RE: [Clamav-users] RFC: squidclam

2005-01-13 Thread Mitch (WebCob)
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Lord Sent: January 13, 2005 12:50 PM To: clamav-users@lists.clamav.net Subject: [Clamav-users] RFC: squidclam Hi, just wrote a small program to replace SquidClamAV_Redirector.py Reason for doing tha

RE: [Clamav-users] Virus Tests from www.testvirus.org

2004-12-01 Thread Mitch (WebCob)
-Original Message- At 12.08 01/12/2004, you wrote: >> And now a wish: >> Is possible to implement in clamav-milter or clamd itself the >> possibility to define a list of suffix I'd like to consider as: >> UNAUTHORIZED ATTACH TYPE > >That is not the job of a virus-scanner, it's the job

RE: [Clamav-users] virus tests

2004-11-25 Thread Mitch (WebCob)
-Original Message- I checked it too and everything is ok, except tests nr. 24, 25 ( which are non-virus, anyway ). We're running .80 on Gentoo. Robert [Mitch says:] 24 & 25 could be stopped similar to how password protected zips are stopped - not because they are viral, but because of

update as soon as possible WAS RE: [Clamav-users] Independent Testing

2004-10-21 Thread Mitch (WebCob)
> Hi, how do you make ClamAV update virus database as soon as possible > when the signature becomes ready? > > Sam. > [Mitch (bitblock)] Sam. Bad toad! Don't hijack threads. You can run freshclam - there is no such thing as an instant update - the latest version uses DNS records to allow more

RE: [Clamav-users] Re: Delays scanning MS Access db file ?

2004-10-04 Thread Mitch (WebCob)
> On a off-topic side note, if anyone knows what SMTP related > timeout issues > come up if a Milter timeout is set to greater than several > minutes, I'd be very > interested to hear. Does sendmail somehow keep the SMTP session > alive even > if the Milter is taking longer than the SMTP DATA time

RE: [Clamav-users] virus submission problem

2004-09-28 Thread Mitch (WebCob)
> > This is not an isolated case. The virus submission page must be changed > to run the latest RELEASED version of clamav. > Haven't looked in a while, but I think it should: Display result using latest RELEASE Display result using latest CVS Display IDENTITY of the virus Display config of the

RE: [Clamav-users] Re: Re: Re: Windows port ?

2004-09-25 Thread Mitch (WebCob)
> -Original Message- > From: [EMAIL PROTECTED] [mailto:clamav-users- > [EMAIL PROTECTED] On Behalf Of Tomasz Kojm > Sent: September 25, 2004 12:22 > To: [EMAIL PROTECTED] > Subject: Re: [Clamav-users] Re: Re: Re: Windows port ? > > On Sun, 26 Sep 2004 00:09:2

RE: AW: [Clamav-users] Re: Re: Re: Windows port ?

2004-09-25 Thread Mitch (WebCob)
> The GPL defines "source" as "the preferred form of the work for making > modifications to it". If the maintainers of the clamav db add new > signatures by unpacking the database, modifying it and packing it again, > it is source code (the act of packing and unpacking is IMHO similar to > tarring

RE: [Clamav-users] Re: Re: Re: Re: Windows port ?

2004-09-23 Thread Mitch (WebCob)
> > > > Ok, you can download the clam database handling and file scanner > > > > at http://uscanit.free.fr/lib.zip > > > > > > It looks OK. Thanks for publishing it. > > > > > > > Can you clarify for the rest of us? Does that mean the clam team is > > accepting this sort of usage of the db? > > The

RE: [Clamav-users] Re: Re: Re: Re: Windows port ?

2004-09-23 Thread Mitch (WebCob)
> > Ok, you can download the clam database handling and file scanner at > > http://uscanit.free.fr/lib.zip > > It looks OK. Thanks for publishing it. > Can you clarify for the rest of us? Does that mean the clam team is accepting this sort of usage of the db? m/ ---

RE: [Clamav-users] Re: Re: Re: Re: Windows port ?

2004-09-22 Thread Mitch (WebCob)
Remi wrote: > > No, it won't. Security by obscurity is a nonsense. > It's true only for cryptography I think. > Anyone with a disassembler can find your secret sauce as soon as they download your product. A lot of effort yes... but if what you think you have found has any value it will be done. C

RE: [Clamav-users] Re: Re: Windows port ?

2004-09-22 Thread Mitch (WebCob)
Or write an open source program which does the scanning without dependency on cygwin. GPL it, give away the source. Keep your heuristics separate, and if you like your interface, etc. This is the same effect as the windows wrapper that exists without the underlying overhead of the cygwin underneath

RE: [Clamav-users] Notification E-mail

2004-09-20 Thread Mitch (WebCob)
> With one caveat. > It is perfectly acceptable to place an explanatory message in an SMTP > REJECT message. > > Something like > > EHLO (hi) > MAIL FROM (ok) > RCPT TO (ok) > DATA (can't accept for delivery, contains the EICAR virus!) > > If the mail is being sent by a virus, the virus will usuall

RE: [Clamav-users] daemon restarting while clamdscan is running

2004-09-10 Thread Mitch (WebCob)
I think this was mentioned in a man page somewhere... I believe that clam would return a timeout error, and what happens with that depends on the script that calls clamdscan. If it accepts nothing other than success, the mail should be deferred and tried again later by the MTA. not authoritative, b

RE: [Clamav-users] OverSize.Zip file

2004-09-02 Thread Mitch (WebCob)
Winzip reports the AVERAGE and clam uses the PEAK value... try bumping up the value to two or three times that amount: ArchiveMaxCompressionRatio from 1000 to test this... the culprit could be an ascii file with a lot of white space that is hugely compressible.   m/ -Original Message-

RE: [Clamav-users] Downloading clam virus definition files automatically

2004-08-26 Thread Mitch (WebCob)
> I think such a provider would be liable for very little - but it is very > expensive to establish that in court. Law suits are trivial to initiate > and we are in a very litigious society. If you have 10,000 customers you > can bet at least one of them will levy a suit against you for some > perce

RE: [Clamav-users] Second-tier Mirrors...

2004-08-26 Thread Mitch (WebCob)
> -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Graham > Toal > > Aren't we missing something obvious here? Shouldn't we be using some > sort of distributed technology like BitTorrent? > That's been asked and answered... Bittorrent is meant to optimi

RE: [Clamav-users] Second-tier Mirrors...

2004-08-25 Thread Mitch (WebCob)
> I would love to setup a mirror, but 10Mbps and 100GB/month is more than > I've got available. > > --TWH By my count that makes 5 of us I recall seeing volunteer and it isn't even an option yet. As we are already trampling the rules with cnames to cnames... what about this... the second tier cna

RE: [Clamav-users] Second-tier Mirrors...

2004-08-25 Thread Mitch (WebCob)
> > > Someone recently suggested the idea of allowing sites with > less than the > > > mirror site requirements becoming second-tier mirrors. This thread is > > > an attempt to see what kind of interest there is in such an > idea and for > > > the developers to respond whether or not the idea has

RE: [Clamav-users] Downloading clam virus definition files automatically

2004-08-23 Thread Mitch (WebCob)
> If you really want updates instantly, there *is* a solution. Volunteer > to run a mirror. All mirrors are given updates within 2 minutes. > > Damian Menscher Joining this thread a little late - sorry... Then we get back to the level of commitment required to do that... With things as they ar

RE: [Clamav-users] Freshclam cron interval {Revisado por Antivirus}

2004-08-17 Thread Mitch (WebCob)
> > run freshclam on one machine, use on-update-execute to run an > rsync script > after a successful download to update all your other machines. > > > == > Chris Candreva -- [EMAIL PROTECTED] Does the clamd process need to be signaled on

RE: [Clamav-users] Freshclam cron interval {Revisado por Antivirus}

2004-08-16 Thread Mitch (WebCob)
> No, the cron job only runs on the hour (minute == 0) so it will only run > once per hour at a random time between hh:00 and hh:30. > > A. > D'oh! Note to self - don't think you are smart when you're tired! Thanks. --- SF.Net email is sponso

RE: [Clamav-users] Freshclam cron interval {Revisado por Antivirus}

2004-08-15 Thread Mitch (WebCob)
> > Please always try to _avoid_ to have cron based internet > services run by the > > hour. Please consider another value than 0. What about 17 or 41 > as the value > > for the minute? > > As per discussions on this list on awhile ago; I use the following for > my crontab entry > 0 * * * * sleep

RE: [Clamav-users] Idea for more timely virusdb updates

2004-08-15 Thread Mitch (WebCob)
> >I still don't see why rsync can't be used here. It can > >easily do incremental > >updates. > > True. However, > (1) many firewall admins allow outgoing HTTP and DNS > ports; I cannot say the same for rsync port. > (2) The uncompressed signature (viruses.db*) files is a > good candidate for rsy

RE: [Clamav-users] Idea for more timely virusdb updates

2004-08-13 Thread Mitch (WebCob)
> Similarly, BitTorrent *requires* "raw" Internet access in order > to operate - > again - not a normal situation for an AV server. > Don't know what exactly you meant by "raw" as opposed to sauteed, broiled, baked or toasted, but BitTorrent does NOT require unfirewalled access. It does require a

RE: [Clamav-users] Idea for more timely virusdb updates

2004-08-13 Thread Mitch (WebCob)
> > DNS for serial numbers plus HTTP for actual data transfer still sounds > > New version of freshclam will work in this way. Big thanks to all for > the interesting thread ! > Sounds cool Tomasz! Be interested to hear if this helps reduce the load on the mirrors at all. Once this is tested, an u

RE: [Clamav-users] OpenSource Clamav not ready?

2004-08-12 Thread Mitch (WebCob)
> So does that mean you no longer use Exiscan's "demime" facility, because, > if I understand this correctly, it is sufficient to pass the mime parts > to clamd for scanning. Using it and ScanMail would appear to bring some > "competition" between Exiscan's demime and ClamAV's ScanMail. > > Could s

RE: [Clamav-users] Idea for more timely virusdb updates

2004-08-11 Thread Mitch (WebCob)
> Opening another port is simply no option for any serious > enterprise use. There > is simply no way to open another port in the firewall. In addition I am > confident that IANA will not allow to reserve a fixed port number > for this > service. After all port numbers are a limited resource with t

RE: [Clamav-users] Idea for more timely virusdb updates

2004-08-10 Thread Mitch (WebCob)
> I've already mentioned this jokingly, but I was half serious: I think > setting up a bittorrent would solve a lot of the bandwidth problems. > Been playing with that a bit recently - the more I think about it, the more I like it... saw a website that has built a custom tracker to manage leeches,

RE: [Clamav-users] Idea for more timely virusdb updates

2004-08-10 Thread Mitch (WebCob)
> The mirror page talks about the need for mirrors, about > exponential growth, > and how at least a 10mbit pipe is needed to host a mirror. It puts March > 2004 traffic at about 120gig/month > I think I read it differently... I thought it was 120GB / month per mirror (at that point in time there

RE: [Clamav-users] Idea for more timely virusdb updates

2004-08-10 Thread Mitch (WebCob)
> right, but as discussed below, generally bind servers don't have > 100k people > waiting for notifications and updates. > Nope, true... but like I suggested, the notification tree doesn't have to be flat... One server notifying 10 servers is time consuming and sure - costs a lot of bandwidt

RE: [Clamav-users] Re: [Clamav-virusdb] Update (daily: 445)

2004-08-09 Thread Mitch (WebCob)
> I have 445 (have had it for 5 hours or so) and it still calls it > Trojan.JS.RunMe. Am I missing something? I can see in my > clamd.log where > it picked up the changes and reloaded the database, and sigtool -l lists > both Trojan.JS.RunMe and Worm.Bagle.AI-2 in it. > I'm going to take a guess

RE: [Clamav-users] Idea for more timely virusdb updates

2004-08-09 Thread Mitch (WebCob)
What about a deeper mirroring system? Perhaps one that supports notification? One of the things I like about BIND (not enough to use it, but still an admired concept ;-) is the way zones can be distributed... notification speeds things up if it works, polling creates a failsafe in which a missing

RE: [Clamav-users] Clamav Engine upgrades?

2004-08-05 Thread Mitch (WebCob)
This is predicated on the developers of the database incrementing the "functionality level" when they make changes like this. I'm still not sure I get it, but there seems to be some resistance to doing this consistently. Some changes in detection seem to make it into CVS, and I think future versi

RE: [Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)

2004-07-27 Thread Mitch (WebCob)
I'd be willing to hack the code to add the information mentioned the other day - care to share the base script (off list is fine by me). I'd like to make it a little more informative what was found and how it was found etc. thanks m/ > -Original Message- > From: [EMAIL PROTECTED] > [mai

RE: [Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)

2004-07-27 Thread Mitch (WebCob)
Hi. Before you do, I've been told by Tomasz Papszun that there are signatures that won't work for anything other than CVS... so you'd have to try building a CVS version to make it work. I suggested changes to allow us users to know this info when we do an upload to the webform, but haven't had re

Signatures and versions... RE: [Clamav-users] Suggestion: Feature Freeze

2004-07-26 Thread Mitch (WebCob)
> I'd like to second that. Those of us depending on clamav to catch stuff > can't afford to upgrade in the middle of the day for new signatures to > work. And why don't these new signatures work? Has that interface not > yet stabilized? > > Thanks, > John Just wondering... If signatures come

[Clamav-users] New virus not getting scanned, but web interface says already detected?

2004-07-26 Thread Mitch (WebCob)
For one thing, the web interface for uploading could be A LOT MORE USEFUL by stating its current clamscan version, what it detects the upload as, selected options/config, and signature database - just allowing easier confirmation of relevant settings. I've downloaded the 0.75, and upgraded, ensur

RE: [Clamav-users] Ethics Question

2004-06-10 Thread Mitch (WebCob)
I'd say so. You aren't talking about doing this after the fact, but as the message is received and detected as viral - right? They'd have to have hung up immediately and even then, it's unlikely the modem handshake would be complete yet on the next call ;-) > On Thu, 10 Jun 2004, Nigel Horne wrote

RE: [Clamav-users] Ethics Question

2004-06-09 Thread Mitch (WebCob)
ing experiment... m/ > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of jef moskot > Sent: Wednesday, June 09, 2004 3:50 PM > To: [EMAIL PROTECTED] > Subject: RE: [Clamav-users] Ethics Question > > > On Wed, 9 Jun 2004

RE: [Clamav-users] Ethics Question

2004-06-09 Thread Mitch (WebCob)
What's the harm? You aren't selling them anything... Spam is something done for commercial gain by definition isn't it? they are hurting you - wasting your bandwidth etc... and as many of my customers could prove - they can go for MONTHS not knowing they are infected. Your message could say somethi

Bad ideas WAS RE: [Clamav-users] Zero bytes vbs & cpl attachment

2004-05-31 Thread Mitch (WebCob)
> (it was removed) there is nothing for ClamAV to find. About the best > you can do is to educate others that stripping viruses out of email (and > letting the rest through) is a Bad Idea. While you are mentioning bad ideas... what about this trend of sending bounce messages to the sender or post

RE: [Clamav-users] Re: Virus Alias Database

2004-05-10 Thread Mitch (WebCob)
> -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Kevin > Spicer > Sent: Monday, May 10, 2004 10:49 AM > To: [EMAIL PROTECTED] > Subject: Re: [Clamav-users] Re: Virus Alias Database > > > Its running PHP & MySQL on apache2, unfortunately this is my home bo

[Clamav-users] You might not see OUTDATED warning...

2004-04-29 Thread Mitch (WebCob)
Just so all will know ;-) It seems that 0.65 isn't smart enough to notice the difference - I didn't get the warning on that box... but I'm upgrading anyways... I assume the version smarts were added around 0.67? Or is there some config value that causes me to not see a warning? Thanks. m/

RE: [Clamav-users] W32.Netsky.B@mm not removed

2004-04-19 Thread Mitch (WebCob)
> -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Jim Maul > Sent: Monday, April 19, 2004 11:04 AM > To: [EMAIL PROTECTED] > Subject: RE: [Clamav-users] [EMAIL PROTECTED] not removed > > hi, > > I also have some "NetSky.q.2" not detected; They are detecte

RE: [Clamav-users] Updating ClamAV method other than freshclam

2004-04-08 Thread Mitch (WebCob)
> -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Lionel > Bouton > Sent: Thursday, April 08, 2004 12:26 AM > To: [EMAIL PROTECTED] > Subject: Re: [Clamav-users] Updating ClamAV method other than freshclam > > > I just do that because I have 4 systems usin

RE: [Clamav-users] Virus Names

2004-04-07 Thread Mitch (WebCob)
> -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of B. van > Ouwerkerk > Sent: Wednesday, April 07, 2004 2:00 AM > To: [EMAIL PROTECTED] > Subject: Re: [Clamav-users] Virus Names > > > I don't fancy the idea of doing the same job someone else does > but I co

RE: [Clamav-users] Virus aliases

2004-03-11 Thread Mitch (WebCob)
> -Original Message- > From: Tomasz Kojm > > On Thu, 11 Mar 2004 10:15:50 + > Dave Ewart <[EMAIL PROTECTED]> wrote: > > > 2. Can the alias details be extracted from the .cvd files? If not > > currently, is there any way to add this detail? > > Virus aliases will be supported in signa

RE: [Clamav-users] Virus aliases

2004-03-11 Thread Mitch (WebCob)
> No idea how easy this would be to implement but here goes: > > As well as the virus signature databases, how about having an alias > database which would contain a record for each virus, indicating its > ClamAV name along with those used by the more mainstream AV software > like Sophos, McAfee et

RE: [Clamav-users] Simple patch for dealing with password zip files

2004-03-03 Thread Mitch (WebCob)
Fantastic Michael! I think that will be a good interim until there is an official method of dealing with the problem. Thanks. m/ > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Michael L > Torrie > Sent: Wednesday, March 03, 2004 12:38 PM > To: [EMA

RE: [Clamav-users] Password-protected .zip file viruses

2004-03-03 Thread Mitch (WebCob)
But... > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Chris > Meadors > Sent: Tuesday, March 02, 2004 11:44 PM > To: [EMAIL PROTECTED] > Subject: Re: [Clamav-users] Password-protected .zip file viruses > > > Paul Boven wrote: > > > How about only tryin

RE: [Clamav-users] password-protected Worm.Bagle.H

2004-03-03 Thread Mitch (WebCob)
That's got my vote - can the core team give some indication of options being considered and what general direction we'll go here? Thanks. m/ > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Andy Dills > Sent: Tuesday, March 02, 2004 11:05 PM > To: [EMA

RE: [Clamav-users] Password-protected .zip file viruses

2004-03-02 Thread Mitch (WebCob)
My understanding of reliable zip password checking was that you needed two or more files encoded with the same password in the archive to allow a good check... Maybe I'm wrong on that, but still I'd rather a setting that allows me to reject unscannable attachments. Preferably as mentioned before

RE: [Clamav-users] password-protected Worm.Bagle.H

2004-03-02 Thread Mitch (WebCob)
> -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Diego > d'Ambra > Sent: Tuesday, March 02, 2004 4:55 AM > To: [EMAIL PROTECTED] > Subject: RE: [Clamav-users] password-protected Worm.Bagle.H > > > > -Original Message- > > From: [EMAIL PROTECTED]

[Clamav-users] Submission to virusbtn.com and AV-test.org?

2004-02-24 Thread Mitch (WebCob)
I was looking for reviews on virus protection quality as well as response time... Helen, the editor of virusbtn.com says as far as she knows, Clam AV has never been submitted for review. I asked for details on the process, and ask here if there is any reason NOT to submit to various reviewers - d

RE: [Clamav-users] 2 questions - virus naming convention & virus information

2004-02-21 Thread Mitch (WebCob)
D] Behalf Of Peter > Bonivart > Sent: Saturday, February 21, 2004 2:19 AM > To: [EMAIL PROTECTED] > Subject: Re: [Clamav-users] 2 questions - virus naming convention & > virus information > > > Mitch (WebCob) wrote: > > 1) Does the ClamAV system use a common naming co

[Clamav-users] 2 questions - virus naming convention & virus information

2004-02-20 Thread Mitch (WebCob)
1) Does the ClamAV system use a common naming convention? Where does it come from? By this I mean I think I see other virus detection software using the same names for things - how is this agreed upon? 2) Is there a Clam source for virus information? I'd like to tie my filter to a status page that