On Fri, 18 Feb 2005 15:45:54 -0600 (CST), Damian Menscher <[EMAIL PROTECTED]> wrote:
> Latest version of clamav, or clamdwatch?

Latest version of clamdwatch (0.7.1, as distributed with clamav 0.83).

> Why is the most recent version required (I'm assuming some new
> functionality is required, but when was that functionality introduced)?
> Can you give us a preview of what the new signature will be so we can
> prepare ourselves?

AFAIK, the updated Eicar signature used by clamav will enforce the rule that it may be no more than 128 bytes long and only contains whitespace after the signature itself.

Older versions of clamdwatch contain the Eicar signature within the Perl script itself. They feed the entire Perl script to clamd to check if it detects the Eicar signature. Until now this would work fine. From Monday the >128 bytes and lots of non-whitespace nature of the script will mean that clamd will not detect the Eicar signature in the clamdwatch script.

Newer versions (use 0.7.1) of clamdwatch write a temporary file containing only the Eicar virus. Equals < 128 bytes and nothing but Eicar goodness in the file. This is fed to clamd, which detects the Eicar signature now and after Monday, resulting in happy sysadmins.

This functionality was first introduced in clamdwatch v0.7rc1 (12/09/2004), I believe, but you want the current 0.7.1 version.

The Eicar string itself hasn't changed, AFAIK, but clamav was forgiving in interpreting the string itself anywhere in a file as sufficient to make a positive match, whereas the "standard" specifies "It may be optionally appended by any combination of whitespace characters with the total file length not exceeding 128 characters." (http://www.eicar.org/anti_virus_test_file.htm)

Hope this helps,

-- des
-- http://frommars.org/
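
The forgiving match and the stricter rule described in the message above, side by side, as an added example that is not part of the original post and is not clamav or clamdwatch code. The function names are hypothetical, both sample inputs are constructed, and the set of accepted trailing whitespace bytes is an assumption.

```python
"""Forgiving vs. strict EICAR matching, modelled on the rule quoted above."""

# The standard 68-byte EICAR test string, built from pieces so that the
# contiguous string does not appear in this source file.
EICAR = (rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
         + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"
         + rb"$H+H*")

MAX_LEN = 128
# Assumption: "whitespace" means space, tab, LF, CR and Ctrl-Z.
TRAILING_WS = b" \t\n\r\x1a"


def forgiving_match(data: bytes) -> bool:
    """Old behaviour per the post: the string anywhere in the file matches."""
    return EICAR in data


def strict_match(data: bytes) -> bool:
    """String first, only whitespace after it, total length <= 128 bytes."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    return all(b in TRAILING_WS for b in data[len(EICAR):])


# Constructed sample: a watchdog script that embeds the string and is
# submitted to the scanner as a whole (not clamdwatch source).
OLD_STYLE_SCRIPT = (b"#!/usr/bin/perl\n# constructed sample\n"
                    b"my $sig = '" + EICAR + b"';\nprint \"scan me\\n\";\n")

# Constructed sample: a temporary file holding only the test string.
TEMP_FILE = EICAR + b"\n"


def report() -> dict:
    """Return {sample name: (forgiving result, strict result)}."""
    samples = {"old_style_script": OLD_STYLE_SCRIPT, "temp_file": TEMP_FILE}
    return {n: (forgiving_match(d), strict_match(d)) for n, d in samples.items()}


if __name__ == "__main__":
    for name, (loose, strict) in report().items():
        print(f"{name:18} forgiving={loose} strict={strict}")
```

A watchdog that only passes under the forgiving match would report the scanner as broken once the strict rule applies, which is the false alarm the upgrade avoids.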