Re: [Clamav-users] (no subject)
Spiro Harvey wrote:

Shame you haven't talked to others - like havp for example - before doing this.

The announcement to EOL the old releases was made at the start of October last year. If people using clam as an integral part of their software don't read announcements, what fault is that of the clam developers? They had 6 months to sort it out.

The thing is that there are a few little issues here that, as points of law, are not clear yet. In what follows words like 'vendor' may not be used entirely legally precisely, IANAL, but I am certain that with a bit of squinting my meaning will be clear.

I know that in certain jurisdictions, reaching out to someone else's computer (ie not your property) and disabling functionality on it could constitute a criminal act. I sincerely hope that someone somewhere under such a jurisdiction goes to the police and reports the Clamav developers for such an offense.

Why? Because Clamav is now in the same category as Apple, Amazon and Sony (to name three that come to mind right away). This is the category of vendors who have remotely disabled (or removed) software running on computers or devices belonging to their customers. Not on computers or devices belonging to the vendor and which are leased to customers, but the *property* of those customers.

I believe that this is extremely inappropriate behavior for *any* vendor. I am shocked that an OSS vendor would even consider such an action. Note the massive amount of negative press that Amazon got for remotely deleting copies of George Orwell's 1984 from the Kindle. Sony have recently started remotely disabling Linux functionality on the PS3 iirc. Do we really want the OSS community to be tarred with the same brush? This kind of high-handed arrogance NEEDS to be put down and hard.
I imagine that the Clamav team would be hard put to raise a decent legal defense against this and, so, if they lose such a case a legal precedent could be set which could conceivably deter this kind of thing from larger organisations. I would really love to see that happen even if it destroys the Clamav project. No hard feelings against them, but if Clamav want to set themselves up as sacrificial lambs to test a point of law and it ultimately benefits society at large, great.

--
Please remember that an email is just like a postcard; it is not confidential nor private nor secure and can be read by many other people than the intended recipient. A postcard can be read by anyone at the mail sorting office and expecting what is written on it to be private and secret is not realistic. Please hold no higher expectation of email. If you need to send confidential information in an email you need to use encryption. PGP is Pretty good for this.

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] (no subject)
Jim Preston wrote:

Steve Wray wrote:

Spiro Harvey wrote:

Shame you haven't talked to others - like havp for example - before doing this.

The announcement to EOL the old releases was made at the start of October last year. If people using clam as an integral part of their software don't read announcements, what fault is that of the clam developers? They had 6 months to sort it out.

The thing is that there are a few little issues here that, as points of law, are not clear yet. In what follows words like 'vendor' may not be used entirely legally precisely, IANAL, but I am certain that with a bit of squinting my meaning will be clear.

I know that in certain jurisdictions, reaching out to someone else's computer (ie not your property) and disabling functionality on it could constitute a criminal act. I sincerely hope that someone somewhere under such a jurisdiction goes to the police and reports the Clamav developers for such an offense.

Why? Because Clamav is now in the same category as Apple, Amazon and Sony (to name three that come to mind right away). This is the category of vendors who have remotely disabled (or removed) software running on computers or devices belonging to their customers. Not on computers or devices belonging to the vendor and which are leased to customers, but the *property* of those customers.

I believe that this is extremely inappropriate behavior for *any* vendor. I am shocked that an OSS vendor would even consider such an action. Note the massive amount of negative press that Amazon got for remotely deleting copies of George Orwell's 1984 from the Kindle. Sony have recently started remotely disabling Linux functionality on the PS3 iirc. Do we really want the OSS community to be tarred with the same brush? This kind of high-handed arrogance NEEDS to be put down and hard.
I imagine that the Clamav team would be hard put to raise a decent legal defense against this and, so, if they lose such a case a legal precedent could be set which could conceivably deter this kind of thing from larger organisations. I would really love to see that happen even if it destroys the Clamav project. No hard feelings against them, but if Clamav want to set themselves up as sacrificial lambs to test a point of law and it ultimately benefits society at large, great.

Well, prosecution would be justified if ClamAV had actually done something illegal. What they did was modify their signature database to support new features with advance notice and the fact that any particular installation of unsupported software failed to handle it properly is the onus of the owners / sysadmins of the individual systems. If you happen to fall into that category, then it is time to upgrade your system.

I am not a lawyer but I do think that this is something that the authorities might possibly examine. I do think that pushing out an update which disables functionality without explicitly requesting permission to make such a change *before* making that change *should* be criminal. Ie: without someone on the server which is about to have a service stopped having to at least press the 'y' key on their keyboard, for example.

This kind of thing really is extremely arrogant, I can see no other way to put it. Sorry if that offends.
Re: [Clamav-users] (no subject)
Spiro Harvey wrote:

On Wed, 21 Apr 2010 14:36:17 +1200 Steve Wray wrote:

I know that in certain jurisdictions, reaching out to someone else's computer (ie not your property) and disabling functionality on it could constitute a criminal act. I sincerely hope that someone somewhere under such a jurisdiction goes to the police and reports the Clamav developers for such an offense.

Points to consider: 4. What did you pay for the software? 5. Where's your contract with them?

This is part of the attitude problem from many open source projects. They are (too often) run by technicians and programmers with no input from the business side. What the Clamav team did, I can't believe it would have made it through a business analyst and I can't believe that any executive would have signed off on something like that after considering the potential impact it could have on their clients.

For the last 4 years or so I have had to shift my mindset from that of pure sysadmin to taking business considerations into account; it's very easy for someone who is absorbed with programming and engineering to forget that IT is there to support business and that business is not there to support IT. This is something that I personally have struggled hard with, it can be difficult for a 'geek' to move in that direction. But it's very very important if OSS is to be taken seriously in the enterprise.

So many OSS projects do not view their users as clients or customers; they view them either as experimental subjects or as fellow experimenters. They only take the technical considerations into account and largely ignore potential impact on business. This is true both of the Clamav developers and of those people who didn't take precautions against potential problems such as the Clamav developers introduced. (And make no mistake; a problem was *created* by the Clamav team, a problem that did not exist prior to the changes they made).
I have been using Linux since 1991 and I have seen a lot of positive change in that time. I have seen it go from crazy 'fringe' to being widely accepted in the enterprise. But shenanigans like this can risk all of that hard work. This is why I raised the legal and ethical issue; because that is what the business end should be considering and it's what the technical end only rarely considers.

I understand that Clamav is free as in 'beer' and that there is no legal contract with the Clamav team. However, Clamav has a parent company, Sourcefire, which is listed on Nasdaq and is a 'proper' corporation. I have written to them to find out what they think of this, if anything at all... Sourcefire actually have executives and a general counsel and I am sure that they employ business analysts as well. I will be interested to see if what the Clamav team did is condoned by the parent company which clearly has some business acumen behind it.

Don't get distracted by issues such as "Oh those bad silly sysadmins out there who messed up, it's really *their* fault not the fault of the Clamav developers!" That is just *not* helpful. The damage is already done; damage to people's systems and damage to the reputation not only of Clamav but of OSS in general.
Re: [Clamav-users] (no subject)
Spiro Harvey wrote:

On Thu, 22 Apr 2010 08:19:31 +1200 Steve Wray wrote:

Don't get distracted by issues such as "Oh those bad silly sysadmins out there who messed up, it's really *their* fault not the fault of the Clamav developers!" That is just *not* helpful. The damage is already done; damage to people's systems and damage to the reputation not only of Clamav but of OSS in general.

If you were to talk about helpful, perhaps you should be proposing a way for them to do it better next time. That would really be in the spirit of OSS.

But I am; involve business people in the decision making process *at* Clamav. I'm sure that Sourcefire have the resources to do that. I'm just not sure what the status of this is. I'd like to know.
Re: [Clamav-users] (no subject)
Peter Bonivart wrote:

On Wed, Apr 21, 2010 at 10:39 PM, Christopher X. Candreva wrote:

IMHO, open source projects don't have a business side. Opensource projects exist for the developers to get the software they need, faster, through collaboration with others. If anyone else finds it useful that's an added bonus. But if no one other than the devs use it themselves, the project has fulfilled its purpose.

Adding business value is the job of the distros, or Apple if they include it, or myself as an ISP.

That's why I said before I think the real let-down here are the distros that didn't do anything about it.

Extreme? Maybe, but that's why I use open-source, for getting best of breed, newest, breaking with history when needed.

This would be ok if the distros maintained the servers which their distributed version of Clamav updated from. They don't. The responsibility in this case is that of those who maintain Clamav, not the distros. I would suggest that distros may want to take note of this situation; it's perhaps not unreasonable for them to maintain eg their own Clamav update servers.
Re: [Clamav-users] (no subject)
Spiro Harvey wrote:

On Thu, 22 Apr 2010 08:51:00 +1200 Steve Wray wrote:

This would be ok if the distros maintained the servers which their distributed version of Clamav updated from. They don't. The responsibility in this case is that of those who maintain Clamav, not the distros. I would suggest that distros may want to take note of this situation; it's perhaps not unreasonable for them to maintain eg their own Clamav update servers.

But the distro are the ones who gave you outdated unsupported software. Had they provided you with a newer package, you wouldn't have had this problem.

I didn't have this problem. I am just worried that OSS is *still* having problems dealing with basic business commonsense.

Are you suggesting that if your distribution had packaged ClamAV 0.96 and your server(s) didn't break, that you would *still* be upset? Just on principle?

I am not upset; I am concerned for OSS and for the way that this reflects badly on it. And yes I really do think it has been bad PR.
Re: [Clamav-users] Clubbing a deceased equine
Jim Preston wrote:

On Apr 21, 2010, at 2:48 PM, Robert Wyatt wrote:

Eray Aslan wrote:

Does anyone have access to legal opinion for a lawsuit against clamav developers or its parent company? Perhaps Germany is the better place for it.

Yeah, I've got a legal opinion for you. You have no standing to recover any damages and any suit you file would be subject to a counterclaim for a frivolous lawsuit.

And I hope you do file a frivolous lawsuit and lose your shirt in court and lawyer fees. Lawyers will only be too happy to take your money for your lost cause.

Ahhh but it wouldn't be a civil case; it'd be a criminal case. The prosecution would be the crown or government.
Re: [Clamav-users] Clubbing a deceased equine
Jim Preston wrote:

On Apr 21, 2010, at 5:42 PM, Steve Wray wrote:

Jim Preston wrote:

On Apr 21, 2010, at 2:48 PM, Robert Wyatt wrote:

Eray Aslan wrote:

Does anyone have access to legal opinion for a lawsuit against clamav developers or its parent company? Perhaps Germany is the better place for it.

Yeah, I've got a legal opinion for you. You have no standing to recover any damages and any suit you file would be subject to a counterclaim for a frivolous lawsuit.

And I hope you do file a frivolous lawsuit and lose your shirt in court and lawyer fees. Lawyers will only be too happy to take your money for your lost cause.

Ahhh but it wouldn't be a civil case; it'd be a criminal case. The prosecution would be the crown or government.

And would still be a monumental waste of your tax revenue, but what the heck, it's your money

If there is the slightest chance that a legal precedent could be set that would deter the likes of Apple or Sony disabling functionality in consumer devices by remote control I would be ALL for spending tax money on this. And I would have thought that virtually anyone in the FOSS community would have agreed. Excuse me for my error.
Re: [Clamav-users] Clubbing a deceased equine
Robert Wyatt wrote:

Simon Hobson wrote:

The **ONLY** defence I can think of is that they assumed an implicit permission by virtue of the user running the update process to fetch signature updates. That's a very tenuous thing to infer when pushing an update that is so different in purpose to what would normally be fetched.

Well, it's not the only defense that I can think of. For exactly how long had this message appeared before the ClamAV engine actually died?

LibClamAV Warning:
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON’T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: *

... they're called "idiot lights" for a reason and are disregarded at the user's peril.

I believe that best practice with this sort of thing is to only issue warnings and not to actually force a potentially harmful change without *express* consent of the user. Ie: NOT passive or implicit consent. Making potentially harmful changes based only on passive or implicit consent is.. well 'inconsiderate' is about as mild a phrase as I care to use.
Re: [Clamav-users] Phishing feature defaults, naming, and 0.92
Christoph Cordes wrote:
> Hello,
>
> so in the end it boils down to this:
>
> - after a new release ClamAV should mimic the behavior of the
> preceding version by default unless it's a major release (.x0) or the
> user enabled possible new features explicitly. furthermore the
> default behavior should be as conservative as possible. Did i get
> this right?

I must remember this question in case I ever have to interview someone for a job as system administrator... If they disagree with the above then they should be in a different line of work.

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] ClamAV Vulnerability
Christoph Cordes wrote:
> On 20.11.2007 at 11:06, Sean Doherty wrote:
>
>> Anyone know if there is any substance to this vulnerability claim?
>>
>> http://wabisabilabi.blogspot.com/2007/11/focus-on-clamav-remote-
>> code-execution.html
>
> No.

Ok, slight ambiguity here. On the face of it you appear to be saying:

"No one knows if there is any substance to this vulnerability claim."

of course you *could* intend to mean:

"*I* don't know if there is any substance to this vulnerability claim."

or even:

"There is no substance to this vulnerability claim."
[Clamav-users] false positives?
Hi there,
I'm not sure this is the right mailing list for this but here goes anyway.

I need to find out if I am dealing with a false positive or with a real problem.

I've been running clamav over some of our webservers content for the past year or so and it has never found anything (apart from the eicar test signature that I occasionally drop in there to make sure the system is working properly).

It recently found something on two of our servers. Both servers run moodle.

Clamav identifies it as JS.Dropper-14

The file concerned downloaded directly from the moodle site is also identified as being infected though it's a different version of the file and differs slightly.

You can find it here:

http://cvs.moodle.org/moodle/mod/quiz/protect_js.php

I've had our developers going over this code and they can't find anything suspicious about it. Personally I'm suspicious of the huge block of binary data... but I'm not really a programmer.

Please advise.

Thanks!
Re: [Clamav-users] false positives?
Noel Jones wrote:
> Steve Wray wrote:
>> Hi there,
>> I'm not sure this is the right mailing list for this but here goes anyway.
>>
>> I need to find out if I am dealing with a false positive or with a real
>> problem.
>>
>> I've been running clamav over some of our webservers content for the
>> past year or so and it has never found anything (apart from the eicar
>> test signature that I occasionally drop in there to make sure the system
>> is working properly).
>>
>> It recently found something on two of our servers. Both servers run moodle.
>>
>> Clamav identifies it as JS.Dropper-14
>>
>> The file concerned downloaded directly from the moodle site is also
>> identified as being infected though it's a different version of the file
>> and differs slightly.
>>
>> You can find it here:
>>
>> http://cvs.moodle.org/moodle/mod/quiz/protect_js.php
>>
>> I've had our developers going over this code and they can't find
>> anything suspicious about it. Personally I'm suspicious of the huge
>> block of binary data... but I'm not really a programmer.
>>
>> Please advise.
>>
>
> get the opinion of many other scanners by submitting the file
> to http://virusscan.jotti.org/ or http://www.virustotal.com/
>
> If nothing else finds it suspicious, submit the file as a
> false positive at
> http://www.clamav.org/sendvirus/

Ok well one other thing did find it suspicious:

Panda 9.0.0.4 2008.03.02 Exploit/IFrame.FileDownload

nothing else did though.

At what point should I start to worry about this?
:-/
Re: [Clamav-users] false positives?
Noel Jones wrote:
> Steve Wray wrote:
>> Noel Jones wrote:
>>> Steve Wray wrote:
>>>> Hi there,
>>>> I'm not sure this is the right mailing list for this but here goes anyway.
>>>>
>>>> I need to find out if I am dealing with a false positive or with a real
>>>> problem.
>>>>
>>>> I've been running clamav over some of our webservers content for the
>>>> past year or so and it has never found anything (apart from the eicar
>>>> test signature that I occasionally drop in there to make sure the system
>>>> is working properly).
>>>>
>>>> It recently found something on two of our servers. Both servers run moodle.
>>>>
>>>> Clamav identifies it as JS.Dropper-14
>>>>
>>>> The file concerned downloaded directly from the moodle site is also
>>>> identified as being infected though it's a different version of the file
>>>> and differs slightly.
>>>>
>>>> You can find it here:
>>>>
>>>> http://cvs.moodle.org/moodle/mod/quiz/protect_js.php
>>>>
>>>> I've had our developers going over this code and they can't find
>>>> anything suspicious about it. Personally I'm suspicious of the huge
>>>> block of binary data... but I'm not really a programmer.
>>>>
>>>> Please advise.
>>>>
>>> get the opinion of many other scanners by submitting the file
>>> to http://virusscan.jotti.org/ or http://www.virustotal.com/
>>>
>>> If nothing else finds it suspicious, submit the file as a
>>> false positive at
>>> http://www.clamav.org/sendvirus/
>> Ok well one other thing did find it suspicious:
>>
>> Panda9.0.0.4 2008.03.02 Exploit/IFrame.FileDownload
>>
>> nothing else did though.
>>
>> At what point should I start to worry about this?
>> :-/
>>
>>
>
> Submit it as a false positive and let the clamav signature
> team evaluate it.

Well I've submitted it as a false positive... but I don't really know that it is false... we shall see!

Thanks for the advice and help
Re: [Clamav-users] simplest replacement for ancient amavis-perl
Tilman Schmidt wrote:
> On 11.08.2008 at 12:05, Ian Eiloart wrote:
>> In fact, if you accept the email, then silently discard it, then you
>> effectively endorsing the validity of the email. You'll be improving
>> the reputation of the original sender in the eyes of the ISP.
>
> Worse, it can even be a punishable offense. At least here in Germany,
> doing so for a third party's mail (which according to most lawyers
> also covers a company doing it for mail addressed to its own employees)
> constitutes "Nachrichtenunterdrückung" (message suppression), a felony
> punishable with up to 5 years in prison.
> (Talk about lawmakers' support in the fight against spam ...)
>
> So dropping mail into the bitbucket is not an alternative. I have to
> either reject it or deliver it.

Wow.

So... the default, unpatched build of qmail is quite popular in Germany?

That was Dan's policy when he designed qmail; all mail must be delivered or bounced.