Hi,
Following the long thread of "Idea for more timely virusdb updates", I have put together
a basic system of putting daily.cvd in DNS TXT records.
It stores current version of daily.cvd, new signatures, and what time a particular signature was added.
Which means the next time clamav comes up with a signature sooner than other AV vendors, we'll
have a record of it without having to look up each mail from clamav-db :)
This is still an early version, so record names might change (or added, or even removed) later.
Here's how it works:
- current daily.cvd version number : version.daily.db.clamav.or.id.
- number of viruses in that daily.cvd : count.daily.db.clamav.or.id.
- number of new viruses (compared to the previous daily.cvd) : newcount.daily.db.clamav.or.id.
- release date of a daily.cvd version : added.VERSION_NUMBER.daily.db.clamav.or.id
- daily.cvd version number when a virus was added : version.VIRUS_NAME.virus.daily.db.clamav.or.id
- virus signatures : *.signature.daily.db.clamav.or.id (See examples below)
DNS records are updated as necessary, with checks run every 5 minutes with data from an official mirror.
Note that I started with daily.cvd version 450, so newcount is now = count and all virus signatures are displayed.
In next db update, "newcount" should be a lot smaller than "count".
If the current version is greater than your previously recorded version, you can run freshclam manually.
Or you could also build your own db which only contains new viruses.
It's a little complicated, but possible. See examples below.
I can put together some scripts to automate the process described in the example later.
Let me know what you think of it.
Regards,
Fajar http://justreadthis.com/
===================================================================================
Examples :
============================================================
(1) Getting db version
[EMAIL PROTECTED] clamdsndb]# host -t txt version.daily.db.clamav.or.id
version.daily.db.clamav.or.id text "450"
============================================================
(2) Getting release date of a daily.cvd :
[EMAIL PROTECTED] clamdsndb]# host -t txt added.450.daily.db.clamav.or.id
added.450.daily.db.clamav.or.id text "2004081317"
450 is the version, 2004081317 is YYYYMMDDHH the daily.cvd was added.
=============================================================
(3) Getting db version of a virus :
[EMAIL PROTECTED] clamdsndb]# host -t txt version.Trojan.Proxy.Agent.AT.virus.daily.db.clamav.or.id
version.Trojan.Proxy.Agent.AT.virus.daily.db.clamav.or.id text "450"
============================================================
(4) Building an incremental .db (or listing new viruses in that db version):
- get new virus count
[EMAIL PROTECTED] clamdsndb]# host -t txt newcount.daily.db.clamav.or.id
newcount.daily.db.clamav.or.id text "1597"
- get new virus name, if necessary. Note that "450" is the db version, and "0" is the
virus number (starting from 0 to value_of_newcount.daily.db.clamav.or.id minus 1) :
[EMAIL PROTECTED] clamdsndb]# host -t txt name.0.450.signature.daily.db.clamav.or.id
name.0.450.signature.daily.db.clamav.or.id text "Oror-fam"
- see how many TXT records are needed to store the virus signature :
[EMAIL PROTECTED] clamdsndb]# host -t txt span.0.450.signature.daily.db.clamav.or.id
span.0.450.signature.daily.db.clamav.or.id text "1"
- get the actual virus signature. The first "0" is the sequence number. If span is 1
then there's only one sequence (which is 0).
[EMAIL PROTECTED] clamdsndb]# host -t txt 0.0.450.signature.daily.db.clamav.or.id
0.0.450.signature.daily.db.clamav.or.id text "Oror-fam (Clam)=495243*56697275*53455859330f5455*4b617a61*536e617073686f"
If the signature is longer than 250 chars, span will be greater than 1 and more than 1 sequence is needed :
[EMAIL PROTECTED] clamdsndb]# host -t txt name.1595.450.signature.daily.db.clamav.or.id
name.1595.450.signature.daily.db.clamav.or.id text "Trojan.Proxy.Agent.AT"
[EMAIL PROTECTED] clamdsndb]# host -t txt span.1595.450.signature.daily.db.clamav.or.id
span.1595.450.signature.daily.db.clamav.or.id text "2"
[EMAIL PROTECTED] clamdsndb]# host -t txt 0.1595.450.signature.daily.db.clamav.or.id
0.1595.450.signature.daily.db.clamav.or.id text "Trojan.Proxy.Agent.AT (Clam)=1e256262ead02065bb855c998659396ccd561300e120ebfee524667cd0c5cbdce84eedac952b6bd413bdb1db3ec9d19ea533dd76525a26e8f9ee660390a517004b9ea0d0695ae4e0f4e5353e3b72426fab8d099b74577e64e5d8fe5f84ab9b920d2a85b0c66cebe6c4a4a18553dd2"
[EMAIL PROTECTED] clamdsndb]# host -t txt 1.1595.450.signature.daily.db.clamav.or.id
1.1595.450.signature.daily.db.clamav.or.id text "29bfd622035d7d6c70991bf16c394e00b6484c8477c412aa0788dc915c0d8d41bf72ad424257491"
which makes the signature (concatenate all sequences in order) :
"Trojan.Proxy.Agent.AT (Clam)=1e256262ead02065bb855c998659396ccd561300e120ebfee524667cd0c5cbdce84eedac952b6bd413bdb1db3ec9d19ea533dd76525a26e8f9ee660390a517004b9ea0d0695ae4e0f4e5353e3b72426fab8d099b74577e64e5d8fe5f84ab9b920d2a85b0c66cebe6c4a4a18553dd229bfd622035d7d6c70991bf16c394e00b6484c8477c412aa0788dc915c0d8d41bf72ad424257491"
With those signatures, you can create your own .db file (put the signatures together in one file, separated by newline) and put it in your DatabaseDirectory folder.
============================================================
_______________________________________________
Clamav-users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/clamav-users
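The version check and incremental-.db procedure from example (4) above, put together as an added Python script (it is not from the post or the ClamAV project). It assumes the record layout exactly as documented in the post (version, newcount, name/span/sequence under VERSION.signature.daily.db.clamav.or.id) and that the `host` binary is installed for live queries. The `SAMPLE_RECORDS` dict is a constructed, offline stand-in for the zone so the script runs without DNS; in it the Trojan.Proxy.Agent.AT entry is renumbered to index 1 (it is 1595 in the post) so that newcount can be 2. Because the TXT data is fetched over plain DNS, each reassembled line is checked against the `name=hex` shape of a .db signature before it is written out.

```python
"""Build an incremental ClamAV .db from the daily.db.clamav.or.id TXT records."""
import re
import subprocess
import sys

ZONE = "daily.db.clamav.or.id"

# Constructed sample zone mirroring the record layout in the post (not live DNS data).
# Only used to make the script runnable offline; --live switches to real `host` queries.
SAMPLE_RECORDS = {
    f"version.{ZONE}": "450",
    f"newcount.{ZONE}": "2",
    f"name.0.450.signature.{ZONE}": "Oror-fam",
    f"span.0.450.signature.{ZONE}": "1",
    f"0.0.450.signature.{ZONE}": "Oror-fam (Clam)=495243*56697275*53455859330f5455*4b617a61*536e617073686f",
    # Index 1595 in the post; renumbered to 1 here so newcount=2 covers both samples.
    f"name.1.450.signature.{ZONE}": "Trojan.Proxy.Agent.AT",
    f"span.1.450.signature.{ZONE}": "2",
    f"0.1.450.signature.{ZONE}": "Trojan.Proxy.Agent.AT (Clam)=1e256262ead02065bb855c998659396ccd561300e120ebfee524667cd0c5cbdce84eedac952b6bd413bdb1db3ec9d19ea533dd76525a26e8f9ee660390a517004b9ea0d0695ae4e0f4e5353e3b72426fab8d099b74577e64e5d8fe5f84ab9b920d2a85b0c66cebe6c4a4a18553dd2",
    f"1.1.450.signature.{ZONE}": "29bfd622035d7d6c70991bf16c394e00b6484c8477c412aa0788dc915c0d8d41bf72ad424257491",
}

# A .db line is "name=hex-with-optional-wildcards"; anything else is treated as corrupt.
SIG_RE = re.compile(r"^[^=]+=[0-9A-Fa-f*]+$")


def sample_lookup(name):
    """Resolver over the constructed sample; KeyError stands in for NXDOMAIN."""
    return SAMPLE_RECORDS[name]


def parse_host_output(output):
    """Pull the quoted TXT data out of `host -t txt` output.

    Accepts both the old 'name text "..."' and the newer
    'name descriptive text "..."' forms; multi-string records are joined.
    """
    for line in output.splitlines():
        m = re.search(r'text "(.*)"\s*$', line)
        if m:
            return m.group(1).replace('" "', "")
    raise LookupError("no TXT record in host output")


def host_lookup(name):
    """Live resolver using the same `host -t txt` command as the post (assumes host is installed)."""
    proc = subprocess.run(["host", "-t", "txt", name], capture_output=True, text=True, check=True)
    return parse_host_output(proc.stdout)


def fetch_signature(version, index, lookup):
    """Reassemble signature number `index` of db `version` from its span sequence records."""
    span = int(lookup(f"span.{index}.{version}.signature.{ZONE}"))
    parts = [lookup(f"{seq}.{index}.{version}.signature.{ZONE}") for seq in range(span)]
    sig = "".join(parts)
    if not SIG_RE.match(sig):
        raise ValueError(f"record {index} of version {version} is not a valid .db line: {sig[:40]!r}")
    return sig


def build_incremental_db(lookup, last_seen_version=None):
    """Return (version, [signature lines]) for the new viruses in the current daily.cvd.

    If `last_seen_version` is already current, nothing new is fetched.
    """
    version = int(lookup(f"version.{ZONE}"))
    if last_seen_version is not None and version <= last_seen_version:
        return version, []
    newcount = int(lookup(f"newcount.{ZONE}"))
    return version, [fetch_signature(version, i, lookup) for i in range(newcount)]


def render_db(signatures):
    """Format signatures as a .db file body: one per line, newline separated."""
    return "".join(sig + "\n" for sig in signatures)


if __name__ == "__main__":
    # Usage: python script.py [--live] [last_seen_version] > incremental.db
    live = "--live" in sys.argv
    args = [a for a in sys.argv[1:] if a != "--live"]
    last = int(args[0]) if args else None
    version, sigs = build_incremental_db(host_lookup if live else sample_lookup, last)
    sys.stderr.write(f"daily.cvd version {version}: {len(sigs)} new signature(s)\n")
    sys.stdout.write(render_db(sigs))
```

Without `--live` the script works only against the constructed sample; with `--live` it issues one `host -t txt` query per record (plus one per extra sequence), so a version with a large newcount means several thousand lookups. Redirect stdout to a file in DatabaseDirectory to use the result as the incremental .db the post describes.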