On Monday 03 February 2014 21:30:38 Kris Deugau did opine:

> Gene Heskett wrote:
> > On Sunday 02 February 2014 09:12:36 G.W. Haywood did opine:
> >> You might be. IF I understand what you're doing, it seems to me that
> >> you're piping a stream of data to the standard input of a process and
> >> asking that process to scan the stream for interesting things. You
> >> aren't telling it where the stream comes from, so it doesn't know, so
> >> it can't tell you anything other than what it finds in the anonymous
> >> stream. I suppose it could tell you a byte offset from the start of
> >> the stream if it counted the bytes, but that wouldn't be a lot of use
> >> if the stream came from the concatenation of half a million files.
> >>
> >> In effect, you're saying "What's in this anonymous stream of data?"
> >
> > Wrong concept, it's being used on each incoming email, even before SA
> > looks at it. Point being that the email will normally have a subject
> > line which, when the mail has been sorted into the incoming kde
> > folders, knowing the subject line contents would go a long way toward
> > identifying the mail.
>
> I'm not sure how much clamav really "knows" about whether it's scanning
> an email or an executable blob. It's smart enough to dig into
> attachments to emails, but there is only a limited amount of
> intelligence there.
>
> My own favourite ClamAV integration glue, the MIMEDefang milter, does
> its own work to split off attachments and untangle "email" into "files"
> (more or less), and then points Clam at the whole set, on the
> not-unlikely chance Clam can't decode the attached file(s) from the
> email message. IIRC some time ago, there were a number of viruses that
> produced either broken or obscure MIME, and ClamAV couldn't find the
> virus in the complete email, but when it was fed the detached and
> decoded file, it triggered just fine.
>
> > One other item I just found that I do not like. When clamav is
> > restarted at reboot time, it wipes the existing
> > /var/log/clamav/clamav.log file, destroying any interesting records
> > from yesterday. That's not at all nice. It really, REALLY, needs to
> > be maintained by logrotate.
>
> File a bug with your Linux distribution; I agree this is poor behaviour
> but I've never seen it happen on the RHEL/CentOS systems or Debian
> systems I've used ClamAV on.

Humm, I built this one from the tarball when the distro stopped updating
in the 96.x time frame. Something I can fix in /etc/clamav/clam.conf
maybe?

> -kgd
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> http://www.clamav.net/support/ml

Cheers, Gene
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Gene's Web page <http://geneslinuxbox.net:6309/gene>
NOTICE: Will pay 100 USD for an HP-4815A defective but complete probe assembly.
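An added example, not from anyone in the thread, of what "maintained by logrotate" could look like for the log file Gene names. It assumes clamd runs as user and group clamav and writes its PID to /var/run/clamav/clamd.pid (both assumptions to adjust for the local install), and relies on clamd reopening its log file on SIGHUP as documented in clamd(8).

```conf
# Added example: logrotate stanza for the ClamAV daemon log discussed in
# the thread. Assumed: clamd runs as user/group "clamav" and writes its PID
# to /var/run/clamav/clamd.pid; change both to match the local install.
# Keeping rotated copies is what preserves yesterday's detection records
# for later review, which truncation at restart destroys.
/var/log/clamav/clamav.log {
    daily
    rotate 30            # keep a month of history for later review
    compress
    delaycompress        # most recent rotated file stays uncompressed
    missingok
    notifempty
    create 0640 clamav adm
    sharedscripts
    postrotate
        # clamd reopens its log on SIGHUP (see clamd(8)), so rotation
        # needs no restart and therefore no truncation of the live file.
        if [ -f /var/run/clamav/clamd.pid ]; then
            kill -HUP "$(cat /var/run/clamav/clamd.pid)" 2>/dev/null || true
        fi
    endscript
}
```

This only takes care of rotation; whatever truncates the file at reboot (the init script or a clamd setting) is a separate question the thread leaves open.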