[Clamav-users] Amavisd-new/clamav not catching attached sort-of-mime parts
Sorry for the crosspost, but I'm not really sure where this one belongs.

I'm trialling amavisd-new (-p9) and clamav (up to and including 0.73) by
running it over the virus archive created by our existing amavisd-new/uvscan
setup. It seems that there is a category of messages that uvscan catches but
clamav misses.

If a forwarded message, or digest, or similar message contains a virus with
its original MIME boundaries, neither amavisd nor clamav seems to attempt to
interpret it as a separate MIME part. The message containing the virus is
either not a multipart message or has its own MIME boundaries. I understand
that a compliant client would not attempt to interpret this as an attachment,
but I'd rather see my scanner be more aggressive in looking for attachments
than trust that all the MUAs behind me are well-behaved.

For example, the following was caught as a virus by uvscan when it appeared
inline in a message digest. Clamav missed it. Amavisd-new didn't save it as a
separate file in the /tmp/amavis//parts directory.

  --luqzgpxlkepsvagxljox
  Content-Type: application/octet-stream; name="Info.exe"
  Content-Transfer-Encoding: base64
  Content-Disposition: attachment; filename="Info.exe"

  TVoAAAEC//8AAEAAQAC0TM0h
  [rest of virus payload snipped]

Would it make sense to look for, say, sequences of Base64 encoding even when
there is no MIME context and try and treat them as message parts?

cheers
rob c

___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
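The "more aggressive" look Rob is asking for, as an added example in Python (not code from the original post, and not how ClamAV or amavisd actually parse mail): it ignores the declared MIME structure, finds any run of Content-* headers followed by a blank line and base64 lines anywhere in the raw text, decodes each one and reports what the bytes look like. The digest message and the "Info.exe" payload are constructed for the example; the payload is 64 harmless bytes that merely begin with the DOS/PE "MZ" signature, not the sample from the post. For contrast, declared_parts() shows what a compliant MIME parser (Python's email module) sees in the same message: a single text/plain body.

```python
"""
Added example: locate MIME-part headers plus a base64 body that sit inside a
message's text without being declared by an enclosing multipart boundary,
decode them, and say what they look like. Not ClamAV/amavisd code.
"""
import base64
import binascii
import email
import re

# Constructed stand-in for the "virus": 64 bytes that only start with the
# DOS/PE 'MZ' signature. It is not executable code.
FAKE_EXE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48

# Constructed digest: a NON-multipart text/plain message that pastes in a
# forwarded message together with its original MIME boundary lines.
SAMPLE_DIGEST = (
    "From: digest-owner@example.test\n"
    "To: list@example.test\n"
    "Subject: [list] Digest, Vol 1, Issue 7\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "Message 3 of 7\n"
    "From: someone@example.test\n"
    "Subject: Re: your document\n"
    "\n"
    "Please see attached.\n"
    "\n"
    "--luqzgpxlkepsvagxljox\n"
    'Content-Type: application/octet-stream; name="Info.exe"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="Info.exe"\n'
    "\n"
    + base64.encodebytes(FAKE_EXE).decode("ascii")
    + "--luqzgpxlkepsvagxljox--\n"
    "\n"
    "End of digest.\n"
)

# One Content-* header line, with optional folded continuation lines.
HEADER_LINE = r"^Content-[A-Za-z-]+:.*(?:\n[ \t].*)*\n"
# A block of such headers, a blank line, then one or more base64-only lines.
ORPHAN_PART_RE = re.compile(
    rf"(?P<headers>(?:{HEADER_LINE})+)\n(?P<body>(?:[A-Za-z0-9+/=]+\n)+)",
    re.MULTILINE,
)

MAGIC = {b"MZ": "dos-or-pe-executable", b"PK\x03\x04": "zip", b"\x7fELF": "elf"}


def classify(blob):
    """Cheap file-type guess from the first bytes; 'unknown' is still scanned."""
    for magic, kind in MAGIC.items():
        if blob.startswith(magic):
            return kind
    return "unknown"


def declared_parts(raw):
    """Content types a compliant MIME parser yields for the message."""
    msg = email.message_from_string(raw)
    return [part.get_content_type() for part in msg.walk()]


def find_orphan_parts(raw):
    """Header+base64 blocks found anywhere in the raw text, decoded, regardless
    of whether any multipart boundary declares them."""
    found = []
    for m in ORPHAN_PART_RE.finditer(raw):
        headers = m.group("headers")
        if not re.search(r"^Content-Transfer-Encoding:\s*base64", headers, re.I | re.M):
            continue
        try:
            blob = base64.b64decode("".join(m.group("body").split()), validate=True)
        except (binascii.Error, ValueError):
            continue  # looked like base64 but is not; e.g. a short word on its own line
        name = re.search(r'(?:filename|name)="?([^";\r\n]+)"?', headers)
        found.append({
            "name": name.group(1) if name else None,
            "size": len(blob),
            "kind": classify(blob),
            "data": blob,  # in a scanner this is what you hand to clamd
        })
    return found


if __name__ == "__main__":
    print("declared parts:", declared_parts(SAMPLE_DIGEST))
    for part in find_orphan_parts(SAMPLE_DIGEST):
        print(f"orphan part: name={part['name']!r} size={part['size']} kind={part['kind']}")
```

The heuristic is deliberately loose (any Content-* header run followed by word-only lines qualifies), so what it finds should be fed to the scanner rather than acted on directly; the decode-and-validate step already discards most accidental matches, since prose rarely decodes as valid base64 of useful length.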
[Clamav-users] Re: [AMaViS-user] Amavisd-new/clamav not catching attached sort-of-mime parts
Following up my own question ...

On Thu, Jun 17, 2004 at 02:19:42PM +1000, Rob Chanter wrote:
>
> Would it make sense to look for, say, sequences of Base64 encoding
> even when there is no MIME context and try and treat them as message
> parts?

Nobody else has this problem? (apart from the lurkers who support me in
email ;-))

Does the development snapshot have more aggressive checking for
might-or-might-not-be MIME parts?

rob c
Re: [Clamav-users] What to use with clamav?
On Mon, Aug 02, 2004 at 10:02:32AM -0400, Randall Perry wrote:
> I installed and tested clamav successfully on Mac OS 10.3.4 using
> darwinports.
>
> I've read through the clamav docs but am thoroughly confused as to which of
> the many smtp interface options to use. I was going to try milter, but can't
> find any docs anywhere on where to get milter and how to configure it.
>
> Little help?

MacOSX 10.3.x uses Postfix. I'd suggest using amavisd-new. The README.postfix
that comes with amavisd-new should get you going.

cheers
rob
Re: [Clamav-users] freshclam --quiet warnings/bugs
On Sun, Aug 15, 2004 at 05:31:54PM +0200, Micha Silver wrote:
>
> > I would love to get emailed a notice when the virus database
> > has been updated, and when it tried but failed.
>
> I use the two options in freshclam.conf: OnUpdateExecute and OnErrorExecute
> to call a small script that sends me a success (or failure when that
> happens) message each time. "Quick and dirty". Works fine.

I do the same. I leave the retries to my freshclam-failed.sh script.

freshclam-update.sh:
-
#!/bin/sh
# Mail details of a successful DB update to virusadmin.

# Set notify address as required
VIRUSADM="[EMAIL PROTECTED]"

# Environment and scratch files.
SIGTOOL="/usr/local/bin/sigtool"
VIRUSDBDIR="/var/amavisd/virusdb"
MYHOSTNAME=`/usr/bin/hostname`
VINFO="/tmp/siginfo.`date +%H%M%S`"

# shouldn't be necessary if clam was linked correctly
LD_LIBRARY_PATH=/usr/local/lib
export LD_LIBRARY_PATH

for i in ${VIRUSDBDIR}/*.cvd
do
    echo >> $VINFO
    echo "SIGTOOL INFO FOR ${i}" >> $VINFO
    echo >> $VINFO
    ${SIGTOOL} --stdout --info $i >> $VINFO
    echo >> $VINFO
done

mailx -s "freshclam update succeeded for ${MYHOSTNAME}" $VIRUSADM <$VINFO
rm $VINFO
-

freshclam-failed.sh:
-
#!/bin/sh
# Mail to be sent when freshclam fails.

# Set notify address as required
VIRUSADM="[EMAIL PROTECTED]"

MYHOSTNAME=`/usr/bin/hostname`
FCINFO="/tmp/fcinfo.`date +%H%M%S`"

echo "The ClamAV updater freshclam has failed for some reason." >>$FCINFO
echo "Please investigate (/var/log/clamav.log might be useful)." >>$FCINFO
echo >>$FCINFO
echo "Trying again ..." >>$FCINFO
echo >>$FCINFO

# try again and touch the "failed" file if it still fails so we know
# when the last actual failure was.
/usr/local/bin/freshclam --stdout \
    --on-error-execute="touch /var/amavisd/freshclam-failed" >>$FCINFO

mailx -s "Freshclam update FAILED on ${MYHOSTNAME}" $VIRUSADM <$FCINFO
rm $FCINFO
-
Re: [Clamav-users] freshclam --quiet warnings/bugs
On Tue, Aug 17, 2004 at 09:04:11AM +0200, Tomasz Papszun wrote:
> On Tue, 17 Aug 2004 at 12:58:34 +1000, Rob Chanter wrote:
> [...]
> > VINFO="/tmp/siginfo.`date +%H%M%S`"
> [...]
> > echo >> $VINFO
> [...]
> > FCINFO="/tmp/fcinfo.`date +%H%M%S`"
> [...]
> > echo "The ClamAV updater freshclam has failed for some reason." >>$FCINFO
> [...]
>
> Such setup is vulnerable to "/tmp file race condition" (the filenames
> are very predictable).
> You'd better use files in a directory writable only by the user
> executing the scripts or use mktemp(1) to create unique filenames.
> You remove the files at the end of scripts, so having nice-looking names
> isn't needed anyway.

You're absolutely right. On Linux I'd use mktemp(1), but that's not on these
Solaris boxes (there's only the library call, so I'd have to write my own
wrapper utility, and a couple of extra lines of shell is so much less effort).
I figured that having per-second timestamps would be reasonable protection
from accidental (not malicious) race conditions, but I'd be better off moving
them into a space owned by the scanner user. So here's a newer example:

#!/bin/sh
# Mail details of a successful DB update to virusadmin.

# Set notify address as required
VIRUSADM="[EMAIL PROTECTED]"

# Environment and scratch files.
SIGTOOL="/usr/local/bin/sigtool"
SCANNER_BASE="/var/amavisd"
VIRUSDBDIR="${SCANNER_BASE}/virusdb"
MYHOSTNAME=`/usr/bin/hostname`
VINFO="${SCANNER_BASE}/siginfo.$$.`date +%H%M%S`"

LD_LIBRARY_PATH=/usr/local/lib
export LD_LIBRARY_PATH

for i in ${VIRUSDBDIR}/*.cvd
do
    echo >> $VINFO
    echo "SIGTOOL INFO FOR ${i}" >> $VINFO
    echo >> $VINFO
    ${SIGTOOL} --stdout --info $i >> $VINFO
    echo >> $VINFO
done

mailx -s "freshclam update succeeded for ${MYHOSTNAME}" \
    $VIRUSADM <$VINFO
rm $VINFO

cheers
rob
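The /tmp race Tomasz describes, replayed as an added Python example (not code from the thread, and not a rewrite of the scripts above): an attacker who can guess the name the cron job will use plants a symlink there first, and the script's `>>` append then lands in whatever the link points at. The same run then shows the two fixes, exclusive creation (O_EXCL) and tempfile.mkstemp(), which is Python's equivalent of mktemp(1). Assumptions: a freshly made scratch directory stands in for a world-writable /tmp, the victim file and its contents are constructed, and the predictable name siginfo.120000 is what the `siginfo.$(date +%H%M%S)` scheme yields at 12:00:00.

```python
"""
Added example: replay a predictable-name /tmp race and show two fixes.
Nothing here is from the mailing-list scripts; it only mirrors their
naming scheme.
"""
import os
import shutil
import stat
import tempfile

PREDICTABLE_NAME = "siginfo.120000"  # what siginfo.$(date +%H%M%S) yields at 12:00:00


def unsafe_append(path, text):
    """Equivalent of `echo "$text" >> "$path"`: O_CREAT|O_APPEND with no O_EXCL,
    so a symlink already sitting at `path` is followed and its target written."""
    with open(path, "a") as fh:
        fh.write(text)


def safe_create(path):
    """Create `path` only if nothing is there yet. O_EXCL makes open(2) fail with
    EEXIST for any pre-existing name, dangling symlink included, so an attacker
    can at worst cause a failure, not redirect the write. Mode 0600 keeps the
    contents private whatever the caller's umask is."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    return os.fdopen(fd, "w")


def demo():
    """Run the attack and both fixes in a private scratch directory that stands
    in for /tmp. Returns the observable outcomes."""
    workdir = tempfile.mkdtemp(prefix="tmprace-demo.")
    try:
        # A file the scanner user can write to; the attacker wants to modify it.
        victim = os.path.join(workdir, "victim.txt")
        with open(victim, "w") as fh:
            fh.write("original\n")

        # Attacker, ahead of the cron job, plants a symlink under the name the
        # script is about to use.
        planted = os.path.join(workdir, PREDICTABLE_NAME)
        os.symlink(victim, planted)

        # Victim script runs: the append goes into victim.txt, not a new file.
        unsafe_append(planted, "SIGTOOL INFO FOR main.cvd\n")
        with open(victim) as fh:
            victim_after = fh.read()

        # Fix 1: exclusive create refuses the planted name outright.
        try:
            safe_create(planted).close()
            refused = False
        except FileExistsError:
            refused = True

        # Fix 2: mkstemp() picks an unpredictable name and uses O_EXCL + 0600.
        fd, name = tempfile.mkstemp(prefix="siginfo.", dir=workdir)
        mode = stat.S_IMODE(os.fstat(fd).st_mode)
        os.close(fd)

        return {
            "victim_after": victim_after,
            "exclusive_create_refused": refused,
            "mkstemp_mode": mode,
            "mkstemp_in_workdir": os.path.dirname(name) == workdir,
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Moving the scratch file into a directory only the scanner user can write to, as the newer script above does, removes the attacker's ability to plant anything there in the first place; O_EXCL (or mktemp) is the defence that still holds when the directory is shared.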
Re: [Clamav-users] new Wiki site
On Sat, Nov 06, 2004 at 01:33:41PM +0100, Thomas Lamy wrote:
> Luca Gibelli wrote:
> > Hello Graham Toal,
> >
> > > What's needed is an installation script which installs a completely
> > > independent copy in one of two locations, so you can double-buffer
> > > the installs.
> >
> > "./configure --prefix=path" can already do that.
>
> along with --program-prefix=test_ so clamd becomes test_clamd etc. This
> avoids later confusion...

We manage multiple versions of clam via graft. Works great. We can test new
versions in place non-intrusively and switch easily between 'active'
versions.

http://www.gormand.com.au/peters/tools/graft/graft.html

cheers
rob
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] GMP must be in /usr and not /usr/local
On Wed, Nov 10, 2004 at 04:45:07PM -0600, Alex S Moore wrote:
> On Wed, 2004-11-10 at 14:24 -0800, Sakshale eQuorian wrote:
> > Hi;
> >
> > Since I wanted to upgrade to 8.0, I decided to install
> > GMP on my solaris box to get rid of the "SECURITY WARNING"
> > that came with version 7.0.
> >
> > Shouldn't /usr/local/include be included in the path?
> > Especially given that I built clamav to run in /usr/local.
>
> I would not put anything in /usr. There are options that you should use
> when building programs, such as CFLAGS, LDFLAGS, LD_OPTIONS, to point to
> other locations, for things like -I, -L, -R respectively.

Specifically, the below 'configure' line works for me on Solaris. There is no
'-lgmp' needed because the configure script picks that up. The installation
prefix and user/group are, obviously, specific to our site. Also, on Solaris 9
(and 8, I think) make sure you build clam and gmp to the same ABI. We compiled
gmp as 32-bit and clamav with the defaults.

ABI=32 ./configure --prefix=/usr/local/graft/gmp-
make
make install
graft -v -i gmp-

LDFLAGS='-L/usr/local/lib -R/usr/local/lib -lgcc_s' \
./configure --prefix=/usr/local/graft/clamav- \
    --with-user=amavisd --with-group=amavisd
make
make install

The man page for ld(1) has all the info you might need. Alternatively, you
could look at crle(1) to define additional system library locations.

(P.S. graft is great for managing clamav installations:
http://www.gormand.com.au/peters/tools/graft/graft.html)

cheers
rob
Re: [Clamav-users] Virus not detected by clamav
On Mon, Dec 19, 2005 at 08:39:10AM -0800, Dennis Peterson wrote:
>
> In fact it would be nice to have a command line switch that generates a
> listing of what is seen and understood by the applications after reading
> the clamd.conf and freshclam.conf files, as well as where they were found.

Postfix's postconf(1) is an excellent model for this:

postconf [no args]: print the entire running config
postconf <variable>: print just that variable. -h to omit the 'name=' part.
postconf -d: print the default values of known config variables
postconf -n: print only non-default or explicitly set variables
postconf -e: edit a config variable

There are other options to list supported map types and locking methods that
wouldn't be as relevant to a theoretical clamconf(1).

It's scripting-friendly, and gives a standard set of installation info to
post to the ML for help. There are plenty of apps I have to deal with that I
wish had an equivalent of postconf.

cheers
rob
___
http://lurker.clamav.net/list/clamav-users.html
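A toy of the postconf model applied to a clamd.conf-format file, as an added Python example (not code from the thread and not a ClamAV tool): parse the "Directive Value" syntax, then answer the three questions postconf answers, the effective running value of every known directive (no arguments), only what the file sets and how it differs from the built-in default (-n), and the value of one directive (-h). The DEFAULTS table and the sample config are constructed for the example; a real tool would take its defaults from the same source as the daemon rather than a hand-written table. The bare "Example" line is handled because the shipped clamd.conf carries one and clamd will not start until it is removed.

```python
"""
Added example: a postconf-style inspector for clamd.conf-format files.
Defaults below are CONSTRUCTED for the example, not ClamAV's real values.
"""
import re

DEFAULTS = {  # constructed; stands in for the daemon's built-in defaults
    "LogFile": "",
    "LogTime": "no",
    "MaxThreads": "10",
    "MaxDirectoryRecursion": "15",
    "ScanMail": "yes",
    "ScanArchive": "yes",
}

SAMPLE_CLAMD_CONF = """\
# constructed clamd.conf for the example
#Example
LogFile /var/log/clamav/clamd.log
LogTime yes
MaxThreads 10
LocalSocket /var/run/clamav/clamd.sock
ScanArchive no
"""


def parse(text):
    """Parse 'Directive Value' lines. Blank and '#' lines are skipped; a bare
    'Example' line is reported separately, since clamd refuses to run with it
    present; a directive given more than once collects a list of values
    (e.g. several ExcludePath lines). Returns (settings, example_present)."""
    cfg, example = {}, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "Example":
            example = True
            continue
        m = re.fullmatch(r"([A-Za-z]\w*)\s+(\S.*)", line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        key, value = m.group(1), m.group(2).rstrip()
        if key in cfg:
            prev = cfg[key]
            cfg[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            cfg[key] = value
    return cfg, example


def effective(cfg, defaults=DEFAULTS):
    """`postconf` with no arguments: every known directive with the value the
    daemon would actually run with (file value if set, else built-in default)."""
    merged = dict(defaults)
    merged.update(cfg)
    return merged


def non_default(cfg, defaults=DEFAULTS):
    """`postconf -n`, tightened to settings that differ from the default: the
    minimum someone asking for help on the list needs to paste."""
    return {k: v for k, v in cfg.items() if defaults.get(k) != v}


def lookup(cfg, name, defaults=DEFAULTS):
    """`postconf -h name`: the single effective value, or None if unknown."""
    return effective(cfg, defaults).get(name)


def render(settings):
    """Emit 'Directive Value' lines, i.e. the syntax the daemon reads, so the
    output diffs cleanly between hosts and can be fed back in as a config."""
    lines = []
    for key in sorted(settings):
        values = settings[key] if isinstance(settings[key], list) else [settings[key]]
        lines.extend(f"{key} {v}".rstrip() for v in values)
    return "\n".join(lines)


if __name__ == "__main__":
    settings, example_present = parse(SAMPLE_CLAMD_CONF)
    print("Example line present:", example_present)
    print("--- non-default (postconf -n) ---")
    print(render(non_default(settings)))
    print("--- effective (postconf) ---")
    print(render(effective(settings)))
```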
Re: [Clamav-users] how to upgrade ClamAV-0.87 into ClamAV-0.88.4?
On Sat, Oct 07, 2006 at 09:09:41PM -0700, Dennis Peterson wrote:
> Galactic wrote:
> > You have to upgrade ClamAV to the next version. Right now, the
> > current version of ClamAV is 0.88.4-1. You update your def's by
> > running freshclam.
> >
> > Franklyn
> >
>
> Where did that version number come from? The one I see on the official
> site is 0.88.4.
>

The convention in most Linux package systems is to append the package version
at the end of the software version. So 0.88.4-2, if there was one (for a
particular distro), would fix packaging bugs in 0.88.4-1, but be based on the
same code release.

cheers
rob