realize that this
should be possible with a custom HTTP query but it's not convenient in
case you're simply using a browser to get the file.
2) A quick and a standard way to validate the integrity of the file,
without going into CVD internals and digital signatures.

Thank you,
Alexey
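
The checksum idea from this thread applied to the air-gapped workflow, as an added example (not code from any poster or from the ClamAV project): a CVD carries the MD5 of its payload in its 512-byte header, so a copy can be checked for truncation or damage, and its version compared with the one already staged, before it goes onto removable media. The header layout as written in the comments, the function names and the sample files are assumptions or constructed here; GNU `md5sum` is assumed, `.cld` files are not covered, and the check does not replace the digital-signature verification that freshclam performs.

```shell
#!/bin/sh
# Added example (not ClamAV project code). Assumed CVD layout: a 512-byte,
# space-padded ASCII header followed by the compressed payload:
#   ClamAV-VDB:build time:version:sigs:f-level:MD5 of payload:dsig:builder:stime

# Print colon-separated field N of the header (3 = version, 6 = MD5).
cvd_field() {
    head -c 512 "$1" | cut -d: -f"$2"
}

# 0 = header MD5 matches the payload, 1 = mismatch (damaged or truncated
# copy), 2 = missing file or not a CVD at all.
cvd_check() {
    [ -f "$1" ] || return 2
    [ "$(head -c 11 "$1")" = "ClamAV-VDB:" ] || return 2
    [ $(wc -c < "$1") -gt 512 ] || return 2
    want=$(cvd_field "$1" 6)
    got=$(tail -c +513 "$1" | md5sum | cut -d' ' -f1)
    [ "$want" = "$got" ] || return 1
    return 0
}

# 0 if NEW should replace OLD: OLD is absent or NEW has a higher version.
cvd_newer() {
    [ -f "$2" ] || return 0
    [ "$(cvd_field "$1" 3)" -gt "$(cvd_field "$2" 3)" ]
}

# Copy each *.cvd from SRC to DST if it checks out and is newer.
# Prints one line per file; returns 1 if any file was rejected.
stage_cvds() {
    src=$1 dst=$2 rc=0
    for f in "$src"/*.cvd; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        if ! cvd_check "$f"; then
            echo "REJECT $name (header MD5 does not match payload)"
            rc=1
        elif cvd_newer "$f" "$dst/$name"; then
            cp "$f" "$dst/$name" && echo "COPY $name v$(cvd_field "$f" 3)"
        else
            echo "SKIP $name (not newer)"
        fi
    done
    return $rc
}

# Build a constructed, CVD-shaped test file (not a real database):
#   make_sample_cvd PATH VERSION PAYLOAD-TEXT
make_sample_cvd() {
    sum=$(printf '%s' "$3" | md5sum | cut -d' ' -f1)
    printf '%-512s' "ClamAV-VDB:01 Jan 2016 00-00 +0000:$2:1:60:$sum:CONSTRUCTED-DSIG:example:1451606400" > "$1"
    printf '%s' "$3" >> "$1"
}

# Demo on constructed files: one good update, one damaged download.
demo() {
    work=$(mktemp -d)
    mkdir "$work/mirror" "$work/usb"
    make_sample_cvd "$work/mirror/daily.cvd" 22000 "constructed daily payload"
    make_sample_cvd "$work/mirror/main.cvd" 57 "constructed main payload"
    printf 'X' >> "$work/mirror/main.cvd"      # simulate damage in transit
    make_sample_cvd "$work/usb/daily.cvd" 21990 "older daily payload"
    stage_cvds "$work/mirror" "$work/usb"
    status=$?
    rm -rf "$work"
    return $status
}

demo || true
```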


Re: [Clamav-users] Feature Request Scanlist

2009-02-02 Thread Matus UHLAR - fantomas
On 29.01.09 13:26, Andre Hübner wrote:
> during practical work with webspace/virus etc. i missed a function in
> clamscan to scan files which were given by list in file.
> Often after a Hackattack by ftp/upload etc. a lot of files with alike date
> of creation are found in filesystem.

there's mod_clamav for ProFTPD.

> Sometimes it is not necessary to scan whole filesystem with thousands of
> files. I could imagine to create a list in file by typical *nix commands
> with fileselection which is base for clamscan.
> This fileselection could be reduced by date of creation, special filetypes,
> chmod, whatever...
> Sure, a complete scan should also be done, but to get fast results or to do
> quick automated scans of suspicious files this could be a nice feature.

you'll have to check for ctime, even if that means scanning more files,
since mtime can be changed. On filesystems without ctime, you'll have to
scan anything
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #98652: Operation completed successfully.
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


[Clamav-users] Feature Request Scanlist

2009-01-29 Thread Andre Hübner
Hi,

during practical work with webspace/virus etc. i missed a function in 
clamscan to scan files which were given by list in file.
Often after a Hackattack by ftp/upload etc. a lot of files with alike date 
of creation are found in filesystem.
Sometimes it is not necessary to scan whole filesystem with thousands of 
files. I could imagine to create a list in file by typical *nix commands 
with fileselection which is base for clamscan.
This fileselection could be reduced by date of creation, special filetypes, 
chmod, whatever...
Sure, a complete scan should also be done, but to get fast results or to do 
quick automated scans of suspicious files this could be a nice feature.

How about that?
Thanks,
Andre 



Re: [Clamav-users] Feature Request Scanlist

2009-01-29 Thread Tomasz Kojm
On Thu, 29 Jan 2009 13:26:29 +0100
Andre Hübner andre.hueb...@gmx.de wrote:

> Hi,
>
> during practical work with webspace/virus etc. i missed a function in
> clamscan to scan files which were given by list in file.
> Often after a Hackattack by ftp/upload etc. a lot of files with alike date
> of creation are found in filesystem.
> Sometimes it is not necessary to scan whole filesystem with thousands of
> files. I could imagine to create a list in file by typical *nix commands
> with fileselection which is base for clamscan.
> This fileselection could be reduced by date of creation, special filetypes,
> chmod, whatever...
> Sure, a complete scan should also be done, but to get fast results or to do
> quick automated scans of suspicious files this could be a nice feature.
>
> How about that?

Please search the archives; it was already described how to use clamdscan
for that purpose.

-- 
   oo. Tomasz Kojm tk...@clamav.net
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Jan 29 13:30:37 CET 2009

Re: [Clamav-users] Feature Request Scanlist

2009-01-29 Thread James Kosin
Tomasz Kojm wrote:
> On Thu, 29 Jan 2009 13:26:29 +0100
> Andre Hübner andre.hueb...@gmx.de wrote:
<snip>
>
>> with fileselection which is base for clamscan.
>> This fileselection could be reduced by date of creation, special filetypes,
>> chmod, whatever...
>> Sure, a complete scan should also be done, but to get fast results or to do
>> quick automated scans of suspicious files this could be a nice feature.
>>
>> How about that?
>
> Please search the archives; it was already described how to use clamdscan
> for that purpose.

You also have to be careful.  The date/time of creation or modification
can be faked or changed.  So, I wouldn't rely entirely on that alone to
determine what files to scan and which not to scan.

James
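
The timestamp caveat raised in this thread, as an added example (not code from any poster or from ClamAV): candidates are selected by ctime, which `touch` cannot backdate, passed NUL-separated to the scanner through `xargs`, and the marker only advances after a clean run. The function names, the marker file and the `SCANNER` override are assumptions made for this example; find with `-cnewer`/`-print0` and xargs with `-0`/`-r` are assumed.

```shell
#!/bin/sh
# Added example (not ClamAV project code).
# SCANNER is a hypothetical override used for dry runs; by default clamdscan
# is called with --fdpass so clamd receives descriptors opened by the caller.

# NUL-separated regular files under DIR whose ctime is newer than MARKER.
changed_since() { find "$1" -type f -cnewer "$2" -print0; }

# The same selection by mtime, for comparison only: a file whose mtime was
# set back with touch(1) is missed by this one.
modified_since() { find "$1" -type f -newer "$2" -print0; }

# Scan what changed since MARKER. The marker is moved forward only when the
# scanner exits 0, so a failed or positive run is repeated next time.
scan_changed() {
    dir=$1 marker=$2
    # First run: no marker yet, so start from a date that selects everything.
    [ -e "$marker" ] || touch -t 197001020000 "$marker"
    # Take the new reference time before listing, so files that change
    # during the scan are picked up by the next run.
    next=$(mktemp) || return 2
    rc=0
    changed_since "$dir" "$marker" |
        xargs -0 -r ${SCANNER:-clamdscan --fdpass} || rc=$?
    if [ "$rc" -eq 0 ]; then
        touch -r "$next" "$marker"
    fi
    rm -f "$next"
    return "$rc"
}

# Command-line use: script DIR MARKER
[ "$#" -ne 2 ] || scan_changed "$1" "$2"
```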




Re: [Clamav-users] feature request?

2008-05-12 Thread Rekrutacja
Chuck Swiger wrote:
> On May 8, 2008, at 4:08 PM, Rekrutacja wrote:
>> is it possible that developers will add option to clamscan, to load file
>> list to be scanned, from other file?
>
> Can't you do this via something like:
>
> % ls -1 > /tmp/filelist_to_scan
> % xargs clamdscan < /tmp/filelist_to_scan
>
> ...?

i didn't know i can give more than 1 argument to clamscan... by the way
- any idea how to scan files encoded in base64 ? there are PHP.shells on
my server, that are easily found by clamscan when in normal text, but
when encoded in base64 , clam doesn't detect anything.

i thought base64 was added already?

also, any way to add daemon but not for mails, but one that will scan
files added to some directory in the background automatically?

>> the problem is i have many users uploading files, and i log it. i want
>> clamscan to run like every minute or less, and scan these files from the
>> list, but it takes a lot of time for clamscan to load into memory
>> (viruses databases)
>
> Right, so use clamdscan rather than normal clamscan.
>
>> wouldn't that be easier to just be able to add like --load-from-file
>> option, where i can tell clamscan which files should be scanned?
>
> I don't see anything wrong with the notion of having explicit support
> for loading filenames from a file, but you can use xargs to place such
> files onto the command-line arguments and get the same results
 



___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] feature request?

2008-05-10 Thread Török Edwin
Dennis Peterson wrote:
> Chuck Swiger wrote:
>> On May 8, 2008, at 5:43 PM, Dennis Peterson wrote:
>>>> Can't you do this via something like:
>>>>
>>>> % ls -1 > /tmp/filelist_to_scan
>>>> % xargs clamdscan < /tmp/filelist_to_scan
>>>
>>> The clamd user would need to be root for this to always work. That is
>>> probably not a good idea when scanning user space.
>>
>> If clamd doesn't have permissions to read some of the files you want
>> to check, use clamscan as root instead, although any potential
>> security risk from a maliciously crafted input file would likely
>> affect clamscan in such circumstances as well.
>>
>> Add salt and season to taste.
>
> If permissions on home dirs or (dev dirs) are set correctly clamd would
> be locked out of all of them. But there's no reason to assume that would
> be the case in the OP's world. If it is the case he could always pipe
> files as root to the clamd socket. There's a clamd-stream client on
> sourceforge from a couple years ago that may do the trick.

clamdscan can do the streaming (although you can't scan anything larger
than StreamMaxLength):
$ clamdscan - < filetoscan

Best regards,
--Edwin


Re: [Clamav-users] feature request?

2008-05-10 Thread Rekrutacja
Chuck Swiger wrote:
> On May 8, 2008, at 4:08 PM, Rekrutacja wrote:
>> is it possible that developers will add option to clamscan, to load file
>> list to be scanned, from other file?
>
> Can't you do this via something like:
>
> % ls -1 > /tmp/filelist_to_scan
> % xargs clamdscan < /tmp/filelist_to_scan
>
> ...?

i didn't know i can give more than 1 argument to clamscan... by the way
- any idea how to scan files encoded in base64 ? there are PHP.shells on
my server, that are easily found by clamscan when in normal text, but
when encoded in base64 , clam doesn't detect anything.

i thought base64 was added already?

also, any way to add daemon but not for mails, but one that will scan
files added to some directory in the background automatically?

>> the problem is i have many users uploading files, and i log it. i want
>> clamscan to run like every minute or less, and scan these files from the
>> list, but it takes a lot of time for clamscan to load into memory
>> (viruses databases)
>
> Right, so use clamdscan rather than normal clamscan.
>
>> wouldn't that be easier to just be able to add like --load-from-file
>> option, where i can tell clamscan which files should be scanned?
>
> I don't see anything wrong with the notion of having explicit support
> for loading filenames from a file, but you can use xargs to place such
> files onto the command-line arguments and get the same results
 




Re: [Clamav-users] feature request?

2008-05-09 Thread Chuck Swiger
On May 8, 2008, at 5:43 PM, Dennis Peterson wrote:
>> Can't you do this via something like:
>>
>> % ls -1 > /tmp/filelist_to_scan
>> % xargs clamdscan < /tmp/filelist_to_scan
>
> The clamd user would need to be root for this to always work. That is
> probably not a good idea when scanning user space.

If clamd doesn't have permissions to read some of the files you want
to check, use clamscan as root instead, although any potential
security risk from a maliciously crafted input file would likely
affect clamscan in such circumstances as well.

Add salt and season to taste.

-- 
-Chuck



Re: [Clamav-users] feature request?

2008-05-09 Thread Dennis Peterson
Chuck Swiger wrote:
> On May 8, 2008, at 5:43 PM, Dennis Peterson wrote:
>>> Can't you do this via something like:
>>>
>>> % ls -1 > /tmp/filelist_to_scan
>>> % xargs clamdscan < /tmp/filelist_to_scan
>>
>> The clamd user would need to be root for this to always work. That is
>> probably not a good idea when scanning user space.
>
> If clamd doesn't have permissions to read some of the files you want
> to check, use clamscan as root instead, although any potential
> security risk from a maliciously crafted input file would likely
> affect clamscan in such circumstances as well.
>
> Add salt and season to taste.

If permissions on home dirs or (dev dirs) are set correctly clamd would
be locked out of all of them. But there's no reason to assume that would
be the case in the OP's world. If it is the case he could always pipe
files as root to the clamd socket. There's a clamd-stream client on
sourceforge from a couple years ago that may do the trick.

I distinctly said 'No salt' - Milton

dp


Re: [Clamav-users] feature request?

2008-05-08 Thread Chuck Swiger
On May 8, 2008, at 4:08 PM, Rekrutacja wrote:
> is it possible that developers will add option to clamscan, to load file
> list to be scanned, from other file?

Can't you do this via something like:

% ls -1 > /tmp/filelist_to_scan
% xargs clamdscan < /tmp/filelist_to_scan

...?

> the problem is i have many users uploading files, and i log it. i want
> clamscan to run like every minute or less, and scan these files from the
> list, but it takes a lot of time for clamscan to load into memory
> (viruses databases)

Right, so use clamdscan rather than normal clamscan.

> wouldn't that be easier to just be able to add like --load-from-file
> option, where i can tell clamscan which files should be scanned?

I don't see anything wrong with the notion of having explicit support
for loading filenames from a file, but you can use xargs to place such
files onto the command-line arguments and get the same results

-- 
-Chuck



Re: [Clamav-users] feature request?

2008-05-08 Thread Dennis Peterson
Chuck Swiger wrote:
> On May 8, 2008, at 4:08 PM, Rekrutacja wrote:
>> is it possible that developers will add option to clamscan, to load file
>> list to be scanned, from other file?
>
> Can't you do this via something like:
>
> % ls -1 > /tmp/filelist_to_scan
> % xargs clamdscan < /tmp/filelist_to_scan

The clamd user would need to be root for this to always work. That is
probably not a good idea when scanning user space.

dp


Re: [Clamav-users] feature request?

2008-05-08 Thread Rekrutacja
Chuck Swiger wrote:
> On May 8, 2008, at 4:08 PM, Rekrutacja wrote:
>> is it possible that developers will add option to clamscan, to load file
>> list to be scanned, from other file?
>
> Can't you do this via something like:
>
> % ls -1 > /tmp/filelist_to_scan
> % xargs clamdscan < /tmp/filelist_to_scan
>
> ...?

i didn't know i can give more than 1 argument to clamscan... by the way
- any idea how to scan files encoded in base64? there are PHP.shells on
my server, that are easily found by clamscan when in normal text, but
when encoded in base64, clam doesn't detect anything.

i thought base64 was added already?

also, any way to add daemon but not for mails, but one that will scan
files added to some directory in the background automatically?

>> the problem is i have many users uploading files, and i log it. i want
>> clamscan to run like every minute or less, and scan these files from the
>> list, but it takes a lot of time for clamscan to load into memory
>> (viruses databases)
>
> Right, so use clamdscan rather than normal clamscan.
>
>> wouldn't that be easier to just be able to add like --load-from-file
>> option, where i can tell clamscan which files should be scanned?
>
> I don't see anything wrong with the notion of having explicit support
> for loading filenames from a file, but you can use xargs to place such
> files onto the command-line arguments and get the same results



[Clamav-users] Feature request for freshclam: settable timeout

2006-05-08 Thread René Berber
Hi,

A new option to set timeout for freshclam's operation would IMO be useful to
avoid problems with mirrors.

For at least a week I've seen the time it takes freshclam to update the database
from my regional mirrors increase a lot.  Usually it takes seconds, but lately
it has taken 20 min average, today I just killed freshclam after waiting 2 hr,
then it took 2 minutes on a re-run.  I'm seeing this problem on two separate
servers (both do very few (1 to 4) daily updates since traffic is low-volume).

So I'd rather skip the update than have freshclam running for so long.
-- 
René Berber


[Clamav-users] Feature Request

2005-03-17 Thread karlp
Has anyone considered or requested that the URL for upgrading Clamav might
be put in the notice the admin receives when the following message is
sent:

WARNING: Your ClamAV installation is OUTDATED - please update immediately!

I may just poke through the source code, but my time can be better spent
elsewhere...

This is NOT meant to be taken as a high priority. Keeping my servers clean
from viruses is significantly more important than worrying about whether I
have to type clamav.net in the URL field.

Thanks for not flaming me.



[Clamav-users] feature request in virusdb ml

2004-02-16 Thread Cedric Foll
Hi,

I would like to have information about the severity/frequency of viruses 
add in the mailing list.
It should be nice to know when a virus added is very dangerous and that 
an update is required urgently. At least add the information provided 
during submission about frequency of the virus.

Thanks for the work of all the team. Your job is really appreciated.

Regards.

___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] feature request in virusdb ml

2004-02-16 Thread Antony Stone
On Monday 16 February 2004 8:54 pm, Cedric Foll wrote:

> Hi,
>
> I would like to have information about the severity/frequency of viruses
> add in the mailing list.
> It should be nice to know when a virus added is very dangerous and that
> an update is required urgently. At least add the information provided
> during submission about frequency of the virus.

It is very difficult to tell how dangerous or severe a virus is, and therefore
how urgent the update is, until it's really too late. How do you define
dangerous? How quickly the virus spreads? Or what damage it does when it
arrives? Either way, I'd prefer to get a quick signature for anything nasty
rather than request the signature-creators spend extra time assessing the
risk associated with a particular piece of code.

I think most people's attitude will be: If it's a virus, give me a signature
quick! I don't care how bad the virus is - I just want protection from it.

Regards,

Antony.

-- 
Never write it in Perl if you can do it in Awk.
Never do it in Awk if sed can handle it.
Never use sed when tr can do the job.
Never invoke tr when cat is sufficient.
Avoid using cat whenever possible.

 Please reply to the list;
   please don't CC me.





Re: [Clamav-users] feature request for clam (STREAM mode)

2003-08-18 Thread Stefan Kaltenbrunner
Tomasz Kojm wrote:

> On Sun, 17 Aug 2003 19:38:10 +0200
> Arkadiusz Miskiewicz [EMAIL PROTECTED] wrote:
>
> > Hi,
> >
> > STREAM support is long awaited feature by me. Unfortunately it seems
> > badly designed.
>
> The idea of the protocol is based on OpenAntiVirus ScannerDaemon's POST
> command, with some enhancements.
>
> > Current protocol is:
> > - connect with default clamav port (command connection)
> > - send STREAM uppercase
> > - clamd returns port number
> > - we connect with that number and send data to be scanned there (data
> > connection)
>
> That's it.
>
> > Problems are:
> > - if we want to scan few files we need to connect to reconnect to
> > command connection every time, too - why? Why no multiple STREAM
> > commands allowed?
>
> Do you mean STREAM should support an optional argument for a number of
> sockets clamd should start waiting on ? No problem.
>
> > - data port is random so I need to open all ports on my firewall which
> > is very
>
> This problem has been already reported a few days ago. The port number
> range will be configurable in clamav.conf.
>
> > sad. Instead of this it would be great if I could send data over
> > ,,command connection'' and don't use ,,data connection'' at all.
>
> Oh, I don't think this is a good idea - it will make the command socket
> a bottleneck because a scan process for may be long and we can't depend
> on the backlog argument of the listen() function due to portability
> reasons.

I really, really dislike this solution which reminds me in some way of
the (br0ken) ftp-protocol. A solution like this makes any kind of
loadbalancing (using a standard TCP balancing solution) nearly
impossible. Any chance that this design could be changed to using a
single TCP-Port? This would allow us to loadbalance/failover clamd
easily between a large number of hosts (just like it's possible with
spamd from the spamassassin package today).

Stefan





Re: [Clamav-users] feature request for clam (STREAM mode)

2003-08-18 Thread Nigel Horne
Shouldn't this be on the developers list, not here?

-Nigel

-- 
Nigel Horne. Arranger, Composer, Conductor, Typesetter.
Owner of the brass band group of the Internet. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk/music.htm


[Clamav-users] feature request for clam (STREAM mode)

2003-08-17 Thread Arkadiusz Miskiewicz
Hi,

STREAM support is long awaited feature by me. Unfortunately it seems badly 
designed.

Current protocol is:
- connect with default clamav port (command connection)
- send STREAM uppercase
- clamd returns port number
- we connect with that number and send data to be scanned there (data 
connection)

Problems are:
- if we want to scan few files we need to connect to reconnect to command 
connection every time, too - why? Why no multiple STREAM commands allowed?
- data port is random so I need to open all ports on my firewall which is very 
sad. Instead of this it would be great if I could send data over ,,command 
connection'' and don't use ,,data connection'' at all.

clamscan btw. is missing STREAM mode for multiple files when scanning. With 
this support clamscan would be second(? - after clamav-milter) antivirus 
daemon that should work in such scenario with multiple hosts where mail spool 
is on different host than antivirus daemon.

-- 
Arkadiusz Miśkiewicz    CS at FoE, Wroclaw University of Technology
[EMAIL PROTECTED]   AM2-6BONE, 1024/3DB19BBD, arekm(at)ircnet, PLD/Linux





Re: [Clamav-users] feature request for clam (STREAM mode)

2003-08-17 Thread Tomasz Kojm
On Sun, 17 Aug 2003 19:38:10 +0200
Arkadiusz Miskiewicz [EMAIL PROTECTED] wrote:

> Hi,
>
> STREAM support is long awaited feature by me. Unfortunately it seems
> badly designed.

The idea of the protocol is based on OpenAntiVirus ScannerDaemon's POST
command, with some enhancements.

> Current protocol is:
> - connect with default clamav port (command connection)
> - send STREAM uppercase
> - clamd returns port number
> - we connect with that number and send data to be scanned there (data
> connection)

That's it.

> Problems are:
> - if we want to scan few files we need to connect to reconnect to
> command connection every time, too - why? Why no multiple STREAM
> commands allowed?

Do you mean STREAM should support an optional argument for a number of
sockets clamd should start waiting on ? No problem.

> - data port is random so I need to open all ports on my firewall which
> is very

This problem has been already reported a few days ago. The port number
range will be configurable in clamav.conf.

> sad. Instead of this it would be great if I could send data over
> ,,command connection'' and don't use ,,data connection'' at all.

Oh, I don't think this is a good idea - it will make the command socket
a bottleneck because a scan process for may be long and we can't depend
on the backlog argument of the listen() function due to portability
reasons.

> clamscan btw. is missing STREAM mode for multiple files when scanning.
> With

clamscan doesn't connect to clamd at all. clamdscan uses STREAM while
reading from a standard input, but this is not yet fully implemented.
clamdscan will support remote scanning (with something like
--remote-host option)  soon.

Best regards,
Tomasz Kojm
-- 
  oo.   [EMAIL PROTECTED]
 (\/)\. http://www.konarski.edu.pl/~zolw
\..._   I nie zapomnij kliknac w brzuszek... 
  //\   /\\ - C. Amboinensiswww.pajacyk.pl




Re: [Clamav-users] feature request for clam (STREAM mode)

2003-08-17 Thread Arkadiusz Miskiewicz
On Sunday 17 of August 2003 22:29, Tomasz Kojm wrote:
> > - if we want to scan few files we need to connect to reconnect to
> > command connection every time, too - why? Why no multiple STREAM
> > commands allowed?
>
> Do you mean STREAM should support an optional argument for a number of
> sockets clamd should start waiting on ? No problem.
I was thinking about something other... don't disconnect after returning 
stream: OK/OTHER_MESSAGE and allow to send another STREAM request. In this 
way I wouldn't need to reconnect every time if I want to scan few files.

> > - data port is random so I need to open all ports on my firewall which
> > is very
>
> This problem has been already reported a few days ago. The port number
> range will be configurable in clamav.conf.
btw. does clamd check whether data connection comes from the same IP as 
command connection?

> > clamscan btw. is missing STREAM mode for multiple files when scanning.
> > With
>
> clamscan doesn't connect to clamd at all.
Unfortunately :-( Also clam libraries don't have any network support which 
also would be useful. It would be really great to just specify
clamscan ---remote-host=x.y.z.q:2145 /some/directory :)

> clamdscan uses STREAM while
> reading from a standard input, but this is not yet fully implemented.
> clamdscan will support remote scanning (with something like
> --remote-host option)  soon.
Great. 


> Best regards,
> Tomasz Kojm

-- 
Arkadiusz Miśkiewicz    CS at FoE, Wroclaw University of Technology
[EMAIL PROTECTED]   AM2-6BONE, 1024/3DB19BBD, arekm(at)ircnet, PLD/Linux





Re: [Clamav-users] feature request for clam (STREAM mode)

2003-08-17 Thread Tomasz Kojm
On Sun, 17 Aug 2003 22:45:07 +0200
Arkadiusz Miskiewicz [EMAIL PROTECTED] wrote:

> On Sunday 17 of August 2003 22:29, Tomasz Kojm wrote:
> > > - if we want to scan few files we need to connect to reconnect to
> > > command connection every time, too - why? Why no multiple STREAM
> > > commands allowed?
> >
> > Do you mean STREAM should support an optional argument for a number
> > of sockets clamd should start waiting on ? No problem.
> I was thinking about something other... don't disconnect after
> returning stream: OK/OTHER_MESSAGE and allow to send another STREAM
> request. In this way I wouldn't need to reconnect every time if I want
> to scan few files.

This will cause the problem I've described in my previous mail - will
block the command socket with big files.

Best regards,
Tomasz Kojm
-- 
  oo.   [EMAIL PROTECTED]
 (\/)\. http://www.konarski.edu.pl/~zolw
\..._   I nie zapomnij kliknac w brzuszek... 
  //\   /\\ - C. Amboinensiswww.pajacyk.pl

