-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Lord
Sent: January 13, 2005 12:50 PM
To: clamav-users@lists.clamav.net
Subject: [Clamav-users] RFC: squidclam
Hi,
just wrote a small program to replace SquidClamAV_Redirector.py
Reason for doing tha
-Original Message-
At 12.08 01/12/2004, you wrote:
>> And now a wish:
>> Is possible to implement in clamav-milter or clamd itself the
>> possibility to define a list of suffix I'd like to consider as:
>> UNAUTHORIZED ATTACH TYPE
>
>That is not the job of a virus-scanner, it's the job
-Original Message-
I checked it too and everything is ok, except tests
nr. 24, 25 ( which are non-virus, anyway ).
We're running .80 on Gentoo.
Robert
[Mitch says:]
24 & 25 could be stopped similar to how password protected zips are stopped
- not because they are viral, but because of
> Hi, how do you make ClamAV update virus database as soon as possible
> when the signature becomes ready?
>
> Sam.
>
[Mitch (bitblock)]
Sam. Bad toad! Don't hijack threads.
You can run freshclam - there is no such thing as an instant update - the
latest version uses DNS records to allow more
> On a off-topic side note, if anyone knows what SMTP related
> timeout issues
> come up if a Milter timeout is set to greater than several
> minutes, I'd be very
> interested to hear. Does sendmail somehow keep the SMTP session
> alive even
> if the Milter is taking longer than the SMTP DATA time
> > This is not an isolated case. The virus submission page must be changed
> to run the latest RELEASED version of clamav.
>
Haven't looked in a while, but I think it should:
Display result using latest RELEASE
Display result using latest CVS
Display IDENTITY of the virus
Display config of the
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:clamav-users-
> [EMAIL PROTECTED] On Behalf Of Tomasz Kojm
> Sent: September 25, 2004 12:22
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Re: Re: Re: Windows port ?
>
> On Sun, 26 Sep 2004 00:09:2
> The GPL defines "source" as "the preferred form of the work for making
> modifications to it". If the maintainers of the clamav db add new
> signatures by unpacking the database, modifying it and packing it again,
> it is source code (the act of packing and unpacking is IMHO similar to
> tarring
> > > > Ok, you can download the clam database handling and file scanner
> > > > at http://uscanit.free.fr/lib.zip
> > >
> > > It looks OK. Thanks for publishing it.
> > >
> >
> > Can you clarify for the rest of us? Does that mean the clam team is
> > accepting this sort of usage of the db?
>
> The
> > Ok, you can download the clam database handling and file scanner at
> > http://uscanit.free.fr/lib.zip
>
> It looks OK. Thanks for publishing it.
>
Can you clarify for the rest of us? Does that mean the clam team is
accepting this sort of usage of the db?
m/
---
Remi wrote:
> > No, it won't. Security by obscurity is a nonsense.
> It's true only for cryptography I think.
>
Anyone with a disassembler can find your secret sauce as soon as they
download your product. A lot of effort yes... but if what you think you have
found has any value it will be done. C
Or write an open source program which does the scanning without dependency
on cygwin. GPL it, give away the source. Keep your heuristics separate, and
if you like your interface, etc. This is the same effect as the windows
wrapper that exists without the underlying overhead of the cygwin underneath
> With one caveat.
> It is perfectly acceptable to place an explanatory message in an SMTP
> REJECT message.
>
> Something like
>
> EHLO (hi)
> MAIL FROM (ok)
> RCPT TO (ok)
> DATA (can't accept for delivery, contains the EICAR virus!)
>
> If the mail is being sent by a virus, the virus will usuall
I think this was mentioned in a man page somewhere...
I believe that clam would return a timeout error, and what happens with that
depends on the script that calls clamdscan. If it accepts nothing other than
success, the mail should be deferred and tried again later by the MTA.
not authoritative, b
Winzip
reports the AVERAGE and clam uses the PEAK value... try bumping up the value to
two or three times that amount:
ArchiveMaxCompressionRatio from 1000
to test this... the
culprit could be an ascii file with a lot of white space that is hugely
compressible.
m/
-Original Message-
> I think such a provider would be liable for very little - but it is very
> expensive to establish that in court. Law suits are trivial to initiate
> and we are in a very litigious society. If you have 10,000 customers you
> can bet at least one of them will levy a suit against you for some
> perce
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Graham
> Toal
>
> Aren't we missing something obvious here? Shouldn't we be using some
> sort of distributed technology like BitTorrent?
>
That's been asked and answered... Bittorrent is meant to optimi
> I would love to setup a mirror, but 10Mbps and 100GB/month is more than
> I've got available.
>
> --TWH
By my count that makes 5 of us I recall seeing volunteer and it isn't even
an option yet.
As we are already trampling the rules with cnames to cnames... what about
this... the second tier cna
> > > Someone recently suggested the idea of allowing sites with
> less than the
> > > mirror site requirements becoming second-tier mirrors. This thread is
> > > an attempt to see what kind of interest there is in such an
> idea and for
> > > the developers to respond whether or not the idea has
> If you really want updates instantly, there *is* a solution. Volunteer
> to run a mirror. All mirrors are given updates within 2 minutes.
>
> Damian Menscher
Joining this thread a little late - sorry...
Then we get back to the level of commitment required to do that... With
things as they ar
>
> run freshclam on one machine, use on-update-execute to run an
> rsync script
> after a successful download to update all your other machines.
>
>
> ==
> Chris Candreva -- [EMAIL PROTECTED]
Does the clamd process need to be signaled on
> No, the cron job only runs on the hour (minute == 0) so it will only run
> once per hour at a random time between hh:00 and hh:30.
>
> A.
>
D'oh! Note to self - don't think you are smart when you're tired! Thanks.
> > Please always try to _avoid_ to have cron based internet
> services run by the
> > hour. Please consider another value than 0. What about 17 or 41
> as the value
> > for the minute?
>
> As per discussions on this list a while ago; I use the following for
> my crontab entry
> 0 * * * * sleep
> >I still don't see why rsync can't be used here. It can
> >easily do incremental
> >updates.
>
> True. However,
> (1) many firewall admins allow outgoing HTTP and DNS
> ports; I cannot say the same for rsync port.
> (2) The uncompressed signature (viruses.db*) files is a
> good candidate for rsy
> Similarly, BitTorrent *requires* "raw" Internet access in order
> to operate -
> again - not a normal situation for an AV server.
>
Don't know what exactly you meant by "raw" as opposed to sauteed, broiled,
baked or toasted, but BitTorrent does NOT require unfirewalled access. It
does require a
> > DNS for serial numbers plus HTTP for actual data transfer still sounds
>
> New version of freshclam will work in this way. Big thanks to all for
> the interesting thread !
>
Sounds cool Tomasz! Be interested to hear if this helps reduce the load on
the mirrors at all. Once this is tested, an u
> So does that mean you no longer use Exiscan's "demime" facility, because,
> if I understand this correctly, it is sufficient to pass the mime parts
> to clamd for scanning. Using it and ScanMail would appear to bring some
> "competition" between Exiscan's demime and ClamAV's ScanMail.
>
> Could s
> Opening another port is simply no option for any serious
> enterprise use. There
> is simply no way to open another port in the firewall. In addition I am
> confident that IANA will not allow to reserve a fixed port number
> for this
> service. After all port numbers are a limited resource with t
> I've already mentioned this jokingly, but I was half serious: I think
> setting up a bittorrent would solve a lot of the bandwidth problems.
>
Been playing with that a bit recently - the more I think about it, the more
I like it... saw a website that has built a custom tracker to manage
leeches,
> The mirror page talks about the need for mirrors, about
> exponential growth,
> and how at least a 10mbit pipe is needed to host a mirror. It puts March
> 2004 traffic at about 120gig/month
>
I think I read it differently... I thought it was 120GB / month per mirror
(at that point in time there
> right, but as discussed below, generally bind servers don't have
> 100k people
> waiting for notifications and updates.
>
Nope, true... but like I suggested, the notification tree doesn't have to be
flat...
One server notifying 10 servers is time consuming and sure - costs a lot
of bandwidt
> I have 445 (have had it for 5 hours or so) and it still calls it
> Trojan.JS.RunMe. Am I missing something? I can see in my
> clamd.log where
> it picked up the changes and reloaded the database, and sigtool -l lists
> both Trojan.JS.RunMe and Worm.Bagle.AI-2 in it.
>
I'm going to take a guess
What about a deeper mirroring system? Perhaps one that supports
notification?
One of the things I like about BIND (not enough to use it, but still an
admired concept ;-) is the way zones can be distributed... notification
speeds things up if it works, polling creates a failsafe in which a missing
This is predicated on the developers of the database incrementing the
"functionality level" when they make changes like this.
I'm still not sure I get it, but there seems to be some resistance to doing
this consistently.
Some changes in detection seem to make it into CVS, and I think future
versi
I'd be willing to hack the code to add the information mentioned the other
day - care to share the base script (off list is fine by me).
I'd like to make it a little more informative what was found and how it was
found etc.
thanks
m/
> -Original Message-
> From: [EMAIL PROTECTED]
> [mai
Hi.
Before you do, I've been told by Tomasz Papszun that there are signatures
that won't work for anything other than CVS... so you'd have to try building
a CVS version to make it work.
I suggested changes to allow us users to know this info when we do an upload
to the webform, but haven't had re
> I'd like to second that. Those of us depending on clamav to catch stuff
> can't afford to upgrade in the middle of the day for new signatures to
> work. And why don't these new signatures work? Has that interface not
> yet stabilized?
>
> Thanks,
> John
Just wondering...
If signatures come
For one thing, the web interface for uploading could be A LOT MORE USEFUL by
stating its current clamscan version, what it detects the upload as,
selected options/config, and signature database - just allowing easier
confirmation of relevant settings.
I've downloaded the 0.75, and upgraded, ensur
I'd say so. You aren't talking about doing this after the fact, but as the
message is received and detected as viral - right? They'd have to have hung
up immediately and even then, it's unlikely the modem handshake would be
complete yet on the next call ;-)
> On Thu, 10 Jun 2004, Nigel Horne wrote
ing
experiment...
m/
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of jef moskot
> Sent: Wednesday, June 09, 2004 3:50 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Clamav-users] Ethics Question
>
>
> On Wed, 9 Jun 2004
What's the harm? You aren't selling them anything... Spam is something done
for commercial gain by definition isn't it? they are hurting you - wasting
your bandwidth etc... and as many of my customers could prove - they can go
for MONTHS not knowing they are infected. Your message could say somethi
> (it was removed) there is nothing for ClamAV to find. About the best
> you can do is to educate others that stripping viruses out of email (and
> letting the rest through) is a Bad Idea.
While you are mentioning bad ideas... what about this trend of sending
bounce messages to the sender or post
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Kevin
> Spicer
> Sent: Monday, May 10, 2004 10:49 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Re: Virus Alias Database
>
>
> It's running PHP & MySQL on apache2, unfortunately this is my home bo
Just so all will know ;-)
It seems that 0.65 isn't smart enough to notice the difference - I didn't
get the warning on that box... but I'm upgrading anyways...
I'm assuming the version smarts were added around 0.67?
Or is there some config value that causes me to not see a warning?
Thanks.
m/
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Jim Maul
> Sent: Monday, April 19, 2004 11:04 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Clamav-users] [EMAIL PROTECTED] not removed
> > hi,
> > I also have some "NetSky.q.2" not detected; They are detecte
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Lionel
> Bouton
> Sent: Thursday, April 08, 2004 12:26 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Updating ClamAV method other than freshclam
>
>
> I just do that because I have 4 systems usin
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of B. van
> Ouwerkerk
> Sent: Wednesday, April 07, 2004 2:00 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Virus Names
>
>
> I don't fancy the idea of doing the same job someone else does
> but I co
> -Original Message-
> From: Tomasz Kojm
>
> On Thu, 11 Mar 2004 10:15:50 +
> Dave Ewart <[EMAIL PROTECTED]> wrote:
>
> > 2. Can the alias details be extracted from the .cvd files? If not
> > currently, is there any way to add this detail?
>
> Virus aliases will be supported in signa
> No idea how easy this would be to implement but here goes:
>
> As well as the virus signature databases, how about having an alias
> database which would contain a record for each virus, indicating its
> ClamAV name along with those used by the more mainstream AV software
> like Sophos, McAfee et
Fantastic Michael!
I think that will be a good interim until there is an official method of
dealing with the problem.
Thanks.
m/
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Michael L
> Torrie
> Sent: Wednesday, March 03, 2004 12:38 PM
> To: [EMA
But...
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Chris
> Meadors
> Sent: Tuesday, March 02, 2004 11:44 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Password-protected .zip file viruses
>
>
> Paul Boven wrote:
>
> > How about only tryin
That's got my vote - can the core team give some indication of options being
considered and what general direction we'll go here?
Thanks.
m/
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Andy Dills
> Sent: Tuesday, March 02, 2004 11:05 PM
> To: [EMA
My understanding of reliable zip password checking was that you needed two
or more files encoded with the same password in the archive to allow a good
check...
Maybe I'm wrong on that, but still I'd rather a setting that allows me to
reject unscannable attachments. Preferably as mentioned before
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Diego
> d'Ambra
> Sent: Tuesday, March 02, 2004 4:55 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Clamav-users] password-protected Worm.Bagle.H
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
I was looking for reviews on virus protection quality as well as response
time...
Helen, the editor of virusbtn.com says as far as she knows, Clam AV has
never been submitted for review.
I asked for details on the process, and ask here if there is any reason NOT
to submit to various reviewers - d
D] Behalf Of Peter
> Bonivart
> Sent: Saturday, February 21, 2004 2:19 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] 2 questions - virus naming convention &
> virus information
>
>
> Mitch (WebCob) wrote:
> > 1) Does the ClamAV system use a common naming co
1) Does the ClamAV system use a common naming convention? Where does it come
from? By this I mean I think I see other virus detection software using the
same names for things - how is this agreed upon?
2) Is there a Clam source for virus information? I'd like to tie my filter
to a status page that