aCaB wrote:
> li...@truthisfreedom.org.uk wrote:
> > I guess my question is two-fold:
> > a) Is this possible with ClamAV or do I need to look elsewhere?
> > b) What's the best way to achieve this.
>
> Hi,
> It is certainly possible.
> As for the HOW, that mostly depends on how you interface with the ftp
> server.
> If your ftpd accepts only a YES/NO type of answer (which I presume), and
> can't take actions based on the reported virus name then you'll need to
> be a bit creative.
> For example you run a main clamd with the full db loaded which reports
> to the ftpd. This should keep away most of the known badware.
> Then you scan each uploaded file a second time but with only one or a
> few custom signatures (e.g. "base64_decode") and report the "suspect"
> file to yourself.
> How to trigger this second scan depends again on your ftpd. If it's got
> post-upload hooks, then you should probably use them. Otherwise you can
> set up a small cron job using "find -mtime" and clamscan to check the
> whole ftp space.

OK, sounds like a plan. I love the theory, just need to check the servers
can cope with the load (there are well over 100,000 sites where we're
looking to implement this!)
I'll look into the post-upload.
Thanks,
M.
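
The cron-driven second pass suggested in the quoted reply, as an added example that is not part of the original thread: it builds a one-signature ClamAV `.ndb` database for a literal string and runs clamscan over recently modified files only. The signature name, the `/srv/ftp` default and the script's own `--scan` switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example: second-pass scan with a single custom signature.
# Signature name, default path and the --scan switch are assumptions.

# Emit one ClamAV extended-signature (.ndb) line: Name:TargetType:Offset:HexSig
# TargetType 0 = any file type, Offset * = match anywhere in the file.
ndb_line() {  # usage: ndb_line <sig-name> <literal-string>
    hex=$(printf '%s' "$2" | od -An -tx1 | tr -d ' \n')
    printf '%s:0:*:%s\n' "$1" "$hex"
}

# List regular files modified within the last <days> days, one per line.
recent_uploads() {  # usage: recent_uploads <ftp-root> <days>
    find "$1" -type f -mtime "-$2" -print
}

# Scan only the recent files, against only the custom database.
# Matching paths are printed; under cron that output is mailed to the owner.
second_pass() {  # usage: second_pass <ftp-root> <days> <sigdb>
    list=$(mktemp) || return 1
    recent_uploads "$1" "$2" > "$list"
    status=0
    if [ -s "$list" ]; then
        # clamscan exits 1 when a signature matched; 2 or more is a real error.
        clamscan --database="$3" --file-list="$list" \
                 --infected --no-summary || status=$?
    fi
    rm -f "$list"
    [ "$status" -le 1 ]
}

# Example cron entry:  15 * * * *  /usr/local/bin/second-pass.sh --scan /srv/ftp
if [ "${1:-}" = "--scan" ]; then
    db=$(mktemp -d)/suspect.ndb
    ndb_line "Suspect.Upload.Base64Decode" "base64_decode" > "$db"
    second_pass "${2:-/srv/ftp}" 1 "$db"
fi
```

Loading one short signature instead of the full database keeps each clamscan start cheap, and `--file-list` means a single process handles the whole batch rather than one process per file.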