Nigel Horne | 1 Dec 2008 16:25

ClamAV Webinar on 3rd December Reminder

Hi Everyone,

This is a reminder of this week's ClamAV Webcast on Wednesday 3rd December
at 1800UTC (1300EST).

The presentation will cover common pitfalls in the deployment of ClamAV. It
will then recommend the best practices for logging, scan limits, SMP systems,
usage of PUA, setting up freshclam, using ClamAV on more hosts on your network
and submitting detection statistics, followed by an overview of the engine
configuration flags found in 0.94.1.

Finally the presentation will describe a recommended upgrade procedure,
showing common pitfalls and best practices to avoid them such as forgetting
to review configuration changes, testing the new version before deployment
and restarting the daemons.

The broadcast will include a Q&A session.

For further details, including how to listen to the broadcast and a
biography of the speaker, Török Edvin, please visit
http://www.clamav.net/2008/10/30/clamav-best-practices-webinar/

As always this session will be recorded and archived on ClamAV.net and
Sourcefire.com.

Finally, if you have any topic you'd like to see us cover in the future, or
if you'd like to give a presentation (we welcome talks from the
community), please contact me at
nigel.horne <at> sourcefire.com or +1 301 

Thomasz Blaszczyk | 3 Dec 2008 02:02

clamAV scanning algorithm

Hi,

I am new to ClamAV & I am just wondering how files are scanned.

Does it work like this:
1. A PE section is taken from the file to be scanned
2. Its MD5 is calculated
3. That MD5 is compared to all signatures in the ClamAV database
4. If it matches, a virus is found.

I have simplified this. But please let me know if I am right about the above
steps for scanning files.

Regards,
Tom
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

Török Edwin | 3 Dec 2008 20:58

Re: clamAV scanning algorithm

On 2008-12-03 03:02, Thomasz Blaszczyk wrote:
>  Hi,
>   

Hi,

>  I am new to CLAMAV & I am just wonder how files are scanned.
>
>  Does it work like:
>  1. PE section is taken from file to be scanned
>   

It is much more than that: ClamAV can also process a variety of archive
formats, containers, and executable packers.
Also, PE files aren't the only malware files; you can have malware in
scripts too.

Have a look at filetypes_int.h for the file types we support. New file
type definitions can be added via database updates.
>  2. MD5 is calculated
>   

Correct, but ClamAV also uses a pattern matcher (Aho-Corasick and an
extended version of Boyer-Moore), not only MD5.
See signatures.pdf for the kind of patterns it supports (in particular
it supports wildcards with the AC matcher).

So ClamAV actually tries to match those patterns inside the file. It
also has some heuristic and algorithmic detections.


Thomasz Blaszczyk | 3 Dec 2008 23:41

Re: clamAV scanning algorithm

Thank you for the reply,

Török Edwin, very, very good web seminar!

I have 2 more questions:

1) I'd like to measure & compare the performance of the AC & BM algorithms.

clamscan displays a 'time' in the 'scan summary'. Does this time include
disk access, signature tree building in AC (phase 1) or BM?
Just wondering if I can use this time or whether I should figure out new timestamps.

>Time: 2.189 sec (0 m 2 s)

2) I've downloaded the EICAR Test Anti-Virus File and created a 10-byte file.
(See logs below.) Then I've appended EICAR to this file. Why doesn't clamscan
find a signature in this file?

LOGS:
1. Creating 10bytes file

tomb <at> tomb_localhost
~/projects/aau/virus_scanner/clamav-0.94.1/database $ time dd
if=/dev/urandom of=../../testbox/new10bytes.com bs=10 count=1
1+0 records in
1+0 records out
10 bytes (10 B) copied, 4.8609e-05 s, 206 kB/s

real	0m0.001s
user	0m0.000s

Joseph Benden | 4 Dec 2008 00:24

Re: clamAV scanning algorithm

See:

http://www.eicar.org/anti_virus_test_file.htm

Specifically:

"Any anti-virus product that supports the EICAR test file should detect it in
any file providing that the file starts with the following 68 characters, and
is exactly 68 bytes long"

Best Regards,
Joseph Benden

              .--.
             |o_o |
             |:_/ |
            //   \ \
           (|     | )
           /'\_   _/`\
           \___)=(___/
http://www.ThrallingPenguin.com/
--------------------------------
  We design, develop, and extend
  software technologies for the
     most demanding business
    applications, as well as
      offer VoIP Consulting
            services.

On Dec 3, 2008, at 5:41 PM, Thomasz Blaszczyk wrote:

Török Edwin | 4 Dec 2008 09:57

Re: clamAV scanning algorithm

On 2008-12-04 00:41, Thomasz Blaszczyk wrote:
> Thank you for reply,
>
> Török Edwin, Very, very good web seminar!
>   

Thanks

> I have 2 more questions:
>
> 1) I'd like to measure & compare performance of AC & BM algorithms.
>
> clamscan displays in 'scan summary' a 'time'. Does this time include
> disc access, signature tree building in AC(phase1) or BM
> Just wonder If I can use this time or I should figure out new timestamps.
>   

It includes all of the above: it is the time from the launch of clamscan
(after options are parsed), till the scan is complete.

Best regards,
--Edwin

Thomasz Blaszczyk | 4 Dec 2008 22:18

build & debugging ex1.c

Hi,
I just want to debug ex1.c in the Code::Blocks IDE,
but it fails. Please have a look at my screenshot: http://omploader.org/vem1m

What I did:
I've created a new folder 'ex1' and I've copied the ex1.c file to this folder.
Next I've moved all files from libclamav to this folder.
I changed only one line in ex1.c:
#include <clamav.h>
to
#include "clamav.h"

When I build, it fails, saying:

obj/Debug/ex1.o||In function `main':|
/home/tomb/projects/aau/virus_scanner/codeblocks/ex1/ex1.c|64|undefined reference to `cl_retdbdir'|
/home/tomb/projects/aau/virus_scanner/codeblocks/ex1/ex1.c|64|undefined reference to `cl_load'|
/home/tomb/projects/aau/virus_scanner/codeblocks/ex1/ex1.c|65|undefined reference to `cl_strerror'|
/home/tomb/projects/aau/virus_scanner/codeblocks/ex1/ex1.c|73|undefined reference to `cl_build'|
/home/tomb/projects/aau/virus_scanner/codeblocks/ex1/ex1.c|74|undefined reference to `cl_strerror'|
/home/tomb/projects/aau/virus_scanner/codeblocks/ex1/ex1.c|75|undefined reference to `cl_free'|
/home/tomb/projects/aau/virus_scanner/codeblocks/ex1/ex1.c|93|undefined reference to `cl_scandesc'|
/home/tomb/projects/aau/virus_scanner/codeblocks/ex1/ex1.c|99|undefined

Thomasz Blaszczyk | 6 Dec 2008 14:55

Re: clamAV scanning algorithm

Thanks Joseph for the answer,

The quote appears too restrictive, as I found that the file can be
longer, as long as it starts with EICAR.

> "Any anti-virus product that supports the EICAR test file should
> detect it in any file providing that the file starts with the
> following 68 characters, and is exactly 68 bytes long"
>
> Best Regards,
> Joseph Benden
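Edwin's point above that ClamAV matches both whole-file MD5 hashes and byte patterns (Aho-Corasick), together with Tom's observation that a test file is still caught when extra bytes surround it, as an added example that is not ClamAV's code: a minimal Aho-Corasick matcher next to a whole-file MD5 check, run over a constructed sample. The signature lines are constructed in .hdb/.ndb-like syntax, not entries from the real database, and the example does not claim which signature type ClamAV uses for EICAR; it only shows that a hash signature stops matching as soon as bytes are prepended, while a pattern signature still hits at its new offset.

```python
import hashlib
from collections import deque
# Constructed stand-in for a small test file (not EICAR, not real malware).
SAMPLE = b"CONSTRUCTED-TEST-BODY-FOR-SIGNATURE-DEMO-0123456789"
# Constructed signatures in ClamAV-like .hdb (md5:size:name) and .ndb (name:type:offset:hex) syntax
HDB = ["%s:%d:Constructed.HashSig" % (hashlib.md5(SAMPLE).hexdigest(), len(SAMPLE))]
NDB = ["Constructed.PatternSig:0:*:" + SAMPLE[:20].hex()]  # offset "*" = anywhere

def build_ac(patterns):  # Aho-Corasick automaton from {name: bytes}
    goto, fail, out = [{}], [0], [[]]
    for name, pat in patterns.items():
        s = 0
        for b in pat:
            if b not in goto[s]:
                goto.append({}); fail.append(0); out.append([])
                goto[s][b] = len(goto) - 1
            s = goto[s][b]
        out[s].append((name, len(pat)))
    q = deque(goto[0].values())  # depth-1 nodes fail back to the root
    while q:                     # BFS, so each fail link is already final
        r = q.popleft()
        for b, s in goto[r].items():
            f = fail[r]
            while f and b not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(b, 0)
            out[s] += out[fail[s]]  # inherit matches ending at a suffix
            q.append(s)
    return goto, fail, out

def ac_scan(ac, data):  # -> [(name, start_offset)] for every occurrence
    goto, fail, out = ac
    s, hits = 0, []
    for i, b in enumerate(data):
        while s and b not in goto[s]:
            s = fail[s]
        s = goto[s].get(b, 0)
        hits += [(name, i - n + 1) for name, n in out[s]]
    return hits

def hash_scan(data):  # .hdb entries where both MD5 and file size match
    md5 = hashlib.md5(data).hexdigest()
    return [n for h, size, n in (l.split(":") for l in HDB)
            if h == md5 and int(size) == len(data)]

def scan_file(data):  # names of all hash and pattern signatures that hit
    pats = {l.split(":")[0]: bytes.fromhex(l.split(":")[3]) for l in NDB}
    hits = set(hash_scan(data))
    hits.update(name for name, _ in ac_scan(build_ac(pats), data))
    return sorted(hits)
```

Scanning SAMPLE alone fires both signatures; scanning ten filler bytes followed by SAMPLE fires only the pattern signature, because the file's MD5 and size no longer match the hash entry.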

Thomasz Blaszczyk | 6 Dec 2008 19:34

Re: build & debugging ex1.c

Thanks,

There were many troubles. (I am building the project from files I have
copied from libclamav to my newly created project folder.)
In many files a line #include <inttypes.h> was missing.
I guess something is wrong with cltypes.h (#ifndef __CLTYPES_H).
Please have a look at my compilation errors:
http://omploader.org/vem1s
http://omploader.org/vem14

But I get stuck now with the message in mbox.c|4591|error: incompatible
type for argument 2 of 'connect'|

The argument is: (const struct sockaddr *)sin

Can anyone help with this?

Please have a look at this error here:
http://omploader.org/venNy

> Since you already moved the files, you should actually add those to your
> project.
Right, I forgot to check that option as well. I am new to Code::Blocks
& mostly I'm using the MPLAB IDE from Microchip. There you cannot include a
header file in a program and add this header file to the project; it won't
compile.

Thanks for all the suggestions & information about performance
measurements. I will go for it!
