Tomasz Kojm | 1 Sep 2010 11:27

Re: automatic file submission

On Sat, 28 Aug 2010 09:01:34 -0500 Dave M <dave.nerd <at> gmail.com> wrote:
> Hello,
> 
> I'd like to add the ability to let end users automatically upload
> suspicious files from a GUI interface.  I have two questions about
> this:
> 
> 1. Do you have any objections with this kind of functionality?  I
> can't imagine there would be too many submissions as a result as the
> GUI is for Linux, but there are a decent number of users in general.

Hi Dave,

please hard code some limits (eg. max 5 submissions per day). This will
help in case there's a bug in your app and it starts submitting all
files from a user's hard drive instead of selected ones ;-)

> 2. If there are no objections, is there anything you'd like me to add
> to the required website fields (name, email address, etc)?  I could
> automate those to identify as the GUI, or ensure the user fills those
> in and understands not to submit more than 2 per day (for example).

The name/e-mail address is a must. The user should also be able to
provide a description which is very welcome and (very important!) be
able to mark the file either as 'not detected' or 'false positive'.

Thanks,

-- 
   oo    .....         Tomasz Kojm <tkojm <at> clamav.net>

Dave M | 2 Sep 2010 04:01

Re: automatic file submission

On Wed, Sep 1, 2010 at 4:27 AM, Tomasz Kojm <tkojm <at> clamav.net> wrote:
> On Sat, 28 Aug 2010 09:01:34 -0500 Dave M <dave.nerd <at> gmail.com> wrote:
>> Hello,
>>
>> I'd like to add the ability to let end users automatically upload
>> suspicious files from a GUI interface.  I have two questions about
>> this:
>>
>> 1. Do you have any objections with this kind of functionality?  I
>> can't imagine there would be too many submissions as a result as the
>> GUI is for Linux, but there are a decent number of users in general.
>
> Hi Dave,
>
> please hard code some limits (eg. max 5 submissions per day). This will
> help in case there's a bug in your app and it starts submitting all
> files from a user's hard drive instead of selected ones ;-)
>
>> 2. If there are no objections, is there anything you'd like me to add
>> to the required website fields (name, email address, etc)?  I could
>> automate those to identify as the GUI, or ensure the user fills those
>> in and understands not to submit more than 2 per day (for example).
>
> The name/e-mail address is a must. The user should also be able to
> provide a description which is very welcome and (very important!) be
> able to mark the file either as 'not detected' or 'false positive'.
>
Will do.  And thanks!

Dave M

Tony Zhai | 4 Sep 2010 06:44

About the size of daily.cvd

Hi,
I want to know the max size of the daily.cvd.
I would like to just use daily.cvd instead of both of daily.cvd and
mail.cvd because my system has a small memory.
The daily.cvd contains about 70K signatures a month ago but more than
110K now. I am afraid it will be increased every day.

Can you tell me the max size of daily.cvd?

Thanks a lot.

Best regards,
--Tony
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

Török Edwin | 4 Sep 2010 08:53

Re: About the size of daily.cvd

On Sat, 4 Sep 2010 12:44:35 +0800
Tony Zhai <tonyzhai <at> gmail.com> wrote:

> Hi,
> I want to know the max size of the daily.cvd.
> I would like to just use daily.cvd instead of both of daily.cvd and
> mail.cvd

I don't think that just skipping main.cvd is a good idea, you'll miss
most signatures.

What kind of files are you scanning?
If you are scanning only your own email you might consider rejecting
all emails that contain executable attachments. You can do that with a
single ClamAV signature for example. 
Then you could remove the PE signatures from your local DB with a
script. That will get you rid of 739024 signatures.

> because my system has a small memory.

Have you tried 0.96.2? It has some memory usage optimizations.

> The daily.cvd contains about 70K signatures a month ago but more than
> 110K now. I am afraid it will be increased every day.
> 
> Can you tell me the max size of daily.cvd?

In theory there is no maximum size.

Best regards,

Hossein Rahimi | 4 Sep 2010 20:54

Signature Matching on GPUs

Hi all,

I am planning to add the ability of using compute devices for signature
matching to ClamAV. I have already implemented the Aho-Corasick algorithm
besides KMP and Boyer Moore using CUDA for matching simple and raw strings
without any wildcard or meta-character/regular expression compatibility.

you can read the report through the project here:
http://pasargad.cse.shirazu.ac.ir/~rahimy/cuda-strmatch.zip

I have talked on initial issues with Edwin and below is a summary of what I
am going to do:

First thing is moving to OpenCL instead of CUDA; this choice is mainly
because of the cross-platform nature of OpenCL. So, the implemented module can
be compiled and run on machines with multiple brands of commodity hardware
such as ATI, Intel, Nvidia, and any device that has OpenCL compatible
driver.

If we were successful to move to the OpenCL library, then I might take these
steps:
1- implement an Aho-Corasick data structure suitable for Compute devices,
while being lightweight and memory optimized.
2- designing a scalable architecture for moving both buffers and signatures
to be moved to GPU and scanned for, a major challenge for implementing such
a module for ClamAV is the huge number of signatures ( o(100k) ).
3- creating the Aho-Corasick trie for chunks of signatures, so the first
version of this module might be the one which does the signature chunk
matching on the GPU, then gives back data about each signature chunk (i.e.
match offset and final state for each match) and does the meta matching on

Alfred Klomp | 9 Sep 2010 16:46

Patch: Clamuko: add ClamukoIgnoreSuperuser option

Hi all,

The attached patch against Clamav-0.96.2 adds a ClamukoIgnoreSuperuser 
option to Clamukofs. If set to "yes", files that are opened by processes 
running as root will be ignored. They will not be scanned, and access is 
always allowed. Regular processes are still denied access to the files.

Rationale: this gives the administrator more options for dealing with 
infected files, such as copying them, gzipping them, or moving them to a 
different partition.

Possible issues: the name of the option is a bit long, but using the 
word "root" felt too ambiguous for something at the filesystem level. 
Also, the code checks the ownership of /proc/<pid> to determine the uid 
of the process, which may not be the most elegant or portable way to do it.

If someone finds this sort of thing useful, it should be relatively 
simple to modify the patch so that Clamuko can accept a list of ignored 
uid's, instead of just uid 0.

Kind regards,
--Alfred Klomp

-- 
Bokxing IT
Elektronicaweg 14a
2628 XG Delft
T: 088-00 164 00
F: 015-25 609 77
support <at> bokxing.nl

Tomasz Kojm | 10 Sep 2010 12:08

Re: Patch: Clamuko: add ClamukoIgnoreSuperuser option

On Thu, 09 Sep 2010 16:46:23 +0200 Alfred Klomp <alfred <at> bokxing.nl> wrote:
> Hi all,
> 
> The attached patch against Clamav-0.96.2 adds a ClamukoIgnoreSuperuser
> option to Clamukofs. If set to "yes", files that are opened by processes
> running as root will be ignored. They will not be scanned, and access is
> always allowed. Regular processes are still denied access to the files.
> 
> Rationale: this gives the administrator more options for dealing with
> infected files, such as copying them, gzipping them, or moving them to a
> different partition.
> 
> Possible issues: the name of the option is a bit long, but using the
> word "root" felt too ambiguous for something at the filesystem level.
> Also, the code checks the ownership of /proc/<pid> to determine the uid
> of the process, which may not be the most elegant or portable way to do it.
> 
> If someone finds this sort of thing useful, it should be relatively
> simple to modify the patch so that Clamuko can accept a list of ignored
> uid's, instead of just uid 0.

Hey Alfred,

please open an enhancement request in our bugzilla
(http://bugs.clamav.net) and attach your patch there

Thanks,

-- 
   oo    .....         Tomasz Kojm <tkojm <at> clamav.net>

Luca Gibelli | 14 Sep 2010 18:17

Re: automatic file submission

Hello Dave,

sorry for the late reply.

> > I'd like to add the ability to let end users automatically upload
> > suspicious files from a GUI interface.  I have two questions about
> > this:
> please hard code some limits (eg. max 5 submissions per day). This will
> help in case there's a bug in your app and it starts submitting all
> files from a user's hard drive instead of selected ones ;-)

also please use a User-Agent that will help us to identify these kind of
submissions. Something like Programname/Automatic_Submission

Thanks,

Best regards

-- 
Luca Gibelli (luca _at_ clamav.net)       ClamAV, a GPL anti-virus toolkit
[Tel] +39 0187 1851862 [Fax] +39 0187 1852252 [IM] nervous/jabber.linux.it
PGP key id 5EFC5582  <at>  any key-server || http://www.clamav.net/gpg/luca.gpg

Dave M | 14 Sep 2010 18:20

Re: automatic file submission

On Tue, Sep 14, 2010 at 11:17 AM, Luca Gibelli <luca <at> clamav.net> wrote:
> Hello Dave,
>
> sorry for the late reply.
>
>> > I'd like to add the ability to let end users automatically upload
>> > suspicious files from a GUI interface.  I have two questions about
>> > this:
>> please hard code some limits (eg. max 5 submissions per day). This will
>> help in case there's a bug in your app and it starts submitting all
>> files from a user's hard drive instead of selected ones ;-)
>
> also please use a User-Agent that will help us to identify these kind of
> submissions. Something like Programname/Automatic_Submission
>
Easy enough!  Thank you again.

Dave M
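
One way to implement the client-side safeguards requested in this thread (a hard-coded daily cap, required name/e-mail, the 'not detected' / 'false positive' marker and an identifying User-Agent), added here as an example and not code from ClamAV or from the GUI discussed. The program name "ExampleGUI", the form field names and the JSON state file are assumptions; the function only prepares the request and sends nothing.

```python
import json
import os
from datetime import date

MAX_PER_DAY = 5                                  # hard-coded on purpose: no config knob
USER_AGENT = "ExampleGUI/Automatic_Submission"   # "ExampleGUI" is a made-up program name
KINDS = ("not detected", "false positive")


class SubmissionRefused(Exception):
    """Raised instead of sending when a check fails."""


def _count_today(state_path, today):
    """Return today's submission count; fail closed if the state is unreadable."""
    if not os.path.exists(state_path):
        return 0
    try:
        with open(state_path) as fh:
            state = json.load(fh)
        return int(state["count"]) if state["day"] == today else 0
    except (OSError, ValueError, KeyError, TypeError) as exc:
        raise SubmissionRefused(f"counter state unreadable: {exc}")


def prepare_submission(state_path, file_path, name, email, kind,
                       description="", today=None):
    """Validate the form, charge the daily quota, return the request to send."""
    today = today or date.today().isoformat()
    if not name.strip() or "@" not in email:
        raise SubmissionRefused("name and e-mail address are required")
    if kind not in KINDS:
        raise SubmissionRefused(f"kind must be one of {KINDS}")
    used = _count_today(state_path, today)
    if used >= MAX_PER_DAY:
        raise SubmissionRefused(f"daily limit of {MAX_PER_DAY} reached")
    # Charge the quota before anything is sent, so a caller that wrongly loops
    # over a whole disk runs out of budget after MAX_PER_DAY files.
    tmp = state_path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump({"day": today, "count": used + 1}, fh)
    os.replace(tmp, state_path)
    return {
        "headers": {"User-Agent": USER_AGENT},
        "fields": {"name": name, "email": email, "kind": kind,
                   "description": description},
        "file": file_path,
    }
```

Keeping the check in the last function before the network call means a bug in file selection higher up in the GUI cannot bypass it.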

Per Jessen | 24 Sep 2010 17:33

configuring to build 0.96.3

I'm trying to build 0.96.3, but configure keeps getting stuck in a tight
loop whilst "checking for CVE-2010-0405..." 

/Per Jessen, Zürich
