Thread: Re: Keep going if AV Scanner fails?

Re: Keep going if AV Scanner fails? | United States | 2007-08-18 05:45:25
> -----Original Message-----
> From: amavis-user-bounces lists.sourceforge.net
> [mailto:amavis-user-bounces lists.sourceforge.net] On Behalf
> Of Matthew Kitchin (Usenet/Lists)
> Sent: Friday, August 17, 2007 10:03 PM
> To: amavis-user lists.sourceforge.net
> Subject: [AMaViS-user] Keep going if AV Scanner fails?
>
> unavailable. I would prefer it continue to pass the mail and maybe blast
> massive warnings to specified email addresses.

You could use clamav (not clamd) as secondary scanner, and as for socket, normal types of things like swatch to watch logs would help.

> Does anyone know a good way to make this happen?
--
Michael Scheidell, CTO
SECNAP Network Security Corporation
Keep up to date with latest information on IT security: Real time security alerts: http://www.secnap.com/news
_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(tm).
For Information please see http://www.spammertrap.com
_________________________________________________________________________
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
AMaViS-user mailing list
AMaViS-user lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

Re: Keep going if AV Scanner fails? | 2007-08-18 09:46:18
On 8/18/07, Michael Scheidell wrote:
> > unavailable. I would prefer it continue to pass the mail and maybe blast
> > massive warnings to specified email addresses.
>
> You could use clamav (not clamd) as secondary scanner, and as for
> socket, normal types of things like swatch to watch logs would help.
>
> > Does anyone know a good way to make this happen?
>
> --
> Michael Scheidell, CTO

Yes, you should have clamscan as a secondary scanner but if the database is corrupt I would think there would be problems with both (have not tried it though). Make sure your update script is a recent one that tests the downloads before employing them and consider spending money (gasp) on an additional anti virus engine. Maybe Mark would consider a boolean variable that would let you choose whether amavisd-new dies or not when all virus scanners fail (or show you where to hack the code) - but I'm afraid all you need is a few HOWTOs that tell you to enable it and then you get a bunch of poor victims wondering why their entire enterprise is infected - and blaming amavisd-new.
--
Gary V

Re: Keep going if AV Scanner fails? | United States | 2007-08-18 13:42:28
At 09:46 AM 8/18/2007, Gary V wrote:
>On 8/18/07, Michael Scheidell wrote:
>
> > > unavailable. I would prefer it continue to pass the mail and maybe blast
> > > massive warnings to specified email addresses.
> >
> > You could use clamav (not clamd) as secondary scanner, and as for
> > socket, normal types of things like swatch to watch logs would help.
> >
> > > Does anyone know a good way to make this happen?
> >
> > --
> > Michael Scheidell, CTO
>
>Yes, you should have clamscan as a secondary scanner but if the database is corrupt I would think there would be problems with both (have not tried it though). Make sure your update script is a recent one that tests the downloads before employing them and consider spending money (gasp) on an additional anti virus engine. Maybe Mark would consider a boolean variable that would let you choose whether amavisd-new dies or not when all virus scanners fail (or show you where to hack the code) - but I'm afraid all you need is a few HOWTOs that tell you to enable it and then you get a bunch of poor victims wondering why their entire enterprise is infected - and blaming amavisd-new.
>
>--
>Gary V
There is actually a sample entry that does this... force AV scanning to pass if all "real" scanners fail. Look near the bottom of the av_scanners_backup list for something like:

# always succeeds (uncomment to consider mail clean if all other scanners fail)
# ['always-clean', sub {0}],

Be sure to also uncomment the "ClamAV-clamscan" backup entry so that it will have a shot at the mail too.
--
Noel Jones

Re: Keep going if AV Scanner fails? | United States | 2007-08-18 13:55:28
On Sat, Aug 18, 2007 at 06:45:25AM -0400, Michael Scheidell wrote:
> > -----Original Message-----
> > From: amavis-user-bounces lists.sourceforge.net
> > [mailto:amavis-user-bounces lists.sourceforge.net] On Behalf
> > Of Matthew Kitchin (Usenet/Lists)
> > Sent: Friday, August 17, 2007 10:03 PM
> > To: amavis-user lists.sourceforge.net
> > Subject: [AMaViS-user] Keep going if AV Scanner fails?
> >
> > unavailable. I would prefer it continue to pass the mail and maybe blast
> > massive warnings to specified email addresses.
>
> You could use clamav (not clamd) as secondary scanner, and as for
> socket, normal types of things like swatch to watch logs would help.
Have you tried to run clamscan lately? When I was setting up my latest amavisd system I had socket permission problems for the clamd socket, and my test messages were taking *minutes* to scan. I assumed this was because clamscan was taking so long to parse the signature dictionary at each invocation.

I'm not sure that clamscan is a reasonable fallback strategy any more, at least for mail volumes beyond a home server.

To answer the original OP, if it's *really* OK in your scenario to pass through mails without scanning when the main AV is down, you could easily set up a dummy secondary scanner which just returns "OK" without checking the file.
-- Clifton
--
Clifton Royston -- cliftonr iandicomputing.com / cliftonr lava.net
President - I and I Computing * http://www.iandicomputing.com/
Custom programming, network design, systems and network consulting services

Re: Keep going if AV Scanner fails? | United States | 2007-08-18 15:13:32
At 01:55 PM 8/18/2007, Clifton Royston wrote:
> Have you tried to run clamscan lately? When I was setting up my latest amavisd system I had socket permission problems for the clamd socket, and my test messages were taking *minutes* to scan. I assumed this was because clamscan was taking so long to parse the signature dictionary at each invocation.

The current clamscan 0.91.1 is much improved at loading the dictionary. Simple messages should scan in less than 2 seconds. There may still be some performance problems scanning PDF files, you can use --no-pdf to work around that if you have a problem (I don't think any current sigs depend on PDF scanning, not even the stock scam PDF sigs).

Although I admit that 2 seconds is still 100 times longer than clamd takes, and that could cause a problem on a busy system.
--
Noel Jones

Re: Keep going if AV Scanner fails? | United States | 2007-08-18 15:32:53
On Sat, Aug 18, 2007 at 03:13:32PM -0500, Noel Jones wrote:
> At 01:55 PM 8/18/2007, Clifton Royston wrote:
> > Have you tried to run clamscan lately? When I was setting up my latest amavisd system I had socket permission problems for the clamd socket, and my test messages were taking *minutes* to scan. I assumed this was because clamscan was taking so long to parse the signature dictionary at each invocation.
>
> The current clamscan 0.91.1 is much improved at loading the dictionary. Simple messages should scan in less than 2 seconds. There may still be some performance problems scanning PDF files, you can use --no-pdf to work around that if you have a problem (I don't think any current sigs depend on PDF scanning, not even the stock scam PDF sigs).

Oh, that's very good news. I just upgraded from 0.90.3 a week ago, and hadn't retested that. (As it happens I just last weekend fixed something in my own code that had a near-identical problem with a large signature file, and went from taking almost 2 minutes to load to less than 1 second.)

> Although I admit that 2 seconds is still 100 times longer than clamd takes, and that could cause a problem on a busy system.

Still, that's in a perfectly acceptable range. I should retest it so I know how to characterize it.
-- Clifton
--
Clifton Royston -- cliftonr iandicomputing.com / cliftonr lava.net
President - I and I Computing * http://www.iandicomputing.com/
Custom programming, network design, systems and network consulting services

Re: Keep going if AV Scanner fails? | 2007-08-18 15:56:02
On 8/18/07, Noel Jones <njones megan.vbhcs.org> wrote:
> > > > I would prefer it continue to pass the mail and maybe blast massive
> > > > warnings to specified email addresses.
> > >
> There is actually a sample entry that does this... force AV scanning to pass if all "real" scanners fail. Look near the bottom of the av_scanners_backup list for something like:
>
> # always succeeds (uncomment to consider mail clean if all other scanners fail)
> # ['always-clean', sub ],
>
> Be sure to also uncomment the "ClamAV-clamscan" backup entry so that the it will have a shot at the mail too.
> --
> Noel Jones
>

Thanks Noel, I forgot about that one.
--
Gary V

Re: Keep going if AV Scanner fails? | 2007-08-18 16:13:48
On 8/18/07, Noel Jones <njones megan.vbhcs.org> wrote:
> At 01:55 PM 8/18/2007, Clifton Royston wrote:
>
> > Have you tried to run clamscan lately? When I was setting up my latest amavisd system I had socket permission problems for the clamd socket, and my test messages were taking *minutes* to scan. I assumed this was because clamscan was taking so long to parse the signature dictionary at each invocation.
>
> The current clamscan 0.91.1 is much improved at loading the dictionary. Simple messages should scan in less than 2 seconds.

I think this may solve the mystery why for some apparently unknown reason random people were unable to connect to the socket. It appeared to be a permission problem but may have been they were not waiting long enough for the socket to get created. I noticed this on one of my systems where it took a couple minutes after starting clamd for the socket to get created. Since upgrading to the latest version, I could not reproduce this behavior.
--
Gary V
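The delayed-socket behaviour described in the message above (clamd's socket appearing minutes after the daemon starts, which looks like a permission problem) can be told apart from a genuine ownership or permission problem with a small check run before scanning is attempted. The script below is an added example, not from this thread nor from the amavisd-new or ClamAV projects; it assumes only that the clamd LocalSocket path is passed as the first argument and that connecting to a unix-domain socket requires write permission on the socket node. The 180 second default timeout and the /var/run path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): wait for clamd's unix socket and
# distinguish "not created yet" from "exists but not connectable".
#
# wait_for_clamd_socket SOCKET_PATH [TIMEOUT_SECONDS]
#   returns 0  socket exists and this user has write permission (connectable)
#   returns 1  socket exists but is not writable: a real permission/ownership problem
#   returns 2  socket never appeared within the timeout: clamd is still loading
#              its signature database, or is not running at all
wait_for_clamd_socket() {
    sock=$1
    timeout=${2:-180}    # assumed default; clamd can take minutes to load signatures
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if [ -S "$sock" ]; then
            # connect(2) on a unix-domain socket needs write permission on the node
            if [ -w "$sock" ]; then
                return 0
            fi
            echo "$sock exists but is not writable by $(id -un)" >&2
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    echo "$sock did not appear within ${timeout}s" >&2
    return 2
}

# Usage (assumed path): refuse to scan and warn loudly instead of chasing
# permissions when the socket simply is not there yet.
# wait_for_clamd_socket /var/run/clamav/clamd.ctl 300 || exit $?
```

Run this from the amavisd start-up wrapper or from the same monitoring job that watches the logs: exit status 2 is the "still loading" case the thread describes, while exit status 1 is the case that actually needs an ownership or permission change.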

Re: Keep going if AV Scanner fails? | United States | 2007-08-18 16:27:27
On Sat, Aug 18, 2007 at 03:13:48PM -0600, Gary V wrote:
> On 8/18/07, Noel Jones <njones megan.vbhcs.org> wrote:
> > At 01:55 PM 8/18/2007, Clifton Royston wrote:
> >
> > > Have you tried to run clamscan lately? When I was setting up my latest amavisd system I had socket permission problems for the clamd socket, and my test messages were taking *minutes* to scan. I assumed this was because clamscan was taking so long to parse the signature dictionary at each invocation.
> >
> > The current clamscan 0.91.1 is much improved at loading the dictionary. Simple messages should scan in less than 2 seconds.
>
> I think this may solve the mystery why for some apparently unknown reason random people were unable to connect to the socket. It appeared to be a permission problem but may have been they were not waiting long enough for the socket to get created. I noticed this on one of my systems where it took a couple minutes after starting clamd for the socket to get created. Since upgrading to the latest version, I could not reproduce this behavior.

Holy heck. That may indeed explain the problems I was having when I was going back and forth for hours between different sets of effective users, groups, permissions and ownership for the ClamAV daemon and directories, some of which indeed *should* have worked. In the end, I went back to a combination I was sure I had tried earlier, and it worked. This may just account for it - with some of the combinations I may just have been too impatient.
-- Clifton
--
Clifton Royston -- cliftonr iandicomputing.com / cliftonr lava.net
President - I and I Computing * http://www.iandicomputing.com/
Custom programming, network design, systems and network consulting services

Re: Keep going if AV Scanner fails? | United States | 2007-08-20 10:23:22
Gary V wrote:
> (have not tried it though). Make sure your update script is a recent
> one that tests the downloads before employing them and consider

This is one of the most important steps IMHO. I would make sure the script tests the dat files before copying them into place. The scripts that I have used over the years test the dat files with the eicar virus test pattern to make sure they work before copying them into place.
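The validation step described above, as an added example: the script below is not from this thread nor from any freshclam or amavisd-new code. It downloads nothing itself; it assumes the new signature files have already been fetched into a staging directory, and it assumes clamscan's documented exit statuses (0 clean, 1 match found, 2 error) and its --database=DIR option. The test pattern is the public EICAR string, which is harmless and which every scanner is expected to flag, so a staged signature set that fails to flag it is rejected and the previously installed database is left untouched. The scanner command is a parameter so the decision logic can be exercised with a stand-in; the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): validate a staged ClamAV signature
# database against the EICAR test string before installing it.

# The public EICAR test string (harmless; every AV engine is expected to
# flag it). A signature set that cannot flag it did not load or is corrupt.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# validate_db STAGING_DIR [SCANNER]
# Scans an EICAR file using only the signatures in STAGING_DIR.
# Assumes clamscan's documented exit codes: 0 clean, 1 match found, 2 error.
#   returns 0  EICAR detected: the staged database loads and matches
#   returns 1  scanner reported clean: database loaded but is empty/corrupt
#   returns 2  scanner could not load or parse the database at all
validate_db() {
    staging=$1
    scanner=${2:-clamscan}
    tmp=$(mktemp -d) || return 2
    printf '%s' "$EICAR" > "$tmp/eicar.com"
    "$scanner" --database="$staging" --no-summary "$tmp/eicar.com" \
        >/dev/null 2>&1 && rc=0 || rc=$?
    rm -rf "$tmp"
    case $rc in
        1) return 0 ;;
        0) return 1 ;;
        *) return 2 ;;
    esac
}

# install_db STAGING_DIR LIVE_DIR [SCANNER]
# Copies .cvd/.cld files into LIVE_DIR only after validate_db succeeds;
# otherwise the previously installed database stays untouched.
install_db() {
    staging=$1
    live=$2
    scanner=${3:-clamscan}
    if ! validate_db "$staging" "$scanner"; then
        echo "signature update rejected; keeping previous database" >&2
        return 1
    fi
    for f in "$staging"/*.cvd "$staging"/*.cld; do
        [ -f "$f" ] && cp "$f" "$live"/
    done
    return 0
}

# Usage (assumed paths): fetch the new files into the staging directory first,
# then: install_db /var/lib/clamav-staging /var/lib/clamav
```

The point of scanning with --database pointed at the staging directory rather than the live one is that a truncated or corrupt download is caught while the running scanners are still using the known-good set; the rejection message on stderr is what a cron wrapper or log watcher should turn into the "massive warnings" the original poster asked for.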