[clamav-users] clamav-milter feature request
Benny Pedersen
2016-08-03 23:10:11 UTC
make it possible to have policy banks in clamav-milter so e.g. one can
have 3rd party signatures that just add a header like it would do when
accepting a virus, but let's be creative: possibly as well make a PUA.pattern to
accept or deny as virus

so one policy bank for official signatures, and up to a random number of
other policy banks as users see fit for their needs

if that will be supported in the clamd socket as well it will save a lot of
workarounds I think

would it be possible to see that?


_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
G.W. Haywood
2016-08-04 17:15:06 UTC
Hi there,
make it possible to have policy banks in clamav-milter ...
Are you sure that you mean clamav-milter?
--
73,
Reindl Harald
2016-08-04 17:20:28 UTC
Post by G.W. Haywood
Hi there,
make it possible to have policy banks in clamav-milter ...
Are you sure that you mean clamav-milter?
it's just Benny - most of the time you have no chance of knowing what he is talking about,
but he talks much on each and every list...
Benny Pedersen
2016-08-04 17:47:37 UTC
Post by G.W. Haywood
make it possible to have policy banks in clamav-milter ...
Are you sure that you mean clamav-milter?
it's what sendmail uses imho?

and if it happens there it works just like what amavisd does with making some
virus signatures over into spam signatures to be processed in a spam scanner
like spamassassin

the reason for this is that making these clamav signatures is more RAM
effective than making native spamassassin rules

crossing fingers to see updates coming


Reindl Harald
2016-08-04 17:50:17 UTC
Post by Benny Pedersen
Post by G.W. Haywood
make it possible to have policy banks in clamav-milter ...
Are you sure that you mean clamav-milter?
its what sendmail uses imho ?
and if it happens there it works just what amavisd do with make some
virus signature over to spam signature to be processed in spamscanner
like spamasssassin
reason for this is that make this clamav signature is that its more ram
effitive then make native spamasssasin rules
xsing fingers to see updates comming
different signatures for different clamd are your friend

[***@testserver:/etc/mail/spamassassin]$ cat clamav.cf
loadplugin ClamAV clamav.pm

full CLAMAV_JNK eval:check_clamav('/run/clamd/clamd-sa.sock')
describe CLAMAV_JNK ClamAV detected malware/phishing/junk
score CLAMAV_JNK 6.0

full CLAMAV_MLW eval:check_clamav('/run/clamd/clamd.sock')
describe CLAMAV_MLW ClamAV detected malware/phishing
score CLAMAV_MLW 9.9

[***@testserver:~]$ ls /var/lib/clamav
insgesamt 138M
-rw-r--r-- 2 clamupdate clamupdate 45K 2016-08-03 13:40 foxhole_filename.cdb
-rw-r--r-- 2 clamupdate clamupdate 44K 2016-06-28 09:58 foxhole_generic.cdb
-rw-r--r-- 2 clamupdate clamupdate 4,1K 2016-06-18 17:22 thelounge_blocked_extensions.cdb
-rw-r--r-- 2 clamupdate clamupdate 31M 2016-08-04 02:15 daily.cld
-rw-r--r-- 2 clamupdate clamupdate 105M 2016-05-25 14:25 main.cvd
-rw-r--r-- 3 clamupdate clamupdate 11K 2016-03-09 09:56 sanesecurity.ftm
-rw-r--r-- 2 clamupdate clamupdate 100K 2016-08-04 01:48 bofhland_malware_attach.hdb
-rw-r--r-- 2 clamupdate clamupdate 82 2016-07-13 21:44 crdfam.clamav.hdb
-rw-r--r-- 2 clamupdate clamupdate 953K 2016-08-03 12:52 rogue.hdb
-rw-r--r-- 2 clamupdate clamupdate 143K 2016-08-04 01:45 winnow_extended_malware.hdb
-rw-r--r-- 2 clamupdate clamupdate 281K 2016-08-04 01:45 winnow_malware.hdb
-rw-r--r-- 2 clamupdate clamupdate 48K 2015-08-05 09:24 hackingteam.hsb
-rw-r--r-- 2 clamupdate clamupdate 9,3K 2015-02-19 09:26 malwarehash.hsb
-rw-r--r-- 2 clamupdate clamupdate 42K 2016-08-04 01:46 porcupine.hsb
-rw-r--r-- 3 clamupdate clamupdate 6,2K 2016-08-01 17:33 sigwhitelist.ign2
-rw-r--r-- 3 clamupdate clamupdate 146K 2016-08-04 01:53 blurl.ndb
-rw-r--r-- 3 clamupdate clamupdate 17K 2016-08-04 01:48 bofhland_malware_URL.ndb
-rw-r--r-- 2 clamupdate clamupdate 318K 2016-08-04 01:46 porcupine.ndb
-rw-r--r-- 3 clamupdate clamupdate 788K 2016-08-04 01:45 winnow_malware_links.ndb
[***@testserver:~]$ ls /var/lib/clamav-spam/
insgesamt 87M
-rw-r--r-- 2 clamupdate clamupdate 8,5K 2016-05-31 11:52 foxhole_all.cdb
-rw-r--r-- 2 clamupdate clamupdate 2,0K 2016-07-13 14:59 foxhole_js.cdb
-rw-r--r-- 2 clamupdate clamupdate 5,7K 2016-06-18 17:22 thelounge_tagged_extensions.cdb
-rw-r--r-- 2 clamupdate clamupdate 52M 2016-08-04 02:16 safebrowsing.cvd
-rw-r--r-- 3 clamupdate clamupdate 11K 2016-03-09 09:56 sanesecurity.ftm
-rw-r--r-- 2 clamupdate clamupdate 298 2016-06-21 09:54 spamattach.hdb
-rw-r--r-- 2 clamupdate clamupdate 767 2016-07-20 09:59 spamimg.hdb
-rw-r--r-- 2 clamupdate clamupdate 515K 2016-08-04 01:45 winnow.attachments.hdb
-rw-r--r-- 2 clamupdate clamupdate 66 2016-08-04 01:45 winnow_bad_cw.hdb
-rw-r--r-- 3 clamupdate clamupdate 6,2K 2016-08-01 17:33 sigwhitelist.ign2
-rw-r--r-- 2 clamupdate clamupdate 502 2015-11-15 10:52 spam.ldb
-rw-r--r-- 2 clamupdate clamupdate 660 2016-08-04 01:45 winnow.complex.patterns.ldb
-rw-r--r-- 2 clamupdate clamupdate 41K 2016-08-03 15:42 badmacro.ndb
-rw-r--r-- 3 clamupdate clamupdate 146K 2016-08-04 01:53 blurl.ndb
-rw-r--r-- 2 clamupdate clamupdate 20K 2016-08-04 01:48 bofhland_cracked_URL.ndb
-rw-r--r-- 3 clamupdate clamupdate 17K 2016-08-04 01:48 bofhland_malware_URL.ndb
-rw-r--r-- 2 clamupdate clamupdate 3,3K 2016-08-04 01:48 bofhland_phishing_URL.ndb
-rw-r--r-- 2 clamupdate clamupdate 6,4M 2016-08-02 13:55 junk.ndb
-rw-r--r-- 2 clamupdate clamupdate 260K 2016-08-04 01:53 jurlbla.ndb
-rw-r--r-- 2 clamupdate clamupdate 400K 2016-08-03 21:53 jurlbl.ndb
-rw-r--r-- 2 clamupdate clamupdate 240K 2016-07-29 18:20 lott.ndb
-rw-r--r-- 2 clamupdate clamupdate 3,7M 2016-08-03 12:39 phish.ndb
-rw-r--r-- 2 clamupdate clamupdate 4,9M 2016-08-04 01:46 phishtank.ndb
-rw-r--r-- 2 clamupdate clamupdate 14M 2016-08-04 01:45 scamnailer.ndb
-rw-r--r-- 2 clamupdate clamupdate 1,8M 2016-07-16 12:00 scam.ndb
-rw-r--r-- 2 clamupdate clamupdate 53K 2016-08-03 18:54 spearl.ndb
-rw-r--r-- 2 clamupdate clamupdate 2,0M 2016-08-03 18:49 spear.ndb
-rw-r--r-- 2 clamupdate clamupdate 159 2016-08-04 01:45 winnow_extended_malware_links.ndb
-rw-r--r-- 3 clamupdate clamupdate 788K 2016-08-04 01:45 winnow_malware_links.ndb
-rw-r--r-- 2 clamupdate clamupdate 607K 2016-08-04 01:45 winnow_phish_complete.ndb
-rw-r--r-- 2 clamupdate clamupdate 147K 2016-08-04 01:45 winnow_spam_complete.ndb
-rw-r--r-- 2 clamupdate clamupdate 1,5K 2015-07-01 14:54 Sanesecurity_sigtest.yara
-rw-r--r-- 2 clamupdate clamupdate 1,3K 2016-02-22 13:21 Sanesecurity_spam.yara
Matus UHLAR - fantomas
2016-08-04 19:18:15 UTC
Post by Reindl Harald
Post by Benny Pedersen
reason for this is that make this clamav signature is that its more ram
effitive then make native spamasssasin rules
different signatures for different clamd are your friend
loadplugin ClamAV clamav.pm
full CLAMAV_JNK eval:check_clamav('/run/clamd/clamd-sa.sock')
describe CLAMAV_JNK ClamAV detected malware/phishing/junk
score CLAMAV_JNK 6.0
full CLAMAV_MLW eval:check_clamav('/run/clamd/clamd.sock')
describe CLAMAV_MLW ClamAV detected malware/phishing
score CLAMAV_MLW 9.9
I'm afraid that running multiple clamd instances (that's what clamav-milter uses)
is the least memory effective possibility.
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Depression is merely anger without enthusiasm.
Reindl Harald
2016-08-04 19:25:09 UTC
Post by Matus UHLAR - fantomas
Post by Reindl Harald
Post by Benny Pedersen
reason for this is that make this clamav signature is that its more ram
effitive then make native spamasssasin rules
different signatures for different clamd are your friend
loadplugin ClamAV clamav.pm
full CLAMAV_JNK eval:check_clamav('/run/clamd/clamd-sa.sock')
describe CLAMAV_JNK ClamAV detected malware/phishing/junk
score CLAMAV_JNK 6.0
full CLAMAV_MLW eval:check_clamav('/run/clamd/clamd.sock')
describe CLAMAV_MLW ClamAV detected malware/phishing
score CLAMAV_MLW 9.9
I'm afraid that running multiple clamd (that's what clamav-milter uses)
instances is least memory effective possibility
nope

one clamd with all signatures here has a memory usage of 800 MB, both
together have around the same, each of them a part of it depending on
what signatures they have loaded

"clamd is more RAM effective than a spamassassin rule" is just wrong,
that's it - clamd is not and never was RAM effective and its memory usage
is related to the amount and size of signatures

what Benny wants is that he can control the type of answers depending
on signatures (as far as it's understandable what he really talks about,
which isn't easy usually) and that's exactly what you get by splitting your
signatures across multiple instances and scoring them differently depending on
the signature types

the clamav-milter should be *the very last* instance with only 100%
sure signatures to bypass any short-circuit and other whitelistings and
catch *real malware* at the end of the chain even from normally
whitelisted people if their machines got infected

the *real underlying* problem is that there is no chance to get rid of
20 years old samples without a massive amount of work and that it's time
that the main/daily signatures are split and conditionally loadable
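The two-socket SpamAssassin split shown earlier in the thread and the "control the type of answer depending on the signature" point made in this post both come down to one thing: looking at which signature fired and choosing an action from that. The following is an added example, not code from this thread or from the ClamAV project. It speaks the clamd socket protocol directly (zINSTREAM with 32-bit length-prefixed chunks, NUL-terminated reply), parses the reply, and maps the detected signature name to an action by name prefix, which is what a "policy bank" in a milter would do without running a second clamd that holds its own copy of the signature set. The socket path, the prefix table and the sample signature names are assumptions chosen for illustration.

```python
"""Per-signature policy on top of the clamd socket protocol.

Added example; not code from the clamav-users thread or the ClamAV project.
The socket path and the policy table below are illustrative assumptions.
"""
import socket
import struct

# Constructed policy table: the first matching prefix wins. The prefixes
# mimic the naming of third-party signature families only as an example.
DEFAULT_POLICY = (
    ("Sanesecurity.Junk", "tag"),
    ("Sanesecurity.Spam", "tag"),
    ("PUA.", "tag"),
)
# Anything not listed above (official main/daily detections and so on)
# is treated as real malware and rejected.
DEFAULT_ACTION = "reject"


def parse_clamd_reply(reply):
    """Parse one clamd reply such as 'stream: Foo FOUND', 'stream: OK' or
    '... ERROR'. Returns (status, detail) with status in OK/FOUND/ERROR."""
    line = reply.strip("\0\n ")
    if line.endswith(" OK"):
        return "OK", None
    if line.endswith(" FOUND"):
        # 'stream: <signature> FOUND'; split on the last ': ' so a file
        # name containing ': ' cannot confuse the parser.
        body = line[: -len(" FOUND")]
        return "FOUND", body.rpartition(": ")[2]
    if line.endswith(" ERROR"):
        return "ERROR", line[: -len(" ERROR")]
    # Unknown reply: report it as an error so nothing is treated as clean.
    return "ERROR", line


def decide(signature, policy=DEFAULT_POLICY, default=DEFAULT_ACTION):
    """Map a signature name to an action using the prefix policy table."""
    for prefix, action in policy:
        if signature.startswith(prefix):
            return action
    return default


def apply_policy(reply, policy=DEFAULT_POLICY):
    """Turn a raw clamd reply into (action, header_value).

    action is 'accept', 'tag', 'reject' or 'tempfail'; header_value is what
    a milter would place into a status header such as X-Virus-Status.
    """
    status, detail = parse_clamd_reply(reply)
    if status == "OK":
        return "accept", "Clean"
    if status == "FOUND":
        return decide(detail, policy), "Infected (%s)" % detail
    # Scanner errors must not let mail through unscanned: defer instead.
    return "tempfail", "Scan error (%s)" % detail


def scan_bytes(data, sock_path="/run/clamd/clamd.sock", chunk=8192):
    """Send data to clamd via zINSTREAM and return the NUL-terminated reply.

    Each chunk is prefixed with its length as a 32-bit big-endian integer;
    a zero-length chunk terminates the stream.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(sock_path)
        sock.sendall(b"zINSTREAM\0")
        for off in range(0, len(data), chunk):
            piece = data[off:off + chunk]
            sock.sendall(struct.pack("!I", len(piece)) + piece)
        sock.sendall(struct.pack("!I", 0))
        reply = b""
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return reply.decode("utf-8", "replace")


def scan_and_decide(data, sock_path="/run/clamd/clamd.sock"):
    """Scan data against a live clamd and apply the policy table."""
    try:
        reply = scan_bytes(data, sock_path)
    except OSError as exc:
        return "tempfail", "clamd unreachable (%s)" % exc
    return apply_policy(reply)


if __name__ == "__main__":
    # Constructed sample replies; in production they come from scan_bytes().
    for sample in ("stream: OK\0",
                   "stream: Sanesecurity.Junk.12345.UNOFFICIAL FOUND\0",
                   "stream: Win.Trojan.Agent-1234567 FOUND\0",
                   "INSTREAM size limit exceeded. ERROR\0"):
        print(sample.strip("\0"), "->", apply_policy(sample))
```

The memory point raised in the thread is why the policy lives in the client rather than in a second daemon: one clamd loads each signature file once, and the prefix table decides whether a hit only adds a header or rejects the message. Errors and unparseable replies deliberately map to tempfail, since a scanner failure that silently accepts mail is the failure mode a milter must avoid.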