Updated Clam AV monitor

2009-11-02 Thread Nathan Gibbs
Same song, 4th verse.
It's gotta get better, it can't get worse.

Just updated the Clam AV monitor, again.

The bug I thought I killed yesterday wasn't quite dead.
Think I got him this time.

Also,
Thanks Ed for sharing your code, the Eicar-Test is in this release.


-- 
Sincerely,

Nathan Gibbs

Systems Administrator
Christ Media
http://www.cmpublishers.com



___
mon mailing list
mon@linux.kernel.org
http://linux.kernel.org/mailman/listinfo/mon


Re: Updated Clam AV monitor

2009-11-01 Thread Nathan Gibbs
* Ed Ravin wrote:
 Sorry, I should have posted the clamd.monitor used at my shop.
 
 The one from http://www.cmpublishers.com/oss/ checks the TCP
 banner, complains if the socket isn't answered or if you're running
 an outdated clamd (the latter a nice feature which is not in the
 one I've been using).
 

Please don't use the 9-29-2009 release.

 However, the clamd monitor attached to this message goes through
 the steps to actually submit a piece of email for virus scanning,
 and uses the EICAR fake virus to test whether clamd is actually
 going through the message.  That goes a bit deeper into the internals
 and might turn up problems that a simple socket open/close wouldn't.
 

NICE!!!
That is cool.
I'll add that to a future release.

I didn't realize there was a Clamav::Client perl module.
I'll have to use that in a future release too.


 We use a similar monitor for SpamAssassin that uses the corresponding
 fake spam signature to test whether spamd is checking messages - if
 anyone's interested, let me know.
 
   -- Ed

Sure, I could use that.

What's going on right here is what makes Open Source Software so great.



-- 
Sincerely,

Nathan Gibbs

Systems Administrator
Christ Media
http://www.cmpublishers.com






Re: Updated Clam AV monitor

2009-11-01 Thread Nathan Gibbs
* Ed Ravin wrote:
 Sorry, I should have posted the clamd.monitor used at my shop.
 
 The one from http://www.cmpublishers.com/oss/ checks the TCP
 banner, complains if the socket isn't answered or if you're running
 an outdated clamd (the latter a nice feature which is not in the
 one I've been using).
 
 However, the clamd monitor attached to this message goes through
 the steps to actually submit a piece of email for virus scanning,
 and uses the EICAR fake virus to test whether clamd is actually
 going through the message.  That goes a bit deeper into the internals
 and might turn up problems that a simple socket open/close wouldn't.
 


AAAHHH!

Every minute, run clamd.monitor against our servers.

Later that day...
A few hundred emails to our noc with the subject line
VIRUS ALERT: Eicar-Test-Signature

Good News:
The clamds are working right.

:-)

Ed, what does your shop do for clamd's VirusEvent?

If I'm going to use this code, emailing the noc every minute per server
running clamd won't work.


-- 
Sincerely,

Nathan Gibbs

Systems Administrator
Christ Media
http://www.cmpublishers.com






Re: Updated Clam AV monitor

2009-11-01 Thread Ed Ravin
On Sun, Nov 01, 2009 at 04:39:03PM -0500, Nathan Gibbs wrote:
 AAAHHH!
 
 Every minute run clamd.monitor against our servers.
 
 Later that day...
 A few hundred emails to our noc with the subject line
 VIRUS ALERT: Eicar-Test-Signature
...
 If I'm going to use this code, emailing the noc every minute per server
 running clamd won't work.

Indeed.  It all depends on what you want to do - in my opinion, an incoming
virus is hardly worth reporting if it's been identified and the email is
being quarantined.  I'd rather get email about the viruses that haven't
been ID'd and that are about to start running on the network when someone
clicks on them :-(.

Since VirusEvent accepts a command line, you can replace the command
you have there now with a script that filters out the Eicar-Test-Signature
before sending any mail.  You could also not bother with VirusEvent and
look at the syslogs at the end of the day to see what clamd's been up
to.

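One way to implement the VirusEvent filter Ed describes, as an added example (not Ed's or Nathan's code): the EICAR hits from the monitor probes are kept out of the NOC mailbox but still land in syslog for the end-of-day review. The script path and mailbox are placeholders; clamd's `%v` substitution supplies the signature name.

```shell
#!/bin/sh
# Added example, not code from Ed or Nathan: a VirusEvent wrapper that drops
# the EICAR hits produced by clamd.monitor's once-a-minute probes, so the NOC
# only hears about real detections while every hit still reaches syslog.
#
# Assumed clamd.conf line (script path and mailbox are placeholders):
#   VirusEvent /usr/local/sbin/virus-notify.sh "%v"
# clamd replaces %v with the name of the signature that matched.

NOC_MAIL="${NOC_MAIL:-noc@example.invalid}"   # placeholder recipient
HOST_TAG="$(hostname 2>/dev/null || echo unknown-host)"

# Signatures that are expected noise: the monitor's test file and nothing else.
# Exit 0 means "send mail", exit 1 means "log only".
should_notify() {
    case "$1" in
        Eicar-Test-Signature) return 1 ;;
        "")                   return 1 ;;   # malformed event, nothing to report
        *)                    return 0 ;;
    esac
}

# Same subject line the unfiltered setup was already producing.
subject_for() {
    printf 'VIRUS ALERT: %s\n' "$1"
}

main() {
    virus="${1:?usage: $0 signature-name}"
    if should_notify "$virus"; then
        logger -t virus-notify "$HOST_TAG: $virus (notifying $NOC_MAIL)"
        subject_for "$virus" | mail -s "$(subject_for "$virus")" "$NOC_MAIL"
    else
        # Still on record for the end-of-day syslog review, just no mail.
        logger -t virus-notify "$HOST_TAG: suppressed $virus (monitor probe)"
    fi
}

# Only act when clamd actually invoked us with a signature name.
if [ $# -gt 0 ]; then
    main "$@"
fi
```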


Re: Updated Clam AV monitor

2009-10-31 Thread Nathan Gibbs
* Nathan Gibbs wrote:
 I just updated the Clam AV monitor.
 
 
The Clamav Team listed this monitor on their site.






Re: Updated Clam AV monitor

2009-10-31 Thread Jim Trocki

On Sat, 31 Oct 2009, Nathan Gibbs wrote:
 * Nathan Gibbs wrote:
 I just updated the Clam AV monitor.
 
 The Clamav Team listed this monitor on their site.

That's good news, but a URL for it would make the good news better :)



Re: Updated Clam AV monitor

2009-10-31 Thread Nathan Gibbs
* Jim Trocki wrote:
 On Sat, 31 Oct 2009, Nathan Gibbs wrote:
 The Clamav Team listed this monitor on their site.
 
 That's good news, but a URL for it would make the good news better :)
 
 

Oops, my bad.
:-(

http://www.clamav.net/download/third-party-tools/3rdparty-misc

I was so excited, I forgot to add the link.
:-)

-- 
Sincerely,

Nathan Gibbs

Systems Administrator
Christ Media
http://www.cmpublishers.com






Re: Updated Clam AV monitor

2009-10-31 Thread Ed Ravin
Sorry, I should have posted the clamd.monitor used at my shop.

The one from http://www.cmpublishers.com/oss/ checks the TCP
banner, complains if the socket isn't answered or if you're running
an outdated clamd (the latter a nice feature which is not in the
one I've been using).

However, the clamd monitor attached to this message goes through
the steps to actually submit a piece of email for virus scanning,
and uses the EICAR fake virus to test whether clamd is actually
going through the message.  That goes a bit deeper into the internals
and might turn up problems that a simple socket open/close wouldn't.

We use a similar monitor for SpamAssassin that uses the corresponding
fake spam signature to test whether spamd is checking messages - if
anyone's interested, let me know.

-- Ed

#!/usr/local/bin/perl5.6.1

# clamd.monitor - make sure clamd recognizes the EICAR test virus

# Written by Jed Davis.  Released to public (license is GPL) courtesy of
# PANIX Public Access Networks, http://www.panix.com

require 5.006;
use strict;
use Getopt::Std;
use ClamAV::Client;
use IO::String;

my $usage = "clamd.monitor [-d] [-p port] [-t timeout] host [host...]\n";
our ($opt_t, $opt_p, $opt_d);
getopts("p:t:d") || die $usage;
my $tcpport = $opt_p || 9001;
my $timeout = $opt_t || 30;
my $debugp = $opt_d;

# Standard test virus - broken up into two lines to avoid triggering
# anti-virus systems (cough, cough)
# (the list archive mangled the address-like start of the string; this is
# the standard EICAR test string, single-quoted so nothing interpolates)
my $virus = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-' .
    'ANTIVIRUS-TEST-FILE!$H+H*';

my (@failures);
for my $host (@ARGV) {
    my $result = undef;
    eval {
        # install the handler before arming the alarm
        local $SIG{ALRM} = sub { die "Timeout ($timeout seconds)\n" };
        alarm $timeout;
        my $scanner = ClamAV::Client->new(
            socket_host => $host,
            socket_port => $tcpport);
        $result = $scanner->scan_stream(IO::String->new($virus));
        alarm 0;
        print STDERR "DEBUG: $host: ", (defined $result ? $result : 'undef'), "\n"
            if $debugp;
    };
    alarm 0;    # never let a pending alarm fire outside the eval
    if ($@) {
        chomp $@;
        $@ =~ s/^(Could not establish socket connection), tried UNIX domain and TCP sockets at .*/$1/;
        push @failures, [$host, "Exception: $@"];
    } elsif (!$result) {
        push @failures, [$host, "Responded, but failed to recognize test virus"];
    } elsif ($result ne "Eicar-Test-Signature") {
        push @failures, [$host, "Unexpected response: $result"];
    }
}

# mon convention: first line lists the failing hosts, then one detail line each
print join(", ", map { $$_[0] } @failures) . "\n";
print join("", map { "$$_[0]: $$_[1]\n" } @failures);

exit ($#failures >= 0);


Updated Clam AV monitor

2009-10-29 Thread Nathan Gibbs
I just updated the Clam AV monitor.



